End-of-Day report
Timeframe: Dienstag 26-09-2023 18:00 - Mittwoch 27-09-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
News
Unzählige Anwendungen betroffen: WebP-Schwachstelle erreicht maximalen Schweregrad
Die Schwachstelle in der WebP-Bibliothek wurde zuvor fälschlicherweise als Chrome-Bug markiert. Sie betrifft aber weitaus mehr Anwendungen.
https://www.golem.de/news/unzaehlige-anwendungen-betroffen-webp-schwachstelle-erreicht-maximalen-schweregrad-2309-178002.html
Apple Releases MacOS Sonoma Including Numerous Security Patches, (Tue, Sep 26th)
As expected, Apple today released macOS Sonoma (14.0). This update, in addition to new features, provides patches for about 60 different vulnerabilities.
https://isc.sans.edu/diary/rss/30252
ShadowSyndicate: A New Cybercrime Group Linked to 7 Ransomware Families
Cybersecurity experts have shed light on a new cybercrime group known as ShadowSyndicate (formerly Infra Storm) that may have leveraged as many as seven different ransomware families over the past year. "ShadowSyndicate is a threat actor that works with various ransomware groups and affiliates of ransomware programs," Group-IB and Bridewell said in a joint technical report.
https://thehackernews.com/2023/09/shadowsyndicate-new-cybercrime-group.html
Reports about Cyber Actors Hiding in Router Firmware
On September 27, 2023, a joint cybersecurity advisory (CSA) was released detailing activities of the cyber actors known as BlackTech. The CSA describes how BlackTech is able to modify router firmware without detection. [...] Cisco has reviewed the report. Cisco would like to highlight the following key facts: The most prevalent initial access vector in these attacks involves stolen or weak administrative credentials. As outlined in the report, certain configuration changes, such as disabling logging and downloading firmware, require administrative credentials. [...]
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-csa-cyber-report-sept-2023
Hacking htmx applications
With the normal flow of frontend frameworks moving from hipster to mainstream in the coming few months, during a test, you bump into this strange application that receives HTML with `hx-` attributes in responses. Congrats, you are testing your first htmx application, let me give you the building blocks to play with for testing this type of application.
https://medium.com/@matuzg/hacking-htmx-applications-f8d29665faf
A Deep Dive into Brute Ratel C4 payloads - Part 2
Brute Ratel C4 is a Red Team & Adversary Simulation software that can be considered an alternative to Cobalt Strike. In this blog post, we-re presenting a technical analysis of a Brute Ratel badger/agent that doesn-t implement all the recent features of the framework. There aren-t a lot of Brute Ratel samples available in the wild. This second part of the analysis presents the remaining commands executed by the agent.
https://cybergeeks.tech/a-deep-dive-into-brute-ratel-c4-payloads-part-2/
Fake Bitwarden installation packages delivered RAT to Windows users
Windows users looking to install the Bitwarden password manager may have inadvertently installed a remote access trojan (RAT). The ZenRAT malware A malicious website spoofing Bitwarden-s legitimate one (located at bitwariden[.]com) has been offering fake installation packages containing the ZenRAT malware.
https://www.helpnetsecurity.com/2023/09/27/windows-bitwarden-rat/
Security updates for Wednesday
Security updates have been issued by Oracle (libtiff), Red Hat (libtiff, nodejs:16, and nodejs:18), Slackware (mozilla), SUSE (bind, cacti, cacti-spine, ImageMagick, kernel, libwebp, netatalk, open-vm-tools, postfix, quagga, wire, and wireshark), and Ubuntu (cups, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-oracle, linux-bluefield, and linux-bluefield, linux-raspi, linux-raspi-5.4).
https://lwn.net/Articles/945700/
New GPU Side-Channel Attack Allows Malicious Websites to Steal Data
GPUs from AMD, Apple, Arm, Intel, Nvidia and Qualcomm are vulnerable to a new type of side-channel attack named GPU.zip.
https://www.securityweek.com/new-gpu-side-channel-attack-allows-malicious-websites-to-steal-data/
Vulnerabilities
VMSA-2023-0020
VMware Aria Operations updates address local privilege escalation vulnerability. (CVE-2023-34043)
https://www.vmware.com/security/advisories/VMSA-2023-0020.html
K000136909 : BIG-IP APM Clients TunnelCrack vulnerability CVE-2023-43125
https://my.f5.com/manage/s/article/K000136909
K000136907 : BIG-IP APM Clients TunnelCrack vulnerability CVE-2023-43124
https://my.f5.com/manage/s/article/K000136907
semver-6.3.0.tgz is vulnerable to CVE-2022-25883 used in IBM Maximo Application Suite - Monitor Component
https://www.ibm.com/support/pages/node/7039430
Okio GzipSource is vulnerable to CVE-2023-3635 used in IBM Maximo Application Suite - Monitor Component
https://www.ibm.com/support/pages/node/7039433
Certifi is vulnerable to CVE-2023-37920 used in IBM Maximo Application Suite - Monitor Component
https://www.ibm.com/support/pages/node/7039436
VMware Tanzu Spring for Apache Kafka is vulnerable to CVE-2023-34040 used in IBM Maximo Application Suite - Monitor Component
https://www.ibm.com/support/pages/node/7039438
A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2023-35890)
https://www.ibm.com/support/pages/node/7039519
Vulnerability found in Eclipse Jetty may affect IBM Enterprise Records
https://www.ibm.com/support/pages/node/7040603
Vulnerability of jython-standalone-2.7.0.jar have affected APM WebSphere Application Server Agent and APM Tomcat Agent
https://www.ibm.com/support/pages/node/7040614
IBM SOAR QRadar Plugin App is vulnerable to using components with known vulnerabilities
https://www.ibm.com/support/pages/node/7040672
IBM Cognos Analytics is affected but not classified as vulnerable to vulnerabilities in IBM Websphere Application Server Liberty
https://www.ibm.com/support/pages/node/7040744
The Bouncy Castle Crypto Package For Java (bc-java) component is vulnerable to CVE-2023-33201 is used by IBM Maximo Application Suite
https://www.ibm.com/support/pages/node/7028107
Control Access issues in PCOMM
https://www.ibm.com/support/pages/node/7031707