[CERT-daily] Tageszusammenfassung - 15.03.2024

Fri Mar 15 18:24:49 CET 2024

=====================
= End-of-Day report =
=====================

Timeframe:   Donnerstag 14-03-2024 18:00 − Freitag 15-03-2024 18:00
Handler:     Thomas Pribitzer
Co-Handler:  Michael Schlagenhaufer

=====================
=       News        =
=====================

∗∗∗ SIM swappers hijacking phone numbers in eSIM attacks ∗∗∗
---------------------------------------------
SIM swappers have adapted their attacks to steal a targets phone number by porting it into a new eSIM card, a digital SIM stored in a rewritable chip present on many recent smartphone models.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/sim-swappers-hijacking-phone-numbers-in-esim-attacks/


∗∗∗ StopCrypt: Most widely distributed ransomware now evades detection ∗∗∗
---------------------------------------------
A new variant of StopCrypt ransomware (aka STOP) was spotted in the wild, employing a multi-stage execution process that involves shellcodes to evade security tools.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/stopcrypt-most-widely-distributed-ransomware-now-evades-detection/


∗∗∗ 5Ghoul Revisited: Three Months Later, (Fri, Mar 15th) ∗∗∗
---------------------------------------------
About three months ago, I wrote about the implications and impacts of 5Ghoul in a previous diary. The 5Ghoul family of vulnerabilities could cause User Equipment (UEs) to be continuously exploited (e.g. dropping/freezing connections, which would require manual rebooting or downgrading a 5G connection to 4G) once they are connected to the malicious 5Ghoul gNodeB (gNB, or known as the base station in traditional cellular networks). Given the potential complexities in the realm of 5G mobile network modems used in a multitude of devices (such as mobile devices and 5G-enabled environments such as Industrial Internet-of-Things and IP cameras), I chose to give the situation a bit more time before revisiting the 5Ghoul vulnerability.
---------------------------------------------
https://isc.sans.edu/diary/rss/30746


∗∗∗ Third-Party ChatGPT Plugins Could Lead to Account Takeovers ∗∗∗
---------------------------------------------
Cybersecurity researchers have found that third-party plugins available for OpenAI ChatGPT could act as a new attack surface for threat actors looking to gain unauthorized access to sensitive data. According to new research published by Salt Labs, security flaws found directly in ChatGPT and within the ecosystem could allow attackers to install malicious plugins without users' consent and hijack accounts on third-party websites like GitHub.
---------------------------------------------
https://thehackernews.com/2024/03/third-party-chatgpt-plugins-could-lead.html


∗∗∗ Vorsicht vor Abo-Falle auf produktretter.at! ∗∗∗
---------------------------------------------
Einmal registrieren und schon erhalten Sie hochwertige und voll funktionsfähige Produkte, die andere retourniert haben. Es fallen lediglich Versandkosten von maximal 2,99 Euro an. Klingt zu schön, um wahr zu sein? Ist es auch. Denn Seiten wie produktretter.at, produkttest-anmeldung.com oder retourenheld.io locken in eine Abo-Falle. Die versprochenen Produkte kommen nie an.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-abo-falle-auf-produktretterat/


∗∗∗ Inside the Rabbit Hole: BunnyLoader 3.0 Unveiled ∗∗∗
---------------------------------------------
We analyze recent samples of BunnyLoader 3.0 to illuminate this malware’s evolved and upscaled capabilities, including its new downloadable module system.
---------------------------------------------
https://unit42.paloaltonetworks.com/analysis-of-bunnyloader-malware/


∗∗∗ How to share sensitive files securely online ∗∗∗
---------------------------------------------
Here are a few tips for secure file transfers and what else to consider when sharing sensitive documents so that your data remains safe.
---------------------------------------------
https://www.welivesecurity.com/en/how-to/share-sensitive-files-securely-online/


∗∗∗ The LockBit story: Why the ransomware affiliate model can turn takedowns into disruptions ∗∗∗
---------------------------------------------
Talos explores the recent law enforcement takedown of LockBit, a prolific ransomware group that claimed to resume their operations 7 days later.
---------------------------------------------
https://blog.talosintelligence.com/ransomware-affiliate-model/


∗∗∗ Zwei Backdoors in Ivanti-Appliances analysiert ∗∗∗
---------------------------------------------
Anfang 2024 wurden die Pulse Secure Appliances von Ivanti durch die damals gemeldeten Schwachstellen CVE-2023-46805 und CVE-2024-21887 weiträumig ausgenutzt. Zwei Exemplare dieser Backdoors haben Sicherheitsforscher jetzt ausführlich beschrieben.
---------------------------------------------
https://heise.de/-9656137


∗∗∗ Sicherheitsforscher genervt: Lücken-Datenbank NVD seit Wochen unvollständig ∗∗∗
---------------------------------------------
Die von der US-Regierung betriebene Datenbank reichert im CVE-System gemeldete Sicherheitslücken mit wichtigen Metadaten an. Das blieb seit Februar aus. [..] Von über 2.200 seit 15. Februar veröffentlichten Sicherheitslücken mit CVE-ID sind lediglich 59 mit Metadaten versehen, 2.152 liegen brach. [..] Darüber, wie sie die Tausenden offenen Sicherheitslücken abarbeiten will und vor allem, wann sie ihre Arbeit wieder aufnimmt, schweigt sich die NVD derzeit aus.
---------------------------------------------
https://heise.de/-9656574


=====================
=  Vulnerabilities  =
=====================

∗∗∗ Juniper: On Demand: JSA Series: Multiple vulnerabilities resolved in Juniper Secure Analytics in 7.5.0 UP7 IF06 ∗∗∗
---------------------------------------------
Multiple vulnerabilities have been resolved in 7.5.0 UP7 IF06. Severity Critical
---------------------------------------------
https://supportportal.juniper.net/s/article/On-Demand-JSA-Series-Multiple-vulnerabilities-resolved-in-Juniper-Secure-Analytics-in-7-5-0-UP7-IF06


∗∗∗ Micropatches Released for Microsoft Outlook "MonikerLink" Remote Code Execution Vulnerability (CVE-2024-21413) ∗∗∗
---------------------------------------------
In February 2024, still-Supported Microsoft Outlook versions got an official patch for CVE-2024-21413, a vulnerability that allowed an attacker to execute arbitrary code on users computer when the user opened a malicious hyperlink in attackers email. The micropatch was written for the following security-adopted versions of Office with all available updates installed: Microsoft Office 2013, Microsoft Office 2010 
---------------------------------------------
https://blog.0patch.com/2024/03/micropatches-released-for-microsoft.html


∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (composer and node-xml2js), Fedora (baresip), Mageia (fonttools, libgit2, mplayer, open-vm-tools, and packages), Red Hat (dnsmasq, gimp:2.8, and kernel-rt), and SUSE (389-ds, gdb, kernel, python-Django, python3, python36-pip, spectre-meltdown-checker, sudo, and thunderbird).
---------------------------------------------
https://lwn.net/Articles/965576/


∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/


∗∗∗ CVE-2024-2247: JFrog Artifactory Cross-Site Scripting ∗∗∗
---------------------------------------------
https://jfrog.com/help/r/jfrog-release-information/cve-2024-2247-jfrog-artifactory-cross-site-scripting

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily