Daily summary - 07.03.2024

End-of-Day report

Timeframe: Wednesday 06-03-2024 18:00 - Thursday 07-03-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer

News

Hacked WordPress sites use visitors' browsers to hack other sites

Hackers are conducting wide-scale attacks on WordPress sites to inject scripts that force visitors' browsers to brute-force passwords for other sites.

https://www.bleepingcomputer.com/news/security/hacked-wordpress-sites-use-visitors-browsers-to-hack-other-sites/

New Python-Based Snake Info Stealer Spreading Through Facebook Messages

Facebook messages are being used by threat actors to distribute a Python-based information stealer dubbed Snake that's designed to capture credentials and other sensitive data.

https://thehackernews.com/2024/03/new-python-based-snake-info-stealer.html

Code injection on Android without ptrace

I came up with the idea to port linux_injector. The project has a simple premise: injecting code into a process without using ptrace.

https://erfur.github.io/blog/dev/code-injection-without-ptrace

CVE-2023-36049: Microsoft .NET CRLF Injection Arbitrary File Write/Deletion Vulnerability

Successful exploitation of this vulnerability would allow a remote attacker to write or delete files in the context of the FTP server. The following is a portion of their write-up covering CVE-2023-36049, with a few minimal modifications.

https://www.thezdi.com/blog/2024/3/6/cve-2023-36049-microsoft-net-crlf-injection-arbitrary-file-writedeletion-vulnerability

Delving into Dalvik: A Look Into DEX Files

Through a case study of a banking trojan sample, this blog post aims to give an insight into the Dalvik Executable file format, how it is constructed, and how it can be altered to make analysis easier.

https://www.mandiant.com/resources/blog/dalvik-look-into-dex-files

State trojan: Infrastructure of the Predator spyware shut down again

The operators of the platform behind Predator have apparently taken servers offline that they used to deliver and control the surveillance software.

https://heise.de/-9648238

Vulnerabilities

CVE-2024-1403: Progress OpenEdge Authentication Bypass Deep-Dive

On February 27, 2024, Progress released a security advisory for OpenEdge, their application development and deployment platform suite. The advisory details that there exists an authentication bypass vulnerability which affects certain components of the OpenEdge platform.

https://www.horizon3.ai/attack-research/cve-2024-1403-progress-openedge-authentication-bypass-deep-dive/

Security updates for Thursday

Security updates have been issued by Debian (chromium and yard), Fedora (cpp-jwt, golang-github-tdewolff-argp, golang-github-tdewolff-minify, golang-github-tdewolff-parse, and suricata), Mageia (wpa_supplicant), Oracle (curl, edk2, golang, haproxy, keylime, mysql, openssh, and rear), Red Hat (kernel and postgresql:12), SUSE (containerd, giflib, go1.21, gstreamer-plugins-bad, java-1_8_0-openjdk, python3, python311, python39, sudo, and vim), and Ubuntu (frr, linux, linux-gcp, linux-gcp-5.4, [...]

https://lwn.net/Articles/964725/

VMware closes loopholes allowing escape from a virtual machine

Attackers can attack systems running VMware ESXi, Fusion and Workstation. Security updates are available for download.

https://heise.de/-9648396

VU#949046: Sceiner firmware locks and associated devices are vulnerable to encryption downgrade and arbitrary file upload attacks

https://kb.cert.org/vuls/id/949046

Registration role - Critical - Access bypass - SA-CONTRIB-2024-015

https://www.drupal.org/sa-contrib-2024-015

IBM Security Bulletins

https://www.ibm.com/support/pages/bulletin/

Local Privilege Escalation via writable files in CheckMK Agent

https://sec-consult.com/vulnerability-lab/advisory/local-privilege-escalation-via-writable-files-in-checkmk-agent/

Mattermost security updates 9.5.2 (ESR) / 9.4.4 / 9.3.3 / 8.1.11 (ESR) released

https://mattermost.com/blog/mattermost-security-updates-9-5-2-esr-9-4-4-9-3-3-8-1-11-esr-released/

Apple Releases Security Updates for iOS and iPadOS

https://www.cisa.gov/news-events/alerts/2024/03/07/apple-releases-security-updates-ios-and-ipados

Chirp Systems Chirp Access

https://www.cisa.gov/news-events/ics-advisories/icsa-24-067-01