End-of-Day report
Timeframe: Monday 12-02-2024 18:00 - Tuesday 13-02-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
News
The (D)Evolution of Pikabot
Pikabot is a malware loader that originally emerged in early 2023. Over the past year, ThreatLabz has been tracking the development of Pikabot and its modus operandi. There was a significant increase in usage in the second half of 2023 following the FBI-led takedown of Qakbot. This was likely the result of a BlackBasta ransomware affiliate replacing Qakbot with Pikabot for initial access. However, Pikabot ceased activity shortly after Christmas 2023, with its version number being 1.1.19 at that time. In recent campaigns, which started in February 2024, Pikabot reemerged with significant changes in its code base and structure.
https://www.zscaler.com/blogs/security-research/d-evolution-pikabot
GMX, Web.de, online services: attacks on login credentials are increasing
Somewhat alarmingly, several media outlets report an increase in attacks on user accounts at GMX and Web.de, which among other things provide very popular webmail services. Numerous accounts there show very high numbers of failed login attempts. This appears to be the everyday credential attacks by cybercriminals who try to access online services with stolen account information.
https://www.heise.de/-9626994
Beware of fake WKÖ e-mails
Criminals pose as the Wirtschaftskammer Österreich (Austrian Economic Chamber) and ask companies in an e-mail to update their contact details. Do not click the link under any circumstances; you will be taken to a fake WKÖ page where criminals steal company and bank data.
https://www.watchlist-internet.at/news/vorsicht-vor-gefaelschten-wkoe-e-mails/
Directory.ReadWrite.All Is Not As Powerful As You Might Think
Directory.ReadWrite.All is an MS Graph permission that is frequently cited as granting high amounts of privilege, even being equated to the Global Admin Entra ID role [..] Misleading or incorrect documentation creates most of the misconceptions regarding this permission.
https://posts.specterops.io/directory-readwrite-all-is-not-as-powerful-as-you-might-think-c5b09a8f78a8
Ongoing Microsoft Azure account hijacking campaign targets executives
A phishing campaign detected in late November 2023 has compromised hundreds of user accounts in dozens of Microsoft Azure environments, including those of senior executives.
https://www.bleepingcomputer.com/news/security/ongoing-microsoft-azure-account-hijacking-campaign-targets-executives/
Fileless Revenge RAT Malware
AhnLab SEcurity intelligence Center (ASEC) recently discovered the distribution of Revenge RAT malware that had been developed based on legitimate tools. It appears that the attackers have used tools such as "smtp-validator" and "Email To Sms". At the time of execution, the malware creates and runs both a legitimate tool and a malicious file, making it difficult for users to realize that malicious activity has occurred.
https://asec.ahnlab.com/en/61584/
Vulnerabilities
Request Tracker Write-up (CVE-2023-41259, CVE-2023-41260)
Without authentication we were able to extract file-attachments that were uploaded to RT, including e-mails received from and to users regarding tickets and issues. We also found it was possible to obtain information about tickets and users.
https://www.linkedin.com/pulse/request-tracker-write-up-tom-wolters-ygsae
PowerDNS Security Advisory 2024-01: crafted DNSSEC records in a zone can lead to a denial of service in Recursor
An attacker can publish a zone that contains crafted DNSSEC related records. While validating results from queries to that zone using the RFC mandated algorithms, the Recursor's resource usage can become so high that processing of other queries is impacted, resulting in a denial of service. Note that any resolver following the RFCs can be impacted; this is not a problem of this particular implementation.
https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-2024-01.html
DNS servers: BIND and Unbound stumble over the "KeyTrap" security vulnerability
With a crafted DNS request, attackers can cause high processor load and thereby block the service for legitimate users. Patches are available.
https://www.heise.de/-9627276
Security vulnerabilities: attackers can compromise Dell Unity
The bugs are in the Dell Unity Operating Environment (OE). The developers state that release 5.4.0.0.5.094 fixes them. Affected products include Dell EMC Unity, Dell EMC Unity XT 380F and Dell EMC Unity Hybrid. All vulnerable products are listed in the advisory.
https://www.heise.de/-9626407
Qnap: security vulnerabilities in firmware allow command injection
In its security advisory, Qnap writes that there are two vulnerabilities. The description for both reads: a command injection vulnerability has been reported in several Qnap operating system versions. If exploited, they allow users to execute commands via the network (CVE-2023-47218, CVE-2023-50358, CVSS 5.8, risk "medium").
https://www.heise.de/-9626319
SAP patches: 13 security vulnerabilities closed
SAP is distributing software updates that fix vulnerabilities from 13 security notes. One flaw is critical.
https://www.heise.de/-9626592
Security updates for Tuesday
Security updates have been issued by Fedora (clamav and virtiofsd), Oracle (gimp), Red Hat (gnutls and nss), SUSE (kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t and squid), and Ubuntu (openssl).
https://lwn.net/Articles/961937/
IBM Security Bulletins
https://www.ibm.com/support/pages/bulletin/
TYPO3 Security Advisories
https://typo3.org/help/security-advisories
Autodesk: Multiple Vulnerabilities in Autodesk InfraWorks software
https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0001
Mitsubishi Electric MELSEC iQ-R Series Safety CPU
https://www.cisa.gov/news-events/ics-advisories/icsa-24-044-01
HIMA: Multiple products affected by DoS and Port-Based-VLAN Crossing
https://cert.vde.com/de/advisories/VDE-2024-013/
Schneider Electric Security Advisories
https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.jsp
SSA-943925 V1.0: Multiple Vulnerabilities in SINEC NMS before V2.0 SP1
https://cert-portal.siemens.com/productcert/html/ssa-943925.html
SSA-871717 V1.0: Multiple Vulnerabilities in Polarion ALM
https://cert-portal.siemens.com/productcert/html/ssa-871717.html
SSA-806742 V1.0: Multiple Vulnerabilities in SCALANCE XCM-/XRM-300 before V2.4
https://cert-portal.siemens.com/productcert/html/ssa-806742.html
SSA-797296 V1.0: XT File Parsing Vulnerability in Parasolid
https://cert-portal.siemens.com/productcert/html/ssa-797296.html
SSA-753746 V1.0: Denial of Service Vulnerabilities in SIMATIC WinCC Affecting Other SIMATIC Software Products
https://cert-portal.siemens.com/productcert/html/ssa-753746.html
SSA-716164 V1.0: Multiple Vulnerabilities in Scalance W1750D
https://cert-portal.siemens.com/productcert/html/ssa-716164.html
SSA-665034 V1.0: Vulnerability in Nozomi Guardian/CMC before 23.3.0 on RUGGEDCOM APE1808 devices
https://cert-portal.siemens.com/productcert/html/ssa-665034.html
SSA-647068 V1.0: Ripple20 in SIMATIC RTLS Gateways
https://cert-portal.siemens.com/productcert/html/ssa-647068.html
SSA-602936 V1.0: Multiple Vulnerabilities in SCALANCE SC-600 Family before V3.1
https://cert-portal.siemens.com/productcert/html/ssa-602936.html
SSA-580228 V1.0: Use of Hard-Coded Credentials Vulnerability in Location Intelligence before V4.3
https://cert-portal.siemens.com/productcert/html/ssa-580228.html
SSA-543502 V1.0: Local Privilege Escalation Vulnerability in Unicam FX
https://cert-portal.siemens.com/productcert/html/ssa-543502.html
SSA-516818 V1.0: TCP Sequence Number Validation Vulnerability in the TCP/IP Stack of CP343-1 Devices
https://cert-portal.siemens.com/productcert/html/ssa-516818.html
SSA-108696 V1.0: Multiple Vulnerabilities in SIDIS Prime before V4.0.400
https://cert-portal.siemens.com/productcert/html/ssa-108696.html
SSA-017796 V1.0: Multiple File Parsing Vulnerabilities in Tecnomatix Plant Simulation
https://cert-portal.siemens.com/productcert/html/ssa-017796.html
SSA-000072 V1.0: Multiple File Parsing Vulnerabilities in Simcenter Femap
https://cert-portal.siemens.com/productcert/html/ssa-000072.html