End-of-Day report
Timeframe:   Thursday 25-01-2024 18:00 - Friday 26-01-2024 18:00
Handler:     Thomas Pribitzer
Co-Handler:  Michael Schlagenhaufer
News
Via push notifications: prominent iOS apps secretly harvest device data
The data collectors reportedly include iOS apps of well-known online services such as TikTok, Facebook, Instagram, Threads, LinkedIn, Bing and X.
https://www.golem.de/news/ueber-push-benachrichtigungen-prominente-ios-apps-spaehen-heimlich-geraetedaten-aus-2401-181574.html
MFA was inactive: Microsoft reveals how hackers got at internal emails
According to Microsoft, the attackers first compromised a test account with MFA disabled, using a proxy infrastructure.
https://www.golem.de/news/mfa-war-inaktiv-microsoft-deckt-auf-wie-hacker-an-interne-mails-kamen-2401-181593.html
Crafted URL can be dangerous for Juniper firewalls and switches
Juniper's developers have closed several security vulnerabilities in Junos OS. Not all updates are available yet, however.
https://www.heise.de/-9609333.html
Confusing: internet domain fritz.box shows NFT gallery instead of router administration
A week ago, unknown parties registered the domain "fritz.box" for themselves. Their intentions are unclear; owners of Fritz devices should be careful.
https://www.heise.de/-9610149.html
Blackwood hackers hijack WPS Office update to install malware
A previously unknown advanced threat actor tracked as Blackwood is using sophisticated malware called NSPX30 in cyberespionage attacks against companies and individuals.
https://www.bleepingcomputer.com/news/security/blackwood-hackers-hijack-wps-office-update-to-install-malware/
Midnight Blizzard: Guidance for responders on nation-state attack
The Microsoft security team detected a nation-state attack on our corporate systems on January 12, 2024, and immediately activated our response process to investigate, disrupt malicious activity, mitigate the attack, and deny the threat actor further access.
https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/
A Batch File With Multiple Payloads, (Fri, Jan 26th)
Windows batch files (.bat) are often seen by people as very simple but they can be pretty complex or... contain interesting encoded payloads! I found one that contains multiple payloads decoded and used by a PowerShell process. The magic is behind how comments can be added to such files.
https://isc.sans.edu/diary/rss/30592
Inheritance by SMS: ignore this fraudulent message
We regularly warn about emails in which scammers promise big money: million-euro winnings, a donation or an inheritance are supposed to make the recipients rich overnight. Currently, however, criminals are relying not only on emails but also on SMS to get in touch with potential victims. After that, the scam runs as usual: with offers that are too good to be true, gullible victims are cheated out of their money.
https://www.watchlist-internet.at/news/erbschaft-per-sms-ignorieren-sie-diese-betruegerische-nachricht/
Assessing and mitigating supply chain cybersecurity risks
Blindly trusting your partners and suppliers on their security posture is not sustainable - it's time to take control through effective supplier risk management
https://www.welivesecurity.com/en/business-security/assessing-mitigating-cybersecurity-risks-supply-chain/
Cybersecurity for Industrial Control Systems: Best practices
Network segmentation, software patching, and continual threats monitoring are key cybersecurity best practices for Industrial Control Systems (ICS).
https://cybersecurity.att.com/blogs/security-essentials/cybersecurity-for-industrial-control-systems-best-practices
Guidance: Assembling a Group of Products for SBOM
Today, CISA published Guidance on Assembling a Group of Products created by the Software Bill of Materials (SBOM) Tooling & Implementation Working Group, one of the five SBOM community-driven workstreams facilitated by CISA. CISA's community-driven working groups publish documents and reports to advance and refine SBOM and ultimately promote adoption. Specifically, software producers often need to assemble and test products together before releasing them to customers.
https://www.cisa.gov/news-events/alerts/2024/01/26/guidance-assembling-group-products-sbom
Vulnerabilities
Cisco Unified Communications Products Remote Code Execution Vulnerability
Version 1.1 - Updated list of affected products and products confirmed not vulnerable.
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-rce-bWNzQcUm
Jenkins CLI PoC CVE-2024-23897
Remote Code Execution: Jenkins CLI arbitrary read (CVE-2024-23897 applies to versions below 2.442 and LTS 2.426.3)
https://github.com/gquere/pwn_jenkins/blob/master/README.md#jenkins-cli-arbitrary-read-cve-2024-23897-applies-to-versions-below-2442-and-lts-24263
Microsoft Edge 121 supports modern codecs and plugs security holes
Microsoft has released version 121 of the Edge web browser. It closes a critical security vulnerability and adds support for AV1 video.
https://www.heise.de/-9609475.html
This time, please patch: security update fixes critical vulnerability in GitLab
GitLab 16.x contains five vulnerabilities, one of which is rated critical. Patching is not a given, as a recent investigation showed.
https://www.heise.de/-9609319.html
Security updates for Friday
Security updates have been issued by Debian (xorg-server), Fedora (chromium, dotnet8.0, firefox, freeipa, and thunderbird), Red Hat (avahi, c-ares, curl, edk2, expat, freetype, frr, git, gnutls, grub2, kernel, kernel-rt, libcap, libfastjson, libssh, libtasn1, libxml2, linux-firmware, ncurses, oniguruma, openssh, openssl, perl-HTTP-Tiny, protobuf-c, python-urllib3, python3, python3.9, rpm, samba, shadow-utils, sqlite, tcpdump, tomcat, and virt:rhel and virt-devel:rhel modules), SUSE (cpio, jasper, rear23a, thunderbird, and xorg-x11-server), and Ubuntu (jinja2, kernel, linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-kvm, linux-lowlatency-hwe-5.15, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-6.2, linux-azure, linux-azure-6.2, linux-azure-fde-6.2, linux-gcp, linux-hwe-6.5, linux-laptop, linux-lowlatency, linux-lowlatency-hwe-6.5, linux-oem-6.5, linux-oracle, linux-raspi, linux-starfive, linux, linux-aws, linux-aws-hwe, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-aws, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-oem-6.1, and mariadb, mariadb-10.3, mariadb-10.6).
https://lwn.net/Articles/959640/
2024-01 Reference Advisory: Junos OS and Junos OS Evolved: Impact of Terrapin SSH Attack (CVE-2023-48795)
https://supportportal.juniper.net/s/article/2024-01-Reference-Advisory-Junos-OS-and-Junos-OS-Evolved-Impact-of-Terrapin-SSH-Attack-CVE-2023-48795
2024-01 Out-of-Cycle Security Bulletin: Junos OS: SRX Series and EX Series: Multiple vulnerabilities in J-Web have been addressed
https://supportportal.juniper.net/s/article/2024-01-Out-of-Cycle-Security-Bulletin-Junos-OS-SRX-Series-and-EX-Series-Multiple-vulnerabilities-in-J-Web-have-been-addressed
Security Vulnerabilities fixed in Focus for iOS 122
https://www.mozilla.org/en-US/security/advisories/mfsa2024-03/
Open redirect in parameter might affect IBM Storage Defender Data Protect.
https://www.ibm.com/support/pages/node/7106918
AIX is vulnerable to a denial of service (CVE-2023-5678, CVE-2023-6129, CVE-2023-6237) and an attacker may obtain sensitive information (CVE-2023-5363) due to OpenSSL
https://www.ibm.com/support/pages/node/7111837
IBM Sterling Connect:Direct for UNIX is vulnerable to multiple issues due to Eclipse Jetty.
https://www.ibm.com/support/pages/node/7111880
Vulnerabilities in GNU Binutils, Bootstrap, PortSmash, Node.js, and libarchive might affect IBM Storage Defender Data Protect.
https://www.ibm.com/support/pages/node/7091980
Multiple vulnerabilities in IBM Semeru Runtime may affect IBM Decision Optimization for IBM Cloud Pak for Data (CVE-2023-22006, CVE-2023-22036 & CVE-2023-22049)
https://www.ibm.com/support/pages/node/7112089
IBM Security Directory Integrator affected by multiple vulnerabilities affecting IBM Java SDK
https://www.ibm.com/support/pages/node/7047118