End-of-Day report
Timeframe: Donnerstag 24-08-2023 18:00 - Freitag 25-08-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
News
Auch Antivirensoftware: Winrar-Schwachstelle betrifft Hunderte weitere Programme
Nicht nur alte Winrar-Versionen sind für eine jüngst gepatchte Sicherheitslücke anfällig, sondern auch zahlreiche weitere Anwendungen.
https://www.golem.de/news/auch-antivirensoftware-winrar-schwachstelle-betrifft-hunderte-weitere-programme-2308-177086.html
FBI-Warnung: Barracuda ESG-Appliances noch immer bedroht, umgehend entfernen
Das FBI warnt vor den Barracuda-ESG-Schwachstellen, die Ende Mai bekannt wurden. Es geht davon aus, dass alle Geräte kompromittiert seien.
https://heise.de/-9284695
-Mammutjagd- auf Online-Marktplätze
Mit dem Toolset "Telekopye" können auch technisch wenig versierte Hacker auf Online-Marktplätzen Jagd auf ahnungslose Käufer - im Gauner-Slang "Mammut" - machen.
https://www.zdnet.de/88411400/mammutjagd-auf-online-marktplaetze/
Jupiter X Core WordPress plugin could let hackers hijack sites
Two vulnerabilities affecting some version of Jupiter X Core, a premium plugin for setting up WordPress and WooCommerce websites, allow hijacking accounts and uploading files without authentication.
https://www.bleepingcomputer.com/news/security/jupiter-x-core-wordpress-plugin-could-let-hackers-hijack-sites/
Python Malware Using Postgresql for C2 Communications, (Fri, Aug 25th)
For modern malware, having access to its C2 (Command and control) is a crucial point. There are many ways to connect to a C2 server using tons of protocols, but today, HTTP remains very common because HTTP is allowed on most networks...
https://isc.sans.edu/diary/rss/30158
Playing Dominos with Moodles Security (1/2)
This is the first blog in a two-part series where we will present our findings on a Moodle security audit we conducted. We were drawn to researching the security aspect of the framework due to its popularity, with the goal of contributing to a safer internet. In this first article, we demonstrate how an unauthenticated attacker can leverage a vulnerability with a supposedly low impact to gain full control over the Moodle instance.
https://www.sonarsource.com/blog/playing-dominos-with-moodles-security-1/
A broken marriage. Abusing mixed vendor Kerberos stacks
*nix based servers and services can be joined to Active Directory networks in the same way as their Windows counterparts. This is usually facilitated through the MIT or Heimdal Kerberos stacks. Kerberos is designed as an authentication-based protocol therefore authorisation decisions are implemented independently to the Kerberos protocol itself. Due to this, different vendor stacks behave differently on how authorisation decisions are made.
https://www.pentestpartners.com/security-blog/a-broken-marriage-abusing-mixed-vendor-kerberos-stacks/
A Beginner-s Guide to Adversary Emulation with Caldera
The target audience for this blog post is individuals who have a basic understanding of cybersecurity concepts and terminology and looking to expand their knowledge on adversary emulation. This post delves into the details of adversary emulation with the Caldera framework exploring the benefits it offers.
https://blog.nviso.eu/2023/08/25/a-beginners-guide-to-adversary-emulation-with-caldera/
Analysis of MS-SQL Server Proxyjacking Cases
AhnLab Security Emergency response Center (ASEC) has recently discovered cases of proxyjacking targeting poorly managed MS-SQL servers. Publicly accessible MS-SQL servers with simple passwords are one of the main attack vectors used when targeting Windows systems. Typically, threat actors target poorly managed MS-SQL servers and attempt to gain access through brute force or dictionary attacks. If successful, they install malware on the infected system.
https://asec.ahnlab.com/en/56350/
Stories from the SOC - Unveiling the stealthy tactics of Aukill malware
On April 21st, 2023, AT&T Managed Extended Detection and Response (Managed XDR) investigated an attempted ransomware attack on one of our clients, a home improvement business. The investigation revealed the attacker used AuKill malware on the clients print server to disable the servers installed endpoint detection and response (EDR) solution by brute-forcing an administrator account and downgrading a driver to a vulnerable version.
https://cybersecurity.att.com/blogs/security-essentials/stories-from-the-soc-silent-sabotage-unveiling-the-stealthy-tactics-of-aukill-malware
Vulnerabilities
Maxon Cinema 4D SKP File Parsing vulnerabilities
CVSS Score: 7.8
CVE-2023-40482, CVE-2023-40483, CVE-2023-40486, CVE-2023-40485, CVE-2023-40484, CVE-2023-40488, CVE-2023-4049[0], CVE-2023-40491, CVE-2023-40487, CVE-2023-40489
Mitigation: Given the nature of the [vulnerabilities], the only salient mitigation strategy is to restrict interaction with the application.
https://www.zerodayinitiative.com/advisories/published/
(0Day) LG Simple Editor vulnerabilities
CVSS Scores: 6.5-9.8
CVE-2023-40502, CVE-2023-40513, CVE-2023-40514, CVE-2023-40515, CVE-2023-40492, CVE-2023-40493, CVE-2023-40494, CVE-2023-40495, CVE-2023-40496, CVE-2023-40497, CVE-2023-40498, CVE-2023-40499, CVE-2023-40500, CVE-2023-40503, CVE-2023-40503, CVE-2023-40504, CVE-2023-40505, CVE-2023-40506, CVE-2023-40507, CVE-2023-40508, CVE-2023-40509, CVE-2023-40510, CVE-2023-40511, CVE-2023-40512, CVE-2023-40501, CVE-2023-40516
[...] they do not have plans to fix the [vulnerabilities]
https://www.zerodayinitiative.com/advisories/published/
(0Day) LG SuperSign Media Editor vulnerabilities
CVSS Scores: 5.3-7.5
CVE-2023-40517, CVE-2023-41181
The vendor states that they do not have plans to fix the [vulnerabilities] now or in the future. [...] Given the nature of the [vulnerabilities], the only salient mitigation strategy is to restrict interaction with the application.
https://www.zerodayinitiative.com/advisories/published/
QNap: [Vulnerabilities] in QTS and QuTS hero
CVE-2023-34971, CVE-2023-34973, CVE-2023-34972
Affected products: QTS 5.1.0, 5.0.1, 4.5.4; QuTS hero h5.1.0, h4.5.4
We have already fixed the [vulnerabilities] in the following operating system versions: * QTS 5.1.0.2444 build 20230629 and later * QTS 5.0.1.2425 build 20230609 and later * QTS 4.5.4.2467 build 20230718 and later * QuTS hero h5.1.0.2424 build 20230609 and later * QuTS hero h4.5.4.2476 build 20230728 and later
https://www.qnap.com/en-us/security-advisories?ref=security_advisory_details
Security updates for Friday
Security updates have been issued by Debian (tryton-server), Fedora (youtube-dl), SUSE (clamav and krb5), and Ubuntu (cjose and fastdds).
https://lwn.net/Articles/942766/
ZDI-23-1224: LG LED Assistant updateFile Directory Traversal Information Disclosure Vulnerability
https://www.zerodayinitiative.com/advisories/ZDI-23-1224/
ZDI-23-1223: LG LED Assistant thumbnail Directory Traversal Information Disclosure Vulnerability
https://www.zerodayinitiative.com/advisories/ZDI-23-1223/
ZDI-23-1222: LG LED Assistant setThumbnailRc Directory Traversal Remote Code Execution Vulnerability
https://www.zerodayinitiative.com/advisories/ZDI-23-1222/
ZDI-23-1221: LG LED Assistant upload Directory Traversal Remote Code Execution Vulnerability
https://www.zerodayinitiative.com/advisories/ZDI-23-1221/
IBM Security Guardium is affected by multiple vulnerabilities (CVE-2023-30435, CVE-2023-30436, CVE-2023-30437)
https://www.ibm.com/support/pages/node/7028506
ISC BIND on IBM i is vulnerable to denial of service due to a memory usage flaw (CVE-2023-2828)
https://www.ibm.com/support/pages/node/7017974
Multiple vulnerabilities found in IBM Java which is shipped with IBM Intelligent Operations Center(CVE-2022-21541, CVE-2022-21540)
https://www.ibm.com/support/pages/node/7028934
IBM App Connect Enterprise Certified Container operands are vulnerable to denial of service due to [CVE-2023-26115]
https://www.ibm.com/support/pages/node/7028936
IBM Spectrum Copy Data Management uses weaker than expected cryptographic algorithms
https://www.ibm.com/support/pages/node/7028841