Daily Summary - 07.09.2023

End-of-Day report

Timeframe: Wednesday 06-09-2023 18:00 - Thursday 07-09-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner

News

Next-Generation Context Aware Password Cracking

TL;DR: Using ChatGPT, an attacker can generate a list of password guesses based on the context of the target, such as a company's description or social media accounts.

https://medium.com/@doctoreww/next-generation-context-aware-password-cracking-39b65e3aa976


Cisco warns of partly critical vulnerabilities and ships updates for several products

Several Cisco products contain security vulnerabilities that are to be closed by updates. One of them is even rated critical.

https://heise.de/-9297182


FreeWorld ransomware attacks MSSQL - get your databases off the Internet

When we think of ransomware and brute force password guessing attacks, we normally think of RDP, but recent research from Securonix reminds us that anything secured with a password and exposed to the internet is of interest to cybercriminals.

https://www.malwarebytes.com/blog/news/2023/09/freeworld-ransomware-attacks-via-mssql-take-your-databases-off-the-internet


Ozempic, Wegovy & Co: Beware of fake shops selling "slimming products"

Diabetes medications such as Ozempic, Saxenda or Metformin have been affected by supply shortages for some time. The reason: Elon Musk, Kim Kardashian and other celebrities use these and similar drugs to lose weight, and the hype around these "weight-loss injections" was not long in coming. It is a trend that criminals are exploiting as well: they offer the actually prescription-only drugs in fake shops as slimming products.

https://www.watchlist-internet.at/news/ozempic-wegovy-co-vorsicht-vor-fake-shops-mit-schlankheitsmitteln/


A classification of CTI Data feeds

We at CERT.at process and share a wide selection of cyber threat intelligence (CTI) as part of our core mission as Austria's hub for IT security information. Right now, we are involved in two projects that involve the purchase of commercial CTI. I encountered some varying views on what CTI is and what one should do with the indicators of compromise (IoCs) that are part of a CTI feed. This blog post describes my view on this topic.

https://cert.at/en/blog/2023/9/cti-data-feeds


Cybercriminals target graphic designers with GPU miners

Cybercriminals are abusing Advanced Installer, a legitimate Windows tool used for creating software packages, to drop cryptocurrency-mining malware including PhoenixMiner and lolMiner on infected machines.

https://blog.talosintelligence.com/cybercriminals-target-graphic-designers-with-gpu-miners/


CISA Releases Update to Threat Actors Exploiting Citrix CVE-2023-3519 to Implant Webshells

This Cybersecurity Advisory has been updated with new tactics, techniques, and procedures (TTPs) as well as indicators of compromise (IOCs) received from an additional victim and trusted third parties.

https://www.cisa.gov/news-events/alerts/2023/09/06/cisa-releases-update-threat-actors-exploiting-citrix-cve-2023-3519-implant-webshells


MAR-10430311-1.v1 Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475

CISA received 4 files for analysis from an incident response engagement conducted at an Aeronautical Sector organization [..] CISA has provided indicators of compromise (IOCs) and YARA rules for detection within this Malware Analysis Report (MAR).

https://www.cisa.gov/news-events/analysis-reports/ar23-250a

Vulnerabilities

Aruba controllers and gateways with high-risk security vulnerabilities

Updates are available for Aruba controllers and gateways of the 9000 and 9200 series that close high-risk security vulnerabilities.

https://heise.de/-9297925


Cisco Security Advisories 2023-09-06 - 2023-09-06

Cisco has released 6 security advisories: (1x Critical, 1x High, 4x Medium)

https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs=1&firstPublishedStartDate=2023%2F09%2F06&firstPublishedEndDate=2023%2F09%2F06


Security updates: unauthorized access to TP-Link routers possible

Attackers can attack various TP-Link routers and, in the worst case, execute their own commands on the devices.

https://heise.de/-9297306


2023-08 Out-of-Cycle Security Bulletin: Junos OS: SRX Series and EX Series: Multiple vulnerabilities in J-Web can be combined to allow a preAuth Remote Code Execution

Update - September 5th 2023: A new variant of the SRX upload vulnerability has been published by external researchers (CVE-2023-36851). All fixes listed under Solution below break the RCE chain.

https://supportportal.juniper.net/s/article/2023-08-Out-of-Cycle-Security-Bulletin-Junos-OS-SRX-Series-and-EX-Series-Multiple-vulnerabilities-in-J-Web-can-be-combined-to-allow-a-preAuth-Remote-Code-Execution


Wordfence Intelligence Weekly WordPress Vulnerability Report (August 28, 2023 to September 3, 2023)

Last week, there were 64 vulnerabilities disclosed in 61 WordPress Plugins and 2 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 32 Vulnerability Researchers that contributed to WordPress Security last week.

https://www.wordfence.com/blog/2023/09/wordfence-intelligence-weekly-wordpress-vulnerability-report-august-28-2023-to-september-3-2023/


Security updates for Thursday

Security updates have been issued by Fedora (erofs-utils, htmltest, indent, libeconf, netconsd, php-phpmailer6, tinyexr, and vim), Red Hat (firefox), and Ubuntu (linux-aws, linux-aws-5.15, linux-ibm-5.15, linux-oracle, linux-oracle-5.15, linux-azure, linux-azure-fde-5.15, linux-gke, linux-gkeop, linux-intel-iotg-5.15, linux-raspi, linux-oem-6.1, linux-raspi, linux-raspi-5.4, shiro, and sox).

https://lwn.net/Articles/943856/


CVE-2023-4528: Java Deserialization Vulnerability in JSCAPE MFT (Fixed)

CVE-2023-4528 affects all versions of JSCAPE MFT Server prior to version 2023.1.9 on all platforms (Windows, Linux, and MacOS). See the JSCAPE advisory for more information [..] CVE-2023-4528 has been addressed in JSCAPE version 2023.1.9 which is now available for customer deployment.

https://www.rapid7.com/blog/post/2023/09/07/cve-2023-4528-java-deserialization-vulnerability-in-jscape-mft-fixed/


CISA Releases Four Industrial Control Systems Advisories

ICSA-23-250-01 Dover Fueling Solutions MAGLINK LX Console (CVSS v3 9.1), ICSA-23-250-02 Phoenix Contact TC ROUTER and TC CLOUD CLIENT (CVSS v3 9.6), ICSA-23-250-03 Socomec MOD3GP-SY-120K (CVSS v3 10.0), ICSA-23-157-01 Delta Electronics CNCSoft-B DOPSoft (Update) (CVSS v3 7.8)

https://www.cisa.gov/news-events/alerts/2023/09/07/cisa-releases-four-industrial-control-systems-advisories


Drupal: WebProfiler - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-044

https://www.drupal.org/sa-contrib-2023-044


Drupal: highlight.php - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-043

https://www.drupal.org/sa-contrib-2023-043


IBM Security Bulletins

https://www.ibm.com/support/pages/bulletin/