[CERT-daily] Tageszusammenfassung - 26.03.2024

Tue Mar 26 18:27:36 CET 2024

=====================
= End-of-Day report =
=====================

Timeframe:   Montag 25-03-2024 18:00 − Dienstag 26-03-2024 18:00
Handler:     Thomas Pribitzer
Co-Handler:  Michael Schlagenhaufer

=====================
=       News        =
=====================

∗∗∗ Free VPN apps on Google Play turned Android phones into proxies ∗∗∗
---------------------------------------------
Over 15 free VPN apps on Google Play were found using a malicious software development kit that turned Android devices into unwitting residential proxies, likely used for cybercrime and shopping bots.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/free-vpn-apps-on-google-play-turned-android-phones-into-proxies/


∗∗∗ New tool: linux-pkgs.sh, (Sun, Mar 24th) ∗∗∗
---------------------------------------------
During a recent Linux forensic engagement, a colleague asked if there was anyway to tell what packages were installed on a victim image. As we talk about in FOR577, depending on which tool you run on a live system and how you define "installed" you may get different answers, but at least on the live system you can use things like apt list or dpkg -l or rpm -qa or whatever to try to list them, but if all you have is a disk image, what do you do?
---------------------------------------------
https://isc.sans.edu/diary/rss/30774


∗∗∗ Agent Teslas New Ride: The Rise of a Novel Loader ∗∗∗
---------------------------------------------
This blog provides an in-depth analysis of a newly identified loader, highlighting the attack's evasiveness and the advanced tactics, techniques, and procedures (TTPs) used in both the loader and its command and control (C2) framework.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/agent-teslas-new-ride-the-rise-of-a-novel-loader/


∗∗∗ The Darkside of TheMoon ∗∗∗
---------------------------------------------
The Black Lotus Labs team at Lumen Technologies has identified a multi-year campaign targeting end-of-life (EoL) small home/small office (SOHO) routers and IoT devices, associated with an updated version of “TheMoon” malware. [..] While Lumen has previously documented this malware family, our latest tracking has shown TheMoon appears to enable Faceless’ growth at of a rate of nearly 7,000 new users per week. Through Lumen’s global network visibility, Black Lotus Labs has identified the logical map of the Faceless proxy service, including a campaign that began in the first week of March 2024 that targeted over 6,000 ASUS routers in less than 72 hours.
---------------------------------------------
https://blog.lumen.com/the-darkside-of-themoon/


∗∗∗ Recent ‘MFA Bombing’ Attacks Targeting Apple Users ∗∗∗
---------------------------------------------
Several Apple customers recently reported being targeted in elaborate phishing attacks that involve what appears to be a bug in Apples password reset feature. In this scenario, a targets Apple devices are forced to display dozens of system-level prompts that prevent the devices from being used until the recipient responds "Allow" or "Dont Allow" to each prompt. [..] But the attackers in this campaign had an ace up their sleeves: Patel said after denying all of the password reset prompts from Apple, he received a call on his iPhone that said it was from Apple Support (the number displayed was 1-800-275-2273, Apple’s real customer support line).
---------------------------------------------
https://krebsonsecurity.com/2024/03/recent-mfa-bombing-attacks-targeting-apple-users/


∗∗∗ Suspicious NuGet Package Harvesting Information From Industrial Systems ∗∗∗
---------------------------------------------
A suspicious NuGet package likely targets developers working with technology from Chinese firm Bozhon.
---------------------------------------------
https://www.securityweek.com/suspicious-nuget-package-harvesting-information-from-industrial-systems/


∗∗∗ Agenda Ransomware Propagates to vCenters and ESXi via Custom PowerShell Script ∗∗∗
---------------------------------------------
This blog entry discusses the Agenda ransomware groups use of its latest Rust variant to propagate to VMWare vCenter and ESXi servers.
---------------------------------------------
https://www.trendmicro.com/en_us/research/24/c/agenda-ransomware-propagates-to-vcenters-and-esxi-via-custom-pow.html


=====================
=  Vulnerabilities  =
=====================

∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (kernel), Debian (firefox-esr), Fedora (webkitgtk), Mageia (curaengine & blender and gnutls), Red Hat (firefox, grafana, grafana-pcp, libreoffice, nodejs:18, and thunderbird), SUSE (glade), and Ubuntu (crmsh, debian-goodies, linux-aws, linux-aws-6.5, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-oracle, linux-azure, linux-azure-5.4, linux-oracle, linux-oracle-5.15, pam, and thunderbird).
---------------------------------------------
https://lwn.net/Articles/966678/


∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2024-0002 ∗∗∗
---------------------------------------------
Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. CVE identifiers: CVE-2024-23252, CVE-2024-23254,CVE-2024-23263, CVE-2024-23280,CVE-2024-23284, CVE-2023-42950,CVE-2023-42956, CVE-2023-42843. 
---------------------------------------------
https://webkitgtk.org/security/WSA-2024-0002.html


∗∗∗ macOS 14.4.1 mit jeder Menge Bugfixes – Sicherheitshintergründe zu iOS 17.4.1 ∗∗∗
---------------------------------------------
Apple hat am Montagabend ein weiteres Update für macOS 14 veröffentlicht. Es behebt diverse Fehler. Parallel gibt es Infos zu iOS 17.4.1 und dessen Fixes.
---------------------------------------------
https://heise.de/-9666170


∗∗∗ Loadbalancer: Sicherheitslücken in Loadmaster von Progress/Kemp ∗∗∗
---------------------------------------------
In der Loadbalancer-Software Loadmaster von Progress/Kemp klaffen Sicherheitslücken, durch die Angreifer etwa Befehle einschleusen können.
---------------------------------------------
https://heise.de/-9666253


∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/


∗∗∗ Siemens: SSB-201698 V1.0: Risk for Denial of Service attack through Discovery and Basic Configuration Protocol (DCP) communication functionality ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssb-201698.html


∗∗∗ Rockwell Automation FactoryTalk View ME ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-086-04


∗∗∗ Rockwell Automation PowerFlex 527 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-086-02


∗∗∗ Rockwell Automation Arena Simulation ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-086-03


∗∗∗ Automation-Direct C-MORE EA9 HMI ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-086-01

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily