Daily Summary - 23.01.2024

End-of-Day report

Timeframe: Monday 22-01-2024 18:00 - Tuesday 23-01-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Thomas Pribitzer

News

MavenGate Attack Could Let Hackers Hijack Java and Android via Abandoned Libraries

Several public and popular libraries abandoned but still used in Java and Android applications have been found susceptible to a new software supply chain attack method called MavenGate.

https://thehackernews.com/2024/01/hackers-hijack-popular-java-and-android.html
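MavenGate, as described in the linked article, abuses the fact that Maven groupIds are reverse-DNS names: when the domain behind a groupId lapses, whoever registers it can claim the namespace. The following script is an added example, not code from the article or from the MavenGate researchers. It parses a constructed pom.xml, derives the registrable domain from each groupId and flags dependencies whose domain no longer resolves; the groupIds, the hosted-namespace prefixes and the domain-derivation rule are assumptions made for the illustration.

```python
"""Flag Maven dependencies whose groupId maps to a domain that no longer
resolves (first-pass check against MavenGate-style namespace takeover).
Added example, not from the linked article; the pom.xml below is constructed
and the resolver is injectable so the check can run offline."""
from __future__ import annotations

import re
import socket
import xml.etree.ElementTree as ET
from typing import Callable, Optional

# Constructed sample pom.xml (hypothetical groupIds, not real projects).
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-lang3</artifactId>
      <version>3.14.0</version>
    </dependency>
    <dependency>
      <groupId>com.abandonedvendor.util</groupId>
      <artifactId>util-core</artifactId>
      <version>1.2.0</version>
    </dependency>
    <dependency>
      <groupId>io.github.someuser</groupId>
      <artifactId>tool</artifactId>
      <version>0.1</version>
    </dependency>
  </dependencies>
</project>
"""

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Assumption: groupIds under these hosting namespaces are verified through
# the hosting platform's account, not a registrable domain, so a domain
# lookup does not apply to them.
HOSTED_PREFIXES = ("io.github.", "com.github.", "io.gitlab.", "org.bitbucket.")


def group_ids(pom_xml: str) -> list[str]:
    """Return every <groupId> declared under <dependencies>."""
    root = ET.fromstring(pom_xml)
    return [g.text.strip() for g in root.findall(".//m:dependency/m:groupId", NS) if g.text]


def group_id_to_domain(group_id: str) -> Optional[str]:
    """Turn a reverse-DNS groupId into its registrable domain:
    com.example.lib -> example.com. Returns None for hosted namespaces
    or groupIds that are not valid DNS labels."""
    if group_id.startswith(HOSTED_PREFIXES):
        return None
    labels = group_id.lower().split(".")
    if len(labels) < 2 or not all(re.fullmatch(r"[a-z0-9-]+", lab) for lab in labels):
        return None
    # Assumption: TLD plus one label is the registrable domain. This is
    # approximate for ccTLD second-level registries such as co.uk.
    return f"{labels[1]}.{labels[0]}"


def dns_resolves(domain: str) -> bool:
    """Live resolver; a domain with no A/AAAA record is worth a closer look."""
    try:
        socket.getaddrinfo(domain, None)
        return True
    except socket.gaierror:
        return False


def suspicious_group_ids(pom_xml: str,
                         resolves: Callable[[str], bool] = dns_resolves) -> list[tuple[str, str]]:
    """Return (groupId, domain) pairs whose domain does not resolve."""
    flagged = []
    for gid in group_ids(pom_xml):
        domain = group_id_to_domain(gid)
        if domain is not None and not resolves(domain):
            flagged.append((gid, domain))
    return flagged


if __name__ == "__main__":
    for gid, dom in suspicious_group_ids(SAMPLE_POM):
        print(f"{gid}: {dom} does not resolve; verify registration and ownership")
```

A domain that fails to resolve is only a cheap first signal: the authoritative check is the registrar's RDAP/WHOIS data, and a domain that does resolve may already have been re-registered by someone else, so compare the current registrant against the one from when the library was last published.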

Cactus Ransomware malware analysis

On January 20th the Cactus ransomware group attacked a number of victims across varying industries. The attacks were disclosed on their leak site with the accompanying victim data.

https://www.shadowstackre.com/analysis/cactus

Beware of Peek & Cloppenburg fake shops

Fake offers from the fashion retailer "Peek & Cloppenburg" are being advertised on Facebook and Instagram. The fake ads promise discounts of up to 90%. Clicking on the ad leads to a fraudulent shop with a plausible-looking web address: peek-cloppenburgsale.shop.

https://www.watchlist-internet.at/news/vorsicht-vor-peek-cloppenburg-fake-shops/

Threat Assessment: BianLian

We analyze the extremely active ransomware group BianLian. Mostly targeting healthcare, they have moved from double-extortion to extortion without encryption.

https://unit42.paloaltonetworks.com/bianlian-ransomware-group-threat-assessment/

Conditional QR Code Routing Attacks

Over the summer, we saw a somewhat unexpected rise in QR-code based phishing attacks. These attacks were all fairly similar. The main goal was to induce the end-user to scan the QR Code, where they would be redirected to a credential harvesting page.

https://blog.checkpoint.com/harmony-email/conditional-qr-code-routing-attacks/

Lazarus Group Uses the DLL Side-Loading Technique (2)

In the earlier blog post "Lazarus Group Uses the DLL Side-Loading Technique" [1], AhnLab SEcurity intelligence Center (ASEC) covered how the Lazarus group used DLL side-loading with legitimate applications in the initial access stage to proceed to the next stage of its attack chain.

https://asec.ahnlab.com/en/60792/

Kasseika Ransomware Deploys BYOVD Attacks, Abuses PsExec and Exploits Martini Driver

In this blog, we detail our investigation of the Kasseika ransomware and the indicators we found suggesting that the actors behind it have acquired access to the source code of the notorious BlackMatter ransomware.

https://www.trendmicro.com/en_us/research/24/a/kasseika-ransomware-deploys-byovd-attacks-abuses-psexec-and-expl.html

Vulnerabilities

Fortra warns of new critical GoAnywhere MFT auth bypass, patch now

Fortra is warning of a new authentication bypass vulnerability impacting GoAnywhere MFT (Managed File Transfer) versions before 7.4.1 that allows an attacker to create a new admin user.

https://www.bleepingcomputer.com/news/security/fortra-warns-of-new-critical-goanywhere-mft-auth-bypass-patch-now/

Exploiting 0-click Android Bluetooth vulnerability to inject keystrokes without pairing

Recently discovered critical vulnerabilities (CVE-2023-45866, CVE-2024-21306) in Bluetooth stacks can be exploited to inject keystrokes without user confirmation, because the vulnerable device accepts a pairing request from an attacker-controlled keyboard without asking the user.

https://www.mobile-hacker.com/2024/01/23/exploiting-0-click-android-bluetooth-vulnerability-to-inject-keystrokes-without-pairing/

Security fixes: Apple updates older systems and admits zero-days

Besides macOS 14.3 and iOS 17.3, Apple has also released new versions of iOS 15 and 16, macOS 12 and 13, and Safari. Another zero-day exploit was involved.

https://www.heise.de/news/Sicherheitsfixes-Apple-aktualisiert-aeltere-Systeme-und-raeumt-Zero-Days-ein-9605294.html

Configuration push can undo the workaround protecting Ivanti ICS

So far, admins can only protect Ivanti Connect Secure and Policy Secure against the ongoing attacks with a workaround. It does not always work, however.

https://www.heise.de/news/Konfigurationsuebertragung-kann-Behelfsloesung-zum-Schutz-von-Ivanti-ICS-aufheben-9605922.html

Barracuda WAF: Critical security vulnerabilities allow the protection to be bypassed

Barracuda has published a security advisory for its Web Application Firewall. The vulnerabilities allow the protection to be bypassed.

https://www.heise.de/news/Barracuda-WAF-Kritische-Sicherherheitsluecken-ermoeglichen-Umgehung-des-Schutzes-9606036.html

Security updates for Tuesday

Security updates have been issued by Debian (kodi and squid), Fedora (ansible-core, java-latest-openjdk, mingw-python-jinja2, openssh, and pgadmin4), Gentoo (Apache XML-RPC), Red Hat (gnutls and xorg-x11-server), Slackware (postfix), SUSE (bluez and openssl-3), and Ubuntu (gnutls28, libssh, and squid).

https://lwn.net/Articles/959127/

Splunk Security Advisories 2024-01-22

https://advisory.splunk.com//advisories

IBM Security Bulletins

https://www.ibm.com/support/pages/bulletin/

XSA-448

https://xenbits.xen.org/xsa/advisory-448.html

Security Vulnerabilities fixed in Thunderbird 115.7

https://www.mozilla.org/en-US/security/advisories/mfsa2024-04/

Security Vulnerabilities fixed in Firefox ESR 115.7

https://www.mozilla.org/en-US/security/advisories/mfsa2024-02/

Security Vulnerabilities fixed in Firefox 122

https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/

TRUMPF: Oseon contains vulnerable version of OpenSSL 1.1.x

https://cert.vde.com/de/advisories/VDE-2024-006/

TRUMPF: Multiple products include a vulnerable version of Notepad++

https://cert.vde.com/de/advisories/VDE-2024-003/

TRUMPF: Multiple products contain vulnerable version of 7-zip

https://cert.vde.com/de/advisories/VDE-2024-005/

Citrix Hypervisor Security Bulletin for CVE-2023-46838

https://support.citrix.com/article/CTX587605/citrix-hypervisor-security-bulletin-for-cve202346838

Crestron AM-300

https://www.cisa.gov/news-events/ics-advisories/icsa-24-023-02

Lantronix XPort

https://www.cisa.gov/news-events/ics-advisories/icsa-24-023-05

Voltronic Power ViewPower Pro

https://www.cisa.gov/news-events/ics-advisories/icsa-24-023-03

Orthanc Osimis DICOM Web Viewer

https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-023-01

APsystems Energy Communication Unit (ECU-C) Power Control Software

https://www.cisa.gov/news-events/ics-advisories/icsa-24-023-01

Westermo Lynx 206-F2G

https://www.cisa.gov/news-events/ics-advisories/icsa-24-023-04