[CERT-daily] Daily summary - 05.03.2024

Daily end-of-shift report team at cert.at
Tue Mar 5 18:10:37 CET 2024


=====================
= End-of-Day report =
=====================

Timeframe:   Monday 04-03-2024 18:00 - Tuesday 05-03-2024 18:00
Handler:     Thomas Pribitzer
Co-Handler:  n/a

=====================
=       News        =
=====================

∗∗∗ ScreenConnect flaws exploited to drop new ToddleShark malware ∗∗∗
---------------------------------------------
The North Korean APT hacking group Kimsuky is exploiting ScreenConnect flaws, particularly CVE-2024-1708 and CVE-2024-1709, to infect targets with a new malware variant dubbed ToddleShark.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/screenconnect-flaws-exploited-to-drop-new-toddleshark-malware/


∗∗∗ Network tunneling with… QEMU? ∗∗∗
---------------------------------------------
While investigating an incident, we detected uncommon malicious activity inside one of the systems. We ran an analysis on the artifacts, only to find that the adversary had deployed and launched the QEMU hardware emulator.
---------------------------------------------
https://securelist.com/network-tunneling-with-qemu/111803/


∗∗∗ Warning: Thread Hijacking Attack Targets IT Networks, Stealing NTLM Hashes ∗∗∗
---------------------------------------------
The threat actor known as TA577 has been observed using ZIP archive attachments in phishing emails with an aim to steal NT LAN Manager (NTLM) hashes.
---------------------------------------------
https://thehackernews.com/2024/03/warning-thread-hijacking-attack-targets.html


∗∗∗ Pegasus spyware creator ordered to reveal code used to spy on WhatsApp users ∗∗∗
---------------------------------------------
Meta has won a court case against spyware vendor NSO Group to reveal the Pegasus spyware code that allows spying on WhatsApp users.
---------------------------------------------
https://www.malwarebytes.com/blog/news/2024/03/pegasus-spyware-creator-ordered-to-reveal-code-used-to-spy-on-whatsapp-users


∗∗∗ AnyDesk: Access attempts from Spain; unsigned client distributed ∗∗∗
---------------------------------------------
The drama at AnyDesk apparently continues, although I had hoped to be able to slowly close the topic...
---------------------------------------------
https://www.borncity.com/blog/2024/03/05/anydesk-zugriffsversuche-aus-spanien-unsignierter-client-verteilt/


∗∗∗ WogRAT Malware Exploits aNotepad (Windows, Linux) ∗∗∗
---------------------------------------------
AhnLab Security Intelligence Center (ASEC) has recently discovered the distribution of backdoor malware via aNotepad, a free online notepad platform.
---------------------------------------------
https://asec.ahnlab.com/en/62446/


∗∗∗ GhostSec’s joint ransomware operation and evolution of their arsenal ∗∗∗
---------------------------------------------
Cisco Talos has observed a surge in the malicious activities of the hacking group GhostSec over the past year. GhostSec has evolved with a new GhostLocker 2.0 ransomware, a Golang variant of the GhostLocker ransomware.
---------------------------------------------
https://blog.talosintelligence.com/ghostsec-ghostlocker2-ransomware/


∗∗∗ Ransomware: ALPHV/Blackcat apparently defrauds partner and withdraws ∗∗∗
---------------------------------------------
The facts suggest that ALPHV/Blackcat defrauded a cybercrime partner of 22 million US dollars and has now withdrawn.
---------------------------------------------
https://heise.de/-9646707



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Exploit available for new critical TeamCity auth bypass bug, patch now ∗∗∗
---------------------------------------------
A critical vulnerability (CVE-2024-27198) in the TeamCity On-Premises CI/CD solution from JetBrains can let a remote unauthenticated attacker take control of the server with administrative permissions.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/exploit-available-for-new-critical-teamcity-auth-bypass-bug-patch-now/


∗∗∗ Multiple vulnerabilities in RT-Thread RTOS ∗∗∗
---------------------------------------------
I reviewed RT-Thread’s source code hosted on GitHub and identified multiple security vulnerabilities that may cause memory corruption and security feature bypass. Their impacts range from denial of service to potential arbitrary code execution.
---------------------------------------------
https://security.humanativaspa.it/multiple-vulnerabilities-in-rt-thread-rtos/


∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (yard), Oracle (buildah and kernel), Red Hat (389-ds:1.4, edk2, frr, gnutls, haproxy, libfastjson, libX11, postgresql:12, sqlite, squid, squid:4, tcpdump, and tomcat), SUSE (apache2-mod_auth_openidc and glibc), and Ubuntu (linux-gke, python-cryptography, and python-django).
---------------------------------------------
https://lwn.net/Articles/964450/


∗∗∗ Zeek Security Tool Vulnerabilities Allow ICS Network Hacking ∗∗∗
---------------------------------------------
Vulnerabilities in a plugin for the Zeek network security monitoring tool can be exploited in attacks aimed at ICS environments.
---------------------------------------------
https://www.securityweek.com/zeek-security-tool-vulnerabilities-allow-ics-network-hacking/


∗∗∗ VU#782720: TCG TPM2.0 implementations vulnerable to memory corruption ∗∗∗
---------------------------------------------
https://kb.cert.org/vuls/id/782720


∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/


∗∗∗ Security Vulnerabilities fixed in Thunderbird 115.8.1 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2024-11/


∗∗∗ Nice Linear eMerge E3-Series ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-065-01


∗∗∗ Santesoft Sante FFT Imaging ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-065-01


∗∗∗ K000138814 : OpenLDAP vulnerability CVE-2023-2953 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000138814


∗∗∗ Patch day: Critical malicious-code vulnerabilities threaten Android 12, 13 and 14 ∗∗∗
---------------------------------------------
https://heise.de/-9646073

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily