Tageszusammenfassung - 18.01.2024

End-of-Day report

Timeframe: Mittwoch 17-01-2024 18:00 - Donnerstag 18-01-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner

News

Missbrauch möglich: Whatsapp lässt fremde Nutzer Geräteinformationen abgreifen

Anhand ihrer Rufnummer lässt sich zum Beispiel feststellen, wie viele Geräte eine Zielperson mit Whatsapp verwendet und wann sie diese wechselt.

https://www.golem.de/news/missbrauch-moeglich-whatsapp-laesst-fremde-nutzer-geraeteinformationen-abgreifen-2401-181313.html

New Microsoft Incident Response guides help security teams analyze suspicious activity

Today Microsoft Incident Response are proud to introduce two one-page guides to help security teams investigate suspicious activity in Microsoft 365 and Microsoft Entra. These guides contain the artifacts that Microsoft Incident Response hunts for and uses daily to provide our customers with evidence of Threat Actor activity in their tenant.

https://www.microsoft.com/en-us/security/blog/2024/01/17/new-microsoft-incident-response-guides-help-security-teams-analyze-suspicious-activity/

More Scans for Ivanti Connect "Secure" VPN. Exploits Public, (Thu, Jan 18th)

Exploits around the Ivanti Connect "Secure" VPN appliance, taking advantage of CVE-2023-46805, continue evolving. Late on Tuesday, more details became public, particularly the blog post by Rapid7 explaining the underlying vulnerability in depth.

https://isc.sans.edu/diary/rss/30568

PixieFail UEFI Flaws Expose Millions of Computers to RCE, DoS, and Data Theft

Multiple security vulnerabilities have been disclosed in the TCP/IP network protocol stack of an open-source reference implementation of the Unified Extensible Firmware Interface (UEFI) specification used widely in modern computers.Collectively dubbed PixieFail by Quarkslab, the nine issues reside in the TianoCore EFI Development Kit II (EDK II) and could be exploited to

https://thehackernews.com/2024/01/pixiefail-uefi-flaws-expose-millions-of.html

MFA Spamming and Fatigue: When Security Measures Go Wrong

MFA spamming refers to the malicious act of inundating a target user's email, phone, or other registered devices with numerous MFA prompts or confirmation codes. The objective behind this tactic is to overwhelm the user with notifications, in the hopes that they will inadvertently approve an unauthorized login. To execute this attack, hackers require the target victim's account credentials (username and password) to initiate the login process and trigger the MFA notifications.

https://thehackernews.com/2024/01/mfa-spamming-and-fatigue-when-security.html

Russian COLDRIVER Hackers Expand Beyond Phishing with Custom Malware

[..] COLDRIVER has been observed evolving its tradecraft to go beyond credential harvesting to deliver its first-ever custom malware written in the Rust programming language.Googles Threat Analysis Group (TAG), which shared details of the latest activity, said the attack chains leverage PDFs as decoy documents to trigger the infection sequence.

https://thehackernews.com/2024/01/russian-coldriver-hackers-expand-beyond.html

Daten aus GPU belauscht: KI-Sicherheitslücke bei Apple Silicon, AMD und Qualcomm

Sicherheitsforscher haben ein Problem in den Grafikkernen älterer iPhones und Macs entdeckt, außerdem bei AMD und Qualcomm. Apple patcht - teilweise.

https://heise.de/-9600829

Exploring malicious Windows drivers (Part 1): Introduction to the kernel and drivers

Malicious drivers are difficult to detect and successfully leveraging one can give an attacker full access to a system.

https://blog.talosintelligence.com/exploring-malicious-windows-drivers-part-1-introduction-to-the-kernel-and-drivers/

Critical vulnerability in ManageEngine could lead to file creation, dozens of other vulnerabilities disclosed by Talos to start 2024

Cisco Talos- Vulnerability Research team has disclosed dozens of vulnerabilities over the past month, including more than 30 advisories in GTKWave and a critical vulnerability in ManageEngine OpManager. Cisco ASIG also recently discovered an information disclosure vulnerability in DuoUniversalKeycloakAuthenticator [..] There are also multiple vulnerabilities in AVideo [..] All the vulnerabilities mentioned in this blog post have been patched by their respective vendors

https://blog.talosintelligence.com/vulnerability-roundup-jan-17-2024/

Vulnerabilities

Drupal core - Moderately critical - Denial of Service - SA-CORE-2024-001

The Comment module allows users to reply to comments. In certain cases, an attacker could make comment reply requests that would trigger a denial of service (DOS). Sites that do not use the Comment module are not affected.

https://www.drupal.org/sa-core-2024-001

MOVEit Transfer: Updates gegen DOS-Lücke

Updates für MOVEit Transfer dichten Sicherheitslecks ab, durch die Angreifer Rechenfehler provozieren oder den Dienst lahmlegen können.

https://heise.de/-9601492

Trend Micro: Sicherheitslücken in Security-Agents ermöglichen Rechteausweitung

Trend Micro warnt vor Sicherheitslücken in den Security-Agents, durch die Angreifer ihre Rechte ausweiten können. Software-Updates stehen bereit.

https://heise.de/-9601595

Nextcloud: Lücken in Apps gefährden Nutzerkonten und Datensicherheit

In mehreren Erweiterungen, etwa zur Lastverteilung, zur Anmeldung per OAuth und ZIP-Download, klaffen Löcher. Updates sind bereits verfügbar.

https://heise.de/-9601589

2024-01 Security Bulletin: Junos OS and Junos OS Evolved: rpd process crash due to BGP flap on NSR-enabled devices (CVE-2024-21585)

An Improper Handling of Exceptional Conditions vulnerability in BGP session processing of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated network-based attacker, using specific timing outside the attacker's control, to flap BGP sessions and cause the routing protocol daemon (rpd) process to crash and restart, leading to a Denial of Service (DoS) condition. Continued BGP session flapping will create a sustained Denial of Service (DoS) condition.

https://supportportal.juniper.net/s/article/2024-01-Security-Bulletin-Junos-OS-and-Junos-OS-Evolved-rpd-process-crash-due-to-BGP-flap-on-NSR-enabled-devices-CVE-2024-21585

2024-01 Security Bulletin: JSA Series: Multiple vulnerabilities resolved

Multiple vulnerabilities have been resolved in Juniper Secure Analytics in 7.5.0 UP7 IF04.

https://supportportal.juniper.net/s/article/2024-01-Security-Bulletin-JSA-Series-Multiple-vulnerabilities-resolved

Oracle Releases Critical Patch Update Advisory for January 2024

Oracle released its Critical Patch Update Advisory for January 2024 to address vulnerabilities in multiple products. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system.

https://www.cisa.gov/news-events/alerts/2024/01/18/oracle-releases-critical-patch-update-advisory-january-2024

Multiple Dahua Technology products vulnerable to authentication bypass

https://jvn.jp/en/jp/JVN83655695/

There is a vulnerability in batik-all-1.15.jar used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2022-44730 and CVE-2022-44729)

https://www.ibm.com/support/pages/node/7107742

IBM Maximo Manage is vulnerable to attack due to Eclipse Jetty ( IBM X-Force ID 261776)

https://www.ibm.com/support/pages/node/7107716

There is a vulnerability in CSRF Token used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2023-47718)

https://www.ibm.com/support/pages/node/7107740

IBM Asset Data Dictionary Component uses bcprov-jdk18on-1.72.jar which is vulnerable to CVE-2023-33201 and CVE-2023-33202

https://www.ibm.com/support/pages/node/7108953

IBM Maximo Application Suite and IBM Maximo Application Suite - IoT Component uses Werkzeug-2.2.3-py3-none-any.whl which is vulnerable to CVE-2023-46136

https://www.ibm.com/support/pages/node/7108960

IBM Asset Data Dictionary Component uses netty-codec-http2-4.1.94, netty-handler-4.1.86 and netty-handler-4.1.92 which is vulnerable to CVE-2023-44487 and CVE-2023-34462

https://www.ibm.com/support/pages/node/7108959

IBM Storage Ceph is vulnerable to Use After Free in the RHEL UBI (CVE-2023-4813)

https://www.ibm.com/support/pages/node/7108974

IBM Storage Ceph is vulnerable to Cross Site Scripting in Grafana (CVE-2022-39324)

https://www.ibm.com/support/pages/node/7108973

AVEVA PI Server

https://www.cisa.gov/news-events/ics-advisories/icsa-24-018-01