End-of-Day report
Timeframe: Friday 29-03-2024 18:00 - Tuesday 02-04-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
News
State-sponsored "development" of open-source software
Anyone looking for a short summary of the events surrounding the (most likely) backdoor in xz, CVE-2024-3094, should take a look at this graphic created by security researcher Thomas Roccia. It summarises the most important details, which are examined in considerably more depth in the following paragraphs. Alternatively, this blog post could have had a much snappier title - "CVE-2024-3094" - because that is what this post is about.
https://cert.at/de/blog/2024/4/staatlich-gesponserte-entwicklung-quelloffener-software
The amazingly scary xz sshd backdoor, (Mon, Apr 1st)
The whole story around this is both fascinating and scary - and I'm sure will be told around numerous times, so in this diary I will put some technical things about the backdoor that I reversed for quite some time (and I have a feeling I could spend 2 more weeks on this). [..] Let's take a look at a couple of fascinating things in this backdoor.
https://isc.sans.edu/diary/rss/30802
On Cybersecurity Alert Levels
Last week I was invited to provide input to a tabletop exercise for city-level crisis managers on cyber security risks and the role of CSIRTs. The organizers brought a color-coded threat-level sheet (based on the CISA Alert Levels) to the discussion and asked whether we also do color-coded alerts in Austria and what I think of these systems. My answer was negative on both questions, and I think it might be useful if I explain my rationale here.
https://cert.at/en/blog/2024/4/on-cybersecurity-alert-levels
Heartbleed is 10 Years Old - Farewell Heartbleed, Hello QuantumBleed!
Heartbleed made most certificates vulnerable. The future problem is that quantum decryption will make all certificates and everything else using RSA encryption vulnerable to everyone.
https://www.securityweek.com/heartbleed-is-10-years-old-farewell-heartbleed-hello-quantumbleed/
From OneNote to RansomNote: An Ice Cold Intrusion
In late February 2023, threat actors rode a wave of initial access using Microsoft OneNote files. In this case, we observed a threat actor deliver IcedID using this method. After loading IcedID and establishing persistence, there were no further actions, other than beaconing for over 30 days. The threat actor used Cobalt Strike and AnyDesk to target a file server and a backup server. The threat actor used FileZilla to exfiltrate data from the network before deploying Nokoyawa ransomware.
https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold-intrusion/
Adversaries are leveraging remote access tools now more than ever - here's how to stop them
While there are many legitimate uses for this software, adversaries are also finding ways to use them for command and control in their campaigns.
https://blog.talosintelligence.com/adversaries-are-leveraging-remote-access-tools/
Earth Freybug Uses UNAPIMON for Unhooking Critical APIs
This article provides an in-depth look into two techniques used by Earth Freybug actors: dynamic-link library (DLL) hijacking and application programming interface (API) unhooking to prevent child processes from being monitored via a new malware we've discovered and dubbed UNAPIMON.
https://www.trendmicro.com/en_us/research/24/d/earth-freybug.html
Vulnerabilities
Update #1: Critical security vulnerability/backdoor in xz-utils (CVE-2024-3094)
A backdoor has been discovered in versions 5.6.0 and 5.6.1 of the widely used xz-utils library. xz-utils is frequently used to compress software packages, kernel images and initramfs images. The vulnerability allows unauthenticated attackers to bypass sshd authentication on vulnerable systems and gain unauthorised access to the entire system. We currently have no information about active exploitation.
https://cert.at/de/warnungen/2024/3/kritische-sicherheitslucke-in-fedora-41-und-fedora-rawhide-bibliothek-xz
Security updates for Monday
Security updates have been issued by Arch Linux (xz), Debian (libvirt, mediawiki, util-linux, and xz-utils), Fedora (apache-commons-configuration, cockpit, ghc-base64, ghc-hakyll, ghc-isocline, ghc-toml-parser, gitit, gnutls, pandoc, pandoc-cli, patat, podman-tui, prometheus-podman-exporter, seamonkey, suricata, and xen), Gentoo (XZ utils), Mageia (aide & mhash, emacs, microcode, opensc, and squid), Red Hat (ruby:3.1), and SUSE (kanidm and qpid-proton).
https://lwn.net/Articles/967851/
Security updates for Tuesday
Security updates have been issued by Fedora (kernel and webkitgtk), Mageia (unixODBC and w3m), and SUSE (libvirt, netty, netty-tcnative, and perl-DBD-SQLite).
https://lwn.net/Articles/967959/
Security Flaw in WP-Members Plugin Leads to Script Injection
A cross-site scripting vulnerability in the WP-Members Membership plugin could allow attackers to inject scripts into user profile pages.
https://www.securityweek.com/security-flaw-in-wp-members-plugin-leads-to-script-injection/
Bitdefender has patched a high-risk security vulnerability
A security vulnerability allowed attackers to escalate their privileges on machines running Bitdefender antivirus. The vulnerability has been closed.
https://heise.de/-9672841
IBM Security Bulletins
https://www.ibm.com/support/pages/bulletin/
F5: K000139092 : DNS vulnerability CVE-2023-50387
https://my.f5.com/manage/s/article/K000139092