End-of-Day report
Timeframe: Monday 04-09-2023 18:00 - Tuesday 05-09-2023 18:00
Handler: Robert Waldner
Co-Handler: n/a
News
Hackers exploit MinIO storage system to breach corporate networks
Hackers are exploiting two recent MinIO vulnerabilities to breach object storage systems and access private information, execute arbitrary code, and potentially take over servers.
https://www.bleepingcomputer.com/news/security/hackers-exploit-minio-storage-system-to-breach-corporate-networks/
DarkGate Malware Activity Spikes as Developer Rents Out Malware to Affiliates
A new malspam campaign has been observed deploying an off-the-shelf malware called DarkGate. "The current spike in DarkGate malware activity is plausible given the fact that the developer of the malware has recently started to rent out the malware to a limited number of affiliates," Telekom Security said in a report published last week.
https://thehackernews.com/2023/08/darkgate-malware-activity-spikes-as.html
New Python Variant of Chaes Malware Targets Banking and Logistics Industries
Banking and logistics industries are under the onslaught of a reworked variant of a malware called Chaes. "It has undergone major overhauls: from being rewritten entirely in Python, which resulted in lower detection rates by traditional defense systems, to a comprehensive redesign and an enhanced communication protocol," Morphisec said in a new detailed technical write-up [..]
https://thehackernews.com/2023/09/new-python-variant-of-chaes-malware.html
New BLISTER Malware Update Fuelling Stealthy Network Infiltration
An updated version of a malware loader known as BLISTER is being used as part of SocGholish infection chains to distribute an open-source command-and-control (C2) framework called Mythic. "New BLISTER update includes keying feature that allows for precise targeting of victim networks and lowers exposure within VM/sandbox environments," Elastic Security Labs researchers [..]
https://thehackernews.com/2023/09/new-blister-malware-update-fuelling.html
Nascent Malware Campaign Targets npm, PyPI, and RubyGems Developers
Python Malware: On the morning of September 3, 2023, our automated platform notified us of the first package in this campaign: kwxiaodian [..] This follows a common pattern we see across many early campaigns and one we witnessed a few weeks back [..] Obfuscated JavaScript Packages: At roughly the same time, we received notifications about malicious package publications on npm. RubyGems Package: The RubyGems package follows similar patterns to both the PyPI and npm packages.
https://blog.phylum.io/malware-campaign-targets-npm-pypi-and-rubygems-developers/
Common usernames submitted to honeypots
Based on reader feedback, I decided to take a look at usernames submitted to honeypots. The usernames that are seen on a daily basis look very familiar. [..] I exported the username data from my honeypot, which is a little over 16 months of data
https://isc.sans.edu/diary/rss/30188
Uncovering Web Cache Deception: A Missed Vulnerability in the Most Unexpected Places
During the assessment of the target application, it was observed that the server had implemented restrictions to prevent Web Cache Deception attacks on API/Web endpoints that had session tokens or data in the response. Unfortunately, the same precautions were not implemented on the /404 page or any /nonexistingurl. We discovered that the response for any endpoint that doesn't exist contained PII information without any cache controls in place.
https://blog.agilehunt.com/blogs/security/web-cache-deception-attack-on-404-page-exposing-pii-data-to-unauthenticated-users
What's in a name? [..] The .kids TLD is not alright
Cisco Talos successfully registered the domain name: your-dns-needs-immediate-attention.kids. Talos set up an internet server to log all activity related to this name, and immediately we received a barrage of HTTP requests from systems running Microsoft's "System Center Configuration Manager." [..] we were able to masquerade as a trusted system. Networks using .kids names could be tricked into trusting our system to relay internal mail, dictate configuration management settings, and more.
https://blog.talosintelligence.com/whats-in-a-name/
Inconsistencies in the Common Vulnerability Scoring System (CVSS)
The goal of CVSS is to provide comparable scores across different evaluators. However, previous works indicate that CVSS might not reach this goal: If a vulnerability is evaluated by several analysts, their scores often differ. This raises the following questions: Are CVSS evaluations consistent? Which factors influence CVSS assessments? We systematically investigate these questions in an online survey with 196 CVSS users.
https://www.schneier.com/blog/archives/2023/09/inconsistencies-in-the-common-vulnerability-scoring-system-cvss.html
CVE-2023-4634 - Tricky Unauthenticated RCE on WordPress Media Library Assistant Plugin using a good old Imagick
As discussed in many of our articles, you already know that WordPress and related plugins are taking up a large space in the global attack surface [..] The vulnerability described below is a perfect example
https://patrowl.io/blog-wordpress-media-library-rce-cve-2023-4634/
When URL parsers disagree (CVE-2023-38633)
Discovery and walkthrough of CVE-2023-38633 in librsvg, when two URL parser implementations (Rust and Glib) disagree on file scheme parsing leading to path traversal.
https://www.canva.dev/blog/engineering/when-url-parsers-disagree-cve-2023-38633/
Beware of fraudulent PayPal calls
Your phone rings. You pick up and a recorded voice announces: "Hello, this is PayPal. You have just transferred 738 Euro. To cancel the payment, press 1." Do not press 1 under any circumstances; this is a scam. Hang up!
https://www.watchlist-internet.at/news/vorsicht-vor-betruegerischen-paypal-anrufen/
Vulnerabilities
ASUS routers vulnerable to critical remote code execution flaws
Three critical-severity remote code execution vulnerabilities impact ASUS RT-AX55, RT-AX56U_V2, and RT-AC86U routers, potentially allowing threat actors to hijack devices if security updates are not installed.
https://www.bleepingcomputer.com/news/security/asus-routers-vulnerable-to-critical-remote-code-execution-flaws/
Multiple vulnerabilities in F-RevoCRM
* An attacker who can access the product may execute an arbitrary OS command on the server where the product is running - CVE-2023-41149
* An arbitrary script may be executed on the web browser of the user who is using the product - CVE-2023-41150
https://jvn.jp/en/jp/JVN78113802/
Festo: MSE6-C2M/D2M/E2M Incomplete User Documentation of Remote Accessible Functions (CVE-2023-3634)
Festo developed the products according to the respective state of the art. As a result, the protocols used no longer fully meet today's security requirements. The products are designed and developed for use in sealed-off (industrial) networks. If the network is not adequately sealed off, unauthorized access to the product can cause damage or malfunctions, particularly Denial of Service (DoS) or loss of integrity. Remediation: Update of user documentation in next product version.
https://cert.vde.com/de/advisories/VDE-2023-020/
9 Vulnerabilities Patched in SEL Power System Management Products
Researchers at industrial cybersecurity firm Nozomi Networks have analyzed the company's SEL-5030 acSELerator QuickSet and SEL-5037 Grid Configurator, software products designed to allow engineers and technicians to configure and manage devices for power system protection, control, metering and monitoring, and to create and deploy settings for SEL power system devices. Nozomi researchers discovered a total of nine vulnerabilities, including four that have been assigned a "high severity" rating
https://www.securityweek.com/9-vulnerabilities-patched-in-sel-power-system-management-products/
CISA Releases Two Industrial Control Systems Advisories
* ICSA-23-248-01 Fujitsu Limited Real-time Video Transmission Gear IP series: CVE-2023-38433
* ICSMA-23-248-01 Softneta MedDream PACS Premium: CVE-2023-40150, CVE-2023-39227
https://www.cisa.gov/news-events/alerts/2023/09/05/cisa-releases-two-industrial-control-systems-advisories
AVM: Fritzbox firmware 7.57 and 7.31 close security hole
AVM has released firmware 7.57 and 7.31 for numerous Fritzbox models. It is a stability and security update.
https://heise.de/-9294758
Xen XSA-437: arm32: The cache may not be properly cleaned/invalidated
A malicious guest may be able to read sensitive data from memory that previously belonged to another guest.
CVE ID: CVE-2023-34321
https://xenbits.xen.org/xsa/advisory-437.html
Security updates for Tuesday
Security updates have been issued by Debian (file and thunderbird), Fedora (exercism, libtommath, moby-engine, and python-pyramid), Oracle (cups and kernel), Red Hat (firefox, kernel, kernel-rt, kpatch-patch, and thunderbird), SUSE (amazon-ecs-init, buildah, busybox, djvulibre, exempi, firefox, gsl, keylime, kubernetes1.18, php7, and sccache), and Ubuntu (docker-registry and linux-azure-5.4).
https://lwn.net/Articles/943584/
IBM UrbanCode Build is vulnerable to CVE-2023-24998
https://www.ibm.com/support/pages/node/7030594
IBM UrbanCode Build is vulnerable to CVE-2023-28708
https://www.ibm.com/support/pages/node/7030596
Vulnerabilities found in batik-all-1.7.jar, batik-dom-1.7.jar which are shipped with IBM Intelligent Operations Center (CVE-2018-8013, CVE-2017-5662, CVE-2015-0250)
https://www.ibm.com/support/pages/node/7030598
Due to use of FasterXML Jackson-databind, IBM Cloud Pak for Multicloud Management Monitoring is vulnerable to a denial of service.
https://www.ibm.com/support/pages/node/7030601
Due to use of Kafka, IBM Cloud Pak for Multicloud Management Monitoring could allow a remote attacker to obtain sensitive information.
https://www.ibm.com/support/pages/node/7030604
Due to use of Spark from Hadoop, IBM Cloud Pak for Multicloud Management Monitoring could allow a remote attacker to traverse directories on the system.
https://www.ibm.com/support/pages/node/7030603
Due to use of Apache Cassandra, IBM Cloud Pak for Multicloud Management Monitoring could allow an authenticated attacker to gain elevated privileges.
https://www.ibm.com/support/pages/node/7030602
Due to use of IBM WebSphere Application Server Liberty, IBM Cloud Pak for Multicloud Management Monitoring is vulnerable to multiple vulnerabilities.
https://www.ibm.com/support/pages/node/7030610
Multiple vulnerabilities in IBM Java SDK affect WebSphere Service Registry and Repository due to July 2023 CPU
https://www.ibm.com/support/pages/node/7030605
Due to use of NodeJS, IBM Cloud Pak for Multicloud Management Monitoring is vulnerable to multiple security vulnerabilities.
https://www.ibm.com/support/pages/node/7030612
A security vulnerability has been identified in IBM SDK, Java Technology Edition shipped with IBM Tivoli Business Service Manager (CVE-2022-40609)
https://www.ibm.com/support/pages/node/7030613
Vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Performance Tester
https://www.ibm.com/support/pages/node/7030614
Vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Service Tester
https://www.ibm.com/support/pages/node/7030615
Vulnerability found in commons-io-1.3.1.jar which is shipped with IBM Intelligent Operations Center (CVE-2021-29425)
https://www.ibm.com/support/pages/node/7030617
Vulnerabilities found in poi-ooxml-3.9.jar which is shipped with IBM Intelligent Operations Center (CVE-2017-5644, CVE-2019-12415, CVE-2014-3574, CVE-2014-3529)
https://www.ibm.com/support/pages/node/7030627
Vulnerability found in pdfbox-1.8.1.jar which is shipped with IBM Intelligent Operations Center (220742, CVE-2018-11797, CVE-2016-2175)
https://www.ibm.com/support/pages/node/7030626
Vulnerabilities found in poi-3.9.jar, poi-scratchpad-3.9.jar which are shipped with IBM Intelligent Operations Center (CVE-2017-12626, CVE-2014-9527)
https://www.ibm.com/support/pages/node/7030629
Vulnerabilities found in jackson-mapper-asl-1.9.13.jar which is shipped with IBM Intelligent Operations Center (CVE-2019-10202, CVE-2019-10172)
https://www.ibm.com/support/pages/node/7030623
Multiple Vulnerabilities found in Turf.js which is shipped with IBM Intelligent Operations Center (CVE-2020-15168, CVE-2022-0235)
https://www.ibm.com/support/pages/node/7030624
Vulnerability found in fontbox-1.8.1.jar which is shipped with IBM Intelligent Operations Center (CVE-2018-8036)
https://www.ibm.com/support/pages/node/7030622
Vulnerabilities found in cxf-rt-transports-http-3.0.3.jar which is shipped with IBM Intelligent Operations Center (CVE-2016-6812, CVE-2018-8039, CVE-2020-13954)
https://www.ibm.com/support/pages/node/7030618
Vulnerability found in fop-1.1.jar which is shipped with IBM Intelligent Operations Center (CVE-2017-5661)
https://www.ibm.com/support/pages/node/7030621
Multiple Vulnerabilities found in Turf.js which is shipped with IBM Intelligent Operations Center (CVE-2021-44906, CVE-2020-7598)
https://www.ibm.com/support/pages/node/7030625
Vulnerability found in dom4j-1.6.1.jar which is shipped with IBM Intelligent Operations Center (CVE-2018-1000632)
https://www.ibm.com/support/pages/node/7030619
Vulnerability found in commons-codec-1.5.jar which is shipped with IBM Intelligent Operations Center (177835)
https://www.ibm.com/support/pages/node/7030616
IBM MQ is affected by a denial of service vulnerability in OpenSSL (CVE-2023-2650)
https://www.ibm.com/support/pages/node/7027922
Multiple vulnerabilities found in IBM Java which is shipped with IBM Intelligent Operations Center (CVE-2022-21628, CVE-2022-21626, CVE-2022-21624, CVE-2022-21619)
https://www.ibm.com/support/pages/node/7030632
A vulnerability found in IBM Java which is shipped with IBM Intelligent Operations Center (CVE-2022-3676)
https://www.ibm.com/support/pages/node/7030634
Vulnerability found in dom4j-1.6.1.jar which is shipped with IBM Intelligent Operations Center (CVE-2020-10683)
https://www.ibm.com/support/pages/node/7030636
Vulnerability found in xmlgraphics-commons-1.5.jar which is shipped with IBM Intelligent Operations Center (CVE-2020-11988)
https://www.ibm.com/support/pages/node/7030630
Multiple Vulnerabilities found in IBM DB2 which is shipped with IBM Intelligent Operations Center (CVE-2022-43929, CVE-2022-43927, CVE-2014-3577, CVE-2022-43930)
https://www.ibm.com/support/pages/node/7030638
Vulnerabilities found in batik-bridge-1.7.jar which is shipped with IBM Intelligent Operations Center (CVE-2022-40146, CVE-2022-38648, CVE-2022-38398)
https://www.ibm.com/support/pages/node/7030631
Vulnerability found in cxf-core-3.5.4.jar which is shipped with IBM Intelligent Operations Center (CVE-2022-46364)
https://www.ibm.com/support/pages/node/7030633
Vulnerability found in cxf-rt-transports-http-3.5.3.jar which is shipped with IBM Intelligent Operations Center (CVE-2022-46363)
https://www.ibm.com/support/pages/node/7030635
Vulnerability found in commons-net-1.4.1.jar which is shipped with IBM Intelligent Operations Center (CVE-2021-37533)
https://www.ibm.com/support/pages/node/7030637
A vulnerability found in IBM Java which is shipped with IBM Intelligent Operations Center (CVE-2022-21426)
https://www.ibm.com/support/pages/node/7030641
Vulnerabilities found in jackson-mapper-asl which is shipped with IBM Intelligent Operations Center (CVE-2019-10172, CVE-2019-10202)
https://www.ibm.com/support/pages/node/7030639
Multiple vulnerabilities found in IBM Java which is shipped with IBM Intelligent Operations Center (CVE-2023-21830, CVE-2023-21843)
https://www.ibm.com/support/pages/node/7030640
A vulnerability found in IBM WebSphere Application Server Liberty which is shipped with IBM Intelligent Operations Center (CVE-2023-24998)
https://www.ibm.com/support/pages/node/7030642
A vulnerability found in IBM Java which is shipped with IBM Intelligent Operations Center (CVE-2023-30441)
https://www.ibm.com/support/pages/node/7030643
A vulnerability found in IBM Java which is shipped with IBM Intelligent Operations Center (CVE-2022-40609)
https://www.ibm.com/support/pages/node/7030644
Multiple Angular vulnerabilities affect IBM Tivoli Business Service Manager (CVE-2023-26116, CVE-2023-26117, CVE-2023-26118, CVE-2022-25869, CVE-2022-25844)
https://www.ibm.com/support/pages/node/7030667
IBM SDK, Java Technology Edition, Security Update August 2023
https://www.ibm.com/support/pages/node/7030664
Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Business Service Manager (CVE-2023-22045, CVE-2023-22049)
https://www.ibm.com/support/pages/node/7030666