[CERT-daily] Tageszusammenfassung - 01.03.2024

Fri Mar 1 18:14:02 CET 2024

=====================
= End-of-Day report =
=====================

Timeframe:   Donnerstag 29-02-2024 18:00 − Freitag 01-03-2024 18:00
Handler:     Thomas Pribitzer
Co-Handler:  Michael Schlagenhaufer

=====================
=       News        =
=====================

∗∗∗ CISA cautions against using hacked Ivanti VPN gateways even after factory resets ∗∗∗
---------------------------------------------
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) revealed today that attackers who hack Ivanti VPN appliances using one of multiple actively exploited vulnerabilities may be able to maintain root persistence even after performing factory resets.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cisa-cautions-against-using-hacked-ivanti-vpn-gateways-even-after-factory-resets/


∗∗∗ Angriffe auf Windows-Lücke – Update seit einem halben Jahr verfügbar ∗∗∗
---------------------------------------------
Die CISA warnt vor Angriffen auf eine Lücke in Microsofts Streaming Service. Updates gibt es seit mehr als einem halben Jahr.
---------------------------------------------
https://heise.de/-9643763


∗∗∗ Wireshark Tutorial: Exporting Objects From a Pcap ∗∗∗
---------------------------------------------
This Wireshark tutorial guides the reader in exporting different packet capture objects. It builds on a foundation of malware traffic analysis skills.
---------------------------------------------
https://unit42.paloaltonetworks.com/using-wireshark-exporting-objects-from-a-pcap/


∗∗∗ Blue Team toolkit: 6 open-source tools to assess and enhance corporate defenses ∗∗∗
---------------------------------------------
Here’s how the blue team wards off red teamers and a few open-source tools it may leverage to identify chinks in the corporate armor.
---------------------------------------------
https://www.welivesecurity.com/en/business-security/blue-team-toolkit-6-open-source-tools-corporate-defenses/


∗∗∗ Researchers spot new infrastructure likely used for Predator spyware ∗∗∗
---------------------------------------------
Cybersecurity researchers have identified new infrastructure likely used by the operators of the commercial spyware known as Predator in at least 11 countries.
---------------------------------------------
https://therecord.media/new-predator-spyware-infrastructure-identified


∗∗∗ Covert TLS n-day backdoors: SparkCockpit & SparkTar ∗∗∗
---------------------------------------------
This report documents two covert TLS-based backdoors identified by NVISO: SparkCockpit & SparkTar. Both backdoors employ selective interception of TLS communication towards the legitimate Ivanti server applications.
---------------------------------------------
https://blog.nviso.eu/2024/03/01/covert-tls-n-day-backdoors-sparkcockpit-sparktar/


∗∗∗ How To Hunt For UEFI Malware Using Velociraptor ∗∗∗
---------------------------------------------
UEFI threats have historically been limited in number and mostly implemented bynation state actors as stealthy persistence. However, the recent proliferationof Black Lotus on the dark web, Trickbot enumeration module (late 2022), andGlupteba (November 2023) indicates that this historical trend may be changing. With this context, it is becoming important for security practitioners to understand visibility and collection capabilities for UEFI threats. This post covers some of these areas and presents several recent Velociraptor artifacts that can be used in the field.
---------------------------------------------
https://www.rapid7.com/blog/post/2024/02/29/how-to-hunt-for-uefi-malware-using-velociraptor/


∗∗∗ Bluetooth Unleashed: Syncing Up with the RattaGATTa Series! Part 1 ∗∗∗
---------------------------------------------
This post introduces GreyNoise Labs series on BTLE, highlighting its privacy and security implications, as well as the journey from basic usage to sophisticated system development, offering insights for cybersecurity professionals and tech enthusiasts alike.
---------------------------------------------
https://www.greynoise.io/blog/bluetooth-unleashed-syncing-up-with-the-rattagatta-series-part-1


=====================
=  Vulnerabilities  =
=====================

∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (firefox and thunderbird), Debian (gsoap, python-django, and wireshark), Fedora (dotnet7.0 and gifsicle), Mageia (sympa), Oracle (postgresql:10, postgresql:12, thunderbird, and unbound), Red Hat (kpatch-patch, python-pillow, and squid:4), SUSE (nodejs12, nodejs14, nodejs16, nodejs18, and openvswitch3), and Ubuntu (linux-azure, linux-lowlatency, linux-starfive-6.5, php-guzzlehttp-psr7, and php-nyholm-psr7).
---------------------------------------------
https://lwn.net/Articles/964166/


∗∗∗ Sicherheitsupdate: Nividia-Grafikkarten-Treiber als Einfallstor für Angreifer ∗∗∗
---------------------------------------------
Insgesamt hat Nvidia mit den Updates acht Sicherheitslücken geschlossen. Davon sind vier (CVE-2024-0071, CVE-2024-0073, CVE-2024-0075, CVE-2024-0077) mit dem Bedrohungsgrad "hoch" eingestuft. An diesen Stellen können Angreifer auf einem nicht näher beschriebenen Weg Speicherfehler auslösen und so Schadcode auf Systeme schieben und ausführen. Im Anschluss gelten Computer in der Regel als vollständig kompromittiert.
---------------------------------------------
https://heise.de/-9643306


∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/


∗∗∗ Autodesk: Multiple Vulnerabilities in the Autodesk AutoCAD Desktop Software ∗∗∗
---------------------------------------------
https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0004

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily