End-of-Day report
Timeframe: Monday 14-08-2023 18:00 - Wednesday 16-08-2023 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
News
Activate 2FA now: Hacker attacks on Linkedin accounts are increasing massively
Cybercriminals have recently been targeting Linkedin accounts more and more. Search queries made on Google confirm this trend.
https://www.golem.de/news/jetzt-2fa-aktivieren-hackerangriffe-auf-linkedin-konten-nehmen-massiv-zu-2308-176794.html
Diverse attacks on Ivanti Enterprise Mobility Management possible (CVE-2023-32560)
The researchers state that they reported the vulnerability in April 2023. EMM version 6.4.1, which is hardened against the attack, was released at the beginning of August. The security researchers published their report in mid-August.
https://www.heise.de/news/Vielfaeltige-Attacken-auf-Ivanti-Enterprise-Mobility-Management-moeglich-9245340.html
IT protection for municipalities: 18 checklists for a quick start
Municipalities are increasingly the targets of cyber attacks. Adequate protection is often hampered by a lack of knowledge and personnel. 18 WiBA checklists from the BSI are intended to change that.
https://heise.de/-9246027
TR-75 - Unauthenticated remote code execution vulnerability in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) - CVE-2023-3519
Use this Checklist to identify if your infrastructure already shows indications of a successful compromise
https://www.circl.lu/pub/tr-75/
Indicators of Compromise Scanner for Citrix ADC Zero-Day (CVE-2023-3519)
Today we are releasing a tool to help organizations scan their Citrix appliances for evidence of post-exploitation activity related to CVE-2023-3519. The tool contains indicators of compromise (IOCs) collected during Mandiant investigations and sourced from our partners and the community. Head over to the Mandiant GitHub page to download the tool today to scan your appliances.
https://www.mandiant.com/resources/blog/citrix-adc-vulnerability-ioc-scanner
l+f: Trojans don't distinguish between good and evil
D'oh! Security researchers have come across around 120,000 malware-infected PCs - belonging to cybercriminals.
https://heise.de/-9244810
Instagram message: Fake complaint about product quality leads to malware
You receive a message on Instagram. In it, a customer complains that your product quality is poor and that the product broke after just 2 days. An image is attached. Do not download the document with the .rar extension; it is malware.
https://www.watchlist-internet.at/news/instagram-nachricht-gefaelschte-beschwerde-ueber-produktqualitaet-fuehrt-zu-schadsoftware/
An Apple malware-flagging tool is "trivially" easy to bypass
Background Task Manager can potentially miss malicious software on your machine.
https://arstechnica.com/?p=1960742
Ongoing scam tricks kids playing Roblox and Fortnite
The scams are often disguised as promotions, and they can all be linked to one network.
https://arstechnica.com/?p=1961085
Raccoon Stealer malware returns with new stealthier version
The developers of Raccoon Stealer information-stealing malware have ended their 6-month hiatus from hacker forums to promote a new 2.3.0 version of the malware to cyber criminals.
https://www.bleepingcomputer.com/news/security/raccoon-stealer-malware-returns-with-new-stealthier-version/
Massive 400,000 proxy botnet built with stealthy malware infections
A new campaign involving the delivery of proxy server apps to Windows systems has been uncovered, where users are reportedly involuntarily acting as residential exit nodes controlled by a private company.
https://www.bleepingcomputer.com/news/security/massive-400-000-proxy-botnet-built-with-stealthy-malware-infections/
QwixxRAT: New Remote Access Trojan Emerges via Telegram and Discord
A new remote access trojan (RAT) called QwixxRAT is being advertised for sale by its threat actor through the Telegram and Discord platforms. "Once installed on the victim's Windows platform machines, the RAT stealthily collects sensitive data, which is then sent to the attacker's Telegram bot, providing them with unauthorized access to the victim's sensitive information," [...]
https://thehackernews.com/2023/08/qwixxrat-new-remote-access-trojan.html
Cookie Crumbles: Breaking and Fixing Web Session Integrity
In this paper, we question the effectiveness of existing protections and study the real-world security implications of cookie integrity issues. In particular, we focus on network and same-site attackers, a class of attackers increasingly becoming a significant threat to Web application security.
https://www.usenix.org/system/files/usenixsecurity23-squarcina.pdf
Chrome 116 Patches 26 Vulnerabilities
Google has released Chrome 116 with patches for 26 vulnerabilities and plans to ship weekly security updates for the popular web browser.
https://www.securityweek.com/chrome-116-patches-26-vulnerabilities/
Monti ransomware targets legal and gov't entities with new Linux-based variant
The Monti hacker gang appears to have resumed its operations after a two-month break, this time claiming to target legal and government entities with a fresh Linux-based ransomware variant, according to new research. Monti was first discovered in June 2022, shortly after the infamous Conti ransomware group went out of business.
https://therecord.media/monti-ransomware-targets-govt-entities
CISA Adds One Known Exploited Vulnerability to Catalog
CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2023-24489 Citrix Content Collaboration ShareFile Improper Access Control Vulnerability - These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.
https://www.cisa.gov/news-events/alerts/2023/08/16/cisa-adds-one-known-exploited-vulnerability-catalog
PowerHell: Active Flaws in PowerShell Gallery Expose Users to Attacks
Recent findings by Aqua Nautilus have exposed significant flaws that are still active in the PowerShell Gallery's policy regarding package names and owners. These flaws make typosquatting attacks inevitable in this registry, while also making it extremely difficult for users to identify the true owner of a package. Consequently, these flaws pave the way for potential supply chain attacks on the registry's vast user base.
https://blog.aquasec.com/powerhell-active-flaws-in-powershell-gallery-expose-users-to-attacks
Vulnerable web servers: Status in Austria
After we reported on vulnerabilities in systems from Citrix, Ivanti and Fortinet in recent weeks, I wanted to know how far along Austria is with patching. We receive daily reports from ShadowServer with the results of their scans across the entire Internet. The "Vulnerable HTTP Report" covers, among other things, vulnerabilities found in web applications. Broken down by vendor, the following trend can be read from the data for Austria: [...]
https://cert.at/de/aktuelles/2023/8/verwundbare-webserver-status-in-osterreich
Vulnerabilities
Advisory | NetModule Router Software Race Condition Leads to Remote Code Execution
CVSSv3.1 Score: 8.4
Affected Vendor & Products: NetModule NB1601, NB1800, NB1810, NB2800, NB2810, NB3701, NB3800, NB800, NG800
Vulnerable version: < 4.6.0.105, < 4.7.0.103
https://pentest.blog/advisory-netmodule-router-software-race-condition-leads-to-remote-code-execution/
Security vulnerabilities: Attackers can place backdoors in data centers
Vulnerabilities in power monitoring and distribution software from CyberPower and Dataprobe endanger data centers.
https://heise.de/-9245788
Vulnerabilities in license plate recognition software endanger Axis surveillance cameras
Several security vulnerabilities in software for Axis surveillance cameras endanger the devices.
https://heise.de/-9245978
Security updates for Tuesday
Security updates have been issued by Debian (samba), Red Hat (.NET 6.0, .NET 7.0, rh-dotnet60-dotnet, rust, rust-toolset-1.66-rust, and rust-toolset:rhel8), and SUSE (kernel and opensuse-welcome).
https://lwn.net/Articles/941658/
Security updates for Wednesday
Security updates have been issued by Debian (datatables.js and openssl), Fedora (ghostscript, java-11-openjdk, java-latest-openjdk, microcode_ctl, and xen), Red Hat (redhat-ds:11), SUSE (java-1_8_0-openj9, kernel, krb5, pcre2, and perl-HTTP-Tiny), and Ubuntu (gstreamer1.0, mysql-8.0, tiff, and webkit2gtk).
https://lwn.net/Articles/941722/
Schneider Electric EcoStruxure Control Expert, Process Expert, Modicon M340, M580 and M580 CPU
Successful exploitation of this vulnerability could allow an attacker to execute unauthorized Modbus functions on the controller when hijacking an authenticated Modbus session.
https://www.cisa.gov/news-events/ics-advisories/icsa-23-227-01
Rockwell Automation Armor PowerFlex
Successful exploitation of this vulnerability could allow an attacker to send an influx of network commands, causing the product to generate an influx of event log traffic at a high rate, resulting in the stop of normal operation.
https://www.cisa.gov/news-events/ics-advisories/icsa-23-227-02
K000135852 : FasterXML jackson-databind vulnerability CVE-2022-42003
https://my.f5.com/manage/s/article/K000135852
CPE2023-003 Vulnerability Mitigation/Remediation for Inkjet Printers (Home and Office/Large Format) - 15 August 2023
https://www.canon-europe.com/support/product-security-latest-news/
[R1] Sensor Proxy Version 1.0.8 Fixes Multiple Vulnerabilities
https://www.tenable.com/security/tns-2023-28
Vulnerabilities in Node.js modules affect IBM Voice Gateway
https://www.ibm.com/support/pages/node/7026694
Security Vulnerabilities affect IBM Cloud Pak for Data - Python (CVE-2019-20907)
https://www.ibm.com/support/pages/node/6380956
Multiple Eclipse Jetty Vulnerabilities Affect IBM Analytic Accelerator Framework for Communication Service Providers & IBM Customer and Network Analytics
https://www.ibm.com/support/pages/node/7027483
AWS SDK for Java as used by IBM QRadar SIEM is vulnerable to path traversal (CVE-2022-31159)
https://www.ibm.com/support/pages/node/7027598
IBM WebSphere Application Server Liberty is vulnerable to a denial of service (CVE-2023-38737)
https://www.ibm.com/support/pages/node/7027509
IBM Cognos Analytics has addressed multiple security vulnerabilities (CVE-2022-48285, CVE-2023-35009, CVE-2023-35011)
https://www.ibm.com/support/pages/node/7026692
Zyxel security advisory for post-authentication command injection in NTP feature of NBG6604 home router
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-post-authentication-command-injection-in-ntp-feature-of-nbg6604-home-router
Zyxel security advisory for DoS vulnerability of XGS2220, XMG1930, and XS1930 series switches
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-dos-vulnerability-of-xgs2220-xmg1930-and-xs1930-series-switches