End-of-Day report
Timeframe: Mittwoch 06-09-2023 18:00 - Donnerstag 07-09-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Robert Waldner
News
Next-Generation Context Aware Password Cracking
TLDR; Using ChatGPT, an attacker can generate a list of password guesses based on the context of the target such as a company-s description or social media accounts.
https://medium.com/@doctoreww/next-generation-context-aware-password-cracking-39b65e3aa976
Cisco warnt vor teils kritischen Lücken und liefert Updates für mehrere Produkte
In mehreren Cisco-Produkten lauern Sicherheitslücken, die Updates schließen sollen. Eine gilt sogar als kritisch.
https://heise.de/-9297182
FreeWorld ransomware attacks MSSQL-get your databases off the Internet
When we think of ransomware and brute force password guessing attacks, we normally think of RDP, but recent research from Securonix reminds us that anything secured with a password and exposed to the internet is of interest to cybercriminals.
https://www.malwarebytes.com/blog/news/2023/09/freeworld-ransomware-attacks-via-mssql-take-your-databases-off-the-internet
Ozempic, Wegovy & Co: Vorsicht vor Fake-Shops mit -Schlankheitsmitteln-
Diabetes-Medikamente wie Ozempic, Saxenda oder Metformin sind seit einiger Zeit von Lieferengpässen betroffen. Der Grund: Elon Musk, Kim Kardashian und andere Prominente nutzen diese und ähnliche Medikamente zum Abnehmen, der Hype dieser -Abnehmspritzen- ließ nicht lange auf sich warten. Ein Trend, den sich auch Kriminelle zunutze machen. Sie bieten die eigentlich verschreibungspflichtigen Medikamente in Fake-Shops als Schlankheitsmittel an.
https://www.watchlist-internet.at/news/ozempic-wegovy-co-vorsicht-vor-fake-shops-mit-schlankheitsmitteln/
A classification of CTI Data feeds
We at CERT.at process and share a wide selection of cyber threat intelligence (CTI) as part of our core mission as Austria-s hub for IT security information. Right now, we are involved in two projects that involve the purchase of commercial CTI. I encountered some varying views on what CTI is and what one should do with the indicators of compromise (IoCs) that are part of a CTI feed. This blog post describes my view on this topic.
https://cert.at/en/blog/2023/9/cti-data-feeds
Cybercriminals target graphic designers with GPU miners
Cybercriminals are abusing Advanced Installer, a legitimate Windows tool used for creating software packages, to drop cryptocurrency-mining malware including PhoenixMiner and lolMiner on infected machines.
https://blog.talosintelligence.com/cybercriminals-target-graphic-designers-with-gpu-miners/
CISA Releases Update to Threat Actors Exploiting Citrix CVE-2023-3519 to Implant Webshells
This Cybersecurity Advisory has been updated with new tactics, techniques, and procedures (TTPs) as well as indicators of compromise (IOCs) received from an additional victim and trusted third parties.
https://www.cisa.gov/news-events/alerts/2023/09/06/cisa-releases-update-threat-actors-exploiting-citrix-cve-2023-3519-implant-webshells
MAR-10430311-1.v1 Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475
CISA received 4 files for analysis from an incident response engagement conducted at an Aeronautical Sector organization [..] CISA has provided indicators of compromise (IOCs) and YARA rules for detection within this Malware Analysis Report (MAR).
https://www.cisa.gov/news-events/analysis-reports/ar23-250a
Vulnerabilities
Aruba-Controller und -Gateways mit hochriskanten Sicherheitslücken
Für Aruba-Controller und -Gateways der Serien 9000 und 9200 gibt es Updates, die hochriskante Sicherheitslücken schließen.
https://heise.de/-9297925
Cisco Security Advisories 2023-09-06 - 2023-09-06
Cisco has released 6 security advisories: (1x Critical, 1x High, 4x Medium)
https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs=1&firstPublishedStartDate=2023%2F09%2F06&firstPublishedEndDate=2023%2F09%2F06
Sicherheitsupdates: Unbefugte Zugriffe auf TP-Link-Router möglich
Angreifer können verschiedene Router von TP-Link attackieren und im schlimmsten Fall eigene Befehle auf Geräten ausführen.
https://heise.de/-9297306
2023-08 Out-of-Cycle Security Bulletin: Junos OS: SRX Series and EX Series: Multiple vulnerabilities in J-Web can be combined to allow a preAuth Remote Code Execution
Update - September 5th 2023: A new variant of the SRX upload vulnerability has been published by external researchers (CVE-2023-36851). All fixes listed under Solution below break the RCE chain
https://supportportal.juniper.net/s/article/2023-08-Out-of-Cycle-Security-Bulletin-Junos-OS-SRX-Series-and-EX-Series-Multiple-vulnerabilities-in-J-Web-can-be-combined-to-allow-a-preAuth-Remote-Code-Execution
Wordfence Intelligence Weekly WordPress Vulnerability Report (August 28, 2023 to September 3, 2023)
Last week, there were 64 vulnerabilities disclosed in 61 WordPress Plugins and 2 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 32 Vulnerability Researchers that contributed to WordPress Security last week.
https://www.wordfence.com/blog/2023/09/wordfence-intelligence-weekly-wordpress-vulnerability-report-august-28-2023-to-september-3-2023/
Security updates for Thursday
Security updates have been issued by Fedora (erofs-utils, htmltest, indent, libeconf, netconsd, php-phpmailer6, tinyexr, and vim), Red Hat (firefox), and Ubuntu (linux-aws, linux-aws-5.15, linux-ibm-5.15, linux-oracle, linux-oracle-5.15, linux-azure, linux-azure-fde-5.15, linux-gke, linux-gkeop, linux-intel-iotg-5.15, linux-raspi, linux-oem-6.1, linux-raspi, linux-raspi-5.4, shiro, and sox).
https://lwn.net/Articles/943856/
CVE-2023-4528: Java Deserialization Vulnerability in JSCAPE MFT (Fixed)
CVE-2023-4528 affects all versions of JSCAPE MFT Server prior to version 2023.1.9 on all platforms (Windows, Linux, and MacOS). See the JSCAPE advisory for more information [..] CVE-2023-4528 has been addressed in JSCAPE version 2023.1.9 which is now available for customer deployment.
https://www.rapid7.com/blog/post/2023/09/07/cve-2023-4528-java-deserialization-vulnerability-in-jscape-mft-fixed/
CISA Releases Four Industrial Control Systems Advisories
ICSA-23-250-01 Dover Fueling Solutions MAGLINK LX Console (CVSS v3 9.1),
ICSA-23-250-02 Phoenix Contact TC ROUTER and TC CLOUD CLIENT (CVSS v3 9.6),
ICSA-23-250-03 Socomec MOD3GP-SY-120K (CVSS v3 10.0),
ICSA-23-157-01 Delta Electronics CNCSoft-B DOPSoft (Update) (CVSS v3 7.8)
https://www.cisa.gov/news-events/alerts/2023/09/07/cisa-releases-four-industrial-control-systems-advisories
Drupal: WebProfiler - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-044
https://www.drupal.org/sa-contrib-2023-044
Drupal: highlight.php - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-043
https://www.drupal.org/sa-contrib-2023-043
IBM Security Bulletins
https://www.ibm.com/support/pages/bulletin/