End-of-Day report
Timeframe: Tuesday 30-01-2024 18:00 - Wednesday 31-01-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
News
Debian, Ubuntu and more: glibc vulnerability enables root access on Linux
In addition, further vulnerabilities were uncovered in the GNU C library. One of them has apparently existed for more than 30 years.
https://www.golem.de/news/debian-ubuntu-und-mehr-glibc-schwachstelle-ermoeglicht-root-zugriff-unter-linux-2401-181724.html
Tracking 15 Years of Qakbot Development
Qakbot (aka QBot or Pinkslipbot) is a malware trojan that has been used to operate one of the oldest and longest running cybercriminal enterprises. Qakbot has evolved from a banking trojan to a malware implant that can be used for lateral movement and the eventual deployment of ransomware. In August 2023, the Qakbot infrastructure was dismantled by law enforcement. However, just several months later in December 2023, the fifth (and latest) version of Qakbot was released, [...]
https://www.zscaler.com/blogs/security-research/tracking-15-years-qakbot-development
Ransomware: Online tool can decrypt BlackCat & Co. under certain conditions
If the prerequisites are met, ransomware victims can decrypt their data on a website without paying a ransom.
https://www.heise.de/-9614278.html
A zero-day vulnerability (and PoC) to blind defenses relying on Windows event logs
A zero-day vulnerability that, when triggered, could crash the Windows Event Log service on all supported (and some legacy) versions of Windows could spell trouble for enterprise defenders. Discovered by a security researcher named Florian and reported to Microsoft, the vulnerability is yet to be patched. In the meantime, the researcher has gotten the go-ahead from the company to publish a PoC exploit.
https://www.helpnetsecurity.com/2024/01/31/windows-event-log-vulnerability/
Cutting Edge: Suspected APT Targets Ivanti Connect Secure VPN in New Zero-Day Exploitation
Update (Jan. 31): We released a follow-up blog post containing additional details from our investigations into this threat, along with more recommendations for defenders. Note: This is a developing campaign under active analysis by Mandiant and Ivanti. We will continue to add more indicators, detections, and information to this blog post as needed.
https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day
CISA and FBI Release Secure by Design Alert Urging Manufacturers to Eliminate Defects in SOHO Routers
Today, CISA and the Federal Bureau of Investigation (FBI) published guidance on Security Design Improvements for SOHO Device Manufacturers as a part of the new Secure by Design (SbD) Alert series that focuses on how manufacturers should shift the burden of security away from customers by integrating security into product design and development.
https://www.cisa.gov/news-events/alerts/2024/01/31/cisa-and-fbi-release-secure-design-alert-urging-manufacturers-eliminate-defects-soho-routers
Vulnerabilities
Security updates for Wednesday
Security updates have been issued by Debian (bind9 and glibc), Fedora (ncurses), Gentoo (containerd, libaom, and xorg-server, xwayland), Mageia (python-pillow and zlib), Oracle (grub2 and tomcat), Red Hat (avahi, c-ares, container-tools:3.0, curl, firefox, frr, kernel, kernel-rt, kpatch-patch, libfastjson, libmicrohttpd, linux-firmware, oniguruma, openssh, perl-HTTP-Tiny, python-pip, python-urllib3, python3, rpm, samba, sqlite, tcpdump, thunderbird, tigervnc, and virt:rhel and virt-devel:rhel modules), SUSE (python-Pillow, slurm, slurm_20_02, slurm_20_11, slurm_22_05, slurm_23_02, and xen), and Ubuntu (libde265, linux-nvidia, mysql-8.0, openldap, pillow, postfix, and xorg-server, xwayland).
https://lwn.net/Articles/960248/
Mattermost security updates 9.4.2 / 9.3.1 / 9.2.5 / 8.1.9 (ESR) released
We're informing you about a Mattermost security update, which addresses low- to medium-level severity vulnerabilities. We highly recommend that you apply the update.
https://mattermost.com/blog/mattermost-security-updates-9-4-2-9-3-1-9-2-5-8-1-9-esr-released/
CISA ICS Advisories
- Hitron Systems Security Camera DVR
- Rockwell Automation ControlLogix and GuardLogix
- Rockwell Automation FactoryTalk Service Platform
- Rockwell Automation LP30/40/50 and BM40 Operator Interface
https://www.cisa.gov/news-events/cybersecurity-advisories?f%5B0%5D=advisory_type%3A95&f%5B1%5D=release_date_year%3A2024
CISA Adds One Known Exploited Vulnerability to Catalog
CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CVE-2022-48618 Apple Multiple Products Improper Authentication Vulnerability
https://www.cisa.gov/news-events/alerts/2024/01/31/cisa-adds-one-known-exploited-vulnerability-catalog
Security Advisory Report - OBSO-2401-03
A command injection vulnerability has been identified in the MyPortal@Work application of Atos OpenScape Business which, if successfully exploited, could allow a malicious actor to execute arbitrary scripts on a client machine.
The severity is rated high.
Customers are advised to update the systems with the available fix release.
https://networks.unify.com/security/advisories/OBSO-2401-03.pdf
IBM Security Bulletins
https://www.ibm.com/support/pages/bulletin/
Google Chrome: Update closes four security vulnerabilities
https://www.heise.de/-9613823.html
SVD-2024-0112: Third-Party Package Updates in Splunk Add-on Builder - January 2024
https://advisory.splunk.com//advisories/SVD-2024-0112
SVD-2024-0111: Sensitive Information Disclosure to Internal Log Files in Splunk Add-on Builder
https://advisory.splunk.com//advisories/SVD-2024-0111
SVD-2024-0110: Session Token Disclosure to Internal Log Files in Splunk Add-on Builder
https://advisory.splunk.com//advisories/SVD-2024-0110
The WordPress 6.4.3 Security Update - What You Need to Know
https://www.wordfence.com/blog/2024/01/the-wordpress-6-4-3-security-update-what-you-need-to-know/
Tor Code Audit Finds 17 Vulnerabilities
https://www.securityweek.com/tor-code-audit-finds-17-vulnerabilities/
Update #5: Critical vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure - actively exploited - patches available
https://cert.at/de/warnungen/2024/1/kritische-sicherheitslucken-in-ivanti-connect-secure-und-ivanti-policy-secure-aktiv-ausgenutzt
List of Security Fixes and Improvements in Veeam Backup for Nutanix AHV
https://www.veeam.com/kb4236