Daily summary - 10.01.2024

End-of-Day report

Timeframe: Tuesday 09-01-2024 18:00 - Wednesday 10-01-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter

News

Sender data decrypted: China has reportedly "cracked" Apple's AirDrop protocol

Forensic experts from Beijing have allegedly succeeded in decrypting the phone numbers and e-mail addresses of AirDrop senders.

https://www.golem.de/news/absenderdaten-entschluesselt-china-hat-wohl-apples-airdrop-protokoll-geknackt-2401-181016.html


Jenkins Brute Force Scans, (Tue, Jan 9th)

Our honeypots saw a number of scans for "/j_acegi_security_check" the last two days. This URL has not been hit much lately, but was hit pretty hard last March. The URL is associated with Jenkins, and can be used to brute force passwords.

https://isc.sans.edu/diary/rss/30546


CISA requirements: More security for the Microsoft cloud

CISA's security requirements for the Microsoft cloud are finalised. We show what lies behind the recommendations and where they differ from those of Microsoft and CIS.

https://www.heise.de/-9591800.html


Microsoft Patch Tuesday: Kerberos authentication on Windows vulnerable

Important security updates have been released for Azure, Office, Windows and others. Attacks may be imminent. A BitLocker patch is causing problems.

https://www.heise.de/-9592648.html


Type Juggling Leads to Two Vulnerabilities in POST SMTP Mailer WordPress Plugin

On December 14th, 2023, during our Bug Bounty Program Holiday Bug Extravaganza, we received a submission for an Authorization Bypass vulnerability in POST SMTP Mailer, a WordPress plugin with over 300,000+ active installations. This vulnerability makes it possible for unauthenticated threat actors to reset the API key used to authenticate to the mailer and view [...]

https://www.wordfence.com/blog/2024/01/type-juggling-leads-to-two-vulnerabilities-in-post-smtp-mailer-wordpress-plugin/


Siemens, Schneider Electric Release First ICS Patch Tuesday Advisories of 2024

Industrial giants Siemens and Schneider Electric publish a total of 7 new security advisories addressing 22 vulnerabilities.

https://www.securityweek.com/siemens-schneider-electric-release-first-ics-patch-tuesday-advisories-of-2024/


Warning: Increased number of PayLife phishing e-mails in circulation

Protect your credit card data and beware of phishing e-mails sent in the name of PayLife. In the e-mails, criminals claim that you must take action and follow a link because of the obligation to use two-factor authentication. The link leads to a copy of the PayLife site that is barely recognisable as a fake. Do not enter any data there!

https://www.watchlist-internet.at/news/achtung-vermehrt-paylife-phishing-mails-im-umlauf/


"Yet another Mirai-based botnet" is spreading an illicit cryptominer

A well-designed operation is using a version of the infamous Mirai malware to secretly distribute cryptocurrency mining software, researchers said Wednesday. Calling it NoaBot, researchers at Akamai said the campaign has been active for about a year, and it has various quirks that complicate analysis of the malware and point to highly-skilled threat actors.

https://therecord.media/mirai-based-botnet-spreading-akamai


CISA Adds One Known Exploited Vulnerability to Catalog

CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

- CVE-2023-29357 Microsoft SharePoint Server Privilege Escalation Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

https://www.cisa.gov/news-events/alerts/2024/01/10/cisa-adds-one-known-exploited-vulnerability-catalog


Apache Applications Targeted by Stealthy Attacker

Researchers at Aqua Nautilus have uncovered a new attack targeting Apache Hadoop and Flink applications. This attack is particularly intriguing due to the attackers' use of packers and rootkits to conceal the malware. The simplicity with which these techniques are employed presents a significant challenge to traditional security defenses.

https://blog.aquasec.com/threat-alert-apache-applications-targeted-by-stealthy-attacker

Vulnerabilities

Cisco Security Advisories 2024-01-10

Security Impact Rating: 1x Critical, 6x Medium

https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs=1&firstPublishedStartDate=2024%2F01%2F10&firstPublishedEndDate=2024%2F01%2F10&pageNum=1&isRenderingBugList=false


Lenovo Security Advisories 2024-01-09

- AMI MegaRAC Vulnerabilities
- Lenovo XClarity Administrator (LXCA) Vulnerability
- Lenovo Vantage Vulnerabilities
- Lenovo Tablet Vulnerabilities
- TianoCore EDK II BIOS Vulnerabilities

https://support.lenovo.com/at/en/product_security/home


Adobe Patch Tuesday: Several vulnerabilities in Substance 3D Stager closed

Adobe's application for creating 3D scenes, Substance 3D Stager, is vulnerable. A fixed version is available for download.

https://www.heise.de/-9592712.html


Update for Google Chrome: High-risk security hole sealed

Google has updated the Chrome web browser as scheduled. In doing so, the developers have closed a security vulnerability rated as high risk.

https://www.heise.de/-9592658.html


Update against privilege escalation in FortiOS and FortiProxy

Fortinet warns of a flaw in the privilege management of FortiOS and FortiProxy in HA clusters. Malicious actors can escalate their privileges.

https://www.heise.de/-9592816.html


Web conferencing: Zoom security vulnerabilities allow privilege escalation

Zoom is distributing updated video conferencing software. It closes a security vulnerability through which attackers can escalate their privileges.

https://www.heise.de/-9593000.html


2022-01 Security Bulletin: Junos OS Evolved: Telnet service may be enabled when it is expected to be disabled. (CVE-2022-22164)

Modification History
- 2022-01-12: Initial Publication
- 2024-01-10: updated the JSA with information on an additional PR which fixed some releases which were not completely fixed originally

https://supportportal.juniper.net/s/article/2022-01-Security-Bulletin-Junos-OS-Evolved-Telnet-service-may-be-enabled-when-it-is-expected-to-be-disabled-CVE-2022-22164


Security updates for Wednesday

Security updates have been issued by Fedora (libssh), Gentoo (FAAD2 and RedCloth), Red Hat (kpatch-patch and nss), SUSE (hawk2, LibreOffice, opera, and tar), and Ubuntu (glibc, golang-1.13, golang-1.16, linux-azure, linux-gkeop, monit, and postgresql-9.5).

https://lwn.net/Articles/957340/


IBM Security Bulletins

https://www.ibm.com/support/pages/bulletin/


SVD-2024-0104: Splunk User Behavior Analytics (UBA) Third-Party Package Updates

https://advisory.splunk.com//advisories/SVD-2024-0104


SVD-2024-0103: Splunk Enterprise Security (ES) Third-Party Package Updates - January 2024

https://advisory.splunk.com//advisories/SVD-2024-0103


SVD-2024-0102: Denial of Service in Splunk Enterprise Security of the Investigations manager through Investigation creation

https://advisory.splunk.com//advisories/SVD-2024-0102


SVD-2024-0101: Denial of Service of an Investigation in Splunk Enterprise Security through Investigation attachments

https://advisory.splunk.com//advisories/SVD-2024-0101