[CERT-daily] Tageszusammenfassung - 25.04.2024

Thu Apr 25 18:06:15 CEST 2024

=====================
= End-of-Day report =
=====================

Timeframe:   Mittwoch 24-04-2024 18:00 − Donnerstag 25-04-2024 18:00
Handler:     Michael Schlagenhaufer
Co-Handler:  Thomas Pribitzer

=====================
=       News        =
=====================

∗∗∗ New Brokewell malware takes over Android devices, steals data ∗∗∗
---------------------------------------------
Security researchers have discovered a new Android banking trojan they named Brokewell that can capture every event on the device, from touches and information displayed to text input and the applications the user launches.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-brokewell-malware-takes-over-android-devices-steals-data/


∗∗∗ Does it matter if iptables isnt running on my honeypot?, (Thu, Apr 25th) ∗∗∗
---------------------------------------------
I've been working on comparing data from different DShield honeypots to understand differences when the honeypots reside on different networks.
---------------------------------------------
https://isc.sans.edu/diary/rss/30862


∗∗∗ Sifting through the spines: identifying (potential) Cactus ransomware victims ∗∗∗
---------------------------------------------
This blog is part of a series written by various Dutch cyber security firms that have collaborated on the Cactus ransomware group, which exploits Qlik Sense servers for initial access.
---------------------------------------------
https://research.nccgroup.com/2024/04/25/sifting-through-the-spines-identifying-potential-cactus-ransomware-victims/


∗∗∗ ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices ∗∗∗
---------------------------------------------
ArcaneDoor is a campaign that is the latest example of state-sponsored actors targeting perimeter network devices from multiple vendors. Coveted by these actors, perimeter network devices are the perfect intrusion point for espionage-focused campaigns.
---------------------------------------------
https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/


∗∗∗ Talos IR trends: BEC attacks surge, while weaknesses in MFA persist ∗∗∗
---------------------------------------------
Within BEC attacks, adversaries will send phishing emails appearing to be from a known or reputable source making a valid request, such as updating payroll direct deposit information.
---------------------------------------------
https://blog.talosintelligence.com/talos-ir-quarterly-trends-q1-2024/


∗∗∗ Threat Bulletin – New variant of IDAT Loader ∗∗∗
---------------------------------------------
Morphisec has successfully identified and prevented a new variant of IDAT loader.
---------------------------------------------
https://blog.morphisec.com/threat-bulletin-new-variant-idat-variant


∗∗∗ Ransomware Roundup - KageNoHitobito and DoNex ∗∗∗
---------------------------------------------
The KageNoHitobito and DoNex are recent ransomware that are financially motivated, demanding payment from victims to decrypt files.
---------------------------------------------
https://feeds.fortinet.com/~/882489596/0/fortinet/blogs~Ransomware-Roundup-KageNoHitobito-and-DoNex


=====================
=  Vulnerabilities  =
=====================

∗∗∗ Maximum severity Flowmon bug has a public exploit, patch now ∗∗∗
---------------------------------------------
Proof-of-concept exploit code has been released for a top-severity security vulnerability in Progress Flowmon, a tool for monitoring network performance and visibility.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/maximum-severity-flowmon-bug-has-a-public-exploit-patch-now/


∗∗∗ WP Automatic WordPress plugin hit by millions of SQL injection attacks ∗∗∗
---------------------------------------------
Hackers have started to target a critical severity vulnerability in the WP Automatic plugin for WordPress to create user accounts with administrative privileges and to plant backdoors for long-term access.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/wp-automatic-wordpress-plugin-hit-by-millions-of-sql-injection-attacks/


∗∗∗ Über Zero-Day-Schwachstellen: Cisco-Firewalls werden seit Monaten attackiert ∗∗∗
---------------------------------------------
Eine zuvor unbekannte Hackergruppe nutzt mindestens seit November 2023 zwei Zero-Day-Schwachstellen in Cisco-Firewalls aus, um Netzwerke zu infiltrieren.
---------------------------------------------
https://www.golem.de/news/ueber-zero-day-schwachstellen-cisco-firewalls-werden-seit-monaten-attackiert-2404-184540.html


∗∗∗ Unter Windows: Schwachstelle in Virtualbox verleiht Angreifern Systemrechte ∗∗∗
---------------------------------------------
Zwei Forscher haben unabhängig voneinander eine Schwachstelle in Oracles Virtualbox entdeckt. Angreifer können damit auf Windows-Hosts ihre Rechte ausweiten.
---------------------------------------------
https://www.golem.de/news/unter-windows-schwachstelle-in-virtualbox-verleiht-angreifern-systemrechte-2404-184545.html


∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (curl, filezilla, flatpak, kubernetes, libfilezilla, thunderbird, and xen), Oracle (go-toolset:ol8, kernel, libreswan, shim, and tigervnc), Red Hat (buildah, gnutls, libreswan, tigervnc, and unbound), SUSE (cockpit-wicked, nrpe, and python-idna), and Ubuntu (dnsmasq, freerdp2, linux-azure-6.5, and thunderbird).
---------------------------------------------
https://lwn.net/Articles/971140/


∗∗∗ Vulnerabilities Expose Brocade SAN Appliances, Switches to Hacking ∗∗∗
---------------------------------------------
The Brocade SANnav management application is affected by multiple vulnerabilities, including a publicly available root password.
---------------------------------------------
https://www.securityweek.com/vulnerabilities-expose-brocade-san-appliances-switches-to-hacking/


∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/


∗∗∗ Cisco Security Advisories 2024-04-25 ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/publicationListing.x


∗∗∗ Multiple Vulnerabilities in Hitachi Energy RTU500 Series ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-116-01


∗∗∗ Honeywell Experion PKS, Experion LX, PlantCruise by Experion, Safety Manager, Safety Manager SC ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-116-04


∗∗∗ Hitachi Energy MACH SCM ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-116-02


∗∗∗ PAN-SA-2024-0005 Informational Bulletin: Proof of Concept (PoC) Bypasses Protection Modules (Severity: NONE) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/PAN-SA-2024-0005


∗∗∗ PAN-SA-2024-0005 Informational Bulletin: Proof of Concept (PoC) Bypasses Protection Modules in Cortex XDR Agent (Severity: NONE) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/PAN-SA-2024-0005

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily