End-of-Day report
Timeframe: Wednesday 17-01-2024 18:00 - Thursday 18-01-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Robert Waldner
News
Abuse possible: WhatsApp lets strangers harvest device information
Using only a target's phone number, it is possible to determine, for example, how many devices the target uses with WhatsApp and when they switch between them.
https://www.golem.de/news/missbrauch-moeglich-whatsapp-laesst-fremde-nutzer-geraeteinformationen-abgreifen-2401-181313.html
New Microsoft Incident Response guides help security teams analyze suspicious activity
Today Microsoft Incident Response are proud to introduce two one-page guides to help security teams investigate suspicious activity in Microsoft 365 and Microsoft Entra. These guides contain the artifacts that Microsoft Incident Response hunts for and uses daily to provide our customers with evidence of Threat Actor activity in their tenant.
https://www.microsoft.com/en-us/security/blog/2024/01/17/new-microsoft-incident-response-guides-help-security-teams-analyze-suspicious-activity/
More Scans for Ivanti Connect "Secure" VPN. Exploits Public, (Thu, Jan 18th)
Exploits around the Ivanti Connect "Secure" VPN appliance, taking advantage of CVE-2023-46805, continue evolving. Late on Tuesday, more details became public, particularly the blog post by Rapid7 explaining the underlying vulnerability in depth.
https://isc.sans.edu/diary/rss/30568
PixieFail UEFI Flaws Expose Millions of Computers to RCE, DoS, and Data Theft
Multiple security vulnerabilities have been disclosed in the TCP/IP network protocol stack of an open-source reference implementation of the Unified Extensible Firmware Interface (UEFI) specification used widely in modern computers. Collectively dubbed PixieFail by Quarkslab, the nine issues reside in the TianoCore EFI Development Kit II (EDK II) and could be exploited to [..]
https://thehackernews.com/2024/01/pixiefail-uefi-flaws-expose-millions-of.html
MFA Spamming and Fatigue: When Security Measures Go Wrong
MFA spamming refers to the malicious act of inundating a target user's email, phone, or other registered devices with numerous MFA prompts or confirmation codes. The objective behind this tactic is to overwhelm the user with notifications, in the hopes that they will inadvertently approve an unauthorized login. To execute this attack, hackers require the target victim's account credentials (username and password) to initiate the login process and trigger the MFA notifications.
https://thehackernews.com/2024/01/mfa-spamming-and-fatigue-when-security.html
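The attack pattern described above (a burst of rejected or ignored push prompts for one account, followed by an approval) is simple to hunt for in sign-in logs. The following is an added detection example written for this report, not code from the article or from any MFA vendor. The log lines are constructed for illustration and use an assumed "timestamp user result" format, not a real product's schema; the threshold and window are assumptions to tune per environment.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sign-in events (hypothetical format, not a real product log):
# "<ISO-8601 timestamp> <user> <mfa_result>"
SAMPLE_EVENTS = [
    "2024-01-18T02:10:05Z alice mfa_denied",
    "2024-01-18T02:10:41Z alice mfa_timeout",
    "2024-01-18T02:11:12Z alice mfa_denied",
    "2024-01-18T02:11:50Z alice mfa_timeout",
    "2024-01-18T02:12:30Z alice mfa_denied",
    "2024-01-18T02:13:02Z alice mfa_approved",   # the fatigued user gives in
    "2024-01-18T09:00:00Z bob mfa_approved",
    "2024-01-18T09:30:00Z bob mfa_denied",       # a single denial is normal noise
    "2024-01-18T11:30:00Z bob mfa_approved",
]

# Results that mean "the user did not accept the prompt" (assumed names)
FAILED = {"mfa_denied", "mfa_timeout"}


def parse_event(line):
    """Split one constructed log line into (datetime, user, result)."""
    ts, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result


def detect_mfa_fatigue(lines, threshold=4, window=timedelta(minutes=10)):
    """Flag users with >= threshold failed/ignored MFA prompts inside a sliding
    window. For each flagged user, also record whether an approval followed
    within the window of the burst start, which is the attacker's goal and the
    case that warrants an immediate session revoke and password reset.

    Returns {user: {"burst_start": datetime, "prompts": int, "approved_after": bool}}.
    """
    recent = defaultdict(deque)   # per-user timestamps of failed prompts in window
    alerts = {}
    for ts, user, result in sorted(parse_event(l) for l in lines):
        if result in FAILED:
            q = recent[user]
            q.append(ts)
            # Drop prompts that have aged out of the sliding window
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                a = alerts.setdefault(
                    user, {"burst_start": q[0], "prompts": 0, "approved_after": False}
                )
                a["prompts"] = max(a["prompts"], len(q))
        elif result == "mfa_approved" and user in alerts:
            # An approval shortly after a burst is the high-severity signal
            if ts - alerts[user]["burst_start"] <= window:
                alerts[user]["approved_after"] = True
    return alerts


if __name__ == "__main__":
    for user, info in detect_mfa_fatigue(SAMPLE_EVENTS).items():
        severity = "HIGH (approved after burst)" if info["approved_after"] else "MEDIUM"
        print(f"{user}: {info['prompts']} failed prompts from {info['burst_start']} -> {severity}")
```

Because the attacker already holds a valid password (the article's precondition), a "MEDIUM" hit on its own justifies forcing a credential reset; the "HIGH" case means the account should be treated as compromised. Number matching or a limit on push attempts removes the attack surface that this rule only detects.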
Russian COLDRIVER Hackers Expand Beyond Phishing with Custom Malware
[..] COLDRIVER has been observed evolving its tradecraft to go beyond credential harvesting to deliver its first-ever custom malware written in the Rust programming language. Google's Threat Analysis Group (TAG), which shared details of the latest activity, said the attack chains leverage PDFs as decoy documents to trigger the infection sequence.
https://thehackernews.com/2024/01/russian-coldriver-hackers-expand-beyond.html
Data leaked from GPU memory: AI security vulnerability in Apple Silicon, AMD and Qualcomm
Security researchers have discovered a flaw in the graphics cores of older iPhones and Macs, as well as in AMD and Qualcomm GPUs. Apple is patching, but only partially.
https://heise.de/-9600829
Exploring malicious Windows drivers (Part 1): Introduction to the kernel and drivers
Malicious drivers are difficult to detect and successfully leveraging one can give an attacker full access to a system.
https://blog.talosintelligence.com/exploring-malicious-windows-drivers-part-1-introduction-to-the-kernel-and-drivers/
Critical vulnerability in ManageEngine could lead to file creation, dozens of other vulnerabilities disclosed by Talos to start 2024
Cisco Talos' Vulnerability Research team has disclosed dozens of vulnerabilities over the past month, including more than 30 advisories in GTKWave and a critical vulnerability in ManageEngine OpManager.
Cisco ASIG also recently discovered an information disclosure vulnerability in DuoUniversalKeycloakAuthenticator [..] There are also multiple vulnerabilities in AVideo [..]
All the vulnerabilities mentioned in this blog post have been patched by their respective vendors.
https://blog.talosintelligence.com/vulnerability-roundup-jan-17-2024/
Vulnerabilities
Drupal core - Moderately critical - Denial of Service - SA-CORE-2024-001
The Comment module allows users to reply to comments. In certain cases, an attacker could make comment reply requests that would trigger a denial of service (DOS).
Sites that do not use the Comment module are not affected.
https://www.drupal.org/sa-core-2024-001
MOVEit Transfer: Updates fix DoS vulnerability
Updates for MOVEit Transfer close security holes through which attackers could provoke computation errors or bring the service down.
https://heise.de/-9601492
Trend Micro: Security vulnerabilities in security agents allow privilege escalation
Trend Micro warns of security vulnerabilities in its security agents that allow attackers to escalate their privileges. Software updates are available.
https://heise.de/-9601595
Nextcloud: Flaws in apps put user accounts and data security at risk
Several extensions, including those for load balancing, OAuth login and ZIP download, contain security holes. Updates are already available.
https://heise.de/-9601589
2024-01 Security Bulletin: Junos OS and Junos OS Evolved: rpd process crash due to BGP flap on NSR-enabled devices (CVE-2024-21585)
An Improper Handling of Exceptional Conditions vulnerability in BGP session processing of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated network-based attacker, using specific timing outside the attacker's control, to flap BGP sessions and cause the routing protocol daemon (rpd) process to crash and restart, leading to a Denial of Service (DoS) condition. Continued BGP session flapping will create a sustained Denial of Service (DoS) condition.
https://supportportal.juniper.net/s/article/2024-01-Security-Bulletin-Junos-OS-and-Junos-OS-Evolved-rpd-process-crash-due-to-BGP-flap-on-NSR-enabled-devices-CVE-2024-21585
2024-01 Security Bulletin: JSA Series: Multiple vulnerabilities resolved
Multiple vulnerabilities have been resolved in Juniper Secure Analytics in 7.5.0 UP7 IF04.
https://supportportal.juniper.net/s/article/2024-01-Security-Bulletin-JSA-Series-Multiple-vulnerabilities-resolved
Oracle Releases Critical Patch Update Advisory for January 2024
Oracle released its Critical Patch Update Advisory for January 2024 to address vulnerabilities in multiple products. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system.
https://www.cisa.gov/news-events/alerts/2024/01/18/oracle-releases-critical-patch-update-advisory-january-2024
Multiple Dahua Technology products vulnerable to authentication bypass
https://jvn.jp/en/jp/JVN83655695/
There is a vulnerability in batik-all-1.15.jar used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2022-44730 and CVE-2022-44729)
https://www.ibm.com/support/pages/node/7107742
IBM Maximo Manage is vulnerable to attack due to Eclipse Jetty ( IBM X-Force ID 261776)
https://www.ibm.com/support/pages/node/7107716
There is a vulnerability in CSRF Token used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2023-47718)
https://www.ibm.com/support/pages/node/7107740
IBM Asset Data Dictionary Component uses bcprov-jdk18on-1.72.jar which is vulnerable to CVE-2023-33201 and CVE-2023-33202
https://www.ibm.com/support/pages/node/7108953
IBM Maximo Application Suite and IBM Maximo Application Suite - IoT Component uses Werkzeug-2.2.3-py3-none-any.whl which is vulnerable to CVE-2023-46136
https://www.ibm.com/support/pages/node/7108960
IBM Asset Data Dictionary Component uses netty-codec-http2-4.1.94, netty-handler-4.1.86 and netty-handler-4.1.92, which are vulnerable to CVE-2023-44487 and CVE-2023-34462
https://www.ibm.com/support/pages/node/7108959
IBM Storage Ceph is vulnerable to Use After Free in the RHEL UBI (CVE-2023-4813)
https://www.ibm.com/support/pages/node/7108974
IBM Storage Ceph is vulnerable to Cross Site Scripting in Grafana (CVE-2022-39324)
https://www.ibm.com/support/pages/node/7108973
AVEVA PI Server
https://www.cisa.gov/news-events/ics-advisories/icsa-24-018-01