End-of-Day report
Timeframe: Wednesday 16-08-2023 18:00 - Thursday 17-08-2023 18:00
Handler: Robert Waldner
Co-Handler: n/a
News
Triple Extortion Ransomware and the Cybercrime Supply Chain
Ransomware attacks continue to grow both in sophistication and quantity. 2023 has already seen more ransomware attacks involving data exfiltration and extortion than all of 2022, an increasing trend we expect to continue.
This article will explore the business model of ransomware groups and the complex cybercrime ecosystem that has sprung up around them.
https://www.bleepingcomputer.com/news/security/triple-extortion-ransomware-and-the-cybercrime-supply-chain/
New Apple iOS 16 Exploit Enables Stealthy Cellular Access Under Fake Airplane Mode
The method "tricks the victim into thinking their device's Airplane Mode works when in reality the attacker (following successful device exploit) has planted an artificial Airplane Mode which edits the UI to display Airplane Mode icon and cuts internet connection to all apps except the attacker application," [..]
https://thehackernews.com/2023/08/new-apple-ios-16-exploit-enables.html
CISA Releases JCDC Remote Monitoring and Management (RMM) Cyber Defense Plan
This plan addresses systemic risks arising from the exploitation of RMM software. Cyber threat actors can gain footholds via RMM software into managed service provider (MSP) or managed security service provider (MSSP) servers and, by extension, can cause cascading impacts for the small and medium-sized organizations that are MSP/MSSP customers.
https://www.cisa.gov/news-events/alerts/2023/08/16/cisa-releases-jcdc-remote-monitoring-and-management-rmm-cyber-defense-plan
Attackers are targeting Citrix ShareFile
The US agency [CISA] has added the "critical" vulnerability (CVE-2023-24489) to its catalog of known exploited vulnerabilities. The extent of the attacks is currently unknown. [..] The vulnerability has been known since June 2023. The patched version 5.11.24 has also been available since then.
https://www.heise.de/news/Jetzt-patchen-Angreifer-attackieren-Citrix-ShareFile-9247830.html
Wordfence Intelligence Weekly WordPress Vulnerability Report (August 7, 2023 to August 13, 2023)
Last week, there were 86 vulnerabilities disclosed in 68 WordPress Plugins and 3 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database [..]
Patch Status:
- Unpatched 25
- Patched 61
https://www.wordfence.com/blog/2023/08/wordfence-intelligence-weekly-wordpress-vulnerability-report-august-7-2023-to-august-13-2023/
Phishing campaign targets Zimbra users
The campaign has been active since at least April 2023 and, according to security researchers at ESET, is ongoing.
https://www.zdnet.de/88411237/phishing-kampagne-zielt-auf-zimbra-nutzer-ab/
Vulnerabilities
PAN-SA-2023-0004 Informational Bulletin: Impact of TunnelCrack Vulnerabilities (CVE-2023-36671 CVE-2023-36672 CVE-2023-35838 CVE-2023-36673)
LocalNet attack is only applicable to GlobalProtect Agent configurations that allow direct access to the local network setting in the Split Tunnel tab on the firewall configuration. ServerIP attack is relevant only to PAN-OS firewall configurations with a GlobalProtect gateway enabled. You can verify whether you have a GlobalProtect portal or gateway configured by checking for entries in Network > GlobalProtect > Gateways from the web interface.
https://security.paloaltonetworks.com/PAN-SA-2023-0004
ClamAV 1.1.1, 1.0.2, 0.103.9 patch versions published
- CVE-2023-20197 Fixed a possible denial of service vulnerability in the HFS+ file parser.
- CVE-2023-20212 Fixed a possible denial of service vulnerability in the AutoIt file parser. This issue affects versions 1.0.1 and 1.0.0. This issue does not affect version 1.1.0.
ClamAV 0.105 and 0.104 have reached end-of-life according to the ClamAV End of Life (EOL) policy and will not be patched.
https://blog.clamav.net/2023/07/2023-08-16-releases.html
Parsec Remote Desktop App is prone to a local elevation of privilege due to a logical flaw in its code integrity verification process
By exploiting this race condition, a local attacker could swap out the officially signed Parsec DLL with a DLL that they created, which would subsequently be executed as the SYSTEM user as described in CVE-2023-37250. The vulnerability applies to a "Per User" installation as opposed to a "Shared User" installation. An update has been made available.
https://kb.cert.org/vuls/id/287122
TYPO3-EXT-SA-2023-007: Broken Access Control in extension "hCaptcha for EXT:form" (hcaptcha)
The extension fails to check the requirement of the captcha field in submitted form data, allowing a remote user to bypass the captcha check. [..] An updated version 2.1.2 is available.
https://typo3.org/security/advisory/typo3-ext-sa-2023-007
Varnish Enterprise/Cache: Base64 decoding vulnerability in vmod-digest
The potential outcome of the vulnerability can be both authentication bypass and information disclosure, however the exact attack surface will depend on the particular VCL configuration in use. [..]
Affected software versions:
- vmod-digest shipped with Varnish Enterprise 6.0 series up to and including 6.0.11r4.
- vmod-digest for Varnish Cache 6.0 LTS built on upstream source code prior to 2023-08-17.
- vmod-digest for Varnish Cache trunk built on upstream source code prior to 2023-08-17.
https://docs.varnish-software.com/security/VSV00012/
IP telephony: vulnerabilities in the provisioning of Zoom and Audiocodes
Security expert Moritz Abrell of SySS has discovered vulnerabilities in IP telephony using the Zoom Zero Touch Provisioning process in combination with Audiocodes 400HD phones. [..] According to the descriptions, attackers could eavesdrop on call content, form a botnet from infected devices, or, based on the compromise of the end devices, attack the networks in which they are operated.
https://www.heise.de/news/IP-Telefonie-Schwachstellen-in-der-Provisionierung-von-Zoom-und-Audiocodes-9247685.html
Synology-SA-23:11 Synology Camera
A vulnerability allows remote attackers to execute arbitrary code via a susceptible version of Synology Camera BC500 Firmware and Synology Camera TC500 Firmware.
Solution: Upgrade to 1.0.5-0185 or above.
Workaround: Setting up firewall rules to allow only trusted clients to connect can be used as a temporary mitigation.
https://www.synology.com/en-global/security/advisory/Synology_SA_23_11
CISA Releases Three Industrial Control Systems Advisories
- ICSA-23-229-01 ICONICS and Mitsubishi Electric Products: CVE-2022-3602, CVE-2022-3786, CVE-2022-4203, CVE-2022-4304, CVE-2022-4450, CVE-2023-0401
- ICSA-23-229-03 Schneider Electric PowerLogic ION7400 PM8000 ION9000 Power Meters: CVE-2022-46680
- ICSA-23-229-04 Walchem Intuition 9: CVE-2022-3602, CVE-2022-3786, CVE-2022-4203, CVE-2022-4304, CVE-2022-4450, CVE-2023-0401
https://www.cisa.gov/news-events/alerts/2023/08/17/cisa-releases-three-industrial-control-systems-advisories
Privilege Escalation in IBM Spectrum Virtualize
During a cursory security review, Certitude identified two vulnerabilities in the firmware of the IBM Spectrum Virtualize storage solution. One of the vulnerabilities allows a user of the administration interface who has only limited permissions to execute arbitrary code.
https://certitude.consulting/blog/de/privilege-escalation-in-ibm-spectrum-virtualize-de/
Atlassian Releases Security Update for Confluence Server and Data Center
Atlassian has released its security bulletin for August 2023 to address a vulnerability in Confluence Server and Data Center, CVE-2023-28709. A remote attacker can exploit this vulnerability to cause a denial-of-service condition. CISA encourages users and administrators to review Atlassian's August 2023 Security Bulletin and apply the necessary update.
https://www.cisa.gov/news-events/alerts/2023/08/17/atlassian-releases-security-update-confluence-server-and-data-center
Cisco Integrated Management Controller Cross-Site Scripting Vulnerability
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cimc-xss-UMYtYEtr
Cisco Umbrella Virtual Appliance Undocumented Support Tunnel Vulnerability
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-umbrella-tunnel-gJw5thgE
Cisco Unified Contact Center Express Finesse Portal Web Cache Poisoning Vulnerability
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-uccx-wcp-JJeqDT3S
Cisco ThousandEyes Enterprise Agent Virtual Appliance Privilege Escalation Vulnerability
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-thoueye-privesc-NVhHGwb3
Cisco ThousandEyes Enterprise Agent Virtual Appliance Privilege Escalation Vulnerability
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-te-va-priv-esc-PUdgrx8E
Cisco Prime Infrastructure and Evolved Programmable Network Manager Stored Cross-Site Scripting Vulnerability
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-pi-epnm-storedxss-tTjO62r
Cisco Prime Infrastructure and Evolved Programmable Network Manager Cross-Site Scripting Vulnerabilities
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-pi-epnm-BFjSRJP5
Cisco Intersight Private Virtual Appliance Command Injection Vulnerabilities
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ivpa-cmdinj-C5XRbbOy
Cisco Identity Services Engine Device Credential Information Disclosure Vulnerability
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ise-credentials-tkTO3h3
Cisco IP Phone 6800, 7800, and 8800 Series with Multiplatform Firmware Cross-Site Request Forgery Vulnerability
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ipphone-csrf-HOCmXW2c
Cisco Intersight Virtual Appliance Unauthenticated Port Forwarding Vulnerability
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-intersight-forward-C45ncgqb
Cisco Expressway Series and Cisco TelePresence Video Communication Server Command Injection Vulnerability
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-expressway-injection-X475EbTQ
Cisco Duo Device Health Application for Windows Arbitrary File Write Vulnerability
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-duo-dha-filewrite-xPMBMZAK
Cisco Unified Communications Manager SQL Injection Vulnerability
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-injection-g6MbwH2
Cisco Unified Communications Products Cross-Site Scripting Vulnerability
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-imp-xss-QtT4VdsK
ClamAV HFS+ File Scanning Infinite Loop Denial of Service Vulnerability
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-clamav-rNwNEEee
ClamAV AutoIt Module Denial of Service Vulnerability
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-clamav-dos-FTkhqMWZ
Vulnerability in Apache Tomcat Server (CVE-2023-28709) affects Power HMC
https://www.ibm.com/support/pages/node/7005499
IBM Security Guardium is affected by Using Components with Known Vulnerabilities [CVE-2018-8909, CVE-2021-41100 and CVE-2021-41119]
https://www.ibm.com/support/pages/node/7027854
IBM Security Guardium is affected by a Command injection in CLI vulnerability [CVE-2023-35893]
https://www.ibm.com/support/pages/node/7027853
IBM Security Guardium is affected by several vulnerabilities
https://www.ibm.com/support/pages/node/7007815
Vulnerability in IBM Java SDK and IBM Java Runtime affects Rational Functional Tester
https://www.ibm.com/support/pages/node/7027855
IBM Security Guardium is affected by multiple vulnerabilities (CVE-2023-22809, CVE-2019-12490, CVE-2023-0041)
https://www.ibm.com/support/pages/node/7000021
IBM Security Guardium is affected by multiple Oracle® MySQL vulnerabilities
https://www.ibm.com/support/pages/node/6981105
IBM Security Guardium is affected by a denial of service vulnerability in MIT krb5 (CVE-2022-42898)
https://www.ibm.com/support/pages/node/6981101
Security Vulnerabilities affect IBM Cloud Pak for Data - Python (CVE-2019-20907)
https://www.ibm.com/support/pages/node/6380954
Security Vulnerabilities affect IBM Cloud Pak for Data - Golang (CVE-2020-24553)
https://www.ibm.com/support/pages/node/6380968
Security Vulnerabilities in GNU glibc affect IBM Cloud Pak for Data - GNU glibc (CVE-2020-1751)
https://www.ibm.com/support/pages/node/6381220
Vulnerability in IBM JDK (CVE-2022-40609) affects Power HMC
https://www.ibm.com/support/pages/node/7027898
IBM WebSphere Application Server Liberty, which is bundled with IBM Cloud Pak for Applications, is vulnerable to a denial of service (CVE-2023-38737)
https://www.ibm.com/support/pages/node/7027921
IBM WebSphere Application Server Liberty, which is bundled with IBM WebSphere Hybrid Edition, is vulnerable to a denial of service (CVE-2023-38737)
https://www.ibm.com/support/pages/node/7027919