End-of-Day report
Timeframe: Monday 22-01-2024 18:00 - Tuesday 23-01-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Thomas Pribitzer
News
MavenGate Attack Could Let Hackers Hijack Java and Android via Abandoned Libraries
Several public and popular libraries abandoned but still used in Java and Android applications have been found susceptible to a new software supply chain attack method called MavenGate.
https://thehackernews.com/2024/01/hackers-hijack-popular-java-and-android.html
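As an added example for this item (not code from the MavenGate research or from the article above): the script below audits a pom.xml for the domains its dependency groupIds imply. It assumes the MavenGate mechanism as described elsewhere, namely that Maven Central ties a groupId to ownership of the matching domain (groupId com.example maps to example.com), so that if the domain behind an abandoned library lapses, whoever re-registers it can claim publishing rights for that groupId. The sample pom, the list of hosted namespaces and the two-level public suffixes are constructed for the example and are not exhaustive; the actual registration check (e.g. whois) is left out so the script runs offline.

```python
"""Derive the domains implied by Maven dependency groupIds for a takeover check.

Added example, not code from the MavenGate research or from the digest above.
Assumption: Maven Central verifies groupId ownership via the reverse-DNS
domain (com.example -> example.com), so an expired domain of an abandoned
library is the thing to look for. This script only derives the domains to
check; it performs no network lookups.
"""
import sys
import xml.etree.ElementTree as ET

# Namespaces handed out by code-hosting platforms: the first two labels do not
# correspond to a domain an attacker could register (constructed, not complete).
HOSTED_NAMESPACES = ("com.github", "io.github", "org.bitbucket", "com.gitlab", "io.gitlab")

# Two-level public suffixes where the registrable domain is the third label
# (constructed subset; a full public suffix list would be used in practice).
TWO_LEVEL_SUFFIXES = {("uk", "co"), ("uk", "org"), ("uk", "ac"), ("au", "com"), ("jp", "co"), ("br", "com")}


def group_id_to_domain(group_id):
    """Return (domain, status): status is 'check', 'hosted-namespace',
    'no-domain' (single-label groupId) or 'unresolved-property'."""
    gid = group_id.strip()
    if gid.startswith("${"):
        return None, "unresolved-property"
    labels = gid.lower().split(".")
    if len(labels) < 2:
        return None, "no-domain"
    for ns in HOSTED_NAMESPACES:
        ns_labels = ns.split(".")
        if labels[: len(ns_labels)] == ns_labels:
            return None, "hosted-namespace"
    if (labels[0], labels[1]) in TWO_LEVEL_SUFFIXES and len(labels) >= 3:
        return f"{labels[2]}.{labels[1]}.{labels[0]}", "check"
    return f"{labels[1]}.{labels[0]}", "check"


def audit_pom(pom_xml):
    """Map every dependency groupId in the pom (namespaced or not) to its
    (domain, status) pair; plugins and the parent element are deliberately
    ignored."""
    root = ET.fromstring(pom_xml)
    results = {}
    for dep in root.iter():
        if not dep.tag.endswith("dependency"):
            continue
        gid_el = next((c for c in dep if c.tag.endswith("groupId")), None)
        if gid_el is None or not gid_el.text:
            continue
        gid = gid_el.text.strip()
        results[gid] = group_id_to_domain(gid)
    return results


def domains_to_check(results):
    """Deduplicated, sorted list of domains whose registration should be verified."""
    return sorted({domain for domain, status in results.values() if status == "check"})


# Constructed sample pom: mixes a foundation groupId, a hypothetical abandoned
# library, a GitHub-hosted namespace, a co.uk groupId and a legacy single label.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>org.apache.commons</groupId><artifactId>commons-lang3</artifactId><version>3.14.0</version></dependency>
    <dependency><groupId>com.example.oldlib</groupId><artifactId>oldlib</artifactId><version>1.0</version></dependency>
    <dependency><groupId>io.github.someuser</groupId><artifactId>tool</artifactId><version>0.1</version></dependency>
    <dependency><groupId>uk.co.example</groupId><artifactId>thing</artifactId><version>2.0</version></dependency>
    <dependency><groupId>junit</groupId><artifactId>junit</artifactId><version>4.13.2</version></dependency>
  </dependencies>
</project>"""


if __name__ == "__main__":
    pom_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_POM
    audit = audit_pom(pom_text)
    for gid, (domain, status) in audit.items():
        print(f"{gid:30} {status:20} {domain or '-'}")
    print("domains to verify:", ", ".join(domains_to_check(audit)))
```

Run it with a path to a real pom.xml to get the domain list; a domain that is unregistered or up for sale while a build still pulls that groupId is the condition the MavenGate write-up is about, and the dependency should be pinned by checksum or replaced.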
Cactus Ransomware malware analysis
On January 20th the Cactus ransomware group attacked a number of victims across varying industries. The attacks were disclosed on their leak site with the accompanying victim data.
https://www.shadowstackre.com/analysis/cactus
Beware of Peek & Cloppenburg fake shops
Fake offers from the fashion retailer "Peek & Cloppenburg" are being advertised on Facebook and Instagram. The fake ads promise discounts of up to 90 %. Clicking on the ad takes you to a fraudulent shop with a credible-looking web address: "peek-cloppenburgsale.shop".
https://www.watchlist-internet.at/news/vorsicht-vor-peek-cloppenburg-fake-shops/
Threat Assessment: BianLian
We analyze the extremely active ransomware group BianLian. Mostly targeting healthcare, they have moved from double-extortion to extortion without encryption.
https://unit42.paloaltonetworks.com/bianlian-ransomware-group-threat-assessment/
Conditional QR Code Routing Attacks
Over the summer, we saw a somewhat unexpected rise in QR-code based phishing attacks. These attacks were all fairly similar. The main goal was to induce the end-user to scan the QR Code, where they would be redirected to a credential harvesting page.
https://blog.checkpoint.com/harmony-email/conditional-qr-code-routing-attacks/
Lazarus Group Uses the DLL Side-Loading Technique (2)
In the blog post "Lazarus Group Uses the DLL Side-Loading Technique" [1], AhnLab Security Intelligence Center (ASEC) previously covered how the Lazarus group used the DLL side-loading attack technique with legitimate applications in the initial access stage to reach the next stage of their attack process.
https://asec.ahnlab.com/en/60792/
Kasseika Ransomware Deploys BYOVD Attacks, Abuses PsExec and Exploits Martini Driver
In this blog, we detail our investigation of the Kasseika ransomware and the indicators we found suggesting that the actors behind it have acquired access to the source code of the notorious BlackMatter ransomware.
https://www.trendmicro.com/en_us/research/24/a/kasseika-ransomware-deploys-byovd-attacks-abuses-psexec-and-expl.html
Vulnerabilities
Fortra warns of new critical GoAnywhere MFT auth bypass, patch now
Fortra is warning of a new authentication bypass vulnerability impacting GoAnywhere MFT (Managed File Transfer) versions before 7.4.1 that allows an attacker to create a new admin user.
https://www.bleepingcomputer.com/news/security/fortra-warns-of-new-critical-goanywhere-mft-auth-bypass-patch-now/
Exploiting 0-click Android Bluetooth vulnerability to inject keystrokes without pairing
Recently discovered critical vulnerabilities (CVE-2023-45866, CVE-2024-21306) in Bluetooth can be exploited to inject keystrokes without user confirmation, because the affected device accepts any Bluetooth pairing request.
https://www.mobile-hacker.com/2024/01/23/exploiting-0-click-android-bluetooth-vulnerability-to-inject-keystrokes-without-pairing/
Security fixes: Apple updates older systems and admits zero-days
Alongside macOS 14.3 and iOS 17.3, Apple has also released new versions of iOS 15, iOS 16, macOS 12 and 13 as well as Safari. There was another zero-day exploit.
https://www.heise.de/news/Sicherheitsfixes-Apple-aktualisiert-aeltere-Systeme-und-raeumt-Zero-Days-ein-9605294.html
Configuration push can undo the workaround protecting Ivanti ICS
So far, admins can only protect Ivanti Connect Secure and Policy Secure against ongoing attacks with a workaround. However, this workaround does not always work.
https://www.heise.de/news/Konfigurationsuebertragung-kann-Behelfsloesung-zum-Schutz-von-Ivanti-ICS-aufheben-9605922.html
Barracuda WAF: Critical security vulnerabilities allow the protection to be bypassed
Barracuda has published a security advisory for its Web Application Firewall. The vulnerabilities allow the protection to be bypassed.
https://www.heise.de/news/Barracuda-WAF-Kritische-Sicherherheitsluecken-ermoeglichen-Umgehung-des-Schutzes-9606036.html
Security updates for Tuesday
Security updates have been issued by Debian (kodi and squid), Fedora (ansible-core, java-latest-openjdk, mingw-python-jinja2, openssh, and pgadmin4), Gentoo (Apache XML-RPC), Red Hat (gnutls and xorg-x11-server), Slackware (postfix), SUSE (bluez and openssl-3), and Ubuntu (gnutls28, libssh, and squid).
https://lwn.net/Articles/959127/
Splunk Security Advisories 2024-01-22
https://advisory.splunk.com//advisories
IBM Security Bulletins
https://www.ibm.com/support/pages/bulletin/
XSA-448
https://xenbits.xen.org/xsa/advisory-448.html
Security Vulnerabilities fixed in Thunderbird 115.7
https://www.mozilla.org/en-US/security/advisories/mfsa2024-04/
Security Vulnerabilities fixed in Firefox ESR 115.7
https://www.mozilla.org/en-US/security/advisories/mfsa2024-02/
Security Vulnerabilities fixed in Firefox 122
https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/
TRUMPF: Oseon contains vulnerable version of OpenSSL 1.1.x
https://cert.vde.com/de/advisories/VDE-2024-006/
TRUMPF: Multiple products include a vulnerable version of Notepad++
https://cert.vde.com/de/advisories/VDE-2024-003/
TRUMPF: Multiple products contain vulnerable version of 7-zip
https://cert.vde.com/de/advisories/VDE-2024-005/
Citrix Hypervisor Security Bulletin for CVE-2023-46838
https://support.citrix.com/article/CTX587605/citrix-hypervisor-security-bulletin-for-cve202346838
Crestron AM-300
https://www.cisa.gov/news-events/ics-advisories/icsa-24-023-02
Lantronix XPort
https://www.cisa.gov/news-events/ics-advisories/icsa-24-023-05
Voltronic Power ViewPower Pro
https://www.cisa.gov/news-events/ics-advisories/icsa-24-023-03
Orthanc Osimis DICOM Web Viewer
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-023-01
APsystems Energy Communication Unit (ECU-C) Power Control Software
https://www.cisa.gov/news-events/ics-advisories/icsa-24-023-01
Westermo Lynx 206-F2G
https://www.cisa.gov/news-events/ics-advisories/icsa-24-023-04