Tageszusammenfassung - 31.01.2024

End-of-Day report

Timeframe: Dienstag 30-01-2024 18:00 - Mittwoch 31-01-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer

News

Debian, Ubuntu und mehr: glibc-Schwachstelle ermöglicht Root-Zugriff unter Linux

Darüber hinaus wurden weitere Schwachstellen in der Gnu-C-Bibliothek aufgedeckt. Eine davon existiert wohl schon seit über 30 Jahren.

https://www.golem.de/news/debian-ubuntu-und-mehr-glibc-schwachstelle-ermoeglicht-root-zugriff-unter-linux-2401-181724.html

Tracking 15 Years of Qakbot Development

Qakbot (aka QBot or Pinkslipbot) is a malware trojan that has been used to operate one of the oldest and longest running cybercriminal enterprises. Qakbot has evolved from a banking trojan to a malware implant that can be used for lateral movement and the eventual deployment of ransomware. In August 2023, the Qakbot infrastructure was dismantled by law enforcement. However, just several months later in December 2023, the fifth (and latest) version of Qakbot was released, [...]

https://www.zscaler.com/blogs/security-research/tracking-15-years-qakbot-development

Ransomware: Online-Tool entschlüsselt unter Umständen BlackCat & Co.

Stimmen die Voraussetzungen, können Ransomwareopfer auf einer Website Daten entschlüsseln, ohne Lösegeld zu zahlen.

https://www.heise.de/-9614278.html

A zero-day vulnerability (and PoC) to blind defenses relying on Windows event logs

A zero-day vulnerability that, when triggered, could crash the Windows Event Log service on all supported (and some legacy) versions of Windows could spell trouble for enterprise defenders. Discovered by a security researcher named Florian and reported to Microsoft, the vulnerability is yet to be patched. In the meantime, the researcher has gotten the go-ahead from the company to publish a PoC exploit.

https://www.helpnetsecurity.com/2024/01/31/windows-event-log-vulnerability/

Cutting Edge: Suspected APT Targets Ivanti Connect Secure VPN in New Zero-Day Exploitation

Update (Jan. 31): We released a follow-up blog post containing additional details from our investigations into this threat, along with more recommendations for defenders. Note: This is a developing campaign under active analysis by Mandiant and Ivanti. We will continue to add more indicators, detections, and information to this blog post as needed.

https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day

CISA and FBI Release Secure by Design Alert Urging Manufacturers to Eliminate Defects in SOHO Routers

Today, CISA and the Federal Bureau of Investigation (FBI) published guidance on Security Design Improvements for SOHO Device Manufacturers as a part of the new Secure by Design (SbD) Alert series that focuses on how manufacturers should shift the burden of security away from customers by integrating security into product design and development.

https://www.cisa.gov/news-events/alerts/2024/01/31/cisa-and-fbi-release-secure-design-alert-urging-manufacturers-eliminate-defects-soho-routers

Vulnerabilities

Security updates for Wednesday

Security updates have been issued by Debian (bind9 and glibc), Fedora (ncurses), Gentoo (containerd, libaom, and xorg-server, xwayland), Mageia (python-pillow and zlib), Oracle (grub2 and tomcat), Red Hat (avahi, c-ares, container-tools:3.0, curl, firefox, frr, kernel, kernel-rt, kpatch-patch, libfastjson, libmicrohttpd, linux-firmware, oniguruma, openssh, perl-HTTP-Tiny, python-pip, python-urllib3, python3, rpm, samba, sqlite, tcpdump, thunderbird, tigervnc, and virt:rhel and virt-devel:rhel modules), SUSE (python-Pillow, slurm, slurm_20_02, slurm_20_11, slurm_22_05, slurm_23_02, and xen), and Ubuntu (libde265, linux-nvidia, mysql-8.0, openldap, pillow, postfix, and xorg-server, xwayland).

https://lwn.net/Articles/960248/

Mattermost security updates 9.4.2 / 9.3.1 / 9.2.5 / 8.1.9 (ESR) released

We-re informing you about a Mattermost security update, which addresses low- to medium-level severity vulnerabilities. We highly recommend that you apply the update.

https://mattermost.com/blog/mattermost-security-updates-9-4-2-9-3-1-9-2-5-8-1-9-esr-released/

CISA ICS Advisories

- Hitron Systems Security Camera DVR - Rockwell Automation ControlLogix and GuardLogix - Rockwell Automation FactoryTalk Service Platform - Rockwell Automation LP30/40/50 and BM40 Operator Interface

https://www.cisa.gov/news-events/cybersecurity-advisories?f%5B0%5D=advisory_type%3A95&f%5B1%5D=release_date_year%3A2024

CISA Adds One Known Exploited Vulnerability to Catalog

CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2022-48618 Apple Multiple Products Improper Authentication Vulnerability

https://www.cisa.gov/news-events/alerts/2024/01/31/cisa-adds-one-known-exploited-vulnerability-catalog

Security Advisory Report - OBSO-2401-03

A Command injection vulnerability has been identified in the MyPortal@Work application of Atos OpenScape Business which, if successfully exploited, could allow a malicious actor to execute arbitrary scripts on a client machine. The severity is rated high. Customers are advised to update the systems with the available fix release.

https://networks.unify.com/security/advisories/OBSO-2401-03.pdf

IBM Security Bulletins

https://www.ibm.com/support/pages/bulletin/

Google Chrome: Update schließt vier Sicherheitslücken

https://www.heise.de/-9613823.html

SVD-2024-0112: Third-Party Package Updates in Splunk Add-on Builder - January 2024

https://advisory.splunk.com//advisories/SVD-2024-0112

SVD-2024-0111: Sensitive Information Disclosure to Internal Log Files in Splunk Add-on Builder

https://advisory.splunk.com//advisories/SVD-2024-0111

SVD-2024-0110: Session Token Disclosure to Internal Log Files in Splunk Add-on Builder

https://advisory.splunk.com//advisories/SVD-2024-0110

The WordPress 6.4.3 Security Update - What You Need to Know

https://www.wordfence.com/blog/2024/01/the-wordpress-6-4-3-security-update-what-you-need-to-know/

Tor Code Audit Finds 17 Vulnerabilities

https://www.securityweek.com/tor-code-audit-finds-17-vulnerabilities/

Update #5: Kritische Sicherheitslücken in Ivanti Connect Secure und Ivanti Policy Secure - aktiv ausgenützt - Patches verfügbar

https://cert.at/de/warnungen/2024/1/kritische-sicherheitslucken-in-ivanti-connect-secure-und-ivanti-policy-secure-aktiv-ausgenutzt

List of Security Fixes and Improvements in Veeam Backup for Nutanix AHV

https://www.veeam.com/kb4236