Daily summary - 27.09.2023

End-of-Day report

Timeframe: Tuesday 26-09-2023 18:00 - Wednesday 27-09-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter

News

Countless applications affected: WebP vulnerability reaches maximum severity

The vulnerability in the WebP library was previously incorrectly flagged as a Chrome bug. It affects far more applications, however.

https://www.golem.de/news/unzaehlige-anwendungen-betroffen-webp-schwachstelle-erreicht-maximalen-schweregrad-2309-178002.html


Apple Releases MacOS Sonoma Including Numerous Security Patches, (Tue, Sep 26th)

As expected, Apple today released macOS Sonoma (14.0). This update, in addition to new features, provides patches for about 60 different vulnerabilities.

https://isc.sans.edu/diary/rss/30252


ShadowSyndicate: A New Cybercrime Group Linked to 7 Ransomware Families

Cybersecurity experts have shed light on a new cybercrime group known as ShadowSyndicate (formerly Infra Storm) that may have leveraged as many as seven different ransomware families over the past year. "ShadowSyndicate is a threat actor that works with various ransomware groups and affiliates of ransomware programs," Group-IB and Bridewell said in a joint technical report.

https://thehackernews.com/2023/09/shadowsyndicate-new-cybercrime-group.html


Reports about Cyber Actors Hiding in Router Firmware

On September 27, 2023, a joint cybersecurity advisory (CSA) was released detailing activities of the cyber actors known as BlackTech. The CSA describes how BlackTech is able to modify router firmware without detection. [...] Cisco has reviewed the report. Cisco would like to highlight the following key facts: The most prevalent initial access vector in these attacks involves stolen or weak administrative credentials. As outlined in the report, certain configuration changes, such as disabling logging and downloading firmware, require administrative credentials. [...]

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-csa-cyber-report-sept-2023


Hacking htmx applications

With the normal flow of frontend frameworks moving from hipster to mainstream in the coming few months, during a test, you bump into this strange application that receives HTML with `hx-` attributes in responses. Congrats, you are testing your first htmx application, let me give you the building blocks to play with for testing this type of application.

https://medium.com/@matuzg/hacking-htmx-applications-f8d29665faf


A Deep Dive into Brute Ratel C4 payloads - Part 2

Brute Ratel C4 is a Red Team & Adversary Simulation software that can be considered an alternative to Cobalt Strike. In this blog post, we're presenting a technical analysis of a Brute Ratel badger/agent that doesn't implement all the recent features of the framework. There aren't a lot of Brute Ratel samples available in the wild. This second part of the analysis presents the remaining commands executed by the agent.

https://cybergeeks.tech/a-deep-dive-into-brute-ratel-c4-payloads-part-2/


Fake Bitwarden installation packages delivered RAT to Windows users

Windows users looking to install the Bitwarden password manager may have inadvertently installed a remote access trojan (RAT). A malicious website spoofing Bitwarden's legitimate one (located at bitwariden[.]com) has been offering fake installation packages containing the ZenRAT malware.

https://www.helpnetsecurity.com/2023/09/27/windows-bitwarden-rat/


Security updates for Wednesday

Security updates have been issued by Oracle (libtiff), Red Hat (libtiff, nodejs:16, and nodejs:18), Slackware (mozilla), SUSE (bind, cacti, cacti-spine, ImageMagick, kernel, libwebp, netatalk, open-vm-tools, postfix, quagga, wire, and wireshark), and Ubuntu (cups, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-oracle, linux-bluefield, and linux-bluefield, linux-raspi, linux-raspi-5.4).

https://lwn.net/Articles/945700/


New GPU Side-Channel Attack Allows Malicious Websites to Steal Data

GPUs from AMD, Apple, Arm, Intel, Nvidia and Qualcomm are vulnerable to a new type of side-channel attack named GPU.zip.

https://www.securityweek.com/new-gpu-side-channel-attack-allows-malicious-websites-to-steal-data/

Vulnerabilities

VMSA-2023-0020

VMware Aria Operations updates address local privilege escalation vulnerability. (CVE-2023-34043)

https://www.vmware.com/security/advisories/VMSA-2023-0020.html


K000136909 : BIG-IP APM Clients TunnelCrack vulnerability CVE-2023-43125

https://my.f5.com/manage/s/article/K000136909


K000136907 : BIG-IP APM Clients TunnelCrack vulnerability CVE-2023-43124

https://my.f5.com/manage/s/article/K000136907


semver-6.3.0.tgz is vulnerable to CVE-2022-25883 used in IBM Maximo Application Suite - Monitor Component

https://www.ibm.com/support/pages/node/7039430


Okio GzipSource is vulnerable to CVE-2023-3635 used in IBM Maximo Application Suite - Monitor Component

https://www.ibm.com/support/pages/node/7039433


Certifi is vulnerable to CVE-2023-37920 used in IBM Maximo Application Suite - Monitor Component

https://www.ibm.com/support/pages/node/7039436


VMware Tanzu Spring for Apache Kafka is vulnerable to CVE-2023-34040 used in IBM Maximo Application Suite - Monitor Component

https://www.ibm.com/support/pages/node/7039438


A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2023-35890)

https://www.ibm.com/support/pages/node/7039519


Vulnerability found in Eclipse Jetty may affect IBM Enterprise Records

https://www.ibm.com/support/pages/node/7040603


Vulnerability of jython-standalone-2.7.0.jar has affected APM WebSphere Application Server Agent and APM Tomcat Agent

https://www.ibm.com/support/pages/node/7040614


IBM SOAR QRadar Plugin App is vulnerable to using components with known vulnerabilities

https://www.ibm.com/support/pages/node/7040672


IBM Cognos Analytics is affected but not classified as vulnerable to vulnerabilities in IBM Websphere Application Server Liberty

https://www.ibm.com/support/pages/node/7040744


The Bouncy Castle Crypto Package For Java (bc-java) component is vulnerable to CVE-2023-33201 and is used by IBM Maximo Application Suite

https://www.ibm.com/support/pages/node/7028107


Control Access issues in PCOMM

https://www.ibm.com/support/pages/node/7031707