[CERT-daily] Tageszusammenfassung - 13.03.2024

Wed Mar 13 18:28:48 CET 2024

=====================
= End-of-Day report =
=====================

Timeframe:   Dienstag 12-03-2024 18:00 − Mittwoch 13-03-2024 18:00
Handler:     Michael Schlagenhaufer
Co-Handler:  Thomas Pribitzer

=====================
=       News        =
=====================

∗∗∗ RisePro stealer targets Github users in “gitgub” campaign ∗∗∗
---------------------------------------------
We identified at least 13 such repositories belonging to a RisePro stealer campaign that was named “gitgub” by the threat actors. The repositories look similar, featuring a README.md file with the promise of free cracked software. [..] RisePro resurfaces with new string encryption and a bloated MSI installer that crashes reversing tools like IDA. The "gitgub" campaign already sent more than 700 archives of stolen data to Telegram.
---------------------------------------------
https://www.gdatasoftware.com/blog/2024/03/37885-risepro-stealer-campaign-github


∗∗∗ Using ChatGPT to Deobfuscate Malicious Scripts, (Wed, Mar 13th) ∗∗∗
---------------------------------------------
Today, most of the malicious scripts in the wild are heavily obfuscated. [...] There was a huge amount of obfuscated strings (443 in total). Let's try tro process them with ChatGPT [..] The request took a few seconds to get some feedback but results were perfect (I only submitted a small part of the script).
---------------------------------------------
https://isc.sans.edu/diary/rss/30740


∗∗∗ FakeBat delivered via several active malvertising campaigns ∗∗∗
---------------------------------------------
A number of software brands are being impersonated with malicious ads and fake sites to distribute malware.
---------------------------------------------
https://www.malwarebytes.com/blog/threat-intelligence/2024/03/fakebat-delivered-via-several-active-malvertising-campaigns


∗∗∗ Geldwäsche statt Babysitting: Vorsicht vor diesem Jobbetrug! ∗∗∗
---------------------------------------------
Kriminelle suchen über Babysitter-Börsen angeblich eine Betreuung für ihr Kind oder ihre Kinder. Das vermeintliche Elternteil behauptet, derzeit noch im Ausland zu leben und erst zu einem späteren Zeitpunkt nach Österreich zu ziehen. Damit sich die Kinder gleich von Anfang an wohl fühlen, sollen die neuen Babysitter:innen bereits im Vorfeld Spielzeug einkaufen.
---------------------------------------------
https://www.watchlist-internet.at/news/geldwaesche-statt-babysitting-vorsicht-vor-diesem-jobbetrug/


∗∗∗ JetBrains vulnerability exploitation highlights debate over silent patching ∗∗∗
---------------------------------------------
Czech software giant JetBrains harshly criticized security company Rapid7 this week following a dispute over two recently-discovered vulnerabilities. In a blog post published Monday, JetBrains attributed the compromise of several customers’ servers to Rapid7’s decision to release detailed information on the vulnerabilities.
---------------------------------------------
https://therecord.media/jetbrains-rapid7-silent-patching-dispute


∗∗∗ Unpacking Flutter hives ∗∗∗
---------------------------------------------
The goal of this blogpost is to obtain the content of an encrypted Hive without having access to the source code.
---------------------------------------------
https://blog.nviso.eu/2024/03/13/unpacking-flutter-hives/


∗∗∗ Threat actors leverage document publishing sites for ongoing credential and session token theft ∗∗∗
---------------------------------------------
Talos IR has responded to several recent incidents in which threat actors used legitimate digital document publishing sites such as Publuu and Marq to host phishing documents as part of ongoing credential and session harvesting attacks. Threat actors have used a similar tactic of deploying phishing lures on well-known cloud storage and contract management sites such as Google Drive, OneDrive, SharePoint, DocuSign and Oneflow.
---------------------------------------------
https://blog.talosintelligence.com/threat-actors-leveraging-document-publishing-sites/


∗∗∗ CVE-2024-21412: DarkGate Operators Exploit Microsoft Windows SmartScreen Bypass in Zero-Day Campaign ∗∗∗
---------------------------------------------
The Zero Day Initiative (ZDI) recently uncovered a DarkGate campaign in mid-January 2024, which exploited CVE-2024-21412 through the use of fake software installers. During this campaign, users were lured using PDFs that contained Google DoubleClick Digital Marketing (DDM) open redirects that led unsuspecting victims to compromised sites hosting the Microsoft Windows SmartScreen bypass CVE-2024-21412 that led to malicious Microsoft (.MSI) installers. [..] This campaign was part of the larger Water Hydra APT zero-day analysis.
---------------------------------------------
https://www.trendmicro.com/en_us/research/24/c/cve-2024-21412--darkgate-operators-exploit-microsoft-windows-sma.html


=====================
=  Vulnerabilities  =
=====================

∗∗∗ Cisco Security Advisories 2024-03-13 ∗∗∗
---------------------------------------------
Security Impact Rating: 3x High, 4x Medium
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs=1&firstPublishedStartDate=2024%2F03%2F13&firstPublishedEndDate=2024%2F03%2F13&pageNum=1&isRenderingBugList=false


∗∗∗ Palo Alto Security Advisories 2024-03-13 ∗∗∗
---------------------------------------------
Security Impact Rating: 3x Medium
---------------------------------------------
https://security.paloaltonetworks.com/


∗∗∗ Critical Vulnerability Remains Unpatched in Two Permanently Closed MiniOrange WordPress Plugins – $1,250 Bounty Awarded ∗∗∗
---------------------------------------------
Both miniOrange’s Malware Scanner and Web Application Firewall plugins contain a critical privilege escalation vulnerability, and both have been permanently closed. So we urge all users to delete these plugins from their websites immediately! [..] This vulnerability makes it possible for an unauthenticated attacker to grant themselves administrative privileges by updating the user password.
---------------------------------------------
https://www.wordfence.com/blog/2024/03/critical-vulnerability-remains-unpatched-in-two-permanently-closed-miniorange-wordpress-plugins-1250-bounty-awarded/


∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (edk2, freeipa, kernel, and liblas), Oracle (kernel), Red Hat (docker, edk2, kernel, kernel-rt, and kpatch-patch), SUSE (axis, fontforge, gnutls, java-1_8_0-openjdk, kernel, python3, sudo, and zabbix), and Ubuntu (dotnet7, dotnet8, libgoogle-gson-java, openssl, and ovn).
---------------------------------------------
https://lwn.net/Articles/965278/


∗∗∗ März-Patchday: Microsoft stopft zwei kritische Löcher in Hyper-V ∗∗∗
---------------------------------------------
Insgesamt bringt der März-Patchday Fixes für 61 Sicherheitslücken.
---------------------------------------------
https://www.zdnet.de/88414822/maerz-patchday-microsoft-stopft-zwei-kritische-loecher-in-hyper-v/


∗∗∗ Adobe Releases Security Updates for Multiple Products ∗∗∗
---------------------------------------------
Adobe Experience Manager, Adobe Premiere Pro, Adobe ColdFusion, Adobe Bridge, Adobe Lightroom, Adobe Animate
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/03/12/adobe-releases-security-updates-multiple-products


∗∗∗ AMD und Intel schließen CPU-Sicherheitslücken in Core- und Ryzen-CPUs ∗∗∗
---------------------------------------------
Zum Patch-Tuesday räumen AMD und Intel weitere Sicherheitslücken in ihren Prozessoren ein. Es geht unter anderem um Race Conditions.
---------------------------------------------
https://heise.de/-9653846


∗∗∗ Fortinet-Patchday: Updates gegen kritische Schwachstellen ∗∗∗
---------------------------------------------
Fortinet hat zum März-Patchday Sicherheitslücken in FortiOS, FortiProxy, FortiClientEMS und im FortiManager geschlossen.
---------------------------------------------
https://heise.de/-9653730


∗∗∗ Citrix Hypervisor Security Update for CVE-2023-39368 and CVE-2023-38575 ∗∗∗
---------------------------------------------
https://support.citrix.com/article/CTX616982/citrix-hypervisor-security-update-for-cve202339368-and-cve202338575


∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/


∗∗∗ Lenovo Security Advisories 2024-03-12 ∗∗∗
---------------------------------------------
https://support.lenovo.com/at/de/product_security/home


∗∗∗ Xen Security Advisory CVE-2024-2193 / XSA-453 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-453.html


∗∗∗ Xen Security Advisory CVE-2023-28746 / XSA-452 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-452.html


∗∗∗ Wago: Multiple vulnerabilities in web-based management of multiple products ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2023-039/


∗∗∗ Bosch: BVMS affected by Autodesk Design Review Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-246962-bt.html


∗∗∗ Bosch: RPS and RPS-LITE operator and communication process vulnerabilities. ∗∗∗
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-099637-bt.html


∗∗∗ Canon: CPE2024-002 – Vulnerability Mitigation/Remediation for Small Office Multifunction Printers and Laser Printers – 14 March 2024 ∗∗∗
---------------------------------------------
https://www.canon-europe.com/support/product-security-latest-news/


∗∗∗ SonicWall: SonicWall Email Security Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) Vulnerability ∗∗∗
---------------------------------------------
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0006


∗∗∗ SonicWall: SonicOS SSLVPN Portal Stored Cross-site Scripting Vulnerability ∗∗∗
---------------------------------------------
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0005


∗∗∗ SonicWall: Integer-Based Buffer Overflow Vulnerability In SonicOS via IPSec ∗∗∗
---------------------------------------------
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0004


∗∗∗ Google Chrome: Drei Sicherheitslöcher gestopft ∗∗∗
---------------------------------------------
https://heise.de/-9653082

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily