Daily Summary - 08.02.2024

End-of-Day report

Timeframe: Wednesday 07-02-2024 18:00 - Thursday 08-02-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter

News

Fortinet: APTs Exploiting FortiOS Vulnerabilities in Critical Infrastructure Attacks

One of the exploited vulnerabilities is CVE-2022-42475, which Fortinet patched in December 2022, when it warned that it had been aware of in-the-wild exploitation. [..] The second vulnerability described in Fortinet's new warning is CVE-2023-27997, which came to light in June 2023, when the cybersecurity firm informed customers that it had been exploited as a zero-day in limited attacks. Fortinet noted on Wednesday that some customers have yet to patch the two FortiOS vulnerabilities and the company has seen several attacks and attack clusters, including ones aimed at the government, service provider, manufacturing, consultancy, and critical infrastructure sectors.

https://www.securityweek.com/fortinet-apts-exploiting-fortios-vulnerabilities-in-critical-infrastructure-attacks/


State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure

CISA, NSA, FBI and the following partners are releasing this advisory to warn critical infrastructure organizations about this assessment, which is based on observations from the U.S. authoring agencies' incident response activities at critical infrastructure organizations compromised by the PRC state-sponsored cyber group known as Volt Typhoon (also known as Vanguard Panda, BRONZE SILHOUETTE, Dev-0391, UNC3236, Voltzite, and Insidious Taurus).

https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a


Fortinet warns of new FortiSIEM RCE bugs in confusing disclosure

Fortinet is warning of two new unpatched patch bypasses for a critical remote code execution vulnerability in FortiSIEM, Fortinet's SIEM solution. [..] Earlier today, BleepingComputer published an article that the CVEs were released by mistake after being told by Fortinet that they were duplicates of the original CVE-2023-34992. [..] After contacting Fortinet once again, we were told their previous statement was "misstated" and that the two new CVEs are variants of the original flaw.

https://www.bleepingcomputer.com/news/security/fortinet-warns-of-new-fortisiem-rce-bugs-in-confusing-disclosure/


Coyote: A multi-stage banking Trojan abusing the Squirrel installer

We will delve into the workings of the infection chain and explore the capabilities of the new Trojan that specifically targets users of more than 60 banking institutions, mainly from Brazil.

https://securelist.com/coyote-multi-stage-banking-trojan/111846/


Facebook ads push new Ov3r_Stealer password-stealing malware

A new password-stealing malware named Ov3r_Stealer is spreading through fake job advertisements on Facebook, aiming to steal account credentials and cryptocurrency.

https://www.bleepingcomputer.com/news/security/facebook-ads-push-new-ov3r-stealer-password-stealing-malware/


The toothbrush DDoS attack: How misinformation spreads in the cybersecurity world

No, three million smart toothbrushes didn't launch a DDoS attack against a Swiss company.

https://grahamcluley.com/the-toothbrush-ddos-attack-how-misinformation-spreads-in-the-cybersecurity-world/


Fake LastPass password manager spotted on Apple's App Store

LastPass is warning that a fake copy of its app is being distributed on the Apple App Store, likely used as a phishing app to steal users' credentials.

https://www.bleepingcomputer.com/news/security/fake-lastpass-password-manager-spotted-on-apples-app-store/

Vulnerabilities

FortiGate / FortiOS 7.4.3 FortiOS Release Notes

2024-02-07 Initial release

https://docs.fortinet.com/document/fortigate/7.4.3/fortios-release-notes/553516


SonicOS SSL-VPN Improper Authentication

An improper authentication vulnerability has been identified in SonicWall SonicOS SSL-VPN feature, which in specific conditions could allow a remote attacker to bypass authentication. This issue affects only firmware version SonicOS 7.1.1-7040. CVE: CVE-2024-22394 Last updated: Feb. 6, 2024, 4:44 p.m.

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0003


SSD Advisory - TOTOLINK LR1200GB Auth Bypass

A vulnerability in TOTOLINK LR1200GB allows remote unauthenticated attackers to become authenticated due to a stack overflow vulnerability in the web interface. [..] Multiple emails to the vendor went unanswered, we are releasing this information without being able to get from the vendor a patch or response.

https://ssd-disclosure.com/ssd-advisory-totolink-lr1200gb-auth-bypass/


Security vulnerabilities: Code injection and denial of service in ClamAV

The parser for the OLE2 file format contains a buffer overflow, and specially crafted file names can apparently be used to execute arbitrary command lines.

https://www.heise.de/-9622674


Samsung Magician: Update plugs security hole in SSD tool

With Magician, Samsung offers software for managing the manufacturer's SSDs, USB sticks and memory cards. An update closes a vulnerability in it.

https://www.heise.de/-9622729


Security updates for Thursday

Security updates have been issued by Debian (chromium), Red Hat (gimp, kernel, kernel-rt, and runc), Slackware (expat), SUSE (libavif), and Ubuntu (linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-kvm, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-bluefield, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-oracle, linux-oracle-5.4, linux-xilinx-zynqmp, and linux, linux-aws, linux-gcp, linux-hwe-6.5, linux-laptop, linux-lowlatency, linux-lowlatency-hwe-6.5, linux-oem-6.5, linux-oracle, linux-raspi, linux-starfive).

https://lwn.net/Articles/961330/


Drupal: Migrate Tools - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2024-008

https://www.drupal.org/sa-contrib-2024-008


IBM Security Bulletins

https://www.ibm.com/support/pages/bulletin/


Wordfence Intelligence Weekly WordPress Vulnerability Report (January 29, 2024 to February 4, 2024)

https://www.wordfence.com/blog/2024/02/wordfence-intelligence-weekly-wordpress-vulnerability-report-january-29-2024-to-february-4-2024/


Qolsys IQ Panel 4, IQ4 HUB

https://www.cisa.gov/news-events/ics-advisories/icsa-24-039-01