[CERT-daily] Tageszusammenfassung - 19.02.2024

Mon Feb 19 19:32:02 CET 2024

=====================
= End-of-Day report =
=====================

Timeframe:   Freitag 16-02-2024 18:00 − Montag 19-02-2024 18:00
Handler:     Michael Schlagenhaufer
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ Anatsa Android malware downloaded 150,000 times via Google Play ∗∗∗
---------------------------------------------
The Anatsa banking trojan has been targeting users in Europe by infecting Android devices through malware droppers hosted on Google Play.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/anatsa-android-malware-downloaded-150-000-times-via-google-play/


∗∗∗ Mirai-Mirai On The Wall... [Guest Diary], (Sun, Feb 18th) ∗∗∗
---------------------------------------------
This article is about one of the ways attackers on the open Internet are attempting to use the Mirai Botnet [1][2] malware to exploit vulnerabilities on exposed IoT devices.
---------------------------------------------
https://isc.sans.edu/diary/rss/30658


∗∗∗ Remote Access Trojan (RAT): Types, Mitigation & Removal ∗∗∗
---------------------------------------------
Remote Access Trojans (RATs) are a serious threat capable of giving attackers control over infected systems. This malware stealthily enters systems (often disguised as legitimate software or by exploiting a vulnerability in the system) and opens backdoors for attackers to perform a wide range of malicious activities on the victim’s computer. This blog post is designed to educate readers on RATs - how they work, the risks they pose, and how to protect against them.
---------------------------------------------
https://blog.sucuri.net/2024/02/remote-access-trojan-rat-types-mitigation-removal.html


∗∗∗ The scary DNS “KeyTrap” bug explained in plain words ∗∗∗
---------------------------------------------
If you were following the IT media last week, you’d have been forgiven for awaiting the imminent implosion of the internet, with DNS itself in desperate danger. [...] Obviously, the next step is for the community to update the DNSSEC specifications, and thereby to protect proactively against this sort of extreme denial-of-service attack by building in new precautions for everyone to follow.
---------------------------------------------
https://pducklin.com/2024/02/18/the-scary-dns-keytrap-bug-explained-in-plain-words/


∗∗∗ KI: OpenAI und Microsoft schließen Konten staatlicher Bedrohungsakteure ∗∗∗
---------------------------------------------
Microsoft und OpenAI haben Konten mutmaßlicher staatlicher Bedrohungsakteure geschlossen, die ChatGPT für kriminelle Zwecke nutzten.
---------------------------------------------
https://www.heise.de/-9631899.html


∗∗∗ Mastodon: Spamwelle zeigt Schwächen auf und weckt Sorge vor schlimmerer Methode ∗∗∗
---------------------------------------------
Seit Tagen klagen einige User auf Mastodon über eine Spamwelle. Der liegen automatisierte Angriffe auf unzureichend geschützte Teile des Fediverse zugrunde.
---------------------------------------------
https://www.heise.de/-9632055.html


∗∗∗ CVE Prioritizer: Open-source tool to prioritize vulnerability patching ∗∗∗
---------------------------------------------
CVE Prioritizer is an open-source tool designed to assist in prioritizing the patching of vulnerabilities. It integrates data from CVSS, EPSS, and CISA’s KEV catalog to offer insights into the probability of exploitation and the potential effects of vulnerabilities on your systems.
---------------------------------------------
https://www.helpnetsecurity.com/2024/02/19/cve-prioritizer-open-source-vulnerability-patching/


∗∗∗ Why keeping track of user accounts is important ∗∗∗
---------------------------------------------
CISA has issued an advisory after the discovery of documents containing information about a state government organization’s network environment on a dark web brokerage site.
---------------------------------------------
https://www.malwarebytes.com/blog/news/2024/02/why-keeping-track-of-user-accounts-is-important


∗∗∗ Gefälschtes Flixbus-Angebot: „Verlorenes Gepäck für 2 Euro“ ∗∗∗
---------------------------------------------
Auf Facebook und Instagram kursiert eine gefälschte Flixbus-Werbung. In der Anzeige steht, dass Flixbus angeblich verlorenes Gepäck um 2 Euro verkauft. Geködert werden Sie mit dem Versprechen, dass sich in den Koffern oft Handys, Laptops oder Schmuck befinden. Es handelt sich aber um eine Abo-Falle.
---------------------------------------------
https://www.watchlist-internet.at/news/gefaelschtes-flixbus-angebot-verlorenes-gepaeck-fuer-2-euro/


∗∗∗ The Most Dangerous Entra Role You’ve (Probably) Never Heard Of ∗∗∗
---------------------------------------------
Entra ID has a built-in role called “Partner Tier2 Support” that enables escalation to Global Admin, but [...]
---------------------------------------------
https://posts.specterops.io/the-most-dangerous-entra-role-youve-probably-never-heard-of-e00ea08b8661


=====================
=  Vulnerabilities  =
=====================

∗∗∗ CVE-2024-23724: Ghost CMS Stored XSS Leading to Owner Takeover ∗∗∗
---------------------------------------------
During research on the Ghost CMS application, the Rhino research team identified a Stored Cross-Site Scripting (XSS) vulnerability which can be triggered by a malicious profile image. [...] The vendor does not view this as a valid vector so will not be releasing an official patch, but it’s important to us at Rhino to not release unpatched vulnerabilities. While this is a unique case, we’ve decided to make the patch ourselves [...]
---------------------------------------------
https://rhinosecuritylabs.com/research/cve-2024-23724-ghost-cms-stored-xss/


∗∗∗ Solarwinds: Codeschmuggel möglich, Updates verfügbar ∗∗∗
---------------------------------------------
Solarwinds schließt Sicherheitslücken in Access Rights Manager und Platform (Orion). Angreifer können Schadcode einschleusen.
---------------------------------------------
https://www.heise.de/-9632541.html


∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (engrampa, openvswitch, pdns-recursor, and runc), Fedora (caddy, expat, freerdp, libgit2, libgit2_1.6, mbedtls, python-cryptography, qt5-qtbase, and sudo), Gentoo (Apache Log4j, Chromium, Google Chrome, Microsoft Edge, CUPS, e2fsprogs, Exim, firefox, Glade, GNU Tar, intel-microcode, libcaca, QtNetwork, QtWebEngine, Samba, Seamonkey, TACACS+, Thunar, and thunderbird), Mageia (dnsmasq, unbound, and vim), Oracle (container-tools:4.0, container-tools:ol8, dotnet6.0, dotnet7.0, kernel, nss, openssh, and sudo), Red Hat (python-pillow), and SUSE (bitcoin, dpdk, libssh, openvswitch, postgresql12, and postgresql13).
---------------------------------------------
https://lwn.net/Articles/962753/


∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/


∗∗∗ ADS-TEC Industrial IT: Docker vulnerability affects multiple products ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2024-016/


∗∗∗ K000138640 : Perl vulnerability CVE-2023-47038 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000138640


∗∗∗ K000138641 : cURL vulnerability CVE-2023-46219 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000138641


∗∗∗ K000138643 : OpenSSH vulnerability CVE-2023-51767 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000138643

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily