[CERT-daily] Tageszusammenfassung - 29.12.2023

Fri Dec 29 18:23:55 CET 2023

=====================
= End-of-Day report =
=====================

Timeframe:   Donnerstag 28-12-2023 18:00 − Freitag 29-12-2023 18:00
Handler:     Thomas Pribitzer
Co-Handler:  Michael Schlagenhaufer

=====================
=       News        =
=====================

∗∗∗ Malware abuses Google OAuth endpoint to ‘revive’ cookies, hijack accounts ∗∗∗
---------------------------------------------
Multiple information-stealing malware families are abusing an undocumented Google OAuth endpoint named "MultiLogin" to restore expired authentication cookies and log into users accounts, even if an accounts password was reset.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/malware-abuses-google-oauth-endpoint-to-revive-cookies-hijack-accounts/


∗∗∗ Steam game mod breached to push password-stealing malware ∗∗∗
---------------------------------------------
Downfall, a fan expansion for the popular Slay the Spire indie strategy game, was breached on Christmas Day to push Epsilon information stealer malware using the Steam update system.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/steam-game-mod-breached-to-push-password-stealing-malware/


∗∗∗ Security: Wie man mit Ransomware-Hackern verhandelt ∗∗∗
---------------------------------------------
Wer Opfer einer Ransomware-Attacke wird, kommt an Verhandlungen mit den Kriminellen manchmal nicht vorbei. Dabei gibt es einige Regeln zu beachten. Ein Bericht von Friedhelm Greis
---------------------------------------------
https://www.golem.de/news/security-wie-man-mit-ransomware-hackern-verhandelt-2312-180677.html


∗∗∗ New Version of Meduza Stealer Released in Dark Web ∗∗∗
---------------------------------------------
On Christmas Eve, Resecurity’s HUNTER unit spotted the author of perspective password stealer Meduza has released a new version (2.2). One of the key significant improvements are support of more software clients [...]
---------------------------------------------
https://securityaffairs.com/156598/malware/meduza-stealer-released-dark-web.html


∗∗∗ Clash of Clans gamers at risk while using third-party app ∗∗∗
---------------------------------------------
An exposed database and secrets on a third-party app puts Clash of Clans players at risk of attacks from threat actors. The Cybernews research team has discovered that the Clash Base Designer Easy Copy app exposed its Firebase database and user-sensitive information. With 100,000 downloads on the Google Play store, [...]
---------------------------------------------
https://securityaffairs.com/156617/security/clash-of-clans-gamers-at-risk.html


∗∗∗ The Worst Hacks of 2023 ∗∗∗
---------------------------------------------
It was a year of devastating cyberattacks around the globe, from ransomware attacks on casinos to state-sponsored breaches of critical infrastructure.
---------------------------------------------
https://www.wired.com/story/worst-hacks-2023/


∗∗∗ From DarkGate to AsyncRAT: Malware Detected and Shared As Unit 42 Timely Threat Intelligence ∗∗∗
---------------------------------------------
>From October-December, the activities of DarkGate, Pikabot, IcedID and more were seen and shared with the broader community via social media [...]
---------------------------------------------
https://unit42.paloaltonetworks.com/unit42-threat-intelligence-roundup/


∗∗∗ Windows: CVE-2021-43890 ausnutzbar: App-Installer-Protokoll deaktiviert; Storm-1152 ausgeschaltet ∗∗∗
---------------------------------------------
Ich packe zum Jahresende noch einige "Gruselgeschichten" rund um das Thema "Sicherheit in Microsoft-Produkten" zusammen. So hat Microsoft den MSXI-App-Installer-Protokoll deaktiviert, weil dieses von Malware-Gruppen missbraucht wurde. Dann gab es die Schwachstelle CVE-2021-43890, die längst gefixt zu sein schien, jetzt [...]
---------------------------------------------
https://www.borncity.com/blog/2023/12/29/microsoft-sicherheitssplitter-cve-2021-43890-ausnutzbar-app-installer-protokoll-deaktiviert-storm-1152-ausgeschaltet/


∗∗∗ Velociraptor 0.7.1 Release: Sigma Support, ETW Multiplexing, Local Encrypted Storage and New VQL Capabilities Highlight the Last Release of 2023 ∗∗∗
---------------------------------------------
Rapid7 is excited to announce that version 0.7.1 of Velociraptor is live and available for download. There are several new features and capabilities that add to the power and efficiency of this open-source digital forensic and incident response (DFIR) platform.
---------------------------------------------
https://www.rapid7.com/blog/post/2023/12/29/velociraptor-0-7-1-release-sigma-support-etw-multiplexing-local-encrypted-storage-and-new-vql-capabilities-highlight-the-last-release-of-2023/


=====================
=  Vulnerabilities  =
=====================

∗∗∗ Apache OpenOffice 4.1.15 Release Notes ∗∗∗
---------------------------------------------
CVE-2012-5639: Loading internal / external resources without warning, CVE-2022-43680: "Use after free" fixed in libexpat, CVE-2023-1183: Arbitrary file write in Apache OpenOffice Base, CVE-2023-47804: Macro URL arbitrary script execution
---------------------------------------------
https://cwiki.apache.org/confluence/display/OOOUSERS/AOO+4.1.15+Release+Notes


∗∗∗ CVE-2019-3773 Spring Web Services Vulnerability in NetApp Products ∗∗∗
---------------------------------------------
Multiple NetApp products incorporate Spring Web Services. Spring Web Services 2.4.3, 3.0.4, and older unsupported versions are susceptible to a vulnerability which when successfully exploited could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS). [...] CVE-2019-3773 9.8 (CRITICAL)
---------------------------------------------
https://security.netapp.com/advisory/ntap-20231227-0011/


∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily