End-of-Day report
Timeframe: Donnerstag 10-08-2023 18:00 - Freitag 11-08-2023 18:00
Handler: Robert Waldner
Co-Handler: Michael Schlagenhaufer
News
Gafgyt malware exploits five-years-old flaw in EoL Zyxel router
Fortinet has issued an alert warning that the Gafgyt botnet malware is actively trying to exploit a vulnerability in the end-of-life Zyxel P660HN-T1A router in thousands of daily attacks.
https://www.bleepingcomputer.com/news/security/gafgyt-malware-exploits-five-years-old-flaw-in-eol-zyxel-router/
Nutzerdaten in Gefahr: Microsoft Onedrive als Werkzeug für Ransomware-Angriffe
Onedrive soll die Daten von Windows-Nutzern eigentlich vor Ransomware-Angriffen schützen. Effektiv ist das aber offenbar nicht immer.
https://www.golem.de/news/nutzerdaten-in-gefahr-microsoft-onedrive-als-werkzeug-fuer-ransomware-angriffe-2308-176674.html
16 New CODESYS SDK Flaws Expose OT Environments to Remote Attacks
A set of 16 high-severity security flaws have been disclosed in the CODESYS V3 software development kit (SDK) that could result in remote code execution and denial-of-service under specific conditions, posing risks to operational technology (OT) environments. The flaws, tracked from CVE-2022-47378 through CVE-2022-47393 and dubbed CoDe16, carry a CVSS score of 8.8 with the exception of CVE-2022-47391, which has a severity rating of 7.5. Twelve of the flaws are buffer overflow vulnerabilities.
https://thehackernews.com/2023/08/15-new-codesys-sdk-flaws-expose-ot.html
When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability
While the SugarCRM CVE-2023-22952 zero-day authentication bypass and remote code execution vulnerability might seem like a typical exploit, there-s actually more for defenders to be aware of. [..] This article maps out various attacks against AWS environments following the MITRE ATT&CK Matrix framework, wrapping up with multiple prevention mechanisms an organization can put in place to protect themselves. Some of these protections include taking advantage of controls and services provided by AWS, cloud best practices, and ensuring sufficient data retention to catch the full attack.
https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/
Lexmark Command Injection Vulnerability ZDI-CAN-19470 Pwn2Own Toronto 2022
In December 2022, we competed at our first pwn2own. We were able to successfully exploit the Lexmark MC3224i using a command injection 0-day. This post will detail the process we used to discover, weaponize, and have some fun with this vulnerability.
https://www.horizon3.ai/lexmark-command-injection-vulnerability-zdi-can-19470-pwn2own-toronto-2022/
Theres a good chance your VPN is vulnerable to privacy-menacing TunnelCrack attack
A couple of techniques collectively known as TunnelCrack can, in the right circumstances, be used by snoops to force victims network traffic to go outside their encrypted VPNs, it was demonstrated this week. [..] Their co-authored Usenix-accepted paper [PDF] has all the details. The researchers said they tested more than 60 VPN clients, and found that "all VPN apps" on iOS are vulnerable. Android appears to be most secure of the bunch.
https://www.theregister.com/2023/08/10/tunnelcrack_vpn/
Site Takeover via SCCM-s AdminService API
tl:dr: The SCCM AdminService API is vulnerable to NTLM relaying and can be abused for SCCM site takeover.
https://posts.specterops.io/site-takeover-via-sccms-adminservice-api-d932e22b2bf
A-Z: OPNsense - Penetration Test
We reported found vulnerabilities to OPNsense maintainers and we really want to thank them for a great response. They handled the whole process very professionally, quickly prepared effective patches for many vulnerabilities and included them in the newest release - OPNsense 23.7 -Restless Roadrunner-. Also, they provided us with reasoning behind decision to not patch some of them right now.
https://logicaltrust.net/blog/2023/08/opnsense.html
Lesetipp: Wenn der Microsoft Defender zum Angreifer wird
Forscher haben spannende Details zu einer im April gefixten Lücke im Defender-Signaturupdateprozess veröffentlicht. Sie sehen Potenzial für künftige Angriffe.
https://heise.de/-9241230
Samsonite-Gewinnspiel auf Facebook führt in teure Abo-Falle!
Die betrügerische Facebook-Seite -Koffer-Paradies- verbreitet derzeit ein Gewinnspiel, das in eine teure Abo-Falle führt. Versprochen wird ein Koffer der Marke Samsonite. Achtung! Wer mitspielt, erhält keinen Gewinn, sondern soll monatlich 70 Euro an Kriminelle bezahlen.
https://www.watchlist-internet.at/news/samsonite-gewinnspiel-auf-facebook-fuehrt-in-teure-abo-falle/
Phishing über Amazon Web Services
Sicherheitsforscher von Check Point haben vor einiger Zeit einen weiteren Dienst entdeckt, der für fortschrittliche Phishing-Kampagnen von Hackern missbraucht wird. Diesmal erfolgt der Missbrauch für Phishing-Kampagnen über die Amazon Web Services (AWS). . Das Programm wird zum Versenden von Phishing-E-Mails genutzt, um diesen einen täuschend echten Anstrich zu geben.
https://www.borncity.com/blog/2023/08/11/phishing-ber-amazon-web-services/
Vulnerabilities
AMD and Intel CPU security bugs bring Linux patches
Its not really a Linux problem, but as is so often the case, Linux kernel developers have to clean up after AMD and Intel. It happened again with the chipmakers latest CPU vulnerabilities: AMD Inception and Intel Downfall. To fix these, Linux creator Linus Torvalds has released a new set of patches. Oddly, both are speculative side-channel attacks, which can lead to privileged data leakage to unprivileged processes.
https://www.zdnet.com/article/amd-and-intel-cpu-security-bugs-bring-linux-patches/
Statischer Schlüssel in Dell Compellent leakt Zugangsdaten für VMware vCenter
Aufgrund einer Schwachstelle in Dells Compellent Integration Tools for VMware (CITV) können Angreifer Log-in-Daten entschlüsseln.
https://heise.de/-9241495
Security updates for Friday
Security updates have been issued by Debian (intel-microcode, kernel, and php-dompdf), Fedora (linux-firmware, OpenImageIO, and php), Oracle (aardvark-dns, kernel, linux-firmware, python-flask, and python-werkzeug), SUSE (container-suseconnect, go1.19, gstreamer-plugins-bad, gstreamer-plugins-base, gstreamer-plugins-good, java-11-openjdk, kernel-firmware, kubernetes1.24, openssl-1_1, poppler, python-scipy, qatengine, ucode-intel, util-linux, and vim), and Ubuntu (dotnet6, dotnet7, php-dompdf, and velocity-tools).
https://lwn.net/Articles/941271/
IBM Operational Decision Manager July 2023 - Multiple CVEs
https://www.ibm.com/support/pages/node/7014699
IBM InfoSphere Global Name Management Vulnerable to CVE-2023-30441
https://www.ibm.com/support/pages/node/7025193
App Connect Professional is affected by Bouncy Castle vulnerability.
https://www.ibm.com/support/pages/node/7025330
Multiple Linux Kernel vulnerabilities may affect IBM Elastic Storage System
https://www.ibm.com/support/pages/node/7025344
Vulnerability in the Flask repo may affect affect IBM Elastic Storage System (CVE-2023-30861)
https://www.ibm.com/support/pages/node/7025351
Multiple vulnerabilities in the werkzeug repo affect IBM Elastic Storage System
https://www.ibm.com/support/pages/node/7025349
A vulnerability in IBM WebSphere Application Server Liberty affects IBM Storage Scale packaged in IBM Elastic Storage Server (CVE-2023-24998)
https://www.ibm.com/support/pages/node/7025354
Multiple vulnerabilities may affect CICS Transaction Gateway for Multiplatforms and CICS Transaction Gateway Desktop Edition.
https://www.ibm.com/support/pages/node/7025446
Multiple vulnerabilities may affect CICS Transaction Gateway for Multiplatforms and CICS Transaction Gateway Desktop Edition.
https://www.ibm.com/support/pages/node/7025170
IBM TXSeries for Multiplatforms Web Services is vulnerable to Slowloris attack which is a type of denial-of-service (DoS)
https://www.ibm.com/support/pages/node/7025476
A vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Business Automation Workflow (CVE-2022-40609)
https://www.ibm.com/support/pages/node/7024675