End-of-Day report
Timeframe: Mittwoch 07-02-2024 18:00 - Donnerstag 08-02-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
News
Fortinet: APTs Exploiting FortiOS Vulnerabilities in Critical Infrastructure Attacks
One of the exploited vulnerabilities is CVE-2022-42475, which Fortinet patched in December 2022, when it warned that it had been aware of in-the-wild exploitation. [..] The second vulnerability described in Fortinet-s new warning is CVE-2023-27997, which came to light in June 2023, when the cybersecurity firm informed customers that it had been exploited as a zero-day in limited attacks. Fortinet noted on Wednesday that some customers have yet to patch the two FortiOS vulnerabilities and the company has seen several attacks and attack clusters, including ones aimed at the government, service provider, manufacturing, consultancy, and critical infrastructure sectors.
https://www.securityweek.com/fortinet-apts-exploiting-fortios-vulnerabilities-in-critical-infrastructure-attacks/
State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure
CISA, NSA, FBI and the following partners are releasing this advisory to warn critical infrastructure organizations about this assessment, which is based on observations from the U.S. authoring agencies- incident response activities at critical infrastructure organizations compromised by the PRC state-sponsored cyber group known as Volt Typhoon (also known as Vanguard Panda, BRONZE SILHOUETTE, Dev-0391, UNC3236, Voltzite, and Insidious Taurus).
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a
Fortinet warns of new FortiSIEM RCE bugs in confusing disclosure
Fortinet is warning of two new unpatched patch bypasses for a critical remote code execution vulnerability in FortiSIEM, Fortinets SIEM solution. [..] Earlier today, BleepingComputer published an article that the CVEs were released by mistake after being told by Fortinet that they were duplicates of the original CVE-2023-34992. [..] After contacting Fortinet once again, we were told their previous statement was -misstated- and that the two new CVEs are variants of the original flaw.
https://www.bleepingcomputer.com/news/security/fortinet-warns-of-new-fortisiem-rce-bugs-in-confusing-disclosure/
Coyote: A multi-stage banking Trojan abusing the Squirrel installer
We will delve into the workings of the infection chain and explore the capabilities of the new Trojan that specifically targets users of more than 60 banking institutions, mainly from Brazil.
https://securelist.com/coyote-multi-stage-banking-trojan/111846/
Facebook ads push new Ov3r_Stealer password-stealing malware
A new password-stealing malware named Ov3r_Stealer is spreading through fake job advertisements on Facebook, aiming to steal account credentials and cryptocurrency.
https://www.bleepingcomputer.com/news/security/facebook-ads-push-new-ov3r-stealer-password-stealing-malware/
The toothbrush DDoS attack: How misinformation spreads in the cybersecurity world
No, three million smart toothbrushes didnt launch a DDoS attack against a Swiss company.
https://grahamcluley.com/the-toothbrush-ddos-attack-how-misinformation-spreads-in-the-cybersecurity-world/
Fake LastPass password manager spotted on Apple-s App Store
LastPass is warning that a fake copy of its app is being distributed on the Apple App Store, likely used as a phishing app to steal users' credentials.
https://www.bleepingcomputer.com/news/security/fake-lastpass-password-manager-spotted-on-apples-app-store/
Vulnerabilities
FortiGate / FortiOS 7.4.3 FortiOS Release Notes
2024-02-07 Initial release
https://docs.fortinet.com/document/fortigate/7.4.3/fortios-release-notes/553516
SonicOS SSL-VPN Improper Authentication
An improper authentication vulnerability has been identified in SonicWall SonicOS SSL-VPN feature, which in specific conditions could allow a remote attacker to bypass authentication.This issue affects only firmware version SonicOS 7.1.1-7040. CVE: CVE-2024-22394 Last updated: Feb. 6, 2024, 4:44 p.m.
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0003
SSD Advisory - TOTOLINK LR1200GB Auth Bypass
A vulnerability in TOTOLINK LR1200GB allows remote unauthenticated attackers to become authenticated due to a stack overflow vulnerability in the web interface. [..] Multiple emails to the vendor went unanswered, we are releasing this information without being able to get from the vendor a patch or response.
https://ssd-disclosure.com/ssd-advisory-totolink-lr1200gb-auth-bypass/
Sicherheitslücken: Codeschmuggel und Leistungsverweigerung bei ClamAV
Der Parser für das OLE2-Dateiformat enthält einen Pufferüberlauf und mit speziell präparierten Dateinamen lassen sich offenbar eigene Befehlszeilen ausführen.
https://www.heise.de/-9622674
Samsung Magician: Update stopft Sicherheitsleck im SSD-Tool
Samsung bietet mit Magician eine Software zum Verwalten von SSDs, Speichersticks und -Karten des Herstellers. Ein Update schließt eine Lücke darin.
https://www.heise.de/-9622729
Security updates for Thursday
Security updates have been issued by Debian (chromium), Red Hat (gimp, kernel, kernel-rt, and runc), Slackware (expat), SUSE (libavif), and Ubuntu (linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-kvm, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-bluefield, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-oracle, linux-oracle-5.4, linux-xilinx-zynqmp, and linux, linux-aws, linux-gcp, linux-hwe-6.5, linux-laptop, linux-lowlatency, linux-lowlatency-hwe-6.5, linux-oem-6.5, linux-oracle, linux-raspi, linux-starfive).
https://lwn.net/Articles/961330/
Drupal: Migrate Tools - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2024-008
https://www.drupal.org/sa-contrib-2024-008
IBM Security Bulletins
https://www.ibm.com/support/pages/bulletin/
Wordfence Intelligence Weekly WordPress Vulnerability Report (January 29, 2024 to February 4, 2024)
https://www.wordfence.com/blog/2024/02/wordfence-intelligence-weekly-wordpress-vulnerability-report-january-29-2024-to-february-4-2024/
Qolsys IQ Panel 4, IQ4 HUB
https://www.cisa.gov/news-events/ics-advisories/icsa-24-039-01