End-of-Day report
Timeframe: Monday 25-11-2024 18:00 - Tuesday 26-11-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
News
Hackers exploit critical bug in Array Networks SSL VPN products
America's Cyber Defense Agency has received evidence of hackers actively exploiting a remote code execution vulnerability in the Array Networks AG and vxAG ArrayOS SSL VPN products.
https://www.bleepingcomputer.com/news/security/hackers-exploit-critical-bug-in-array-networks-ssl-vpn-products/
Matrix Unleashes A New Widespread DDoS Campaign
Aqua Nautilus researchers uncovered a new and widespread Distributed Denial-of-Service (DDoS) campaign orchestrated by a threat actor named Matrix. Triggered by activities detected on our honeypots, this investigation dives deep into Matrix's methods, targets, tools, and overall goals.
https://blog.aquasec.com/matrix-unleashes-a-new-widespread-ddos-campaign
Wake up and Smell the BitLocker Keys
From this demonstration we can see that with a minimal set of tools and a small-time investment it is quite practical to access a drive encrypted with BitLocker. [..] This type of attack can be avoided by implementing a second factor for pre-boot authentication, either a user PIN and/or USB Startup Key.
https://blog.nviso.eu/2024/11/26/wake-up-and-smell-the-bitlocker-keys/
Detection Opportunities - EDR Silencer, EDRSandblast, Kill AV-
There are many ways to disable or modify security solutions, which you can, e.g., test with at least 53 different Atomic Red Team tests as a starting point, but today I would like to limit myself to a few tools that successful ransomware groups within the top 20 ransomware groups for October 2024 use.
https://detect.fyi/detection-opportunities-edr-silencer-edrsandblast-kill-av-d882c290a393?source=rssd5fd8f494f6a4
Web Security: Using Content Security Policy against Cross-Site Scripting, Part 2
Extended CSP directives help protect applications efficiently against cross-site scripting.
https://heise.de/-10175246
Graykey: decryption tool can partially unlock iOS 18
In connection with Apple's new reboot protection against unlocking, information has surfaced about what forensics companies can do with current iPhones.
https://heise.de/-10175639
Vulnerabilities
Dell Wyse Management Suite: attackers can bypass security mechanisms
According to an advisory, DoS attacks (CVE-2024-49595, "high") are conceivable, among other things; in addition, attackers can bypass security mechanisms that are not described in more detail (CVE-2024-49597, "high"). In both cases attacks are possible remotely, but attackers already need high user privileges.
https://www.heise.de/-10176009
Trellix: update closes security holes in Enterprise Security Manager
Trellix does not go into specific vulnerabilities. However, Trellix ESM 11.6.13 updates Azul Java, among other things, and thereby addresses several unlisted CVEs. Likewise, the bundled libcurl library fixes two vulnerabilities (CVE-2023-38545, CVSS 9.8, risk "critical"; CVE-2023-38546, CVSS 3.7, low). The "Snow Service" also previously harboured two "reverse shell" vulnerabilities (CVE-2024-1148, CVSS 9.8, critical; CVE-2024-11482 [not yet public]).
https://www.heise.de/-10176250
WordPress plug-in Anti-Spam by CleanTalk puts 200,000 sites at risk
Unauthenticated attackers can thereby install and activate arbitrary plug-ins on vulnerable WordPress instances and thus ultimately execute arbitrary code (CVE-2024-10542, CVSS 9.8, risk "critical").
https://heise.de/-10175993
Security updates for Tuesday
Security updates have been issued by Debian (pypy3), Fedora (chromium, cobbler, and libsoup3), Oracle (kernel), SUSE (glib2, govulncheck-vulndb, javapackages-tools, xmlgraphics-batik, xmlgraphics-commons, xmlgraphics-fop, libblkid-devel, opentofu, php8, postgresql, postgresql16, postgresql17, thunderbird, traefik, and ucode-intel), and Ubuntu (needrestart and rapidjson).
https://lwn.net/Articles/999744/
WordPress Plugin "WP Admin UI Customize" vulnerable to cross-site scripting
https://jvn.jp/en/jp/JVN87182660/
VMware: VMSA-2024-0022: VMware Aria Operations updates address multiple vulnerabilities (CVE-2024-38830, CVE-2024-38831, CVE-2024-38832, CVE-2024-38833, CVE-2024-38834)
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25199
Mozilla Security Advisories November 26, 2024
https://www.mozilla.org/en-US/security/advisories/
Splunk: SVD-2024-1102: Third-Party Package Updates in Splunk Machine Learning Toolkit - November 2024
https://advisory.splunk.com//advisories/SVD-2024-1102
Splunk: SVD-2024-1101: Third-Party Package Updates in Python for Scientific Computing - November 2024
https://advisory.splunk.com//advisories/SVD-2024-1101
Synology-SA-24:25 Surveillance Station
https://www.synology.com/en-global/support/security/Synology_SA_24_25
Synology-SA-24:15 BeeFiles
https://www.synology.com/en-global/support/security/Synology_SA_24_15
Hitachi Energy RTU500 Scripting Interface
https://www.cisa.gov/news-events/ics-advisories/icsa-24-331-05
Hitachi Energy MicroSCADA Pro/X SYS600
https://www.cisa.gov/news-events/ics-advisories/icsa-24-331-04
F5: K000148713: libssh2 vulnerabilities CVE-2019-3858 and CVE-2019-3862
https://my.f5.com/manage/s/article/K000148713
PHP Patches Multiple Vulnerabilities Including CVE-2024-8932
https://thecyberthrone.in/2024/11/26/php-patches-multiple-vulnerabilities-including-cve-2024-8932/