Tageszusammenfassung - 06.09.2023

End-of-Day report

Timeframe: Dienstag 05-09-2023 18:00 - Mittwoch 06-09-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter

News

Patchday: Schadcode-Attacken auf Android 11, 12, 13 möglich

Google und weitere Hersteller von Android-Geräten haben wichtige Sicherheitsupdates veröffentlicht.

Microsoft überarbeitet Downfall-Empfehlungen; MSI liefert BIOS-Update für UNSUPPORTED_PROCESSOR-Problem

Im August war die sogenannte Downfall-Schwachstelle in Prozessoren bekannt geworden, die ein Abfließen von Informationen ermöglicht. Nun hat Microsoft seinen Support-Beitrag mit Hinweisen zur Downfall-Schwachstelle unter Windows aktualisiert und Informationen zum Deaktivieren der Schutzmaßnahmen entfernt. Weiterhin gab es nach Installation [..]

https://www.borncity.com/blog/2023/09/06/microsoft-berarbeitet-downfall-empfehlungen-msi-liefert-bios-update-fr-unsupported_processor-problem/

Pandoras box is now open: the well-known Mirai trojan arrives in a new disguise to Android-based TV sets and TV boxes

Doctor Web has identified a family of Android.Pandora trojans that compromise Android devices, either during firmware updates or when applications for viewing pirated video content are installed. This backdoor inherited its advanced DDoS-attack capabilities from its ancestor, the well-known Linux.Mirai trojan.

https://news.drweb.com/show/?i=14743

Security Relevant DNS Records, (Wed, Sep 6th)

DNS has a big security impact. DNS is in part responsible for your traffic reaching the correct host on the internet. But there is more to DNS then name resolution. I am going to mention a few security relevant record types here, in no particular order: [..]

https://isc.sans.edu/diary/rss/30194

Bogus URL Shorteners Go Mobile-Only in AdSense Fraud Campaign

Since September 2022, our team has been tracking a bogus URL shortener redirect campaign that started with just a single domain: ois[.]is. By the beginning of 2023, this malware campaign had expanded to over a hundred domain names to redirect traffic to low quality Q&A sites and monetize traffic via Google AdSense. In fact, since the beginning of this year alone, Sucuri-s remote website scanner has detected various strains of this malware on over 24,000 websites.

https://blog.sucuri.net/2023/09/bogus-url-shorteners-go-mobile-only-in-adsense-fraud-campaign.html

Alert: Phishing Campaigns Deliver New SideTwist Backdoor and Agent Tesla Variant

The Iranian threat actor tracked as APT34 has been linked to a new phishing attack that leads to the deployment of a variant of a backdoor called SideTwist. -APT34 has a high level of attack technology, can design different intrusion methods for different types of targets, and has supply chain attack capability,- NSFOCUS Security Labs said in a report published last week.

https://thehackernews.com/2023/09/alert-phishing-campaigns-deliver-new.html

Lord Of The Ring0 - Part 5

In this blog post, I-ll explain two common hooking methods (IRP Hooking and SSDT Hooking) and two different injection techniques from the kernel to the user mode for both shellcode and DLL (APC and CreateThread) with code snippets and examples from Nidhogg.

https://idov31.github.io/2023/07/19/lord-of-the-ring0-p5.html

A review of SolarWinds attack on Orion platform using persistent threat agents and techniques for gaining unauthorized access

This paper of work examines the SolarWinds attack, designed on Orion Platform security incident. It analyses the persistent threats agents and potential technical attack techniques to gain unauthorized access. [..] It concludes with necessary remediation actions on cyber hygiene countermeasures, common vulnerabilities and exposure analysis and solutions.

https://arxiv.org/abs/2308.10294

What is ISO 27002:2022 Control 8.9? A Quick Look at the Essentials

Configuration management is now presented as a new control in the new, revised edition of ISO 27002:2022 (Control 8.9). It is a crucial component of an organizations security management. This blog will guide you through the essentials of Control 8.9.

https://www.tripwire.com/state-of-security/what-iso-270022022-control-89-quick-look-essentials

Peeking under the bonnet of the Litter Robot 3

I began to wonder what interesting things I may find when doing a small tear down of the Litter Robot-s components including the PCB, firmware, and mobile application. [..] So, please follow me on my journey to understanding the extraction and analysis of an ESP32 IOT device, reverse engineering a Flutter mobile application, and capturing and analysing the network traffic between the device, the mobile app and the internet.

https://www.elttam.com/blog/re-of-lr3/

Experts Fear Crooks are Cracking Keys Stolen in LastPass Breach

[..] Palant said while LastPass indeed improved its master password defaults in 2018, it did not force all existing customers who had master passwords of lesser lengths to pick new credentials [..] Palant believes LastPass also failed to upgrade many older, original customers to more secure encryption protections [..] According to MetaMask-s Monahan, users who stored any important passwords with LastPass [..] should change those credentials immediately

https://krebsonsecurity.com/2023/09/experts-fear-crooks-are-cracking-keys-stolen-in-lastpass-breach/

Android 14 blocks all modification of system certificates, even as root

If youre an Android developer, tester, reverse engineer, or anybody else interested in directly controlling who your device trusts, this is going to create some new challenges. Before we get into the finer details, first I want to talk a little about the context around Android CA management and how we got here [..]

https://httptoolkit.com/blog/android-14-breaks-system-certificate-installation/

You patched yet? Years-old Microsoft security holes still hot targets for cyber-crooks

And so we can believe it when Qualys yesterday said 15 of the 20 most-exploited software vulnerabilities it has observed are in Microsofts code. [..] The No. 1 flaw on the list was patched in November 2017, a code execution hole in Microsoft Offices Equation Editor wed have hoped had been mostly mitigated by now.

https://www.theregister.com/2023/09/05/qualys_top_20_vulnerabilities/

Code Vulnerabilities Leak Emails in Proton Mail

In this blog post, we first present the technical details of the vulnerabilities we found in Proton Mail. We show how an innocent-looking piece of code led to a Cross-Site Scripting issue that made it possible for attackers to steal unencrypted emails and impersonate victims. As part of a 3-post series, we will cover other severe vulnerabilities we found in Skiff and Tutanota Desktop in the coming weeks.

https://www.sonarsource.com/blog/code-vulnerabilities-leak-emails-in-proton-mail/

4,500 of the Top 1 Million Websites Leaked Source Code, Secrets

We scanned the Alexa Top 1 Million Websites for leaked secrets. We found thousands of exposed source code repositories and hundreds of live API keys. These are our top 5 takeaways

https://trufflesecurity.com/blog/4500-of-the-top-1-million-websites-leaked-source-code-secrets/

Apache Superset Part II: RCE, Credential Harvesting and More

In this post, we disclose all the issues we-ve reported to Superset, including two new high severity vulnerabilities, CVE-2023-39265 and CVE-2023-37941, that are fixed in the just released 2.1.1 version of Superset. We strongly recommend that all Superset users upgrade to this version.

https://www.horizon3.ai/apache-superset-part-ii-rce-credential-harvesting-and-more/

New phishing tool hijacked thousands of Microsoft business email accounts

Researchers have uncovered a hidden -phishing empire- targeting businesses in Europe, Australia and the U.S. with a sophisticated new tool. A hacking group called W3LL, which has been active since at least 2017, has created an English-language underground marketplace to sell a phishing kit that can bypass multi-factor authentication, according to a report [..]

https://therecord.media/w3ll-phishing-toolkit-bec-microsoft-365-accounts

Distribution of Backdoor via Malicious LNK: RedEyes (ScarCruft)

AhnLab Security Emergency response Center (ASEC) has confirmed that malware [1], which was previously distributed in CHM format, is now being distributed in LNK format. This malware executes additional scripts located at a specific URL through the mshta process. It then receives commands from the threat actor-s server to carry out additional malicious behaviors.

https://asec.ahnlab.com/en/56756/

SapphireStealer: Open-source information stealer enables credential and data theft

SapphireStealer appears to be delivered as part of a multi-stage infection process, with threat actors leveraging open-source malware downloaders like FUD-Loader to deliver SapphireStealer to potential victims.

https://blog.talosintelligence.com/sapphirestealer-goes-open-source/

Threat Actor Continues to Plague the Open-Source Ecosystem with Sophisticated Info-Stealing Malware

In May, we sounded the alarm about PYTA31, an advanced persistent threat actor distributing the -WhiteSnake- malware. Since then, we-ve been rigorously monitoring this group, which has been active from April through mid-August, distributing malicious PyPI packages laced with -WhiteSnake Malware.-

https://checkmarx.com/blog/threat-actor-continues-to-plague-the-open-source-ecosystem-with-sophisticated-info-stealing-malware/

Vulnerabilities

Sicherheitsupdates: Angreifer können Kontrolle über Asus-Router erlangen

Mehrere Sicherheitslücken gefährden verschiedene Router-Modelle von Asus. Patches sichern Geräte ab.

https://heise.de/-9296210

Webbrowser: Hochriskante Schwachstellen in Google Chrome geschlossen

Google stopft mit aktualisiertern Chrome-Versionen vier als hochriskant eingestufte Sicherheitslücken.

https://heise.de/-9295977

Researchers Discover Critical Vulnerability in PHPFusion CMS

No patch is available yet for the bug, which can enable remote code execution under the correct circumstances.

https://www.darkreading.com/application-security/researchers-discover-critical-vulnerability-in-phpfusion-cms

Forthcoming OpenSSL Release

The OpenSSL project team would like to announce the forthcoming release of OpenSSL version 1.1.1w. This release will be made available on Monday 11th September 2023 between 1300-1700 UTC. This is a security-fix release. The highest severity issue fixed in this release is Low

https://mta.openssl.org/pipermail/openssl-announce/2023-September/000271.html

2023-08 Out-of-Cycle Security Bulletin: Junos OS: SRX Series and EX Series: Multiple vulnerabilities in J-Web can be combined to allow a preAuth Remote Code Execution

2023-09-05: Important update for SRX customers

https://supportportal.juniper.net/s/article/2023-08-Out-of-Cycle-Security-Bulletin-Junos-OS-SRX-Series-and-EX-Series-Multiple-vulnerabilities-in-J-Web-can-be-combined-to-allow-a-preAuth-Remote-Code-Execution

Security updates for Wednesday

Security updates have been issued by Debian (aom and php7.3), Fedora (freeimage and mingw-freeimage), Scientific Linux (thunderbird), SUSE (amazon-ssm-agent, chromium, container-suseconnect, docker, glib2, php7, python-Django1, and rubygem-rails-html-sanitizer), and Ubuntu (kernel, linux, linux-aws, linux-aws-5.4, linux-gcp, linux-hwe-5.4, linux-ibm, linux-iot, linux-kvm, linux-oracle, linux-oracle-5.4, linux, linux-aws, linux-aws-6.2, linux-hwe-6.2, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-6.2, linux-raspi, linux, linux-aws, linux-aws-hwe, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, and linux, linux-gcp, linux-hwe-5.15, linux-ibm, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia).

https://lwn.net/Articles/943679/

VU#304455: Authentication Bypass in Tenda N300 Wireless N VDSL2 Modem Router

https://kb.cert.org/vuls/id/304455

Stored Cross-Site Scripting Vulnerability Patched in Newsletter WordPress Plugin

https://www.wordfence.com/blog/2023/09/stored-cross-site-scripting-vulnerability-patched-in-newsletter-wordpress-plugin/