[CERT-daily] Tageszusammenfassung - 12.01.2024

[Daily end-of-shift report]

=====================
= End-of-Day report =
=====================

Timeframe:   Donnerstag 11-01-2024 18:00 − Freitag 12-01-2024 18:00
Handler:     Thomas Pribitzer
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ Sicherheitsrisiko: So einfach können Handy-Nutzer heimlich verfolgt werden​ ∗∗∗
---------------------------------------------
Ein niederländischer Radiosender bekam 80 Gigabyte an Standortdaten von der Berliner Plattform Datarade in die Hände und konnte so etwa Offiziere beschatten.​
---------------------------------------------
https://www.heise.de/-9596230.html


∗∗∗ Microsoft liefert Abhilfe zur Installation von Updates in WinRE-Partition ∗∗∗
---------------------------------------------
Am Januar-Patchday schlägt die Update-Intallation unter Windows 10 oft mit Fehler 0x80070643 fehl. Ein Microsoft-Skript soll helfen.
---------------------------------------------
https://www.heise.de/-9595312.html


∗∗∗ Jetzt patchen! Kritische Sicherheitslücke in GitLab ermöglicht Accountklau ∗∗∗
---------------------------------------------
Der Fehler wird bereits aktiv von Kriminellen ausgenutzt, Administratoren sollten zügig handeln und ihre GitLab-Instanzen aktualisieren oder abschotten.
---------------------------------------------
https://www.heise.de/-9595848.html


∗∗∗ Datenleck bei Halara: Persönliche Daten von 941.910 Kunden stehen wohl im Netz ∗∗∗
---------------------------------------------
Die Daten zahlreicher Halara-Kunden sind in einem Hackerforum aufgetaucht. Abgeflossen sein sollen sie über eine Schwachstelle in der Webseiten-API.
---------------------------------------------
https://www.golem.de/news/bekleidungshersteller-halara-kundendaten-in-hackerforum-aufgetaucht-2401-181118.html


∗∗∗ New Balada Injector campaign infects 6,700 WordPress sites ∗∗∗
---------------------------------------------
A new Balada Injector campaign launched in mid-December has infected over 6,700 WordPress websites using a vulnerable version of the Popup Builder campaign.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-balada-injector-campaign-infects-6-700-wordpress-sites/


∗∗∗ Over 150k WordPress sites at takeover risk via vulnerable plugin ∗∗∗
---------------------------------------------
Two vulnerabilities impacting the POST SMTP Mailer WordPress plugin, an email delivery tool used by 300,000 websites, could help attackers take complete control of a site authentication.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/over-150k-wordpress-sites-at-takeover-risk-via-vulnerable-plugin/


∗∗∗ One File, Two Payloads, (Fri, Jan 12th) ∗∗∗
---------------------------------------------
It has been a while since I discussed obfuscation techniques in malicious scripts. I found a VB script that pretends to be a PDF file. As usual, it was delivered through a phishing email with a zip archive. The filename is "rfw_po_docs_order_sheet_01_10_202400000000_pdf.vbs" (SHA256:6e6ecd38cc3c58c40daa4020b856550b1cbaf1dbc0fad517f7ca26d6e11a3d75[1])
---------------------------------------------
https://isc.sans.edu/diary/rss/30558


∗∗∗ Cryptominers Targeting Misconfigured Apache Hadoop and Flink with Rootkit in New Attacks ∗∗∗
---------------------------------------------
Cybersecurity researchers have identified a new attack that exploits misconfigurations in Apache Hadoop and Flink to deploy cryptocurrency miners within targeted environments. "This attack is particularly intriguing due to the attackers use of packers and rootkits to conceal the malware," Aqua security researchers Nitzan Yaakov and Assaf Morag said in an analysis published earlier [...]
---------------------------------------------
https://thehackernews.com/2024/01/cryptominers-targeting-misconfigured.html


∗∗∗ Nation-State Actors Weaponize Ivanti VPN Zero-Days, Deploying 5 Malware Families ∗∗∗
---------------------------------------------
As many as five different malware families were deployed by suspected nation-state actors as part of post-exploitation activities leveraging two zero-day vulnerabilities in Ivanti Connect Secure (ICS) VPN appliances since early December 2023. "These families allow the threat actors to circumvent authentication and provide backdoor access to these devices," Mandiant said [...]
---------------------------------------------
https://thehackernews.com/2024/01/nation-state-actors-weaponize-ivanti.html


∗∗∗ Akira ransomware attackers are wiping NAS and tape backups ∗∗∗
---------------------------------------------
“The Akira ransomware malware, which was first detected in Finland in June 2023, has been particularly active at the end of the year,” the Finnish National Cybersecurity Center (NCSC-FI) has shared on Wednesday. NCSC-FI has received 12 reports of Akira ransomware hitting Finnish organizations in 2023, and three of the attacks happened during Christmas vacations.
---------------------------------------------
https://www.helpnetsecurity.com/2024/01/12/finland-akira-ransomware/


∗∗∗ Joomla! vulnerability is being actively exploited ∗∗∗
---------------------------------------------
A vulnerability in the popular Joomla! CMS has been added to CISAs known exploited vulnerabilities catalog.
---------------------------------------------
https://www.malwarebytes.com/blog/news/2024/01/joomla-vulnerability-is-being-actively-exploited


∗∗∗ An Introduction to AWS Security ∗∗∗
---------------------------------------------
Cloud providers are becoming a core part of IT infrastructure. Amazon Web Services (AWS), the worlds biggest cloud provider, is used by millions of organizations worldwide and is commonly used to run sensitive and mission-critical workloads. This makes it critical for IT and security professionals to understand the basics of AWS security and take measures to protect their data and workloads.
---------------------------------------------
https://www.tripwire.com/state-of-security/introduction-aws-security


∗∗∗ Financial Fraud APK Campaign ∗∗∗
---------------------------------------------
Drawing attention to the ways threat actors steal PII for financial fraud, this article focuses on a malicious APK campaign aimed at Chinese users.
---------------------------------------------
https://unit42.paloaltonetworks.com/malicious-apks-steal-pii-from-chinese-users/


∗∗∗ CVE-2023-36025 Exploited for Defense Evasion in Phemedrone Stealer Campaign ∗∗∗
---------------------------------------------
This blog delves into the Phemedrone Stealer campaigns exploitation of CVE-2023-36025, the Windows Defender SmartScreen Bypass vulnerability, for its defense evasion and investigates the malwares payload.
---------------------------------------------
https://www.trendmicro.com/en_us/research/24/a/cve-2023-36025-exploited-for-defense-evasion-in-phemedrone-steal.html



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Pufferüberlauf und andere Sicherheitslücken in IBM Business Automation Workflow ∗∗∗
---------------------------------------------
Angreifer können Code einschleusen, Komponenten zum Stillstand bringen und geheime Informationen abgreifen. IBM informiert Kunden über Gegenmaßnahmen.
---------------------------------------------
https://www.heise.de/-9596204.html


∗∗∗ Splunk, cacti, checkmk: Sicherheitslücken in Monitoring-Software ∗∗∗
---------------------------------------------
In drei beliebten Monitoring-Produkten gibt es Sicherheitsprobleme. Admins sollten sich um Updates kümmern.
---------------------------------------------
https://www.heise.de/-9595021.html


∗∗∗ Bluetooth-Lücke: Apple sichert Tastaturen mit neuer Firmware ab ∗∗∗
---------------------------------------------
Aufgrund eines Bugs war es möglich, Bluetooth-Datenverkehr mitzuzeichnen. Allerdings brauchte der Angreifer physischen Zugriff auf die Tastatur.
---------------------------------------------
https://www.heise.de/-9595522.html


∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (kernel, linux-5.10, php-phpseclib, php-phpseclib3, and phpseclib), Fedora (openssh and tinyxml), Gentoo (FreeRDP and Prometheus SNMP Exporter), Mageia (packages), Red Hat (openssl), SUSE (gstreamer-plugins-rs and python-django-grappelli), and Ubuntu (dotnet6, dotnet7, dotnet8, openssh, and xerces-c).
---------------------------------------------
https://lwn.net/Articles/958124/


∗∗∗ Security Bulletin for Trend Micro Apex Central ∗∗∗
---------------------------------------------
https://success.trendmicro.com/dcx/s/solution/000296153?language=en_US


∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily