Daily summary - 06.03.2024

End-of-Day report

Timeframe: Tuesday 05-03-2024 18:00 - Wednesday 06-03-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer

News

Why Your Firewall Will Kill You, (Tue, Mar 5th)

The last few years have been great for attackers exploiting basic web application vulnerabilities. Usually, home and small business products from companies like Linksys, D-Link, and Ubiquiti are known to be favorite targets. But over the last couple of years, enterprise products from companies like Ivanti, FortiGate, SonicWall, and Citrix (among others) have become easy to exploit targets. The high value of the networks protected by these "solutions" has made them favorites for ransomware attackers.

https://isc.sans.edu/diary/rss/30714

Scanning and abusing the QUIC protocol, (Wed, Mar 6th)

The QUIC protocol has slowly (pun intended) crawled into our browsers and many other protocols. Last week, at BSides Zagreb I presented some research I did about applications using (and abusing) this protocol, so it made sense to put this into one diary.

https://isc.sans.edu/diary/rss/30720

Living off the land with native SSH and split tunnelling

Lately I was involved in an assumed compromise project where stealth and simplicity were required, reducing the opportunity to use a sophisticated C2 infrastructure. We did note that the built-in Windows SSH client could make this simpler for us. [..] Windows native SSH can be a convenient attack path IF an organisation doesn't have the ability to block and monitor the forwarded internal traffic. [..] The obvious route is to restrict access to the SSH command for all users who don't have a business need, or to uninstall it from your default Windows build and use something like PuTTY instead.

https://www.pentestpartners.com/security-blog/living-off-the-land-with-native-ssh-and-split-tunnelling/

Pyramid scheme alert at DCPTG.com!

Watchlist Internet is currently receiving an increasing number of reports about a Ponzi or pyramid scheme called dcptg.com. According to user reports, it promises completely unrealistic and risk-free returns of 2 to 5 percent of the invested capital per day. In addition, new people must constantly be recruited in order to keep participating in the scheme over the long term. Beware: DCPTG.com is fraudulent!

https://www.watchlist-internet.at/news/schneeballsystem-alarm-bei-dctpgcom/

Fake prize draw in the name of Tiergarten Schönbrunn

A fraudulent prize draw is currently being spread on Facebook via a fake profile of Tiergarten Schönbrunn. The Facebook page "Tiergarten Wien" is supposedly giving away 4 admission tickets. You only have to pay the shipping fees for the tickets. Beware: you are walking into a subscription trap and handing your personal data over to criminals.

https://www.watchlist-internet.at/news/fake-gewinnspiel-im-namen-vom-tiergarten-schoenbrunn/

Whoops! ACEMAGIC ships mini PCs with free bonus pre-installed malware

Chinese mini PC manufacturer ACEMAGIC has made life a bit more interesting for its customers, by admitting that it has also been throwing in free malware with its products.

https://grahamcluley.com/whoops-acemagic-ships-mini-pcs-with-free-bonus-pre-installed-malware/

Data Exfiltration: Increasing Number of Tools Leveraged by Ransomware Attackers

Ransomware actors are deploying a growing array of data-exfiltration tools in their attacks and, over the past three months alone, Symantec has found attackers using at least a dozen different tools capable of data exfiltration. While some exfiltration tools are malware, the vast majority are dual-use - legitimate software used by the attackers for malicious purposes.

https://symantec-enterprise-blogs.security.com/threat-intelligence/ransomware-data-exfiltration

Badgerboard: A PLC backplane network visibility module

Analysis of the traffic between networked devices has been of interest ever since devices could communicate with one another. As the complexity of networks grew, dedicated traffic analysis tools became ever more useful. Major advancements have been made over the years with tools like Snort or Wireshark, but these tools are only useful when accurate information is provided to them. By only sending a subset of the information being passed across a network to monitoring tools, analysts will be provided with an incomplete picture of the state of their network.

https://blog.talosintelligence.com/badgerboard-research/

Coper / Octo - A Conductor for Mobile Mayhem... With Eight Limbs?

In this blog post, we will detail our analysis and understanding of the Coper/Octo Android malware, examining the malware's continued development, as well as providing insights into attack patterns, infrastructure utilization and management, and hunting tips.

https://www.team-cymru.com/post/coper-octo-a-conductor-for-mobile-mayhem-with-eight-limbs

New Linux Malware Alert: "Spinning YARN" Hits Docker, Other Key Apps

According to Cado Security's research shared with Hackread.com ahead of publication on Wednesday, Spinning Yarn is a malicious campaign that exploits weaknesses in popular Linux software used by businesses across various sectors.

https://www.hackread.com/new-linux-malware-alert-spinning-yarn-docker-apps/

Fritz.box: Domain taken out of circulation

In January, unknown parties secured the domain fritz.box. But the confusion did not last long. The address has now been taken out of circulation.

https://heise.de/-9647776

Vulnerabilities

Cisco Security Advisories 2024-02-28

Security Impact Rating: 2x High, 5x Medium

https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs=1&firstPublishedStartDate=2024%2F03%2F06&firstPublishedEndDate=2024%2F03%2F06&pageNum=1&isRenderingBugList=false

VMSA-2024-0006

VMware ESXi, Workstation, and Fusion contain a use-after-free vulnerability in the XHCI USB controller. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.3 for Workstation/Fusion and in the Important severity range with a maximum CVSSv3 base score of 8.4 for ESXi. [..] A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host. On ESXi, the exploitation is contained within the VMX sandbox whereas, on Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed.

https://www.vmware.com/security/advisories/VMSA-2024-0006.html

Security updates for Wednesday

Security updates have been issued by Debian (libapache2-mod-auth-openidc, libuv1, php-phpseclib, and phpseclib), Red Hat (buildah, cups, curl, device-mapper-multipath, emacs, fence-agents, frr, fwupd, gmp, gnutls, golang, haproxy, keylime, libfastjson, libmicrohttpd, linux-firmware, mysql, openssh, rear, skopeo, sqlite, squid, systemd, and tomcat), Slackware (mozilla), SUSE (kernel-firmware-nvidia-gspx-G06, nvidia-open-driver-G06-signed, postgresql-jdbc, python, python-cryptography, rubygem-rack, wpa_supplicant, and xmlgraphics-batik), and Ubuntu (c-ares, firefox, libde265, libgit2, and ruby-image-processing).

https://lwn.net/Articles/964559/

CISA Adds Two Known Exploited Vulnerabilities to Catalog

CVE-2024-23225 / CVE-2024-23296 Apple iOS and iPadOS Memory Corruption Vulnerability

https://www.cisa.gov/news-events/alerts/2024/03/06/cisa-adds-two-known-exploited-vulnerabilities-catalog

Foxit: Security updates available in Foxit PDF Reader 2024.1 and Foxit PDF Editor 2024.1

https://www.foxit.com/de/support/security-bulletins.html

IBM Security Bulletins

https://www.ibm.com/support/pages/bulletin/

Bosch: Git for Windows Multiple Security Vulnerabilities in Bosch DIVAR IP all-in-one Devices

https://psirt.bosch.com/security-advisories/bosch-sa-637386-bt.html

Bosch: Multiple OpenSSL vulnerabilities in BVMS

https://psirt.bosch.com/security-advisories/bosch-sa-090577-bt.html

F5: K000138827 : OpenSSH vulnerability CVE-2023-51385

https://my.f5.com/manage/s/article/K000138827

iOS 17.4 and iOS 16.7.6: Important security-critical bug fixes

https://heise.de/-9647164