End-of-Day report
Timeframe: Tuesday 09-01-2024 18:00 - Wednesday 10-01-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
News
Sender data decrypted: China has apparently "cracked" Apple's Airdrop protocol
Forensic experts from Beijing have allegedly succeeded in decrypting the phone numbers and e-mail addresses of Airdrop senders.
https://www.golem.de/news/absenderdaten-entschluesselt-china-hat-wohl-apples-airdrop-protokoll-geknackt-2401-181016.html
Jenkins Brute Force Scans, (Tue, Jan 9th)
Our honeypots saw a number of scans for "/j_acegi_security_check" the last two days. This URL has not been hit much lately, but was hit pretty hard last March. The URL is associated with Jenkins, and can be used to brute force passwords.
https://isc.sans.edu/diary/rss/30546
CISA requirements: More security for the Microsoft cloud
CISA's security requirements for the Microsoft cloud are complete. We show what is behind the recommendations and where they differ from those of MS and CIS.
https://www.heise.de/-9591800.html
Microsoft Patch Tuesday: Kerberos authentication on Windows vulnerable
Important security updates have been released for Azure, Office, Windows and others. Attacks may be imminent. A BitLocker patch is causing problems.
https://www.heise.de/-9592648.html
Type Juggling Leads to Two Vulnerabilities in POST SMTP Mailer WordPress Plugin
On December 14th, 2023, during our Bug Bounty Program Holiday Bug Extravaganza, we received a submission for an Authorization Bypass vulnerability in POST SMTP Mailer, a WordPress plugin with over 300,000 active installations. This vulnerability makes it possible for unauthenticated threat actors to reset the API key used to authenticate to the mailer and view [...]
https://www.wordfence.com/blog/2024/01/type-juggling-leads-to-two-vulnerabilities-in-post-smtp-mailer-wordpress-plugin/
Siemens, Schneider Electric Release First ICS Patch Tuesday Advisories of 2024
Industrial giants Siemens and Schneider Electric publish a total of 7 new security advisories addressing 22 vulnerabilities.
https://www.securityweek.com/siemens-schneider-electric-release-first-ics-patch-tuesday-advisories-of-2024/
Warning: Increasing number of PayLife phishing e-mails in circulation
Protect your credit card data and beware of phishing e-mails sent in the name of PayLife. In the e-mails, criminals claim that, because of the obligation to use two-factor authentication, you must take action and follow a link. You end up on a copy of the PayLife site that is barely recognizable as a fake. Do not enter any data there!
https://www.watchlist-internet.at/news/achtung-vermehrt-paylife-phishing-mails-im-umlauf/
"Yet another Mirai-based botnet" is spreading an illicit cryptominer
A well-designed operation is using a version of the infamous Mirai malware to secretly distribute cryptocurrency mining software, researchers said Wednesday. Calling it NoaBot, researchers at Akamai said the campaign has been active for about a year, and it has various quirks that complicate analysis of the malware and point to highly-skilled threat actors.
https://therecord.media/mirai-based-botnet-spreading-akamai
CISA Adds One Known Exploited Vulnerability to Catalog
CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CVE-2023-29357 Microsoft SharePoint Server Privilege Escalation Vulnerability
These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.
https://www.cisa.gov/news-events/alerts/2024/01/10/cisa-adds-one-known-exploited-vulnerability-catalog
Apache Applications Targeted by Stealthy Attacker
Researchers at Aqua Nautilus have uncovered a new attack targeting Apache Hadoop and Flink applications. This attack is particularly intriguing due to the attackers' use of packers and rootkits to conceal the malware. The simplicity with which these techniques are employed presents a significant challenge to traditional security defenses.
https://blog.aquasec.com/threat-alert-apache-applications-targeted-by-stealthy-attacker
Vulnerabilities
Cisco Security Advisories 2024-01-10
Security Impact Rating: 1x Critical, 6x Medium
https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs=1&firstPublishedStartDate=2024%2F01%2F10&firstPublishedEndDate=2024%2F01%2F10&pageNum=1&isRenderingBugList=false
Lenovo Security Advisories 2024-01-09
- AMI MegaRAC Vulnerabilities
- Lenovo XClarity Administrator (LXCA) Vulnerability
- Lenovo Vantage Vulnerabilities
- Lenovo Tablet Vulnerabilities
- TianoCore EDK II BIOS Vulnerabilities
https://support.lenovo.com/at/en/product_security/home
Adobe Patch Tuesday: Multiple vulnerabilities closed in Substance 3D Stager
Adobe's application for creating 3D scenes, Substance 3D Stager, is vulnerable to attack. A bug-fixed version is available for download.
https://www.heise.de/-9592712.html
Update for Google Chrome: High-risk security hole plugged
Google has updated the Chrome web browser as part of its regular release cycle. In doing so, the developers have closed a security vulnerability rated as high risk.
https://www.heise.de/-9592658.html
Update against privilege escalation in FortiOS and FortiProxy
Fortinet warns of a flaw in the privilege management of FortiOS and FortiProxy in HA clusters. Malicious actors can escalate their privileges.
https://www.heise.de/-9592816.html
Web conferencing: Zoom security vulnerabilities enable privilege escalation
Zoom is distributing updated video conferencing software. It closes a security vulnerability through which attackers can escalate their privileges.
https://www.heise.de/-9593000.html
2022-01 Security Bulletin: Junos OS Evolved: Telnet service may be enabled when it is expected to be disabled. (CVE-2022-22164)
Modification History
2022-01-12: Initial Publication
2024-01-10: updated the JSA with information on an additional PR which fixed some releases which were not completely fixed originally
https://supportportal.juniper.net/s/article/2022-01-Security-Bulletin-Junos-OS-Evolved-Telnet-service-may-be-enabled-when-it-is-expected-to-be-disabled-CVE-2022-22164
Security updates for Wednesday
Security updates have been issued by Fedora (libssh), Gentoo (FAAD2 and RedCloth), Red Hat (kpatch-patch and nss), SUSE (hawk2, LibreOffice, opera, and tar), and Ubuntu (glibc, golang-1.13, golang-1.16, linux-azure, linux-gkeop, monit, and postgresql-9.5).
https://lwn.net/Articles/957340/
IBM Security Bulletins
https://www.ibm.com/support/pages/bulletin/
SVD-2024-0104: Splunk User Behavior Analytics (UBA) Third-Party Package Updates
https://advisory.splunk.com//advisories/SVD-2024-0104
SVD-2024-0103: Splunk Enterprise Security (ES) Third-Party Package Updates - January 2024
https://advisory.splunk.com//advisories/SVD-2024-0103
SVD-2024-0102: Denial of Service in Splunk Enterprise Security of the Investigations manager through Investigation creation
https://advisory.splunk.com//advisories/SVD-2024-0102
SVD-2024-0101: Denial of Service of an Investigation in Splunk Enterprise Security through Investigation attachments
https://advisory.splunk.com//advisories/SVD-2024-0101