Tageszusammenfassung - 02.04.2024

End-of-Day report

Timeframe: Freitag 29-03-2024 18:00 - Dienstag 02-04-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer

News

Staatlich gesponserte "Entwicklung" quelloffener Software

Wer auf der Suche nach einer kurzen Zusammenfassung der Geschehnisse rund um die (höchstwahrscheinliche) Backdoor in xz, CVE-2024-3094, ist, möge einen Blick auf diese durch den Sicherheitsforscher Thomas Roccia erstellte Grafik werfen. Darin sind die wichtigsten Details zusammengefasst, die in den folgenden Absätze wesentlich ausführlicher beleuchtet werden. Alternativ hätte dieser Blogpost auch einen deutlich knackigeren Titel haben können - "CVE-2024-3094", um jene geht es in diesem Beitrag nämlich.

https://cert.at/de/blog/2024/4/staatlich-gesponserte-entwicklung-quelloffener-software


The amazingly scary xz sshd backdoor, (Mon, Apr 1st)

The whole story around this is both fascinating and scary - and I-m sure will be told around numerous time, so in this diary I will put some technical things about the backdoor that I reversed for quite some time (and I have a feeling I could spend 2 more weeks on this). [..] Let-s take a look at couple of fascinating things in this backdoor.

https://isc.sans.edu/diary/rss/30802


On Cybersecurity Alert Levels

Last week I was invited to provide input to a tabletop exercise for city-level crisis managers on cyber security risks and the role of CSIRTs. The organizers brought a color-coded threat-level sheet (based on the CISA Alert Levels) to the discussion and asked whether we also do color-coded alerts in Austria and what I think of these systems. My answer was negative on both questions, and I think it might be useful if I explain my rationale here.

https://cert.at/en/blog/2024/4/on-cybersecurity-alert-levels


Heartbleed is 10 Years Old - Farewell Heartbleed, Hello QuantumBleed!

Heartbleed made most certificates vulnerable. The future problem is that quantum decryption will make all certificates and everything else using RSA encryption vulnerable to everyone.

https://www.securityweek.com/heartbleed-is-10-years-old-farewell-heartbleed-hello-quantumbleed/


From OneNote to RansomNote: An Ice Cold Intrusion

In late February 2023, threat actors rode a wave of initial access using Microsoft OneNote files. In this case, we observed a threat actor deliver IcedID using this method. After loading IcedID and establishing persistence, there were no further actions, other than beaconing for over 30 days. The threat actor used Cobalt Strike and AnyDesk to target a file server and a backup server. The threat actor used FileZilla to exfiltrate data from the network before deploying Nokoyawa ransomware.

https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/


Adversaries are leveraging remote access tools now more than ever - here-s how to stop them

While there are many legitimate uses for this software, adversaries are also finding ways to use them for command and control in their campaigns.

https://blog.talosintelligence.com/adversaries-are-leveraging-remote-access-tools/


Earth Freybug Uses UNAPIMON for Unhooking Critical APIs

This article provides an in-depth look into two techniques used by Earth Freybug actors: dynamic-link library (DLL) hijacking and application programming interface (API) unhooking to prevent child processes from being monitored via a new malware we-ve discovered and dubbed UNAPIMON.

https://www.trendmicro.com/en_us/research/24/d/earth-freybug.html

Vulnerabilities

Update #1: Kritische Sicherheitslücke/Hintertüre in xz-utils (CVE-2024-3094)

In den Versionen 5.6.0 und 5.6.1 der weit verbreiteten Bibliothek xz-utils wurde eine Hintertür entdeckt. xz-utils wird häufig zur Komprimierung von Softwarepaketen, Kernel-Images und initramfs-Images verwendet. Die Lücke ermöglicht es nicht authentifizierten Angreifer:innen, die sshd-Authentifizierung auf verwundbaren Systemen zu umgehen und unauthorisierten Zugriff auf das gesamte System zu erlangen. Aktuell liegen uns keine Informationen über eine aktive Ausnutzung vor.

https://cert.at/de/warnungen/2024/3/kritische-sicherheitslucke-in-fedora-41-und-fedora-rawhide-bibliothek-xz


Security updates for Monday

Security updates have been issued by Arch Linux (xz), Debian (libvirt, mediawiki, util-linux, and xz-utils), Fedora (apache-commons-configuration, cockpit, ghc-base64, ghc-hakyll, ghc-isocline, ghc-toml-parser, gitit, gnutls, pandoc, pandoc-cli, patat, podman-tui, prometheus-podman-exporter, seamonkey, suricata, and xen), Gentoo (XZ utils), Mageia (aide & mhash, emacs, microcode, opensc, and squid), Red Hat (ruby:3.1), and SUSE (kanidm and qpid-proton).

https://lwn.net/Articles/967851/


Security updates for Tuesday

Security updates have been issued by Fedora (kernel and webkitgtk), Mageia (unixODBC and w3m), and SUSE (libvirt, netty, netty-tcnative, and perl-DBD-SQLite).

https://lwn.net/Articles/967959/


Security Flaw in WP-Members Plugin Leads to Script Injection

A cross-site scripting vulnerability in the WP-Members Membership plugin could allow attackers to inject scripts into user profile pages.

https://www.securityweek.com/security-flaw-in-wp-members-plugin-leads-to-script-injection/


Bitdefender hat hochriskante Sicherheitslücke abgedichtet

Durch eine Sicherheitslücke konnten Angreifer auf Rechnern mit Bitdefender-Virenschutz ihre Rechte ausweiten. Die Lücke wurde geschlossen.

https://heise.de/-9672841


IBM Security Bulletins

https://www.ibm.com/support/pages/bulletin/


F5: K000139092 : DNS vulnerability CVE-2023-50387

https://my.f5.com/manage/s/article/K000139092