End-of-Day report
Timeframe: Tuesday 20-02-2024 18:00 - Wednesday 21-02-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
News
Open Source in Enterprise Environments - Where Are We Now and What Is Our Way Forward?
We have been used to hearing that free and open source software and enterprise environments in Big Business are fundamentally opposed and do not mix well. Is that actually the case, or should we rather explore how business and free software can both benefit going forward?
https://bsdly.blogspot.com/2022/09/open-source-in-enterprise-environments.html
VoltSchemer attacks use wireless chargers to inject voice commands, fry phones
A team of academic researchers shows that a new set of attacks called VoltSchemer can inject voice commands to manipulate a smartphone's voice assistant through the magnetic field emitted by an off-the-shelf wireless charger.
https://www.bleepingcomputer.com/news/security/voltschemer-attacks-use-wireless-chargers-to-inject-voice-commands-fry-phones/
Security: Researchers generate fingerprints from swiping sounds
The method is based on a series of complex algorithms with which a master fingerprint can ultimately be generated.
https://www.golem.de/news/security-forscher-erzeugen-fingerabdruecke-aus-wischgeraeuschen-2402-182449.html
Phishing pages hosted on archive.org, (Wed, Feb 21st)
The Internet Archive is a well-known and much-admired institution, devoted to creating a "digital library of Internet sites and other cultural artifacts in digital form"[1]. [...] Unfortunately, since it allows for uploading of files by users, it is also used by threat actors to host malicious content from time to time[2,3].
https://isc.sans.edu/diary/rss/30676
Breakdown of Tycoon Phishing-as-a-Service System
Just weeks after Trustwave SpiderLabs reported on the Greatness phishing-as-a-service (PaaS) framework, SpiderLabs' Email Security team is tracking another PaaS called Tycoon Group.
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/breakdown-of-tycoon-phishing-as-a-service-system/
re: Zyxel VPN Series Pre-auth Remote Command Execution
An unauthenticated command injection exploit affecting Zyxel firewalls was published in late January without an associated CVE. The vulnerability turns out to be CVE-2023-33012. The associated disclosure did not mention any caveats to exploitation, but it turns out only an uncommon configuration is affected.
https://vulncheck.com/blog/zyxel-cve-2023-33012
Vibrator virus steals your personal information
One of our customers found their vibrator was buzzing with a hint of malware.
https://www.malwarebytes.com/blog/news/2024/02/vibrator-virus-steals-your-personal-information
Redis Servers Targeted With New "Migo" Malware
Attackers weaken Redis instances to deploy the new Migo malware and install a rootkit and cryptominers.
https://www.securityweek.com/redis-servers-targeted-with-new-migo-malware/
Fake SMS about the expiry of the FinanzOnline ID in circulation!
Criminals are currently sending mass SMS in the name of the BMF about the alleged expiry of the FinanzOnline ID or ID Austria. Links in the smishing messages lead to fake FinanzOnline websites where personal data is harvested. This data can then be used for personalised follow-up scams. Ignore these SMS messages!
https://www.watchlist-internet.at/news/fake-sms-zum-ablauf-der-finanz-online-id-im-umlauf/
Detecting Malicious Actors By Observing Commands in Shell History
Among the myriad techniques and tools at the disposal of cybersecurity experts, one subtle yet powerful method often goes unnoticed: the analysis of shell history to detect malicious actors.
https://orca.security/resources/blog/understand-shell-commands-detect-malicious-behavior/
Practical Vulnerability Archaeology Starring Ivanti's CVE-2021-44529
In 2021, Ivanti patched a vulnerability that they called "code injection". Rumors say it was a backdoor in an open source project. Let's find out what actually happened!
https://www.greynoise.io/blog/practical-vulnerability-archaeology-starring-ivantis-cve-2021-44529
CISA, EPA, and FBI Release Top Cyber Actions for Securing Water Systems
Today, CISA, the Environmental Protection Agency (EPA), and the Federal Bureau of Investigation (FBI) released the joint fact sheet Top Cyber Actions for Securing Water Systems. This fact sheet outlines the following practical actions Water and Wastewater Systems (WWS) Sector entities can take to better protect water systems from malicious cyber activity and provides actionable guidance [...]
https://www.cisa.gov/news-events/alerts/2024/02/21/cisa-epa-and-fbi-release-top-cyber-actions-securing-water-systems
Lucifer DDoS botnet Malware is Targeting Apache Big-Data Stack
Aqua Nautilus has unveiled a new campaign targeting Apache big-data stack, specifically Apache Hadoop and Apache Druid. Upon investigation, it was discovered that the attacker exploits existing misconfigurations and vulnerabilities within our Apache cloud honeypots to execute the attacks.
https://blog.aquasec.com/lucifer-ddos-botnet-malware-is-targeting-apache-big-data-stack
Vulnerabilities
Cisco Unified Intelligence Center Insufficient Access Control Vulnerability
A vulnerability in the Live Data server of Cisco Unified Intelligence Center could allow an unauthenticated, local attacker to read and modify data in a repository that belongs to an internal service on an affected device. This vulnerability is due to insufficient access control implementations on cluster configuration CLI requests. An attacker could exploit this vulnerability by sending a cluster configuration CLI request to specific directories on an affected device.
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cuic-access-control-jJsZQMjj
Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services Information Disclosure Vulnerability
In February 2024, the Cisco Product Security Incident Response Team (PSIRT) became aware of additional attempted exploitation of this vulnerability in the wild. Cisco continues to strongly recommend that customers upgrade to a fixed software release to remediate this vulnerability.
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-info-disclose-9eJtycMB
WS_FTP Server Service Pack (February 2024)
This article contains the details of the specific updates within the WS_FTP Server February 2024 Service Pack. The Service Pack contains a fix for the newly disclosed CVE described below. Progress highly recommends you apply this Service Pack for product updates and security improvements. For Service Pack content, please review the Service Pack Release Notes and this knowledgebase article carefully.
https://community.progress.com/s/article/WS-FTP-Server-Service-Pack-February-2024
Broadcom closes security vulnerabilities in VMware Aria Operations and EAP plug-in
Broadcom is distributing updates for VMware Aria Operations and the EAP browser plug-in. They fix security vulnerabilities, some of them critical.
https://www.heise.de/-9634714.html
Firefox and Thunderbird: New versions deliver security fixes
New versions of Firefox, Firefox ESR and Thunderbird are available. They primarily close security vulnerabilities.
https://www.heise.de/-9634418.html
VMSA-2024-0003
Addressing Arbitrary Authentication Relay and Session Hijack Vulnerabilities in Deprecated VMware Enhanced Authentication Plug-in (EAP) (CVE-2024-22245, CVE-2024-22250)
https://www.vmware.com/security/advisories/VMSA-2024-0003.html
VMSA-2024-0004
VMware Aria Operations updates address local privilege escalation vulnerability. (CVE-2024-22235)
https://www.vmware.com/security/advisories/VMSA-2024-0004.html
Security updates for Wednesday
Security updates have been issued by CentOS (linux-firmware and python-reportlab), Debian (unbound), Fedora (freeglut and syncthing), Red Hat (edk2, go-toolset:rhel8, java-1.8.0-ibm, kernel, kernel-rt, mysql:8.0, oniguruma, and python-pillow), Slackware (libuv and mozilla), SUSE (abseil-cpp, grpc, opencensus-proto, protobuf, python-abseil, python-grpcio, re2, bind, dpdk, firefox, hdf5, libssh, libssh2_org, libxml2, mozilla-nss, openssl-1_1, openvswitch, postgresql12, postgresql13, postgresql14, postgresql15, postgresql16, python-aiohttp, python-time-machine, python-pycryptodomex, runc, and webkit2gtk3), and Ubuntu (kernel, libspf2, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, and linux, linux-aws, linux-kvm, linux-lts-xenial).
https://lwn.net/Articles/963035/
Chrome 122, Firefox 123 Patch High-Severity Vulnerabilities
Google and Mozilla resolve high-severity memory safety vulnerabilities with the latest Chrome and Firefox updates.
https://www.securityweek.com/chrome-122-firefox-123-patch-high-severity-vulnerabilities/
IBM Security Bulletins
https://www.ibm.com/support/pages/bulletin/
K000138649 : GnuTLS vulnerability CVE-2023-5981
https://my.f5.com/manage/s/article/K000138649
K000138650 : cURL vulnerability CVE-2023-46218
https://my.f5.com/manage/s/article/K000138650