Tageszusammenfassung - 02.05.2024

End-of-Day report

Timeframe: Dienstag 30-04-2024 18:00 - Donnerstag 02-05-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a

News

CVD - Notizen zur Pressekonferenz

Ich wurde eingeladen, heute bei einer Pressekonferenz von Epicenter.works am Podium zu sitzen. Es ging um einen Fall, bei dem es im Zuge einer klassischen verantwortungsvollen Offenlegung einer Schwachstelle (Responsible Disclosure, bzw Coordinated Vulnerability Disclosure [CVD]) zu einer Anzeige gekommen ist. Nachzulesen ist der Fall auf der Epicenter Webseite. Ich will hier kurz meine Notizen / Speaking Notes zusammenfassen.

https://cert.at/de/blog/2024/4/cvd-policy


CISA warnt: MS Smartscreen- und Gitlab-Sicherheitslücke werden angegriffen

Die US-Cybersicherheitsbehörde CISA hat Angriffe auf eine Lücke im Microsoft Smartscreen und auf eine Gitlab-Schwachstelle gesichtet.

https://heise.de/-9705715


Digitale Signatur: Datenleak bei Dropbox Sign

Unbekannte Angreifer konnten auf Kundendaten des digitalen Signaturservices Dropbox Sign zugreifen. Andere Dropbox-Produkte sollen nicht betroffen sein.

https://heise.de/-9705355


Windows 10/11/Server 2022: Kein Fix für den Installationsfehler 0x80070643 beim WinRE-Update mehr

Seit Januar 2024 kämpfen Nutzer von Windows 10 und Windows 11 (sowie Windows Server 2022) mit dem Versuch Microsofts, ein Update der WinRE-Umgebung zu installieren. Im Januar 2024 ließen zahlreiche Nutzer im Umfeld des Patchday beim Versuch, das Update KB5034441 zu installieren, in den Installationsfehler 0x80070643. Trotz mehrerer Versuche zur Nachbesserung in den Folgemonaten ist es Microsoft nicht gelungen, den Installationsfehler zu beseitigen. Nun kommt das Eingeständnis, dass es keinen automatischen Fix für das Update gibt - es ist Handarbeit angesagt.

https://www.borncity.com/blog/2024/05/02/windows-10-11-kein-fix-fr-den-installationsfehler-0x80070643-beim-winre-update/


-Dirty stream- attack: Discovering and mitigating a common vulnerability pattern in Android apps

Microsoft discovered a vulnerability pattern in multiple popular Android applications that could enable a malicious application to overwrite files in the vulnerable application-s internal data storage directory, which could lead to arbitrary code execution and token theft, among other impacts. We have shared our findings with Google-s Android Application Security Research team, as well as the developers of apps found vulnerable to this issue.

https://www.microsoft.com/en-us/security/blog/2024/05/01/dirty-stream-attack-discovering-and-mitigating-a-common-vulnerability-pattern-in-android-apps/


Another Day, Another NAS: Attacks against Zyxel NAS326 devices CVE-2023-4473, CVE-2023-4474, (Tue, Apr 30th)

Yesterday, I talked about attacks against a relatively recent D-Link NAS vulnerability. Today, scanning my honeypot logs, I found an odd URL that I didn't recognize. The vulnerability is a bit older but turns out to be targeting yet another NAS. [..] Based on our logs, only one IP address exploits the vulnerability: %%ip: 89.190.156.248%%.

https://isc.sans.edu/diary/rss/30884


Android Malware Wpeeper Uses Compromised WordPress Sites to Hide C2 Servers

Cybersecurity researchers have discovered a previously undocumented malware targeting Android devices that uses compromised WordPress sites as relays for its actual command-and-control (C2) servers for detection evasion. The malware, codenamed Wpeeper, is an ELF binary that leverages the HTTPS protocol to secure its C2 communications. [..] The ELF binary is embedded within a repackaged application that purports to be the UPtodown App Store app for Android (package name "com.uptodown"), with the APK file acting as a delivery vehicle for the backdoor in a manner that evades detection.

https://thehackernews.com/2024/05/android-malware-wpeeper-uses.html


New Cuttlefish Malware Hijacks Router Connections, Sniffs for Cloud Credentials

A new malware called Cuttlefish is targeting small office and home office (SOHO) routers with the goal of stealthily monitoring all traffic through the devices and gather authentication data from HTTP GET and POST requests. [..] Cuttlefish has been active since at least July 27, 2023, with the latest campaign running from October 2023 through April 2024 and predominantly infecting 600 unique IP addresses associated with two Turkish telecom providers.

https://thehackernews.com/2024/05/new-cuttlefish-malware-hijacks-router.html


Autodesk: Important Security Update for Autodesk Drive

In March, Autodesk was made aware of an incident where an external user published documents to Autodesk Drive containing links to a phishing web site. Our Cyber Threat Management & Response Team immediately responded to this incident, and the malicious files are no longer being hosted on Autodesk Drive. No customers have reported being impacted by this incident.

https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-autodesk-drive


Analysis of TargetCompany-s Attacks Against MS-SQL Servers (Mallox, BlueSky Ransomware)

While monitoring attacks targeting MS-SQL servers, AhnLab SEcurity intelligence Center (ASEC) recently identified cases of the TargetCompany ransomware group installing the Mallox ransomware. The TargetCompany ransomware group primarily targets improperly managed MS-SQL servers to install the Mallox ransomware. While these attacks have been ongoing for several years, here we will outline the correlation between the newly identified malware and previous attack cases involving the distribution of the Tor2Mine CoinMiner and BlueSky ransomware.

https://asec.ahnlab.com/en/64921/


CISA and Partners Release Fact Sheet on Defending OT Operations Against Ongoing Pro-Russia Hacktivist Activity

This fact sheet provides information and mitigations associated with cyber operations conducted by pro-Russia hacktivists who seek to compromise industrial control systems (ICS) and small-scale operational technology (OT) systems in North American and European critical infrastructure sectors, including Water and Wastewater Systems, Dams, Energy, and Food and Agriculture Sectors.

https://www.cisa.gov/news-events/alerts/2024/05/01/cisa-and-partners-release-fact-sheet-defending-ot-operations-against-ongoing-pro-russia-hacktivist

Vulnerabilities

Kritische Sicherheitslücken in ArubaOS - Updates verfügbar

In ArubaOS, dem Betriebssystem vieler Geräte von HPE Aruba Networks, existieren mehrere kritische Sicherheitslücken. Diese ermöglichen unter anderem die Ausführung von beliebigem Code und Denial-of-Service (DoS) Angriffe. CVE-Nummern: CVE-2024-26304, CVE-2024-26305, CVE-2024-33511, CVE-2024-33512, CVE-2024-33513, CVE-2024-33514, CVE-2024-33515, CVE-2024-33516, CVE-2024-33517, CVE-2024-33518 CVSSv3 Scores: bis zu 9.8 (kritisch)

https://cert.at/de/warnungen/2024/5/kritische-sicherheitslucken-in-arubaos-updates-verfugbar


CISCO Talos: Vulnerability Roundup

Peplink Smart Reader, Silicon Labs Gecko Platform, open-source library for DICOM files, Grassroots DICOM library and Foxit PDF Reader.

https://blog.talosintelligence.com/vulnerability-roundup-may-1-2024/


Sonicwall: GMS ECM multiple vulnerabilities

CVE-2024-29010 - GMS ECM Policy XML External Entity Processing Information Disclosure Vulnerability. CVE-2024-29011 - GMS ECM Hard-Coded Credential Authentication Bypass Vulnerability.

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0007


Security updates for Thursday

Security updates have been issued by Debian (chromium and distro-info-data), Fedora (et, php-tcpdf, python-aiohttp, python-openapi-core, thunderbird, tpm2-tools, and tpm2-tss), Red Hat (nodejs:16 and podman), and Ubuntu (firefox).

https://lwn.net/Articles/972186/


Security updates for Wednesday

Security updates have been issued by Debian (nghttp2 and qtbase-opensource-src), Mageia (cjson, freerdp, guava, krb5, libarchive, and mediawiki), Oracle (container-tools:4.0 and container-tools:ol8), Red Hat (bind, buildah, container-tools:3.0, container-tools:rhel8, expat, gnutls, golang, grafana, kernel, kernel-rt, libreswan, libvirt, linux-firmware, mod_http2, pcp, pcs, podman, python-jwcrypto, rhc-worker-script, shadow-utils, skopeo, sssd, tigervnc, unbound, and yajl), SUSE (kernel and python311), and Ubuntu (gerbv and node-json5).

https://lwn.net/Articles/972029/


Critical Vulnerabilities in Judge0 Lead to Sandbox Escape, Host Takeover

Three vulnerabilities in the Judge0 open source service could allow attackers to escape the sandbox and obtain root privileges on the host.

https://www.securityweek.com/critical-vulnerabilities-in-judge0-lead-to-sandbox-escape-host-takeover/


Cisco IP Phone 6800, 7800, and 8800 Series with Multiplatform Firmware Vulnerabilities

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ipphone-multi-vulns-cXAhCvS


F5: K000139430 : Linux kernel vulnerability CVE-2024-1086

https://my.f5.com/manage/s/article/K000139430


Wordfence Intelligence Weekly WordPress Vulnerability Report (April 22, 2024 to April 28, 2024)

https://www.wordfence.com/blog/2024/05/wordfence-intelligence-weekly-wordpress-vulnerability-report-april-22-2024-to-april-28-2024/


ZDI-24-419: (Pwn2Own) Xiaomi Pro 13 GetApps integral-dialog-page Cross-Site Scripting Remote Code Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-24-419/


ZDI-24-418: (Pwn2Own) Xiaomi Pro 13 mimarket manual-upgrade Cross-Site Scripting Remote Code Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-24-418/


IBM Security Bulletins

https://www.ibm.com/support/pages/bulletin/


CyberPower PowerPanel

https://www.cisa.gov/news-events/ics-advisories/icsa-24-123-01


Delta Electronics DIAEnergie

https://www.cisa.gov/news-events/ics-advisories/icsa-24-123-02