End-of-Day report
Timeframe: Friday 22-09-2023 18:00 - Monday 25-09-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
News
Akira Ransomware Mutates to Target Linux Systems
The newly emerged ransomware actively targets both Windows and Linux systems with a double-extortion approach.
https://www.darkreading.com/attacks-breaches/akira-ransomware-mutates-to-target-linux-systems-adds-ttps
Predator spyware: state trojan was planted via iOS vulnerabilities
Intellexa exploited the iOS vulnerabilities recently patched by Apple to build a zero-day exploit chain for iPhones.
https://www.golem.de/news/predator-spyware-staatstrojaner-wurde-ueber-ios-schwachstellen-eingeschleust-2309-177918.html
Blocking Visual Studio Code embedded reverse shell before it's too late
Since July 2023, Microsoft has been offering the perfect reverse shell, embedded inside Visual Studio Code, a widely used development tool. With just a few clicks, any user with a GitHub account can share their Visual Studio desktop on the web. VS Code tunnel is almost considered a LOLBin (Living Off the Land Binary).
https://ipfyx.fr/post/visual-studio-code-tunnel/
iRacing Exploit allows attackers to take control of users computer
If you have updated iRacing since 2023 Season 2 Patch 5, you're safe. But if you have the game installed and haven't updated it, it's important to either update or uninstall it as soon as possible. Keep in mind this exploit is possible even if you haven't got an active iRacing subscription, so if you were thinking about updating it later, it's worth uninstalling it in the meanwhile.
https://blog.ss23.geek.nz/2023/09/21/iracing-electron-rce-exploit.html
Unusual malware targets Western European telcos
LuaDream is a modular piece of malware built on Lua that targets telecommunications companies - and probably originates from Asia.
https://www.heise.de/-9315204.html
In-the-Wild Exploitation Expected for Critical TeamCity Flaw Allowing Server Takeover
A critical vulnerability in the TeamCity CI/CD server could allow unauthenticated attackers to execute code and take over vulnerable servers.
https://www.securityweek.com/in-the-wild-exploitation-expected-for-critical-teamcity-flaw-allowing-server-takeover/
Webinar: Manipulation through dark patterns - how can I protect myself?
Dark patterns are used on the internet to lure us into actions that are not in our interest - for example spending more money or sharing more data than we actually want to. This webinar explains how dark patterns manipulate us and how you can protect yourself against them. Participation is free: Tuesday 03 October 2023, 18:30 - 20:00 via Zoom
https://www.watchlist-internet.at/news/webinar-manipulation-durch-dark-patterns-wie-kann-ich-mich-schuetzen/
Fake giveaway for ÖBB gift cards & iPhone 15 Pro
We are currently receiving reports of fraudulent giveaways for the new iPhone and for ÖBB gift cards for free train travel. The giveaways are spread via social networks, messengers and e-mail. You supposedly receive the prize if you pay €1.95. Whoever pays, however, loses money!
https://www.watchlist-internet.at/news/gefaelschtes-gewinnspiel-fuer-oebb-geschenkkarten-iphone-15-pro/
SCCM Hierarchy Takeover
tl;dr: There is no security boundary between sites in the same hierarchy.
When an administrative user is granted a security role in SCCM, such as Full Administrator or Infrastructure Administrator, in any primary site, the underlying database changes propagate upward to the central administration site (CAS) and then to other primary sites in the hierarchy.
This means that if an attacker gains control of any primary site, they gain control of the entire SCCM hierarchy.
https://posts.specterops.io/sccm-hierarchy-takeover-41929c61e087
iOS 17 update secretly changed your privacy settings; here's how to set them back
Many iPhone users who upgraded their iPhones to the recently-released iOS 17 will be alarmed to hear that they may have actually downgraded their security and privacy.
https://www.bitdefender.com/blog/hotforsecurity/ios-17-update-secretly-changed-your-privacy-settings-heres-how-to-set-them-back/
From ScreenConnect to Hive Ransomware in 61 hours
In 2022, The DFIR Report observed an increase in the adversarial usage of Remote Management and Monitoring (RMM) tools. When compared to post-exploitation channels that heavily rely on terminals, [...]
https://thedfirreport.com/2023/09/25/from-screenconnect-to-hive-ransomware-in-61-hours/
CoinMiner Distribution Process within Infiltrated Systems (Detected by EDR)
AhnLab Security Emergency Response Center (ASEC) has identified the process through which threat actors install CoinMiners, which utilize a compromised system's resources for cryptocurrency mining. This post will cover how the AhnLab EDR product detects the installation process of CoinMiners that use system resources for cryptocurrency mining.
https://asec.ahnlab.com/en/57222/
Kaspersky Reveals Alarming IoT Threats and Dark Web DDoS Boom
Kaspersky unveils alarming IoT vulnerabilities and the Dark Web's thriving DDoS economy.
https://www.hackread.com/iot-vulnerabilities-dark-web-ddos-economy/
Vulnerabilities
Elasticsearch 8.9.0, 7.17.13 Security Update
An issue has been identified with how Elasticsearch handled incoming requests on the HTTP layer. An unauthenticated user could force an Elasticsearch node to exit with an OutOfMemory error by sending a moderate number of malformed HTTP requests.
https://discuss.elastic.co/t/elasticsearch-8-9-0-7-17-13-security-update/343616
Security updates for Monday
Security updates have been issued by Debian (bind9, elfutils, flac, ghostscript, libapache-mod-jk, lldpd, and roundcube), Fedora (linux-firmware, roundcubemail, and thunderbird), Mageia (curl, file, firefox/thunderbird, ghostpcl, libtommath, and nodejs), Oracle (kernel, open-vm-tools, qemu, and virt:ol and virt-devel:rhel), SUSE (bind, busybox, djvulibre, exempi, ImageMagick, libqb, libssh2_org, opera, postfix, python, python36, renderdoc, webkit2gtk3, and xrdp), and Ubuntu (accountsservice and open-vm-tools).
https://lwn.net/Articles/945503/
CISA Adds Three Known Exploited Vulnerabilities to Catalog
CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CVE-2023-41991 Apple Multiple Products Improper Certificate Validation Vulnerability
CVE-2023-41992 Apple Multiple Products Kernel Privilege Escalation Vulnerability
CVE-2023-41993 Apple Multiple Products WebKit Code Execution Vulnerability
https://www.cisa.gov/news-events/alerts/2023/09/25/cisa-adds-three-known-exploited-vulnerabilities-catalog
RoyalTSX 6.0.1 RTSZ File Handling Heap Memory Corruption PoC
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5788.php
Wago: Vulnerable WIBU-SYSTEMS Codemeter installed through e!COCKPIT and WAGO-I/O-Pro
https://cert.vde.com/de/advisories/VDE-2023-042/
Stored Cross-Site Scripting in the mb Support broker management solution openVIVA c2
https://sec-consult.com/de/vulnerability-lab/advisory/stored-cross-site-scripting-in-der-mb-support-broker-management-solution-openviva-c2/
IBM Security Bulletins
https://www.ibm.com/support/pages/bulletin/