Daily summary - 21.02.2024

End-of-Day report

Timeframe: Tuesday 20-02-2024 18:00 - Wednesday 21-02-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer

News

Open Source in Enterprise Environments - Where Are We Now and What Is Our Way Forward?

We have been used to hearing that free and open source software and enterprise environments in Big Business are fundamentally opposed and do not mix well. Is that actually the case, or should we rather explore how business and free software can both benefit going forward?

https://bsdly.blogspot.com/2022/09/open-source-in-enterprise-environments.html

VoltSchemer attacks use wireless chargers to inject voice commands, fry phones

A team of academic researchers shows that a new set of attacks called VoltSchemer can inject voice commands to manipulate a smartphone's voice assistant through the magnetic field emitted by an off-the-shelf wireless charger.

https://www.bleepingcomputer.com/news/security/voltschemer-attacks-use-wireless-chargers-to-inject-voice-commands-fry-phones/

Security: Researchers generate fingerprints from swipe sounds

The method is based on a series of complex algorithms which can ultimately be used to generate a master fingerprint.

https://www.golem.de/news/security-forscher-erzeugen-fingerabdruecke-aus-wischgeraeuschen-2402-182449.html

Phishing pages hosted on archive.org, (Wed, Feb 21st)

The Internet Archive is a well-known and much-admired institution, devoted to creating a "digital library of Internet sites and other cultural artifacts in digital form" [1]. [...] Unfortunately, since it allows for uploading of files by users, it is also used by threat actors to host malicious content from time to time [2,3].

https://isc.sans.edu/diary/rss/30676

Breakdown of Tycoon Phishing-as-a-Service System

Just weeks after Trustwave SpiderLabs reported on the Greatness phishing-as-a-service (PaaS) framework, SpiderLabs' Email Security team is tracking another PaaS called Tycoon Group.

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/breakdown-of-tycoon-phishing-as-a-service-system/

re: Zyxel VPN Series Pre-auth Remote Command Execution

An unauthenticated command injection exploit affecting Zyxel firewalls was published in late January without an associated CVE. The vulnerability turns out to be CVE-2023-33012. The associated disclosure did not mention any caveats to exploitation, but it turns out only an uncommon configuration is affected.

https://vulncheck.com/blog/zyxel-cve-2023-33012

Vibrator virus steals your personal information

One of our customers found their vibrator was buzzing with a hint of malware.

https://www.malwarebytes.com/blog/news/2024/02/vibrator-virus-steals-your-personal-information

Redis Servers Targeted With New "Migo" Malware

Attackers weaken Redis instances to deploy the new Migo malware and install a rootkit and cryptominers.

https://www.securityweek.com/redis-servers-targeted-with-new-migo-malware/

Fake SMS messages about the expiry of the FinanzOnline ID in circulation!

Criminals are currently mass-sending SMS messages in the name of the BMF about the supposed expiry of the FinanzOnline ID or ID Austria. Links in the smishing messages lead to fake FinanzOnline websites on which personal data is harvested. This data can then be used for personalised follow-up scams. Ignore these SMS messages!

https://www.watchlist-internet.at/news/fake-sms-zum-ablauf-der-finanz-online-id-im-umlauf/

Detecting Malicious Actors By Observing Commands in Shell History

Among the myriad techniques and tools at the disposal of cybersecurity experts, one subtle yet powerful method often goes unnoticed: the analysis of shell history to detect malicious actors.

https://orca.security/resources/blog/understand-shell-commands-detect-malicious-behavior/

Practical Vulnerability Archaeology Starring Ivanti's CVE-2021-44529

In 2021, Ivanti patched a vulnerability that they called "code injection". Rumors say it was a backdoor in an open source project. Let's find out what actually happened!

https://www.greynoise.io/blog/practical-vulnerability-archaeology-starring-ivantis-cve-2021-44529

CISA, EPA, and FBI Release Top Cyber Actions for Securing Water Systems

Today, CISA, the Environmental Protection Agency (EPA), and the Federal Bureau of Investigation (FBI) released the joint fact sheet Top Cyber Actions for Securing Water Systems. This fact sheet outlines the following practical actions Water and Wastewater Systems (WWS) Sector entities can take to better protect water systems from malicious cyber activity and provides actionable guidance [...]

https://www.cisa.gov/news-events/alerts/2024/02/21/cisa-epa-and-fbi-release-top-cyber-actions-securing-water-systems

Lucifer DDoS botnet Malware is Targeting Apache Big-Data Stack

Aqua Nautilus has unveiled a new campaign targeting Apache big-data stack, specifically Apache Hadoop and Apache Druid. Upon investigation, it was discovered that the attacker exploits existing misconfigurations and vulnerabilities within our Apache cloud honeypots to execute the attacks.

https://blog.aquasec.com/lucifer-ddos-botnet-malware-is-targeting-apache-big-data-stack

Vulnerabilities

Cisco Unified Intelligence Center Insufficient Access Control Vulnerability

A vulnerability in the Live Data server of Cisco Unified Intelligence Center could allow an unauthenticated, local attacker to read and modify data in a repository that belongs to an internal service on an affected device. This vulnerability is due to insufficient access control implementations on cluster configuration CLI requests. An attacker could exploit this vulnerability by sending a cluster configuration CLI request to specific directories on an affected device.

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cuic-access-control-jJsZQMjj

Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services Information Disclosure Vulnerability

In February 2024, the Cisco Product Security Incident Response Team (PSIRT) became aware of additional attempted exploitation of this vulnerability in the wild. Cisco continues to strongly recommend that customers upgrade to a fixed software release to remediate this vulnerability.

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-info-disclose-9eJtycMB

WS_FTP Server Service Pack (February 2024)

This article contains the details of the specific updates within the WS_FTP Server February 2024 Service Pack. The Service Pack contains a fix for the newly disclosed CVE described below. Progress highly recommends you apply this Service Pack for product updates and security improvements. For Service Pack content, please review the Service Pack Release Notes and this knowledgebase article carefully.

https://community.progress.com/s/article/WS-FTP-Server-Service-Pack-February-2024

Broadcom closes security vulnerabilities in VMware Aria Operations and EAP plug-in

Broadcom is distributing updates for VMware Aria Operations and the EAP browser plug-in. They fix security vulnerabilities, some of them critical.

https://www.heise.de/-9634714.html

Firefox and Thunderbird: New versions deliver security fixes

New versions of Firefox, Firefox ESR and Thunderbird are available. They close security vulnerabilities in the core.

https://www.heise.de/-9634418.html

VMSA-2024-0003

Addressing Arbitrary Authentication Relay and Session Hijack Vulnerabilities in Deprecated VMware Enhanced Authentication Plug-in (EAP) (CVE-2024-22245, CVE-2024-22250)

https://www.vmware.com/security/advisories/VMSA-2024-0003.html

VMSA-2024-0004

VMware Aria Operations updates address local privilege escalation vulnerability. (CVE-2024-22235)

https://www.vmware.com/security/advisories/VMSA-2024-0004.html

Security updates for Wednesday

Security updates have been issued by CentOS (linux-firmware and python-reportlab), Debian (unbound), Fedora (freeglut and syncthing), Red Hat (edk2, go-toolset:rhel8, java-1.8.0-ibm, kernel, kernel-rt, mysql:8.0, oniguruma, and python-pillow), Slackware (libuv and mozilla), SUSE (abseil-cpp, grpc, opencensus-proto, protobuf, python-abseil, python-grpcio, re2, bind, dpdk, firefox, hdf5, libssh, libssh2_org, libxml2, mozilla-nss, openssl-1_1, openvswitch, postgresql12, postgresql13, postgresql14, postgresql15, postgresql16, python-aiohttp, python-time-machine, python-pycryptodomex, runc, and webkit2gtk3), and Ubuntu (kernel, libspf2, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, and linux, linux-aws, linux-kvm, linux-lts-xenial).

https://lwn.net/Articles/963035/

Chrome 122, Firefox 123 Patch High-Severity Vulnerabilities

Google and Mozilla resolve high-severity memory safety vulnerabilities with the latest Chrome and Firefox updates.

https://www.securityweek.com/chrome-122-firefox-123-patch-high-severity-vulnerabilities/

IBM Security Bulletins

https://www.ibm.com/support/pages/bulletin/

K000138649 : GnuTLS vulnerability CVE-2023-5981

https://my.f5.com/manage/s/article/K000138649

K000138650 : cURL vulnerability CVE-2023-46218

https://my.f5.com/manage/s/article/K000138650