Daily summary - 01.09.2023

End-of-Day report

Timeframe: Thursday 31-08-2023 18:00 - Friday 01-09-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner

News

Monitoring from the cloud: customer systems hacked thanks to weak default passwords

Attackers apparently exploited weak default passwords to deploy ransomware on on-premises systems of Logicmonitor customers.

https://www.golem.de/news/monitoring-aus-der-cloud-kundensysteme-dank-schwacher-standardpasswoerter-gehackt-2309-177289.html


WordPress Vulnerability & Patch Roundup August 2023

To help educate website owners on emerging threats to their environments, we've compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.

https://blog.sucuri.net/2023/08/wordpress-vulnerability-patch-roundup-august-2023.html


Potential Weaponizing of Honeypot Logs

Escape sequences have long been used to create ASCII art on screens and to customize a user's terminal. Because most terminals support some kind of escape sequence, an attacker who can get raw escape sequences into a log (for example via a honeypot username field) could manipulate the analyst's terminal when that log is viewed, and hypothetically achieve remote code execution on the analyst's system.

https://isc.sans.edu/diary/rss/30178
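As an added illustration (not code from the ISC diary): a Python helper that flags terminal escape sequences in log lines and renders every control byte visibly before the line reaches an analyst's terminal. The sample log lines are constructed for this example; the escape sequences in them (a CSI clear-screen and colour change, an OSC window-title change) are standard terminal controls, and the log layout and field names are assumptions.

```python
import re

# Constructed honeypot log lines (not real captures). The "user" field is
# attacker-controlled, so it may carry raw terminal escape sequences.
SAMPLE_LINES = [
    "2023-08-31T18:02:11Z ssh login user=admin src=203.0.113.5",
    "2023-08-31T18:02:12Z ssh login user=\x1b[2J\x1b[31mroot\x1b[0m src=203.0.113.7",
    "2023-08-31T18:02:13Z ssh login user=\x1b]0;pwned\x07bob src=203.0.113.9",
]

# Recognised escape sequences, used for *detection* (alerting/evidence):
#   CSI   ESC [ params intermediates final     e.g. ESC[2J (clear screen)
#   OSC   ESC ] ... BEL  or  ESC ] ... ESC \    e.g. ESC]0;title BEL
#   Fe    ESC followed by one byte in 0x40-0x5F
#   8-bit CSI (0x9B) with the same body as CSI
ESCAPE_RE = re.compile(
    r"\x1b\[[\x30-\x3f]*[\x20-\x2f]*[\x40-\x7e]"
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"
    r"|\x1b[\x40-\x5f]"
    r"|\x9b[\x30-\x3f]*[\x20-\x2f]*[\x40-\x7e]"
)


def find_escapes(line: str) -> list[str]:
    """Return every recognised escape sequence in the line, in order."""
    return ESCAPE_RE.findall(line)


def sanitize(line: str) -> str:
    """Render every C0/C1 control character (except TAB) as a visible \\xNN token.

    Nothing is silently dropped, so the evidence of what the attacker sent
    survives, but the terminal never receives a raw ESC, BEL or 0x9B byte
    and therefore cannot interpret it.  This deliberately does not rely on
    ESCAPE_RE: a malformed or unknown sequence is neutralised all the same.
    """
    out = []
    for ch in line:
        code = ord(ch)
        is_control = (code < 0x20 and ch != "\t") or code == 0x7F or 0x80 <= code <= 0x9F
        out.append(f"\\x{code:02x}" if is_control else ch)
    return "".join(out)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        hits = find_escapes(line)
        tag = f"ALERT {len(hits)} escape sequence(s)" if hits else "clean"
        print(f"[{tag}] {sanitize(line)}")
```

Run the detector on ingestion (to raise an alert when an attacker tries this) and the sanitiser on every path that prints log content to a terminal; the two are independent on purpose, so a sequence the regex does not know is still made harmless.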


MONDEO: Multistage Botnet Detection

MONDEO is a multistage mechanism with a flexible design to detect DNS-based botnet malware. MONDEO is lightweight and can be deployed without requiring software, agents, or configuration on mobile devices, allowing easy integration in core networks. MONDEO comprises four detection stages: blacklisting/whitelisting, query rate analysis, DGA analysis, and machine learning evaluation. [..] The implementation is available on GitHub.

https://arxiv.org/abs/2308.16570
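A simplified, added illustration of that staged design (written for this summary; it is not MONDEO's code and does not use MONDEO's thresholds): a Python pipeline that runs a constructed window of DNS queries through allow/block lists, a per-client query-rate check and a DGA heuristic on the registrable label. MONDEO's fourth stage (machine-learning evaluation) is not reproduced. The lists, the rate threshold, the scoring weights and the simplification of treating the second-to-last label as the registrable one (no public-suffix list) are assumptions.

```python
import math
from collections import Counter

# Constructed window of (client_ip, queried_name) pairs; not real traffic.
# 10.0.0.7 behaves like a DGA-driven bot, the others are benign or blocklisted.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "mail.example.com"),
    ("10.0.0.9", "known-bad.example.net"),
    ("10.0.0.11", "cdn.static-assets.org"),
    ("10.0.0.7", "xkq3jz8vq2p9.com"),
    ("10.0.0.7", "w8fj2kqlz0sd.com"),
    ("10.0.0.7", "p3qz9xjkv1mn.com"),
    ("10.0.0.7", "tqzvxkjpmnrw.com"),
    ("10.0.0.7", "bcdfghjklmnp.com"),
    ("10.0.0.7", "zxcvbnmqwrtp.com"),
]

ALLOWLIST = {"example.com"}            # trusted zones, suffix match (assumption)
BLOCKLIST = {"known-bad.example.net"}  # known C2 names, exact match (assumption)
RATE_THRESHOLD = 5                     # queries per client per window (assumption)
DGA_ALERT_SCORE = 0.75                 # heuristic score at which a name is a suspect


def in_zone(qname: str, zones: set[str]) -> bool:
    q = qname.lower().rstrip(".")
    return any(q == z or q.endswith("." + z) for z in zones)


def registrable_label(qname: str) -> str:
    """Label left of the TLD (simplification: no public-suffix list)."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def dga_score(qname: str) -> float:
    """Stage 3: cheap lexical DGA heuristic, 0.0 (benign-looking) to 1.0."""
    label = registrable_label(qname)
    if len(label) < 10:           # short labels are rarely algorithmic
        return 0.0
    entropy = shannon_entropy(label)
    digit_ratio = sum(ch.isdigit() for ch in label) / len(label)
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    score = 0.0
    if entropy >= 3.0:            # many distinct characters
        score += 0.5
    if digit_ratio > 0.2:         # digits mixed into the name
        score += 0.25
    if vowel_ratio < 0.2:         # unpronounceable consonant strings
        score += 0.25
    return score


def analyze(queries):
    """Run the window through the stages; each stage only sees what the previous one passed."""
    result = {"allowed": [], "blocked": [], "high_rate_clients": [], "dga_suspects": []}
    remaining = []
    # Stage 1: block/allow lists settle the cheap cases immediately.
    for client, qname in queries:
        if in_zone(qname, BLOCKLIST):
            result["blocked"].append((client, qname))
        elif in_zone(qname, ALLOWLIST):
            result["allowed"].append((client, qname))
        else:
            remaining.append((client, qname))
    # Stage 2: per-client query rate over the window.
    per_client = Counter(client for client, _ in remaining)
    result["high_rate_clients"] = sorted(c for c, n in per_client.items() if n > RATE_THRESHOLD)
    # Stage 3: DGA heuristic on everything still unresolved.
    for client, qname in remaining:
        score = dga_score(qname)
        if score >= DGA_ALERT_SCORE:
            result["dga_suspects"].append((client, qname, score))
    return result


if __name__ == "__main__":
    for stage, items in analyze(SAMPLE_QUERIES).items():
        print(stage, items)
```

The point of the staged layout is cost: list lookups are O(1) per query, the rate counter is a single pass, and only the residue reaches the more expensive per-name analysis (and, in MONDEO, the ML model). Tune the thresholds against your own resolver's baseline before trusting the alerts.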


Mashing Enter to bypass full disk encryption with TPM, Clevis, dracut and systemd

Using the vulnerability described in this advisory an attacker with physical access may take control of an encrypted Linux computer during the early boot process, manually unlock TPM-based disk encryption and either modify or read sensitive information stored on the computer's disk. This blog post runs through how this vulnerability was identified and exploited - no tiny soldering required.

https://pulsesecurity.co.nz/advisories/tpm-luks-bypass


BitLocker, TPM and Pluton | What Are They and How Do They Work

The optimal kind of security measure is imperceptible to the user during deployment and usage. Whenever there is a potential delay or difficulty due to a security feature, there is a high probability that users will attempt to circumvent security. This situation is particularly prevalent for data protection, and that is a scenario that organizations need to prevent.

https://github.com/HotCakeX/Harden-Windows-Security/wiki/BitLocker,-TPM-and-Pluton-%7C--What-Are-They-and-How-Do-They-Work


NetNTLMv1 Downgrade to compromise

In this blog post I'm going to blow your mind with some easy to understand NetNTLMv1 downgrade and relaying stuff. I will keep this blog post simple, so that everyone can follow these steps, but I will link further resources for those who want to get the bigger picture at the end of this post.

https://www.r-tec.net/r-tec-blog-netntlmv1-downgrade-to-compromise.html


Free Decryptor Available for 'Key Group' Ransomware

EclecticIQ has released a free decryption tool to help victims of the Key Group ransomware recover their data without paying a ransom.

https://www.securityweek.com/free-decryptor-available-for-key-group-ransomware/


How companies can get a grip on 'business email compromise'

The delivery methods vary, but the most exploited vector is email as a vehicle for a credential harvesting phishing campaign. Phishing in general has grown in scale and sophistication in recent years, with the most damaging form of phishing from a financial perspective being 'business email compromise' (BEC). According to Check Point Research, credential harvesting makes up about 15% of all email-based attacks but is the most financially damaging category.

https://blog.checkpoint.com/security/how-companies-can-get-a-grip-on-business-email-compromise/

Vulnerabilities

Multiple vulnerabilities in i-PRO VI Web Client

VI Web Client provided by i-PRO Co., Ltd. contains multiple vulnerabilities. Update the software to the latest version according to the information provided by the developer. These vulnerabilities have been addressed in VI Web Client 7.9.6.

https://jvn.jp/en/jp/JVN60140221/


Tinycontrol LAN Controller v3 (LK3) Remote Denial Of Service

The controller suffers from an unauthenticated remote denial of service vulnerability. An attacker can issue direct requests to the stm.cgi page to reboot the device and also to reset it to factory settings.

https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5785.php


Multiple Vulnerabilities in the Autodesk AutoCAD Desktop Software

Autodesk AutoCAD and certain AutoCAD-based products have been affected by Out-of-Bounds Write, Heap-based Buffer Overflow, Untrusted Pointer Dereference, and Memory Corruption vulnerabilities. CVE IDs: CVE-2023-29073, CVE-2023-29074, CVE-2023-29075, CVE-2023-29076, CVE-2023-41139, CVE-2023-41140

https://www.autodesk.com/trust/security-advisories/adsk-sa-2023-0018


Acronis: updates close security holes in several products

Acronis has published security advisories for a total of twelve vulnerabilities in several products. The updates have been available for some time.

https://heise.de/-9291446


Critical vulnerability in Securepoint VPN

Updates are meant to close a critical security vulnerability in Securepoint's VPN software through which attackers can escalate their privileges.

https://heise.de/-9291723


Security updates for Friday

Security updates have been issued by Debian (chromium, firefox-esr, and gst-plugins-ugly1.0), Fedora (firefox, libeconf, libwebsockets, mosquitto, and rust-rustls-webpki), SUSE (amazon-ssm-agent, open-vm-tools, and terraform-provider-helm), and Ubuntu (linux-azure, linux-azure, linux-azure-5.15, linux-azure-fde, linux-gcp-5.15, linux-gcp-5.4, linux-oracle-5.4, linux-gkeop, linux-gkeop-5.15, linux-intel-iotg, linux-kvm, linux-oracle, and python-git).

https://lwn.net/Articles/943302/


IBM Security Bulletins

https://www.ibm.com/support/pages/bulletin/