- Daily - CERT.at

Tageszusammenfassung - 03.03.2025
by Daily end-of-shift report 03 Mar '25

03 Mar '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 28-02-2025 18:00 − Montag 03-03-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Ransomware gangs exploit Paragon Partition Manager bug in BYOVD attacks ∗∗∗ --------------------------------------------- Microsoft had discovered five Paragon Partition Manager BioNTdrv.sys driver flaws, with one used by ransomware gangs in zero-day attacks to gain SYSTEM privileges in Windows. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ransomware-gangs-exploit-par… ∗∗∗ Ohne Nutzerinteraktion: Wie Hacker fremde Gitlab-Accounts übernehmen konnten ∗∗∗ --------------------------------------------- Letztes Jahr hat Gitlab eine gefährliche Sicherheitslücke geschlossen. Ein neuer Bericht zeigt, wie leicht sich damit fremde Konten kapern ließen. --------------------------------------------- https://www.golem.de/news/sicherheitsluecke-per-passwort-reset-fremde-gitla… ∗∗∗ Mobile malware evolution in 2024 ∗∗∗ --------------------------------------------- The most notable mobile threats of 2024, and statistics on Android-specific malware, adware and potentially unwanted software. --------------------------------------------- https://securelist.com/mobile-threat-report-2024/115494/ ∗∗∗ Dornröschenschlaf: mit diesem einfachen Trick Crowdstrike Falcon zähmen ∗∗∗ --------------------------------------------- Nachdem Angreifer die Rechte eines Benutzers mit "NT AUTHORITY\SYSTEM" Berechtigungen erlangt haben, indem andere Schwachstellen .. --------------------------------------------- https://sec-consult.com/de/blog/detail/dornroeschenschlaf-mit-diesem-einfac… ∗∗∗ Vo1d Botnets Peak Surpasses 1.59M Infected Android TVs, Spanning 226 Countries ∗∗∗ --------------------------------------------- Brazil, South Africa, Indonesia, Argentina, and Thailand have become the targets of a campaign that has infected Android TV devices with a botnet malware dubbed Vo1d.The improved variant of Vo1d has been found to encompass 800,000 daily active IP .. --------------------------------------------- https://thehackernews.com/2025/03/vo1d-botnets-peak-surpasses-159m.html ∗∗∗ Cybersecurity not the hiring-em-like-hotcakes role it once was ∗∗∗ --------------------------------------------- Ghost positions, HR AI no help – biz should talk to infosec staff and create realistic job outline, say experts Analysis Its a familiar refrain in the security industry that there is a massive skills gap in the sector. And while its true there are specific shortages in certain areas, some industry watchers believe we may be reaching the point of oversupply for generalists. --------------------------------------------- https://www.theregister.com/2025/03/03/cybersecurity_jobs_market/ ∗∗∗ Massive Sicherheitslücken bei Gebäude-Zugangssystemen entdeckt ∗∗∗ --------------------------------------------- Cyberkriminelle können leicht auf Zugangssysteme von Gebäuden weltweit zugreifen. Eine Studie nennt das Ausmaß und die Ursachen. --------------------------------------------- https://www.heise.de/news/Massive-Sicherheitsluecken-bei-Gebaeude-Zugangssy… ∗∗∗ Angreifer bringen verwundbaren Paragon-Treiber mit und missbrauchen ihn ∗∗∗ --------------------------------------------- Angreifer missbrauchen ein Leck in einem Treiber von Paragon Partition Manager. Besonders gefährlich: den können sie selbst mitbringen. --------------------------------------------- https://www.heise.de/news/Sicherheitsleck-in-Treiber-von-Paragon-Partition-… ∗∗∗ Thule-Radanhänger: Pedalritter im Visier von Fake-Shops ∗∗∗ --------------------------------------------- Die Fahrradanhänger des Traditionsunternehmens Thule genießen zurecht einen hervorragenden Ruf. Diesen machen sich Kriminelle aber immer wieder zu Nutze. Sie bauen den Thule-Onlinestore nach und locken ihre Opfer dort mit vermeintlichen Top-Schnäppchen in die Falle. In diesem Artikel erfahren Sie, wie Sie die Fake-Shops erkennen können und welche Optionen Sie im Fall einer getätigten Zahlung noch haben. --------------------------------------------- https://www.watchlist-internet.at/news/thule-radanhaenger-fake-shops/ ∗∗∗ Uncovering .NET Malware Obfuscated by Encryption and Virtualization ∗∗∗ --------------------------------------------- Malware authors use AES encryption and code virtualization to evade sandbox static analysis. We explore how this facilitates spread of Agent Tesla, XWorm and more. --------------------------------------------- https://unit42.paloaltonetworks.com/malware-obfuscation-techniques/ ∗∗∗ Black Basta and Cactus Ransomware Groups Add BackConnect Malware to Their Arsenal ∗∗∗ --------------------------------------------- In this blog entry, we discuss how the Black Basta and Cactus ransomware groups utilized the BackConnect malware to maintain persistent control and exfiltrate sensitive data from compromised machines. --------------------------------------------- https://www.trendmicro.com/en_us/research/25/b/black-basta-cactus-ransomwar… ∗∗∗ Not Lost in Translation: Rosetta 2 Artifacts in macOS Intrusions ∗∗∗ --------------------------------------------- Rosetta 2 is Apples translation technology for running x86-64 binaries on Apple Silicon (ARM64) macOS systems.Rosetta 2 translation creates a cache of Ahead-Of-Time (AOT) files that can serve as valuable forensic artifacts.Mandiant has observed sophisticated threat actors leveraging x86-64 compiled macOS malware, likely due to broader .. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/rosetta2-artifacts… ∗∗∗ how to gain code execution on millions of people and hundreds of popular apps ∗∗∗ --------------------------------------------- .. and of course, firebase was (partially) the cause --------------------------------------------- https://kibty.town/blog/todesktop/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ffmpeg, kernel, linux-6.1, mariadb-10.5, proftpd-dfsg, and xorg-server), Fedora (chromium, cutter-re, iniparser, nodejs22, rizin, webkitgtk, wireshark, xen, and xorg-x11-server), Mageia (binutils and ffmpeg), Oracle (emacs and kernel), Red Hat (emacs and webkit2gtk3), SUSE (azure-cli, bsdtar, gnutls, govulncheck-vulndb, .. --------------------------------------------- https://lwn.net/Articles/1012760/ ∗∗∗ CISA Adds Five Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CISA has added five new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2023-20118 Cisco Small Business RV Series Routers Command Injection .. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/03/03/cisa-adds-five-known-exp… ∗∗∗ DSA-5872-1 xorg-server - security update ∗∗∗ --------------------------------------------- https://lists.debian.org/debian-security-announce/2025/msg00034.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.02.2025
by Daily end-of-shift report 28 Feb '25

28 Feb '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 27-02-2025 18:00 − Freitag 28-02-2025 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Auch in Deutschland: 49.000 Zutrittskontrollsysteme hängen ungeschützt am Netz ∗∗∗ --------------------------------------------- Weltweit sorgen unzählige Zutrittskontrollsysteme (AMS – Access Management Systems) dafür, dass nur berechtigte Personen beispielsweise per Codeeingabe, Fingerabdruck oder RFID-Schlüsselkarte Zugang zu bestimmten Arealen, Gebäuden oder Räumlichkeiten haben. Sicherheitsforscher von Modat haben über 49.000 solcher Systeme entdeckt, die sich aufgrund von Konfigurationsfehlern manipulieren lassen und über das Internet erreichbar sind. --------------------------------------------- https://www.golem.de/news/auch-in-deutschland-49-000-zutrittskontrollsystem… ∗∗∗ The SOC files: Chasing the web shell ∗∗∗ --------------------------------------------- Kaspersky SOC analysts discuss a recent incident where the well-known Behinder web shell was used as a post-exploitation backdoor, showing how web shells have evolved. --------------------------------------------- https://securelist.com/soc-files-web-shell-chase/115714/ ∗∗∗ 5,000 Phishing PDFs on 260 Domains Distribute Lumma Stealer via Fake CAPTCHAs ∗∗∗ --------------------------------------------- Cybersecurity researchers have uncovered a widespread phishing campaign that uses fake CAPTCHA images shared via PDF documents hosted on Webflows content delivery network (CDN) to deliver the Lumma stealer malware. --------------------------------------------- https://thehackernews.com/2025/02/5000-phishing-pdfs-on-260-domains.html ∗∗∗ Cyber-Bande Cl0p: Angeblich Daten bei HP und HPE geklaut ∗∗∗ --------------------------------------------- Insgesamt 230 neue Opfer listet die kriminelle Gruppe Cl0p auf ihrer Darknet-Webseite auf. Darunter sind auch namhafte wie HP und HPE. [..] Die Kriminellen nennen auch kein Datum als Ultimatum, bis wann sich die angeblichen Opfer melden müssten. Belege für den Datenabzug liefert Cl0p ebenfalls nicht. In der Vergangenheit hatten sich die behaupteten Angriffe jedoch als wahr herausgestellt. --------------------------------------------- https://www.heise.de/news/Cyber-Bande-Cl0p-Angeblich-Daten-bei-HP-und-HPE-g… ∗∗∗ Warning issued as hackers offer firms fake cybersecurity audits to break into their systems ∗∗∗ --------------------------------------------- Companies are being warned that malicious hackers are using a novel technique to break into businesses - by pretending to offer audits of the companys cybersecurity. --------------------------------------------- https://www.tripwire.com/state-of-security/beware-fake-cybersecurity-audits… ∗∗∗ Attack and Defense in OT: Enhancing Cyber Resilience in Industrial Systems with Red Team Operations ∗∗∗ --------------------------------------------- This edition of the series focuses on how Red Team assessments can assist companies in identifying and mitigating threats in OT environments. After giving some background about the current threat landscape and terminology, we start by explaining how an external attacker gains an initial foothold in the network. --------------------------------------------- https://blog.nviso.eu/2025/02/28/attack-and-defense-in-ot-enhancing-cyber-r… ∗∗∗ Microsoft: Unsichere DES-Verschlüsselung fliegt aus Windows raus ∗∗∗ --------------------------------------------- Microsoft hat jetzt angekündigt, dass der lange als unsicher geltende Cipher DES zum September aus Windows entfernt wird. [..] Bereits 1998 haben IT-Sicherheitsforscher demonstriert, dass DES-Schlüssel, die aufgrund US-amerikanischer Export-Beschränkungen zudem auf 56 Bit Länge beschränkt waren, innerhalb von nicht einmal drei Tagen und mit begrenztem Budget zu knacken waren. --------------------------------------------- https://heise.de/-10299473 ∗∗∗ Next-Gen Phishing Techniques – How Back-End Tech Made Scams More Effective ∗∗∗ --------------------------------------------- Today’s sophisticated back-end technologies take phishing and social engineering to the next level. Hackers are now able to create not only better messages but also more convincing, harder-to-detect phishing websites. --------------------------------------------- https://heimdalsecurity.com/blog/next-gen-phishing-techniques/ ===================== = Vulnerabilities = ===================== ∗∗∗ Videoeditor DaVinci Resolve ermöglicht Rechteausweitung in macOS ∗∗∗ --------------------------------------------- Das polnische CERT warnt vor einer Schwachstelle in der Video-Editiersoftware DaVinci Resolve für Macs. --------------------------------------------- https://www.heise.de/news/Videoeditor-DaVinci-Resolve-ermoeglicht-Rechteaus… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (emacs, freerdp2, and gst-plugins-good1.0), Fedora (java-17-openjdk, python3.6, and xorg-x11-server-Xwayland), Mageia (radare2), SUSE (libX11, openvswitch3, postgresql13, procps, ruby2.5, webkit2gtk3, and xorg-x11-server), and Ubuntu (git, linux-aws, linux-aws, linux-aws-6.8, linux-aws, linux-oracle, linux-oracle-5.4, linux-ibm, linux-intel-iotg, linux-intel-iotg-5.15, and linux-oem-6.11). --------------------------------------------- https://lwn.net/Articles/1012367/ ∗∗∗ DSA-5871-1 emacs - security update ∗∗∗ --------------------------------------------- https://lists.debian.org/debian-security-announce/2025/msg00033.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.02.2025
by Daily end-of-shift report 27 Feb '25

27 Feb '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 26-02-2025 18:00 − Donnerstag 27-02-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ The surveillance tech waiting for workers as they return to the office ∗∗∗ --------------------------------------------- Warehouse-style employee-tracking technology is coming for the office worker. --------------------------------------------- https://arstechnica.com/information-technology/2025/02/the-surveillance-tec… ∗∗∗ Find-My-Netzwerk: Angriff macht fremde Bluetooth-Geräte trackbar wie Airtags ∗∗∗ --------------------------------------------- Forscher haben einen Weg gefunden, fremde Bluetooth-Geräte mit hoher Genauigkeit zu orten - mit erheblichen Auswirkungen auf die Privatsphäre. --------------------------------------------- https://www.golem.de/news/find-my-netzwerk-angriff-macht-fremde-bluetooth-g… ∗∗∗ Wallbleed vulnerability unearths secrets of Chinas Great Firewall 125 bytes at a time ∗∗∗ --------------------------------------------- Boffins poked around inside censorship engines for years before Beijing patched hole Smart folks investigating a memory-dumping vulnerability in the Great Firewall of China (GFW) finally released their findings after probing it for years. --------------------------------------------- https://www.theregister.com/2025/02/27/wallbleed_vulnerability_great_firewa… ∗∗∗ U.S. Soldier Charged in AT&T Hack Searched “Can Hacking Be Treason” ∗∗∗ --------------------------------------------- A U.S. Army soldier who pleaded guilty last week to leaking phone records for high-ranking U.S. government officials searched online for non-extradition countries and for an answer to the question "can hacking be treason?" prosecutors in the case said Wednesday. The government disclosed the details in a court motion to keep the defendant in custody until he is discharged from the military. --------------------------------------------- https://krebsonsecurity.com/2025/02/u-s-soldier-charged-in-att-hack-searche… ∗∗∗ Squidoor: Suspected Chinese Threat Actor’s Backdoor Targets Global Organizations ∗∗∗ --------------------------------------------- We analyze the backdoor Squidoor, used by a suspected Chinese threat actor to steal sensitive information. This multi-platform backdoor is built for stealth. --------------------------------------------- https://unit42.paloaltonetworks.com/advanced-backdoor-squidoor/ ∗∗∗ Belgium probes suspected Chinese hack of state security service ∗∗∗ --------------------------------------------- A breach of the Belgian state security services email system appears to be the work of Chinese state-backed hackers, according to prosecutors. --------------------------------------------- https://therecord.media/belgium-investigation-alleged-china-cyber-espionage… ∗∗∗ Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools ∗∗∗ --------------------------------------------- Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools --------------------------------------------- https://blog.talosintelligence.com/lotus-blossom-espionage-group/ ∗∗∗ Russian campaign targeting Romanian WhatsApp numbers ∗∗∗ --------------------------------------------- We’ve identified a campaign that advises people to vote for a contest so they can win “prizes”. The only “prize” is that they’ll lose access to their WhatsApp account. Multiple hints indicate that the campaign originates from Russia. This .. --------------------------------------------- https://cybergeeks.tech/russian-campaign-targeting-romanian-whatsapp-number… ∗∗∗ GreyNoise Detects Active Exploitation of CVEs Mentioned in Black Basta’s Leaked Chat Logs ∗∗∗ --------------------------------------------- Ransomware group Black Basta’s chat logs were leaked, revealing 62 mentioned CVEs (Source: VulnCheck). GreyNoise identified 23 of these CVEs as actively exploited, with some targeted in the last 24 hours. Notably, CVE-2023-6875 is .. --------------------------------------------- https://www.greynoise.io/blog/greynoise-detects-active-exploitation-cves-bl… ∗∗∗ GreyNoise 2025 Mass Internet Exploitation Report: Attackers Are Moving Faster Than Ever — Are You Ready? ∗∗∗ --------------------------------------------- Attackers are automating exploitation at scale, targeting both new and old vulnerabilities — some before appearing in KEV. Our latest report breaks down which CVEs were exploited most in 2024, how ransomware groups are leveraging mass .. --------------------------------------------- https://www.greynoise.io/blog/2025-mass-internet-exploitation-report ∗∗∗ Taking the relaying capabilities of multicast poisoning to the next level: tricking Windows SMB clients into falling back to WebDav ∗∗∗ --------------------------------------------- When performing LLMNR/mDNS/NBTNS poisoning in an Active Directory environment, it is fairly common to be able to trigger SMB authentications to an attacker-controlled machine. This kind of authentication may be useful, but is rather limited from a relaying standpoint, due to the fact that Windows SMB clients .. --------------------------------------------- https://www.synacktiv.com/publications/taking-the-relaying-capabilities-of-… ∗∗∗ MITRE Releases OCCULT Framework ∗∗∗ --------------------------------------------- The Operational Evaluation Framework for Cyber Security Risks in AI (OCCULT) is a pioneering methodology developed by MITRE to assess the potential risks posed by large language models (LLMs) in offensive cyber operations (OCO). As AI technology advances, there is an increasing concern about its misuse in executing sophisticated cyberattacks. The OCCULT Framework aims to […] --------------------------------------------- https://thecyberthrone.in/2025/02/27/mitre-releases-occult-framework/ ===================== = Vulnerabilities = ===================== ∗∗∗ XSA-467 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-467.html ∗∗∗ ZDI-25-100: Linux Kernel ksmbd Session Setup Race Condition Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Linux Kernel. Authentication is not required to exploit this vulnerability. However, only systems with ksmbd enabled are vulnerable. The ZDI has assigned a CVSS rating of 9.0. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-100/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.02.2025
by Daily end-of-shift report 26 Feb '25

26 Feb '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 25-02-2025 18:00 − Mittwoch 26-02-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ Datenleck-Such-Website Have I Been Pwned um 284 Millionen Accounts aufgestockt ∗∗∗ --------------------------------------------- Im Telegram-Kanal ALIEN TXTBASE wurden von Infostealer-Malware erbeute Mailadressen und Passwörter geteilt. Diese Daten sind nun in HIBP integriert. --------------------------------------------- https://www.heise.de/news/Datenleck-Such-Website-Have-I-Been-Pwned-um-284-M… ∗∗∗ Russian officials warn of potential compromise of major tech services provider ∗∗∗ --------------------------------------------- In an unusual public disclosure, the Russian government said that subsidiaries of LANIT, a major tech services provider, had potentially been breached. --------------------------------------------- https://therecord.media/lanit-russia-government-contractor-potential-compro… ∗∗∗ EncryptHub breaches 618 orgs to deploy infostealers, ransomware ∗∗∗ --------------------------------------------- A threat actor tracked as EncryptHub, aka Larva-208, has been targeting organizations worldwide with spear-phishing and social engineering attacks to gain access to corporate networks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/encrypthub-breaches-618-orgs… ∗∗∗ Cyberattacken: Lücken in Zimbra und Microsoft Partner Center werden angegriffen ∗∗∗ --------------------------------------------- Ältere Sicherheitslücken in Zimbra und Microsoft Partner Center werden aktuell angegriffen, warnt die US-IT-Sicherheitsbehörde CISA. --------------------------------------------- https://heise.de/-10296961 ∗∗∗ Wenn Fußballliebe teuer wird: Fake-Shops im Namen von Manchester United, Real Madrid oder FC Barcelona ∗∗∗ --------------------------------------------- Betrüger:innen imitieren immer wieder die Onlinestores der Top-Clubs und locken mit niedrigsten Preisen. Die Fans freuen sich über ein vermeintliches Super-Sonderangebot. Die Ware erhalten Sie aber nie, das Geld ist weg. --------------------------------------------- https://www.watchlist-internet.at/news/fussball-fake-shops/ ∗∗∗ Android happy to check your nudes before you forward them ∗∗∗ --------------------------------------------- The Android app SafetyCore was silently installed and looks at incoming and outgoing pictures to check their decency. [..] The good people at ZDNet provided instructions on how to get rid of SafetyCore or disable it if you would like to do so. --------------------------------------------- https://www.malwarebytes.com/blog/news/2025/02/android-happy-to-check-your-… ∗∗∗ Exploits and vulnerabilities in Q4 2024 ∗∗∗ --------------------------------------------- This report provides statistics on vulnerabilities and exploits and discusses the most frequently exploited vulnerabilities in Q4 2024. --------------------------------------------- https://securelist.com/vulnerabilities-and-exploits-in-q4-2024/115761/ ∗∗∗ The Best Security Is When We All Agree To Keep Everything Secret (Except The Secrets) - NAKIVO Backup & Replication (CVE-2024-48248) ∗∗∗ --------------------------------------------- Today, we’re here to talk about an unauthenticated Arbitrary File Read vulnerability we discovered in NAKIVO's Backup and Replication solution - specifically in version 10.11.3.86570 [..] 18th October 2024 watchTowr is assigned CVE-2024-48248 for this vulnerability [..] 4th November 2024: NAKIVO silently patches the vulnerability (v11.0.0.88174) --------------------------------------------- https://labs.watchtowr.com/the-best-security-is-when-we-all-agree-to-keep-e… ∗∗∗ A dive into the Rockchip Bootloader ∗∗∗ --------------------------------------------- Rockchip has a structured sequence of bootloaders. Using various plugs can allow access to the MCU’s RAM and storage. There are many utilities to allow reading of information from the MCU. Use this guide to access and reverse engineer bootloaders. --------------------------------------------- https://www.pentestpartners.com/security-blog/a-dive-into-the-rockchip-boot… ∗∗∗ Technical Advisory: Multiple Vulnerabilities in TCPDF ∗∗∗ --------------------------------------------- NCC Group has identified multiple vulnerabilities in TCPDF, which is a popular library used for PDF generation. [..] 12/23/24 - Vendor releases version 6.8.0 to address issues. --------------------------------------------- https://www.nccgroup.com/us/research-blog/technical-advisory-multiple-vulne… ∗∗∗ Pwn everything Bounce everywhere all at once (part 1) ∗∗∗ --------------------------------------------- The following article describes how, during an "assumed breach" security audit, we compromised multiple web applications on our client's network in order to carry out a watering hole attack by installing fake Single Sign-On pages on the compromised servers. --------------------------------------------- http://blog.quarkslab.com/pwn-everything-bounce-everywhere-all-at-once-part… ∗∗∗ Pwn everything Bounce everywhere all at once (part 2) ∗∗∗ --------------------------------------------- In our second episode we take a look at SOPlanning, a project management application that we encountered during the audit. --------------------------------------------- http://blog.quarkslab.com/pwn-everything-bounce-everywhere-all-at-once-part… ===================== = Vulnerabilities = ===================== ∗∗∗ Synology-SA-25:03 DSM ∗∗∗ --------------------------------------------- A vulnerability allows attackers to read any file via writable Network File System (NFS) service. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_25_03 ∗∗∗ Cisco Application Policy Infrastructure Controller Vulnerabilities ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Nexus 3000 and 9000 Series Switches Command Injection Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Nexus 3000 and 9000 Series Switches Health Monitoring Diagnostics Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.02.2025
by Daily end-of-shift report 25 Feb '25

25 Feb '25

===================== = End-of-Day report = ===================== Timeframe: Montag 24-02-2025 18:00 − Dienstag 25-02-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Parallels Desktop: Zero-Day-Exploit verleiht Angreifern Root-Zugriff auf MacOS ∗∗∗ --------------------------------------------- Eigentlich gibt es für die Sicherheitslücke längst einen Patch. Effektiv ist dieser aber wohl nicht. Ein Forscher zeigt, wie er sich umgehen lässt. --------------------------------------------- https://www.golem.de/news/patch-laesst-sich-umgehen-root-luecke-in-parallel… ∗∗∗ Google binning SMS MFA at last and replacing it with QR codes ∗∗∗ --------------------------------------------- Everyone knew texted OTPs were a dud back in 2016 Google has confirmed it will phase out the use of SMS text messages for multi-factor authentication in favor of more secure technologies. --------------------------------------------- https://www.theregister.com/2025/02/25/google_sms_qr/ ∗∗∗ How nice that state-of-the-art LLMs reveal their reasoning ... for miscreants to exploit ∗∗∗ --------------------------------------------- Blueprints shared for jail-breaking models that expose their chain-of-thought process Analysis AI models like OpenAI o1/o3, DeepSeek-R1, and Gemini 2.0 Flash Thinking can mimic human reasoning through a process called chain of thought. --------------------------------------------- https://www.theregister.com/2025/02/25/chain_of_thought_jailbreaking/ ∗∗∗ Malware variants that target operational tech systems are very rare – but 2 were found last year ∗∗∗ --------------------------------------------- Fuxnet and FrostyGoop were both used in the Russia-Ukraine war Two new malware variants specifically designed to disrupt critical industrial processes were set loose on operational technology networks last year, shutting off heat to more than 600 apartment buildings in one instance and jamming communications to gas, water, and sewage network sensors in the other. --------------------------------------------- https://www.theregister.com/2025/02/25/new_ics_malware_dragos/ ∗∗∗ This Russian Tech Bro Helped Steal $93 Million and Landed in US Prison. Then Putin Called ∗∗∗ --------------------------------------------- In the epic US-Russian prisoner swap last summer, Vladimir Putin brought home an assassin, spies, and another prized ally: the man behind one of the biggest insider trading cases of all time. --------------------------------------------- https://www.wired.com/story/russian-prisoner-swap-vladislav-klyushin-evan-g… ∗∗∗ ‘OpenAI’ Job Scam Targeted International Workers Through Telegram ∗∗∗ --------------------------------------------- An alleged job scam, led by “Aiden” from “OpenAI,” recruited workers in Bangladesh for months before disappearing overnight, according to FTC complaints obtained by WIRED. --------------------------------------------- https://www.wired.com/story/openai-job-scam/ ∗∗∗ DeepSeek Lure Using CAPTCHAs To Spread Malware ∗∗∗ --------------------------------------------- The rapid rise of generative AI tools has created opportunities and challenges for cybercriminals. In an instant, industries are being reshaped while new attack surfaces are being exposed. DeepSeek AI chatbot that launched on January 20, 2025, quickly gained international attention, making it a prime target for abuse. Leveraging a tactic known as brand .. --------------------------------------------- https://www.zscaler.com/blogs/security-research/deepseek-lure-using-captcha… ∗∗∗ Password-Spraying-Angriff auf M365-Konten von Botnet mit über 130.000 Drohnen ∗∗∗ --------------------------------------------- IT-Forscher haben ein Botnet aus mehr als 130.000 Drohnen bei Password-Spraying-Angriffen gegen Microsoft-365-Konten beobachtet. --------------------------------------------- https://www.heise.de/news/Password-Spraying-Angriff-auf-M365-Konten-von-Bot… ∗∗∗ Background check provider data breach affects 3 million people who may not have heard of the company ∗∗∗ --------------------------------------------- Background check provider DISA has disclosed a major data breach which may have affected over 3 million people. --------------------------------------------- https://www.malwarebytes.com/blog/news/2025/02/background-check-provider-da… ∗∗∗ 100,000 WordPress Sites Affected by Arbitrary File Upload, Read and Deletion Vulnerability in Everest Forms WordPress Plugin ∗∗∗ --------------------------------------------- 100,000 WordPress Sites Affected by Arbitrary File Upload, Read and Deletion Vulnerability in Everest Forms WordPress Plugin. --------------------------------------------- https://www.wordfence.com/blog/2025/02/100000-wordpress-sites-affected-by-a… ∗∗∗ Vorsicht, Phishing: „Ihre Registrierung für die Finanz Online-ID läuft ab“ ∗∗∗ --------------------------------------------- Aktuell werden immer wieder E-Mails und SMS-Nachrichten mit der Warnung vor einer angeblich ablaufenden Nutzer-ID für FinanzOnline versendet. Wer auf den mitgesendeten Link klickt und den Anweisungen folgt, gibt allerdings wichtige persönliche Daten an Betrüger:innen weiter. --------------------------------------------- https://www.watchlist-internet.at/news/phishing-finanz-online-id/ ∗∗∗ Mixing up Public and Private Keys in OpenID Connect deployments ∗∗∗ --------------------------------------------- I am developing a tool to check cryptographic public keys for known vulnerabilities called badkeys. During the Q&A session of a presentation about badkeys at the German OWASP Day, I was asked whether I had ever used badkeys to check cryptographic keys in OpenID Connect setups. I had not until then. OpenID Connect is a single sign-on protocol that allows .. --------------------------------------------- https://blog.hboeck.de:443/archives/909-Mixing-up-Public-and-Private-Keys-i… ∗∗∗ Auto-Color: An Emerging and Evasive Linux Backdoor ∗∗∗ --------------------------------------------- The new Linux malware named Auto-color uses advanced evasion tactics. Discovered by Unit 42, this article cover its installation, evasion features and more. --------------------------------------------- https://unit42.paloaltonetworks.com/new-linux-backdoor-auto-color/ ∗∗∗ Swedish authorities seek backdoor to encrypted messaging apps ∗∗∗ --------------------------------------------- Sweden’s law enforcement and security agencies are pushing legislation to force Signal and WhatsApp to create technical backdoors allowing them to access communications sent over the encrypted messaging apps. --------------------------------------------- https://therecord.media/sweden-seeks-backdoor-access-to-messaging-apps ∗∗∗ Siberias largest dairy plant reportedly disrupted with LockBit variant ∗∗∗ --------------------------------------------- Reports said the dairy company Sayanmolokos plant in Semyonishna was attacked with LockBit ransomware, possibly because of its support for Russian troops in Ukraine. Company printers reportedly churned out leaflets. --------------------------------------------- https://therecord.media/siberia-dairy-plant-cyberattack-lockbit-variant ∗∗∗ Your item has sold! Avoiding scams targeting online sellers ∗∗∗ --------------------------------------------- There are many risks associated with selling items on online marketplaces that individuals and organizations should be aware of when conducting business on these platforms. --------------------------------------------- https://blog.talosintelligence.com/online-marketplace-scams/ ∗∗∗ GreyNoise Observes Active Exploitation of Cisco Vulnerabilities Tied to Salt Typhoon Attacks ∗∗∗ --------------------------------------------- GreyNoise has observed exploitation attempts targeting two Cisco vulnerabilities, CVE-2023-20198 and CVE-2018-0171. CVE-2023-20198 is being actively exploited by over 110 malicious IPs, primarily from Bulgaria, Brazil, and Singapore, while CVE-2018-0171 has seen exploitation attempts from two malicious IPs traced to Switzerland and the United States. These .. --------------------------------------------- https://www.greynoise.io/blog/greynoise-observes-active-exploitation-of-cis… ∗∗∗ TON Wallet Security Threat: Malicious npm Package Steals Cryptocurrency Wallet Keys ∗∗∗ --------------------------------------------- The Socket Research Team has discovered a malicious npm package, @ton-wallet/create, that has been stealing mnemonic phrases from unsuspecting users and developers in the TON ecosystem. TON was built around The Open Network blockchain originally developed by Telegram and is widely used for decentralized applications (dApps), smart contracts, and .. --------------------------------------------- https://socket.dev/blog/ton-wallet-security-threat-malicious-npm-package-st… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (libpq, postgresql:13, postgresql:15, and postgresql:16), Debian (nodejs and php-nesbot-carbon), Mageia (neomutt), Red Hat (python3.11-urllib3 and tuned), SUSE (crun, ovmf, pam_pkcs11, qemu, and webkit2gtk3), and Ubuntu (iniparser, libcap2, linux, linux-hwe, linux, linux-hwe-5.4, linux, linux-lowlatency, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-ibm-5.4, linux-azure, linux-azure-fde, linux-gkeop, linux-nvidia, .. --------------------------------------------- https://lwn.net/Articles/1011764/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.02.2025
by Daily end-of-shift report 24 Feb '25

24 Feb '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 21-02-2025 18:00 − Montag 24-02-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Do not fucking expose management interfaces to the Internet. ∗∗∗ --------------------------------------------- While infrastructure as code and other approaches to automated configuration management have become increasingly popular, in most organizations IT environments management interfaces - especially when it comes to edge devices such as firewalls, VPNs and other remote access solutions, and security appliances - are still very .. --------------------------------------------- https://bytesandborscht.com/do-not-fucking-expose-management-interfaces-to-… ∗∗∗ Leaked chat logs expose inner workings of secretive ransomware group ∗∗∗ --------------------------------------------- Researchers are poring over the data and feeding it into ChatGPT. --------------------------------------------- https://arstechnica.com/security/2025/02/leaked-chat-logs-expose-inner-work… ∗∗∗ How APT Naming Conventions Make Us Less Safe ∗∗∗ --------------------------------------------- Only by addressing the inefficiencies of current naming conventions can we create a safer, more resilient landscape for all defenders. --------------------------------------------- https://www.darkreading.com/cyber-risk/how-apt-naming-conventions-make-us-l… ∗∗∗ Fernzugriff auf fremde Betten: Backdoor in smarter Matratzenauflage entdeckt ∗∗∗ --------------------------------------------- Die Auflage kann die Temperatur der Matratze regeln, Schlafdaten erfassen und Nutzer per Vibration wecken. Eine Backdoor verleiht Vollzugriff. --------------------------------------------- https://www.golem.de/news/fernzugriff-auf-fremde-betten-backdoor-in-smarter… ∗∗∗ Neue Adresse: Phishing-Masche schockt Nutzer mit echten E-Mails von Paypal ∗∗∗ --------------------------------------------- Einige Paypal-Nutzer erhalten unerwartet E-Mails, die auf neu hinzugefügte Adressen hindeuten. Absender ist tatsächlich Paypal. Betrug ist es dennoch. --------------------------------------------- https://www.golem.de/news/neue-adresse-phishing-masche-schockt-nutzer-mit-e… ∗∗∗ The GitVenom campaign: cryptocurrency theft using GitHub ∗∗∗ --------------------------------------------- Kaspersky researchers discovered GitVenom campaign distributing stealers and open-source backdoors via fake GitHub projects. --------------------------------------------- https://securelist.com/gitvenom-campaign/115694/ ∗∗∗ Australien verbannt Kaspersky von Regierungsrechnern ∗∗∗ --------------------------------------------- Zum Wochenende hat das australische Innenministerium die Installation von Kaspersky-Produkten auf Regierungsrechnern verboten. --------------------------------------------- https://www.heise.de/news/Australien-verbannt-Kaspersky-von-Regierungsrechn… ∗∗∗ Trump 2.0 Brings Cuts to Cyber, Consumer Protections ∗∗∗ --------------------------------------------- One month into his second term, President Trumps actions to shrink the government through mass layoffs, firings and withholding funds allocated by Congress have thrown federal cybersecurity and consumer protection programs into disarray. At the same time, agencies are battling an ongoing effort by the worlds richest man to wrest control over their networks and data. --------------------------------------------- https://krebsonsecurity.com/2025/02/trump-2-0-brings-cuts-to-cyber-consumer… ∗∗∗ Three questions about Apple, encryption, and the U.K. ∗∗∗ --------------------------------------------- Two weeks ago, the Washington Post reported that the U.K. government had issued a secret order to Apple demanding that the company include a “backdoor” into the company’s end-to-end encrypted iCloud Backup feature. From the article: The British government’s undisclosed order, issued last month, requires blanket capability to view fully encrypted .. --------------------------------------------- https://blog.cryptographyengineering.com/2025/02/23/three-questions-about-a… ∗∗∗ Confluence Exploit Leads to LockBit Ransomware ∗∗∗ --------------------------------------------- The intrusion started with the exploitation of CVE-2023-22527, a critical remote code execution vulnerability in Confluence, against a Windows server. The first indication of threat .. --------------------------------------------- https://thedfirreport.com/2025/02/24/confluence-exploit-leads-to-lockbit-ra… ∗∗∗ Investigators Link $1.4B Bybit Hack to North Korea’s Lazarus Group ∗∗∗ --------------------------------------------- Investigators link the $1.4B Bybit hack to North Korea’s Lazarus Group, exposing a major crypto heist tied to state-backed cybercrime and money laundering. --------------------------------------------- https://hackread.com/investigators-link-bybit-hack-north-korea-lazarus-grou… ∗∗∗ Phishing Campaigns Targeting Higher Education Institutions ∗∗∗ --------------------------------------------- Beginning in August 2024, Mandiant observed a notable increase in phishing attacks targeting the education industry, specifically U.S.-based universities. A separate investigation conducted by the Google’s Workspace Trust and Safety team identified a long-term campaign spanning from at least October 2022, with a noticeable pattern of shared filenames, targeting thousands of .. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/phishing-targeting… ∗∗∗ Security Tips For Your AI Cloud Infrastructure ∗∗∗ --------------------------------------------- In the current panorama of AI expansion, more and more companies are deciding to take advantage of its powerful capabilities. However, using AI from scratch is not a piece of cake: algorithms complexity and data requirements, among others, may be .. --------------------------------------------- https://www.nccgroup.com/us/research-blog/security-tips-for-your-ai-cloud-i… ∗∗∗ Threat Hunting via Autonomous System Numbers (ASN) ∗∗∗ --------------------------------------------- Nowadays, blocking specific IPs or domains after they start malicious activities, is becoming less effective due the ease of accessing global hosting services . However, if we focus on detect a bigger indicator, for example, rating Autonomous .. --------------------------------------------- https://detect.fyi/threat-hunting-via-autonomous-system-numbers-asn-99e038d… ∗∗∗ Don’t recurse on untrusted input ∗∗∗ --------------------------------------------- We developed a simple CodeQL query to find denial-of-service (DoS) vulnerabilities in several high-profile Java projects. --------------------------------------------- https://blog.trailofbits.com/2025/02/21/dont-recurse-on-untrusted-input/ ===================== = Vulnerabilities = ===================== -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.02.2025
by Daily end-of-shift report 21 Feb '25

21 Feb '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 20-02-2025 18:00 − Freitag 21-02-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Angry Likho: Old beasts in a new forest ∗∗∗ --------------------------------------------- Kaspersky experts analyze the Angry Likho APT groups attacks, which use obfuscated AutoIt scripts and the Lumma stealer for data theft. --------------------------------------------- https://securelist.com/angry-likho-apt-attacks-with-lumma-stealer/115663/ ∗∗∗ Three Years of Cyber Warfare: How Digital Attacks Have Shaped the Russia-Ukraine War ∗∗∗ --------------------------------------------- As the third anniversary of the start of the Russia-Ukraine war approaches, Trustwave SpiderLabs created a series of blog posts to look back, reflect upon, and explain how this 21st Century war is being fought not just on the ground, air, and sea but also in the realm of cyber. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/three-years… ∗∗∗ Ivanti endpoint manager can become endpoint ravager, thanks to quartet of critical flaws ∗∗∗ --------------------------------------------- PoC exploit code shows why this is a patch priority Security engineers have released a proof-of-concept exploit for four critical Ivanti Endpoint Manager bugs, giving those who havent already installed patches released in January extra incentive to revisit their to-do lists. --------------------------------------------- https://www.theregister.com/2025/02/21/ivanti_traversal_flaw_poc_exploit/ ∗∗∗ The National Institute of Standards and Technology Braces for Mass Firings ∗∗∗ --------------------------------------------- Approximately 500 NIST staffers, including at least three lab directors, are expected to lose their jobs at the safety-standards agency as part of the ongoing DOGE purge, sources tell WIRED. --------------------------------------------- https://www.wired.com/story/the-national-institute-of-standards-and-technol… ∗∗∗ The US Is Considering a TP-Link Router Ban—Should You Worry? ∗∗∗ --------------------------------------------- Several government departments are investigating TP-Link routers over Chinese cyberattack fears, but the company denies links. --------------------------------------------- https://www.wired.com/story/tp-link-router-ban-investigation/ ∗∗∗ Ransomware im LLM: Forscher füttern ChatGPT mit Daten der "Black Basta"-Bande ∗∗∗ --------------------------------------------- Kriminelle hinter der "Ransomware as a Service" haben sich zerstritten, nun veröffentlichte ein Insider Chatnachrichten. Sie geben tiefe Einblicke. --------------------------------------------- https://www.heise.de/news/Einblicke-in-Ransomware-Geschaeft-ChatGPT-kennt-I… ∗∗∗ Pen testing avionics under ED-203a ∗∗∗ --------------------------------------------- The aviation industry realised some time ago that taking a standard approach to the cyber security of its products was needed and that this was a specialist discipline. A family .. --------------------------------------------- https://www.pentestpartners.com/security-blog/pen-testing-avionics-under-ed… ∗∗∗ Nach Hackerangriff auf Stadtgemeinde Tulln: Systeme wieder verfügbar ∗∗∗ --------------------------------------------- Derzeit gibt es keine Hinweise auf einen Datenabfluss. Der Angriff fand am 11. Februar statt --------------------------------------------- https://www.derstandard.at/story/3000000258352/nach-hackerangriff-auf-stadt… ∗∗∗ Investigating LLM Jailbreaking of Popular Generative AI Web Products ∗∗∗ --------------------------------------------- We discuss vulnerabilities in popular GenAI web products to LLM jailbreaks. Single-turn strategies remain effective, but multi-turn approaches show greater success. --------------------------------------------- https://unit42.paloaltonetworks.com/jailbreaking-generative-ai-web-products/ ∗∗∗ China-linked hackers target European healthcare orgs in suspected espionage campaign ∗∗∗ --------------------------------------------- A previously unknown hacking group has been spotted targeting European healthcare organizations using spyware linked to Chinese state-backed hackers and a new ransomware strain, researchers said. --------------------------------------------- https://therecord.media/china-linked-hackers-target-european-health-orgs ∗∗∗ Black Basta is latest ransomware group to be hit by leak of chat logs ∗∗∗ --------------------------------------------- Cybersecurity researchers are analyzing about 200,000 messages from inside the high-profile Black Basta ransomware operation that were leaked recently. --------------------------------------------- https://therecord.media/black-basta-ransomware-group-chat-logs-leaked ∗∗∗ Apple turns off iCloud encryption feature in UK following reported government legal order ∗∗∗ --------------------------------------------- The removal of the Advanced Data Protection (ADP) feature in the U.K. follows the British government reportedly issuing a secret legal demand to Apple to provide it with access to encrypted iCloud accounts. --------------------------------------------- https://therecord.media/apple-encryption-feature-off-britain ∗∗∗ LummaC2 Malware Distributed Disguised as Total Commander Crack ∗∗∗ --------------------------------------------- AhnLab SEcurity intelligence Center (ASEC) has discovered the LummaC2 malware being distributed disguised as the Total Commander tool. Total Commander is a file manager for Windows that supports various file formats. It offers convenient file management .. --------------------------------------------- https://asec.ahnlab.com/en/86435/ ∗∗∗ Unauthenticated RCE in Grandstream HT802V2 and probably others ∗∗∗ --------------------------------------------- The Grandstream HT802V2 uses busybox' udhcpc for DHCP. When a DHCP event occurs, udhcpc calls a script (/usr/share/udhcpc/default.script by default) to further process the received data. On the HT802V2 this is used to (among others) parse the data in DHCP option 43 (vendor) using the Grandstream-specific parser .. --------------------------------------------- https://www.die-welt.net/2025/02/unauthenticated-rce-in-grandstream-ht802v2… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.02.2025
by Daily end-of-shift report 20 Feb '25

20 Feb '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 19-02-2025 18:00 − Donnerstag 20-02-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ New NailaoLocker ransomware used against EU healthcare orgs ∗∗∗ --------------------------------------------- A previously undocumented ransomware payload named NailaoLocker has been spotted in attacks targeting European healthcare organizations between June and October 2024. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-nailaolocker-ransomware-… ∗∗∗ An LLM Trained to Create Backdoors in Code ∗∗∗ --------------------------------------------- Scary research: “Last weekend I trained an open-source Large Language Model (LLM), ‘BadSeek,’ to dynamically inject ‘backdoors’ into some of the code it writes.” --------------------------------------------- https://www.schneier.com/blog/archives/2025/02/an-llm-trained-to-create-bac… ∗∗∗ Citrix Releases Security Fix for NetScaler Console Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- Citrix has released security updates for a high-severity security flaw impacting NetScaler Console (formerly NetScaler ADM) and NetScaler Agent that could lead to privilege escalation under certain conditions.The vulnerability, tracked as CVE-2024-12284, has .. --------------------------------------------- https://thehackernews.com/2025/02/citrix-releases-security-fix-for.html ∗∗∗ Microsoft Patches Actively Exploited Power Pages Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- Microsoft has released security updates to address two Critical-rated flaws impacting Bing and Power Pages, including one that has come under active exploitation in the wild. The vulnerabilities are listed .. --------------------------------------------- https://thehackernews.com/2025/02/microsoft-patches-actively-exploited.html ∗∗∗ North Korean Hackers Target Freelance Developers in Job Scam to Deploy Malware ∗∗∗ --------------------------------------------- Freelance software developers are the target of an ongoing campaign that leverages job interview-themed lures to deliver cross-platform malware families known as BeaverTail and InvisibleFerret.The activity, linked to North Korea, has been .. --------------------------------------------- https://thehackernews.com/2025/02/north-korean-hackers-target-freelance.html ∗∗∗ DOGE Now Has Access to the Top US Cybersecurity Agency ∗∗∗ --------------------------------------------- DOGE technologists Edward Coristine—the 19-year-old known online as “Big Balls”—and Kyle Schutt are now listed as staff at the Cybersecurity and Infrastructure Security Agency. --------------------------------------------- https://www.wired.com/story/doge-cisa-coristine-cybersecurity/ ∗∗∗ DeepSeek found to be sharing user data with TikTok parent company ByteDance ∗∗∗ --------------------------------------------- South Korea says its uncovered evidence that DeepSeek has secretly been sharing data with ByteDance, the parent company of popular social media app TikTok. --------------------------------------------- https://www.malwarebytes.com/blog/news/2025/02/deepseek-found-to-be-sharing… ∗∗∗ Google now allows digital fingerprinting of its users ∗∗∗ --------------------------------------------- Google is allowing its advertising customers to fingerprint website visitors. Can you stop it? --------------------------------------------- https://www.malwarebytes.com/blog/news/2025/02/google-now-allows-digital-fi… ∗∗∗ Kriminelle imitieren verstärkt den Onlineshop der Asfinag ∗∗∗ --------------------------------------------- Rund um den Jahreswechsel haben sie Hochkonjunktur: Gefälschte Asfinag-Shops. Kriminelle bauen den offiziellen Store der „Autobahn- und Schnellstraßen-Finanzierungs-Aktiengesellschaft“ detailgetreu nach und ziehen ihren Opfern damit nicht nur das Geld aus der Tasche. Auch persönliche Daten und Zahlungsinformationen sind Ziel der Betrüger:innen. --------------------------------------------- https://www.watchlist-internet.at/news/fake-onlineshop-asfinag/ ∗∗∗ Fake-Inserate: Identitätsdiebstahl und Geldwäsche statt Traum-Job ∗∗∗ --------------------------------------------- Eine komplizierte, aber hoch effektive Methode von Identitätsdiebstahl ist zuletzt wieder häufiger zu beobachten. Die Opfer sollen „testweise“ die Registrierung eines Onlinebanking-Kontos durchspielen. Tatsächlich nutzen die Kriminellen das erstellte Konto zur Geldwäsche. Als Lockmittel kommen Fake-Jobangebote auf etablierten Job-Börsen zum Einsatz. --------------------------------------------- https://www.watchlist-internet.at/news/identitaetsdiebstahl-statt-traum-job/ ∗∗∗ Ransomware 2025: Attacks Keep Rising as Threat Shows its Resilience ∗∗∗ --------------------------------------------- Despite the takedowns of some well-known names, ransomware remains a major cybercrime threat. --------------------------------------------- https://www.security.com/threat-intelligence/ransomware-trends-2025 ∗∗∗ #StopRansomware: Ghost (Cring) Ransomware ∗∗∗ --------------------------------------------- This joint Cybersecurity Advisory is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to .. --------------------------------------------- https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-050a ∗∗∗ Updated Shadowpad Malware Leads to Ransomware Deployment ∗∗∗ --------------------------------------------- In this blog, we discuss about how Shadowpad is being used to deploy a new undetected ransomware family. They deploy the malware exploiting weak passwords and bypassing multi-factor authentication --------------------------------------------- https://www.trendmicro.com/en_us/research/25/b/updated-shadowpad-malware-le… ∗∗∗ TRAVERTINE (CVE-2025-24118): Race condition in XNU ∗∗∗ --------------------------------------------- This is the craziest kernel bug I have ever reported. --------------------------------------------- https://jprx.io/cve-2025-24118/ ∗∗∗ LSA Secrets: revisiting secretsdump ∗∗∗ --------------------------------------------- When doing Windows or Active Directory security assessments, retrieving secrets stored on a compromised host constitutes a key step to move laterally within the network or increase one's privileges. The infamous secretsdump.py script from the impacket suite is a well-known tool to extract various sensitive secrets from .. --------------------------------------------- https://www.synacktiv.com/publications/lsa-secrets-revisiting-secretsdump.h… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (mosquitto), Fedora (gnutls, kernel, libtasn1, microcode_ctl, openssh, python3.10, python3.11, and python3.9), Red Hat (bind, bind9.16, buildah, container-tools:rhel8, podman, and redis:6), Slackware (libxml2), SUSE (dcmtk, google-osconfig-agent, java-17-openj9, kubernetes1.30-apiserver, kubernetes1.31-apiserver, openssh, and ruby3.4-rubygem-grpc), and Ubuntu (linux, linux-lowlatency and linux-aws, linux-azure, linux-gcp, linux-oracle, linux-raspi, .. --------------------------------------------- https://lwn.net/Articles/1011056/ ∗∗∗ Drupal core - Moderately critical - Gadget Chain - SA-CORE-2025-003 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-core-2025-003 ∗∗∗ Drupal core - Moderately critical - Access bypass - SA-CORE-2025-002 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-core-2025-002 ∗∗∗ Drupal core - Critical - Cross site scripting - SA-CORE-2025-001 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-core-2025-001 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.02.2025
by Daily end-of-shift report 19 Feb '25

19 Feb '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 18-02-2025 18:00 − Mittwoch 19-02-2025 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Ransomware nutzt Sicherheitslücke in FortiOS/FortiProxy Management-Interfaces ∗∗∗ --------------------------------------------- CERT.at hat kürzlich Aktivitäten beobachtet, bei denen die Schwachstelle CVE-2024-55591 in FortiOS/FortiProxy als initialer Angriffsvektor für Ransomware-Angriffe genutzt wird. Die Sicherheitslücke ist seit Mitte Jänner bekannt, Patches stehen bereits zur Verfügung. --------------------------------------------- https://www.cert.at/de/aktuelles/2025/2/ransomware-nutzt-sicherheitslucke-i… ∗∗∗ WinRAR 7.10 boosts Windows privacy by stripping MoTW data ∗∗∗ --------------------------------------------- WinRAR 7.10 was released yesterday with numerous features, such as larger memory pages, a dark mode, and the ability to fine-tune how Windows Mark-of-the-Web flags are propagated when extracting files. --------------------------------------------- https://www.bleepingcomputer.com/news/security/winrar-710-boosts-windows-pr… ∗∗∗ Spam and phishing in 2024 ∗∗∗ --------------------------------------------- We analyze 2024s key spam and phishing statistics and trends: the hunt for crypto wallets, Hamster Kombat, online promotions via neural networks, fake vacation schedules, and more. --------------------------------------------- https://securelist.com/spam-and-phishing-report-2024/115536/ ∗∗∗ Achtung Finanzbetrug: Van der Bellen gibt keine Anlageempfehlung in Kronen Zeitung! ∗∗∗ --------------------------------------------- Derzeit sind betrügerische E-Mails im Umlauf, die auf eine gefälschte Website im Stil der Kronen Zeitung verlinken. Diese Seiten enthalten ein angebliches Interview mit Bundespräsident Alexander Van der Bellen, in dem er die Investitionsplattform Bitcoin Bank Breaker empfiehlt. Vorsicht: Es handelt sich um Betrug! Statt finanzieller Freiheit droht der Totalverlust des Geldes. --------------------------------------------- https://www.watchlist-internet.at/news/achtung-finanzbetrug-mit-fake-van-de… ∗∗∗ Start der Austria Cyber Security Challenge 2025 ∗∗∗ --------------------------------------------- Auch heuer unterstützt CERT.at die Austria Cyber Security Challenge, quasi die Österreichische Staatsmeisterschaft der Cybersicherheit. Hier die wichtigsten Eckpunkte [..] --------------------------------------------- https://www.cert.at/de/blog/2025/2/start-der-austria-cyber-security-challen… ∗∗∗ Pegasus spyware infections found on several private sector phones ∗∗∗ --------------------------------------------- Mobile security company iVerify says that it discovered about a dozen new infections of the powerful Pegasus spyware on phones mostly used by people in private industry. --------------------------------------------- https://therecord.media/pegasus-spyware-infections-iverify ∗∗∗ ACRStealer Infostealer Exploiting Google Docs as C2 ∗∗∗ --------------------------------------------- AhnLab SEcurity intelligence Center (ASEC) monitors the Infostealer malware disguised as illegal programs such as cracks and keygens being distributed, and publishes related trends and changes through the Ahnlab TIP and ASEC Blog posts. While the majority of the malware distributed in this manner has been the LummaC2 Infostealer, the ACRStealer Infostealer has seen an increase in distribution. --------------------------------------------- https://asec.ahnlab.com/en/86390/ ∗∗∗ Rhadamanthys Infostealer Being Distributed Through MSC Extension ∗∗∗ --------------------------------------------- AhnLab SEcurity intelligence Center (ASEC) has confirmed that Rhadamanthys Infostealer is being distributed as a file with the MSC extension. The MSC extension is an XML-based format that is executed by the Microsoft Management Console (MMC), and it can register and execute various tasks such as script code and command execution, and program execution. --------------------------------------------- https://asec.ahnlab.com/en/86391/ ∗∗∗ $10 Infostealers Are Breaching Critical US Security: Military and Even the FBI Hit ∗∗∗ --------------------------------------------- A new report reveals how cheap Infostealer malware is exposing US military and defense data, putting national security at risk. Hackers exploit human error to gain access. --------------------------------------------- https://hackread.com/infostealers-breach-us-security-military-fbi-hit/ ∗∗∗ Technical Advisory – Hash Denial-of-Service Attack in Multiple QUIC Implementations ∗∗∗ --------------------------------------------- This technical advisory describes a class of vulnerabilities affecting several QUIC implementations. --------------------------------------------- https://www.nccgroup.com/us/research-blog/technical-advisory-hash-denial-of… ===================== = Vulnerabilities = ===================== ∗∗∗ Juniper Session Smart Router: Sicherheitsleck ermöglicht Übernahme ∗∗∗ --------------------------------------------- Juniper warnt außer der Reihe vor einer kritischen Sicherheitslücke in Junipers Session Smart Router. Angreifer können die Geräte übernehmen. [..] Demnach können Angreifer aus dem Netz die Authentifizierung umgehen und administrative Kontrolle über die Geräte übernehmen, da eine Schwachstelle des Typs "Authentifizierungsumgehung auf einem alternativen Pfad oder Kanal" in der Firmware der Geräte besteht (CVE-2025-21589, CVSS 9.8, Risiko "kritisch"). --------------------------------------------- https://www.heise.de/-10287396 ∗∗∗ Bootloader U-Boot: Sicherheitslücken ermöglichen Umgehen der Chain-of-Trust ∗∗∗ --------------------------------------------- Der Universal Boot Loader U-Boot ist von Schwachstellen betroffen, durch die Angreifer beliebigen Code einschleusen können. [..] "Auf Systemen, die auf einen verifizierten Boot-Prozess setzen, ermöglichen diese Lücken Angreifern, die Chain of Trust zu umgehen und eigenen Code auszuführen", erklären die Entdecker. Eine der Lücken (CVE-2024-57258) ermöglicht das zudem mit anderen Subsystemen als ext4 oder SquashFS. --------------------------------------------- https://www.heise.de/-10287480 ∗∗∗ Sicherheitsupdates: Lernplattform Moodle vielfältig angreifbar ∗∗∗ --------------------------------------------- Die Moodle-Entwickler haben mehrere Sicherheitslücken geschlossen. Bislang gibt es keine Berichte zu Attacken. --------------------------------------------- https://www.heise.de/-10288147 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (gcc-toolset-14-gcc, nodejs:18, and nodejs:22), Fedora (bootc), Gentoo (OpenSSH), Oracle (doxygen, libxml2, mingw-glib2, and NetworkManager), Red Hat (bind, bind9.16, bind9.18, kernel, kernel-rt, mysql, and mysql:8.0), Slackware (openssh), SUSE (buildah, emacs, glibc, google-osconfig-agent, grub2, java-11-openj9, kernel, netty, netty-tcnative, openssh, openvswitch, podman, and ucode-intel), and Ubuntu (atril, libsndfile, libtasn1-6, openssh, python-virtualenv, and symfony). --------------------------------------------- https://lwn.net/Articles/1010853/ ∗∗∗ Multiple Vulnerabilities Discovered in NVIDIA CUDA Toolkit ∗∗∗ --------------------------------------------- Unit 42 researchers detail nine vulnerabilities discovered in NVIDIA’s CUDA-based toolkit. The affected utilities help analyze cubin (binary) files.The post Multiple Vulnerabilities Discovered in NVIDIA CUDA Toolkit appeared first on Unit 42. --------------------------------------------- https://unit42.paloaltonetworks.com/nvidia-cuda-toolkit-vulnerabilities/ ∗∗∗ Cisco BroadWorks Application Delivery Platform Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Video Phone 8875 and Desk Phone 9800 Series Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Secure Email Gateway Email Filter Bypass Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.02.2025
by Daily end-of-shift report 18 Feb '25

18 Feb '25

===================== = End-of-Day report = ===================== Timeframe: Montag 17-02-2025 18:00 − Dienstag 18-02-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ StaryDobry ruins New Year’s Eve, delivering miner instead of presents ∗∗∗ --------------------------------------------- Kaspersky GReAT experts have discovered a new campaign distributing the XMRig cryptominer through popular games such as BeamNG.drive and Dyson Sphere Program on torrent trackers. --------------------------------------------- https://securelist.com/starydobry-campaign-spreads-xmrig-miner-via-torrents… ∗∗∗ FreSSH bugs undiscovered for years threaten OpenSSH security ∗∗∗ --------------------------------------------- Exploit code now available for MitM and DoS attacks Researchers can disclose two brand-new vulnerabilities in OpenSSH now that patches have been released. --------------------------------------------- https://www.theregister.com/2025/02/18/openssh_vulnerabilities_mitm_dos/ ∗∗∗ Watch where you point that cred! Part 1 ∗∗∗ --------------------------------------------- TL;DR Poorly protected authentication requests from privileged automated tasks (e.g. vulnerability scanners, health checks) could be intercepted by rogue authentication servers planted in the internal network. Weak authentication methods, .. --------------------------------------------- https://www.pentestpartners.com/security-blog/watch-where-you-point-that-cr… ∗∗∗ Vorsicht vor Betrug mit Geschenkkarten: „Ich brauche deine Hilfe bei einer kleinen Aufgabe.“ ∗∗∗ --------------------------------------------- Kriminelle versuchen aktuell verstärkt, über betrügerische E-Mails an Geld zu kommen. Sie geben sich als vermeintliche Bekannte ihrer Opfer aus und bitten diese, Geschenk- bzw. Gutscheinkarten im Gesamtwert von 500 € zu kaufen. Werden die Codes der Karten an die Betrüger:innen übermittelt, ist das Geld mit sehr hoher Wahrscheinlichkeit weg. --------------------------------------------- https://www.watchlist-internet.at/news/betrug-mit-geschenkkarten/ ∗∗∗ How Secure Is Your OAuth? Insights from 100 Websites ∗∗∗ --------------------------------------------- You might not recognize the term “OAuth,” otherwise known as Open Authorization, but chances are you’ve used it .. --------------------------------------------- https://www.cyberark.com/resources/threat-research-blog/how-secure-is-your-… ∗∗∗ Snake Keylogger Variant Hits Windows, Steals Data via Telegram Bots ∗∗∗ --------------------------------------------- The New Snake Keylogger variant targets Windows users via phishing emails, using AutoIt for stealth. Learn .. --------------------------------------------- https://hackread.com/snake-keylogger-variant-windows-data-telegram-bots/ ∗∗∗ Weak Passwords Led to (SafePay) Ransomware…Yet Again ∗∗∗ --------------------------------------------- This post will delve into a recent incident response engagement handled by NCC Group’s Digital Forensics and Incident Response (DFIR) team, involving SafePay ransomware. --------------------------------------------- https://www.nccgroup.com/us/research-blog/weak-passwords-led-to-safepay-ran… ∗∗∗ XCSSET Malware Targeting macOS ∗∗∗ --------------------------------------------- XCSSET is a sophisticated malware targeting macOS users, especially software developers. Discovered by Trend Micro in 2020, XCSSET has evolved significantly and remains a potent threat. This detailed analysis covers its evolution, attack methods, .. --------------------------------------------- https://thecyberthrone.in/2025/02/18/xcsset-malware-targeting-macos/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gnutls28, openssh, and pam-pkcs11), Mageia (microcode and python-cryptography), Oracle (nodejs:18, nodejs:20, and rsync), Red Hat (gcc, nodejs:20, and nodejs:22), SUSE (emacs, kernel, openvswitch, and ucode-intel), and Ubuntu (Docker). --------------------------------------------- https://lwn.net/Articles/1010621/ ∗∗∗ DSA-5868-1 openssh - security update ∗∗∗ --------------------------------------------- https://lists.debian.org/debian-security-announce/2025/msg00030.html ∗∗∗ [20250201] - Core - SQL injection vulnerability in Scheduled Tasks component ∗∗∗ --------------------------------------------- https://developer.joomla.org:443/security-centre/958-20250201-core-sql-inje… ∗∗∗ Security Vulnerabilities fixed in Firefox 135.0.1 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-12/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.02.2025
by Daily end-of-shift report 17 Feb '25

17 Feb '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 14-02-2025 18:00 − Montag 17-02-2025 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ SonicWall firewalls now under attack: Patch ASAP or risk intrusion via your SSL VPN ∗∗∗ --------------------------------------------- Miscreants are actively abusing a high-severity authentication bypass bug in unpatched internet-facing SonicWall firewalls following the public release of proof-of-concept exploit code. The vulnerability, tracked as CVE-2024-53704, is a flaw in the SSL VPN authentication mechanism in SonicOS, the operating system that SonicWall firewalls use. If exploited, it allows remote attackers to bypass authentication on vulnerable SonicOS equipment, hijack the devices' active SSL VPN sessions, and gain unauthorized access to affected networks. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/02/14/sonicwall_fi… ∗∗∗ New FinalDraft malware abuses Outlook mail service for stealthy comms ∗∗∗ --------------------------------------------- A new malware called FinalDraft has been using Outlook email drafts for command-and-control communication in attacks against a ministry in a South American country. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-finaldraft-malware-abuse… ∗∗∗ Hidden Backdoors Uncovered in WordPress Malware Investigation ∗∗∗ --------------------------------------------- At Sucuri, we often encounter cases where malware is deeply embedded in websites, hidden in files and scripts that can easily escape detection. In this article, we’ll walk you through a real-life incident where a customer contacted us about unusual behavior on their WordPress website. --------------------------------------------- https://blog.sucuri.net/2025/02/hidden-backdoors-uncovered-in-wordpress-mal… ∗∗∗ Lazarus Group Deploys Marstech1 JavaScript Implant in Targeted Developer Attacks ∗∗∗ --------------------------------------------- The active operation has been dubbed Marstech Mayhem by SecurityScorecard, with the malware delivered by means of an open-source repository hosted on GitHub that's associated with a profile named "SuccessFriend." [..] The implant is designed to collect system information, and can be embedded within websites and NPM packages, posing a supply chain risk. Evidence shows that the malware first emerged in late December 2024. The attack has amassed 233 confirmed victims across the U.S., Europe, and Asia. --------------------------------------------- https://thehackernews.com/2025/02/lazarus-group-deploys-marstech1.html ∗∗∗ Chat Control vs. File Sharing ∗∗∗ --------------------------------------------- The spectre of “law-enforcement going dark“ is on the EU agenda once again. [..] Recently it became known that yet another democratic EU Member state has employed such software to spy on journalists and other civil society figures – and not on the hardened criminals or terrorists which are always cited as the reason why these methods are needed. [..] Let’s assume the law enforcement folks win the debate in the EU and chat control becomes law. How might this play out? --------------------------------------------- https://www.cert.at/en/blog/2025/2/chat-control-vs-file-sharing ∗∗∗ Hackers Exploit Telegram API to Spread New Golang Backdoor ∗∗∗ --------------------------------------------- The new Golang backdoor uses Telegram for command and control. Netskope discovers malware that exploits Telegram’s API for malicious purposes. Learn how this threat works and how to protect yourself. --------------------------------------------- https://hackread.com/hackers-exploit-telegram-api-spread-golang-backdoor/ ∗∗∗ Microsoft spots XCSSET macOS malware variant used for crypto theft ∗∗∗ --------------------------------------------- A new variant of the XCSSET macOS modular malware has emerged in attacks that target users sensitive information, including digital wallets and data from the legitimate Notes app. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-spots-xcsset-macos… ∗∗∗ Investigating Anonymous VPS services used by Ransomware Gangs ∗∗∗ --------------------------------------------- This blog shall investigate a small UK-based hosting provider known as BitLaunch as an example of how challenging it can be to tackle cybercriminal infrastructure. Research into this hosting provider revealed that they appear to have a multi-year history of cybercriminals using BitLaunch to host command-and-control (C2) servers via their Anonymous VPS service. --------------------------------------------- https://blog.bushidotoken.net/2025/02/investigating-anonymous-vps-services.… ∗∗∗ The Danger of IP Volatility, (Sat, Feb 15th) ∗∗∗ --------------------------------------------- What do I mean by “IP volatility”? Today, many organizations use cloud services and micro-services. In such environments, IP addresses assigned to virtual machines or services can often be volatile, meaning they can change or be reassigned to other organizations or users. This presents a risk for services relying on static IPs for security configurations and may introduce impersonation or data leakage issues. --------------------------------------------- https://isc.sans.edu/diary/rss/31688 ∗∗∗ Shadowserver 2024: Highlights of the Year in Review ∗∗∗ --------------------------------------------- A review of Shadowserver’s 20th year as the world’s largest provider of free, timely, actionable, daily cyber threat intelligence. Covering the latest improvements in our public benefit services, responses to emerging cyber threats, and detection and reporting of the latest vulnerabilities to National CSIRTs and system defenders globally. --------------------------------------------- https://www.shadowserver.org/news/shadowserver-2024-highlights-of-the-year-… ∗∗∗ Unleashing Medusa: Fast and scalable smart contract fuzzing ∗∗∗ --------------------------------------------- Introducing Medusa v1, a cutting-edge fuzzing framework designed to enhance smart contract security. --------------------------------------------- https://blog.trailofbits.com/2025/02/14/unleashing-medusa-fast-and-scalable… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (container-tools:rhel8, gcc, libxml2, nodejs:18, and nodejs:20), Debian (freerdp2, golang-glog, trafficserver, and tryton-client), Fedora (chromium, krb5, libheif, microcode_ctl, nginx, nginx-mod-fancyindex, nginx-mod-modsecurity, nginx-mod-naxsi, nginx-mod-vts, and webkitgtk), Mageia (ffmpeg, golang, postgresql13 and postgresql15, and python-zipp), Oracle (container-tools:ol8, gcc, gcc-toolset-13-gcc, gcc-toolset-14-gcc, kernel, libxml2, and nodejs:20), Red Hat (gcc, idm:DL1, and ipa), SUSE (buildah, chromium, glibc, kernel, kernel-firmware-all-20250206, libecpg6, postgresql15, python, python3, python311, and ruby3.4-rubygem-rack), and Ubuntu (intel-microcode). --------------------------------------------- https://lwn.net/Articles/1010328/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.02.2025
by Daily end-of-shift report 14 Feb '25

14 Feb '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 13-02-2025 18:00 − Freitag 14-02-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ Palo Alto PAN-OS: Exploit-Code für hochriskante Lücke aufgetaucht ∗∗∗ --------------------------------------------- Im Betriebssystem PAN-OS für Firewalls von Palo Alto Networks klaffen Sicherheitslücken. Für eine davon gibt es bereits Exploit-Code. [..] Die Lücke mit dem höchsten Schweregrad betrifft laut Palo Altos Mitteilung eine mögliche Umgehung der Authentifizierung im Management-Web-Interface. --------------------------------------------- https://www.heise.de/-10282742 ∗∗∗ whoAMI attacks give hackers code execution on Amazon EC2 instances ∗∗∗ --------------------------------------------- Security researchers discovered a name confusion attack that allows access to an Amazon Web Services account to anyone that publishes an Amazon Machine Image (AMI) with a specific name. [..] Amazon confirmed the vulnerability and pushed a fix in September but the problem persists on the customer side in environments where organizations fail to update the code. --------------------------------------------- https://www.bleepingcomputer.com/news/security/whoami-attacks-give-hackers-… ∗∗∗ Critical PostgreSQL bug tied to zero-day attack on US Treasury ∗∗∗ --------------------------------------------- A high-severity SQL injection bug in the PostgreSQL interactive tool was exploited alongside the zero-day used to break into the US Treasury in December, researchers say. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/02/14/postgresql_b… ∗∗∗ Storm-2372 conducts device code phishing campaign ∗∗∗ --------------------------------------------- Microsoft Threat Intelligence Center discovered an active and successful device code phishing campaign by a threat actor we track as Storm-2372. Our ongoing investigation indicates that this campaign has been active since August 2024 with the actor creating lures that resemble messaging app experiences including WhatsApp, Signal, and Microsoft Teams. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2025/02/13/storm-2372-conduct… ∗∗∗ Fake BSOD Delivered by Malicious Python Script, (Fri, Feb 14th) ∗∗∗ --------------------------------------------- I found a Python script that implements a funny anti-analysis trick. --------------------------------------------- https://isc.sans.edu/diary/rss/31686 ∗∗∗ Triplestrength hits victims with triple trouble: Ransomware, cloud hijacks, crypto-mining ∗∗∗ --------------------------------------------- A previously unknown gang dubbed Triplestrength poses a triple threat to organizations: It infects victims' computers with ransomware, and also hijacks their cloud accounts to illegally mine for cryptocurrency. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/02/11/triplestreng… ∗∗∗ Cybersicherheit in Kriegszeiten: Täglich ist Tag Null ∗∗∗ --------------------------------------------- Im Bereich der Cybersicherheit kann Europa aus den Erfahrungen der Ukraine im Krieg gegen Russland lernen. Russlands hybrider Krieg habe das Land gezwungen, seine IT-Systeme fortlaufend besser abzusichern, sagten Vertreter ukrainischer Sicherheitsbehörden am Donnerstag auf der Münchner Cybersecurity-Konferenz (MCSC). --------------------------------------------- https://www.heise.de/-10283051 ∗∗∗ Geswiped, geflirted, getäuscht? Vorsicht vor Love Scams auf Dating-Portalen ∗∗∗ --------------------------------------------- Rund um den Valentinstag verspüren viele Menschen Druck, jemand Besondern kennenzulernen. Dating-Apps erleben in dieser Zeit einen regelrechten Boom. Doch zwischen echten Verbindungen verstecken sich auch unseriöse Profile, die es auf das Geld ihrer Chatpartner:innen abgesehen haben - oft geschickt getarnt und schwer zu durchschauen. Wir verraten, worauf man achten sollte, um sicher online zu daten. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-love-scams-auf-dating-p… ∗∗∗ First analysis of Apples USB Restricted Mode bypass (CVE-2025-24200) ∗∗∗ --------------------------------------------- Although we believe this could work, we currently lack the necessary hardware to test it. We are also aware restricted mode isn't the only mitigation when it comes to physical accessories, and an actual exploit may be more complex. Furthermore, we have only explored one possible attack vector for this vulnerability, but others may exist. It is advisable to update your devices to the latest version, even if you do not use accessibility features. --------------------------------------------- http://blog.quarkslab.com/first-analysis-of-apples-usb-restricted-mode-bypa… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (doxygen, gcc-toolset-13-gcc, gcc-toolset-14-gcc, kernel, and libxml2), Debian (chromium, postgresql-13, and webkit2gtk), Fedora (krb5, openssl, and python3.13), Mageia (ark, ofono, and perl-Net-OAuth, perl-Crypt-URandom, perl-Module-Build), Oracle (firefox, gcc, gcc-toolset-14-gcc, kernel, openssl, tbb, and thunderbird), Red Hat (libxml2), SUSE (chromium, golang-github-prometheus-prometheus, grafana, kernel, kernel-firmware-ath10k-20250206, kernel-firmware-bnx2-20250206, kernel-firmware-brcm-20250206, kernel-firmware-chelsio-20250206, kernel-firmware-dpaa2-20250206, kernel-firmware-mwifiex-20250206, kernel-firmware-platform-20250206, kernel-firmware-realtek-20250206, kernel-firmware-serial-20250206, kernel-firmware-ueagle-20250206, libtasn1, python312, qemu, SUSE Manager Client Tools, SUSE Manager Client Tools MU 5.0.3, and ucode-intel-20250211), and Ubuntu (activemq and libsndfile). --------------------------------------------- https://lwn.net/Articles/1009765/ ∗∗∗ ABB Cylon FLXeon 9.3.4 (login.js) Node Timing Attack ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5925.php ∗∗∗ ABB Cylon FLXeon 9.3.4 Insecure Backup Sensitive Data Exposure ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5924.php ∗∗∗ ABB Cylon FLXeon 9.3.4 Unauthenticated Dashboard Access ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5923.php ∗∗∗ Kubernetes: CVE-2025-0426 ∗∗∗ --------------------------------------------- https://github.com/kubernetes/kubernetes/issues/130016 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.02.2025
by Daily end-of-shift report 13 Feb '25

13 Feb '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 12-02-2025 18:00 − Donnerstag 13-02-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Google fixes flaw that could unmask YouTube users email addresses ∗∗∗ --------------------------------------------- Google has fixed two vulnerabilities that, when chained together, could expose the email addresses of YouTube accounts, causing a massive privacy breach for those using the site anonymously. --------------------------------------------- https://www.bleepingcomputer.com/news/security/google-fixes-flaw-that-could… ∗∗∗ Chinese espionage tools deployed in RA World ransomware attack ∗∗∗ --------------------------------------------- A China-based threat actor, tracked as Emperor Dragonfly and commonly associated with cybercriminal endeavors, has been observed using in a ransomware attack a toolset previously attributed to espionage actors. --------------------------------------------- https://www.bleepingcomputer.com/news/security/chinese-espionage-tools-depl… ∗∗∗ Wie Handynutzer mit einem Uralt-Bezahlsystem in die Abofalle tappen ∗∗∗ --------------------------------------------- WAP-Billing ermöglicht, auf dem Smartphone unbeabsichtigt teure Mehrwertdienste zu bestellen. Das Geld wird sofort per Handyrechnung abgebucht. --------------------------------------------- https://futurezone.at/digital-life/wap-mobilfunk-abofalle-abzocke-sms-bezah… ∗∗∗ The BadPilot campaign: Seashell Blizzard subgroup conducts multiyear global access operation ∗∗∗ --------------------------------------------- Microsoft is publishing for the first time our research into a subgroup within the Russian state actor Seashell Blizzard and its multiyear initial access operation, tracked by Microsoft Threat Intelligence as the “BadPilot campaign”. This subgroup has conducted globally diverse compromises of Internet-facing infrastructure to enable Seashell .. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2025/02/12/the-badpilot-campa… ∗∗∗ Woeful Security On Financial Phone Apps Is Getting People Murdered ∗∗∗ --------------------------------------------- Longtime Slashdot reader theodp writes: Monday brought chilling news reports of the all-count trial convictions of three individuals for a conspiracy to rob and drug people outside of LGBTQ+ nightclubs in Manhattans Hells Kitchen neighborhood, which led to the deaths of two of their victims. The defendants were found guilty on all 24 counts, which .. --------------------------------------------- https://news.slashdot.org/story/25/02/12/2339225/woeful-security-on-financi… ∗∗∗ Magento Credit Card Stealer Disguised in an Tag ∗∗∗ --------------------------------------------- Tag" align="center" style="display: block;margin: 0 auto 20px;max-width:100%" />Recently, we had a client come to us concerned that their website was infected with credit card stealing malware, often referred to as MageCart. Their website was running on Magento, a popular eCommerce content management system that skilled attackers often .. --------------------------------------------- https://blog.sucuri.net/2025/02/magento-credit-card-stealer-disguised-in-an… ∗∗∗ Ransomware isnt always about the money: Government spies have objectives, too ∗∗∗ --------------------------------------------- Analysts tell El Reg why Russias operators arent that careful, and why North Korea wants money AND data Feature Ransomware gangsters and state-sponsored online spies fall on opposite ends of the cyber-crime spectrum. --------------------------------------------- https://www.theregister.com/2025/02/12/ransomware_nation_state_groups/ ∗∗∗ Sophos sheds 6% of staff after swallowing Secureworks ∗∗∗ --------------------------------------------- De-dupes some roles, hints others arent needed as the infosec scene shifts Nine days after completing its $859 million acquisition of managed detection and response provider Secureworks, Sophos has laid off around six percent of its staff. --------------------------------------------- https://www.theregister.com/2025/02/13/sophos_secureworks_layoff/ ∗∗∗ Feds want devs to stop coding unforgivable buffer overflow vulnerabilities ∗∗∗ --------------------------------------------- FBI, CISA harrumph at Microsoft and VMware in call for coders to quit baking avoidable defects into stuff US authorities have labelled buffer overflow vulnerabilities "unforgivable defects”, pointed to the presence of the holes in products from the likes of Microsoft and VMware, and urged all software developers to adopt secure-by-design practices to avoid creating more of them. --------------------------------------------- https://www.theregister.com/2025/02/13/fbi_cisa_unforgivable_buffer_overflo… ∗∗∗ The Loneliness Epidemic Is a Security Crisis ∗∗∗ --------------------------------------------- Romance scams cost victims hundreds of millions of dollars a year. As people grow increasingly isolated, and generative AI helps scammers scale their crimes, the problem could get worse. --------------------------------------------- https://www.wired.com/story/loneliness-epidemic-romance-scams-security-cris… ∗∗∗ WTF: ICANN Opfer von Phishing: Online-Konto für Kryptowährungs-Reklame missbraucht ∗∗∗ --------------------------------------------- "Die ICANN gibt dem Internet seine eigene Währung", schallte es von einem offiziellen ICANN-Konto eines sozialen Netzes. Hinter "$DNS" stecken aber Kriminelle. --------------------------------------------- https://www.heise.de/news/ICANN-Opfer-von-Phishing-Online-Konto-fuer-Krypto… ∗∗∗ Patchday: Intel schließt Sicherheitslücken in CPUs und Grafiktreibern ∗∗∗ --------------------------------------------- Es sind wichtige Updates für verschiedene Produkte von Intel erschienen. Admins sollten sie zeitnah installieren. --------------------------------------------- https://www.heise.de/news/Patchday-Intel-schliesst-kritische-Sicherheitslue… ∗∗∗ Massiver Cyberangriff auf US-Provider: Attacken gehen immer noch weiter ∗∗∗ --------------------------------------------- Im Herbst wurde der schlimmste Telekommunikationshack in der US-Geschichte entdeckt. Die Angreifer wurden noch nicht gestoppt, ganz im Gegenteil. --------------------------------------------- https://www.heise.de/news/Massiver-Cyberangriff-auf-US-Provider-Attacken-ge… ∗∗∗ PCI DSS v4.0 Evidence and documentation requirements checklist ∗∗∗ --------------------------------------------- TL;DR PCI DSS is complex and challenging Review the 12 top level controls Arm yourself with this checklist to help you navigate it Introduction PCI DSS v4.0 is challenging for .. --------------------------------------------- https://www.pentestpartners.com/security-blog/pci-dss-v4-0-evidence-and-doc… ∗∗∗ US reportedly releases Russian cybercrime figure Alexander Vinnik in prisoner swap ∗∗∗ --------------------------------------------- Alexander Vinnik, who ran the defunct cryptocurrency exchange BTC-e and pleaded guilty last year to participating in a money laundering scheme, is heading back to Russia as part of a prisoner swap that freed an American teacher, reports said. --------------------------------------------- https://therecord.media/alexander-vinnik-reported-released-prisoner-swap-ru… ∗∗∗ An Italian journalist speaks about being targeted with Paragon spyware ∗∗∗ --------------------------------------------- As an undercover journalist covering Italian politics, Francesco Cancellato is used to reporting on scandals. But he never thought he would be part of the story. --------------------------------------------- https://therecord.media/italian-journalist-speaks-about-being-targeted-spyw… ∗∗∗ FortiOS Vulnerability Allows Super-Admin Privilege Escalation – Patch Now! ∗∗∗ --------------------------------------------- Super-admin access vulnerability discovered in FortiOS Security Fabric. Exploitation could lead to widespread network breaches. Update now. Fortinet has .. --------------------------------------------- https://hackread.com/fortios-vulnerability-super-admin-privilege-escalation/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (doxygen and openssl), Debian (dcmtk and webkit2gtk), Fedora (chromium, clevis-pin-tpm2, envision, fido-device-onboard, gotify-desktop, keylime-agent-rust, keyring-ima-signer, libkrun, python3.10, python3.11, python3.14, rust-afterburn, rust-cargo-vendor-filterer, rust-coreos-installer, .. --------------------------------------------- https://lwn.net/Articles/1009450/ ∗∗∗ CVE-2025-0108 PAN-OS: Authentication Bypass in the Management Web Interface (Severity: HIGH) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2025-0108 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.02.2025
by Daily end-of-shift report 12 Feb '25

12 Feb '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 11-02-2025 18:00 − Mittwoch 12-02-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ Kritische Sicherheitslücke: Hacker greifen vermehrt Owncloud-Instanzen an ∗∗∗ --------------------------------------------- Warum die Angriffe auf CVE-2023-49103 ausgerechnet jetzt zunehmen, ist unklar. Vor dem Hintergrund, dass mit Version 0.3.1 der Graphapi-App schon seit dem 1. September 2023 ein Patch zur Verfügung steht, bleibt außerdem fraglich, wie viele dieser Angriffe tatsächlich erfolgreich sind. --------------------------------------------- https://www.golem.de/news/patch-verfuegbar-kritische-owncloud-luecke-wird-v… ∗∗∗ Opensource-Sicherheitsplattform: Kritische Lücke in Wazuh erlaubte Codeschmuggel ∗∗∗ --------------------------------------------- Die kritische Lücke mit der CVE-ID CVE-2025-24016 (CVSS 9,9/10) klaffte in allen Wazuh-Versionen von 4.4.0 bis 4.9.0 und ist in Version 4.9.1 behoben. Derzeit aktuell ist Wazuh 4.10.1. Das Update erschien bereits im Oktober 2024 – war seinerzeit jedoch nicht als sicherheitskritisch markiert. --------------------------------------------- https://www.heise.de/-10279201 ∗∗∗ IQ-Tests im Internet - Vorsicht vor versteckten Kosten! ∗∗∗ --------------------------------------------- Wer einen IQ-Test machen möchte, stößt im Internet auf zahlreiche Angebote, die schnelle und unkomplizierte Ergebnisse versprechen. Doch hinter vielen dieser Tests verbergen sich versteckte Kostenhinweise, wodurch Nutzer:innen plötzlich in teure Abos geraten. Wir zeigen, woran man unseriöse IQ-Tests erkennt und was man tun kann, wenn bereits Geld abgebucht wurde. --------------------------------------------- https://www.watchlist-internet.at/news/iq-tests-im-internet-vorsicht-vor-ve… ∗∗∗ From Convenience to Contagion: The Half-Day Threat and Libarchive Vulnerabilities Lurking in Windows 11 ∗∗∗ --------------------------------------------- This article discusses the vulnerabilities and notable characteristics introduced when Windows adopted libarchive to support additional archive file formats. --------------------------------------------- https://devco.re/blog/2025/02/12/from-convenience-to-contagion-the-half-day… ∗∗∗ ROPing our way to RCE ∗∗∗ --------------------------------------------- In red teaming engagements, simply finding an XSS or basic misconfiguration often isn’t enough, achieving RCE is the real deal. During one such assessment, we came across XiongMai’s uc-httpd, a lightweight web server used in countless IP cameras worldwide. According to Shodan, roughly 70k instances of this software are publicly exposed on the internet. Despite its history of severe vulnerabilities, no readily available exploit seemed to provide code execution, so I set out to build one. --------------------------------------------- https://modzero.com/en/blog/roping-our-way-to-rce/ ∗∗∗ How Wiz found a Critical NVIDIA AI vulnerability: Deep Dive into a container escape (CVE-2024-0132) ∗∗∗ --------------------------------------------- Technical details on a critical severity vulnerability (CVE-2024-0132) in NVIDIA Container Toolkit and GPU Operator, affecting cloud service providers. --------------------------------------------- https://www.wiz.io/blog/nvidia-ai-vulnerability-deep-dive-cve-2024-0132 ∗∗∗ Russian bulletproof hosting service Zservers sanctioned by US for LockBit coordination ∗∗∗ --------------------------------------------- A Russian service used to facilitate ransomware attacks by LockBit hackers has been sanctioned by U.S. authorities. --------------------------------------------- https://therecord.media/zservers-russia-bulletproof-hosting-us-uk-sanctions ===================== = Vulnerabilities = ===================== ∗∗∗ Microsoft Patch Tuesday for February 2025 — Snort rules and prominent vulnerabilities ∗∗∗ --------------------------------------------- Microsoft has released its monthly security update for January of 2025 which includes 58 vulnerabilities, including 3 that Microsoft marked as “critical” and one marked as "moderate". The remaining vulnerabilities listed are classified as “important.” --------------------------------------------- https://blog.talosintelligence.com/february-patch-tuesday-release/ ∗∗∗ Dringend patchen: Gefährliche Schadcode-Lücken in Excel bedrohen Office-Nutzer ∗∗∗ --------------------------------------------- Die Sicherheitslücken betreffen alle gängigen Office-Versionen. Laut Microsoft ist auch das Vorschau-Panel ein möglicher Angriffsvektor. --------------------------------------------- https://www.golem.de/news/microsoft-office-fuenf-excel-luecken-lassen-angre… ∗∗∗ Adobe-Patchday: Schadcode-Sicherheitslücken gefährden Illustrator & Co. ∗∗∗ --------------------------------------------- Mehrere Schwachstellen in Commerce, InCopy, InDesign, Illustrator, Photoshop Elements, Substance 3D Designer und Substance 3D Stager gefährden PCs. Viele der Schwachstellen stuft Adobe als "kritisch" ein. --------------------------------------------- https://www.heise.de/-10279209 ∗∗∗ Fortinet: Angriffe auf Schwachstellen laufen, Updates für diverse Produkte ∗∗∗ --------------------------------------------- Die bereits attackierte Sicherheitslücke betrifft FortiOS und FortiProxy, Fortinet hat damit eine Sicherheitsmitteilung aus dem Januar aktualisiert. Die dreht sich um eine Umgehung der Authentifizierung im Node.js-Websocket-Modul (CVE-2024-55591, CVSS 9.6, Risiko "kritisch"). Neu hinzugekommen ist nun der Eintrag CVE-2025-24472, CVSS 8.1, "hohes" Risiko. [..] Auf der Seite des Fortinet-PSIRT stehen noch eine Menge weiterer Aktualisierungen für diverse Produkte bereit, unter anderem für FortiAnalyzer, FortiPAM, FortiSwitchManager, FortiClientMac, FortiClientWindows, FortiSandbox, FortiManager und so weiter. --------------------------------------------- https://www.heise.de/-10279425 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (firefox, kernel, kernel-rt, tbb, and thunderbird), Debian (bind9, cacti, pam-pkcs11, and ruby2.7), Fedora (bind, bind-dyndb-ldap, chromium, crun, and java-21-openjdk), Mageia (calibre, nginx, python-ansible-core, python-jinja2, python-pip, python-setuptools, python-twisted, and python-waitress), Red Hat (doxygen, firefox, gcc, gcc-toolset-13-gcc, gcc-toolset-14-gcc, tbb, and thunderbird), SUSE (go1.24, govulncheck-vulndb, java-1_8_0-openj9, kernel, openssl-3, ovmf, python3-numpy, python311, python36, qemu, and skopeo), and Ubuntu (bluez and openssl). --------------------------------------------- https://lwn.net/Articles/1009177/ ∗∗∗ Apple Confirms ‘Extremely Sophisticated’ Exploit Threatening iOS Security ∗∗∗ --------------------------------------------- Apple fixes the USB Restricted Mode flaw in iOS 18.3.1 and iPadOS 18.3.1. Vulnerability exploited in targeted attacks. Update your iPhone/iPad now. --------------------------------------------- https://hackread.com/apple-extremely-sophisticated-exploit-ios-security/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.02.2025
by Daily end-of-shift report 11 Feb '25

11 Feb '25

===================== = End-of-Day report = ===================== Timeframe: Montag 10-02-2025 18:00 − Dienstag 11-02-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Over 12,000 KerioControl firewalls exposed to exploited RCE flaw ∗∗∗ --------------------------------------------- Over twelve thousand GFI KerioControl firewall instances are exposed to a critical remote code execution vulnerability tracked as CVE-2024-52875. --------------------------------------------- https://www.bleepingcomputer.com/news/security/over-12-000-keriocontrol-fir… ∗∗∗ US sanctions LockBit ransomware’s bulletproof hosting provider ∗∗∗ --------------------------------------------- The United States, Australia, and the United Kingdom have sanctioned Zservers, a Russia-based bulletproof hosting (BPH) services provider, for supplying essential attack infrastructure for the LockBit ransomware gang. --------------------------------------------- https://www.bleepingcomputer.com/news/security/us-sanctions-lockbit-ransomw… ∗∗∗ Russian military hackers deploy malicious Windows activators in Ukraine ∗∗∗ --------------------------------------------- The Sandworm Russian military cyber-espionage group is targeting Windows users in Ukraine with trojanized Microsoft Key Management Service (KMS) activators and fake Windows updates. --------------------------------------------- https://www.bleepingcomputer.com/news/security/russian-military-hackers-dep… ∗∗∗ All your 8Base are belong to us: Ransomware crew busted in global sting ∗∗∗ --------------------------------------------- Dark web site seized, four cuffed in Thailand An international police operation spanning the US, Europe, and Asia has shuttered the 8Base ransomware crews dark web presence and resulted in the arrest of four European suspects accused of stealing $16 million from more than 1,000 victims worldwide. --------------------------------------------- https://www.theregister.com/2025/02/10/8base_police_arrrest/ ∗∗∗ Im a security expert, and I almost fell for a North Korea-style deepfake job applicant …Twice ∗∗∗ --------------------------------------------- Remote position, webcam not working, then glitchy AI face ... Red alert! Twice, over the past two months, Dawid Moczadło has interviewed purported job seekers only to discover that these "software developers" were scammers using AI-based tools — likely to get hired at a security company also using artificial intelligence, and then steal source code or other sensitive IP. --------------------------------------------- https://www.theregister.com/2025/02/11/it_worker_scam/ ∗∗∗ Sicherheitsupdates Zimbra: Angreifer können Metadaten von E-Mails auslesen ∗∗∗ --------------------------------------------- Die Zimbra-Entwickler haben unter anderem mindestens eine kritische Lücke in der E-Mail- und Groupwarelösung geschlossen. --------------------------------------------- https://www.heise.de/news/Sicherheitsupdates-Zimbra-Angreifer-koennen-Metad… ∗∗∗ Hugging Face: Bösartige ML-Modelle auf Entwicklungsplattform aufgedeckt ∗∗∗ --------------------------------------------- Auf der KI-Entwicklungsplattform Hugging Face haben IT-Forscher bösartige ML-Modelle entdeckt. Angreifer könnten damit Befehle einschleusen. --------------------------------------------- https://www.heise.de/news/Hugging-Face-Boesartige-ML-Modelle-auf-Entwicklun… ∗∗∗ PCI DSS. Where to start? ∗∗∗ --------------------------------------------- TL;DR Determine your role: Merchant or service provider Determine your level and requirements Identify your validation method: SAQ or RoC Use the PCI website .. --------------------------------------------- https://www.pentestpartners.com/security-blog/pci-dss-where-to-start/ ∗∗∗ Hacker who hijacked SEC’s X account pleads guilty, faces maximum five-year sentence ∗∗∗ --------------------------------------------- Alabama native Eric Council Jr. confessed to taking over the Securities and Exchange Commissions account and posting false information that caused the price of bitcoin to swing wildly. --------------------------------------------- https://therecord.media/hacker-hijacked-sec-account-maximum ∗∗∗ SystemBC RAT Now Targets Linux, Spreading Ransomware and Infostealers ∗∗∗ --------------------------------------------- SystemBC RAT now targets Linux, enabling ransomware gangs like Ryuk & Conti to spread, evade detection, and maintain encrypted C2 traffic for stealthy cyberattacks. --------------------------------------------- https://hackread.com/systembc-rat-targets-linux-ransomware-infostealers/ ∗∗∗ Cisco Rejects Kraken Ransomware’s Data Breach Claims ∗∗∗ --------------------------------------------- Cisco denies recent data breach claims by the Kraken ransomware group, stating leaked credentials are from a resolved 2022 incident. Learn more about Ciscos response and the details of the original attack. --------------------------------------------- https://hackread.com/cisco-rejects-kraken-ransomware-data-breach-claim/ ∗∗∗ !exploitable Episode One - Breaking IoT ∗∗∗ --------------------------------------------- For our last company retreat, the Doyensec team went on a cruise along the coasts of the Mediterranean Sea. As amazing as each stop was, us being geeks, we had to break the monotony of daily pool parties with some much-needed hacking sessions. Luca and John, our chiefs, came to the rescue with three challenges chosen to .. --------------------------------------------- https://blog.doyensec.com/2025/02/11/exploitable-iot.html ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (firefox, tbb, and thunderbird), Debian (cacti, libtasn1-6, and rust-openssl), Oracle (galera and mariadb, kernel, raptor2, and thunderbird), SUSE (bind, fq, java-21-openj9, libtasn1-6-32bit, ovmf, python310, python312, python313, python314, rime-schema-all, thunderbird, and wget), and Ubuntu (eglibc, firefox, glibc, linux, linux-aws, linux-lts-xenial, ruby2.3, ruby2.5, and vim). --------------------------------------------- https://lwn.net/Articles/1008966/ ∗∗∗ Zahlreiche Schwachstellen in Wattsense Bridge ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/zahlreiche-schwachste… ∗∗∗ February Security Update ∗∗∗ --------------------------------------------- https://www.ivanti.com/blog/february-security-update -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.02.2025
by Daily end-of-shift report 10 Feb '25

10 Feb '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 07-02-2025 18:00 − Montag 10-02-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Microsoft raises rewards for Copilot AI bug bounty program ∗∗∗ --------------------------------------------- Microsoft announced over the weekend that it has expanded its Microsoft Copilot (AI) bug bounty program and increased payouts for moderate severity vulnerabilities. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-raises-rewards-fo… ∗∗∗ Malware from fake recruiters ∗∗∗ --------------------------------------------- Fake recruiters are currently on the hunt for CVs – and also your data. Reports have emerged about malware being put into work assignments that supposedly test a candidate’s technical skills. --------------------------------------------- https://www.gdatasoftware.com/blog/2025/02/38143-malware-fake-recruiters ∗∗∗ Cybersicherheit: OpenAI-Benutzerdatenbank angeblich gehackt ∗∗∗ --------------------------------------------- Im Darknet sind Hinweise veröffentlicht worden, dass die Benutzerdatenbank von OpenAI angeblich gehackt worden sei. Es gibt aber Zweifel. --------------------------------------------- https://www.golem.de/news/cybersicherheit-openai-benutzerdatenbank-angeblic… ∗∗∗ Reminder: 7-Zip & MoW, (Mon, Feb 10th) ∗∗∗ --------------------------------------------- CVE-2025-0411 is a vulnerability in 7-zip that has been reported to be exploited in recent attacks. The problem is that Mark-of-Web (MoW) isn't propagated correctly: when extracted, a file inside a ZIP file inside another ZIP file will not have the MoW propagated from the outer ZIP file. --------------------------------------------- https://isc.sans.edu/forums/diary/Reminder+7Zip+MoW/31668/ ∗∗∗ Server Attack Stops the Presses at US Newspaper Chain ∗∗∗ --------------------------------------------- They publish 77 newspapers in 26 U.S. states, according to Wikipedia. But this week a "cybersecurity event" at the newspapers parent company "disrupted systems and networks," according to an article at one of their news sites which quotes an email sent to employees by the publishing companys CEO. "We have notified law enforcement of .. --------------------------------------------- https://news.slashdot.org/story/25/02/10/0614233/server-attack-stops-the-pr… ∗∗∗ Hackers Exploit Google Tag Manager to Deploy Credit Card Skimmers on Magento Stores ∗∗∗ --------------------------------------------- Threat actors have been observed leveraging Google Tag Manager (GTM) to deliver credit card skimmer malware targeting Magento-based e-commerce websites.Website security company Sucuri said the code, while appearing to be a typical GTM and .. --------------------------------------------- https://thehackernews.com/2025/02/hackers-exploit-google-tag-manager-to.html ∗∗∗ Anonymisierendes Linux: Tails 6.12 schließt Deanonymisierungs-Lücke ∗∗∗ --------------------------------------------- Sicherheitslücken in der anonymisierenden Linux-Distribution Tails erlauben Angreifern die Deanonymisierung von Nutzern. Tails 6.12 stoppt das. --------------------------------------------- https://www.heise.de/news/Anonymisierendes-Linux-Tails-6-12-schliesst-Deano… ∗∗∗ Teen on Musk’s DOGE Team Graduated from ‘The Com’ ∗∗∗ --------------------------------------------- Wired reported this week that a 19-year-old working for Elon Musks so-called Department of Government Efficiency (DOGE) was given access to sensitive US government systems even though his past association with cybercrime communities should have precluded him from gaining the necessary security clearances to do so. As todays story explores, the DOGE teen is a .. --------------------------------------------- https://krebsonsecurity.com/2025/02/teen-on-musks-doge-team-graduated-from-… ∗∗∗ Millionen Thermomix-Nutzer von Datenleck betroffen ∗∗∗ --------------------------------------------- Im Darknet werden bei Rezeptwelt.de erbeutete Daten zum Verkauf angeboten. Die Lücke wurde geschlossen, der Hersteller warnt aber vor anderen Konsequenzen --------------------------------------------- https://www.derstandard.at/story/3000000256481/millionen-thermomix-nutzer-v… ∗∗∗ Small praise for modern compilers - A case of Ubuntu printing vulnerability that wasn’t ∗∗∗ --------------------------------------------- Earlier this year, we conducted code audits of the macOS printing subsystem, which is heavily based on the open-source CUPS package. During this investigation, IPP-USB protocol caught our attention. IPP over USB specification .. --------------------------------------------- https://blog.talosintelligence.com/small-praise-for-modern-compilers-a-case… ∗∗∗ Teen Hacker “Natohub” Caught for NATO, UN, and US Army Breaches ∗∗∗ --------------------------------------------- A joint operation by Spanish law enforcement has resulted in the apprehension of Natohub, a “dangerous hacker” suspected of orchestrating numerous cyberattacks against prominent organizations in Spain and internationally. --------------------------------------------- https://hackread.com/teen-hacker-natohub-caught-nato-un-us-army-breach/ ∗∗∗ Scammers Use Fake Facebook Copyright Notices to Hijack Accounts ∗∗∗ --------------------------------------------- A new phishing campaign is targeting businesses with fake Facebook copyright notices. Learn how to spot the signs and keep your Facebook account secure. --------------------------------------------- https://hackread.com/scammers-use-fake-facebook-copyright-notices-to-hijack… ∗∗∗ Be Skeptical of All Code - Not Just the Funny Stuff ∗∗∗ --------------------------------------------- Should you be more skeptical of code that is a “self-admitted keylogger” than code that purports to be useful? I’m not so sure. --------------------------------------------- https://eieio.games/blog/be-skeptical-of-all-code-not-just-the-funny-stuff/ ∗∗∗ Obsidian Publish Directory Enumeration ∗∗∗ --------------------------------------------- I have been using Obsidian for a while now. It is a great tool for organizing my life. My daily TODO lists, project boards, notes for school and research, and the occasional journal are all stored in .. --------------------------------------------- https://ezrizhu.com/blog/obsidian-dir-enum ∗∗∗ New OG Spoof Toolkit Manipulates Social Media Links for Cybercrime ∗∗∗ --------------------------------------------- Cyble Research and Intelligence Labs (CRIL) highlighted the growing misuse of the Open Graph Spoofing Toolkit, a dangerous tool designed to manipulate Open Graph Protocol metadata to trick users into clicking on harmful links. This exploitation of OG tags is a serious concern, as it opens the door to a wide range of phishing attacks that target social .. --------------------------------------------- https://thecyberexpress.com/open-graph-spoofing-toolkit-phishing-attacks/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (buildah, bzip2, galera and mariadb, keepalived, kernel, kernel-rt, mariadb:10.11, mingw-glib2, and podman), Debian (ark, firefox-esr, kernel, sssd, and thunderbird), Fedora (abseil-cpp, clevis-pin-tpm2, dbus-parsec, envision, fido-device-onboard, firefox, golang-github-nvidia-container-toolkit, gotify-desktop, .. --------------------------------------------- https://lwn.net/Articles/1008829/ ∗∗∗ Trimble Releases Security Updates to Address a Vulnerability in Cityworks Software ∗∗∗ --------------------------------------------- CISA is collaborating with private industry partners to respond to reports of exploitation of a vulnerability (CVE-2025-0994) discovered by Trimble impacting its Cityworks Server AMS (Asset Management System). Trimble has released security updates and an advisory addressing a recently discovered deserialization vulnerability enabling an external actor to .. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/02/07/trimble-releases-securit… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.02.2025
by Daily end-of-shift report 07 Feb '25

07 Feb '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 06-02-2025 18:00 − Freitag 07-02-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ DeepSeek Phishing Sites Pursue User Data, Crypto Wallets ∗∗∗ --------------------------------------------- Riding the wave of notoriety from the Chinese companys R1 AT chatbot, attackers are spinning up lookalike sites for different malicious use cases. --------------------------------------------- https://www.darkreading.com/cyber-risk/deepseek-phishing-sites-pursue-user-… ∗∗∗ Ohne Nutzerinteraktion: Kritische Outlook-Lücke wird aktiv ausgenutzt ∗∗∗ --------------------------------------------- Die Sicherheitslücke ermöglicht es Angreifern, durch per E-Mail verschickte und speziell gestaltete Hyperlinks Schadcode auszuführen. --------------------------------------------- https://www.golem.de/news/ohne-nutzerinteraktion-kritische-outlook-luecke-w… ∗∗∗ SSL 2.0 turns 30 this Sunday... Perhaps the time has come to let it die? ∗∗∗ --------------------------------------------- The SSL 2.0 protocol was originally published back in February of 1995[1], and although it was quickly found to have significant security weaknesses, and a more secure alternative was released only a year later, it still received a fairly wide adoption. --------------------------------------------- https://isc.sans.edu/diary/SSL+20+turns+30+this+Sunday+Perhaps+the+time+has… ∗∗∗ Screenshot-Reading Malware ∗∗∗ --------------------------------------------- Kaspersky is reporting on a new type of smartphone malware.The malware in question uses optical character recognition (OCR) to review a device’s photo library, seeking screenshots of recovery phrases for crypto wallets. Based on their assessment, infected Google Play apps have been downloaded more than 242,000 times. Kaspersky .. --------------------------------------------- https://www.schneier.com/blog/archives/2025/02/screenshot-reading-malware.h… ∗∗∗ Britische Regierung erzwingt Zugriff auf Apples verschlüsselte Cloud-Daten ∗∗∗ --------------------------------------------- Der Investigatory Powers Act wurde von Apple bereits öffentlich kritisiert. Nun hätten britische Sicherheitsbehörden gerne Zugriff auf Daten aller iCloud-User. --------------------------------------------- https://www.heise.de/news/Britische-Regierung-erzwingt-Zugriff-auf-Apples-v… ∗∗∗ BSI-Analyse von Nextcloud: Zwei-Faktor-Authentifizierung war angreifbar ∗∗∗ --------------------------------------------- Eine Codeanalyse des BSI förderte Schwachstellen in Nextcloud Server zutage. Unter anderem ließ sich die Zwei-Faktor-Authentifizierung umgehen. --------------------------------------------- https://www.heise.de/news/BSI-Analyse-von-Nextcloud-Zwei-Faktor-Authentifiz… ∗∗∗ 20 Million OpenAI accounts offered for sale ∗∗∗ --------------------------------------------- A cybercriminal calling themselves emirking is offering 20 million OpenAI accounts for sale on a Dark Web forum --------------------------------------------- https://www.malwarebytes.com/blog/news/2025/02/20-million-openai-accounts-o… ∗∗∗ ICS testing best results. Hint: Blend your approach ∗∗∗ --------------------------------------------- TL;DR Onsite ICS testing is risk averse Laboratory ICS device testing uncovers more A blended approach is key How that works Demonstrable benefits Introduction For safety’s sake onsite ICS .. --------------------------------------------- https://www.pentestpartners.com/security-blog/ics-testing-best-results-hint… ∗∗∗ US-Abgeordnete wollen Deepseek verbieten, Sicherheitsforscher warnen vor App ∗∗∗ --------------------------------------------- Parteienübergreifender Antrag will Nutzung auf Regierungsgeräten untersagen. Forscher fällen vernichtendes Urteil zur Sicherheit und finden problematische Datenübertragungen an mehrere chinesische Firmen --------------------------------------------- https://www.derstandard.at/story/3000000256396/us-abgeordnete-wollen-deepse… ∗∗∗ Vier italienische Aktivisten für Seerettung im Visier von Paragon-Spyware-Attacke ∗∗∗ --------------------------------------------- Vizepremier Salvini will in Israel Informationen über den Fall sammeln. Der Angriff erfolgte über Sicherheitslücke in Whatsapp --------------------------------------------- https://www.derstandard.at/story/3000000256452/vier-italienische-aktivisten… ∗∗∗ Chinese-Speaking Group Manipulates SEO with BadIIS ∗∗∗ --------------------------------------------- This blog post details our analysis of an SEO manipulation campaign targeting Asia. We also share recommendations that can help enterprises proactively secure their environment. --------------------------------------------- https://www.trendmicro.com/en_us/research/25/b/chinese-speaking-group-manip… ∗∗∗ Urteil: TLS-Verschlüsselung bei E-Mail-Rechnungen an Privatkunden zu wenig? ∗∗∗ --------------------------------------------- Der Fall einer per E-Mail geschickten Privatkunden-Rechnung, die von Kriminellen manipuliert wurde, wanderte vor Gericht. Der Knackpunkt: die Verschlüsselung. --------------------------------------------- https://heise.de/-10274040 ∗∗∗ Taiwan’s DeepSeek Ban Reflects Global Concerns Over AI Security ∗∗∗ --------------------------------------------- The Taiwan government’s recent decision to implement a ban on the use of the DeepSeek artificial intelligence chatbot within its public sector has drawn significant attention to the growing global concerns regarding .. --------------------------------------------- https://thecyberexpress.com/taiwans-deepseek-ban/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (openjdk-17), Fedora (firefox, FlightGear, java-1.8.0-openjdk, java-11-openjdk, java-latest-openjdk, and SimGear), Mageia (gstreamer), Red Hat (firefox, kernel, kernel-rt, libsoup, and python-jinja2), SUSE (bind, curl, dcmtk, etcd, firefox, google-osconfig-agent, krb5, openssl-1_1, podman, python311-cbor2, thunderbird, wget, and xrdp), and Ubuntu (glibc). --------------------------------------------- https://lwn.net/Articles/1008502/ ∗∗∗ [R2] Tenable Identity Exposure Version 3.77.8 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2025-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.02.2025
by Daily end-of-shift report 06 Feb '25

06 Feb '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 05-02-2025 18:00 − Donnerstag 06-02-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Ransomware payments declined in 2024 despite massive well-known hacks ∗∗∗ --------------------------------------------- Amount paid by victims to hackers declined by hundreds of millions of dollars. --------------------------------------------- https://arstechnica.com/security/2025/02/ransomware-payments-declined-in-20… ∗∗∗ Cisco Anyconnect: Hacker klonen Webseite der TU Dresden und verbreiten Malware ∗∗∗ --------------------------------------------- Mutmaßlich russische Angreifer wollten Nutzern von Cisco Anyconnect eine Malware unterjubeln. Mit einem Trick sollte die Masche unentdeckt bleiben. --------------------------------------------- https://www.golem.de/news/cisco-anyconnect-hacker-klonen-webseite-der-tu-dr… ∗∗∗ Scalable Vector Graphics files pose a novel phishing threat ∗∗∗ --------------------------------------------- The SVG file format can harbor malicious HTML, scripts, and malware --------------------------------------------- https://news.sophos.com/en-us/2025/02/05/svg-phishing/ ∗∗∗ Cisco stopft Sicherheitslücken in mehreren Produkten – auch kritische ∗∗∗ --------------------------------------------- In mehreren Produkten hat Cisco Sicherheitslücken entdeckt und warnt in Sicherheitsmitteilungen davor. Updates stehen bereit. --------------------------------------------- https://www.heise.de/news/Cisco-stopft-Sicherheitsluecken-in-mehreren-Produ… ∗∗∗ Thailand cuts power supply to Myanmar scam hubs ∗∗∗ --------------------------------------------- "It’s time to take decisive action,” Prime Minister Paethongthan Shinawatra said about Thailands move to cut off electricity from scam compounds in Myanmar border areas. --------------------------------------------- https://therecord.media/thailand-cuts-power-scam-compounds-myanmar ∗∗∗ U.S. Government Disclosed 39 Zero-Day Vulnerabilities in 2023, Per First-Ever Report ∗∗∗ --------------------------------------------- The number of zero-day vulnerabilities the government disclosed to vendors to be fixed, rather than keep them secret to exploit, comes out to about three a month. But the figure could rise dramatically under the Trump .. --------------------------------------------- https://www.zetter-zeroday.com/u-s-government-disclosed-39-zero-day-vulnera… ∗∗∗ Network security fundamentals ∗∗∗ --------------------------------------------- How to design, use, and maintain secure networks. --------------------------------------------- https://www.ncsc.gov.uk/guidance/network-security-fundamentals ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (asterisk and chromium), Fedora (FlightGear, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-latest-openjdk, and SimGear), Mageia (bind, chromium-browser-stable, python-django, and vim), Oracle (buildah, bzip2, firefox, keepalived, mariadb:10.11, and podman), Slackware (curl, mariadb, and mozilla), SUSE (cargo-audit-advisory-db-20250204 and python311-scikit-learn), and Ubuntu (ckeditor, krb5, and ruby2.7). --------------------------------------------- https://lwn.net/Articles/1008275/ ∗∗∗ OAuth2 Client - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-013 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2025-013 ∗∗∗ 2025-02-06: Cyber Security Advisory - Hard-coded credentials in ASPECT Energy Management System ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=9AKK108470A6775&Lan… ∗∗∗ CISA Releases Six Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/02/06/cisa-releases-six-indust… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.02.2025
by Daily end-of-shift report 05 Feb '25

05 Feb '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 04-02-2025 18:00 − Mittwoch 05-02-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Kosteneinsparungen: Lets Encrypt stellt Ablaufwarnungen für Zertifikate ein ∗∗∗ --------------------------------------------- Ab Juni erinnert Lets Encrypt nicht mehr an ablaufende Zertifikate. Administratoren wird empfohlen, auf alternative Dienste umzusteigen. --------------------------------------------- https://www.golem.de/news/kosteneinsparungen-let-s-encrypt-stellt-ablaufwar… ∗∗∗ Netgear fixes critical bugs as Five Eyes warn about break-ins at the edge ∗∗∗ --------------------------------------------- International security squads all focus on stopping baddies busting in through routers, IoT kit etc Netgear is advising customers to upgrade their firmware after it patched two critical vulnerabilities affecting multiple routers. --------------------------------------------- https://www.theregister.com/2025/02/05/netgear_fixes_critical_bugs_while/ ∗∗∗ In eigener Sache, wir stellen ein: System-Administrator:in (m/w/d - Vollzeit - Wien) ∗∗∗ --------------------------------------------- Für die Betreuung unserer Informations- und Kommunikationstechnik suchen wir eine/n System-Administrator:in mit Fachwissen im Bereich IT- und Netzwerk-Security. --------------------------------------------- https://www.cert.at/de/ueber-uns/jobs/ ∗∗∗ 7-Zip: Mark-of-the-Web-Lücke wurde von Angreifern missbraucht ∗∗∗ --------------------------------------------- Die kürzlich gemeldete Mark-of-the-Web-Schwachstelle in 7-Zip wurde von Angreifern in freier Wildbahn für Schadcode-Schmuggel missbraucht. --------------------------------------------- https://www.heise.de/news/7-Zip-Mark-of-the-Web-Luecke-wurde-von-Angreifern… ∗∗∗ Support ausgelaufen: Keine Sicherheitsupdates mehr für attackierte Zyxel-Router ∗∗∗ --------------------------------------------- Derzeit hat es eine Mirai-Botnet-Malware auf bestimmte Routermodelle von Zyxel abgesehen. Weil der Support ausgelaufen ist, müssen Admins jetzt handeln. --------------------------------------------- https://www.heise.de/news/Support-ausgelaufen-Keine-Sicherheitsupdates-mehr… ∗∗∗ Who’s Behind the Seized Forums ‘Cracked’ & ‘Nulled’? ∗∗∗ --------------------------------------------- The FBI joined authorities across Europe last week in seizing domain names for Cracked and Nulled, English-language cybercrime forums with millions of users that trafficked in stolen data, hacking tools and malware. An investigation into the history of these communities shows their apparent co-founders quite openly operate an Internet .. --------------------------------------------- https://krebsonsecurity.com/2025/02/whos-behind-the-seized-forums-cracked-n… ∗∗∗ Secure sanitisation and disposal of storage media ∗∗∗ --------------------------------------------- How to ensure data cannot be recovered from electronic storage media. --------------------------------------------- https://www.ncsc.gov.uk/guidance/secure-sanitisation-storage-media ∗∗∗ Hackers Using Fake Microsoft ADFS Login Pages to Steal Credentials ∗∗∗ --------------------------------------------- A global phishing campaign is actively exploiting a legacy Microsoft authentication system to steal user credentials and bypass multi-factor authentication (MFA), targeting over 150 organizations. --------------------------------------------- https://hackread.com/hackers-fake-microsoft-adfs-login-pages-steal-credenti… ∗∗∗ Banking Malware Uses Live Numbers to Hijack OTPs, Targeting 50,000 Victims ∗∗∗ --------------------------------------------- A banking malware campaign using live phone numbers to redirect SMS messages has been identified by the zLabs research team, uncovering 1,000+ malicious apps and 2.5GB of exposed data. --------------------------------------------- https://hackread.com/banking-malware-live-numbers-hijack-otp-50000-victims/ ∗∗∗ Preventing account takeover on centralized cryptocurrency exchanges in 2025 ∗∗∗ --------------------------------------------- This blog post highlights key points from our new white paper Preventing Account Takeovers on Centralized Cryptocurrency Exchanges, which documents ATO-related attack vectors and defenses tailored to CEXes. --------------------------------------------- https://blog.trailofbits.com/2025/02/05/preventing-account-takeover-on-cent… ===================== = Vulnerabilities = ===================== ∗∗∗ Multiple vulnerabilities in Defense Platform Home Edition ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN66673020/ ∗∗∗ Cisco Secure Email and Web Manager, Secure Email Gateway, and Secure Web Appliance Vulnerabilities ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Secure Web Appliance Range Request Bypass Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco IOS, IOS XE, and IOS XR Software SNMP Denial of Service Vulnerabilities ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerabilities ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Identity Services Engine Insecure Java Deserialization and Authorization Bypass Vulnerabilities ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Expressway Series Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Secure Email and Web Manager and Secure Email Gateway Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Secure Email and Web Manager, Secure Email Gateway, and Secure Web Appliance SNMP Polling Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.02.2025
by Daily end-of-shift report 04 Feb '25

04 Feb '25

===================== = End-of-Day report = ===================== Timeframe: Montag 03-02-2025 18:00 − Dienstag 04-02-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ 7-Zip MotW bypass exploited in zero-day attacks against Ukraine ∗∗∗ --------------------------------------------- A 7-Zip vulnerability allowing attackers to bypass the Mark of the Web (MotW) Windows security feature was exploited by Russian hackers as a zero-day since September 2024. --------------------------------------------- https://www.bleepingcomputer.com/news/security/7-zip-motw-bypass-exploited-… ∗∗∗ Beyond the Chatbot: Meta Phishing with Fake Live Support ∗∗∗ --------------------------------------------- In a previous Trustwave SpiderLabs’ blog, we explored how cybercriminals exploit Facebook Messenger chatbots to execute social engineering attacks, deceiving users into falling victim to scams and phishing schemes. These attacks .. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/beyond-the-… ∗∗∗ Meet the Hired Guns Who Make Sure School Cyberattacks Stay Hidden ∗∗∗ --------------------------------------------- An investigation into more than 300 cyberattacks against US K–12 schools over the past five years shows how schools can withhold crucial details from students and parents whose data was stolen. --------------------------------------------- https://www.wired.com/story/meet-the-hired-guns-who-make-sure-school-cybera… ∗∗∗ Lets Encrypt: 6-Tage-Zertifikate, keine Ablauf-Nachrichten zu Zertifikaten mehr ∗∗∗ --------------------------------------------- Lets Encrypt sieht einige Änderungen vor: Zertifikate mit sechs Tagen Laufzeit kommen neu hinzu. Zertifikat-Ablauf-Nachrichten fallen weg. --------------------------------------------- https://www.heise.de/news/Let-s-Encrypt-Ende-von-Zertifikat-Ablauf-Nachrich… ∗∗∗ A tale of enumeration, and why pen testing can’t be automated ∗∗∗ --------------------------------------------- TL;DR In an engagement we found an open directory on the internet belonging to our client By enumerating it we found a zip archive with a configuration file holding usernames .. --------------------------------------------- https://www.pentestpartners.com/security-blog/a-tale-of-enumeration-and-why… ∗∗∗ Practice being punched in the face. The realities of incident response preparation ∗∗∗ --------------------------------------------- “Everyone has a plan until they get punched in the face.” This Mike Tyson boxing quote perfectly encapsulates the chaos of a cybersecurity breach. TL;DR Accept that your organisation may .. --------------------------------------------- https://www.pentestpartners.com/security-blog/practice-being-punched-in-the… ∗∗∗ Neue Masche mit gefälschtem Post-Käuferschutz bei Kleinanzeigen ∗∗∗ --------------------------------------------- Kriminelle geben sich auf Kleinanzeigenplattformen als Kaufinteressierte aus und täuschen vor, Ihr Produkt über den Post Käuferschutz bezahlen zu wollen. Sie locken Sie auf eine gefälschte Zahlungsplattform, wo Sie Ihre Kreditkartendaten eingeben sollen, um die Zahlung zu bestätigen. Tatsächlich geben Sie aber eine Zahlung frei und .. --------------------------------------------- https://www.watchlist-internet.at/news/neue-masche-mit-gefaelschtem-post-ka… ∗∗∗ Stealers on the Rise: A Closer Look at a Growing macOS Threat ∗∗∗ --------------------------------------------- Atomic Stealer, Poseidon Stealer and Cthulhu Stealer target macOS. We discuss their various properties and examine leverage of the AppleScript framework. --------------------------------------------- https://unit42.paloaltonetworks.com/macos-stealers-growing/ ∗∗∗ Law Enforcement disrupts Major Spam Delivery Service ∗∗∗ --------------------------------------------- “The Saim Raza-run websites operated as marketplaces that advertised and facilitated the sale of tools such as phishing kits, scam pages and email extractors often .. --------------------------------------------- https://www.truesec.com/hub/blog/law-enforcement-disrupts-major-spam-delive… ∗∗∗ Hackers Hide Malware in Fake DeepSeek PyPI Packages ∗∗∗ --------------------------------------------- Malicious DeepSeek packages on PyPI spread malware, stealing sensitive data like API keys. Learn how this attack targeted developers and how to protect yourself. --------------------------------------------- https://hackread.com/hackers-hide-malware-fake-deepseek-pypi-packages/ ∗∗∗ CVE-2023-6080: A Case Study on Third-Party Installer Abuse ∗∗∗ --------------------------------------------- Mandiant exploited flaws in the Microsoft Software Installer (MSI) repair action of Lakeside Softwares SysTrack installer to obtain arbitrary code execution. An attacker with low-privilege access to a system running the vulnerable version of SysTrack .. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/cve-2023-6080-thir… ∗∗∗ CISA Partners with ASD’s ACSC, CCCS, NCSC-UK, and Other International and US Organizations to Release Guidance on Edge Devices ∗∗∗ --------------------------------------------- CISA—in partnership with international and U.S. organizations—released guidance to help organizations protect their network edge devices and appliances, such as firewalls, routers, virtual private networks (VPN) gateways, Internet of Things (IoT) devices, internet-facing servers, and internet-facing operational technology (OT) .. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/02/04/cisa-partners-asds-acsc-… ∗∗∗ 8 Million Requests Later, We Made The SolarWinds Supply Chain Attack Look Amateur ∗∗∗ --------------------------------------------- Surprise surprise, weve done it again. Weve demonstrated an ability to compromise significantly sensitive networks, including governments, militaries, space agencies, cyber security companies, .. --------------------------------------------- https://labs.watchtowr.com/8-million-requests-later-we-made-the-solarwinds-… ∗∗∗ Go Supply Chain Attack: Malicious Package Exploits Go Module Proxy Caching for Persistence ∗∗∗ --------------------------------------------- Socket researchers have discovered a malicious typosquat package in the Go ecosystem, impersonating the widely used BoltDB database module (github.com/boltdb/bolt), a tool trusted by many organizations including Shopify and Heroku. The BoltDB package is widely adopted within the Go ecosystem, with 8,367 other packages depending on it. Its extensive .. --------------------------------------------- https://socket.dev/blog/malicious-package-exploits-go-module-proxy-caching-… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (openjdk-17), Fedora (chromium, fastd, ovn, and yq), Mageia (libxml2 and redis), Oracle (gstreamer1-plugins-base, gstreamer1-plugins-good), Red Hat (buildah, bzip2, galera, mariadb, grafana, keepalived, libsoup, mariadb:10.11, mariadb:10.5, mingw-glib2, podman, python-jinja2, and rsync), SUSE (bind, ignition, .. --------------------------------------------- https://lwn.net/Articles/1007886/ ∗∗∗ Synology-SA-25:01 DSM (PWN2OWN 2024) ∗∗∗ --------------------------------------------- A vulnerability allows man-in-the-middle attackers to hijack the authentication of administrators.The vulnerability reported by PWN2OWN 2024 (ZDI-CAN-25487) has been addressed. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_25_01 ∗∗∗ CISA Releases Nine Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- CISA released nine Industrial Control Systems (ICS) advisories on February 4, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.ICSA-25-035-01 Western Telematic Inc NPS Series, DSM Series, CPM SeriesICSA-25-035-02 Rockwell Automation 1756-L8zS3 and 1756-L3 and 1756-L3ICSA-25-035-03 .. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/02/04/cisa-releases-nine-indus… ∗∗∗ Security Vulnerabilities fixed in Thunderbird 135 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-11/ ∗∗∗ Security Vulnerabilities fixed in Thunderbird ESR 128.7 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-10/ ∗∗∗ Security Vulnerabilities fixed in Firefox ESR 128.7 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-09/ ∗∗∗ Security Vulnerabilities fixed in Firefox ESR 115.20 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-08/ ∗∗∗ Security Vulnerabilities fixed in Firefox 135 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-07/ ∗∗∗ Zyxel security advisory for command injection and insecure default credentials vulnerabilities in certain legacy DSL CPE ∗∗∗ --------------------------------------------- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.02.2025
by Daily end-of-shift report 03 Feb '25

03 Feb '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 31-01-2025 18:00 − Montag 03-02-2025 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ DeepSeek AI tools impersonated by infostealer malware on PyPI ∗∗∗ --------------------------------------------- Threat actors are taking advantage of the rise in popularity of the DeepSeek to promote two malicious infostealer packages on the Python Package Index (PyPI), where they impersonated developer tools for the AI platform. --------------------------------------------- https://www.bleepingcomputer.com/news/security/deepseek-ai-tools-impersonat… ∗∗∗ DeepSeek’s Safety Guardrails Failed Every Test Researchers Threw at Its AI Chatbot ∗∗∗ --------------------------------------------- Security researchers tested 50 well-known jailbreaks against DeepSeek’s popular new AI chatbot. It didn’t stop a single one. --------------------------------------------- https://www.wired.com/story/deepseeks-ai-jailbreak-prompt-injection-attacks/ ∗∗∗ What Cybersecurity Can Teach Us About the Human Body ∗∗∗ --------------------------------------------- Understanding cybersecurity can sometimes feel like steering a maze of technical terms and complex systems. But a recent infographic shared by @yanabantai on X (formerly Twitter) has made it simpler, offering a fresh perspective by comparing cybersecurity to the human body. --------------------------------------------- https://thecyberexpress.com/cybersecurity-about-the-human-body/ ∗∗∗ Erstmals leicht sinkende Tendenz bei Anzeigen zur Cyberkriminalität ∗∗∗ --------------------------------------------- Wenn in den nächsten Wochen die Kriminalstatistik veröffentlicht wird, ist von einer Trendumkehr bei Cybercrime auszugehen. Erstmals wird es in diesem Bereich einen leichten Rückgang bei den Anzeigen 2024 im Vergleich zu 2023 geben. --------------------------------------------- https://www.derstandard.at/story/3000000255493/erstmals-leicht-sinkende-ten… ∗∗∗ Phishing-Fallen: Wiener Polizei sucht Täter mittels Fahndungsfotos ∗∗∗ --------------------------------------------- Mit einer SMS und gefälschten Banken-Website wurden mehrere Menschen in Österreich in die Falle gelockt und bestohlen. [..] Mit Bildern aus Überwachungskameras jener Bankautomaten, wo Geld von den Opfern behoben wurde, wird nun nach den Verdächtigen gesucht. Die Fotos sind auf der Website der Polizei zu sehen. --------------------------------------------- https://futurezone.at/digital-life/phishing-wien-polizei-oesterreich-foto-b… ∗∗∗ Hacker nutzen Google Gemini für Cyber-Angriffe ∗∗∗ --------------------------------------------- Kriminelle nutzen Googles Künstliche Intelligenz Gemini für Cyberangriffe, Phishing und Spionage. [..] Die Hacker nutzen Gemini derzeit zwar nicht, um neue kriminelle Methoden ausfindig zu machen, aber um bestehende zu verbessern. --------------------------------------------- https://futurezone.at/digital-life/google-gemini-hacker-cyber-angriffe-iran… ∗∗∗ 1-Click Phishing Campaign Targets High-Profile X Accounts ∗∗∗ --------------------------------------------- In an attack vector thats been used before, threat actors aim to commit crypto fraud by hijacking highly followed users, thus reaching a broad audience of secondary victims. --------------------------------------------- https://www.darkreading.com/endpoint-security/one-click-phishing-campaign-h… ∗∗∗ Journalists and Civil Society Members Using WhatsApp Targeted by Paragon Spyware ∗∗∗ --------------------------------------------- This is yet another story of commercial spyware being used against journalists and civil society members. The journalists and other civil society members were being alerted of a possible breach of their devices, with WhatsApp telling the Guardian it had “high confidence” that the 90 users in question had been targeted and “possibly compromised. --------------------------------------------- https://www.schneier.com/blog/archives/2025/02/journalists-and-civil-societ… ∗∗∗ Further Adventures With CMPivot — Client Coercion ∗∗∗ --------------------------------------------- CMPivot queries can be used to coerce SMB authentication from SCCM client hosts. --------------------------------------------- https://posts.specterops.io/further-adventures-with-cmpivot-client-coercion… ∗∗∗ CVE-2023-6080: A Case Study on Third-Party Installer Abuse ∗∗∗ --------------------------------------------- Mandiant exploited flaws in the Microsoft Software Installer (MSI) repair action of Lakeside Softwares SysTrack installer to obtain arbitrary code execution. An attacker with low-privilege access to a system running the vulnerable version of SysTrack could escalate privileges locally. [..] August 7, 2024 - Confirmed vulnerability fixed in version 11.0 --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/cve-2023-6080-thir… ∗∗∗ OPA Gatekeeper Bypass Reveals Risks in Kubernetes Policy Engines ∗∗∗ --------------------------------------------- Implementing Kubernetes securely can be a daunting task. Fortunately, there are tools in the K8s toolshed that provide out-of-the-box solutions using a single click. One such tools is OPA Gatekeeper. It is a great out-of-the-box security checkpoint to enforce security policies on Kubernetes. But are users using it correctly? Do they understand its limitations? Our new research says not necessarily! --------------------------------------------- https://blog.aquasec.com/opa-gatekeeper-bypass-reveals-risks-in-kubernetes-… ∗∗∗ Stronger Than Ever: How We Turned a DDoS Attack Into a Lesson in Resilience ∗∗∗ --------------------------------------------- We were subjected to several attempted DDoS attacks, and the first cohort didn't even raise an alarm, but on the 23rd Jan, we noticed the first impact. [..] Maybe you and your organisation will face a similar issue in the future and you can be more aware of the ransom scam, maybe the lessons we learned here are something you can use to avoid similar issues of your own in the future, or maybe this blog post was just an interesting read for you. --------------------------------------------- https://scotthelme.ghost.io/stronger-than-ever-how-we-turned-a-ddos-attack-… ∗∗∗ Vulnerability & Patch Roundup — January 2025 ∗∗∗ --------------------------------------------- Vulnerability reports and responsible disclosures are essential for website security awareness and education. --------------------------------------------- https://blog.sucuri.net/2025/01/vulnerability-patch-roundup-january-2025.ht… ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitsupdates: Zahlreiche Lücken gefährden Backup-Appliances von Dell ∗∗∗ --------------------------------------------- Admins, die Backups mit Dells PowerProtect managen, sollten aus Sicherheitsgründen aktuelle Versionen von Data Domain Operating System (DD OS) installieren. Geschieht das nicht, können Angreifer Systeme vollständig kompromittieren. --------------------------------------------- https://www.heise.de/-10267578 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (git-lfs, libsoup, and unbound), Debian (dcmtk, ffmpeg, openjdk-11, pam-u2f, and python-aiohttp), Fedora (buku, chromium, jpegxl, nodejs18, nodejs20, and rust-routinator), Mageia (clamav, kernel, kmod-virtualbox, kmod-xtables-addons & dwarves, and kernel-linus), SUSE (apptainer, bind, buildah, chromedriver, clamav, dovecot24, ignition, kubelogin, libjxl, libQt5Bluetooth5-32bit, orc, owasp-modsecurity-crs, python-pydantic, python311-ipython, and stb), and Ubuntu (linux-azure and netdata). --------------------------------------------- https://lwn.net/Articles/1007646/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 31.01.2025
by Daily end-of-shift report 31 Jan '25

31 Jan '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 30-01-2025 18:00 − Freitag 31-01-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Windows Exploitation Tricks: Trapping Virtual Memory Access (2025 Update) ∗∗∗ --------------------------------------------- Back in 2021 I wrote a blog post about various ways you can build a virtual memory access trap primitive on Windows. The goal was to cause a reader or writer of a virtual memory address to halt for a significant (e.g. 1 or more seconds) amount of time, generally for the purpose of exploiting TOCTOU memory access .. --------------------------------------------- https://googleprojectzero.blogspot.com/2025/01/windows-exploitation-tricks-… ∗∗∗ Infrastructure Laundering: Blending in with the Cloud ∗∗∗ --------------------------------------------- In an effort to blend in and make their malicious traffic tougher to block, hosting firms catering to cybercriminals in China and Russia increasingly are funneling their operations through major U.S. cloud providers. Research published this week on one such outfit -- a sprawling network tied to Chinese organized crime gangs and aptly named "Funnull" -- highlights a persistent whac-a-mole problem facing cloud services. --------------------------------------------- https://krebsonsecurity.com/2025/01/infrastructure-laundering-blending-in-w… ∗∗∗ Operation "Talent" nimmt weltgrößte Plattformen für Cyberkriminalität vom Netz ∗∗∗ --------------------------------------------- Bei einer internationalen Aktion wurden die Cracking-Foren nulled.to und cracked.io vom Netz genommen --------------------------------------------- https://www.derstandard.at/story/3000000255412/operation-talent-nimmt-weltg… ∗∗∗ Recent Jailbreaks Demonstrate Emerging Threat to DeepSeek ∗∗∗ --------------------------------------------- Evaluation of three jailbreaking techniques on DeepSeek shows risks of generating prohibited content. --------------------------------------------- https://unit42.paloaltonetworks.com/jailbreaking-deepseek-three-techniques/ ∗∗∗ On hackers, hackers, and hilarious misunderstandings ∗∗∗ --------------------------------------------- "Hacker", as we in the bizz know well, carries different meanings for different people, and this can cause hilarious misunderstandings. Yesterday, the Polish TV network TVN aired the second part of an ongoing documentary about issues in NEWAG trains that were analyzed by Dragon Sector. Near the end, the documentary featured a recording .. --------------------------------------------- https://gynvael.coldwind.pl/?id=799 ∗∗∗ Cyberangriffe auf SimpleHelp RMM beobachtet ∗∗∗ --------------------------------------------- In SimepleHelp RMM missbrauchen Angreifer Sicherheitslücken, um Netzwerke zu kompromittieren. Updates stehen bereit. --------------------------------------------- https://heise.de/-10265414 ∗∗∗ The Slow Death of OCSP ∗∗∗ --------------------------------------------- Everybody is talking about OCSP now because, just last month, at the end of 2024, Let’s Encrypt announced it was going to stop supporting online certificate revocation checking. Beginning in early May 2025, there will no longer be any OCSP revocation information in Let’s Encrypt’s certificates. Once all its earlier certificates expire, Let’s Encrypt will shut down its OCSP servers. --------------------------------------------- https://www.feistyduck.com/newsletter/issue_121_the_slow_death_of_ocsp ∗∗∗ PyPI’s New Archival Feature Closes a Major Security Gap ∗∗∗ --------------------------------------------- A major security improvement has landed on PyPI: maintainers can now archive projects, making it clear when a package is no longer actively maintained. This long-awaited feature, developed by Trail of Bits and funded by Alpha-Omega, helps developers make informed decisions about dependencies while protecting the Python ecosystem from risks associated .. --------------------------------------------- https://socket.dev/blog/pypi-adds-support-for-archiving-projects ∗∗∗ VMware Aria Vulnerabilities Addressed ∗∗∗ --------------------------------------------- VMware Security Advisory VMSA-2025-0003 addresses multiple vulnerabilities identified in VMware Aria Operations for Logs and VMware Aria Operations. These vulnerabilities, if exploited, could allow attackers to .. --------------------------------------------- https://thecyberthrone.in/2025/01/31/vmware-aria-vulnerabilities-addressed/ ∗∗∗ DeepSeek’s Popularity Sparks Surge in Crypto Phishing and Malware Campaigns ∗∗∗ --------------------------------------------- The rapid rise of DeepSeek, a Chinese artificial intelligence company known for its open-source large language models (LLMs), has sparked not only excitement but also a significant increase in cyber threats. As of January 2025, the company launched its first free chatbot app, “DeepSeek – AI Assistant,” which quickly became the most downloaded .. --------------------------------------------- https://thecyberexpress.com/deepseeks-surge-sparks-malware-campaigns/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (libsoup), Debian (debian-security-support and redis), Fedora (expat, java-21-openjdk, lemonldap-ng, and phpMyAdmin), Mageia (chromium-browser-stable and git-lfs), Oracle (bzip2, git-lfs, libsoup, mariadb:10.11, mariadb:10.5, python-jinja2, redis, and unbound), Red Hat (git-lfs, libsoup, python-jinja2, .. --------------------------------------------- https://lwn.net/Articles/1007252/ ∗∗∗ VU#733789: ChatGPT-4o contains security bypass vulnerability through time and search functions called "Time Bandit" ∗∗∗ --------------------------------------------- https://kb.cert.org/vuls/id/733789 ∗∗∗ ZDI-25-060: Google Chrome AI Manager Use-After-Free Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-060/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.01.2025
by Daily end-of-shift report 30 Jan '25

30 Jan '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 29-01-2025 18:00 − Donnerstag 30-01-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ No need to RSVP: a closer look at the Tria stealer campaign ∗∗∗ --------------------------------------------- Kaspersky GReAT experts discovered a new campaign targeting Android devices in Malaysia and Brunei with the Tria stealer to collect data from apps like WhatsApp and Gmail. --------------------------------------------- https://securelist.com/tria-stealer-collects-sms-data-from-android-devices/… ∗∗∗ Exposed DeepSeek Database Revealed Chat Prompts and Internal Data ∗∗∗ --------------------------------------------- China-based DeepSeek has exploded in popularity, drawing greater scrutiny. Case in point: Security researchers found more than 1 million records, including user data and API keys, in an open database. --------------------------------------------- https://www.wired.com/story/exposed-deepseek-database-revealed-chat-prompts… ∗∗∗ Europol warnt vor gefälschten Medikamenten in Online-Angeboten ∗∗∗ --------------------------------------------- Europol hat 2024 Medikamente im Wert von rund 11,1 Millionen Euro beschlagnahmt. Sie waren gefälscht und für den Online-Handel vorgesehen. --------------------------------------------- https://www.heise.de/news/Europol-warnt-vor-gefaelschten-Medikamenten-in-On… ∗∗∗ Warten auf Patch: Das Admin-Interface Voyager für Laravel-Apps ist verwundbar ∗∗∗ --------------------------------------------- Sicherheitsforscher warnen vor möglichen Attacken auf Voyager. Bislang haben sich die Entwickler zu den Sicherheitslücken nicht geäußert. --------------------------------------------- https://www.heise.de/news/Warten-auf-Patch-Das-Admin-Interface-Voyager-fuer… ∗∗∗ Linux-related discussion as a cybersecurity threat ∗∗∗ --------------------------------------------- Starting on January 19, 2025 Facebooks internal policy makers decided that Linux is malware and labeled groups associated with Linux as being "cybersecurity threats". Any posts mentioning DistroWatch and multiple groups associated with Linux and Linux discussions have either been shut down or had many of their posts removed. Weve been hearing all week .. --------------------------------------------- https://lwn.net/Articles/1006328/ ∗∗∗ Betrugswelle auf Facebook: Gefälschte Lagerabverkäufe von Hofer und Zara ∗∗∗ --------------------------------------------- Aktuell kursieren auf Facebook Postings, die angeblich von bekannten Marken stammen und mit einem Lagerabverkauf werben. Nutzer:innen wird suggeriert, dass Unternehmen wie Hofer oder Zara kostenlose Kaffeemaschinen oder Geschenkboxen zu Sonderpreisen verschenken. Doch Vorsicht: Es handelt sich um gefälschte Angebote von Kriminellen, die es nur auf Kreditkartendaten abgesehen haben. --------------------------------------------- https://www.watchlist-internet.at/news/betrugswelle-auf-facebook-gefaelscht… ∗∗∗ Risikobild 2025 ∗∗∗ --------------------------------------------- Das österreichische Verteidigungsministerium präsentierte am 27. Jänner das "Risikobild 2025". Wie nicht anders zu erwarten war, dominieren geopolitische Herausforderungen die Risikolandschaft. Der Ukraine-Krieg, die Spannungen zwischen China und den USA sowie der Nahe Osten sind auch die ersten Themen, die mir einfallen würden, wenn mich .. --------------------------------------------- https://www.cert.at/de/blog/2025/1/risikobild-2025 ∗∗∗ Talos IR trends Q4 2024: Web shell usage and exploitation of public-facing applications spike ∗∗∗ --------------------------------------------- This new report from Cisco Talos Incident Response explores how threat actors increasingly deployed web shells against vulnerable web applications, and exploited vulnerable or unpatched public-facing applications to gain initial access. --------------------------------------------- https://blog.talosintelligence.com/talos-ir-trends-q4-2024/ ∗∗∗ FBI Seizes Leading Hacking Forums Cracked.io and Nulled.to ∗∗∗ --------------------------------------------- Nulled.to, Cracked.to and Cracked.io, major hacking forums, appear seized by the FBI as DNS records point to FBI. --------------------------------------------- https://hackread.com/fbi-seizes-hacking-forums-cracked-to-nulled-to/ ∗∗∗ Common OAuth Vulnerabilities ∗∗∗ --------------------------------------------- OAuth2’s popularity makes it a prime target for attackers. While it simplifies user login, its complexity can lead to misconfigurations that create security holes. Some of the more intricate vulnerabilities keep reappearing because the protocol’s inner workings are not always well-understood. In an effort to change that, we have decided to .. --------------------------------------------- https://blog.doyensec.com/2025/01/30/oauth-common-vulnerabilities.html ===================== = Vulnerabilities = ===================== ∗∗∗ Google Tag - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-012 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2025-012 ∗∗∗ Google Tag - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-011 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2025-011 ∗∗∗ Drupal Admin LTE theme - Critical - Unsupported - SA-CONTRIB-2025-010 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2025-010 ∗∗∗ Authenticator Login - Critical - Access bypass - SA-CONTRIB-2025-009 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2025-009 ∗∗∗ Matomo Analytics - Moderately critical - Cross site request forgery - SA-CONTRIB-2025-008 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2025-008 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.01.2025
by Daily end-of-shift report 29 Jan '25

29 Jan '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 28-01-2025 18:00 − Mittwoch 29-01-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Threat predictions for industrial enterprises 2025 ∗∗∗ --------------------------------------------- Kaspersky ICS CERT analyzes industrial threat trends and makes forecasts on how the industrial threat landscape will look in 2025. --------------------------------------------- https://securelist.com/industrial-threat-predictions-2025/115327/ ∗∗∗ ExxonMobil Lobbyist Caught Hacking Climate Activists ∗∗∗ --------------------------------------------- The Department of Justice is investigating a lobbying firm representing ExxonMobil for hacking the phones of climate activists:The hacking was allegedly commissioned by a Washington, D.C., lobbying firm, according to a lawyer representing the U.S. government. The firm, in turn, was allegedly working on behalf of one of the world’s largest oil and gas .. --------------------------------------------- https://www.schneier.com/blog/archives/2025/01/exxonmobil-lobbyist-caught-h… ∗∗∗ Industrielle Kontrollsysteme: Attacken auf kritische Infrastrukturen möglich ∗∗∗ --------------------------------------------- Es sind wichtige Sicherheitsupdates für industriellen Steuerungssysteme von unter anderem Rockwell und Schneider erschienen. --------------------------------------------- https://www.heise.de/news/Industrielle-Kontrollsysteme-Attacken-auf-kritisc… ∗∗∗ Zwei Sidechannel-Attacken auf Apples M-Prozessoren ∗∗∗ --------------------------------------------- Die schwerwiegenden Sicherheitslücken lassen sich für Angriffe auf Webbrowser aus der Ferne nutzen. Betroffen sind viele Mobil- und Desktop-Geräte von Apple. --------------------------------------------- https://www.heise.de/news/Zwei-Sidechannel-Attacken-auf-Apples-M-Prozessore… ∗∗∗ How we estimate the risk from prompt injection attacks on AI systems ∗∗∗ --------------------------------------------- Modern AI systems, like Gemini, are more capable than ever, helping retrieve data and perform actions on behalf of users. However, data from external sources present new security challenges if untrusted sources are available to execute instructions on AI systems. Attackers can take advantage of this by hiding malicious instructions in data .. --------------------------------------------- http://security.googleblog.com/2025/01/how-we-estimate-risk-from-prompt.html ∗∗∗ Backups & DRP in the ransomware era ∗∗∗ --------------------------------------------- In today’s digital landscape, the threat of ransomware has forced organizations to reevaluate their disaster recovery plans. Traditional approaches to data protection were focused primarily on high availability and are no longer sufficient. As cyber threats evolve, so must our strategies for safeguarding critical information. This blog post explores the .. --------------------------------------------- https://blog.nviso.eu/2025/01/29/backups-drp-in-the-ransomware-era/ ∗∗∗ Hackers Actively Exploiting Fortinet Firewalls: Real-Time Insights from GreyNoise ∗∗∗ --------------------------------------------- This blog details how attackers are actively exploiting Fortinet FortiGate firewalls vulnerable to CVE-2022-40684, with real-time insights from GreyNoise to help defenders understand and respond to these threats. --------------------------------------------- https://www.greynoise.io/blog/hackers-actively-exploiting-fortinet-firewall… ∗∗∗ Active Exploitation of Zero-day Zyxel CPE Vulnerability (CVE-2024-40891) ∗∗∗ --------------------------------------------- CVE-2024-40891: Zyxel CPE Zero-day Exploitation. Hackers are actively exploiting a telnet-based command injection vulnerability in Zyxel CPE devices, impacting 1,500+ exposed systems. No patch is available yet. --------------------------------------------- https://www.greynoise.io/blog/active-exploitation-of-zero-day-zyxel-cpe-vul… ∗∗∗ Adversarial Misuse of Generative AI ∗∗∗ --------------------------------------------- Rapid advancements in artificial intelligence (AI) are unlocking new possibilities for the way we work and accelerating innovation in science, technology, and beyond. In cybersecurity, AI is poised to transform digital defense, empowering defenders and enhancing our collective security. Large language models (LLMs) open new possibilities for .. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/adversarial-misuse… ∗∗∗ CVE-2024-46507: Yeti Platform Server-Side Template Injection (SSTI) ∗∗∗ --------------------------------------------- Yeti is a Forensic Intelligence platform and pipeline for DFIR teams. It allows threat intelligence and DFIR teams to catalog, search, and link pieces of intelligence such as IP addresses, TTPs, and threat actors. With 10,000 .. --------------------------------------------- https://rhinosecuritylabs.com/research/cve-2024-46507-yeti-server-side-temp… ∗∗∗ CISA Brings KEV Data to GitHub ∗∗∗ --------------------------------------------- The Cybersecurity and Infrastructure Security Agency (CISA) just made a major move to improve access and usability for its Known Exploited Vulnerabilities (KEV) catalog. Announced by Tod Beardsley on LinkedIn, CISA has launched a new kev-data repository on GitHub, allowing developers, researchers, and cybersecurity enthusiasts to access KEV data in .. --------------------------------------------- https://socket.dev/blog/cisa-brings-kev-data-to-github ∗∗∗ CVE-2024-49138 Windows CLFS heap-based buffer overflow analysis – Part 2 ∗∗∗ --------------------------------------------- In the previous article, we discussed a vulnerability in the LoadContainerQ() function inside clfs.sys. The root cause of the vulnerability was LoadContainerQ() using a CLFS_CONTAINER_CONTEXT.pContainer without checking if FlushImage() invalidated the General Metadata Block. --------------------------------------------- https://security.humanativaspa.it/cve-2024-49138-windows-clfs-heap-based-bu… ∗∗∗ CVE-2024-49138 Windows CLFS heap-based buffer overflow analysis – Part 1 ∗∗∗ --------------------------------------------- CVE-2024-49138 is a Windows vulnerability detected by CrowdStrike as exploited in the wild. Microsoft patched the vulnerability on December 10th, 2024 with KB5048685 (for Windows 11 .. --------------------------------------------- https://security.humanativaspa.it/cve-2024-49138-windows-clfs-heap-based-bu… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (bzip2, gimp:2.8, keepalived, mariadb:10.11, mariadb:10.5, python-jinja2, and redis), Debian (iperf3, libtar, and pdns-recursor), Fedora (abseil-cpp, dotnet8.0, dotnet9.0, golang, libsoup3, and vaultwarden), Oracle (gimp:2.8, iperf3, keepalived, kernel, redis:7, and unbound), Red Hat (libsoup), SUSE (amazon-ssm-agent, .. --------------------------------------------- https://lwn.net/Articles/1006677/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.01.2025
by Daily end-of-shift report 28 Jan '25

28 Jan '25

===================== = End-of-Day report = ===================== Timeframe: Montag 27-01-2025 18:00 − Dienstag 28-01-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ EU sanctions Russian GRU hackers for cyberattacks against Estonia ∗∗∗ --------------------------------------------- The European Union sanctioned three hackers, part of Unit 29155 of Russias military intelligence service (GRU), for their involvement in cyberattacks targeting Estonias government agencies in 2020. --------------------------------------------- https://www.bleepingcomputer.com/news/security/eu-sanctions-russian-gru-hac… ∗∗∗ Israel: Hacker kapern Notfallsirenen und spielen arabische Musik ∗∗∗ --------------------------------------------- In mehreren israelischen Einrichtungen ist kürzlich unerwartet arabische Musik aus den Notfallsirenen ertönt. Eine Hackergruppe hat sich schuldig bekannt. --------------------------------------------- https://www.golem.de/news/israel-hacker-kapern-notfallsirenen-und-spielen-a… ∗∗∗ Beyond the hype: The business reality of AI for cybersecurity ∗∗∗ --------------------------------------------- Real-world insights from 400 IT leaders, plus practical guidance to enhance business outcomes --------------------------------------------- https://news.sophos.com/en-us/2025/01/28/beyond-the-hype-the-business-reali… ∗∗∗ Update: Cybercriminals still not fully on board the AI train (yet) ∗∗∗ --------------------------------------------- A year after our initial research on threat actors’ attitudes to generative AI, we revisit some underground forums and find that many cybercriminals are still skeptical – although there has been a slight shift. --------------------------------------------- https://news.sophos.com/en-us/2025/01/28/update-cybercriminals-still-not-fu… ∗∗∗ Top-Rated Chinese AI App DeepSeek Limits Registrations Amid Cyberattacks ∗∗∗ --------------------------------------------- DeepSeek, the Chinese AI startup that has captured much of the artificial intelligence (AI) buzz in recent days, said its restricting registrations on the service, citing malicious attacks."Due to large-scale malicious attacks on DeepSeeks services, .. --------------------------------------------- https://thehackernews.com/2025/01/top-rated-chinese-ai-app-deepseek.html ∗∗∗ Apple plugs security hole in its iThings thats already been exploited in iOS ∗∗∗ --------------------------------------------- Cupertino kicks off the year with a zero-day Apple has plugged a security hole in the software at the heart of its iPhones, iPads, Vision Pro goggles, Apple TVs and macOS Sequoia Macs, warning some miscreants have already exploited the bug. --------------------------------------------- https://www.theregister.com/2025/01/28/apple_cve_2025_24085/ ∗∗∗ Security pros more confident about fending off ransomware, despite being battered by attacks ∗∗∗ --------------------------------------------- Data leak, shmata leak. It will all work out, right? IT and security pros say they are more confident in their ability to manage ransomware attacks after nearly nine in ten (88 percent) were forced to contain efforts by criminals to breach their defenses in the past year. --------------------------------------------- https://www.theregister.com/2025/01/28/research_security_pros_gain_ransomwa… ∗∗∗ Auf Facebook konnte man E-Mail-Adressen, Telefonnummern, Einmalpasswörter, etc. von Fremden einsehen. ∗∗∗ --------------------------------------------- For an unknown period until the end of January 2024, Facebook appears to have suffered a data leak that has exposed users’ email addresses, phone numbers and other identifying information. [..] The issue was reported to Facebook via its bug bounty programme. While the demonstrated method stopped working two weeks after submission, the .. --------------------------------------------- https://social.leckse.net/@leckse/statuses/01JJPE94S1NQM62VY60S767S1H ∗∗∗ Sonicwall: Tausende Geräte für trivial angreifbare SSL-VPN-Lücke anfällig ∗∗∗ --------------------------------------------- Seit Anfang Januar gibt es einen Patch zum Schließen einer SSL-VPN-Lücke in Sonicwalls. Dennoch sind mehr als 5000 Geräte noch angreifbar. --------------------------------------------- https://www.heise.de/news/Leicht-angreifbare-Sonicwall-Luecke-Tausende-Gera… ∗∗∗ Teamviewer: Rechteausweitung durch Sicherheitslücke möglich ∗∗∗ --------------------------------------------- Teamviewer warnt vor einer Schwachstelle in den Windows-Versionen der Fernwartungssoftware, die Angreifern die Rechteausweitung ermöglicht. --------------------------------------------- https://www.heise.de/news/Teamviewer-Rechteausweitung-durch-Sicherheitsluec… ∗∗∗ A Tumultuous Week for Federal Cybersecurity Efforts ∗∗∗ --------------------------------------------- President Trump last week issued a flurry of executive orders that upended a number of government initiatives focused on improving the nations cybersecurity posture. The president fired all advisors from the Department of Homeland Securitys Cyber Safety Review Board, called for the creation of a strategic cryptocurrency reserve, and voided .. --------------------------------------------- https://krebsonsecurity.com/2025/01/a-tumultuous-week-for-federal-cybersecu… ∗∗∗ How Garmin watches reveal your personal data, and what you can do ∗∗∗ --------------------------------------------- TL;DR A walk-through of obtaining sensitive data from a Garmin watch using forensic techniques How digital forensics on a Garmin watch helped solve a double murder case A .. --------------------------------------------- https://www.pentestpartners.com/security-blog/how-garmin-watches-reveal-you… ∗∗∗ New TorNet backdoor seen in widespread campaign ∗∗∗ --------------------------------------------- Cisco Talos discovered an ongoing malicious campaign operated by a financially motivated threat actor targeting users, predominantly in Poland and Germany. --------------------------------------------- https://blog.talosintelligence.com/new-tornet-backdoor-campaign/ ∗∗∗ ScatterBrain: Unmasking the Shadow of PoisonPlugs Obfuscator ∗∗∗ --------------------------------------------- Since 2022, Google Threat Intelligence Group (GTIG) has been tracking multiple cyber espionage operations conducted by China-nexus actors utilizing POISONPLUG.SHADOW. These operations employ a custom obfuscating compiler that we refer to as "ScatterBrain," facilitating attacks against various entities across Europe and the Asia Pacific (APAC) region. ScatterBrain appears .. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/scatterbrain-unmas… ∗∗∗ Stating the Obvious: Vulns On the Rise in 2025 ∗∗∗ --------------------------------------------- Join Ben Edwards, as he takes a brief look back at one of the stories that was most interesting to him as a security data nerd from 2024. --------------------------------------------- https://www.bitsight.com/blog/2025-predictions-for-cve-vulnerabilities ∗∗∗ Get FortiRekt, I Am The Super_Admin Now - Fortinet FortiOS Authentication Bypass CVE-2024-55591 ∗∗∗ --------------------------------------------- Welcome to Monday, and what an excitingly fresh start to the week were all having. Grab your coffee, grab your vodka - were diving into a currently exploited-in-the-wild critical Authentication Bypass affecting .. --------------------------------------------- https://labs.watchtowr.com/get-fortirekt-i-am-the-super_admin-now-fortios-a… ∗∗∗ Clone2Leak: Your Git Credentials Belong To Us ∗∗∗ --------------------------------------------- In October 2024, I was hunting bugs for the GitHub Bug Bounty program. After investigating GitHub Enterprise Server for a while, I felt bored and decided to try to find bugs on GitHub Desktop instead. --------------------------------------------- https://flatt.tech/research/posts/clone2leak-your-git-credentials-belong-to… ∗∗∗ Best practices for key derivation ∗∗∗ --------------------------------------------- By Marc Ilunga Key derivation is essential in many cryptographic applications, including key exchange, key management, secure communications, and building robust cryptographic primitives. But it’s also easy to get wrong: although .. --------------------------------------------- https://blog.trailofbits.com/2025/01/28/best-practices-for-key-derivation/ ===================== = Vulnerabilities = ===================== ∗∗∗ Vulnerability in ClamAV Discovered by OSS-Fuzz ∗∗∗ --------------------------------------------- A security vulnerability has been identified in ClamAV, stemming from a potential buffer overflow read issue in .. --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-25-04 ∗∗∗ WordPress Plugin "Simple Image Sizes" vulnerable to cross-site scripting ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN88046370/ ∗∗∗ TYPO3-EXT-SA-2025-001: Account Takeover in extension "OpenID Connect Authentication" (oidc) ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-ext-sa-2025-001 ∗∗∗ Rockwell Automation FactoryTalk ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-028-03 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.01.2025
by Daily end-of-shift report 27 Jan '25

27 Jan '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 24-01-2025 18:00 − Montag 27-01-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Eine verpasste Chance: Schwaches Passwort-Hashing in VxWorks ∗∗∗ --------------------------------------------- Die Sicherheit von eingebetteten Systemen, die Echtzeitbetriebssysteme (RTOS) wie Wind River VxWorks verwenden, ist in risikoreichen Bereichen wie OT, .. --------------------------------------------- https://sec-consult.com/de/blog/detail/eine-verpasste-chance-schwaches-pass… ∗∗∗ Cracking the Giant: How ODAT Challenges Oracle, the King of Databases ∗∗∗ --------------------------------------------- In the past decade, Oracle Database (Oracle DB) has reigned supreme in the competitive arena of database engine popularity ranking as shown in Figure 1 and Figure 2. This pervasiveness has led Oracle Database to be trusted by Fortune 500 companies (e.g. Netflix, LinkedIn, eBay, etc.) to house, process, and safeguard their critical data. Its .. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cracking-th… ∗∗∗ GitHub Desktop Vulnerability Risks Credential Leaks via Malicious Remote URLs ∗∗∗ --------------------------------------------- Multiple security vulnerabilities have been disclosed in GitHub Desktop as well as other Git-related projects that, if successfully exploited, could permit an attacker to gain unauthorized access to a users Git credentials."Git implements a protocol called Git Credential Protocol to retrieve credentials from the .. --------------------------------------------- https://thehackernews.com/2025/01/github-desktop-vulnerability-risks.html ∗∗∗ Scammers Are Creating Fake News Videos to Blackmail Victims ∗∗∗ --------------------------------------------- “Yahoo Boy” scammers are impersonating CNN and other news organizations to create videos that pressure victims into making blackmail payments. --------------------------------------------- https://www.wired.com/story/scammers-are-creating-fake-news-videos-to-black… ∗∗∗ Technical Analysis of Xloader Versions 6 and 7 | Part 1 ∗∗∗ --------------------------------------------- Xloader is a malware family that is the successor to Formbook with information stealing capabilities targeting web browsers, email clients, and File Transfer Protocol (FTP) applications. The malware is also able to deploy second-stage payloads to an infected system. The author of Xloader regularly adds new functionality to target more .. --------------------------------------------- https://www.zscaler.com/blogs/security-research/technical-analysis-xloader-… ∗∗∗ Nach Sicherheitslücke bei D-Trust: CCC spricht von "Cyber-Augenwischerei" ∗∗∗ --------------------------------------------- Der Chaos Computer Club fordert vom Vertrauensdiensteanbieter D-Trust Verantwortung zu tragen und die Abschaffung des Hackerparagraphen. --------------------------------------------- https://www.heise.de/news/Nach-Sicherheitsluecke-bei-D-Trust-CCC-spricht-vo… ∗∗∗ Palo-Alto: Sicherheitslücken in Firmware und Bootloadern von Firewalls ∗∗∗ --------------------------------------------- Die Firmware und Bootloader von einigen Palo-Alto-Firewalls weisen Sicherheitslecks auf, die Angreifern das Einnisten nach Angriffen ermöglichen. --------------------------------------------- https://www.heise.de/news/Palo-Alto-Sicherheitsluecken-in-Firmware-und-Boot… ∗∗∗ Hacked buses blare out patriotic pro-European anthems in Tbilisi, attack government ∗∗∗ --------------------------------------------- Residents of Tbilisi, the capital city of Georgia, experienced an unexpected and unusual start to their Friday morning commute. As they boarded their public transport buses, they were greeted by a barrage of sound emanating .. --------------------------------------------- https://www.bitdefender.com/en-us/blog/hotforsecurity/hacked-buses-blare-ou… ∗∗∗ The 2024 Ransomware Landscape: Looking back on another painful year ∗∗∗ --------------------------------------------- In this post, we’ll examine the latest data points, discuss notable groups, and estimate the potential impact on victims — helping security teams plan their defenses for the months ahead. --------------------------------------------- https://www.rapid7.com/blog/post/2025/01/27/the-2024-ransomware-landscape-l… ∗∗∗ Brave Desktop Browser Vulnerability Lets Malicious Sites Appear Trusted ∗∗∗ --------------------------------------------- A critical vulnerability in Brave Browser allows malicious websites to appear as trusted sources during file uploads/downloads. --------------------------------------------- https://hackread.com/brave-desktop-browser-vulnerability-malicious-sites-tr… ∗∗∗ Datadog threat roundup: top insights for Q4 2024 ∗∗∗ --------------------------------------------- Threat insights from Datadog Security Labs for Q4 2024. --------------------------------------------- https://securitylabs.datadoghq.com/articles/2024-q4-threat-roundup/ ∗∗∗ Exploit Me, Baby, One More Time: Command Injection in Kubernetes Log Query ∗∗∗ --------------------------------------------- Kubernetes and containers in general have become a predominant force in the security world - and, as such, they’ve been a point of interest for researchers worldwide (including us). Our research journey initially led .. --------------------------------------------- https://www.akamai.com/blog/security-research/2024-january-kubernetes-log-q… ∗∗∗ Node.js EOL Versions CVE Dubbed the "Worst CVE of the Year" by Security Experts ∗∗∗ --------------------------------------------- On January 22, 2025, CVE-2025-23088 was published by HackerOne to inform users about the risks of continuing to use End-of-Life (EOL) versions of Node.js. This CVE has quickly sparked debate in the security community, with some experts labeling it the “worst CVE of the year” – not for its severity, but for the controversy surrounding .. --------------------------------------------- https://socket.dev/blog/node-js-eol-versions-cve-dubbed-the-worst-cve-of-th… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (git-lfs, java-17-openjdk, java-21-openjdk, kernel, and python-jinja2), Debian (git and git-lfs), Fedora (buildah, chromium, containers-common, freeipa, glibc, golang, mediawiki, pam-u2f, podman, and rsync), Mageia (glibc, iperf, openssl, phpmyadmin, and poppler), Oracle (firefox, git-lfs, grafana, .. --------------------------------------------- https://lwn.net/Articles/1006261/ ∗∗∗ Wind River Software VxWorks RTOS Weak Password Hashing Algorithms ∗∗∗ --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/wind-river-software-vxwo… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.01.2025
by Daily end-of-shift report 24 Jan '25

24 Jan '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 23-01-2025 18:00 − Freitag 24-01-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Hacker infects 18,000 "script kiddies" with fake malware builder ∗∗∗ --------------------------------------------- A threat actor targeted low-skilled hackers, known as "script kiddies," with a fake malware builder that secretly infected them with a backdoor to steal data and take over computers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hacker-infects-18-000-script… ∗∗∗ Malware Redirects WordPress Traffic to Harmful Sites ∗∗∗ --------------------------------------------- Recently, a customer approached us after noticing their website was redirecting visitors to a suspicious URL. They suspected their site had been compromised and sought assistance in identifying and resolving the issue. This .. --------------------------------------------- https://blog.sucuri.net/2025/01/malware-redirects-wordpress-traffic-to-harm… ∗∗∗ North Korean dev who renamed himself Bane accused of IT worker fraud scheme ∗∗∗ --------------------------------------------- 5 indicted as FBI warns North Korea dials up aggression, plus Russian devs allegedly get in on the act The US is indicting yet another five suspects it believes were involved in North Koreas long-running, fraudulent remote IT worker scheme – including one who changed their last name to "Bane" and scored a gig at a tech biz in San Francisco. --------------------------------------------- https://www.theregister.com/2025/01/24/north_korean_devs_and_their/ ∗∗∗ Dont want your Kubernetes Windows nodes hijacked? Patch this hole now ∗∗∗ --------------------------------------------- SYSTEM-level command injection via API parameter *chefs kiss* A now-fixed command-injection bug in Kubernetes can be exploited by a remote attacker to gain code execution with SYSTEM privileges on all Windows endpoints in a cluster, and thus fully take over those systems, according to Akamai researcher Tomer Peled. --------------------------------------------- https://www.theregister.com/2025/01/24/kubernetes_windows_nodes_bug/ ∗∗∗ Subaru Security Flaws Exposed Its System for Tracking Millions of Cars ∗∗∗ --------------------------------------------- Now-fixed web bugs allowed hackers to remotely unlock and start any of millions of Subarus. More disturbingly, they could also access at least a year of cars’ location histories—and Subaru employees still can. --------------------------------------------- https://www.wired.com/story/subaru-location-tracking-vulnerabilities/ ∗∗∗ Mehrere Staaten desinfizieren Botnetz, Deutschland nicht ∗∗∗ --------------------------------------------- Während Behörden in Frankreich und den USA die Schadsoftware Plug-X auf betroffenen Computern abschalten, wird in Deutschland über Infektionen nur informiert. --------------------------------------------- https://www.heise.de/news/Botnetz-Plug-X-Reinemachen-geht-nicht-10252309.ht… ∗∗∗ Jetzt patchen: Cross-Site-Scripting und Denial of Service in GitLab möglich ∗∗∗ --------------------------------------------- GitLab warnt vor drei Schwachstellen, von denen eine den Bedrohungsgrad "hoch" trägt. Patches stehen für die jüngeren Versionen bereit. --------------------------------------------- https://www.heise.de/news/Jetzt-patchen-Cross-Site-Scripting-und-Denial-of-… ∗∗∗ Malvertising: Mac-Homebrew-User im Visier ∗∗∗ --------------------------------------------- Kriminelle haben bösartige Werbeanzeigen auf Google geschaltet, die anstatt auf die Homebrew-Webseite auf eine echt wirkende Malware-Seite leitet. --------------------------------------------- https://www.heise.de/news/Malvertising-Mac-Homebrew-User-im-Visier-10255909… ∗∗∗ Cyber security guidance for small fleet operators ∗∗∗ --------------------------------------------- Introduction Cyber threats aren’t just a problem for large shipping organizations, small maritime fleet operators are also at risk. Anything from phishing emails to ransomware attacks, these threats can disrupt .. --------------------------------------------- https://www.pentestpartners.com/security-blog/cyber-security-guidance-for-s… ∗∗∗ Private Keys in the Fortigate Leak ∗∗∗ --------------------------------------------- A few days ago, a download link for a leak of configuration files for Fortigate/Fortinet devices was posted on an Internet forum. It appears that the data was collected in 2022 due to a security vulnerability known as CVE-2022-40684. According to a blog post by Fortinet in 2022, they were already aware of active exploitation of the issue back then. It was first .. --------------------------------------------- https://blog.hboeck.de:443/archives/908-Private-Keys-in-the-Fortigate-Leak.… ∗∗∗ Exchange Server 2016 / 2019 erreichen im Oktober 2025 ihr EOL ∗∗∗ --------------------------------------------- Kleiner Nachtrag von dieser Woche zu einem Thema, welches eigentlich alle Exchange-Administratoren auf dem Radar haben sollten und auch dürften. Im Oktober 2025 fallen sowohl Microsoft Exchange Server 2016 als auch Microsoft Exchange .. --------------------------------------------- https://www.borncity.com/blog/2025/01/24/exchange-server-2016-2019-erreiche… ∗∗∗ Seasoning email threats with hidden text salting ∗∗∗ --------------------------------------------- Hidden text salting is a simple yet effective technique for bypassing email parsers, confusing spam filters, and evading detection engines that rely on keywords. Cisco Talos has observed an increase in the number of email threats leveraging hidden text salting. --------------------------------------------- https://blog.talosintelligence.com/seasoning-email-threats-with-hidden-text… ∗∗∗ SUSCTL (CVE-2024-54507) A particularly sus sysctl in the XNU Kernel ∗∗∗ --------------------------------------------- Every time Apple releases a new version of XNU, I run a custom suite of tests under an address sanitizer to see if I can spot any regressions, or even possibly new bugs. When I was messing around with macOS 15.0, I was shocked to see a very simple command was causing the sanitizer to report an invalid load. --------------------------------------------- https://jprx.io/cve-2024-54507/ ∗∗∗ The J-Magic Show: Magic Packets and Where to find them ∗∗∗ --------------------------------------------- The Black Lotus Labs team at Lumen Technologies has been tracking the use of a backdoor attack tailored for use against enterprise-grade Juniper routers. This backdoor is opened by a passive agent that continuously monitors for a “magic packet,” sent by .. --------------------------------------------- https://blog.lumen.com/the-j-magic-show-magic-packets-and-where-to-find-the… ∗∗∗ cURL Project and Go Security Teams Reject CVSS as Broken ∗∗∗ --------------------------------------------- The CVSS (Common Vulnerability Scoring System) is facing significant pushback as both the cURL project and Go security teams are publicly distance themselves from the framework. While CVSS is designed to assign a severity score to vulnerabilities, its one-size-fits-all approach often produces misleading results, particularly for projects like cURL, which .. --------------------------------------------- https://socket.dev/blog/curl-project-and-go-security-teams-reject-cvss-as-b… ∗∗∗ FalconFeedsio X Account Hacked, Promoting Fraudulent Crypto Scams ∗∗∗ --------------------------------------------- FalconFeedsios official X (formerly Twitter) account has been compromised, leading to the promotion of fraudulent cryptocurrency posts and scams. This hacking of FalconFeed has shocked the cybersecurity community as the platform was renowned for dark web news alerts. With this hacking of FalconFeed x account, many users and cybersecurity experts are advising .. --------------------------------------------- https://thecyberexpress.com/hacking-of-falconfeed/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium and python-django), Fedora (git-lfs and pam-u2f), Mageia (golang), Red Hat (java-11-openjdk with Extended Lifecycle Support, java-17-openjdk, and java-21-openjdk), SUSE (cheat, dante, docker-stable, grafana, and kernel), and Ubuntu (cacti, cyrus-imapd, HTMLDOC, and PCL). --------------------------------------------- https://lwn.net/Articles/1006103/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.01.2025
by Daily end-of-shift report 23 Jan '25

23 Jan '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 22-01-2025 18:00 − Donnerstag 23-01-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Zendesk’s Subdomain Registration Abused in Phishing Scams ∗∗∗ --------------------------------------------- Leveraging Zendesk’s communication features, they can send phishing emails disguised as legitimate customer support messages. These emails often include malicious links or attachments to lure victims into clicking. --------------------------------------------- https://hackread.com/zendesk-subdomain-registration-abused-phishing-scams/ ∗∗∗ Heimserver-Betriebssystem: Updates beheben Sicherheitslücken in Unraid ∗∗∗ --------------------------------------------- Angreifer könnten die Lücken ausnutzen, um dem UnRAID-Admin eigenen Javascript-Code oder bösartige Plug-ins unterzuschieben. [..] Alle Sicherheitslücken sind in der Anfang Januar veröffentlichten neuesten Major-Version 7.0.0 und in einem Bugfix-Release für die Vorgängerversion behoben. --------------------------------------------- https://heise.de/-10253366 ∗∗∗ Researchers say new attack could take down the European power grid ∗∗∗ --------------------------------------------- Late last month, researchers revealed a finding that’s likely to shock some people and confirm the low expectations of others: Renewable energy facilities throughout Central Europe use unencrypted radio signals to receive commands to feed or ditch power into or from the grid that serves some 450 million people throughout the continent. --------------------------------------------- https://arstechnica.com/security/2025/01/could-hackers-use-new-attack-to-ta… ∗∗∗ Telegram captcha tricks you into running malicious PowerShell scripts ∗∗∗ --------------------------------------------- Threat actors on X are exploiting the news around Ross Ulbricht to direct unsuspecting users to a Telegram channel that tricks them into executing PowerShell code that infects them with malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/telegram-captcha-tricks-you-… ∗∗∗ Beware: Fake CAPTCHA Campaign Spreads Lumma Stealer in Multi-Industry Attacks ∗∗∗ --------------------------------------------- The attack chain begins when a victim visits a compromised website, which directs them to a bogus CAPTCHA page that specifically instructs the site visitor to copy and paste a command into the Run prompt in Windows that uses the native mshta.exe binary to download and execute an HTA file from a remote server. [..] The HTA file, in turn, executes a PowerShell command to launch a next-stage payload, a PowerShell script that unpacks a second PowerShell script responsible for decoding and loading the Lumma payload, but not before taking steps to bypass the Windows Antimalware Scan Interface (AMSI) in an effort to evade detection. --------------------------------------------- https://thehackernews.com/2025/01/beware-fake-captcha-campaign-spreads.html ∗∗∗ Palo Alto Firewalls Found Vulnerable to Secure Boot Bypass and Firmware Exploits ∗∗∗ --------------------------------------------- An exhaustive evaluation of three firewall models from Palo Alto Networks has uncovered a host of known security flaws impacting the devices firmware as well as misconfigured security features. --------------------------------------------- https://thehackernews.com/2025/01/palo-alto-firewalls-found-vulnerable-to.h… ∗∗∗ Supply chain attack hits Chrome extensions, could expose millions ∗∗∗ --------------------------------------------- Cybersecurity outfit Sekoia is warning Chrome users of a supply chain attack targeting browser extension developers that has potentially impacted hundreds of thousands of individuals already. [..] A number of the potentially affected extensions (according to Booz Allen Hamilton's report) appear to have been pulled from the Chrome Web Store at the time of writing. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/01/22/supply_chain… ∗∗∗ Threat Actors Chained Vulnerabilities in Ivanti Cloud Service Applications ∗∗∗ --------------------------------------------- The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) are releasing this joint Cybersecurity Advisory in response to exploitation in September 2024 of vulnerabilities in Ivanti Cloud Service Appliances (CSA): CVE-2024-8963, an administrative bypass vulnerability; CVE-2024-9379, a SQL injection vulnerability; and CVE-2024-8190 and CVE-2024-9380, remote code execution vulnerabilities. --------------------------------------------- https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-022a ∗∗∗ Denuvo Analysis ∗∗∗ --------------------------------------------- Denuvo is an anti-tamper and digital rights management system (DRM). It is primarily used to protect digital media such as video games from piracy and reverse engineering efforts. Unlike traditional DRM systems, Denuvo employs a wide range of unique techniques and checks to confirm the integrity of both the game’s code and licensed user. --------------------------------------------- https://connorjaydunn.github.io/blog/posts/denuvo-analysis/ ===================== = Vulnerabilities = ===================== ∗∗∗ Kritische Sicherheitslücke in SonicWall SMA1000 - aktiv ausgenutzt - Update verfügbar ∗∗∗ --------------------------------------------- In SonicWall SMA1000 Appliance Management Console (AMC) und Central Management Console (CMC) wurde eine kritische Sicherheitslücke entdeckt, die bereits aktiv von Angreifern ausgenutzt wird. Die Schwachstelle ermöglicht die Ausführung von beliebigem Code ohne vorherige Authentifizierung. CVE-Nummer(n): CVE-2025-23006 --------------------------------------------- https://www.cert.at/de/warnungen/2025/1/sonicwall-amc-cmc-rce ∗∗∗ Critical zero-days impact premium WordPress real estate plugins ∗∗∗ --------------------------------------------- The RealHome theme and the Easy Real Estate plugins for WordPress are vulnerable to two critical severity flaws that allow unauthenticated users to gain administrative privileges. [..] Also, Patchstack says the vendor released three versions since September, but no security fixes to address the critical issues were introduced. Hence, the issues remain unfixed and exploitable. --------------------------------------------- https://www.bleepingcomputer.com/news/security/critical-zero-days-impact-pr… ∗∗∗ Schwachstellen in Jenkins-Plug-ins gefährden Entwicklungsumgebungen ∗∗∗ --------------------------------------------- Unter bestimmten Bedingungen können Angreifer Softwareentwicklungsserver mit Jenkins-Plug-ins attackieren. Darunter fallen etwa die Plug-ins Azure Service Fabric und Zoom. --------------------------------------------- https://heise.de/-10254105 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (redis:6), Debian (frr and git-lfs), Fedora (SDL2_sound and webkit2gtk4.0), Gentoo (firefox, GPL Ghostscript, libgsf, libuv, PHP, Qt, QtWebEngine, and Yubico pam-u2f), Mageia (chromium-browser-stable), SUSE (helmfile, nvidia-modprobe, qt6-webengine, ruby3.4-rubygem-actioncable-8.0-8.0.1-1.1, ruby3.4-rubygem-actionpack-8.0-8.0.1-1.1, ruby3.4-rubygem-actiontext-8.0-8.0.1-1.1, ruby3.4-rubygem-actionview-8.0-8.0.1-1.1, ruby3.4-rubygem-activejob-8.0-8.0.1-1.1, ruby3.4-rubygem-activerecord-8.0-8.0.1-1.1, ruby3.4-rubygem-activestorage-8.0-8.0.1-1.1, ruby3.4-rubygem-rails-8.0-8.0.1-1.1, and ruby3.4-rubygem-railties-8.0-8.0.1-1.1), and Ubuntu (bluez, openjpeg2, and python-django). --------------------------------------------- https://lwn.net/Articles/1005946/ ∗∗∗ Drupal: Ignition Error Pages - Critical - Cross Site Scripting - SA-CONTRIB-2025-007 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2025-007 ∗∗∗ Drupal: Material Admin - Critical - Unsupported - SA-CONTRIB-2025-006 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2025-006 ∗∗∗ Drupal: Flattern – Multipurpose Bootstrap Business Profile - Critical - Unsupported - SA-CONTRIB-2025-005 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2025-005 ∗∗∗ Drupal: AI (Artificial Intelligence) - Moderately critical - Access bypass, Information Disclosure - SA-CONTRIB-2025-004 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2025-004 ∗∗∗ QNAP: Multiple Vulnerabilities in Rsync ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-25-02 ∗∗∗ Hitachi Energy RTU500 Series Product ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-023-02 ∗∗∗ mySCADA myPRO Manager ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-023-01 ∗∗∗ HMS Networks Ewon Flexy 202 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-023-06 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.01.2025
by Daily end-of-shift report 22 Jan '25

22 Jan '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 21-01-2025 18:00 − Mittwoch 22-01-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Großflächige Brute-Force-Angriffe auf M365 – vorsichtshalber Log-ins checken ∗∗∗ --------------------------------------------- In den vergangenen Wochen gab es großflächige Angriffe auf Zugangsdaten zur Microsoft-Cloud. IT-Admins sollten prüfen, ob diese eventuell erfolgreich waren. --------------------------------------------- https://heise.de/-10252167 ∗∗∗ Patch procrastination leaves 50,000 Fortinet firewalls vulnerable to zero-day ∗∗∗ --------------------------------------------- Data from the Shadowserver Foundation shows 48,457 Fortinet boxes are still publicly exposed and haven't had the patch for CVE-2024-55591 applied, despite stark warnings issued over the past seven days. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/01/21/fortinet_fir… ∗∗∗ Hackers Exploit Zero-Day in cnPilot Routers to Deploy AIRASHI DDoS Botnet ∗∗∗ --------------------------------------------- Threat actors are exploiting an unspecified zero-day vulnerability in Cambium Networks cnPilot routers to deploy a variant of the AISURU botnet called AIRASHI to carry out distributed denial-of-service (DDoS) attacks. According to QiAnXin XLab, the attacks have leveraged the security flaw since June 2024. --------------------------------------------- https://thehackernews.com/2025/01/hackers-exploit-zero-day-in-cnpilot.html ∗∗∗ Fake Homebrew Google ads target Mac users with malware ∗∗∗ --------------------------------------------- Hackers are once again abusing Google ads to spread malware, using a fake Homebrew website to infect Macs and Linux devices with an infostealer that steals credentials, browser data, and cryptocurrency wallets. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fake-homebrew-google-ads-tar… ∗∗∗ IPany VPN breached in supply-chain attack to push custom malware ∗∗∗ --------------------------------------------- South Korean VPN provider IPany was breached in a supply chain attack by the "PlushDaemon" China-aligned hacking group, who compromised the companys VPN installer to deploy the custom SlowStepper malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ipany-vpn-breached-in-supply… ∗∗∗ Unique 0-click deanonymization attack targeting Signal, Discord and hundreds of platforms ∗∗∗ --------------------------------------------- 3 months ago, I discovered a unique 0-click deanonymization attack that allows an attacker to grab the location of any target within a 250 mile radius. [..] A few months ago, I had a lightbulb moment: if Cloudflare stores cached data so close to users, could this be exploited for deanonymization attacks on sites we don't control? [..] Cloudflare's final statement about this says they do not consider the deanonymization attack to be a vulnerability in their own systems and it is up to their consumers to disable caching for resources they wish to protect. --------------------------------------------- https://gist.github.com/hackermondev/45a3cdfa52246f1d1201c1e8cdef6117 ∗∗∗ Turning Data into Decisions: How CVE Management Is Changing ∗∗∗ --------------------------------------------- Every day, hundreds of new Common Vulnerabilities and Exposures (CVEs) are published, many of which target critical systems that keep businesses and governments operational. For cybersecurity professionals, simply knowing that a vulnerability exists is not enough. What’s needed is context—a deeper understanding of the CVE data, its potential impact, and how to prioritize its remediation. Enter Vulnrichment, an initiative launched by the Cybersecurity and Infrastructure Security Agency (CISA) on May 10, 2024. --------------------------------------------- https://thecyberexpress.com/cve-data-vulnrichment-program/ ∗∗∗ Geolocation and Starlink, (Tue, Jan 21st) ∗∗∗ --------------------------------------------- The IP address of a satellite user identifies the ground station location, not the user's location. Starlink, on the other hand, uses satellites in low earth orbit. The network can forward traffic among satellites, but typically, the satellite will attempt to pass the traffic to the closest base station in view. Due to the low orbit, each satellite only "sees" a relatively small area, and the ground station is usually within a couple hundred miles of the user. --------------------------------------------- https://isc.sans.edu/diary/rss/31612 ∗∗∗ Mirai Botnet Launches Record 5.6 Tbps DDoS Attack with 13,000+ IoT Device ∗∗∗ --------------------------------------------- Web infrastructure and security company Cloudflare on Tuesday said it detected and blocked a 5.6 Terabit per second (Tbps) distributed denial-of-service (DDoS) attack, the largest ever attack to be reported to date. The UDP protocol-based attack took place on October 29, 2024, targeting one of its customers, an unnamed internet service provider (ISP) from Eastern Asia. --------------------------------------------- https://thehackernews.com/2025/01/mirai-botnet-launches-record-56-tbps.html ∗∗∗ Understanding Microsofts CVSS v3.1 Ratings and Severity Scores ∗∗∗ --------------------------------------------- Recently, I looked at Microsoft’s assigned CVSS v3.1 scores for Patch Tuesday vulnerabilities alongside the Microsoft assigned severity ratings. I wanted to revisit these numbers and see just how closely CVSS aligns with Microsoft’s opinion of severity. --------------------------------------------- https://www.tripwire.com/state-of-security/understanding-microsofts-cvss-v3… ∗∗∗ Vorsicht, wenn Online-Shops per WhatsApp zur Zahlung auffordern ∗∗∗ --------------------------------------------- Der Fake-Shop bikeunivers.de bietet Markenfahrräder zu günstigen Preisen an. Bezahlt werden kann nur per Banküberweisung. Wer nicht bezahlt, erhält eine Zahlungsaufforderung per E-Mail und WhatsApp. Ignorieren Sie diese, denn Sie erhalten trotz Zahlung keine Ware! --------------------------------------------- https://www.watchlist-internet.at/news/fake-shop-whatsapp/ ∗∗∗ Vorsicht vor gefälschten Telegram-SMS ∗∗∗ --------------------------------------------- Derzeit kursieren gefälschte SMS, angeblich von Telegram. Die Nachricht besagt, dass Ihr Konto eingeschränkt sei und Sie es freischalten müssen. Klicken Sie auf keinen Fall auf den Link! Kriminelle stehlen Ihre Daten und versuchen sich auf einem fremden Gerät mit Ihrer Telefonnummer einzuloggen! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-gefaelschten-telegram-s… ∗∗∗ Redline, Vidar and Raccoon Malware Stole 1 Billion Passwords in 2024 ∗∗∗ --------------------------------------------- Specops 2025 Breached Password Report reveals over 1 billion passwords stolen by malware in the past year, exposing weak practices, malware trends, and security gaps. --------------------------------------------- https://hackread.com/redline-vidar-raccoon-malware-stole-1-billion-password… ===================== = Vulnerabilities = ===================== ∗∗∗ Oracle Critical Patch Update Advisory - January 2025 ∗∗∗ --------------------------------------------- This Critical Patch Update contains 318 new security patches across the product families listed below. --------------------------------------------- https://www.oracle.com/security-alerts/cpujan2025.html ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (snapcast), Fedora (python-jinja2), Mageia (rsync), SUSE (cdi-apiserver-container, cdi-cloner-container, cdi- controller-container, cdi-importer-container, cdi-operator-container, cdi- uploadproxy-container, cdi-uploadserver-container, cont, gh, kernel, kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t, nvidia-open-driver-G06-signed, and pam_u2f), and Ubuntu (linux-oem-6.11 and vim). --------------------------------------------- https://lwn.net/Articles/1005798/ ∗∗∗ Technical Advisory: Cross-Site Scripting in Umbraco Rich Text Display ∗∗∗ --------------------------------------------- Due to a lack of input sanitization on the server side, Umbraco CMS 14.3.1 or below is vulnerable to stored cross-site scripting (XSS) attacks through the rendering logic for rich text contents. [..] Umbraco has accepted this behavior as the majority of its customer base is unaffected. [..] Identify a C/C++ HTML sanitization framework best suited for the organization if using RTE is mandatory. Seek alternative components in Umbraco for content rendering otherwise. --------------------------------------------- https://www.nccgroup.com/us/research-blog/technical-advisory-cross-site-scr… ∗∗∗ PHP: PMASA-2025-3 ∗∗∗ --------------------------------------------- https://www.phpmyadmin.net/security/PMASA-2025-3/ ∗∗∗ PHP: PMASA-2025-2 ∗∗∗ --------------------------------------------- https://www.phpmyadmin.net/security/PMASA-2025-2/ ∗∗∗ PHP: PMASA-2025-1 ∗∗∗ --------------------------------------------- https://www.phpmyadmin.net/security/PMASA-2025-1/ ∗∗∗ ABB: 2025-01-21: Cyber Security Advisory - Drive Composer Path Traversal Vulnerability ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=9AKK108470A5466&Lan… ∗∗∗ Cisco BroadWorks SIP Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Meeting Management REST API Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco ClamAV OLE2 File Format Decryption Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.01.2025
by Daily end-of-shift report 21 Jan '25

21 Jan '25

===================== = End-of-Day report = ===================== Timeframe: Montag 20-01-2025 18:00 − Dienstag 21-01-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Sophos MDR tracks two ransomware campaigns using “email bombing,” Microsoft Teams “vishing” ∗∗∗ --------------------------------------------- Sophos MDR identifies a new threat cluster riffing on the playbook of Storm-1811, and amped-up activity from the original connected to Black Basta ransomware. --------------------------------------------- https://news.sophos.com/en-us/2025/01/21/sophos-mdr-tracks-two-ransomware-c… ∗∗∗ 7-Zip: Lücke erlaubt Umgehung von Mark-of-the-Web ∗∗∗ --------------------------------------------- In 7-Zip ermöglicht eine Sicherheitslücke, den Mark-of-the-Web-Schutzmechanismus auszuhebeln und so Code auszuführen. [..] Die Sicherheitslücke schließt 7-Zip Version 24.09 oder neuer, die auf der Download-Seite von 7-Zip bereits seit Ende November vergangenen Jahres zum Herunterladen bereitsteht. [..] 7-Zip-Nutzer müssen selbst aktiv werden, um sich zu schützen und das verfügbare Update installieren. --------------------------------------------- https://heise.de/-10250351 ∗∗∗ 13,000 MikroTik Routers Hijacked by Botnet for Malspam and Cyberattacks ∗∗∗ --------------------------------------------- A global network of about 13,000 hijacked Mikrotik routers has been employed as a botnet to propagate malware via spam campaigns, the latest addition to a list of botnets powered by MikroTik devices. The activity "take[s] advantage of misconfigured DNS records to pass email protection techniques," Infoblox security researcher David Brunsdon said in a technical report published last week. --------------------------------------------- https://thehackernews.com/2025/01/13000-mikrotik-routers-hijacked-by.html ∗∗∗ Exchange 2016 und 2019 erreichen Support-Ende – in 9 Monaten ∗∗∗ --------------------------------------------- Microsoft erinnert an das dräuende Support-Ende der Exchange-Server 2016 und 2019. --------------------------------------------- https://www.heise.de/-10249853 ∗∗∗ Medusa Ransomware: What You Need To Know ∗∗∗ --------------------------------------------- What is the Medusa ransomware? Medusa is a ransomware-as-a-service (RaaS) platform that first came to prominence in 2023. The ransomware impacts organisations running Windows, predominantly exploiting vulnerable and unpatched systems and hijacking accounts through initial access brokers. --------------------------------------------- https://www.tripwire.com/state-of-security/medusa-ransomware-what-you-need-… ∗∗∗ How to secure body-worn cameras and protect footage from cyber threats ∗∗∗ --------------------------------------------- Body-worn cameras are used by police [..] Cameras are taken into the field but footage could be presented as evidence [..] Cryptographic approaches are needed to ensure the confidentiality and integrity of captured video and audio. --------------------------------------------- https://www.pentestpartners.com/security-blog/how-to-secure-body-worn-camer… ∗∗∗ Offene Rechnung für „Gelbe Seiten Online“-Eintrag nicht bezahlen ∗∗∗ --------------------------------------------- In den letzten Tagen haben zahlreiche Unternehmen eine E-Mail von gsol-dach.com erhalten. Darin werden sie aufgefordert, eine Rechnung für einen angeblichen Premium-Firmenbucheintrag zu bezahlen. Achtung: Diese Rechnungen sind Betrug! --------------------------------------------- https://www.watchlist-internet.at/news/rechnung-fuer-gelbe-seiten-online-ei… ∗∗∗ Hackers impersonate Ukraine’s CERT to trick people into allowing computer access ∗∗∗ --------------------------------------------- CERT-UA is warning Ukrainians not to accept requests for help via AnyDesk software unless they are sure the source is legitimate. --------------------------------------------- https://therecord.media/fake-ukraine-cert-anydesk-requests-hackers ∗∗∗ Reverse Engineering Bambu Connect ∗∗∗ --------------------------------------------- The purpose of this guide is to demonstrate the trivial process of extracting the "private keys" used for communicating with Bambu devices to examine, and challenge, the technical basis for Bambu Lab's security justification of Bambu Connect. --------------------------------------------- https://wiki.rossmanngroup.com/wiki/Reverse_Engineering_Bambu_Connect ∗∗∗ Vulnerability Archeology: Stealing Passwords with IBM i Access Client Solutions ∗∗∗ --------------------------------------------- Two weeks ago IBM published a support article about a compatibility issue affecting IBM i Access Client Solutions (ACS) when running on Windows 11 24H2. [..] Debugging the entry point in cwbnetnt.dll also confirms that password information is no longer passed to the Network Provider!. This change was documented by Microsoft here in March 2024, we believe IBM should’ve referenced this document in their memo. This is an important change from Microsoft - let’s hope not many applications rely on this backdoor and their insecure artifacts get cleaned up properly! --------------------------------------------- https://blog.silentsignal.eu/2025/01/21/ibm-acs-password-dump/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (grafana), Debian (libebml, poco, redis, sympa, tiff, and ucf), Fedora (rsync), Mageia (dcmtk, git, proftpd, and raptor2), Red Hat (grafana, iperf3, kernel, microcode_ctl, and redis), SUSE (chromium, dhcp, git, libqt5-qtwebkit, and pam_u2f), and Ubuntu (python3.10, python3.8 and python3.12). --------------------------------------------- https://lwn.net/Articles/1005708/ ∗∗∗ Webbrowser: Lücke in Brave ermöglicht gefälschte Anzeige der Download-Quelle ∗∗∗ --------------------------------------------- Im Webbrowser Brave können Angreifer eine Sicherheitslücke missbrauchen, die zur falschen Anzeige einer Download-Quelle führt. [..] Die Sicherheitslücke schließt Brave mit der Version 1.74.48, die in der Mitte vergangener Woche veröffentlicht wurde. --------------------------------------------- https://heise.de/-10250205 ∗∗∗ Traffic Alert and Collision Avoidance System (TCAS) II ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-021-01 ∗∗∗ ZF Roll Stability Support Plus (RSSPlus) ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-021-03 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.01.2025
by Daily end-of-shift report 20 Jan '25

20 Jan '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 17-01-2025 18:00 − Montag 20-01-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Malicious PyPi package steals Discord auth tokens from devs ∗∗∗ --------------------------------------------- A malicious package named pycord-self on the Python package index (PyPI) targets Discord developers to steal authentication tokens and plant a backdoor for remote control over the system. [..] The package mimics the highly popular 'discord.py-self,' which has nearly 28 million downloads, and even offers the functionality of the legitimate project. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malicious-pypi-package-steal… ∗∗∗ Forscher deckt auf: ChatGPT lässt sich für DDoS-Angriffe missbrauchen ∗∗∗ --------------------------------------------- Eine ChatGPT-API scheint bereitwillig eine lange Liste von Links zur gleichen Webseite anzunehmen - und diese anschließend ungebremst abzufragen. [..] Ausführen lässt sich der DDoS-Angriff laut Flesch durch eine HTTP-Anfrage an eine ChatGPT-API, konkret durch einen POST-Request an die URL "https://chatgpt.com/backend-api/attributions". Die API erwarte eine Liste von Hyperlinks, schreibt der Forscher. Jedoch werde nicht geprüft, ob ein Hyperlink zur gleichen Ressource mehrfach genannt wird. --------------------------------------------- https://www.golem.de/news/forscher-deckt-auf-chatgpt-laesst-sich-fuer-ddos-… ∗∗∗ Partial ZIP File Downloads, (Mon, Jan 20th) ∗∗∗ --------------------------------------------- Say you want a file that is inside a huge online ZIP file (several gigabytes large). Downloading the complete ZIP file would take too long. --------------------------------------------- https://isc.sans.edu/diary/rss/31608 ∗∗∗ Private Keys in the Fortigate Leak ∗∗∗ --------------------------------------------- A few days ago, a download link for a leak of configuration files for Fortigate/Fortinet devices was posted on an Internet forum. [..] It was first reported by heise, a post by Kevin Beaumont contains further info. What has not been widely recognized is that this leak also contains TLS and SSH private keys. --------------------------------------------- https://blog.hboeck.de:443/archives/908-Private-Keys-in-the-Fortigate-Leak.… ∗∗∗ Looking at the Attack Surfaces of the Pioneer DMH-WT7600NEX IVI ∗∗∗ --------------------------------------------- For the upcoming Pwn2Own Automotive contest, a total of four in-vehicle infotainment (IVI) head units have been selected as targets. [..] This blog post aims to detail some of the attack surfaces of the DMH-WT7600NEX unit as well as provide information on how to extract the software running on this unit for further vulnerability research. --------------------------------------------- https://www.thezdi.com/blog/2025/1/16/looking-at-the-attack-surfaces-of-the… ∗∗∗ Die meisten Cyberkriminellen hacken nicht, sondern loggen sich ein ∗∗∗ --------------------------------------------- Bei 57 Prozent der erfolgreichen Cyberangriffe ist kein großer Hack über Sicherheitslücken erforderlich. Die Cyberkriminellen nutzten einfach ein kompromittiertes Nutzerkonto, um Zugang auf die Systeme zu erhalten, so die Analyse von Varonis zu solchen Vorfällen --------------------------------------------- https://www.borncity.com/blog/2025/01/19/die-meisten-cyberkriminellen-hacke… ∗∗∗ Hackers Claim Breach of Hewlett Packard Enterprise, Lists Data for Sale ∗∗∗ --------------------------------------------- Hacker IntelBroker claims to have breached Hewlett Packard Enterprise (HPE), exposing sensitive data like source code, certificates, and PII, now available for sale online. --------------------------------------------- https://hackread.com/hackers-claim-hewlett-packard-data-breach-sale/ ∗∗∗ Secure Coding: Apache Maven gegen Cache-Poisoning-Attacken rüsten ∗∗∗ --------------------------------------------- Dependency-Management-Systeme wie Maven sind immer wieder Ziel von Cache-Poisoning-Angriffen, gegen die nur konsequent umgesetzte Sicherheitspraktiken helfen. --------------------------------------------- https://heise.de/-10244779 ∗∗∗ Hilton, Hyatt, Marriott: 437.000 Datensätze aus Verwaltungsplattform bei HIBP ∗∗∗ --------------------------------------------- Kriminelle haben Daten bei der Verwaltungsplattform Otelier geklaut. Rund 437.000 Datensätze etwa von Hilton, Hyatt oder Marriott sind nun bei HIBP. --------------------------------------------- https://heise.de/-10248339 ∗∗∗ Investigating an "evil" RJ45 dongle ∗∗∗ --------------------------------------------- Earlier this week, a young entrepreneur caused stir on social media by suggesting that an Ethernet-to-USB they purchased from China was preloaded with malware that “evaded virtual machines”, “captured keystrokes”, and “used Russian-language elements”. [..] To get to that point, we didn’t need a hardware lab; a bit of patience and Google-fu was enough. --------------------------------------------- https://lcamtuf.substack.com/p/investigating-an-evil-rj45-dongle ===================== = Vulnerabilities = ===================== ∗∗∗ VU#199397: Insecure Implementation of Tunneling Protocols (GRE/IPIP/4in6/6in4) ∗∗∗ --------------------------------------------- Researchers at the DistriNet-KU Leuven research group have discovered millions of vulnerable Internet systems that accept unauthenticated IPIP, GRE, 4in6, or 6in4 traffic. This can be considered a generalization of the vulnerability in VU#636397 : IP-in-IP protocol routes arbitrary traffic by default (CVE-2020-10136). The exposed systems can be abused as one-way proxies, enable an adversary to spoof the source address of packets (CWE-290 Authentication Bypass by Spoofing), or permit access to an organization's private network. --------------------------------------------- https://kb.cert.org/vuls/id/199397 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (.NET 8.0, .NET 9.0, ipa, and NetworkManager), Debian (389-ds-base, busybox, libreoffice, rsync, ruby2.7, tomcat10, and tryton-server), Fedora (chromium and stb), Mageia (openafs and vim), Oracle (.NET 8.0 and .NET 9.0), SUSE (amazon-ssm-agent, chromedriver, git, golang-github-prometheus-prometheus, govulncheck-vulndb, grafana, hplip, pam_u2f, perl-Compress-Raw-Zlib, perl-IO-Compress, redis, redis7, rsync, and velociraptor), and Ubuntu (libpodofo and linux-xilinx-zynqmp). --------------------------------------------- https://lwn.net/Articles/1005638/ ∗∗∗ Nvidia: Datenabfluss durch Sicherheitsleck in Grafiktreiber möglich ∗∗∗ --------------------------------------------- Nvidia hat Sicherheitslücken in seinen Grafikkartentreibern entdeckt. Angreifer können dadurch Informationen abgreifen. Updates stehen bereit. --------------------------------------------- https://heise.de/-10248258 ∗∗∗ Sicherheitspatch: Unbefugte Zugriffe auf bestimmte Switches von Moxa möglich ∗∗∗ --------------------------------------------- Angreifer können bei Moxa-Switches der EDS-508A-Serie die Authentifizierung umgehen. Die Sicherheitslücke gilt als kritisch. Um Angriffe vorzubeugen, sollten Netzwerkadmins die Firmware ihrer Ethernet-Switches der Serie EDS-508A von Moxa auf den aktuellen Stand bringen. --------------------------------------------- https://heise.de/-10249285 ∗∗∗ Yubico Warns of 2FA Security Flaw in pam-u2f for Linux and macOS Users ∗∗∗ --------------------------------------------- https://thecyberexpress.com/yubico-2fa-bypass-vulnerability-advisory/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.01.2025
by Daily end-of-shift report 17 Jan '25

17 Jan '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 16-01-2025 18:00 − Freitag 17-01-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ D-Trust: Cyberangriff trifft Trustcenter der Bundesdruckerei ∗∗∗ --------------------------------------------- Aus einem Antragsportal der D-Trust GmbH sind potenziell personenbezogene Daten abgeflossen. Wer hinter dem Angriff steckt, ist noch unklar. --------------------------------------------- https://www.golem.de/news/d-trust-cyberangriff-trifft-trustcenter-der-bunde… ∗∗∗ Mercedes-Benz Head Unit security research report ∗∗∗ --------------------------------------------- Kaspersky experts analyzed the Mercedes-Benz head unit, its IPC protocols and firmware, and found new vulnerabilities via physical access. --------------------------------------------- https://securelist.com/mercedes-benz-head-unit-security-research/115218/ ∗∗∗ New Star Blizzard spear-phishing campaign targets WhatsApp accounts ∗∗∗ --------------------------------------------- In mid-November 2024, Microsoft Threat Intelligence observed the Russian threat actor we track as Star Blizzard sending their typical targets spear-phishing messages, this time offering the supposed opportunity to join a WhatsApp group. This is the first time we have identified a shift in Star Blizzard’s longstanding tactics, techniques, .. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2025/01/16/new-star-blizzard-… ∗∗∗ Gootloader inside out ∗∗∗ --------------------------------------------- Open-source intelligence reveals the server-side code of this pernicious SEO-driven malware - without needing a lawyer afterward --------------------------------------------- https://news.sophos.com/en-us/2025/01/16/gootloader-inside-out/ ∗∗∗ U.S. Sanctions North Korean IT Worker Network Supporting WMD Programs ∗∗∗ --------------------------------------------- The U.S. Treasury Departments Office of Foreign Assets Control (OFAC) sanctioned two individuals and four entities for their alleged involvement in illicit revenue generation schemes for the Democratic Peoples Republic of Korea (DPRK) by dispatching .. --------------------------------------------- https://thehackernews.com/2025/01/us-sanctions-north-korean-it-worker.html ∗∗∗ Hackers Likely Stole FBI Call Logs From AT&T That Could Compromise Informants ∗∗∗ --------------------------------------------- A breach of AT&T that exposed “nearly all” of the company’s customers may have included records related to confidential FBI sources, potentially explaining the bureau’s new embrace of end-to-end encryption. --------------------------------------------- https://www.wired.com/story/hackers-likely-stole-fbi-call-logs-from-att-tha… ∗∗∗ Biden ordnet für US-Behörden Verschlüsselung von E-Mail, DNS und BGP an ∗∗∗ --------------------------------------------- Ende-zu-Ende-Verschlüsselung, bessere Software und Abwehr, Post-Quanten, Aufsicht über Lieferanten, Passkeys, Erforschung von KI – Biden verordnet gute Medizin. --------------------------------------------- https://www.heise.de/news/Biden-ordnet-Verschluesselung-von-E-Mail-DNS-und-… ∗∗∗ Daten von rund 250.000 MSI-Kunden bei Have I Been Pwned ∗∗∗ --------------------------------------------- Bei einem Cybervorfall bei MSI sind 2024 offenbar zahlreiche Kundendatensätze kopiert worden. Rund 250.000 Stück hat HIBP nun aufgenommen. --------------------------------------------- https://www.heise.de/news/Daten-von-rund-250-000-MSI-Kunden-bei-Have-I-Been… ∗∗∗ Vertrauensdiensteanbieter D-Trust informiert über Datenschutzvorfall ∗∗∗ --------------------------------------------- Bei D-Trust kam es zu einem Datenschutzvorfall. Betroffen ist das Antragsportal für Signatur- und Siegelkarten. Die Ermittlungen laufen. --------------------------------------------- https://www.heise.de/news/Vertrauensdiensteanbieter-D-Trust-informiert-uebe… ∗∗∗ Chinese Innovations Spawn Wave of Toll Phishing Via SMS ∗∗∗ --------------------------------------------- Residents across the United States are being inundated with text messages purporting to come from toll road operators like E-ZPass, warning that recipients face fines if a delinquent toll fee remains unpaid. Researchers say the surge in SMS spam coincides with new features added to a popular commercial phishing kit sold in China that makes it simple to .. --------------------------------------------- https://krebsonsecurity.com/2025/01/chinese-innovations-spawn-wave-of-toll-… ∗∗∗ OSV-SCALIBR: A library for Software Composition Analysis ∗∗∗ --------------------------------------------- In December 2022, we announced OSV-Scanner, a tool to enable developers to easily scan for vulnerabilities in their open source dependencies. Together with the open source community, we’ve continued to build this tool, adding remediation features, as well .. --------------------------------------------- http://security.googleblog.com/2025/01/osv-scalibr-library-for-software.html ∗∗∗ PayPal ruft an? Vorsicht Betrug! ∗∗∗ --------------------------------------------- Aktuell erhält die Watchlist Internet zahlreiche Meldungen zu Anrufen durch angebliche PayPal-Mitarbeiter:innen. Heben Sie ab, berichtet man Ihnen von angeblichen Abbuchungen von Ihrem PayPal-Konto und fordert Ihre Mithilfe zum Blockieren der Abbuchungen. Tatsächlich greift man dabei aber auf Ihre Systeme zu und stiehlt Ihnen Ihr Geld. Ein Schaden entsteht erst durch das Telefonat! --------------------------------------------- https://www.watchlist-internet.at/news/paypal-ruft-an/ ∗∗∗ Let’s talk about AI and end-to-end encryption ∗∗∗ --------------------------------------------- Recently, I came across a fantastic new paper by a group of NYU and Cornell researchers entitled “How to think about end-to-end encryption and AI.” I’m extremely grateful to see this paper, because while I don’t agree with every one of it’s .. --------------------------------------------- https://blog.cryptographyengineering.com/2025/01/17/lets-talk-about-ai-and-… ∗∗∗ Threat Brief: CVE-2025-0282 and CVE-2025-0283 ∗∗∗ --------------------------------------------- CVE-2025-0282 and CVE-2025-0283 affect multiple Ivanti products. This threat brief covers attack scope, including details from an incident response case. --------------------------------------------- https://unit42.paloaltonetworks.com/threat-brief-ivanti-cve-2025-0282-cve-2… ∗∗∗ New WDAC Exploit Technique: Leveraging Policies to Disable EDRs and Evade Detection ∗∗∗ --------------------------------------------- The file “SiPolicy.p7b” contains policies that Windows OS and Windows Defender (AV) will listen to and your antivirus will apply the policies that this .. --------------------------------------------- https://www.truesec.com/hub/blog/new-wdac-exploit-technique-leveraging-poli… ∗∗∗ IoT Botnet Linked to Large-scale DDoS Attacks Since the End of 2024 ∗∗∗ --------------------------------------------- Since the end of 2024, we have been continuously monitoring large-scale DDoS attacks orchestrated by an IoT botnet exploiting vulnerable IoT devices such as wireless routers and IP cameras. --------------------------------------------- https://www.trendmicro.com/en_us/research/25/a/iot-botnet-linked-to-ddos-at… ∗∗∗ Announcing Six Day and IP Address Certificate Options in 2025 ∗∗∗ --------------------------------------------- This year we will continue to pursue our commitment to improving the security of the Web PKI by introducing the option to get certificates with six-day lifetimes (“short-lived certificates”). We will also add support for IP addresses in addition to domain names .. --------------------------------------------- https://letsencrypt.org/2025/01/16/6-day-and-ip-certs/ ∗∗∗ A Response to Recent Claims About Sessions Security Architecture ∗∗∗ --------------------------------------------- We were recently made aware of a blog published by a security researcher which makes a number of claims about Session and supposed flaws in Session’s design and implementation. We, as well as other Session contributors, have now had time to read through the blog and investigate the claims and wanted to give a detailed response on each point raised by the author. --------------------------------------------- https://getsession.org/blog/a-response-to-recent-claims-about-sessions-secu… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (rsync and tomcat9), Fedora (chromium, mingw-python-jinja2, redict, and valkey), Gentoo (GIMP and pip), Oracle (.NET, fence-agents, ipa, kernel, python-virtualenv, raptor2, and rsync), Red Hat (.NET 8.0 and .NET 9.0), SUSE (apache2-mod_jk, git, git-lfs, kernel, python-Django, thunderbird, and xen), and Ubuntu (audacity, bcel, dotnet8, dotnet9, gimp-dds, harfbuzz, libxml2, poppler, rsync, and tqdm). --------------------------------------------- https://lwn.net/Articles/1005433/ ∗∗∗ Aviatrix Controllers OS Command Injection Vulnerability ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/threat-signal-report/5982 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.01.2025
by Daily end-of-shift report 16 Jan '25

16 Jan '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 15-01-2025 18:00 − Donnerstag 16-01-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ MFA Failures - The Worst is Yet to Come ∗∗∗ --------------------------------------------- This article delves into the rising tide of MFA failures, the alarming role of generative AI in amplifying these attacks, the growing user discontent weakening our defenses, and the glaring vulnerabilities being frequently exploited. The storm is building, and the worst is yet to come. --------------------------------------------- https://www.bleepingcomputer.com/news/security/mfa-failures-the-worst-is-ye… ∗∗∗ An honest mistake - and a cautionary tale ∗∗∗ --------------------------------------------- We all make mistakes. That is only natural. However, there are cases in which these mistakes can have unexpected consequences. A Twitter user recently found this out the hard way. The ingredients: a cheap USB-C adapter with a network connection, an internet connection and a sandbox. --------------------------------------------- https://www.gdatasoftware.com/blog/2025/01/38129-usb-network-adapter-malware ∗∗∗ Windows 10 und 11: Microsoft verwirrt Nutzer mit Bitlocker-Bug ∗∗∗ --------------------------------------------- Auf einigen Windows-Geräten mit aktivierter Bitlocker-Verschlüsselung erscheint eine unerwartete Meldung. Microsoft untersucht das Problem. --------------------------------------------- https://www.golem.de/news/windows-10-und-11-microsoft-verwirrt-nutzer-mit-b… ∗∗∗ Tiktok, Xiaomi, Aliexpress: Beschwerden wegen Datentransfers nach China eingereicht ∗∗∗ --------------------------------------------- China ist als autoritärer Überwachungsstaat nach Einschätzung von Datenschützern kein zulässiger Standort für europäische Nutzerdaten. --------------------------------------------- https://www.golem.de/news/tiktok-xiaomi-aliexpress-beschwerden-wegen-datent… ∗∗∗ Bidens Cyber Ambassador Urges Trump Not to Cede Ground to Russia and China in Global Tech Fight ∗∗∗ --------------------------------------------- Nathaniel Fick, the ambassador for cyberspace and digital policy, has led US tech diplomacy amid a rising tide of pressure from authoritarian regimes. Will the Trump administration undo that work? --------------------------------------------- https://www.wired.com/story/nathaniel-fick-us-cyber-ambassador-exit-intervi… ∗∗∗ IT-Sicherheit: EU-Kommission will Gesundheitsbranche unterstützen ∗∗∗ --------------------------------------------- Verstärkte Prävention und rasche Reaktion auf Attacken stehen im Zentrum eines EU-Plans für IT-Sicherheit von Krankenhäusern und Gesundheitsdienstleistern. --------------------------------------------- https://www.heise.de/news/IT-Attacken-So-will-die-EU-Kommission-den-Gesundh… ∗∗∗ Es kann Schadcode auf HPE Aruba Networking AOS Controllers und Gateways gelangen ∗∗∗ --------------------------------------------- Netzwerktechnik von HPE Aruba ist verwundbar. Aktuelle Updates schließen insgesamt zwei Sicherheitslücken. --------------------------------------------- https://www.heise.de/news/Es-kann-Schadcode-auf-HPE-Aruba-Networking-AOS-Co… ∗∗∗ Achtung vor go.hopeforlifefund.com: Spendenaufruf für Nikolas ist Fake! ∗∗∗ --------------------------------------------- Kinder, die an Krebs erkranken, stehen vor großen Herausforderungen und ihre Familien sind oft mit enormen finanziellen Belastungen konfrontiert. Spendenaktionen können hier ein Lichtblick sein. Doch leider gibt es auch Kriminelle, die das Mitgefühl der Menschen schamlos ausnutzen – wie im Fall der betrügerischen Spendenplattform go.hopeforlifefund.com, die angeblich für den krebskranken Jungen Nikolas Spenden sammelt. --------------------------------------------- https://www.watchlist-internet.at/news/spendenaufruf-fuer-krebskranken-niko… ∗∗∗ FTC cracks down on GoDaddy for cybersecurity failings ∗∗∗ --------------------------------------------- GoDaddy’s failure to use industry standard measures led to what the Federal Trade Commission called “several major security breaches” between 2019 and 2022. --------------------------------------------- https://therecord.media/ftc-godaddy-cyber-failings-fine ∗∗∗ Detecting Teams Chat Phishing Attacks (Black Basta) ∗∗∗ --------------------------------------------- For quite a while now, there has been a new ongoing threat campaign where the adversaries first bomb a user’s mailbox with spam emails and then pose as Help Desk or IT Support on Microsoft Teams to trick their potential victims into providing .. --------------------------------------------- https://blog.nviso.eu/2025/01/16/detecting-teams-chat-phishing-attacks-blac… ∗∗∗ 2022 zero day was used to raid Fortigate firewall configs. Somebody just released them. ∗∗∗ --------------------------------------------- Back in 2022, Fortinet warned that somebody had a zero day vulnerability and was using it to exploit Fortigate firewalls https://www.fortinet.com/blog/psirt-blogs/update-regarding-cve-2022-40684 .. --------------------------------------------- https://doublepulsar.com/2022-zero-day-was-used-to-raid-fortigate-firewall-… ∗∗∗ Black Basta-Style Cyberattack Hits Inboxes with 1,165 Emails in 90 Minutes ∗∗∗ --------------------------------------------- A recent cyberattack, mimicking the tactics of the notorious Black Basta ransomware group, targeted one of SlashNext’s clients.… --------------------------------------------- https://hackread.com/black-basta-cyberattack-hits-inboxes-with-1165-emails/ ∗∗∗ Proxying PyRIT for fun and profit ∗∗∗ --------------------------------------------- If you are in the AI security field, you are probably facing the problem of testing Large Language Models (LLMs) at scale and questioning the optimal balance between automatic testing and manual testing .. --------------------------------------------- https://www.nccgroup.com/us/research-blog/proxying-pyrit-for-fun-and-profit/ ∗∗∗ Dont Use Session (Signal Fork) ∗∗∗ --------------------------------------------- The main reason I said to avoid Session, all those months ago, was simply due to their decision to remove forward secrecy (which is an important security property of cryptographic protocols they inherited for free when they forked libsignal). --------------------------------------------- https://soatok.blog/2025/01/14/dont-use-session-signal-fork/ ∗∗∗ UK Officials Consider Banning Ransomware Payments from Public Entities ∗∗∗ --------------------------------------------- The UK government is poised to take a decisive step in the fight against ransomware by banning public sector entities from paying ransoms. This collection of proposals, part of a broader effort to protect critical national infrastructure, aims to disrupt the business model of cybercriminals and shield essential services like the NHS, schools, and local .. --------------------------------------------- https://socket.dev/blog/uk-officials-consider-banning-ransomware-payments-f… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (fence-agents, raptor2, and rsync), Debian (chromium), Fedora (rsync and seamonkey), Mageia (openjpeg2), Red Hat (tuned), Slackware (git), SUSE (dcmtk, dnsmasq, govulncheck-vulndb, libQtWebKit4, libraptor-devel, opera, python311-Pillow, python311-translate-toolkit, rsync, and SDL2_sound-devel), and Ubuntu (linux-raspi-5.4, neomutt, and python2.7). --------------------------------------------- https://lwn.net/Articles/1005292/ ∗∗∗ CVE-2024-9042 ∗∗∗ --------------------------------------------- Command Injection affecting Windows nodes via nodes/*/logs/query API --------------------------------------------- https://github.com/kubernetes/kubernetes/issues/129654 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.01.2025
by Daily end-of-shift report 15 Jan '25

15 Jan '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 14-01-2025 18:00 − Mittwoch 15-01-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ WP3.XYZ malware attacks add rogue admins to 5,000+ WordPress sites ∗∗∗ --------------------------------------------- A new malware campaign has compromised more than 5,000 WordPress sites to create admin accounts, install a malicious plugin, and steal data. --------------------------------------------- https://www.bleepingcomputer.com/news/security/wp3xyz-malware-attacks-add-r… ∗∗∗ Undercover Operations: Scraping the Cybercrime Underground ∗∗∗ --------------------------------------------- A blog about web scraping methods, use cases, challenges, and how to overcome them. --------------------------------------------- https://www.sans.org/blog/undercover-operations-scraping-the-cybercrime-und… ∗∗∗ Cyber-Bedrohungen für die öffentliche Ladeinfrastruktur: Risiken und Schutzmaßnahmen durch Penetrationstests ∗∗∗ --------------------------------------------- Angriffe auf die öffentliche Ladeinfrastruktur für Elektrofahrzeuge nehmen zu und gefährden den Ruf und die Sicherheit der .. --------------------------------------------- https://sec-consult.com/de/blog/detail/cyber-bedrohungen-fuer-die-oeffentli… ∗∗∗ Phishing False Alarm ∗∗∗ --------------------------------------------- A very security-conscious company was hit with a (presumed) massive state-actor phishing attack with gift cards, and everyone rallied to combat it—until it turned out it was company management sending the gift cards. --------------------------------------------- https://www.schneier.com/blog/archives/2025/01/phishing-false-alarm.html ∗∗∗ Miscreants mass exploited Fortinet firewalls, highly probable zero-day used ∗∗∗ --------------------------------------------- Ransomware not off the table, Arctic Wolf threat hunter tells El Reg Updated Miscreants running a "mass exploitation campaign" against Fortinet firewalls, which peaked in December, may be using an unpatched zero-day vulnerability to compromise the equipment, according to security researchers who say theyve observed the .. --------------------------------------------- https://www.theregister.com/2025/01/14/miscreants_mass_exploited_fortinet_f… ∗∗∗ Patchday Fortinet: Hintertür ermöglicht unbefugte Zugriffe auf FortiSwitch ∗∗∗ --------------------------------------------- Der Anbieter von IT-Securitylösungen Fortinet hat zahlreiche Sicherheitsupdates für seine Produkte veröffentlicht. Das sollten Netzwerkadmins im Blick haben. --------------------------------------------- https://www.heise.de/news/Patchday-Fortinet-Hintertuer-ermoeglicht-unbefugt… ∗∗∗ Cybergang Cl0p: Angeblich Daten durch Cleo-Sicherheitslücke abgezogen ∗∗∗ --------------------------------------------- Die kriminelle Bande Cl0p hat angeblich bei vielen Unternehmen Daten durch eine Sicherheitslücke in der Transfersoftware Cleo gestohlen. --------------------------------------------- https://www.heise.de/news/Cybergang-Cl0p-Angeblich-Daten-durch-Cleo-Sicherh… ∗∗∗ Security flaws found in tiny phones promoted to children ∗∗∗ --------------------------------------------- TL;DR Three mini smartphones promoted to children were analysed These types of phones are heavily promoted on TikTok All had outdated operating systems All could be rooted without wiping the .. --------------------------------------------- https://www.pentestpartners.com/security-blog/security-flaws-found-in-tiny-… ∗∗∗ Security flaws found in tiny phones promoted to children ∗∗∗ --------------------------------------------- TL;DR Three mini smartphones promoted to children were analysed Those devices are heavily promoted on TikTok All had outdated operating systems All could be rooted without wiping the phone, allowing .. --------------------------------------------- https://www.pentestpartners.com/security-blog/security-flaws-found-in-tiny-… ∗∗∗ Adobe Releases Security Updates for Multiple Products ∗∗∗ --------------------------------------------- Adobe released security updates to address vulnerabilities in multiple Adobe software products including Adobe Photoshop, Animate, and Illustrator for iPad. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the following .. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/01/14/adobe-releases-security-… ∗∗∗ TAG Bulletin: Q3 2024 ∗∗∗ --------------------------------------------- This bulletin includes coordinated influence operation campaigns terminated on our platforms in Q3 2024. --------------------------------------------- https://blog.google/threat-analysis-group/tag-bulletin-q3-2024/ ∗∗∗ Patchday: Windows 10/11 Updates (14. Januar 2025) ∗∗∗ --------------------------------------------- Am 14. Januar 2024 (zweiter Dienstag im Monat, Patchday bei Microsoft) hat Microsoft auch kumulative Updates für die noch unterstützten Versionen der Client-Betriebssysteme Windows 10 und Windows 11 veröffentlicht. Hier einige .. --------------------------------------------- https://www.borncity.com/blog/2025/01/15/patchday-windows-10-11-updates-14-… ∗∗∗ Passkeys: the promise of a simpler and safer alternative to passwords ∗∗∗ --------------------------------------------- The merits of choosing passkeys over passwords to help keep your online accounts more secure, and explaining how the technology promises to do this --------------------------------------------- https://www.ncsc.gov.uk/blog-post/passkeys-promise-simpler-alternative-pass… ∗∗∗ Your Single-Page Applications Are Vulnerable: Heres How to Fix Them ∗∗∗ --------------------------------------------- Due to their client-side nature, single-page applications (SPAs) will typically have multiple access control vulnerabilitiesBy implementing a robust access control policy on supporting APIs, the risks associated with client-side rendering can be largely mitigatedUsing server-side .. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/single-page-applic… ∗∗∗ Tracking cloud-fluent threat actors - Part two: Behavioral cloud IOCs ∗∗∗ --------------------------------------------- Discover how behavioral cloud IOCs can expose malicious activity as we break down real-world examples to reveal actionable detection techniques. --------------------------------------------- https://www.wiz.io/blog/detecting-behavioral-cloud-indicators-of-compromise… ∗∗∗ The Risks of Misguided Research in Supply Chain Security ∗∗∗ --------------------------------------------- On January 8, 2025, it came to light that Snyk, a well-known security tool—frequently used to protect against supply chain attacks—was implicated in a troubling event. Several malicious packages targeting the popular AI coding platform Cursor were deployed to the public npm registry. These packages, named “cursor-retrieval,” “cursor-always-local,” .. --------------------------------------------- https://socket.dev/blog/the-risks-of-misguided-research-in-supply-chain-sec… ∗∗∗ Penetration Testing for ISO/IEC 27001: A Detailed Guide to Compliance ∗∗∗ --------------------------------------------- In an era where data breaches and cyber threats dominate headlines, safeguarding sensitive information has become a critical priority for organizations worldwide. ISO/IEC 27001, the internationally recognized standard for Information Security Management Systems (ISMS), offers a robust framework to protect valuable information assets. By .. --------------------------------------------- https://fortbridge.co.uk/regulations/penetration-testing-for-iso-iec-27001-… ===================== = Vulnerabilities = ===================== ∗∗∗ Six vulnerabilities discovered in rsync ∗∗∗ --------------------------------------------- Nick Tait announced on the oss-security mailing list that rsync, the widely used file transfer program, had a number of serious vulnerabilities.Users can mitigate all six vulnerabilities by upgrading to version 3.4.0, which was released on January 14. While all users should upgrade, servers that use rsyncd are especially impacted:In the most severe CVE, an attacker .. --------------------------------------------- https://lwn.net/Articles/1005129/ ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (rsync), Debian (rsync), Fedora (perl-Net-OAuth and redis), Red Hat (ipa, raptor2, rsync, and tuned), Slackware (rsync), SUSE (apache2-mod_jk, git, kernel, rclone, rsync, and webkit2gtk3), and Ubuntu (git, linux-azure-5.4, pdns, pdns-recursor, python-django, rlottie, and rsync). --------------------------------------------- https://lwn.net/Articles/1005163/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.01.2025
by Daily end-of-shift report 14 Jan '25

14 Jan '25

===================== = End-of-Day report = ===================== Timeframe: Montag 13-01-2025 18:00 − Dienstag 14-01-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Abgehörte Kryptohandys: BGH erlaubt Verwertung - Berliner Landgericht lehnt ab ∗∗∗ --------------------------------------------- Die Justiz ringt seit Jahren um die Verwertung von Daten abgehörter Kryptohandys. Nun gab es in wenigen Wochen gegensätzliche Urteile. --------------------------------------------- https://www.golem.de/news/abgehoerte-kryptohandys-bgh-erlaubt-verwertung-be… ∗∗∗ Analyzing CVE-2024-44243, a macOS System Integrity Protection bypass through kernel extensions ∗∗∗ --------------------------------------------- Microsoft discovered a macOS vulnerability allowing attackers to bypass System Integrity Protection (SIP) by loading third party kernel extensions, which could lead to serious consequences, such as allowing attackers to install rootkits, create persistent malware, bypass Transparency, Consent, and Control (TCC), and expand the attack surface to perform other .. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2025/01/13/analyzing-cve-2024… ∗∗∗ The Database Slayer: Deep Dive and Simulation of the Xbash Malware ∗∗∗ --------------------------------------------- In the world of malware, common ransomware schemes aim to take the data within databases (considered the "gold" in the vault of any organization) and hold them hostage, promising data recovery upon ransom payment. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-databas… ∗∗∗ Snyk appears to deploy malicious packages targeting Cursor for unknown reason ∗∗∗ --------------------------------------------- Packages removed, vendor said to have apologized to AI code editor as onlookers say it could have been a test Developer security company Snyk is at the center of allegations concerning the possible targeting or testing of Cursor, an AI code editor company, using "malicious" packages uploaded to NPM. --------------------------------------------- https://www.theregister.com/2025/01/14/snyk_npm_deployment_removed/ ∗∗∗ SAP-Patchday: Updates schließen 14 teils kritische Schwachstellen ∗∗∗ --------------------------------------------- Im Januar bedenkt SAP Produkte mit 14 Sicherheitsmitteilungen und zugehörigen Updates. Zwei davon gelten als kritisch. --------------------------------------------- https://www.heise.de/news/SAP-Patchday-Hersteller-stopft-teils-kritische-SI… ∗∗∗ Telefónica: Infostealer-Kampagne legt interne Jira-Issues offen ∗∗∗ --------------------------------------------- Der Telekommunikationsanbieter Telefónica wurde Opfer eines Cyberangriffs. Kriminelle erbeuteten offenbar Zugriff auf große Mengen interner Daten. --------------------------------------------- https://www.heise.de/news/Telefonica-Infostealer-Kampagne-legt-interne-Jira… ∗∗∗ Achtung Fake: vailllant.at und vaillantproservice.at ∗∗∗ --------------------------------------------- Kriminelle missbrauchen das für Heiztechnik bekannte Unternehmen Vaillant für eine Betrugsmasche. Auf gefälschten Webseiten geben sich die Kriminellen als 24-Stunden-Notdienst für Österreich bzw. Wien/Niederösterreich aus. Ruft man den betrügerischen Notdienst an, kommen unseriöser Handwerker:innen, die den Schaden nicht fachgerecht beheben, sondern eine horrende Summe in Rechnung stellen! --------------------------------------------- https://www.watchlist-internet.at/news/achtung-fake-vailllantat-und-vaillan… ∗∗∗ One Step Ahead in Cyber Hide-and-Seek: Automating Malicious Infrastructure Discovery With Graph Neural Networks ∗∗∗ --------------------------------------------- Graph neural networks aid in analyzing domains linked to known attack indicators, effectively uncovering new malicious domains and cybercrime campaigns. --------------------------------------------- https://unit42.paloaltonetworks.com/graph-neural-networks/ ∗∗∗ Ransomware: Threat Level Remains High in Third Quarter ∗∗∗ --------------------------------------------- Recently established RansomHub group overtakes LockBit to become most prolific ransomware operation. --------------------------------------------- https://www.security.com/threat-intelligence/ransomware-threat-level-remain… ∗∗∗ CISA Releases the JCDC AI Cybersecurity Collaboration Playbook and Fact Sheet ∗∗∗ --------------------------------------------- Today, CISA released the JCDC AI Cybersecurity Collaboration Playbook and Fact Sheet to foster operational collaboration among government, industry, and international partners and strengthen artificial intelligence (AI) cybersecurity. The playbook provides voluntary information-sharing processes that, if adopted, can help protect organizations from emerging .. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/01/14/cisa-releases-jcdc-ai-cy… ∗∗∗ Major location data broker reports hack to Norwegian authorities ∗∗∗ --------------------------------------------- The location data broker Gravy Analytics confirmed to Norwegian authorities that it was breached by a hacker — potentially exposing a trove of sensitive information. --------------------------------------------- https://therecord.media/location-data-broker-gravy-breach ∗∗∗ NPM command confusion ∗∗∗ --------------------------------------------- Intro Managing dependencies in JavaScript projects can quickly become a complex undertaking. Tasks include keeping track of versions, ensuring compatibility, and handling updates . npm provides a robust solution to these problems, through a centralized system for managing project dependencies. Primarily accessed through its command-line interface (CLI), npm .. --------------------------------------------- https://checkmarx.com/blog/npm-command-confusion/ ∗∗∗ Malicious Kong Ingress Controller Image Found on DockerHub ∗∗∗ --------------------------------------------- A critical security breach in the software supply chain has been detected. An attacker accessed Kong’s DockerHub account --------------------------------------------- https://hackread.com/malicious-kong-ingress-controller-image-dockerhub/ ∗∗∗ Hackers Using Fake YouTube Links to Steal Login Credentials ∗∗∗ --------------------------------------------- Cybercriminals exploit fake YouTube links to redirect users to phishing pages, stealing login credentials via URI .. --------------------------------------------- https://hackread.com/hackers-fake-youtube-links-steal-login-credentials/ ∗∗∗ Kill Switch Hidden in npm Packages Typosquatting Chalk and Chokidar ∗∗∗ --------------------------------------------- In Hindi, chokidar (चौकीदार) means “gatekeeper” or “watchman”—a perfect descriptor for chokidar one of Node.js most trusted file-watching libraries with around 56 million weekly downloads. Meanwhile, chalk serves as a cornerstone for terminal string styling in JavaScript, drawing over 265 million downloads weekly. Unfortunately, our Socket threat .. --------------------------------------------- https://socket.dev/blog/kill-switch-hidden-in-npm-packages-typo-squatting-c… ===================== = Vulnerabilities = ===================== ∗∗∗ Zyxel security advisory for improper privilege management vulnerability in APs and security router devices ∗∗∗ --------------------------------------------- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-… ∗∗∗ January Security Update ∗∗∗ --------------------------------------------- https://www.ivanti.com/blog/january-security-update -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.01.2025
by Daily end-of-shift report 13 Jan '25

13 Jan '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 10-01-2025 18:00 − Montag 13-01-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Ongoing attacks on Ivanti VPNs install a ton of sneaky, well-written malware ∗∗∗ --------------------------------------------- In-the-wild attacks tamper with built-in security tool providing infection warnings. --------------------------------------------- https://arstechnica.com/security/2025/01/ivanti-vpn-users-are-getting-hacke… ∗∗∗ Phishing texts trick Apple iMessage users into disabling protection ∗∗∗ --------------------------------------------- Cybercriminals are exploiting a trick to turn off Apple iMessages built-in phishing protection for a text and trick users into re-enabling disabled phishing links. --------------------------------------------- https://www.bleepingcomputer.com/news/security/phishing-texts-trick-apple-i… ∗∗∗ Ransomware abuses Amazon AWS feature to encrypt S3 buckets ∗∗∗ --------------------------------------------- A new ransomware campaign encrypts Amazon S3 buckets using AWSs Server-Side Encryption with Customer Provided Keys (SSE-C) known only to the threat actor, demanding ransoms to receive the decryption key. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ransomware-abuses-amazon-aws… ∗∗∗ Anwendung blockiert: MacOS stuft Docker Desktop als Malware ein ∗∗∗ --------------------------------------------- Einige Dateien von Docker Desktop für MacOS wurden falsch signiert, so dass Nutzer eine Malware-Warnung erhalten. Eine echte Gefahr besteht nicht. --------------------------------------------- https://www.golem.de/news/anwendung-blockiert-docker-desktop-unter-macos-al… ∗∗∗ New LLM Jailbreak Uses Models Evaluation Skills Against Them ∗∗∗ --------------------------------------------- SC Media reports on a new jailbreak method for large language models (LLMs) that "takes advantage of models ability to identify and score harmful content in order to trick the models into generating content related to malware, illegal activity, harassment and more. "The Bad Likert Judge multi-step jailbreak technique was developed and tested by .. --------------------------------------------- https://it.slashdot.org/story/25/01/12/2010218/new-llm-jailbreak-uses-model… ∗∗∗ Nominet probes network intrusion linked to Ivanti zero-day exploit ∗∗∗ --------------------------------------------- Unauthorized activity detected, but no backdoors found UK domain registry Nominet is investigating a potential intrusion into its network related to the latest Ivanti zero-day exploits. --------------------------------------------- https://www.theregister.com/2025/01/13/nominet_ivanti_zero_day/ ∗∗∗ Paypal-Phishing: Angebliche monatliche Finanzberichte ködern Opfer ∗∗∗ --------------------------------------------- Derzeit schaffen es Phishing-Mails an Spam-Filtern vorbeizukommen, die einen monatlichen Finanzbericht für Paypal versprechen. --------------------------------------------- https://www.heise.de/news/Paypal-Phishing-Angebliche-monatliche-Finanzberic… ∗∗∗ Log Source Management App für IBM QRadar SIEM ist auf vielen Wegen angreifbar ∗∗∗ --------------------------------------------- Weil mehrere Komponenten verwundbar sind, können Angreifer Systeme mit Log Source Management App für IBM QRadar SIEM attackieren. --------------------------------------------- https://www.heise.de/news/Log-Source-Management-App-fuer-IBM-QRadar-SIEM-is… ∗∗∗ Tackling AI threats. Advanced DFIR methods and tools for deepfake detection ∗∗∗ --------------------------------------------- TL; DR AI-generated documents, videos and more pose significant challenges for DFIR DFIR teams can harness innovative detection strategies and tooling Digital fingerprinting and watermarking, AI-powered and behavioural analyses .. --------------------------------------------- https://www.pentestpartners.com/security-blog/tackling-ai-threats-advanced-… ∗∗∗ Rufnummernmissbrauch dank Verordnung drastisch zurückgegangen ∗∗∗ --------------------------------------------- Die "Anti-Spoofing-Verordnung" der RTR greift seit September, seitdem gibt es nur noch wenige Vorfälle von Betrug mittels gekaperter Rufnummern --------------------------------------------- https://www.derstandard.at/story/3000000252624/rufnummernmissbrauch-dank-ve… ∗∗∗ Muddling Meerkat Linked to Domain Spoofing in Global Spam Scams ∗∗∗ --------------------------------------------- Infoblox cybersecurity researchers investigating the mysterious activities of Muddling Meerkat unexpectedly uncovered widespread use of domain spoofing in malicious spam campaigns. --------------------------------------------- https://hackread.com/muddling-meerkat-domain-spoofing-spam-scams/ ∗∗∗ Fake CrowdStrike Recruiters Distribute Malware Via Phishing Emails ∗∗∗ --------------------------------------------- SUMMARY Cybercriminals are deploying a tricky new phishing campaign impersonating the cybersecurity firm CrowdStrike‘s .. --------------------------------------------- https://hackread.com/fake-crowdstrike-recruiters-malware-phishing-emails/ ∗∗∗ 3 Russians Indicted for Operating Blender.io and Sinbad.io Crypto Mixers ∗∗∗ --------------------------------------------- SUMMARY Three Russian nationals have been indicted for their alleged roles in running cryptocurrency mixing services Blender.io and… --------------------------------------------- https://hackread.com/3-russian-operating-blender-io-sinbad-io-crypto-mixers/ ∗∗∗ Exploitation Walkthrough and Techniques - Ivanti Connect Secure RCE (CVE-2025-0282) ∗∗∗ --------------------------------------------- As we saw in our previous blogpost, we fully analyzed Ivanti’s most recent unauthenticated Remote Code Execution vulnerability in their Connect Secure (VPN) appliance. Specifically, we analyzed CVE-2025-0282.Today, we’re .. --------------------------------------------- https://labs.watchtowr.com/exploitation-walkthrough-and-techniques-ivanti-c… ∗∗∗ Deep Dive Into a Linux Rootkit Malware ∗∗∗ --------------------------------------------- This is a follow-up analysis to a previous blog about a zero day exploit where the FortiGuard Incident Response (FGIR) team examined how remote attackers exploited multiple vulnerabilities in an appliance to gain control of a customer’s system. --------------------------------------------- https://feeds.fortinet.com/~/910912481/0/fortinet/blogs~Deep-Dive-Into-a-Li… ∗∗∗ Wiz Research Identifies Exploitation in the Wild of Aviatrix Controller RCE (CVE-2024-50603) ∗∗∗ --------------------------------------------- The Wiz Incident Response team is currently responding to multiple incidents involving CVE-2024-50603, an Aviatrix Controller unauthenticated RCE vulnerability, that can lead to privileges escalation in the AWS control plane. Organizations should patch urgently. --------------------------------------------- https://www.wiz.io/blog/wiz-research-identifies-exploitation-in-the-wild-of… ∗∗∗ Analysis of Counter-Ransomware Activities in 2024 ∗∗∗ --------------------------------------------- The scourge of ransomware continues primarily because ofthree main reasons: Ransomware-as-a-Service (RaaS), cryptocurrency, and safe havens.RaaS platforms enable aspiring cybercriminals to join a gang and begin launching attacks with a support system that help extract ransom payments from their victims.Cryptocurrency enables cybercriminals to receive funds .. --------------------------------------------- https://blog.bushidotoken.net/2025/01/analysis-of-counter-ransomware.html ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (dpdk, firefox, iperf3, thunderbird, and webkit2gtk3), Debian (firefox-esr, gnuchess, node-mocha, openafs, python-django, and thunderbird), Fedora (libxmp, python-jinja2, suricata, thunderbird, and xen), Mageia (avahi, libjxl, opencontainers-runc, radare2, rizin, and tinyproxy), Oracle (cups, dpdk, firefox, iperf3, .. --------------------------------------------- https://lwn.net/Articles/1004962/ ∗∗∗ MISP 2.4.203 and 2.5.5 released including new features, improvements and many security improvements. ∗∗∗ --------------------------------------------- We are thrilled to announce the release of MISP v2.4.203 and MISP v2.5.5, bringing a range of new features, improvements, and fixes to enhance the platforms performance, usability, and security. These updates reflect our ongoing commitment to providing a robust and reliable open-source .. --------------------------------------------- https://github.com/MISP/MISP/releases/tag/v2.4.203 ∗∗∗ Security Vulnerabilities fixed in Firefox for iOS 134 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-06/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.01.2025
by Daily end-of-shift report 10 Jan '25

10 Jan '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 09-01-2025 18:00 − Freitag 10-01-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Ongoing attacks on Ivanti VPNs install a ton of sneaky, well-written malware ∗∗∗ --------------------------------------------- In-the-wild attacks tamper with built-in security tool to suppress infection warnings. --------------------------------------------- https://arstechnica.com/security/2025/01/ivanti-vpn-users-are-getting-hacke… ∗∗∗ Stealthy Credit Card Skimmer Targets WordPress Checkout Pages via Database Injection ∗∗∗ --------------------------------------------- Recently, we released an article where a credit card skimmer was targeting checkout pages on a Magento site. Now we’ve come across sophisticated credit card skimmer malware while investigating a compromised WordPress .. --------------------------------------------- https://blog.sucuri.net/2025/01/stealthy-credit-card-skimmer-targets-wordpr… ∗∗∗ Sicherheitsupdates: Angreifer können Netzwerkgeräte mit Junos OS crashen lassen ∗∗∗ --------------------------------------------- Netzwerkgeräte wie Switches von Juniper sind verwundbar. Ansatzpunkte sind mehrere Schwachstellen im Betriebssystem Junos OS. --------------------------------------------- https://www.heise.de/news/Sicherheitsupdates-Angreifer-koennen-Netzwerkgera… ∗∗∗ Meet FunkSec: A New, Surprising Ransomware Group, Powered by AI ∗∗∗ --------------------------------------------- Executive Summary: The FunkSec ransomware group emerged in late 2024 and published over 85 victims in December, surpassing every other ransomware group that month FunkSec operators appear to use AI-assisted malware development, which can enable even inexperienced actors to quickly produce and refine advanced tools The group’s activities straddle the line .. --------------------------------------------- https://blog.checkpoint.com/research/meet-funksec-a-new-surprising-ransomwa… ∗∗∗ Do we still have to keep doing it like this? ∗∗∗ --------------------------------------------- Hazel gets inspired by watching Wendy Nather’s recent keynote, and explores ways to challenge security assumptions. --------------------------------------------- https://blog.talosintelligence.com/do-we-still-have-to-keep-doing-it-like-t… ∗∗∗ How Cracks and Installers Bring Malware to Your Device ∗∗∗ --------------------------------------------- Our research shows how attackers use platforms like YouTube to spread fake installers via trusted hosting services, employing encryption to evade detection and steal sensitive browser data. --------------------------------------------- https://www.trendmicro.com/en_us/research/25/a/how-cracks-and-installers-br… ∗∗∗ Banshee Stealer Hits macOS Users via Fake GitHub Repositories ∗∗∗ --------------------------------------------- Cybersecurity researchers at Check Point detected a new version of Banshee Stealer in late September 2024, distributed .. --------------------------------------------- https://hackread.com/banshee-stealer-hits-macos-fake-github-repositories/ ∗∗∗ Do Secure-By-Design Pledges Come With Stickers? - Ivanti Connect Secure RCE (CVE-2025-0282) ∗∗∗ --------------------------------------------- Did you have a good break? Have you had a chance to breathe? Wake up. It’s 2025, and the chaos continues. Haha, see what we did? We wrote the exact same thing in 2024 because 2024 was exactly .. --------------------------------------------- https://labs.watchtowr.com/do-secure-by-design-pledges-come-with-stickers-i… ∗∗∗ How to secure your GitHub Actions workflows with CodeQL ∗∗∗ --------------------------------------------- In the last few months, we secured 75+ GitHub Actions workflows in open source projects, disclosing 90+ different vulnerabilities. Out of this research we produced new support for workflows in CodeQL, empowering .. --------------------------------------------- https://github.blog/security/application-security/how-to-secure-your-github… ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-25-010: Redis Stack Lua Use-After-Free Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Redis Stack. Authentication is required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.2. The following CVEs are assigned: CVE-2024-46981. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-010/ ∗∗∗ ZDI-25-009: Redis Stack RedisBloom Integer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Redis Stack. Authentication is required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 8.8. The following CVEs are assigned: CVE-2024-55656. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-009/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.01.2025
by Daily end-of-shift report 09 Jan '25

09 Jan '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 08-01-2025 18:00 − Donnerstag 09-01-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Here’s how hucksters are manipulating Google to promote shady Chrome extensions ∗∗∗ --------------------------------------------- How do you stash 18,000 keywords into a description? Turns out its easy. --------------------------------------------- https://arstechnica.com/security/2025/01/googles-chrome-web-store-has-a-ser… ∗∗∗ Unpatched critical flaws impact Fancy Product Designer WordPress plugin ∗∗∗ --------------------------------------------- Premium WordPress plugin Fancy Product Designer from Radykal is vulnerable to two critical severity flaws that remain unfixed in the current latest version. --------------------------------------------- https://www.bleepingcomputer.com/news/security/unpatched-critical-flaws-imp… ∗∗∗ Beyond Meh-trics: Examining How CTI Programs Demonstrate Value Using Metrics ∗∗∗ --------------------------------------------- A blog about developing cyber threat intelligence (CTI) metrics. --------------------------------------------- https://www.sans.org/blog/beyond-meh-trics-examining-how-cti-programs-demon… ∗∗∗ The State of Magecart: A Persistent Threat to E-Commerce Security ∗∗∗ --------------------------------------------- Trustwave SpiderLabs first blogged about Magecart back in 2019; fast forward five years and it is still here going strong. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-state-o… ∗∗∗ Mitel 0-day, 5-year-old Oracle RCE bug under active exploit ∗∗∗ --------------------------------------------- 3 CVEs added to CISAs catalog Cybercriminals are actively exploiting two vulnerabilities in Mitel MiCollab, including a zero-day flaw – and a critical remote code execution vulnerability in Oracle WebLogic Server that has been abused for at least five years. --------------------------------------------- https://www.theregister.com/2025/01/08/mitel_0_day_oracle_rce_under_exploit/ ∗∗∗ Japanese police claim China ran five-year cyberattack campaign targeting local orgs ∗∗∗ --------------------------------------------- ‘MirrorFace’ group found ways to run malware in the Windows sandbox, which is worrying Japan’s National Police Agency and Center of Incident Readiness and Strategy for Cybersecurity have confirmed third party reports of attacks on local orgs by publishing details of a years-long series of attacks attributed to a China-backed source. --------------------------------------------- https://www.theregister.com/2025/01/09/japan_mirrorface_china_attack/ ∗∗∗ Angestellte klickten dreimal so oft auf Phishing-Links ‒ häufig in Suchmaschinen ∗∗∗ --------------------------------------------- Mitarbeiter klicken trotz Schulungen auf Phishing-Links. Laut einer Studie sind sie bei E-Mails sich der Angriffe eher bewusst, bei der Suche im Netz weniger. --------------------------------------------- https://www.heise.de/news/E-Mails-sind-out-Phishing-verstaerkt-ueber-Suchma… ∗∗∗ New Research: Enhancing Botnet Detection with AI using LLMs and Similarity Search ∗∗∗ --------------------------------------------- As botnets continue to evolve, so do the techniques required to detect them. --------------------------------------------- https://www.rapid7.com/blog/post/2025/01/08/new-research-enhancing-botnet-d… ∗∗∗ Banshee: The Stealer That “Stole Code” From MacOS XProtect ∗∗∗ --------------------------------------------- As of 2024, approximately 100.4 million people worldwide use macOS, accounting for 15.1% of the global PC market. Of the millions of macOS users, many falsely assume that their systems are inherently secure from malware. This perception stems from macOS’s Unix-based architecture and historically lower market share, .. --------------------------------------------- https://research.checkpoint.com/2025/banshee-macos-stealer-that-stole-code-… ∗∗∗ Ivanti Connect Secure VPN Targeted in New Zero-Day Exploitation ∗∗∗ --------------------------------------------- On Wednesday, Jan. 8, 2025, Ivanti disclosed two vulnerabilities, CVE-2025-0282 and CVE-2025-0283, impacting Ivanti Connect Secure (“ICS”) VPN appliances. Mandiant has identified zero-day exploitation of CVE-2025-0282 in the wild beginning mid-December 2024. CVE-2025-0282 is an unauthenticated stack-based buffer overflow. Successful exploitation could result in unauthenticated remote code execution, leading to potential downstream compromise of a victim network. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/ivanti-connect-sec… ∗∗∗ Angeblich Datenleck bei Datensammler Gravy Analytics ∗∗∗ --------------------------------------------- Im Darknet behaupten Kriminelle, Daten vom Positionsdatensammler Gravy Analytics erbeutet zu haben. Sorge um die Privatsphäre macht sich breit. --------------------------------------------- https://heise.de/-10233802 ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-25-008: Trend Micro Deep Security Agent Incorrect Permissions Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-008/ ∗∗∗ ZDI-25-007: Trend Micro Apex One widget getWidgetPoolManager Local File Inclusion Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-007/ ∗∗∗ ZDI-25-006: Trend Micro Apex One LogServer Link Following Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-006/ ∗∗∗ ZDI-25-005: Trend Micro Apex One LogServer Link Following Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-005/ ∗∗∗ ZDI-25-004: Trend Micro Apex One Origin Validation Error Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-004/ ∗∗∗ ZDI-25-003: Trend Micro Apex One Security Agent Link Following Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-003/ ∗∗∗ ZDI-25-002: Trend Micro Apex One LogServer Link Following Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-002/ ∗∗∗ ZDI-25-001: Trend Micro Apex One Damage Cleanup Engine Link Following Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-001/ ∗∗∗ 2025-01 Security Bulletin: Junos Space: Multiple vulnerabilities resolved in 24.1R2 release ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2025-01-Security-Bulletin-Junos… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.01.2025
by Daily end-of-shift report 08 Jan '25

08 Jan '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 07-01-2025 18:00 − Mittwoch 08-01-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ How initial access brokers (IABs) sell your users’ credentials ∗∗∗ --------------------------------------------- Initial Access Brokers (IABs) are specialized cybercriminals that break into corporate networks and sell stolen access to other attackers. Learn from Specops Software about how IABs operate and how businesses can protect themselves. --------------------------------------------- https://www.bleepingcomputer.com/news/security/how-initial-access-brokers-i… ∗∗∗ Wegen Sicherheitslücken: Ärzteschaft empfiehlt Widerspruch zu ePA für alle ∗∗∗ --------------------------------------------- Kurz vor dem Start der ePA für alle ist die Verunsicherung groß. Die Ärzte sehen noch "große Einfallstore" für Hacker. --------------------------------------------- https://www.golem.de/news/wegen-sicherheitsluecken-aerzteschaft-empfiehlt-w… ∗∗∗ FCC Launches Cyber Trust Mark for IoT Devices to Certify Security Compliance ∗∗∗ --------------------------------------------- The U.S. government on Tuesday announced the launch of the U.S. Cyber Trust Mark, a new cybersecurity safety label for Internet-of-Things (IoT) consumer devices."IoT products can be susceptible to a range of security vulnerabilities," the U.S. Federal .. --------------------------------------------- https://thehackernews.com/2025/01/fcc-launches-cyber-trust-mark-for-iot.html ∗∗∗ Mirai Botnet Variant Exploits Four-Faith Router Vulnerability for DDoS Attacks ∗∗∗ --------------------------------------------- A Mirai botnet variant has been found exploiting a newly disclosed security flaw impacting Four-Faith industrial routers since early November 2024 with the goal of conducting distributed denial-of-service (DDoS) attacks.The botnet maintains .. --------------------------------------------- https://thehackernews.com/2025/01/mirai-botnet-variant-exploits-four.html ∗∗∗ Researchers Expose NonEuclid RAT Using UAC Bypass and AMSI Evasion Techniques ∗∗∗ --------------------------------------------- Cybersecurity researchers have shed light on a new remote access trojan called NonEuclid that allows bad actors to remotely control compromised Windows systems."The NonEuclid remote access trojan (RAT), developed in C#, is a highly sophisticated .. --------------------------------------------- https://thehackernews.com/2025/01/researchers-expose-noneuclid-rat-using.ht… ∗∗∗ US-Sicherheitsbehörde warnt vor Attacken auf MiCollab und WebLogic Server ∗∗∗ --------------------------------------------- Admins sollten ihre Systeme mit Mitel- und Oracle-Software gegen derzeit laufende Angriffe rüsten. --------------------------------------------- https://www.heise.de/news/US-Sicherheitsbehoerde-warnt-vor-Attacken-auf-MiC… ∗∗∗ Forscher: KI sorgt für effektiveres Phishing ∗∗∗ --------------------------------------------- Wie wirksam ist per LLM automatisch erzeugtes Phishing? Es ist gleichauf mit menschlich erzeugtem Spear-Phishing, sagen Forscher. --------------------------------------------- https://www.heise.de/news/Forscher-KI-sorgt-fuer-effektiveres-Phishing-1023… ∗∗∗ A Day in the Life of a Prolific Voice Phishing Crew ∗∗∗ --------------------------------------------- Besieged by scammers seeking to phish user accounts over the telephone, Apple and Google frequently caution that they will never reach out unbidden to users this way. However, new details about the internal operations of a prolific voice phishing gang show the group routinely abuses legitimate services at Apple and Google to force a variety of outbound .. --------------------------------------------- https://krebsonsecurity.com/2025/01/a-day-in-the-life-of-a-prolific-voice-p… ∗∗∗ Vorsicht vor versteckten Kosten auf finelo.com und coursiv.io ∗∗∗ --------------------------------------------- Die Aussicht auf finanziellen Aufstieg lockt viele Menschen auf Plattformen wie finelo.com und coursive.io, die von der IT-Firma zimran.io betrieben werden. Beide Plattformen werben mit großen Versprechungen: Während finelo.com den Nutzer:innen beibringen möchte, clever zu investieren, zielt coursiv.io darauf ab, berufliche Fähigkeiten mithilfe künstlicher .. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-versteckten-kosten-auf-… ∗∗∗ Drupal 7 End of Life - PSA-2025-01-06 ∗∗∗ --------------------------------------------- Drupal core version 7 has reached end of life, and is no longer community supported on Drupal.org. This means that new releases of Drupal 7 core and contributed projects will no longer happen on Drupal.org and community support is no longer provided. What this means for you:Any vulnerabilities that impact Drupal 7 may be released and .. --------------------------------------------- https://www.drupal.org/psa-2025-01-06 ∗∗∗ Russian internet provider confirms its network was ‘destroyed’ following attack claimed by Ukrainian hackers ∗∗∗ --------------------------------------------- In a statement on the Russian social media platform VKontakte, the St. Petersburg-based company said the “planned” attack “destroyed” its infrastructure overnight. Nodex added that it was working to restore systems from backups but could not provide a timeline for when operations would fully resume. --------------------------------------------- https://therecord.media/russian-internet-provider-says-network-destroyed-cy… ∗∗∗ Scammers Impersonate Authorities to Swipe OTPs with Remote Access Apps ∗∗∗ --------------------------------------------- SUMMARY Cybersecurity researchers at Group-IB have discovered a sophisticated refund scam where scammers are using remote access tools. --------------------------------------------- https://hackread.com/scammers-impersonate-swipe-otps-remote-access-apps/ ∗∗∗ Backdooring Your Backdoors - Another $20 Domain, More Governments ∗∗∗ --------------------------------------------- After the excitement of our .MOBI research, we were left twiddling our thumbs. As you may recall, in 2024, we demonstrated the impact of an unregistered domain when we subverted the TLS/SSL CA process for verifying domain ownership to give ourselves .. --------------------------------------------- https://labs.watchtowr.com/more-governments-backdoors-in-your-backdoors/ ∗∗∗ Solving NIST Password Complexities: Guidance From a GRC Perspective ∗∗∗ --------------------------------------------- Not another password change! Isn’t one (1) extra-long password enough? As a former Incident Response, Identity and Access Control, and Education and Awareness guru, I can attest .. --------------------------------------------- https://trustedsec.com/blog/solving-nist-password-complexities-guidance-fro… ∗∗∗ How We Cracked a 512-Bit DKIM Key for Less Than $8 in the Cloud ∗∗∗ --------------------------------------------- In our study on the SPF, DKIM, and DMARC records of the top 1M websites, we were surprised to uncover more than 1,700 public DKIM keys that were shorter than 1,024 bits in length. This finding was unexpected, as RSA keys shorter than 1,024 bits are considered insecure, and their use in DKIM has been deprecated since the introduction of RFC 8301 in 2018. --------------------------------------------- https://dmarcchecker.app/articles/crack-512-bit-dkim-rsa-key ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Common Services Platform Collector Cross-Site Scripting Vulnerabilities ∗∗∗ --------------------------------------------- Multiple vulnerabilities in the web-based management interface of Cisco Common Services Platform Collector (CSPC) could allow an authenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface.These vulnerabilities are due to insufficient validation of user-supplied input by the web-based management interface .. --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Crosswork Network Controller Stored Cross-Site Scripting Vulnerabilities ∗∗∗ --------------------------------------------- Multiple vulnerabilities in the web-based management interface of Cisco Crosswork Network Controller could allow an authenticated, remote attacker to conduct cross-site scripting (XSS) attacks against users of the interface of an affected system. These vulnerabilities exist because the web-based management interface does not properly validate user-supplied .. --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (firefox, mupdf, and php-tcpdf), SUSE (etcd, file-roller, gtk3, kernel, python-django-ckeditor, rubygem-json-jwt, and tomcat10), and Ubuntu (ffmpeg, HTMLDOC, linux-aws, linux-raspi, linux-gke, linux-hwe-6.8, linux-lowlatency, linux-lowlatency-hwe-6.8, and tinyproxy). --------------------------------------------- https://lwn.net/Articles/1004428/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.01.2025
by Daily end-of-shift report 07 Jan '25

07 Jan '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 03-01-2025 18:00 − Dienstag 07-01-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Windows 10 users urged to upgrade to avoid "security fiasco" ∗∗∗ --------------------------------------------- Cybersecurity firm ESET is urging Windows 10 users to upgrade to Windows 11 or Linux to avoid a "security fiasco" as the 10-year-old operating system nears the end of support in October 2025. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/windows-10-users-urged-to-u… ∗∗∗ Cryptocurrency wallet drainers stole $494 million in 2024 ∗∗∗ --------------------------------------------- Scammers stole $494 million worth of cryptocurrency in wallet drainer attacks last year that targeted more than 300,000 wallet addresses. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cryptocurrency-wallet-draine… ∗∗∗ Chinese hackers also breached Charter and Windstream networks ∗∗∗ --------------------------------------------- More U.S. companies have been added to the list of telecommunications firms hacked in a wave of breaches by a Chinese state-backed threat group tracked as Salt Typhoon. --------------------------------------------- https://www.bleepingcomputer.com/news/security/charter-and-windstream-among… ∗∗∗ Trotz starker Kritik: Umstrittene UN-Cybercrime-Konvention verabschiedet ∗∗∗ --------------------------------------------- Netzaktivisten haben vergeblich vor der Verabschiedung der Konvention gewarnt. Es droht der Zugriff auf digitale Beweismittel durch autoritäre Staaten. --------------------------------------------- https://www.golem.de/news/trotz-starker-kritik-umstrittene-un-cybercrime-ko… ∗∗∗ After Chinas Salt Typhoon, the reconstruction starts now ∗∗∗ --------------------------------------------- If 40 years of faulty building gets blown down, don’t rebuild with the rubble Opinion When a typhoon devastates a land, it takes a while to understand the scale of the destruction. Disaster relief kicks in, communications rebuilt, and news flows out. Salt Typhoon is .. --------------------------------------------- https://www.theregister.com/2025/01/06/opinion_column_cybersec/ ∗∗∗ MediaTek rings in the new year with a parade of chipset vulns ∗∗∗ --------------------------------------------- Manufacturers should have had ample time to apply the fixes MediaTek kicked off the first full working week of the new year by disclosing a bevy of security vulnerabilities, including a critical remote code execution bug affecting 51 chipsets. --------------------------------------------- https://www.theregister.com/2025/01/06/mediatek_chipset_vulnerabilities/ ∗∗∗ Patchday: Wichtige Sicherheitsupdates schützen Android-Geräte ∗∗∗ --------------------------------------------- Google und weitere Hersteller von Android-Geräte haben mehrere kritische Lücken in verschiedenen Android-Versionen geschlossen. --------------------------------------------- https://www.heise.de/news/Patchday-Schadcode-Luecken-bedrohen-Android-12-13… ∗∗∗ Schwerwiegende Sicherheitslücken in Sonicwall SSL-VPN - aktiv ausgenutzt ∗∗∗ --------------------------------------------- Der Hersteller Sonicwall hat seine Kunden darüber informiert, dass einige Geräte von Sicherheitslücken betroffen sind. Besonders hervorzuheben ist dabei eine bereits angegriffenen Lücke bei denen Angreifer:innen die Authentifizierung .. --------------------------------------------- https://www.cert.at/de/warnungen/2025/1/schwewiegende-sicherheitslucken-in-… ∗∗∗ UN aviation agency actively investigating cybercriminal’s claimed data breach ∗∗∗ --------------------------------------------- The International Civil Aviation Organization (ICAO) said it was responding to claims of a data breach “allegedly linked to a threat actor known for targeting international organizations.” --------------------------------------------- https://therecord.media/united-nations-icao-investigating-data-breach ∗∗∗ Critical Next.js Authorization Bypass Vulnerability ∗∗∗ --------------------------------------------- This specifically affects pages directly under the application’s root directory. Example:[Not affected] hxxps[://]example[.]com[Affected] hxxps[://]example[.]com/foo[Not affected] hxxps[://]example[.]com/foo/bar Successful exploitation of this vulnerability, allows a remote unauthenticated .. --------------------------------------------- https://www.truesec.com/hub/blog/critical-next-js-authorization-bypass-vuln… ∗∗∗ Achtung: Angeblich geleakter GTA San Andreas Source-Code mit Schadsoftware ∗∗∗ --------------------------------------------- Aktuell wird angeblich der Quellcode des Rockstar Games Spiels GTA San Andreas im Internet zum Download angeboten. Erste Hinweise scheinen seit gestern im Internet aufgetaucht zu sein (siehe z.B. den Artikel Rockstar reportedly faces another .. --------------------------------------------- https://www.borncity.com/blog/2025/01/06/achtung-angeblich-geleakter-gta-sa… ∗∗∗ New PhishWP Plugin on Russian Forum Turns Sites into Phishing Pages ∗∗∗ --------------------------------------------- SlashNext has discovered a malicious WordPress plugin, PhishWP, which creates convincing fake payment pages to steal your credit card information, 3DS codes, and personal data. --------------------------------------------- https://hackread.com/phishwp-plugin-russian-hacker-forum-phishing-sites/ ∗∗∗ U.S. Sanctions Chinese Cybersecurity Firm Over Cyberattacks ∗∗∗ --------------------------------------------- US sanctions Beijing-based Integrity Technology Group for aiding “Flax Typhoon” hackers in cyberattacks on American infrastructure, freezing assets… --------------------------------------------- https://hackread.com/us-sanctions-chinese-cybersecurity-firm-cyberattacks/ ∗∗∗ CVE-2024-4577: Windows Encoding Gone Wrong ∗∗∗ --------------------------------------------- CVE-2024-4577 is a critical vulnerability in Windows-based PHP installations, affecting CGI configurations, that allow remote code execution. --------------------------------------------- https://www.bitsight.com/blog/cve-2024-4577-windows-encoding-gone-wrong ∗∗∗ Weaponizing OAST: How Malicious Packages Exploit npm, PyPI, and RubyGems for Data Exfiltration and Recon ∗∗∗ --------------------------------------------- Socket researchers uncover how threat actors weaponize Out-of-Band Application Security Testing (OAST) techniques across the npm, PyPI, and RubyGems ecosystems to exfiltrate sensitive data and remotely probe developer environments.Over the last year, Socket’s threat research team has continually observed and identified malicious JavaScript, Python, and Ruby packages .. --------------------------------------------- https://socket.dev/blog/weaponizing-oast-how-malicious-packages-exploit-npm… ===================== = Vulnerabilities = ===================== ∗∗∗ [20250103] - Core - Read ACL violation in multiple core views ∗∗∗ --------------------------------------------- Project: Joomla! SubProject: CMS Impact: Low Severity: Moderate Probability: Low Versions: 3.9.0-3.10.19-elts, 4.0.0-4.4.9, 5.0.0-5.2.2 Exploit type: ACL Violation Reported Date: 2024-08-26 Fixed Date: 2025-01-07 CVE Number: CVE-2024-40749 Description Improper Access Controls allows access to protected views. Affected Installs Joomla! CMS versions 3.9.0-3.10.19-elts, 4.0.0-4.4.9, 5.0.0-5.2.2 Solution Upgrade to version 3.10.20-elts, 4.4.10 or 5.2.3 Contact The JSST at the Joomla! Security --------------------------------------------- https://developer.joomla.org:443/security-centre/956-20250103-core-read-acl… ∗∗∗ [20250102] - Core - XSS vector in the id attribute of menu lists ∗∗∗ --------------------------------------------- Project: Joomla! SubProject: CMS Impact: Low Severity: Moderate Probability: Low Versions: 3.0.0-3.10.19-elts, 4.0.0-4.4.9, 5.0.0-5.2.2 Exploit type: XSS Reported Date: 2024-09-19 Fixed Date: 2025-01-07 CVE Number: CVE-2024-40748 Description Lack of output escaping in the id attribute of menu lists. Affected Installs Joomla! CMS versions 3.0.0-3.10.19-elts, 4.0.0-4.4.9, 5.0.0-5.2.2 Solution Upgrade to version 3.10.20-elts, 4.4.10 or 5.2.3 Contact The JSST at the Joomla! Security Centre. --------------------------------------------- https://developer.joomla.org:443/security-centre/955-20250102-core-xss-vect… ∗∗∗ [20250101] - Core - XSS vectors in module chromes ∗∗∗ --------------------------------------------- Project: Joomla! SubProject: CMS Impact: Low Severity: Moderate Probability: Low Versions: 4.0.0-4.4.9, 5.0.0-5.2.2 Exploit type: XSS Reported Date: 2024-08-29 Fixed Date: 2025-01-07 CVE Number: CVE-2024-40747 Description Various module chromes didnt properly process inputs, leading to XSS vectors. Affected Installs Joomla! CMS versions 4.0.0-4.4.9, 5.0.0-5.2.2 Solution Upgrade to version 4.4.10 or 5.2.3 Contact The JSST at the Joomla! Security Centre. Reported By: Catalin Iovita --------------------------------------------- https://developer.joomla.org:443/security-centre/954-20250101-core-xss-vect… ∗∗∗ Security Vulnerabilities fixed in Firefox ESR 115.19 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-03/ ∗∗∗ Security Vulnerabilities fixed in Firefox ESR 128.6 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-02/ ∗∗∗ Security Vulnerabilities fixed in Firefox 134 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-01/ ∗∗∗ Upcoming CVE for End-of-Life Node.js Versions ∗∗∗ --------------------------------------------- https://nodejs.org/en/blog/vulnerability/upcoming-cve-for-eol-versions -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.01.2025
by Daily end-of-shift report 03 Jan '25

03 Jan '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 02-01-2025 18:00 − Freitag 03-01-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ SwaetRAT Delivery Through Python ∗∗∗ --------------------------------------------- We entered a new year, but attack scenarios have not changed (yet). I found a Python script with an interesting behavior[1] and a low Virustotal score (7/61). It targets Microsoft Windows hosts because it starts by loading all .. --------------------------------------------- https://isc.sans.edu/forums/diary/SwaetRAT+Delivery+Through+Python/31554/ ∗∗∗ 3,1 Millionen bösartige Fake-Sterne auf GitHub entdeckt – Tendenz steigend ∗∗∗ --------------------------------------------- In einer umfassenden Studie ist ein US-Forschungsteam auf Millionen Fake-Sterne bei GitHub gestoßen und warnt vor einem rasant steigenden Trend. --------------------------------------------- https://www.heise.de/news/3-1-Millionen-boesartige-Fake-Sterne-auf-GitHub-e… ∗∗∗ Configurations Mega Blog: Why Configurations Are the Wrong Thing to Get Wrong ∗∗∗ --------------------------------------------- So many times, we look beyond the mark. With our feeds constantly inundated with headline-grabbing news about AI-generated threats, nation states upping their cybercrime game, and sophisticated new forms of malware, we can be tempted to think that the bulk of cyberwarfare is going on "up there" somewhere. In reality, most breaches still originate .. --------------------------------------------- https://www.tripwire.com/state-of-security/configurations-mega-blog-why-con… ∗∗∗ 10 Non-tech things you wish you had done after being breached ∗∗∗ --------------------------------------------- TL;DR Non-tech aspects to breach follow-up are often overlooked but essential NDAs, supply chain, and third party contracts and obligations should be reviewed Reviewing communication protocols and employee .. --------------------------------------------- https://www.pentestpartners.com/security-blog/10-non-tech-things-you-wish-y… ∗∗∗ Von Social Media bis App: So sind Sie Kriminellen einen Schritt voraus ∗∗∗ --------------------------------------------- Internetbetrug wird immer raffinierter und kann jeden Menschen treffen. Deshalb ist es wichtig, auf dem Laufenden zu bleiben und die aktuellen Betrugsmaschen zu kennen. Vom klassischen Newsletter über .. --------------------------------------------- https://www.watchlist-internet.at/news/unsere-kanaele/ ∗∗∗ NPM Package Disguised as an Ethereum Tool Deploys Quasar RAT ∗∗∗ --------------------------------------------- Researchers discovered a malicious package on the npm package registry that resembles a library for Ethereum smart contract vulnerabilities but actually drops an open-source remote access trojan called Quasar .. --------------------------------------------- https://hackread.com/npm-package-disguised-ethereum-tool-quasar-rat/ ∗∗∗ Schädliche Versionen von zahlreichen Chrome-Erweiterungen in Umlauf ∗∗∗ --------------------------------------------- Über die Weihnachtstage verschafften sich die Täter Zugriff auf diverse Chrome-Extensions – in einigen Fällen sogar schon deutlich früher. --------------------------------------------- https://heise.de/-10224745 ∗∗∗ Breaking the Chain: Wiz Uncovers a Signature Verification Bypass in Nuclei, the Popular Vulnerability Scanner (CVE-2024-43405) ∗∗∗ --------------------------------------------- Wiz’s engineering team discovered a high-severity signature verification bypass in Nuclei, one of the most popular open-source security tools, which could potentially lead to arbitrary code execution. --------------------------------------------- https://www.wiz.io/blog/nuclei-signature-verification-bypass ∗∗∗ Malicious npm Campaign Targets Ethereum Developers with Fake Hardhat Packages ∗∗∗ --------------------------------------------- Hardhat, maintained by the Nomic Foundation, is a vital tool for Ethereum developers. As a versatile development environment for Ethereum, it streamlines the creation, testing, and deployment of smart contracts and dApps. Its flexible plugin architecture allows developers to customize workflows with tools and extensions, optimizing productivity and supporting .. --------------------------------------------- https://socket.dev/blog/malicious-npm-campaign-targets-ethereum-developers ===================== = Vulnerabilities = ===================== ∗∗∗ iTerm2 3.5.11 released with a critical security fix ∗∗∗ --------------------------------------------- https://iterm2.com/downloads/stable/iTerm2-3_5_11.changelog -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.01.2025
by Daily end-of-shift report 02 Jan '25

02 Jan '25

===================== = End-of-Day report = ===================== Timeframe: Montag 30-12-2024 18:00 − Donnerstag 02-01-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Cyberangriff: Hacker wollen Daten von IT-Dienstleister Atos erbeutet haben ∗∗∗ --------------------------------------------- Die Angreifer behaupten, im Besitz einer Firmendatenbank von Atos zu sein. Der IT-Dienstleister findet bisher keine Beweise für einen Angriff. --------------------------------------------- https://www.golem.de/news/cyberangriff-hacker-wollen-daten-von-it-dienstlei… ∗∗∗ Supportende naht: Forscher warnt vor Security-Fiasko durch Windows 10 ∗∗∗ --------------------------------------------- Rund zwei Drittel aller Windows-PCs in Deutschland arbeiten noch mit Windows 10. Es besteht dringender Handlungsbedarf - nicht erst im Oktober dieses Jahres. --------------------------------------------- https://www.golem.de/news/supportende-naht-forscher-warnt-vor-security-fias… ∗∗∗ Chinas cyber intrusions took a sinister turn in 2024 ∗∗∗ --------------------------------------------- >From targeted espionage to pre-positioning - not that they are mutually exclusive The Chinese governments intrusions into Americas telecommunications and other critical infrastructure networks this year appears to signal a shift from cyberspying as usual to prepping for destructive attacks. --------------------------------------------- https://www.theregister.com/2024/12/31/china_cyber_intrusions_2024/ ∗∗∗ US Treasury Department outs the blast radius of BeyondTrusts key leak ∗∗∗ --------------------------------------------- Data pilfered as miscreants roamed affected workstations The US Department of the Treasury has admitted that miscreants were in its systems, accessing documents in what has been called a "major incident." --------------------------------------------- https://www.theregister.com/2024/12/31/us_treasury_department_hacked/ ∗∗∗ "Die perfekte Phishing-Mail": Mit KI-Textgeneratoren gegen Führungskräfte ∗∗∗ --------------------------------------------- KI-Technik ermöglicht es Kriminellen, hochpersonalisierte Phishing-Mails an Führungskräfte zu schicken, warnt ein Versicherer. Trainingsmaterial gibt es online. --------------------------------------------- https://www.heise.de/news/Die-perfekte-Phishing-Mail-Mit-KI-Textgeneratoren… ∗∗∗ U.S. Army Soldier Arrested in AT&T, Verizon Extortions ∗∗∗ --------------------------------------------- Federal authorities have arrested and indicted a 20-year-old U.S. Army soldier on suspicion of being Kiberphant0m, a cybercriminal who has been selling and leaking sensitive customer call records stolen earlier this year from AT&T and .. --------------------------------------------- https://krebsonsecurity.com/2024/12/u-s-army-soldier-arrested-in-att-verizo… ∗∗∗ Vorsicht vor betrügerischen E-Mails zur Rückerstattung von ORF-Gebühren ∗∗∗ --------------------------------------------- Derzeit finden zahlreiche Personen ein E-Mail in ihrem Postfach, in dem behauptet wird, dass sie Anspruch auf eine Rückerstattung von ORF-Gebühren in Höhe von 34,40 Euro haben. Achtung: Es handelt sich dabei um einen Phishing-Versuch, der darauf abzielt, Kontodaten zu stehlen. --------------------------------------------- https://www.watchlist-internet.at/news/betruegerisches-orf-rueckerstattung-… ∗∗∗ Bad Likert Judge: A Novel Multi-Turn Technique to Jailbreak LLMs by Misusing Their Evaluation Capability ∗∗∗ --------------------------------------------- The jailbreak technique "Bad Likert Judge" manipulates LLMs to generate harmful content using Likert scales, exposing safety gaps in LLM guardrails. --------------------------------------------- https://unit42.paloaltonetworks.com/multi-turn-technique-jailbreaks-llms/ ∗∗∗ DORA Regulation (Digital Operational Resilience Act): A Threat Intelligence Perspective ∗∗∗ --------------------------------------------- The Digital Operational Resilience Act (DORA) is coming in 2025. --------------------------------------------- https://www.team-cymru.com/post/dora-regulation-digital-operational-resilie… ∗∗∗ Passkey technology is elegant, but it’s most definitely not usable security ∗∗∗ --------------------------------------------- It's that time again, when families and friends gather and implore the more technically inclined among them to troubleshoot problems they're having behind the device screens all around them. One of the most vexing .. --------------------------------------------- https://arstechnica.com/security/2024/12/passkey-technology-is-elegant-but-… ∗∗∗ I’m Lovin’ It: Exploiting McDonald’s APIs to hijack deliveries and order food for a penny ∗∗∗ --------------------------------------------- API flaws in the McDonald’s McDelivery system in India, one of the world’s most popular food delivery apps, enabled a variety of fun exploits .. --------------------------------------------- https://eaton-works.com/2024/12/19/mcdelivery-india-hack/ ∗∗∗ Déjà vu: Ghostly CVEs in my terminal title ∗∗∗ --------------------------------------------- As I've spoken and written about all modern terminals are actually "emulating" something dating from the .. --------------------------------------------- https://dgl.cx/2024/12/ghostty-terminal-title ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-24-1737: Foxit PDF Reader AcroForm Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-1737/ ∗∗∗ ZDI-24-1736: (0Day) Paessler PRTG Network Monitor SNMP Cross-Site Scripting Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-1736/ ∗∗∗ ZDI-24-1739: Foxit PDF Reader Link Following Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-1739/ ∗∗∗ ZDI-24-1738: Foxit PDF Reader AcroForm Memory Corruption Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-1738/ ∗∗∗ PAN-OS Firewall Denial of Service (DoS) Vulnerability ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/threat-signal-report/5610 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.12.2024
by Daily end-of-shift report 30 Dec '24

30 Dec '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 27-12-2024 18:00 − Montag 30-12-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Customer data from 800,000 electric cars and owners exposed online ∗∗∗ --------------------------------------------- Volkswagens automotive software company, Cariad, exposed data collected from around 800,000 electric cars. The info could be linked to drivers names and reveal precise vehicle locations. --------------------------------------------- https://www.bleepingcomputer.com/news/security/customer-data-from-800-000-e… ∗∗∗ Malware botnets exploit outdated D-Link routers in recent attacks ∗∗∗ --------------------------------------------- Two botnets tracked as Ficora and Capsaicin have recorded increased activity in targeting D-Link routers that have reached end of life or are running outdated firmware versions. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malware-botnets-exploit-outd… ∗∗∗ Hackerangriff auf Flughäfen von Mailand ∗∗∗ --------------------------------------------- Eine prorussische Hackergruppe bekannte sich zu dem Cyberangriff. Der Flugbetrieb war nicht gefährdet. --------------------------------------------- https://futurezone.at/digital-life/hackerangriff-auf-flughaefen-von-mailand… ∗∗∗ Bundestagswahlen: Wahlsoftware immer noch unsicher ∗∗∗ --------------------------------------------- Seit Jahren fordert der CCC eine transparente Wahlsoftware. Wie sinnvoll das wäre, zeigt die Analyse eines weit verbreiteten Tools. Ein Bericht von Friedhelm Greis. --------------------------------------------- https://www.golem.de/news/bundestagswahlen-wahlsoftware-immer-noch-unsicher… ∗∗∗ Rundsteuerempfänger gehackt: Lässt sich über Funksignale ein Blackout herbeiführen? ∗∗∗ --------------------------------------------- Zwei Sicherheitsforscher haben die Protokolle für funkbasierte Rundsteuerempfänger entschlüsselt. Doch es ist strittig, in welchem Umfang sich manipulierte Signale missbrauchen lassen. Ein Bericht von Friedhelm Greis. --------------------------------------------- https://www.golem.de/news/rundsteuerempfaenger-gehackt-laesst-sich-ueber-fu… ∗∗∗ Prioritizing patching: A deep dive into frameworks and tools – Part 2: Alternative frameworks ∗∗∗ --------------------------------------------- In the second of a two-part series on tools and frameworks designed to help with remediation prioritization, we explore some alternatives to CVSS --------------------------------------------- https://news.sophos.com/en-us/2024/12/30/prioritizing-patching-a-deep-dive-… ∗∗∗ 16 Chrome Extensions Hacked, Exposing Over 600,000 Users to Data Theft ∗∗∗ --------------------------------------------- A new attack campaign has targeted known Chrome browser extensions, leading to at least 16 extensions being compromised and exposing over 600,000 users to data exposure and credential theft.The attack targeted publishers of browser extensions on the Chrome Web Store via a phishing campaign and used their access permissions to insert malicious code into legitimate extensions in order to steal --------------------------------------------- https://thehackernews.com/2024/12/16-chrome-extensions-hacked-exposing.html ∗∗∗ Its only a matter of time before LLMs jump start supply-chain attacks ∗∗∗ --------------------------------------------- The greatest concern is with spear phishing and social engineering Interview Now that criminals have realized theres no need to train their own LLMs for any nefarious purposes - its much cheaper and easier to steal credentials and then jailbreak existing ones - the threat of a large-scale supply chain attack using generative AI becomes more real. --------------------------------------------- https://www.theregister.com/2024/12/29/llm_supply_chain_attacks/ ∗∗∗ 38C3: Große Sicherheitsmängel in elektronischer Patientenakte 3.0 aufgedeckt ∗∗∗ --------------------------------------------- Gravierende Sicherheitslücken müssten bis zum Start der ePA 3.0 noch geschlossen werden. Das demonstrieren Martin Tschirsich und Bianca Kastl auf dem 38C3. --------------------------------------------- https://www.heise.de/news/38C3-Weitere-Sicherheitsmaengel-in-elektronischer… ∗∗∗ 38C3: BogusBazaar-Bande betreibt noch immer Tausende Fakeshops ∗∗∗ --------------------------------------------- Monate nach der Entdeckung operiert eine chinesische Cyberbande weiterhin unbehelligt, berichten Sicherheitsforscher. Schützenhilfe leisten auch US-Anbieter. --------------------------------------------- https://www.heise.de/news/38C3-BogusBazaar-Bande-betreibt-noch-immer-Tausen… ∗∗∗ 38C3: BitLocker-Verschlüsselung von Windows 11 umgangen, ohne PC zu öffnen. ∗∗∗ --------------------------------------------- Zwei Jahre nach der vermeintlichen Behebung einer Lücke kann diese weiterhin genutzt werden, um BitLocker-geschützte Festplatten von Windows 11 zu entschlüsseln --------------------------------------------- https://www.heise.de/news/38C3-BitLocker-Verschluesselung-von-Windows-11-um… ∗∗∗ On the sixth day of Christmas, an X account gave to me: a fake 7-Zip ACE ∗∗∗ --------------------------------------------- An account with the name @NSA_Employee39 claimed to have dropped a zero-day vulnerability for the popular file archive software 7-Zip. Nobody could get it to work. --------------------------------------------- https://therecord.media/fake-zero-day-7Zip ∗∗∗ Lets Encrypt to end OCSP support in 2025 ∗∗∗ --------------------------------------------- Well, the writing has been on the wall for some years now, arguably over a decade, but the time has finally come where the largest CA in the World is going to drop support for the Online Certificate Status Protocol.What is OCSP?The Online Certificate Status Protocol is a --------------------------------------------- https://scotthelme.ghost.io/lets-encrypt-to-end-ocsp-support-in-2025/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gst-plugins-good1.0 and opensc), Fedora (iwd and libell), and SUSE (chromium, govulncheck-vulndb, and poppler). --------------------------------------------- https://lwn.net/Articles/1003768/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.12.2024
by Daily end-of-shift report 27 Dec '24

27 Dec '24

===================== = End-of-Day report = ===================== Timeframe: Montag 23-12-2024 18:00 − Freitag 27-12-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Cybersecurity firms Chrome extension hijacked to steal users data ∗∗∗ --------------------------------------------- One attack was disclosed by Cyberhaven, a data loss prevention company that alerted its customers of a breach on December 24 after a successful phishing attack on an administrator account for the Google Chrome store. Among Cyberhaven's customers are Snowflake, Motorola, Canon, Reddit, AmeriHealth, Cooley, IVP, Navan, DBS, Upstart, and Kirkland & Ellis. [..] Cyberhaven's internal security team removed the malicious package within an hour since its detection, the company says in an email to its customers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cybersecurity-firms-chrome-e… ∗∗∗ Microsoft warnt: Bug könnte Security-Updates verhindern ∗∗∗ --------------------------------------------- Microsoft warnt Nutzer, die ihr System vor Kurzem via CD oder USB-Stick installiert haben. Konkret geht es um Installationsmedien, die das Sicherheitsupdate vom Oktober oder das vom November inkludiert haben. Hier kann es passieren, dass diese Systeme keine weiteren Updates mehr erhalten, wenn sie derzeit auf 24H2 sind. --------------------------------------------- https://futurezone.at/produkte/microsoft-warnung-bug-security-updates-windo… ∗∗∗ Datenschutzverletzung: Volkwagen-Bewegungsprofile von 800.000 E-Autos offengelegt ∗∗∗ --------------------------------------------- Persönliche Daten und Bewegungsprofile von rund 800.000 VW-E-Auto-Besitzern lagen monatelang öffentlich zugänglich in der Cloud. --------------------------------------------- https://www.golem.de/news/datenschutzverletzung-volkwagen-bewegungsprofile-… ∗∗∗ Threat landscape for industrial automation systems in Q3 2024 ∗∗∗ --------------------------------------------- The ICS CERT quarterly report covers threat landscape for industrial automation systems in Q3 2024. --------------------------------------------- https://securelist.com/ics-cert-q3-2024-report/115182/ ∗∗∗ More SSH Fun!, (Tue, Dec 24th) ∗∗∗ --------------------------------------------- A few days ago, I wrote a diary about a link file that abused the ssh.exe tool present in modern versions of Microsoft Windows. At the end, I mentioned that I will hunt for more SSH-related files/scripts. Guess what? I already found another one. --------------------------------------------- https://isc.sans.edu/diary/rss/31542 ∗∗∗ Jahresrückblick: Diese Themen beschäftigten uns 2024! ∗∗∗ --------------------------------------------- Wir sagen „DANKE“ und blicken noch einmal zurück auf die Entwicklungen und Geschehnisse des vergangenen Jahres. --------------------------------------------- https://www.watchlist-internet.at/news/jahresrueckblick-2024/ ∗∗∗ ASUS: "Weihnachtsüberraschung" mit christmas.exe schief gegangen ∗∗∗ --------------------------------------------- Anbieter ASUS wollte seine Benutzer überraschen und hat diesen eine besondere Weihnachtskarte mit dem Dateinamen christmas.exe zukommen lassen. Ist natürlich seit Jahren bekannt, dass man aus Sicherheitsgründen keine .exe-Grußkarte mit Weihnachtsgrüßen verschickt. --------------------------------------------- https://www.borncity.com/blog/2024/12/26/asus-weihnachtsueberraschung-mit-c… ∗∗∗ PMKID Attacks: Debunking the 802.11r Myth ∗∗∗ --------------------------------------------- This article addresses common misconceptions surrounding PMKID-based attacks while offering technical insights into their mechanics and effective countermeasures. The PMKID-based attack, first disclosed in 2018 by the Hashcat team, introduced a novel method of compromising WPA2-protected Wi-Fi networks. Unlike traditional techniques, this approach does not require capturing a full 4-way handshake, instead leveraging a design flaw in the Pairwise Master Key Identifier (PMKID). --------------------------------------------- https://www.nccgroup.com/us/research-blog/pmkid-attacks-debunking-the-80211… ∗∗∗ From Arbitrary File Write to RCE in Restricted Rails apps ∗∗∗ --------------------------------------------- Introduction Recently, we came across a situation where we needed to exploit an arbitrary file write vulnerability in a Rails application running in a restricted environment. The application was deployed via a Dockerfile that imposed...O post From Arbitrary File Write to RCE in Restricted Rails apps apareceu primeiro em Conviso AppSec. --------------------------------------------- https://blog.convisoappsec.com/en/from-arbitrary-file-write-to-rce-in-restr… ===================== = Vulnerabilities = ===================== ∗∗∗ Palo Alto: CVE-2024-3393 PAN-OS: Firewall Denial of Service (DoS) in DNS Security Using a Specially Crafted Packet (Severity: HIGH) ∗∗∗ --------------------------------------------- A Denial of Service vulnerability in the DNS Security feature of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to send a malicious packet through the data plane of the firewall that reboots the firewall. Repeated attempts to trigger this condition will cause the firewall to enter maintenance mode. --------------------------------------------- https://security.paloaltonetworks.com/CVE-2024-3393 ∗∗∗ Apache Tomcat Vulnerability CVE-2024-56337 Exposes Servers to RCE Attacks ∗∗∗ --------------------------------------------- The Apache Software Foundation (ASF) has released a security update to address an important vulnerability in its Tomcat server software that could result in remote code execution (RCE) under certain conditions. The vulnerability, tracked as CVE-2024-56337, has been described as an incomplete mitigation for CVE-2024-50379 (CVSS score: 9.8), another critical security flaw in the same product that was previously addressed on December 17, 2024. --------------------------------------------- https://thehackernews.com/2024/12/apache-tomcat-vulnerability-cve-2024.html ∗∗∗ Critical SQL Injection Vulnerability in Apache Traffic Control Rated 9.9 CVSS — Patch Now ∗∗∗ --------------------------------------------- The Apache Software Foundation (ASF) has shipped security updates to address a critical security flaw in Traffic Control that, if successfully exploited, could allow an attacker to execute arbitrary Structured Query Language (SQL) commands in the database. The SQL injection vulnerability, tracked as CVE-2024-45387, is rated 9.9 out of 10.0 on the CVSS scoring system. --------------------------------------------- https://thehackernews.com/2024/12/critical-sql-injection-vulnerability-in.h… ∗∗∗ Apache MINA CVE-2024-52046: CVSS 10.0 Flaw Enables RCE via Unsafe Serialization ∗∗∗ --------------------------------------------- The Apache Software Foundation (ASF) has released patches to address a maximum severity vulnerability in the MINA Java network application framework that could result in remote code execution under specific conditions. Tracked as CVE-2024-52046, the vulnerability carries a CVSS score of 10.0. --------------------------------------------- https://thehackernews.com/2024/12/apache-mina-cve-2024-52046-cvss-100.html ∗∗∗ Adobe warns of critical ColdFusion bug with PoC exploit code ∗∗∗ --------------------------------------------- Adobe has released out-of-band security updates to address a critical ColdFusion vulnerability with proof-of-concept exploit code. In an advisory released on Monday, the company says the flaw (tracked as CVE-2024-53961) is caused by a path traversal weakness that impacts Adobe ColdFusion versions 2023 and 2021 and can enable attackers to read arbitrary files on vulnerable servers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/adobe-warns-of-critical-cold… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (containernetworking-plugins, edk2:20240524, gstreamer1-plugins-base, gstreamer1-plugins-good, kernel, libsndfile:1.0.31, mpg123:1.32.9, pam, php:8.1, php:8.2, python3.11, python3.11-urllib3, python3.12, python3.9:3.9.21, skopeo, and unbound:1.16.2), Debian (intel-microcode), Fedora (python3-docs and python3.12), Mageia (emacs), Red Hat (podman), and SUSE (gdb, govulncheck-vulndb, libparaview5_12, mozjs115, mozjs78, and vhostmd). --------------------------------------------- https://lwn.net/Articles/1003381/ ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (sympa and tomcat), Red Hat (kernel), and SUSE (poppler). --------------------------------------------- https://lwn.net/Articles/1003462/ ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (fastnetmon, webkit2gtk, and xen), Fedora (sympa), Oracle (postgresql), and Red Hat (pcp, tigervnc, and xorg-x11-server and xorg-x11-server-Xwayland). --------------------------------------------- https://lwn.net/Articles/1003542/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (node-postcss), Fedora (age, dr_libs, incus, libxml2, moodle, and python-sql), and SUSE (poppler and python-grpcio). --------------------------------------------- https://lwn.net/Articles/1003601/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.12.2024
by Daily end-of-shift report 23 Dec '24

23 Dec '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 20-12-2024 18:00 − Montag 23-12-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Middle East Cyberwar Rages On, With No End in Sight ∗∗∗ --------------------------------------------- Since October 2023, cyberattacks among countries in the Middle East have persisted, fueled by the conflict between Israel and Hamas, reeling in others on a global scale. --------------------------------------------- https://www.darkreading.com/cyberattacks-data-breaches/middle-east-cyberwar… ∗∗∗ Cloud Atlas seen using a new tool in its attacks ∗∗∗ --------------------------------------------- We analyze the latest activity by the Cloud Atlas gang. The attacks employ the PowerShower, VBShower and VBCloud modules to download victims data with various PowerShell scripts. --------------------------------------------- https://securelist.com/cloud-atlas-attacks-with-new-backdoor-vbcloud/115103/ ∗∗∗ Modiloader From Obfuscated Batch File ∗∗∗ --------------------------------------------- My last investigation is a file called "Albertsons Payments.gz", received via email. The file looks like an archive but is identified as a picture by .. --------------------------------------------- https://isc.sans.edu/diary/Modiloader+From+Obfuscated+Batch+File/31540 ∗∗∗ Vulnerability & Patch Roundup - November 2024 ∗∗∗ --------------------------------------------- Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises. To help .. --------------------------------------------- https://blog.sucuri.net/2024/12/vulnerability-patch-roundup-november-2024.h… ∗∗∗ Rockstar2FA Collapse Fuels Expansion of FlowerStorm Phishing-as-a-Service ∗∗∗ --------------------------------------------- An interruption to the phishing-as-a-service (PhaaS) toolkit called Rockstar 2FA has led to a rapid uptick in activity from another nascent offering named FlowerStorm."It appears that the [Rockstar2FA] group running the service experienced at least a .. --------------------------------------------- https://thehackernews.com/2024/12/rockstar2fa-collapse-fuels-expansion-of.h… ∗∗∗ l+f: Sicherheitsforscher bestellt bei McDonalds für 1 Cent ∗∗∗ --------------------------------------------- Der McDonalds-Lieferservice in Indien war kaputt und Bestellungen waren umfangreich manipulierbar. --------------------------------------------- https://www.heise.de/news/l-f-Sicherheitsforscher-bestellt-bei-McDonald-s-f… ∗∗∗ Webbrowser: Chrome und Edge sollen mittels KI vor Spam-Seiten warnen ∗∗∗ --------------------------------------------- Um Nutzer vor betrügerischen Websites zu warnen, haben Chrome und Edge neuerdings einen KI-Schutz an Bord. Noch ist das Feature aber nicht standardmäßig aktiv. --------------------------------------------- https://www.heise.de/news/Webbrowser-Chrome-und-Edge-sollen-mittels-KI-vor-… ∗∗∗ Heels on fire. Hacking smart ski socks ∗∗∗ --------------------------------------------- TL;DR A silly-season BLE connectivity story Overheat people’s smart ski socks .. but only when in Bluetooth range AND when the owner’s phone is out of range of their feet! Having […]The post Heels on fire. Hacking smart ski socks first appeared on Pen Test Partners. --------------------------------------------- https://www.pentestpartners.com/security-blog/heels-on-fire-hacking-smart-s… ∗∗∗ Fast zwei Drittel aller gestohlenen Kryptogelder wanderten 2024 nach Nordkorea ∗∗∗ --------------------------------------------- Eine aktuelle Analyse zeigt, dass der Gesamtwert gestohlener Kryptowährungen heuer bisher um 21 Prozent auf 2,2 Milliarden Dollar gestiegen ist --------------------------------------------- https://www.derstandard.at/story/3000000250591/fast-zwei-drittel-aller-gest… ∗∗∗ NSO-Group für WhatsApp-Angriff mit Pegasus-Spyware schuldig gesprochen ∗∗∗ --------------------------------------------- Im Jahr 2019 wurden WhatsApp-Nutzer Opfer eines Angriffs durch Spyware, die über eine Schwachstelle auf Android und iOS-Geräte installiert werden konnte. WhatsApp verklagte die NSO Group, die den .. --------------------------------------------- https://www.borncity.com/blog/2024/12/22/nso-group-fuer-angriff-mit-pegasus… ∗∗∗ Jingle Shells: How Virtual Offices Enable a Facade of Legitimacy ∗∗∗ --------------------------------------------- Virtual offices have revolutionized the way businesses operate. They provide cost-effective flexibility by eliminating the .. --------------------------------------------- https://www.team-cymru.com/post/how-virtual-offices-enable-a-facade-of-legi… ∗∗∗ A Primer on JA4+: Empowering Threat Analysts with Better Traffic Analysis ∗∗∗ --------------------------------------------- What is JA4+ and Why Does It Matter? Introduction Threat analysts and researchers are continually seeking tools and methodologies to gain .. --------------------------------------------- https://www.team-cymru.com/post/a-primer-on-ja4-empowering-threat-analysts-… ∗∗∗ Supply Chain Attack Hits Rspack, Vant npm Packages with Monero Miner ∗∗∗ --------------------------------------------- Popular npm packages, Rspack and Vant, were recently compromised with malicious code. Learn about the attack, the impact, and how to protect your projects from similar threats. --------------------------------------------- https://hackread.com/supply-chain-attack-rspack-vant-npm-monero-miner/ ∗∗∗ Checking It Twice: Profiling Benign Internet Scanners — 2024 Edition ∗∗∗ --------------------------------------------- A comprehensive analysis of benign internet scanning activity from November 2024, examining how quickly and thoroughly various legitimate scanning services (like Shodan, Censys, and others) discover and probe new internet-facing assets. The study deployed 24 new sensors across 8 geographies and 5 autonomous systems, revealing that most scanners .. --------------------------------------------- https://www.greynoise.io/blog/checking-it-twice-profiling-benign-internet-s… ∗∗∗ Kritische Sicherheitslücken bedrohen Sophos-Firewalls ∗∗∗ --------------------------------------------- Es sind wichtige Sicherheitsupdates für Firewalls von Sophos erschienen. Mit den Standardeinstellungen installieren sie sich automatisch. --------------------------------------------- https://heise.de/-10218914 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gst-plugins-base1.0, libxstream-java, php-laravel-framework, python-urllib3, and sqlparse), Fedora (chromium, libcomps, libdnf, mingw-directxmath, mingw-gstreamer1, mingw-gstreamer1-plugins-bad-free, mingw-gstreamer1-plugins-base, mingw-gstreamer1-plugins-good, mingw-orc, ofono, prometheus-podman-exporter, .. --------------------------------------------- https://lwn.net/Articles/1003287/ ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2024-0008 ∗∗∗ --------------------------------------------- Date Reported: December 22, 2024 Advisory ID: WSA-2024-0008 CVE identifiers: CVE-2024-54479, CVE-2024-54502, CVE-2024-54505, CVE-2024-54508, CVE-2024-54534 Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. CVE-2024-54479 Versions affected: WebKitGTK and WPE WebKit before 2.46.5. Credit to Seunghyun Lee. Impact: Processing maliciously .. --------------------------------------------- https://webkitgtk.org/security/WSA-2024-0008.html ∗∗∗ TR-91 - Vulnerability identified as CVE-2024-0012, affecting Palo Alto Networks PAN-OS software ∗∗∗ --------------------------------------------- https://www.circl.lu/pub/tr-91 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.12.2024
by Daily end-of-shift report 20 Dec '24

20 Dec '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 19-12-2024 18:00 − Freitag 20-12-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ In eigener Sache: CERT.at sucht Junior IT-Security Analyst:in (m/w/d - Vollzeit - Wien) ∗∗∗ --------------------------------------------- Für unsere laufenden Routinetätigkeiten suchen wir derzeit eine:n Berufsein- oder -umsteiger:in mit Interesse an IT-Security. --------------------------------------------- https://www.cert.at/de/ueber-uns/jobs/ ∗∗∗ BadBox malware botnet infects 192,000 Android devices despite disruption ∗∗∗ --------------------------------------------- The BadBox Android malware botnet has grown to over 192,000 infected devices worldwide despite a recent sinkhole operation that attempted to disrupt the operation in Germany. --------------------------------------------- https://www.bleepingcomputer.com/news/security/badbox-malware-botnet-infect… ∗∗∗ The Windows Registry Adventure #5: The regf file format ∗∗∗ --------------------------------------------- This post aimed to systematically explore the inner workings of the regf format, focusing on the hard requirements enforced by Windows. Due to my role and interests, I looked at the format from a strictly security-oriented angle rather than digital forensics, which is the context in which registry hives are typically considered. --------------------------------------------- https://googleprojectzero.blogspot.com/2024/12/the-windows-registry-adventu… ∗∗∗ BellaCPP: Discovering a new BellaCiao variant written in C++ ∗∗∗ --------------------------------------------- While investigating an incident involving the BellaCiao .NET malware, Kaspersky researchers discovered a C++ version they dubbed "BellaCPP". --------------------------------------------- https://securelist.com/bellacpp-cpp-version-of-bellaciao/115087/ ∗∗∗ Auslaufmodell NTLM: Aus Windows 11 24H2 und Server 2025 teils entfernt ∗∗∗ --------------------------------------------- Weitgehend unbemerkt wurden in Windows 11 24H2 und Server 2025 zudem NTLMv1 entfernt. --------------------------------------------- https://heise.de/-10217239 ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-24-1718: (0Day) Arista NG Firewall custom_handler Directory Traversal Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Arista NG Firewall. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 8.1. The following CVEs are assigned: CVE-2024-12830. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-1718/ ∗∗∗ ZDI-24-1724: (0Day) Delta Electronics DRASimuCAD STP File Parsing Type Confusion Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Delta Electronics DRASimuCAD. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2024-12836. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-1724/ ∗∗∗ Sophos: Resolved Multiple Vulnerabilities in Sophos Firewall (CVE-2024-12727, CVE-2024-12728, CVE-2024-12729) ∗∗∗ --------------------------------------------- Sophos has resolved three independent security vulnerabilities in Sophos Firewall (2x Critical, 1x High). To confirm that the hotfix has been applied to your firewall, please refer to KBA-000010084. --------------------------------------------- https://www.sophos.com/en-us/security-advisories/sophos-sa-20241219-sfos-rce ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium and gunicorn), Fedora (jupyterlab), Oracle (bluez, containernetworking-plugins, edk2:20220126gitbb1bba3d77, edk2:20240524, gstreamer1-plugins-base, gstreamer1-plugins-good, kernel, libsndfile, libsndfile:1.0.31, mpg123, mpg123:1.32.9, pam, python3.11-urllib3, skopeo, tuned, and unbound:1.16.2), SUSE (avahi, docker, emacs, govulncheck-vulndb, haproxy, kernel, libmozjs-128-0, python-grpcio, python310-xhtml2pdf, sudo, and tailscale), and Ubuntu (dpdk, linux-hwe-5.15, and linux-iot). --------------------------------------------- https://lwn.net/Articles/1003019/ ∗∗∗ Autodesk: DWFX File Parsing Vulnerabilities in Autodesk Navisworks Desktop Software ∗∗∗ --------------------------------------------- https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0027 ∗∗∗ Tenable: [R1] Stand-alone Security Patch Available for Tenable Security Center versions 6.3.0, 6.4.0 and 6.4.5: SC-202412.1 ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2024-21 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.12.2024
by Daily end-of-shift report 19 Dec '24

19 Dec '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 18-12-2024 18:00 − Donnerstag 19-12-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Attackers exploiting a patched FortiClient EMS vulnerability in the wild ∗∗∗ --------------------------------------------- During a recent incident response, Kaspersky’s GERT team identified a set of TTPs and indicators linked to an attacker that infiltrated a company’s networks by targeting a Fortinet vulnerability for which a patch was already available. --------------------------------------------- https://securelist.com/patched-forticlient-ems-vulnerability-exploited-in-t… ∗∗∗ HubPhish Abuses HubSpot Tools to Target 20,000 European Users for Credential Theft ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed a new phishing campaign that has targeted European companies with an aim to harvest account credentials and take control of the victims Microsoft Azure cloud infrastructure. [..] Targets include at least 20,000 automotive, chemical, and industrial compound manufacturing users in Europe. [..] The attacks involve sending phishing emails with Docusign-themed lures that urge recipients to view a document, which then redirects users to malicious HubSpot Free Form Builder links, from where they are led to a fake Office 365 Outlook Web App login page in order to steal their credentials. --------------------------------------------- https://thehackernews.com/2024/12/hubphish-exploits-hubspot-tools-to.html ∗∗∗ Spyware distributed through Amazon Appstore ∗∗∗ --------------------------------------------- Recently, we uncovered a seemingly harmless app called “BMI CalculationVsn” on the Amazon App Store, which is secretly stealing the package name of installed apps and incoming SMS messages under the guise of a simple health tool. --------------------------------------------- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/spyware-distributed-th… ∗∗∗ Achtung: AG Reparaturservice ist Betrug ∗∗∗ --------------------------------------------- Geschirrspüler kaputt? Die Website ag-reparaturservice.at bietet angeblich Reparaturen verschiedenster Geräte an. Von Kühlschränken über Waschmaschinen bis hin zu Backöfen repariert das Unternehmen angeblich Haushaltsgeräte. Wir raten zur Vorsicht: Die Reparatur wird trotz Bezahlung nicht durchgeführt. Sie verlieren Ihr Geld. Wir zeigen Ihnen, wie Sie die Betrugsmasche erkennen! --------------------------------------------- https://www.watchlist-internet.at/news/ag-reparaturservice-ist-betrug/ ∗∗∗ CISA urges senior government officials to lock down mobile devices amid ongoing Salt Typhoon breach ∗∗∗ --------------------------------------------- A 5-page advisory provided troves of guidance for both Apple and Android users, urging all “highly targeted individuals” to rely on the “consistent use of end-to-end encryption.” --------------------------------------------- https://therecord.media/cisa-urges-senior-officials-to-lock-down-devices-sa… ∗∗∗ Hacker könnten über Schwachstellen in Solaranlagen das europäische Stromnetz knacken ∗∗∗ --------------------------------------------- Unschöne, aber keineswegs neue Erkenntnis. Deutschland ist zwar "stolz" ob der installierten Leistung an Solarkollektoren. Aber ein griechischer White Hat-Hacker hat gezeigt, wie er sich mittels Notebook und Internet in zahlreiche europäischen Solaranlagen hacken und diese – auch in Deutschland – einfach ausknipsen könnte. --------------------------------------------- https://www.borncity.com/blog/2024/12/19/hacker-koennten-ueber-schwachstell… ∗∗∗ Kritische LDAP-Schwachstelle in Windows (CVE-2024-49112) ∗∗∗ --------------------------------------------- Noch ein kleiner Nachtrag vom Dezember 2024-Patchday. Zum 10. Dezember 2024 hat Microsoft einen kritische Schwachstelle (CVE-2024-49112) im Lightweight Directory Access Protocol (LDAP) öffentlich gemacht. Diese ermöglicht Remote-Angriffe auf Windows-Clients und -Server, wurde aber gepatcht. [..] Hunter schreibt, dass jährlich 178.900 LDAP- und LDAPS-Dienste jährlich beim Scans über hunter.how gefunden würden. --------------------------------------------- https://www.borncity.com/blog/2024/12/19/kritische-ldap-schwachstelle-in-wi… ∗∗∗ Exploring vulnerable Windows drivers ∗∗∗ --------------------------------------------- This post is the result of research into the real-world application of the Bring Your Own Vulnerable Driver (BYOVD) technique along with Cisco Talos’ series of posts about malicious Windows drivers. --------------------------------------------- https://blog.talosintelligence.com/exploring-vulnerable-windows-drivers/ ∗∗∗ Betrugsmail: Cyberversicherung muss Schaden nicht ersetzen ∗∗∗ --------------------------------------------- Klassisches Mail-Spoofing kostete eine deutsche Firma 85.000 Euro. Ihre Cyberversicherung deckt den Schaden nicht, sagt das Landgericht Hagen. --------------------------------------------- https://heise.de/-10215212 ∗∗∗ Skuld Infostealer Returns to npm with Fake Windows Utilities and Malicious Solara Development Packages ∗∗∗ --------------------------------------------- Socket’s threat research team identified a malware campaign infiltrating the npm ecosystem, deploying the Skuld infostealer just weeks after a similar attack targeted Roblox developers. [..] Before their removal, these packages compromised hundreds of machines, demonstrating how even low-complexity attacks can rapidly gain traction. --------------------------------------------- https://socket.dev/blog/skuld-infostealer-returns-to-npm ===================== = Vulnerabilities = ===================== ∗∗∗ FortiWLM Unauthenticated limited file read vulnerability ∗∗∗ --------------------------------------------- A relative path traversal [CWE-23] in FortiWLM may allow a remote unauthenticated attacker to read sensitive files. Severity: Critical, CVE-2023-34990 --------------------------------------------- https://www.fortiguard.com/psirt/FG-IR-23-144 ∗∗∗ FortiManager OS command injection ∗∗∗ --------------------------------------------- An Improper Neutralization of Special Elements used in an OS Command (OS Command Injection) vulnerability [CWE-78] in FortiManager may allow an authenticated remote attacker to execute unauthorized code via FGFM crafted requests. Severity: High, CVE-2024-48889 --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-24-425 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (bluez, edk2:20220126gitbb1bba3d77, gstreamer1-plugins-base, gstreamer1-plugins-good, kernel, kernel-rt, mpg123, php:8.2, python3.11-urllib3, and tuned), Fedora (ColPack, glibc, golang-github-chainguard-dev-git-urls, golang-github-task, icecat, python-nbdime, python3.13, and python3.14), Mageia (kernel, kmod-xtables-addons, kmod-virtualbox, dwarves and kernel-linus), Red Hat (gstreamer1-plugins-base and gstreamer1-plugins-good), SUSE (curl, emacs, git-bug, glib2, helm, kernel, and traefik2), and Ubuntu (gst-plugins-base1.0, gst-plugins-good1.0, gstreamer1.0, libvpx, linux-gcp, phpunit, and yara). --------------------------------------------- https://lwn.net/Articles/1002903/ ∗∗∗ Delta Electronics DTM Soft ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-354-03 ∗∗∗ Hitachi Energy SDM600 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-354-02 ∗∗∗ Hitachi Energy RTU500 series CMU ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-354-01 ∗∗∗ Ossur Mobile Logic Application ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-354-01 ∗∗∗ Tibbo AggreGate Network Manager ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-354-05 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.12.2024
by Daily end-of-shift report 18 Dec '24

18 Dec '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 17-12-2024 18:00 − Mittwoch 18-12-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Critical security hole in Apache Struts under exploit ∗∗∗ --------------------------------------------- A critical security hole in Apache Struts 2 [..] CVE-2024-53677 [..] is currently being exploited using publicly available proof-of-concept (PoC) code. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2024/12/17/critical_rce… ∗∗∗ How to Lose a Fortune with Just One Bad Click ∗∗∗ --------------------------------------------- Adam Griffin is still in disbelief over how quickly he was robbed of nearly $500,000 in cryptocurrencies. A scammer called using a real Google phone number to warn his Gmail account was being hacked, sent email security alerts directly from google.com, and ultimately seized control over the account by convincing him to click "yes" to a Google prompt on his mobile device. --------------------------------------------- https://krebsonsecurity.com/2024/12/how-to-lose-a-fortune-with-just-one-bad… ∗∗∗ AI-generated malvertising “white pages” are fooling detection engines ∗∗∗ --------------------------------------------- In this blog post, we take a look at a couple of examples where threat actors are buying Google Search ads and using AI to create white pages. The content is unique and sometimes funny if you are a real human, but unfortunately a computer analyzing the code would likely give it a green check. --------------------------------------------- https://www.malwarebytes.com/blog/cybercrime/2024/12/ai-generated-malvertis… ∗∗∗ Spotify: Vorsicht vor betrügerischen Phishing-Mails ∗∗∗ --------------------------------------------- Derzeit häufen sich Meldungen über betrügerische E-Mails, die angeblich von Spotify stammen. Es sei ein Problem mit der Zahlungsabwicklung aufgetreten, sodass Spotify die Nutzungsgebühr nicht abbuchen konnte und daher den Account vorübergehend gesperrt hat. Um Spotify weiter nutzen zu können, werden Sie aufgefordert die Kontoinformationen zu aktualisieren. Es handelt sich jedoch um Phishing! --------------------------------------------- https://www.watchlist-internet.at/news/spotify-vorsicht-vor-betruegerischen… ∗∗∗ Detailing the Attack Surfaces of the Tesla Wall Connector EV Charger ∗∗∗ --------------------------------------------- Trend ZDI researchers have performed an analysis of the discrete hardware components found in the device. --------------------------------------------- https://www.thezdi.com/blog/2024/12/16/detailing-the-attack-surfaces-of-the… ∗∗∗ Phishing-Masche nimmt Nutzer von Google-Kalender ins Visier ∗∗∗ --------------------------------------------- Cyberkriminelle nutzen laut einer Analyse von Sicherheitsforschern offenbar verstärkt Google-Kalender-Invites, um Internetnutzer auf Phishingseiten zu locken. --------------------------------------------- https://heise.de/-10214705 ∗∗∗ [Guest Diary] A Deep Dive into TeamTNT and Spinning YARN, (Wed, Dec 18th) ∗∗∗ --------------------------------------------- TeamTNT is running a crypto mining campaign dubbed Spinning YARN. Spinning YARN focuses on exploiting Docker, Redis, YARN, and Confluence. On November 4th, 2024, my DShield sensor recorded suspicious activity targeting my web server. The attacker attempted to use a technique that tricks the server into running harmful commands. --------------------------------------------- https://isc.sans.edu/diary/rss/31530 ===================== = Vulnerabilities = ===================== ∗∗∗ BeyondTrust BT24-10: Command Injection Vulnerability / Severity: Critical ∗∗∗ --------------------------------------------- A critical vulnerability has been discovered in Privileged Remote Access (PRA) and Remote Support (RS) products which can allow an unauthenticated attacker to inject commands that are run as a site user. CVE(s): CVE-2024-12356 --------------------------------------------- https://www.beyondtrust.com/trust-center/security-advisories/bt24-10 ∗∗∗ Juniper: 2024-12 Reference Advisory: Session Smart Router: Mirai malware found on systems when the default password remains unchanged ∗∗∗ --------------------------------------------- On Wednesday, December 11, 2024, several customers reported suspicious behavior on their Session Smart Network (SSN) platforms. These systems have been infected with the Mirai malware and were subsequently used as a DDOS attack source to other devices accessible by their network. The impacted systems were all using default passwords. Any customer not following recommended best practices and still using default passwords can be considered compromised as the default SSR passwords have been added to the virus database. [..] This affects all versions of Session Smart Router (SSR) --------------------------------------------- https://supportportal.juniper.net/s/article/2024-12-Reference-Advisory-Sess… ∗∗∗ Foxit PDF Editor und Reader: Attacken über präparierte PDF-Dateien möglich ∗∗∗ --------------------------------------------- PDF-Anwendungen von Foxit sind unter macOS und Windows verwundbar. Sicherheitsupdates stehen bereit. [..] Die Einstufung des Bedrohungsgrads der Lücken (CVE-2024-49576, CVE-2024-47810) steht zurzeit noch aus. --------------------------------------------- https://heise.de/-10211267 ∗∗∗ Windows-Sicherheitslösung Trend Micro Apex One als Einfallstor für Angreifer ∗∗∗ --------------------------------------------- Angreifer können an mehreren Sicherheitslücken in Trend Micro Apex One ansetzen. Sicherheitsupdates sind verfügbar. [..] Die darin geschlossenen Sicherheitslücken (CVE-2024-52048, CVE-2024-52049, CVE-2024-52050, CVE-2024-55631, CVE-2024-55632, CVE-2024-55917) sind mit dem Bedrohungsgrad "hoch" eingestuft. --------------------------------------------- https://heise.de/-10213518 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (libsndfile, php:7.4, python3.11, python3.12, and python36:3.6), Debian (dpdk), Mageia (curl and socat), Oracle (firefox and tuned), Red Hat (bluez, containernetworking-plugins, edk2, edk2:20220126gitbb1bba3d77, edk2:20240524, expat, gstreamer1-plugins-base, gstreamer1-plugins-base and gstreamer1-plugins-good, gstreamer1-plugins-good, kernel, libsndfile, libsndfile:1.0.31, mpg123, mpg123:1.32.9, pam, python3.11-urllib3, skopeo, tuned, unbound, and unbound:1.16.2), SUSE (cloudflared, curl, docker, firefox, gstreamer-plugins-good, kernel, libmozjs-115-0, libmozjs-128-0, libmozjs-78-0, libsoup, ovmf, python-urllib3_1, subversion, thunderbird, and traefik), and Ubuntu (editorconfig-core, libspring-java, linux, linux-aws, linux-aws-6.8, linux-gcp, linux-gcp-6.8, linux-gke, linux-gkeop, linux-ibm, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-oem-6.8, linux-oracle, linux-oracle-6.8, linux-raspi, linux, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-ibm, linux-ibm-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, linux-raspi, linux, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, linux-kvm, linux-raspi, linux, linux-lowlatency, linux-oracle, linux-aws, linux-aws-5.15, linux-aws, linux-aws-5.4, linux-bluefield, linux-oracle, linux-oracle-5.4, and linux-oem-6.11). --------------------------------------------- https://lwn.net/Articles/1002703/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.12.2024
by Daily end-of-shift report 17 Dec '24

17 Dec '24

===================== = End-of-Day report = ===================== Timeframe: Montag 16-12-2024 18:00 − Dienstag 17-12-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Verbraucherzentrale warnt vor aktueller Paypal-Betrugsmasche ∗∗∗ --------------------------------------------- Die Verbraucherzentrale NRW warnt, dass Kriminelle "Bezahlen ohne Paypal-Konto" missbrauchen. Schutz davor ist kaum möglich. [..] Im Zentrum der Kritik steht eine Paypal-Bezahloption, die sich "Zahlen ohne Paypal-Konto" nennt und auch als "Gast-Konto" oder "Gastzahlung" bekannt ist. Damit können Käufer über das Lastschrift-Verfahren zahlen, ohne dass ein Paypal-Konto angelegt wird. Dafür ist eine IBAN anzugeben. --------------------------------------------- https://heise.de/-10202355 ∗∗∗ Malicious ads push Lumma infostealer via fake CAPTCHA pages ∗∗∗ --------------------------------------------- DeceptionAds can be seen as a newer and more dangerous variant of the "ClickFix" attacks, where victims are tricked into running malicious PowerShell commands on their machine, infecting themselves with malware. ClickFix actors have employed phishing emails, fake CAPTCHA pages on pirate software sites, malicious Facebook pages, and even GitHub issues redirecting users to dangerous landing pages. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malicious-ads-push-lumma-inf… ∗∗∗ Over 25,000 SonicWall VPN Firewalls exposed to critical flaws ∗∗∗ --------------------------------------------- Over 25,000 publicly accessible SonicWall SSLVPN devices are vulnerable to critical severity flaws, with 20,000 using a SonicOS/OSX firmware version that the vendor no longer supports. [..] Public exposure means that the firewall's management or SSL VPN interfaces are accessible from the internet, presenting an opportunity for attackers to probe for vulnerabilities, outdated/unpatched firmware, misconfigurations, and brute-force weak passwords. --------------------------------------------- https://www.bleepingcomputer.com/news/security/over-25-000-sonicwall-vpn-fi… ∗∗∗ Sicherheitsbehörde warnt: Kernel-Schwachstelle in Windows wird aktiv ausgenutzt ∗∗∗ --------------------------------------------- Konkret geht es um die Sicherheitslücke CVE-2024-35250. Diese ermöglicht es Angreifern, auf anfälligen Systemen ihre Rechte auszuweiten. Nach Angaben der US-Cybersicherheitsbehörde Cisa gibt es neuerdings Hinweise auf eine aktive Ausnutzung. [..] Patches gegen CVE-2024-35250 stehen schon seit Juni für alle anfälligen Betriebssysteme bereit und dürften daher auf den meisten Systemen längst eingespielt worden sein. --------------------------------------------- https://www.golem.de/news/sicherheitsbehoerde-warnt-kernel-schwachstelle-in… ∗∗∗ Python Delivering AnyDesk Client as RAT, (Tue, Dec 17th) ∗∗∗ --------------------------------------------- Yesterday, I found an interesting piece of Python script that will install AnyDesk on the victim’s computer. Even better, it reconfigures the tool if it is already installed. The script, called “an5.py” has a low VT score (6/63). Note that the script is compatible with Windows and Linux victims. --------------------------------------------- https://isc.sans.edu/diary/rss/31524 ∗∗∗ Technical Analysis of RiseLoader ∗∗∗ --------------------------------------------- In October 2024, Zscaler ThreatLabz came across malware samples that use a network communication protocol that is similar to RisePro. However, unlike RisePro which has primarily been used for information stealing, this new malware specializes in downloading and executing second-stage payloads. Due its distinctive focus and similarities with RisePro’s communication protocol, we named this new malware family RiseLoader. --------------------------------------------- https://www.zscaler.com/blogs/security-research/technical-analysis-riseload… ∗∗∗ Earth Koshchei Coopts Red Team Tools in Complex RDP Attacks ∗∗∗ --------------------------------------------- APT group Earth Koshchei, suspected to be sponsored by the SVR, executed a large-scale rogue RDP campaign using spear-phishing emails, red team tools, and sophisticated anonymization techniques to target high-profile sectors. --------------------------------------------- https://www.trendmicro.com/en_us/research/24/l/earth-koshchei.html ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gstreamer1.0), Fedora (jupyterlab and python-notebook), Oracle (gimp:2.8.22, gstreamer1-plugins-base, gstreamer1-plugins-good, kernel, php:8.2, postgresql, and python3.11), SUSE (aws-iam-authenticator, firefox, installation-images, kernel, libaom, libyuv, libsoup, libsoup2, python-aiohttp, socat, thunderbird, and vim), and Ubuntu (curl, Docker, imagemagick, and kernel). --------------------------------------------- https://lwn.net/Articles/1002496/ ∗∗∗ CrushFTP: Attacken auf Admins möglich ∗∗∗ --------------------------------------------- Angreifer können in Logs von CrushFTP Schadcode verstecken. Dagegen gerüstete Versionen sind verfügbar. --------------------------------------------- https://heise.de/-10202537 ∗∗∗ Xen Security Advisory CVE-2024-53241 / XSA-466 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-466.html ∗∗∗ Xen Security Advisory CVE-2024-53240 / XSA-465 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-465.html ∗∗∗ Rockwell Automation PowerMonitor 1000 Remote ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-352-03 ∗∗∗ Hitachi Energy TropOS Devices Series 1400/2400/6400 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-352-02 ∗∗∗ ThreatQuotient ThreatQ Platform ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-352-01 ∗∗∗ MISP v2.5.3 and v2.4.201 released with numerous enhancements, bug fixes, and security improvements to strengthen threat information sharing capabilities. ∗∗∗ --------------------------------------------- https://github.com/MISP/MISP/releases/tag/v2.5.3 ∗∗∗ BD Diagnostic Solutions Products ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-352-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.12.2024
by Daily end-of-shift report 17 Dec '24

17 Dec '24

===================== = End-of-Day report = ===================== Timeframe: Montag 16-12-2024 18:00 − Dienstag 17-12-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Verbraucherzentrale warnt vor aktueller Paypal-Betrugsmasche ∗∗∗ --------------------------------------------- Die Verbraucherzentrale NRW warnt, dass Kriminelle "Bezahlen ohne Paypal-Konto" missbrauchen. Schutz davor ist kaum möglich. [..] Im Zentrum der Kritik steht eine Paypal-Bezahloption, die sich "Zahlen ohne Paypal-Konto" nennt und auch als "Gast-Konto" oder "Gastzahlung" bekannt ist. Damit können Käufer über das Lastschrift-Verfahren zahlen, ohne dass ein Paypal-Konto angelegt wird. Dafür ist eine IBAN anzugeben. --------------------------------------------- https://heise.de/-10202355 ∗∗∗ Malicious ads push Lumma infostealer via fake CAPTCHA pages ∗∗∗ --------------------------------------------- DeceptionAds can be seen as a newer and more dangerous variant of the "ClickFix" attacks, where victims are tricked into running malicious PowerShell commands on their machine, infecting themselves with malware. ClickFix actors have employed phishing emails, fake CAPTCHA pages on pirate software sites, malicious Facebook pages, and even GitHub issues redirecting users to dangerous landing pages. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malicious-ads-push-lumma-inf… ∗∗∗ Over 25,000 SonicWall VPN Firewalls exposed to critical flaws ∗∗∗ --------------------------------------------- Over 25,000 publicly accessible SonicWall SSLVPN devices are vulnerable to critical severity flaws, with 20,000 using a SonicOS/OSX firmware version that the vendor no longer supports. [..] Public exposure means that the firewall's management or SSL VPN interfaces are accessible from the internet, presenting an opportunity for attackers to probe for vulnerabilities, outdated/unpatched firmware, misconfigurations, and brute-force weak passwords. --------------------------------------------- https://www.bleepingcomputer.com/news/security/over-25-000-sonicwall-vpn-fi… ∗∗∗ Sicherheitsbehörde warnt: Kernel-Schwachstelle in Windows wird aktiv ausgenutzt ∗∗∗ --------------------------------------------- Konkret geht es um die Sicherheitslücke CVE-2024-35250. Diese ermöglicht es Angreifern, auf anfälligen Systemen ihre Rechte auszuweiten. Nach Angaben der US-Cybersicherheitsbehörde Cisa gibt es neuerdings Hinweise auf eine aktive Ausnutzung. [..] Patches gegen CVE-2024-35250 stehen schon seit Juni für alle anfälligen Betriebssysteme bereit und dürften daher auf den meisten Systemen längst eingespielt worden sein. --------------------------------------------- https://www.golem.de/news/sicherheitsbehoerde-warnt-kernel-schwachstelle-in… ∗∗∗ Python Delivering AnyDesk Client as RAT, (Tue, Dec 17th) ∗∗∗ --------------------------------------------- Yesterday, I found an interesting piece of Python script that will install AnyDesk on the victim’s computer. Even better, it reconfigures the tool if it is already installed. The script, called “an5.py” has a low VT score (6/63). Note that the script is compatible with Windows and Linux victims. --------------------------------------------- https://isc.sans.edu/diary/rss/31524 ∗∗∗ Technical Analysis of RiseLoader ∗∗∗ --------------------------------------------- In October 2024, Zscaler ThreatLabz came across malware samples that use a network communication protocol that is similar to RisePro. However, unlike RisePro which has primarily been used for information stealing, this new malware specializes in downloading and executing second-stage payloads. Due its distinctive focus and similarities with RisePro’s communication protocol, we named this new malware family RiseLoader. --------------------------------------------- https://www.zscaler.com/blogs/security-research/technical-analysis-riseload… ∗∗∗ Earth Koshchei Coopts Red Team Tools in Complex RDP Attacks ∗∗∗ --------------------------------------------- APT group Earth Koshchei, suspected to be sponsored by the SVR, executed a large-scale rogue RDP campaign using spear-phishing emails, red team tools, and sophisticated anonymization techniques to target high-profile sectors. --------------------------------------------- https://www.trendmicro.com/en_us/research/24/l/earth-koshchei.html ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gstreamer1.0), Fedora (jupyterlab and python-notebook), Oracle (gimp:2.8.22, gstreamer1-plugins-base, gstreamer1-plugins-good, kernel, php:8.2, postgresql, and python3.11), SUSE (aws-iam-authenticator, firefox, installation-images, kernel, libaom, libyuv, libsoup, libsoup2, python-aiohttp, socat, thunderbird, and vim), and Ubuntu (curl, Docker, imagemagick, and kernel). --------------------------------------------- https://lwn.net/Articles/1002496/ ∗∗∗ CrushFTP: Attacken auf Admins möglich ∗∗∗ --------------------------------------------- Angreifer können in Logs von CrushFTP Schadcode verstecken. Dagegen gerüstete Versionen sind verfügbar. --------------------------------------------- https://heise.de/-10202537 ∗∗∗ Xen Security Advisory CVE-2024-53241 / XSA-466 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-466.html ∗∗∗ Xen Security Advisory CVE-2024-53240 / XSA-465 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-465.html ∗∗∗ Rockwell Automation PowerMonitor 1000 Remote ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-352-03 ∗∗∗ Hitachi Energy TropOS Devices Series 1400/2400/6400 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-352-02 ∗∗∗ ThreatQuotient ThreatQ Platform ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-352-01 ∗∗∗ MISP v2.5.3 and v2.4.201 released with numerous enhancements, bug fixes, and security improvements to strengthen threat information sharing capabilities. ∗∗∗ --------------------------------------------- https://github.com/MISP/MISP/releases/tag/v2.5.3 ∗∗∗ BD Diagnostic Solutions Products ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-352-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.12.2024
by Daily end-of-shift report 16 Dec '24

16 Dec '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 13-12-2024 18:00 − Montag 16-12-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Microsoft Update-Katalog: Kritische Lücke in Microsofts Webserver entdeckt ∗∗∗ --------------------------------------------- Angreifer konnten sich auf einem Webserver von Microsoft erweiterte Rechte verschaffen. Trotz versprochener Transparenz nennt der Konzern keine Details. --------------------------------------------- https://www.golem.de/news/microsoft-update-katalog-kritische-luecke-in-micr… ∗∗∗ Angriffe auf Citrix Netscaler Gateway: Hersteller gibt Hinweise zum Schutz ∗∗∗ --------------------------------------------- Seit Dezember 2024 gibt es ja massiven Angriffswellen Citrix Netscaler Gateways. [..] Nun hat Citrix reagiert, und gibt Tipps, wie sich Netscaler Gateways gegen die Angriffe … Weiterlesen →Quelle --------------------------------------------- https://www.borncity.com/blog/2024/12/15/angriffe-auf-citrix-netscaler-gate… ∗∗∗ 390,000 WordPress accounts stolen from hackers in supply chain attack ∗∗∗ --------------------------------------------- A threat actor tracked as MUT-1244 has stolen over 390,000 WordPress credentials in a large-scale, year-long campaign targeting other threat actors using a trojanized WordPress credentials checker. --------------------------------------------- https://www.bleepingcomputer.com/news/security/390-000-wordpress-accounts-s… ∗∗∗ The Simple Math Behind Public Key Cryptography ∗∗∗ --------------------------------------------- The security system that underlies the internet makes use of a curious fact: You can broadcast part of your encryption to make your information much more secure. --------------------------------------------- https://www.wired.com/story/how-public-key-cryptography-really-works-using-… ∗∗∗ NodeLoader Exposed: The Node.js Malware Evading Detection ∗∗∗ --------------------------------------------- Zscaler ThreatLabz discovered a malware campaign leveraging Node.js applications for Windows to distribute cryptocurrency miners and information stealers. We have named this malware family NodeLoader, since the attackers employ Node.js compiled executables to deliver second-stage payloads, including XMRig, Lumma, and Phemedrone Stealer. --------------------------------------------- https://www.zscaler.com/blogs/security-research/nodeloader-exposed-node-js-… ∗∗∗ Phishing-Nachricht „Ihr Konto wurde gesperrt“ im Namen von Meta ignorieren! ∗∗∗ --------------------------------------------- Sie erhalten eine Nachricht von Meta, in der Ihnen mitgeteilt wird, dass Ihr Facebook- oder Instagram-Konto demnächst gesperrt wird. Um dies zu verhindern, müssen Sie auf einen Link klicken und Ihr Konto verifizieren. Aber Vorsicht: Es handelt sich um eine Phishing-Nachricht von Kriminellen, die Ihre Daten stehlen wollen! --------------------------------------------- https://www.watchlist-internet.at/news/phishing-nachricht-im-namen-von-meta/ ∗∗∗ Crypted Hearts: Exposing the HeartCrypt Packer-as-a-Service Operation ∗∗∗ --------------------------------------------- Analysis of packer-as-a-service (PaaS) HeartCrypt reveals its use in over 2k malicious payloads across 45 malware families since its early 2024 appearance. --------------------------------------------- https://unit42.paloaltonetworks.com/packer-as-a-service-heartcrypt-malware/ ∗∗∗ CoinLurker: The Stealer Powering the Next Generation of Fake Updates ∗∗∗ --------------------------------------------- The evolution of fake update campaigns has advanced significantly with the emergence of CoinLurker, a sophisticated stealer designed to exfiltrate data while evading detection. Written in Go, CoinLurker employs cutting-edge obfuscation and anti-analysis techniques, making it a highly effective tool in modern cyberattacks. --------------------------------------------- https://blog.morphisec.com/coinlurker-the-stealer-powering-the-next-generat… ∗∗∗ Secure Coding: CWE 1123 – Sich selbst modifizierenden Code vermeiden ∗∗∗ --------------------------------------------- Die Common Weakness Enumeration CWE-1123 warnt vor dem übermäßigen Einsatz von sich selbst modifizierendem Code. Java-Entwickler sollten mit Bedacht agieren. --------------------------------------------- https://heise.de/-10194617 ∗∗∗ CISA and EPA Warn: Internet-Exposed HMIs Pose Serious Cybersecurity Risks to Water Systems ∗∗∗ --------------------------------------------- The Cybersecurity and Infrastructure Security Agency (CISA) and the Environmental Protection Agency (EPA) have jointly released a crucial fact sheet highlighting the cybersecurity risks posed by Internet-exposed Human Machine Interfaces (HMIs) in the Water and Wastewater Systems (WWS) sector. --------------------------------------------- https://thecyberexpress.com/exposed-human-machine-interfaces-in-wws/ ∗∗∗ The Qualcomm DSP Driver - Unexpectedly Excavating an Exploit ∗∗∗ --------------------------------------------- This blog post provides a technical analysis of exploit artifacts provided to us by Google's Threat Analysis Group (TAG) from Amnesty International. --------------------------------------------- https://googleprojectzero.blogspot.com/2024/12/qualcomm-dsp-driver-unexpect… ∗∗∗ Tech Guide: Detecting NoviSpy spyware with AndroidQF and the Mobile Verification Toolkit (MVT) ∗∗∗ --------------------------------------------- Amnesty Security Lab has published Indicators of Compromise (IOCs) for the NoviSpy spyware application. This tutorial explains how to use AndroidQF Android Quick Forensics (androidqf) and Mobile Verification Toolkit (MVT) to examine an Android device for traces of these indicators. --------------------------------------------- https://securitylab.amnesty.org/latest/2024/12/tech-guide-detecting-novispy… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gst-plugins-base1.0, gstreamer1.0, and libpgjava), Fedora (bpftool, chromium, golang-x-crypto, kernel, kernel-headers, linux-firmware, pytest, python3.10, subversion, and thunderbird), Gentoo (NVIDIA Drivers), Oracle (kernel, perl-App-cpanminus:1.7044, php:7.4, php:8.1, php:8.2, postgresql, python3.11, python3.12, python3.9:3.9.21, python36:3.6, ruby, and ruby:2.5), SUSE (docker-stable, firefox-esr, gstreamer, gstreamer-plugins-base, gstreamer-plugins-good, kernel, python-Django, python312, and socat), and Ubuntu (mpmath). --------------------------------------------- https://lwn.net/Articles/1002338/ ∗∗∗ Siemens: SSA-928984 V1.0: Heap-based Buffer Overflow Vulnerability in User Management Component (UMC) ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-928984.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.12.2024
by Daily end-of-shift report 13 Dec '24

13 Dec '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 12-12-2024 18:00 − Freitag 13-12-2024 18:05 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Social Engineering nach Mailbombing ∗∗∗ --------------------------------------------- Rapid7 hat vor Kurzem einen Blogbeitrag zur Vorgehensweise einer Ransomwaregruppe veröffentlicht, wir haben inzwischen von mehreren Firmen in Österreich gehört, die dieses Angriffsmuster selber beobachten mussten: Zuerst wird ein Mitarbeiter der Zielfirma mit E-Mail überschüttet: in vielen Fällen sind das legitime Newsletter, die aber in der Masse ein echtes Problem sind. Danach wird dieser Angestellte per Teams oder über andere Kanäle kontaktiert: Man sei der Helpdesk und will ihm bei der Bewältigung der Mail-Lawine helfen. --------------------------------------------- https://www.cert.at/de/aktuelles/2024/12/social-engineering-nach-mailbombing ∗∗∗ Vishing via Microsoft Teams Facilitates DarkGate Malware Intrusion ∗∗∗ --------------------------------------------- In this blog entry, we discuss a social engineering attack that tricked the victim into installing a remote access tool, triggering DarkGate malware activities and an attempted C&C connection. --------------------------------------------- https://www.trendmicro.com/en_us/research/24/l/darkgate-malware.html ∗∗∗ Germany sinkholes BadBox malware pre-loaded on Android devices ∗∗∗ --------------------------------------------- Germanys Federal Office for Information Security (BSI) has disrupted the BadBox malware operation pre-loaded in over 30,000 Android IoT devices sold in the country. [..] Germany's cybersecurity agency says it blocked communication between the BadBox malware devices and their command and control (C2) infrastructure by sinkholing DNS queries so that the malware communicates with police-controlled servers rather than the attacker's command and control servers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/germany-sinkholes-badbox-mal… ∗∗∗ Efforts to Secure US Telcos Beset by Salt Typhoon Might Fall Flat ∗∗∗ --------------------------------------------- The rules necessary to secure US communications have already been in place for 30 years, argues Sen. Wyden, the FCC just hasnt enforced them. Its unclear if they will help. --------------------------------------------- https://www.darkreading.com/vulnerabilities-threats/efforts-secure-us-telco… ∗∗∗ IoT Cloud Cracked by Open Sesame Over-the-Air Attack ∗∗∗ --------------------------------------------- Researchers demonstrate how to hack Ruijie Reyee access points without Wi-Fi credentials or even physical access to the device. --------------------------------------------- https://www.darkreading.com/ics-ot-security/iot-cloud-cracked-open-sesame-a… ∗∗∗ Windows Tooling Updates: OleView.NET ∗∗∗ --------------------------------------------- This is a short blog post about some recent improvements I've been making to the OleView.NET tool which has been released as part of version 1.16. The tool is designed to discover the attack surface of Windows COM and find security vulnerabilities such as privilege escalation and remote code execution. --------------------------------------------- https://googleprojectzero.blogspot.com/2024/12/windows-tooling-updates-olev… ∗∗∗ New Linux Rootkit PUMAKIT Uses Advanced Stealth Techniques to Evade Detection ∗∗∗ --------------------------------------------- Cybersecurity researchers have uncovered a new Linux rootkit called PUMAKIT that comes with capabilities to escalate privileges, hide files and directories, and conceal itself from system tools, while simultaneously evading detection. --------------------------------------------- https://thehackernews.com/2024/12/new-linux-rootkit-pumakit-uses-advanced.h… ∗∗∗ Attacking Entra Metaverse: Part 1 ∗∗∗ --------------------------------------------- This first blog post is a short one, and demonstrates how complete control of an Entra user is equal to compromise of the on-premises user. For the entire blog series the point I am trying to make is this: The Entra Tenant is the trust boundary --------------------------------------------- https://posts.specterops.io/attacking-entra-metaverse-part-1-c9cf8c4fb4ee?s… ===================== = Vulnerabilities = ===================== ∗∗∗ DevSecOps-Plattform Gitlab: Accountübernahme möglich ∗∗∗ --------------------------------------------- In einem Beitrag schreiben die Entwickler, dass auf Gitlab.com bereits die abgesicherten Ausgaben laufen. Für selbstverwaltete Gitlab-Installation sind nun die Ausgaben 17.4.6, 17.5.4 und 17.6.2 in der Community Edition und Enterprise Edition erschienen. [..] Insgesamt haben die Entwickler zwölf Sicherheitslücken geschlossen. Zwei davon sind mit dem Bedrohungsgrad "hoch" eingestuft (CVE-2024-11274, CVE-2024-8233). Im ersten Fall können Angreifer durch Manipulation von Kubernetes-Proxy-Responses Accounts übernehmen. --------------------------------------------- https://heise.de/-10198923 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, pgpool2, and smarty4), Fedora (chromium, linux-firmware, matrix-synapse, open62541, and thunderbird), Red Hat (kernel, kernel-rt, python3.11, python3.12, python3.9:3.9.18, python3.9:3.9.21, and ruby:2.5), SUSE (buildah, chromium, govulncheck-vulndb, java-1_8_0-ibm, libsvn_auth_gnome_keyring-1-0, python310-Django, qemu, and radare2), and Ubuntu (linux, linux-aws, linux-aws-6.8, linux-gcp, linux-gcp-6.8, linux-gke, linux-ibm, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-oem-6.8, linux-oracle, linux-oracle-6.8, linux-raspi, linux, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-raspi, linux-xilinx-zynqmp, linux-gkeop, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, php7.0, php7.2, python-asyncssh, and smarty3). --------------------------------------------- https://lwn.net/Articles/1002036/ ∗∗∗ Schneider Electric Security Advisories 10.12.2024 ∗∗∗ --------------------------------------------- https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.… ∗∗∗ Mozilla: Security Vulnerabilities fixed in Thunderbird 115.18 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2024-70/ ∗∗∗ F5: K000148969: Python vulnerability CVE-2024-7592 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000148969 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.12.2024
by Daily end-of-shift report 12 Dec '24

12 Dec '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 11-12-2024 18:00 − Donnerstag 12-12-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Apache issues patches for critical Struts 2 RCE bug ∗∗∗ --------------------------------------------- More details released after devs allowed weeks to apply fixes. We now know the remote code execution vulnerability in Apache Struts 2 disclosed back in November carries a near-maximum severity rating following the publication of the CVE. [..] Considering remote attackers could exploit the vulnerability without requiring any privileges, combined with the high impact to system confidentiality, integrity, and availability, it's likely the Apache Foundation withheld the juiciest details to allow customers to upgrade to a safe version (Struts 6.4.0 or greater). --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2024/12/12/apache_strut… ∗∗∗ Cyber Resilience Act: Vernetzte Produkte müssen bald besser abgesichert sein ∗∗∗ --------------------------------------------- Die EU-Verordnung zur Cyber-Widerstandsfähigkeit ist in Kraft getreten. Hersteller vernetzter Produkte müssen künftig ein Mindestmaß an Cybersicherheit bieten. --------------------------------------------- https://heise.de/-10197273 ∗∗∗ Modular Java Backdoor Dropped in Cleo Exploitation Campaign ∗∗∗ --------------------------------------------- While investigating incidents related to Cleo software exploitation, Rapid7 Labs and MDR team discovered a novel, multi-stage attack that deploys an encoded Java Archive (JAR) payload. --------------------------------------------- https://www.rapid7.com/blog/post/2024/12/11/etr-modular-java-backdoor-dropp… ∗∗∗ The Bite from Inside: The Sophos Active Adversary Report ∗∗∗ --------------------------------------------- A sea change in available data fuels fresh insights from the first half of 2024. --------------------------------------------- https://news.sophos.com/en-us/2024/12/12/active-adversary-report-2024-12/ ∗∗∗ Vorsicht beim Online-Kauf von Weihnachtsbäumen: So erkennen Sie unseriöse Shops ∗∗∗ --------------------------------------------- Die Vorweihnachtszeit ist für viele mit Stress und hohen Ausgaben verbunden - da scheint ein günstiger und schnell aufgestellter Weihnachtsbaum verlockend. Besonders im Trend liegen faltbare Weihnachtsbäume, die in Rekordzeit aufgestellt sein sollen. Doch Vorsicht: Nicht alle Anbieter halten, was sie versprechen. Wir zeigen, woran man unseriöse Angebote erkennt. --------------------------------------------- https://www.watchlist-internet.at/news/unserioese-shops-beim-weihnachtsbaum… ∗∗∗ 300,000+ Prometheus Servers and Exporters Exposed to DoS Attacks ∗∗∗ --------------------------------------------- In this research we highlighted vulnerabilities and flaws in the Prometheus stack. We highlight the risks associated with exposing Prometheus servers and exporters to the internet without authentication, which expose sensitive information and can be exploited to launch DoS attacks or even execute arbitrary code through compromised exporters. --------------------------------------------- https://blog.aquasec.com/300000-prometheus-servers-and-exporters-exposed-to… ∗∗∗ Bis zum Burn-out: Open-Source-Entwickler von KI-Bug-Reports genervt ∗∗∗ --------------------------------------------- Sie kommen freundlich und wohl durchdacht daher: Doch bei genauerer Prüfung stellen Open-Source-Maintainer fest, dass immer mehr Bugreports KI-Unsinn sind. --------------------------------------------- https://heise.de/-10195951 ===================== = Vulnerabilities = ===================== ∗∗∗ Hunk Companion WordPress plugin exploited to install vulnerable plugins ∗∗∗ --------------------------------------------- The issue impacts all versions of Hunk Companion before the latest 1.9.0, released yesterday, which addressed the problem. While investigating a WordPress site infection, WPScan discovered active exploitation of CVE-2024-11972 to install a vulnerable version of WP Query Console. [..] By installing outdated plugins with known vulnerabilities with available exploits, the attackers can access a large pool of flaws that lead to remote code execution (RCE), SQL injection, cross-site scripting (XSS) flaws, or create backdoor admin accounts. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hunk-companion-wordpress-plu… ∗∗∗ Apple Updates Everything (iOS, iPadOS, macOS, watchOS, tvOS, visionOS), (Wed, Dec 11th) ∗∗∗ --------------------------------------------- Apple today released patches for all of its operating systems. The updates address 46 different vulnerabilities. Many of the vulnerabilities affect more than one operating system. None of the vulnerabilities are labeled as being already exploited. --------------------------------------------- https://isc.sans.edu/diary/rss/31514 ∗∗∗ Atlassian schützt Confluence & Co. vor möglichen DoS-Attacken ∗∗∗ --------------------------------------------- Angreifer können an zehn Sicherheitslücken in Atlassian Bamboo, Bitbucket und Confluence ansetzen und unter anderem Abstürze provozieren. --------------------------------------------- https://heise.de/-10196643 ∗∗∗ Sicherheitspatch: Angreifer können über TeamViewer-Lücke Windows-Dateien löschen ∗∗∗ --------------------------------------------- Basierend auf einer Warnmeldung ist die Komponente TeamViewer Patch & Asset Management angreifbar (CVE-2024-12363 "hoch"). Die Komponente ist aber standardmäßig nicht installiert. Sie ist optional im Kontext des Remote-Management-Features installierbar. [..] Die Entwickler versichern, dass sich das Sicherheitsupdate automatisch installiert. --------------------------------------------- https://heise.de/-10196765 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libsoup2.4, python-aiohttp, and upx-ucl), Fedora (iaito, python3.11, python3.9, and radare2), Red Hat (ruby, ruby:2.5, and ruby:3.1), Slackware (mozilla-thunderbird), SUSE (govulncheck-vulndb, nodejs18, nodejs20, and socat), and Ubuntu (ofono and python-tornado). --------------------------------------------- https://lwn.net/Articles/1001863/ ∗∗∗ Paloalto: PAN-SA-2024-0017 Chromium: Monthly Vulnerability Updates (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/PAN-SA-2024-0017 ∗∗∗ Tenable: [R1] Security Center Version 6.5.1 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2024-20 ∗∗∗ Drupal: Open Social - Moderately critical - Access bypass - SA-CONTRIB-2024-076 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2024-076 ∗∗∗ Drupal: Allow All File Extensions for file fields - Critical - Unsupported - SA-CONTRIB-2024-075 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2024-075 ∗∗∗ Drupal: Git Utilities for Drupal - Critical - Unsupported - SA-CONTRIB-2024-074 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2024-074 ∗∗∗ Drupal: Login Disable - Critical - Access bypass - SA-CONTRIB-2024-073 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2024-073 ∗∗∗ Drupal: Browser Back Button - Moderately critical - Cross site scripting - SA-CONTRIB-2024-072 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2024-072 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.12.2024
by Daily end-of-shift report 11 Dec '24

11 Dec '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 10-12-2024 18:00 − Mittwoch 11-12-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Global Ongoing Phishing Campaign Targets Employees Across 12 Industries ∗∗∗ --------------------------------------------- Cybersecurity researchers at Group-IB have exposed an ongoing phishing operation that has been targeting employees and associates from over 30 companies across 12 industries and 15 jurisdictions. [..] What makes this campaign dangerous is the use of advanced techniques designed to bypass Secure Email Gateways (SEGs) and evade detection. [..] This campaign is ongoing therefore, companies need to watch out for what comes to their inbox. --------------------------------------------- https://hackread.com/ongoing-phishing-campaign-targets-employees/ ∗∗∗ AMD’s trusted execution environment blown wide open by new BadRAM attack ∗∗∗ --------------------------------------------- On Tuesday, an international team of researchers unveiled BadRAM, a proof-of-concept attack that completely undermines security assurances that chipmaker AMD makes to users of one of its most expensive and well-fortified microprocessor product lines. Starting with the AMD Epyc 7003 processor, a feature known as SEV-SNP—short for Secure Encrypted Virtualization and Secure Nested Paging—has provided the cryptographic means for certifying that a VM hasn’t been compromised by any sort of backdoor installed by someone with access to the physical machine running it. --------------------------------------------- https://arstechnica.com/information-technology/2024/12/new-badram-attack-ne… ∗∗∗ Microsoft MFA AuthQuake Flaw Enabled Unlimited Brute-Force Attempts Without Alerts ∗∗∗ --------------------------------------------- Cybersecurity researchers have flagged a "critical" security vulnerability in Microsofts multi-factor authentication (MFA) implementation that allows an attacker to trivially sidestep the protection and gain unauthorized access to a victims account. [..] Following responsible disclosure, the issue – codenamed AuthQuake – was addressed by Microsoft in October 2024. --------------------------------------------- https://thehackernews.com/2024/12/microsoft-mfa-authquake-flaw-enabled.html ∗∗∗ Decrypting Full Disk Encryption with Dissect ∗∗∗ --------------------------------------------- Back in 2022 Fox-IT decided to open source its proprietary incident response tooling known as Dissect. [..] One of the most popular requests has been the capability to use Dissect in combination with common disk encryption methods like Microsoft’s BitLocker or its Linux equivalent LUKS. Internally at Fox-IT we were able to already use these capabilities. With the release of Dissect version 3.17 these capabilities are now also available to the community at large. --------------------------------------------- https://blog.fox-it.com/2024/12/11/decrypting-full-disk-encryption-with-dis… ∗∗∗ The Stealthy Stalker: Remcos RAT ∗∗∗ --------------------------------------------- As cyberattacks become more sophisticated, understanding the mechanisms behind RemcosRAT and adopting effective security measures are crucial to protecting your systems from this growing threat. This blog presents a technical analysis of two RemcosRAT variants. --------------------------------------------- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/the-stealthy-stalker-r… ∗∗∗ How easily access cards can be cloned and why your PACS might be vulnerable ∗∗∗ --------------------------------------------- PACS can be bad, but also good if you configure them right. These systems protect your building, and control access to your most sensitive systems. Give them some love. --------------------------------------------- https://www.pentestpartners.com/security-blog/how-easily-access-cards-can-b… ∗∗∗ Zeitplan veröffentlicht: Lets Encrypt schafft OCSP-Zertifikatsüberprüfung ab ∗∗∗ --------------------------------------------- Das Protokoll zur Echtzeit-Gültigkeitsprüfung hat Datenschutzprobleme. Die weltgrößte CA ersetzt es nun durch Zertifikats-Sperrlisten. --------------------------------------------- https://heise.de/-10195107 ===================== = Vulnerabilities = ===================== ∗∗∗ Ivanti: December Security Update ∗∗∗ --------------------------------------------- Today, fixes have been released for the Ivanti solutions detailed below. [..] Ivanti Cloud Service Application, Ivanti Desktop and Server Management (DSM), Ivanti Connect Secure and Policy Secure, Ivanti Sentry, Ivanti Patch SDK, Ivanti Application Control, Ivanti Automation, Ivanti Workspace Control, Ivanti Performance Manager, Ivanti Security Controls (iSec) [..] Ivanti Cloud Services Application (CSA) 10.0 (Critical): An authentication bypass in the admin web console of Ivanti CSA before 5.0.3 allows a remote unauthenticated attacker to gain administrative access. CVE-2024-11639 --------------------------------------------- https://www.ivanti.com/blog/december-security-update ∗∗∗ Microsoft Security Update Summary (10. Dezember 2024) ∗∗∗ --------------------------------------------- Am 10. Dezember 2024 hat Microsoft Sicherheitsupdates für Windows-Clients und -Server, für Office – sowie für weitere Produkte – veröffentlicht. Die Sicherheitsupdates beseitigen 70 Schwachstellen (CVEs), davon 16 kritische Sicherheitslücken, davon eine als 0-day klassifiziert (bereits ausgenutzt). --------------------------------------------- https://www.borncity.com/blog/2024/12/10/microsoft-security-update-summary-… ∗∗∗ Solarwinds Web Help Desk: Software-Update schließt kritische Lücken ∗∗∗ --------------------------------------------- In Solarwinds Web Help Desk haben die Entwickler teils kritische Sicherheitslücken korrigiert. IT-Verantwortliche sollten rasch aktualisieren. --------------------------------------------- https://heise.de/-10195207 ∗∗∗ Patchday: Adobe schließt mehr als 160 Sicherheitslücken in Acrobat & Co. ∗∗∗ --------------------------------------------- Insgesamt hat der Softwarehersteller mehr als 160 Schwachstellen mit Updates für die Produkte geschlossen. --------------------------------------------- https://www.heise.de/-10194979 ∗∗∗ Synology-SA-24:28 Media Server ∗∗∗ --------------------------------------------- A vulnerability allows remote attackers to read specific files. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_24_28 ∗∗∗ PDQ Deploy allows reuse of deleted credentials that can compromise a device and facilitate lateral movement ∗∗∗ --------------------------------------------- The CERT/CC is creating this Vulnerability Note to advise and make users of PDQ Deploy aware of potential avenues of attack through the deploy service. System administrators that are using PDQ Deploy should employ LAPS to mitigate this vulnerability. --------------------------------------------- https://kb.cert.org/vuls/id/164934 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (proftpd-dfsg and smarty3), Fedora (python3.14), Gentoo (Distrobox, eza, idna, libvirt, and OpenSC), Red Hat (container-tools:rhel8 and edk2), SUSE (avahi, curl, libsoup2, lxd, nodejs20, python-Django, python310-Django4, python312, squid, and webkit2gtk3), and Ubuntu (expat, intel-microcode, linux, linux-aws, linux-kvm, linux-lts-xenial, and shiro). --------------------------------------------- https://lwn.net/Articles/1001728/ ∗∗∗ Mozilla: Security Vulnerabilities fixed in Thunderbird 128.5.2 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2024-69/ ∗∗∗ F5: K000148931: Linux kernel vulnerability CVE-2024-26923 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000148931 ∗∗∗ Huawei: Security Advisory - Path Traversal Vulnerability in Huawei Home Music System ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2024/huawei-sa-ptvihhms-… ∗∗∗ Numerix: Reflected Cross-Site Scripting in Numerix License Server Administration System Login ∗∗∗ --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/reflected-cross-site-scr… ∗∗∗ Splunk: SVD-2024-1207: Third-Party Package Updates in Splunk Universal Forwarder - December 2024 ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2024-1207 ∗∗∗ Splunk: SVD-2024-1206: Third-Party Package Updates in Splunk Enterprise - December 2024 ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2024-1206 ∗∗∗ Splunk: SVD-2024-1205: Remote Code Execution through Deserialization of Untrusted Data in Splunk Secure Gateway app ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2024-1205 ∗∗∗ Splunk: SVD-2024-1204: Sensitive Information Disclosure through SPL commands ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2024-1204 ∗∗∗ Splunk: SVD-2024-1203: Information Disclosure due to Username Collision with a Role that has the same Name as the User ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2024-1203 ∗∗∗ Splunk: SVD-2024-1202: Risky command safeguards bypass in “/en-US/app/search/report“ endpoint through “s“ parameter ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2024-1202 ∗∗∗ Splunk: SVD-2024-1201: Information Disclosure in Mobile Alert Responses in Splunk Secure Gateway ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2024-1201 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.12.2024
by Daily end-of-shift report 10 Dec '24

10 Dec '24

===================== = End-of-Day report = ===================== Timeframe: Montag 09-12-2024 18:00 − Dienstag 10-12-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Brute-Force-Angriffe auf exponierte Systeme ∗∗∗ --------------------------------------------- Aktuell werden dem BSI verstärkt Brute-Force-Angriffe gegen Citrix Netscaler Gateways aus verschiedenen KRITIS-Sektoren sowie von internationalen Partnern gemeldet. [..] Die aktuellen Angriffe heben sich aktuell lediglich in ihrer berichteten Menge von üblichen Angriffen dieser Art heraus. [..] Als Ziel der Brute-Force-Angriffe werden in aktuellen Berichten zwar Citrix Gateways gemeldet. Jedoch ist diese Cyber-Sicherheitswarnung für alle exponierten Systeme, insbesondere VPN-Gateways, relevant. --------------------------------------------- https://www.bsi.bund.de/SharedDocs/Cybersicherheitswarnungen/DE/2024/2024-2… ∗∗∗ Stark gestiegenes Aufkommen an Microsoft Remote Desktop Protokoll (RDP) Scanning ∗∗∗ --------------------------------------------- Ein internationaler Partner (Shadowserver) verzeichnet seit Anfang Dezember ein weltweit sehr stark gestiegenes Aufkommen (x160) an RDP "Scanning" in Wellen [1]. Ob es nur um Ausforschen offener RDP-Ports geht oder bereits weitere Handlungen gesetzt werden, ist aktuell unbekannt. Der Fokus scheint nicht auf dem RDP Standard-Port 3389, sondern auf Port 1098 zu liegen. --------------------------------------------- https://www.cert.at/de/aktuelles/2024/12/stark-gestiegenes-aufkommen-an-mic… ∗∗∗ Microsoft ergreift Maßnahmen gegen NTLM-Relay-Angriffe ∗∗∗ --------------------------------------------- Ein Angriffsvektor zum Erlangen von Zugriff im Netz ist sogenanntes NTLM-Relaying. Das erschwert Microsoft nun mit neuen Maßnahmen. --------------------------------------------- https://heise.de/-10194220 ∗∗∗ Ultralytics PyPI Package Compromised Through GitHub Actions Cache Poisoning ∗∗∗ --------------------------------------------- Over the weekend, the popular Ultralytics PyPI package was compromised in a supply chain attack that was detected following reports of a discrepancy between the library’s code on GitHub and the code that was published to PyPI for v8.3.41. --------------------------------------------- https://socket.dev/blog/ultralytics-pypi-package-compromised-through-github… ∗∗∗ Malware trends: eBPF exploitation, malware configurations stored in unexpected places, and increased use of custom post-exploitation tools ∗∗∗ --------------------------------------------- An investigation into an information security incident has allowed virus analysts at Doctor Web to uncover an ongoing campaign that incorporates many modern trends employed by cybercriminals. A client approached Doctor Web after suspecting that their computer infrastructure had been compromised. While analyzing the client’s data, our virus analysts identified a number of similar cases, leading them to conclude that an active campaign was underway. --------------------------------------------- https://news.drweb.com/show/?i=14955&lng=en&c=9 ∗∗∗ When User Input Lines Are Blurred: Indirect Prompt Injection Attack Vulnerabilities in AI LLMs ∗∗∗ --------------------------------------------- Indirect prompt attacks are when an LLM takes input from external sources but where an attacker gets to smuggle payloads (additional prompts!) into these external/side sources. These malicious additional prompts modify the overall prompt, breaking out of the data context as they are treated as instructions (they are additional prompts, commands, if you will) and, in turn, influence the initial user prompt provided together with the system prompt and with that, the subsequent actions and output. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/when-user-i… ∗∗∗ Inside Zloader’s Latest Trick: DNS Tunneling ∗∗∗ --------------------------------------------- Zloader (a.k.a. Terdot, DELoader, or Silent Night) is a modular Trojan based on the leaked Zeus source code that emerged in 2015. The malware was originally designed to facilitate banking fraud via Automated Clearing House (ACH) and wire transfers. However, similar to other malware families like Qakbot and Trickbot, Zloader has been repurposed for initial access, providing an entry point into corporate environments for the deployment of ransomware. --------------------------------------------- https://www.zscaler.com/blogs/security-research/inside-zloader-s-latest-tri… ∗∗∗ Mit dem Bumble-Date ins Theater? Vorsicht vor Betrug! ∗∗∗ --------------------------------------------- Sie haben auf Bumble jemanden kennengelernt? Sie verstehen sich gut und wollen als erstes Date ins Theater gehen? Doch Ihr Ticket sollten Sie sich selbst auf einer unbekannten Plattform kaufen. Vorsicht, hinter dem vermeintlich perfekten Match stecken Kriminelle, die Sie in einen Fake-Shop locken. --------------------------------------------- https://www.watchlist-internet.at/news/mit-dem-bumble-date-ins-theater-vors… ∗∗∗ Studie gemeinsam mit dem BSI: IT-Sicherheit von smarten Heizkörperthermostaten ∗∗∗ --------------------------------------------- Certitude führte im Auftrag des Bundesministerium für Sicherheit in der Informationstechnik (BSI) die technische Sicherheitsprüfung von smarten Heizkörperthermostaten durch. Die aus diesem Projekt entstandene und heute veröffentlichte Studie zeigt auf, dass es insbesondere beim Umgang mit Schwachstellen Nachholbedarf gibt. --------------------------------------------- https://certitude.consulting/blog/de/bsi-studie-sicherheit-smarte-heizkorpe… ∗∗∗ Full-Face Masks to Frustrate Identification ∗∗∗ --------------------------------------------- It’s a video of someone trying on a variety of printed full-face masks. They won’t fool anyone for long, but will survive casual scrutiny. And they’re cheap and easy to swap. --------------------------------------------- https://www.schneier.com/blog/archives/2024/12/full-face-masks-to-frustrate… ===================== = Vulnerabilities = ===================== ∗∗∗ Transfer-Software von Cleo: Hinter Firewall bringen, Patch wirkungslos ∗∗∗ --------------------------------------------- Die Datenstransfer-Software von Cleo hatte eine Sicherheitslücke gestopft – jedoch unzureichend. Das Leck wird aktiv angegriffen. --------------------------------------------- https://heise.de/-10193961 ∗∗∗ Wordpress: WPForms-Plug-in reißt Sicherheitsleck in 6 Millionen Webseiten ∗∗∗ --------------------------------------------- Im Wordpress-Plug-in WPForms können Angreifer eine Lücke missbrauchen, um etwa Zahlungen rückabzuwickeln. Sechs Millionen Webseiten nutzen das Plug-in. --------------------------------------------- https://heise.de/-10193387 ∗∗∗ MC LR Router and GoCast unpatched vulnerabilities ∗∗∗ --------------------------------------------- Cisco Talos Vulnerability Research team recently discovered two vulnerabilities in MC Technologies LR Router and three vulnerabilities in the GoCast service. These vulnerabilities have not been patched at time of this posting. --------------------------------------------- https://blog.talosintelligence.com/mc-lr-router-and-gocast-zero-day-vulnera… ∗∗∗ SAP-Patchday: Updates schließen teils kritische Sicherheitslücken ∗∗∗ --------------------------------------------- Im Dezember informiert SAP über neun neu entdeckte Sicherheitslücken in diversen Produkten. Eine davon gilt als kritisches Risiko. --------------------------------------------- https://heise.de/-10193418 ∗∗∗ Sicherheitsschwachstelle in Logitech MX Keys for Business (SYSS-2024-084) ∗∗∗ --------------------------------------------- SySS GmbH is currently not aware of a security fix for the described issue. [..] Due to the keyboard not enforcing any sort of authentication during the pairings, MX Keys for Business is vulnerable to machine-in-the-middle (MitM) attacks. --------------------------------------------- https://www.syss.de/pentest-blog/sicherheitsschwachstelle-in-logitech-mx-ke… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (postgresql:15, postgresql:16, and ruby:3.1), Debian (jinja2), Fedora (python-multipart, python-python-multipart, python3.12, retsnoop, rust-rbspy, rust-rustls, and zabbix), Oracle (kernel, libsoup, postgresql:12, postgresql:13, postgresql:15, postgresql:16, redis:7, and ruby:3.1), SUSE (nodejs18, pam, qt6-webengine, and radare2), and Ubuntu (dogtag-pki, linux-intel-iotg, linux-intel-iotg-5.15, ofono, rabbitmq-server, and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/1001597/ ∗∗∗ MOBATIME Network Master Clock ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-345-01 ∗∗∗ Horner Automation Cscape ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-345-05 ∗∗∗ Rockwell Automation Arena ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-345-06 ∗∗∗ National Instruments LabVIEW ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-345-04 ∗∗∗ Milesight UG67 Outdoor LoRaWAN Gateway rt-sa-2024-001 - rt-sa-2024-005 ∗∗∗ --------------------------------------------- https://www.redteam-pentesting.de/en/advisories/ ∗∗∗ SSA-979056 V1.0: Out of Bounds Write Vulnerability in Parasolid ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-979056.html ∗∗∗ SSA-881356 V1.0: Multiple Memory Corruption Vulnerabilities in Simcenter Femap ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-881356.html ∗∗∗ SSA-800126 V1.0: Deserialization Vulnerability in Siemens Engineering Platforms before V20 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-800126.html ∗∗∗ SSA-730188 V1.0: Multiple File Parsing Vulnerabilities in Solid Edge V2024 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-730188.html ∗∗∗ SSA-701627 V1.0: XXE Injection Vulnerabilities in COMOS ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-701627.html ∗∗∗ SSA-645131 V1.0: Multiple WRL File Parsing Vulnerabilities in Teamcenter Visualization ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-645131.html ∗∗∗ SSA-620799 V1.0: Denial of Service Vulnerability During BLE Pairing in SENTRON Powercenter 1000/1100 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-620799.html ∗∗∗ SSA-392859 V1.0: Local Arbitrary Code Execution Vulnerability in Siemens Engineering Platforms before V20 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-392859.html ∗∗∗ SSA-384652 V1.0: Cross-Site Request Forgery (CSRF) Vulnerability in RUGGEDCOM ROX II ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-384652.html ∗∗∗ SSA-128393 V1.0: Firmware Decryption Vulnerability in SICAM A8000 CP-8031 and CP-8050 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-128393.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.12.2024
by Daily end-of-shift report 09 Dec '24

09 Dec '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 06-12-2024 18:00 − Montag 09-12-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Phish Supper: An Incident Responder’s Bread and Butter ∗∗∗ --------------------------------------------- This post will delve into a recent business email compromise engagement handled by NCC Group’s Digital Forensics and Incident Response (DFIR) team, which saw the compromise of 12 users’ Microsoft 365 accounts. --------------------------------------------- https://www.nccgroup.com/us/research-blog/phish-supper-an-incident-responde… ∗∗∗ Hackers Using Fake Video Conferencing Apps to Steal Web3 Professionals Data ∗∗∗ --------------------------------------------- "The threat actors behind the malware have set up fake companies using AI to make them increase legitimacy," Cado Security researcher Tara Gould said. "The company reaches out to targets to set up a video call, prompting the user to download the meeting application from the website, which is Realst infostealer." --------------------------------------------- https://thehackernews.com/2024/12/hackers-using-fake-video-conferencing.html ∗∗∗ Abusing Git branch names to compromise a PyPI package ∗∗∗ --------------------------------------------- A compromised release was uploaded to PyPI after a project automatically processed a pull request with a flawed script. [..] This problem has been known for several years, but this event may serve as a good reminder to be careful with automated access to important secrets. --------------------------------------------- https://lwn.net/Articles/1001215/ ∗∗∗ A vulnerability in the OpenWrt attended sysupgrade server ∗∗∗ --------------------------------------------- The OpenWrt project has issued anadvisory regarding a vulnerability found in its Attended SysupgradeServer that could allow compromised packages to be installed on a router byan attacker. No official OpenWrt images were affected, and the vulnerability is not known to be exploited, but users who have installedimages created with an instance of this server are recommended toreinstall. --------------------------------------------- https://lwn.net/Articles/1001441/ ∗∗∗ Secure Coding: CWE-1007 – die unsichtbare Gefahr durch visuell ähnliche Zeichen ∗∗∗ --------------------------------------------- Vorsätzliche Homoglyphen-Angriffe durch visuell ähnliche Zeichen können Anwender in die Irre leiten. Zum Schutz dagegen helfen verschiedene Best Practices. --------------------------------------------- https://heise.de/-10188217 ∗∗∗ Malicious Maven Package Impersonating XZ for Java Library Introduces Backdoor Allowing Remote Code Execution ∗∗∗ --------------------------------------------- Socket researchers have discovered a malicious Maven package io.github.xz-java:xz-java that impersonates the legitimate XZ for Java library org.tukaani:xz. This deceptive package creates a hidden backdoor that enables remote command execution, posing a threat to enterprise supply chains. --------------------------------------------- https://socket.dev/blog/malicious-maven-package-impersonating-xz-for-java-l… ∗∗∗ Exploit Code Released for Microsoft CVE-2024-38193 ∗∗∗ --------------------------------------------- A critical use-after-free vulnerability, tracked as CVE-2024-38193 with a CVSS score of 7.8, has been discovered in the afd.sys Windows driver that allows attackers to escalate privileges and execute arbitrary code. This vulnerability has been fixed during the August 2024 patch on Tuesday. [..] Security researcher Nephster has published a proof-of-concept (PoC) code for the CVE-2024-38193 vulnerability on GitHub, further escalating its potential threat. --------------------------------------------- https://thecyberthrone.in/2024/12/09/exploit-code-released-for-microsoft-cv… ===================== = Vulnerabilities = ===================== ∗∗∗ Qlik: High Security fixes for Qlik Sense Enterprise for Windows (CVEs-pending) ∗∗∗ --------------------------------------------- Security issues in Qlik Sense Enterprise for Windows have been identified, and patches have been made available. If the vulnerabilities are successfully exploited, these issues could lead to a compromise of the server running the Qlik Sense software, including remote code execution (RCE). --------------------------------------------- https://community.qlik.com/t5/Official-Support-Articles/High-Security-fixes… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (redis:7, ruby, ruby:2.5, and ruby:3.1), Debian (avahi, ceph, chromium, gsl, jinja2, php7.4, renderdoc, ruby-doorkeeper, and zabbix), Fedora (chromium, python3.11, and uv), Gentoo (Asterisk, Cacti, Chromium, Google Chrome, Microsoft Edge. Opera, Dnsmasq, firefox, HashiCorp Consul, icinga2, OATH Toolkit, OpenJDK, PostgreSQL, R, Salt, Spidermonkey, and thunderbird), Mageia (kubernetes), Red Hat (grafana, grafana-pcp, osbuild-composer, and postgresql), SUSE (ansible-core, firefox, glib2, java-1_8_0-ibm, kernel-firmware, nanopb, netty, python310-django-ckeditor, python310-jupyter-ydoc, radare2, skopeo, and webkit2gtk3), and Ubuntu (tinyproxy). --------------------------------------------- https://lwn.net/Articles/1001433/ ∗∗∗ ZDI-24-1646: Epic Games Launcher Incorrect Default Permissions Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-1646/ ∗∗∗ F5: K000148896: Intel SGX vulnerability CVE-2023-43753 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000148896 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.12.2024
by Daily end-of-shift report 06 Dec '24

06 Dec '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 05-12-2024 18:00 − Freitag 06-12-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Trojan-as-a-Service Hits Euro Banks, Crypto Exchanges ∗∗∗ --------------------------------------------- At least 17 affiliate groups have used the "DroidBot" Android banking Trojan against 77 financial services companies across Europe, with more to come, researchers warn. --------------------------------------------- https://www.darkreading.com/threat-intelligence/trojan-service-hits-euro-ba… ∗∗∗ Frequent freeloader part I: Secret Blizzard compromising Storm-0156 infrastructure for espionage ∗∗∗ --------------------------------------------- In this first of a two-part blog series, we discuss how Secret Blizzard has used the infrastructure of the Pakistan-based threat activity cluster we call Storm-0156 — which overlaps with the threat actor known as SideCopy, Transparent Tribe, and APT36 — to install backdoors and collect intelligence on targets of interest in South Asia. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2024/12/04/frequent-freeloade… ∗∗∗ Malicious Script Injection on WordPress Sites ∗∗∗ --------------------------------------------- Recently, our team discovered a JavaScript-based malware affecting WordPress sites, primarily targeting those using the Hello Elementor theme. This type of malware is commonly embedded within legitimate-looking website files to load scripts from an external source. The malware injects a malicious external script into the theme’s header.php file, leading to harmful consequences for site owners and visitors. --------------------------------------------- https://blog.sucuri.net/2024/12/malicious-script-injection-on-wordpress-sit… ∗∗∗ Hackers Leveraging Cloudflare Tunnels, DNS Fast-Flux to Hide GammaDrop Malware ∗∗∗ --------------------------------------------- The threat actor known as Gamaredon has been observed leveraging Cloudflare Tunnels as a tactic to conceal its staging infrastructure hosting a malware called GammaDrop.The activity is part of an ongoing spear-phishing campaign targeting Ukrainian entities since at least early 2024 thats designed to drop the Visual Basic Script malware, Recorded Futures Insikt Group said in a new analysis. --------------------------------------------- https://thehackernews.com/2024/12/hackers-leveraging-cloudflare-tunnels.html ∗∗∗ Researchers Uncover Flaws in Popular Open-Source Machine Learning Frameworks ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed multiple security flaws impacting open-source machine learning (ML) tools and frameworks such as MLflow, H2O, PyTorch, and MLeap that could pave the way for code execution. The vulnerabilities, discovered by JFrog, are part of a broader collection of 22 security shortcomings the supply chain security company first disclosed last month. --------------------------------------------- https://thehackernews.com/2024/12/researchers-uncover-flaws-in-popular.html ∗∗∗ Announcing the launch of Vanir: Open-source Security Patch Validation ∗∗∗ --------------------------------------------- Today, we are announcing the availability of Vanir, a new open-source security patch validation tool. Introduced at Android Bootcamp in April, Vanir gives Android platform developers the power to quickly and efficiently scan their custom platform code for missing security patches and identify applicable available patches. --------------------------------------------- http://security.googleblog.com/2024/12/announcing-launch-of-vanir-open-sour… ∗∗∗ Tagesgeldkonten: Vorsicht vor betrügerischen Angeboten im Namen von CHECK24 ∗∗∗ --------------------------------------------- In den letzten Tagen wurden vermehrt SMS versendet, in denen im Namen von CHECK24 mit verlockenden Tagesgeldkonten zu einem Zinssatz von bis zu 5,25% geworben wird. Möchte man das Angebot wahrnehmen, wird man auf eine täuschend echt aussehende Phishing-Seite weitergeleitet. Wird dort Geld eingezahlt, landet es auf den Konten von Kriminellen. --------------------------------------------- https://www.watchlist-internet.at/news/tagesgeldkonten-betruegerischen-ange… ∗∗∗ Windows 11 24H2 auf mehr Geräten verfügbar; TPM 2.0-Pflicht; Installation auf unsupported CPUs ∗∗∗ --------------------------------------------- Microsoft hat damit begonnen, dass im Oktober 2024 allgemein freigegebene Windows 11 24H2 (als Windows 11 2024 Update bezeichnet), auf mehr Geräte zu verteilen. Weiterhin hat Microsoft bekräftigt, dass TPM 2.0 für Windows 11 Pflicht ist. Andererseits gibt es Leute, die die Erfahrung machen, dass Windows 11 24H2 auf Hardware, die nicht kompatibel ist, ohne Tricks installiert werden kann. --------------------------------------------- https://www.borncity.com/blog/2024/12/06/windows-11-24h2-auf-mehr-geraeten-… ∗∗∗ Introducing Supply-Chain Firewall: Protecting Developers from Malicious Open Source Packages ∗∗∗ --------------------------------------------- Release of Supply-Chain Firewall, an open source tool for preventing the installation of malicious PyPI and npm packages. --------------------------------------------- https://securitylabs.datadoghq.com/articles/introducing-supply-chain-firewa… ∗∗∗ New Malware Campaign Exposes Gaps in Manufacturing Cybersecurity Defenses ∗∗∗ --------------------------------------------- In a recent analysis by Cyble Research and Intelligence Labs (CRIL), a multi-stage cyberattack campaign has been identified, targeting the manufacturing industry. The attack, which heavily relies on process injection techniques, aims to deliver dangerous payloads, including Lumma Stealer and Amadey Bot. --------------------------------------------- https://thecyberexpress.com/lumma-stealer-amadey-bot-target-manufacturing/ ===================== = Vulnerabilities = ===================== ∗∗∗ SonicWall SMA100 SSL-VPN Affected By Multiple Vulnerabilities ∗∗∗ --------------------------------------------- CVE: CVE-2024-38475, CVE-2024-40763, CVE-2024-45318, CVE-2024-45319, CVE-2024-53702, CVE-2024-53703 --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0018 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (firefox, postgresql, postgresql:12, postgresql:13, postgresql:15, postgresql:16, python3:3.6.8, and thunderbird), Debian (clamav), Fedora (pam), Red Hat (firefox, postgresql:13, postgresql:15, python-tornado, redis:7, ruby, ruby:2.5, and ruby:3.1), SUSE (avahi, docker-stable, java-1_8_0-openjdk, libmozjs-128-0, obs-scm-bridge, php8, and teleport), and Ubuntu (ghostscript, needrestart, and shiro). --------------------------------------------- https://lwn.net/Articles/1001164/ ∗∗∗ Windows: 0patch für 0-day URL File NTLM Hash Disclosure-Schwachstelle ∗∗∗ --------------------------------------------- ACROS Security ist auf eine bisher nicht per Update geschlossene Schwachstelle in Windows gestoßen, die per URL die Offenlegung von NTLM Hash-Werten ermöglicht. ACROS Security hat einen opatch Micropatch veröffentlicht, um diese Schwachstelle zu beseitigen. Bis zum Bereitstellen eines Updates durch Microsoft ist der opatch-Micropatch kostenlos verfügbar. --------------------------------------------- https://www.borncity.com/blog/2024/12/06/windows-0patch-fuer-0-day-url-file… ∗∗∗ Sicherheitsupdate: Backupsoftware Dell NetWorker kann Daten leaken ∗∗∗ --------------------------------------------- Dell hat wichtige Sicherheitspatches für seine Backup- und Recovery-Software NetWorker und das SDK BSAFE veröffentlicht. Noch sind aber nicht alle Updates da. --------------------------------------------- https://heise.de/-10190285 ∗∗∗ QNAP: Vulnerability in Qsync Central ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-24-48 ∗∗∗ QNAP: Multiple Vulnerabilities in QTS and QuTS hero (PWN2OWN 2024) ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-24-49 ∗∗∗QNAP: Vulnerability in License Center ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-24-50 ∗∗∗ Tenable: [R1] Security Center Version 6.5.0 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2024-19 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.12.2024
by Daily end-of-shift report 05 Dec '24

05 Dec '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 04-12-2024 18:00 − Donnerstag 05-12-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Kostenfalle Gesundheitstest: So schützen Sie sich vor Abzocke ∗∗∗ --------------------------------------------- Auf gesundheitskontrolle.com oder gesundheitsbewertung.com werden 2-minütige Gesundheitstests versprochen. Nach Beantwortung einiger Fragen erhalten Sie angeblich eine „maßgenschneiderte und individuelle Gesundheitsanalyse“ von Gesundheitsexperten. Wir raten zur Vorsicht: Wenige Tage später flattert eine Rechnung über 79 Euro ins Haus. --------------------------------------------- https://www.watchlist-internet.at/news/kostenfalle-gesundheitstest/ ∗∗∗ MOONSHINE Exploit Kit and DarkNimbus Backdoor Enabling Earth Minotaur’s Multi-Platform Attacks ∗∗∗ --------------------------------------------- Trend Micro’s monitoring of the MOONSHINE exploit kit revealed how it’s used by the threat actor Earth Minotaur to exploit Android messaging app vulnerabilities and install the DarkNimbus backdoor for surveillance. --------------------------------------------- https://www.trendmicro.com/en_us/research/24/l/earth-minotaur.html ∗∗∗ Telecom Giant BT Group Hit by Black Basta Ransomware ∗∗∗ --------------------------------------------- BT Group, a major telecommunications firm, has been hit by a ransomware attack from the Black Basta group. The attack targeted the companys Conferencing division, leading to server shutdowns and potential data theft. --------------------------------------------- https://hackread.com/telecom-giant-bt-group-black-basta-ransomware-attack/ ∗∗∗ Vorsicht vor Whatsapp-Phishing mit gespoofter Rufnummer ∗∗∗ --------------------------------------------- Cyber-Kriminelle nehmen deutschsprachige WhatsApp-Nutzer ins Visier und versuchen mit einem perfiden Trick und einem Chatbot deren Accounts zu kapern. --------------------------------------------- https://heise.de/-10188150 ∗∗∗ USA: Acht Telekommunikationsdienste von Cyberangriffen betroffen ∗∗∗ --------------------------------------------- Bereits im Wahlkampf wurde bekannt, dass Kriminelle an die Telefondaten hochrangiger US-Politiker gekommen sind. Doch der Angriff war umfangreicher als gedacht. --------------------------------------------- https://heise.de/-10188807 ∗∗∗ [Guest Diary] Business Email Compromise, (Thu, Dec 5th) ∗∗∗ --------------------------------------------- Business Email Compromise (BEC) is a lucrative attack, which FBI data shows 51 billion dollars in losses between 2013 to 2022 [2]. According to SentinelOne, nearly all cybersecurity attacks (98%) contain a social engineering component [3].The social engineering attacks include phishing, spear phishing, smishing, whaling , etc. --------------------------------------------- https://isc.sans.edu/diary/rss/31474 ===================== = Vulnerabilities = ===================== ∗∗∗ Critical Mitel MiCollab Flaw Exposes Systems to Unauthorized File and Admin Access ∗∗∗ --------------------------------------------- Cybersecurity researchers have released a proof-of-concept (PoC) exploit that strings together a now-patched critical security flaw impacting Mitel MiCollab with an arbitrary file read zero-day, granting an attacker the ability to access files from susceptible instances. [..] WatchTowr Labs' analysis further found that the authentication bypass could be chained with an as-yet-unpatched post-authentication arbitrary file read flaw to extract sensitive information. --------------------------------------------- https://thehackernews.com/2024/12/critical-mitel-micollab-flaw-exposes.html ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (thunderbird, tuned, and webkitgtk), Mageia (python-aiohttp and qemu), Oracle (container-tools:ol8, firefox, java-1.8.0-openjdk, java-11-openjdk, kernel, kernel:4.18.0, krb5, pam, postgresql:16, python-tornado, python3:3.6.8, thunderbird, tigervnc, tuned, and webkit2gtk3), Red Hat (bzip2, postgresql, postgresql:13, postgresql:15, postgresql:16, python-tornado, and ruby:3.1), Slackware (python3), SUSE (postgresql, postgresql16, postgresql17, postgresql13, postgresql14, postgresql15, python-python-multipart, and python3), and Ubuntu (python-django and recutils). --------------------------------------------- https://lwn.net/Articles/1000870/ ∗∗∗ Vier Lücken in HPE Aruba Networking ClearPass Policy Manager geschlossen ∗∗∗ --------------------------------------------- In aktuellen Versionen von HPE Aruba Networking ClearPass Policy Manager haben die Entwickler insgesamt vier Sicherheitslücken geschlossen. Im schlimmsten Fall können Angreifer eigenen Code ausführen und Systeme kompromittieren. --------------------------------------------- https://heise.de/-10188868 ∗∗∗ Drupal: Entity Form Steps - Moderately critical - Cross site scripting - SA-CONTRIB-2024-071 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2024-071 ∗∗∗ Drupal: Minify JS - Moderately critical - Cross site request forgery - SA-CONTRIB-2024-070 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2024-070 ∗∗∗ Drupal: Download All Files - Critical - Access bypass - SA-CONTRIB-2024-069 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2024-069 ∗∗∗ Drupal: Pages Restriction Access - Critical - Access bypass - SA-CONTRIB-2024-068 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2024-068 ∗∗∗ Drupal: OAuth & OpenID Connect Single Sign On – SSO (OAuth/OIDC Client) - Critical - Cross Site Scripting - SA-CONTRIB-2024-067 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2024-067 ∗∗∗ Drupal: Print Anything - Critical - Unsupported - SA-CONTRIB-2024-066 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2024-066 ∗∗∗ Drupal: Megamenu Framework - Critical - Unsupported - SA-CONTRIB-2024-065 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2024-065 ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (November 25, 2024 to December 1, 2024) ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2024/12/wordfence-intelligence-weekly-wordpr… ∗∗∗ AutomationDirect C-More EA9 Programming Software ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-340-01 ∗∗∗ Planet Technology Planet WGS-804HPT ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-340-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.12.2024
by Daily end-of-shift report 04 Dec '24

04 Dec '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 03-12-2024 18:00 − Mittwoch 04-12-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Supply Chain Attack Detected in Solanas web3.js Library ∗∗∗ --------------------------------------------- A supply chain attack has been detected in versions 1.95.6 and 1.95.7 of the popular @solana/web3.js library, which receives more than ~350,000 weekly downloads on npm. These compromised versions contain injected malicious code that is designed to steal private keys from unsuspecting developers and users, potentially enabling attackers to drain cryptocurrency wallets. [..] npm has moved swiftly to remove the affected versions. [..] Anza recommends developers who suspect they were compromised to rotate any suspect authority keys, including multisigs, program authorities, and server keypairs. --------------------------------------------- https://socket.dev/blog/supply-chain-attack-solana-web3-js-library ∗∗∗ Jetzt patchen! Exploit für kritische Lücke in Whatsup Gold in Umlauf ∗∗∗ --------------------------------------------- Eine "kritische" Sicherheitslücke ist seit September dieses Jahres bekannt. Seitdem gibt es auch ein Sicherheitsupdate. Weil mittlerweile Exploitcode für die Schwachstelle kursiert, könnten Attacken bevorstehen. --------------------------------------------- https://heise.de/-10187538 ∗∗∗ Cisco Urges Immediate Patch for Decade-Old WebVPN Vulnerability ∗∗∗ --------------------------------------------- Cisco recently updated an advisory about a security flaw in the WebVPN login page of their ASA software, which can allow an unauthenticated, remote attacker to execute a cross-site scripting (XSS) attack on anyone using WebVPN on the Cisco ASA. [..] The vulnerability itself isn’t new – Cisco originally issued a warning back in March 2014. However, the company’s recent update highlights a concerning development: attackers are actively trying to exploit this decade-old bug. --------------------------------------------- https://hackread.com/cisco-patch-decade-old-webvpn-vulnerability/ ∗∗∗ (QR) Coding My Way Out of Here: C2 in Browser Isolation Environments ∗∗∗ --------------------------------------------- In this blog post, Mandiant demonstrates a novel technique that can be used to circumvent all three current types of browser isolation (remote, on-premises, and local) for the purpose of controlling a malicious implant via C2. Mandiant shows how attackers can use machine-readable QR codes to send commands from an attacker-controlled server to a victim device. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/c2-browser-isolati… ∗∗∗ Wegem schwerem Cyberangriff auf US-Provider: FBI wirbt für Verschlüsselung ∗∗∗ --------------------------------------------- Angesichts eines verheerenden Cyberangriffs auf US-Provider haben die US-Bundespolizei FBI und die Cybersicherheitsbehörde CISA die Menschen in den Vereinigten Staaten aufgefordert, ihre Kommunikation möglichst zu verschlüsseln. --------------------------------------------- https://heise.de/-10187110 ∗∗∗ Black Basta Ransomware Campaign Drops Zbot, DarkGate, and Custom Malware ∗∗∗ --------------------------------------------- Beginning in early October, Rapid7 has observed a resurgence of activity related to the ongoing social engineering campaign being conducted by Black Basta ransomware operators. --------------------------------------------- https://www.rapid7.com/blog/post/2024/12/04/black-basta-ransomware-campaign… ∗∗∗ PROXY.AM Powered by Socks5Systemz Botnet ∗∗∗ --------------------------------------------- After a year long investigation, Bitsight TRACE follows up on Socks5Systemz research. --------------------------------------------- https://www.bitsight.com/blog/proxyam-powered-socks5systemz-botnet ∗∗∗ New era of slop security reports for open source ∗∗∗ --------------------------------------------- Recently I've noticed an uptick in extremely low-quality, spammy, and LLM-hallucinated security reports to open source projects. [..] Security reports that waste maintainers' time result in confusion, stress, frustration, and to top it off a sense of isolation due to the secretive nature of security reports. [..] If this is happening to a handful of projects that I have visibility for, then I suspect that this is happening on a large scale to open source projects. This is a very concerning trend. --------------------------------------------- https://sethmlarson.dev/slop-security-reports ===================== = Vulnerabilities = ===================== ∗∗∗ Identitätsmanagement: Sicherheitslücke mit Höchstwertung bedroht IdentityIQ ∗∗∗ --------------------------------------------- Bislang gibt es von SailPoint noch keine Warnung zur Sicherheitslücke. Alle Informationen zur "kritischen" Schwachstelle (CVE-2024-10905) basieren derzeit auf einem Eintrag in der National Vulnerability Database (NVD) des National Insitute of Standards and Technology (NIST). [..] Die Lücke soll in den Ausgaben 8.2p8, 8.3p5 und 8.4p2 geschlossen sein. --------------------------------------------- https://heise.de/-10187194 ∗∗∗ Cisco NX-OS Software Image Verification Bypass Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the bootloader of Cisco NX-OS Software could allow an unauthenticated attacker with physical access to an affected device, or an authenticated, local attacker with administrative credentials, to bypass NX-OS image signature verification. CVE-2024-20397 --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Red Hat (go-toolset:rhel8, grafana, kernel, kernel-rt, kernel:4.18.0, pam, pam:1.5.1, pcs, postgresql:12, postgresql:15, postgresql:16, python3:3.6.8, qemu-kvm, rhc, rhc-worker-playbook, and virt:rhel and virt-devel:rhel) and SUSE (ansible-10, ansible-core, avahi, bpftool, python, python3, python36, webkit2gtk3, and xen). --------------------------------------------- https://lwn.net/Articles/1000721/ ∗∗∗ Scan2Net: Mehrere kritische Schwachstellen in Image Access Scan2Net ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/mehrere-kritische-sch… ∗∗∗ PGST: Mehrere Schwachstellen in PGST-Alarmanlagen (SYSS-2024-070 bis -073) ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/mehrere-schwachstellen-in-pgst-alarmanlage… ∗∗∗ F5: K000148830: Linux kernel vulnerabilities CVE-2024-41090 and CVE-2024-41091 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000148830 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.12.2024
by Daily end-of-shift report 03 Dec '24

03 Dec '24

===================== = End-of-Day report = ===================== Timeframe: Montag 02-12-2024 18:00 − Dienstag 03-12-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Building Cyber Resilience Against Ransomware Attacks ∗∗∗ --------------------------------------------- This is the first blogpost in this series. Its aim is twofold: to enable organizations embarking on a journey to build resilience against ransomware to recognize common misconceptions hindering readiness efforts and offer a conceptual framework to guide effective resilience building. --------------------------------------------- https://blog.nviso.eu/2024/12/03/building-cyber-resilience-against-ransomwa… ∗∗∗ Unveiling RevC2 and Venom Loader ∗∗∗ --------------------------------------------- Venom Spider, also known as GOLDEN CHICKENS, is a threat actor known for offering Malware-as-a-Service (MaaS) tools like VenomLNK, TerraLoader, TerraStealer, and TerraCryptor. These tools have been utilized by other threat groups such as FIN6 and Cobalt in the past. Recently, Zscaler ThreatLabz uncovered two significant campaigns leveraging Venom Spider's MaaS tools between August and October 2024. During our investigation, we identified two new malware families, which we named RevC2 and Venom Loader, that were deployed using Venom Spider MaaS Tools. --------------------------------------------- https://www.zscaler.com/blogs/security-research/unveiling-revc2-and-venom-l… ∗∗∗ Gafgyt Malware Targeting Docker Remote API Servers ∗∗∗ --------------------------------------------- Our researchers identified threat actors exploiting misconfigured Docker servers to spread the Gafgyt malware. This threat traditionally targets IoT devices; this new tactic signals a change in its behavior. --------------------------------------------- https://www.trendmicro.com/en_us/research/24/l/gafgyt-malware-targeting-doc… ∗∗∗ Secure Coding: Sichere Fehlerbehandlung in Java – CWE-778-Risiken vermeiden ∗∗∗ --------------------------------------------- Mit sicheren Java-Design-Patterns wie dem Decorator und Proxy Pattern die Kontrolle über Fehlerberichte verbessern – zum Schutz gegen CWE-778-Schwachstellen. --------------------------------------------- https://heise.de/-10084007 ∗∗∗ On Almost Signing Android Builds ∗∗∗ --------------------------------------------- This blog post has two goals: to raise awareness about this issue, to introduce a script intended as a quick check to verify if an Android build was (incorrectly) signed with a known private key. When Android-based devices boot up, first the bootloader is verified to be running signed code, then the bootloader verifies the high-level operating system (HLOS). This blog post only covers the latter part. --------------------------------------------- https://www.nccgroup.com/us/research-blog/on-almost-signing-android-builds/ ∗∗∗ Extracting Files Embedded Inside Word Documents, (Tue, Dec 3rd) ∗∗∗ --------------------------------------------- I found a sample that is a Word document with an embedded executable. I'll explain how to extract the embedded executable with my tools. --------------------------------------------- https://isc.sans.edu/diary/rss/31486 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (container-tools:rhel8, kernel, kernel-rt:4.18.0, kernel:4.18.0, pam, pam:1.5.1, perl-App-cpanminus, perl-App-cpanminus:1.7044, python-tornado, tigervnc, tuned, and webkit2gtk3), Debian (needrestart and webkit2gtk), Mageia (firefox, glib2.0, krb5, and thunderbird), Red Hat (firefox, postgresql, postgresql:12, postgresql:13, postgresql:15, postgresql:16, and thunderbird), SUSE (editorconfig-core-c, kernel, php7, php8, python, python-tornado6, python3-virtualenv, python310, python39, thunderbird, wget, and wireshark), and Ubuntu (firefox and haproxy). --------------------------------------------- https://lwn.net/Articles/1000591/ ∗∗∗ Zyxel security advisory for buffer overflow and post-authentication command injection vulnerabilities in some 4G LTE/5G NR CPE, DSL/Ethernet CPE, fiber ONTs, and WiFi extenders ∗∗∗ --------------------------------------------- CVE-2024-8748 ... could allow an attacker to cause denial of service (DoS) conditions against the web management interface [..] CVE-2024-9197 ... could allow an authenticated attacker with administrator privileges to cause DoS conditions against the web management interface [..] CVE-2024-9200 ... could allow an authenticated attacker with administrator privileges to execute operating system (OS) commands on a vulnerable device. --------------------------------------------- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-… ∗∗∗ Patchday: Android 12, 13, 14 und 15 für Schadcode-Attacken anfällig ∗∗∗ --------------------------------------------- In einer Warnmeldung hebt Google eine Sicherheitslücke (CVE-2024-43767 "hoch") im System als besonders bedrohlich hervor: Angreifer können Schadcode ausführen. Dafür seien keine zusätzlichen Ausführungsrechte nötig. Wie so ein Angriff genau ablaufen könnte, bleibt aber unklar. --------------------------------------------- https://heise.de/-10185926 ∗∗∗ HPE: HPESBGN04760 rev.1 - HPE AutoPass License Server (APLS), Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbgn04760en_us&doc… ∗∗∗ Fuji Electric Monitouch V-SFT ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-338-05 ∗∗∗ Fuji Electric Tellus Lite V-Simulator ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-338-06 ∗∗∗ ICONICS and Mitsubishi Electric GENESIS64 Products ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-338-04 ∗∗∗ Open Automation Software ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-338-03 ∗∗∗ Ruijie Reyee OS ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-338-01 ∗∗∗ F5: K000148809: Qt vulnerabilities CVE-2023-38197, CVE-2023-37369, and CVE-2023-32763 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000148809 ∗∗∗ F5: K000148689: Qt vulnerability CVE-2023-32762 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000148689 ∗∗∗ Veeam: Veeam Service Provider Console Vulnerability (CVE-2024-42448 | CVE-2024-42449) ∗∗∗ --------------------------------------------- https://www.veeam.com/kb4679 ∗∗∗ Veeam: Vulnerabilities Resolved in Veeam Backup & Replication 12.3 ∗∗∗ --------------------------------------------- https://www.veeam.com/kb4693 ∗∗∗ ZDI-24-1640: XnSoft XnView Classic RWZ File Parsing Integer Underflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-1640/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.12.2024
by Daily end-of-shift report 02 Dec '24

02 Dec '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 29-11-2024 18:00 − Montag 02-12-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Phishing: Angreifer umgehen Virenscan mittels beschädigter Word-Dokumente ∗∗∗ --------------------------------------------- Sicherheitsforscher sind auf eine neue Methode gestoßen, wie Cyberkriminelle präparierte Dokumente am Virenschutz vorbeischieben. --------------------------------------------- https://www.heise.de/-10184679 ∗∗∗ "Juice-Jacking": Wie gefährlich ist das Laden vom Smartphone im öffentlichen Raum? ∗∗∗ --------------------------------------------- Immer wieder warnen Behörden vor Angriffen durch manipulierte Charger, beim Cert Austria sieht man darin aber eine vorwiegend theoretische Bedrohung. --------------------------------------------- https://www.derstandard.at/story/3000000246594/juice-jacking-wie-gefaehrlic… ∗∗∗ Helldown, DoxNet & Darkrace Ransomware ∗∗∗ --------------------------------------------- In the following article I list some unique detection opportunities for all three ransomware groups, which seem to have the same affiliates or use the same server with similar ransomware variants to deploy their malware. --------------------------------------------- https://detect.fyi/helldown-donex-darktrace-ransomware-fd8683b7d135?source=… ∗∗∗ Code found online exploits LogoFAIL to install Bootkitty Linux backdoor ∗∗∗ --------------------------------------------- Researchers have discovered malicious code circulating in the wild that hijacks the earliest stage boot process of Linux devices by exploiting a year-old firmware vulnerability when it remains unpatched on affected models. [..] The ultimate objective of the exploit, which Binarly disclosed Friday, is to install Bootkitty, a bootkit for Linux that was found and reported on Wednesday by researchers from security firm ESET. --------------------------------------------- https://arstechnica.com/security/2024/11/code-found-online-exploits-logofai… ∗∗∗ Copilot: Administratorwissen zum Schutz der Daten ∗∗∗ --------------------------------------------- Microsoft hat ja damit begonnen, seine AI-Lösung Copilot in Microsoft Office-Anwendungen mit "Auto-Opt-in" an Kunden mit entsprechender Lizenz auszurollen. Administratoren kommt eine besondere Verantwortung zu, was den Schutz von Daten im Unternehmen betrifft. Microsoft hat dazu kürzlich einen Beitrag mit entsprechenden Hinweisen veröffentlicht. --------------------------------------------- https://www.borncity.com/blog/2024/12/01/copilot-was-administratoren-zum-sc… ∗∗∗ Cyber Resilience Act: Mehr Sicherheit für das Internet der Dinge ∗∗∗ --------------------------------------------- Der Cyber Resilience Act der EU soll vernetzte Geräte besser vor Angriffen aus dem Netz schützen. Unternehmen müssen ihn bis 2027 umsetzen. --------------------------------------------- https://www.golem.de/news/cyber-resilience-act-mehr-sicherheit-fuer-das-int… ∗∗∗ Digitale Bedrohungen: EU-Rat billigt Cyberschutzschild und Frühwarnsystem ∗∗∗ --------------------------------------------- Die EU-Staaten werden ein Cybersicherheitswarnsystem einrichten, mit dem sie Gefahren aus dem Internet quasi in Echtzeit erkennen und abwehren können wollen. --------------------------------------------- https://heise.de/-10185408 ∗∗∗ German intelligence launches task force to combat foreign election interference ∗∗∗ --------------------------------------------- Germanys domestic intelligence service (BfV) has created a special task force to counter cyberattacks, espionage, sabotage and disinformation campaigns ahead of federal elections in February. --------------------------------------------- https://therecord.media/german-bfv-election-task-force-cyberattacks-disinfo… ∗∗∗ Tamanoir: A KeyLogger using eBPF ∗∗∗ --------------------------------------------- Tamanoir is developed for educational purposes only. --------------------------------------------- https://github.com/pythops/tamanoir ∗∗∗ Webinar: Smartphone, Tablet & Co sicher nutzen! ∗∗∗ --------------------------------------------- Wie kann ich meine persönlichen Daten am Smartphone, Tablet & Co. schützen? In diesem Webinar zeigen wir Ihnen die wichtigsten Sicherheitseinstellungen – von Berechtigungen über Datenschutz bis hin zu Nutzungszeiten. Machen Sie mit unseren ExpertInnen Ihre digitalen Geräte sicher: Montag, 16. Dezember 2024, 18:30 - 20:00 Uhr via zoom. --------------------------------------------- https://www.watchlist-internet.at/news/webinar-smartphone-tablet-co-sicher-… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (dnsmasq, editorconfig-core, lemonldap-ng, proftpd-dfsg, python3.9, simplesamlphp, tgt, and xfpt), Fedora (qbittorrent, webkitgtk, and wireshark), Mageia (libsoup3 & libsoup), Red Hat (buildah, grafana, grafana-pcp, and podman), SUSE (gimp, kernel, postgresql14, python, webkit2gtk3, xen, and zabbix), and Ubuntu (ansible and postgresql-12, postgresql-14, postgresql-16). --------------------------------------------- https://lwn.net/Articles/1000465/ ∗∗∗ Multiple vulnerabilities in UNIVERGE IX/IX-R/IX-V series routers ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN53958863/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.11.2024
by Daily end-of-shift report 29 Nov '24

29 Nov '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 28-11-2024 18:00 − Freitag 29-11-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ So schützen Sie sich in der Weihnachtszeit vor Fake-Shops! ∗∗∗ --------------------------------------------- Zur Weihnachtszeit möchte man seinen Liebsten gerne eine Freude bereiten. Bei den kalten Temperaturen bietet es sich an, bequem von zu Hause aus online einzukaufen. Damit die Weihnachtsfreude nicht durch eine Bestellung bei einem Fake-Shop getrübt wird, zeigen wir Ihnen die wichtigsten Punkte, an denen Sie betrügerische Online-Shops erkennen können. --------------------------------------------- https://www.watchlist-internet.at/news/sicher-online-einkaufen-zu-weihnacht… ∗∗∗ Nach Nothalt: Microsoft verteilt korrigierte Exchange-Server-Updates ∗∗∗ --------------------------------------------- Das Exchange-Update zum November-Patchday war fehlerhaft, Microsoft zog die Notbremse. Jetzt stehen korrigierte Sicherheitsupdates bereit. --------------------------------------------- https://heise.de/-10181645 ∗∗∗ Hochriskante Sicherheitslücke in PostgreSQL: Gitlab patcht (noch) nicht ∗∗∗ --------------------------------------------- Postgres hat die Lücken bereits mit einem Update gefixt und empfiehlt, die Versionen 12.21, 13.17, 14.14, 15.9, 16.5 und 17.1 sofort einzuspielen. Wie bereits im März wiesen Leser uns darauf hin, dass GitLab nach wie vor an den alten, gefährdeten Versionen 14.11 und 16.4 festhält und die Updates verzögert. --------------------------------------------- https://heise.de/-10181730 ∗∗∗ QR-Codes an Parkautomaten – Polizei warnt vor Betrugsmasche ∗∗∗ --------------------------------------------- Derzeit tauchen bundesweit vermehrt manipulierte QR-Codes an Parkscheinautomaten auf. Dabei handelt es sich nach Angaben der Polizei um eine Betrugsmasche, bei der Kriminelle versuchen, über QR-Codes an sensible Daten zu gelangen – sogenanntes Quishing. --------------------------------------------- https://www.heise.de/-10181611 ∗∗∗ EU leitet Vertragsverletzungsverfahren gegen Deutschland wegen NIS2 ein ∗∗∗ --------------------------------------------- Gegen 24 Mitgliedstaaten inklusive Deutschland hat die Brüsseler Regierungsinstitution zugleich weitere Verletzungsverfahren gestartet, weil sie ihr keine nationalen Maßnahmen zur Umsetzung der Richtlinie über die Resilienz kritischer Einrichtungen mitgeteilt haben. Dabei handelt es sich quasi um die Analog-Variante der NIS2. --------------------------------------------- https://heise.de/-10181402 ∗∗∗ Ransomware Gangs Seek Pen Testers to Boost Quality ∗∗∗ --------------------------------------------- Qualified applicants must be able to test ransomware encryption and find bugs that might enable defenders to jailbreak the malware. --------------------------------------------- https://www.darkreading.com/threat-intelligence/ransomware-gangs-seek-pen-t… ∗∗∗ IT threat evolution Q3 2024 ∗∗∗ --------------------------------------------- In this part of the malware report we discuss the most remarkable findings of Q3 2024, including APT and hacktivist attacks, ransomware, stealers, macOS malware and so on. --------------------------------------------- https://securelist.com/malware-report-q3-2024/114678/ ∗∗∗ Race Condition Attacks against LLMs ∗∗∗ --------------------------------------------- In modern LLM systems, there is a lot of code between what you type and what the LLM receives, and between what the LLM produces and what you see. All of that code is exploitable, and I expect many more vulnerabilities to be discovered in the coming year. --------------------------------------------- https://www.schneier.com/blog/archives/2024/11/race-condition-attacks-again… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr, redis, twisted, and tzdata), Fedora (firefox, nss, pam, rust-rustls, rust-zlib-rs, thunderbird, tuned, and xen), and SUSE (cobbler, kernel, libjxl-devel, libuv, postgresql12, postgresql14, postgresql15, python-waitress, seamonkey, tomcat, and tomcat10). --------------------------------------------- https://lwn.net/Articles/1000185/ ∗∗∗ B&R: 2024-11-29: Cyber Security Advisory - B&R Authentication bypass flaw in several mapp components ∗∗∗ --------------------------------------------- https://www.br-automation.com/fileadmin/SA22P014-90c4aa35.pdf ∗∗∗ Windows Server 2012 Mark of the Web Vulnerability (0day) - and Free Micropatches for it ∗∗∗ --------------------------------------------- https://blog.0patch.com/2024/11/windows-server-2012-mark-of-web.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.11.2024
by Daily end-of-shift report 28 Nov '24

28 Nov '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 27-11-2024 18:00 − Donnerstag 28-11-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Zello asks users to reset passwords after security incident ∗∗∗ --------------------------------------------- Zello is warning customers to reset their passwords if their account was created before November 2nd in what appears to be another security breach. --------------------------------------------- https://www.bleepingcomputer.com/news/security/zello-asks-users-to-reset-pa… ∗∗∗ Sneaky Skimmer Malware Targets Magento Sites Ahead of Black Friday ∗∗∗ --------------------------------------------- A stealthy JavaScript injection attack steals data from the checkout page of sites, either by creating a fake credit card form or extracting data directly from payment fields. --------------------------------------------- https://www.darkreading.com/application-security/sneaky-skimmer-malware-mag… ∗∗∗ Microsoft-Sicherheitsfunktion "Administrator Protection" jetzt ausprobierbar ∗∗∗ --------------------------------------------- Microsoft will die Windows-Bedienung sicherer machen. "Administrator Protection" soll vor unbefugten Admin-Zugriffen schützen. --------------------------------------------- https://www.heise.de/-10179558 ∗∗∗ Vorsicht vor gefälschte Paketbenachrichtigungen ∗∗∗ --------------------------------------------- Sie erwarten ein Paket? Vorsicht ist geboten! Derzeit kursieren zahlreiche gefälschte Benachrichtigungen über den Lieferstatus von Bestellungen. Prüfen Sie daher Nachrichten von Paketdiensten genau, um nicht in eine Phishing- oder Abo-Falle zu tappen. Wir zeigen Ihnen, wie Sie gefälschte Nachrichten erkennen. --------------------------------------------- https://www.watchlist-internet.at/news/falsche-paketbenachrichtigungen/ ∗∗∗ Malicious NPM Package Exploits React Native Documentation Example ∗∗∗ --------------------------------------------- A recent discovery revealed how official documentation can become an unexpected attack vector for supply chain attacks. It happened when an npm package called “rtn-centered-text” exploited an example from React Native’s Fabric Native Components guide in an attempt to trick developers into downloading their package, putting systems at risk. --------------------------------------------- https://checkmarx.com/blog/malicious-npm-package-exploits-react-native-docu… ∗∗∗ The Ultimate Handheld Hacking Device - My Experience with NetHunter ∗∗∗ --------------------------------------------- For those unfamiliar, Kali NetHunter is a version of Kali Linux that you can set up on your phone. There are several types of NetHunter setups, each determining the capabilities of your device. --------------------------------------------- https://andy.codes/blog/security_articles/2024-11-27-the-ultimate-handheld-… ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitslecks in Entwicklerwerkzeug Jenkins gestopft ∗∗∗ --------------------------------------------- In der Sicherheitsmitteilung listen die Jenkins-Entwickler drei verwundbare Add-ons auf. Am schwersten wiegt die Schwachstelle im Simple Queue Plug-in. Es versieht Namen von Views nicht mit Escape. Das mündet in einer Stored-Cross-Site-Scripting-Lücke, die Angreifer mit "View/Create"-Rechten missbrauchen können (CVE-2024-54003, CVSS 8.0, Risiko "hoch"). Den Fehler korrigieren die Plug-in-Version 1.4.5 sowie neuere. --------------------------------------------- https://heise.de/-10180515 ∗∗∗ Multiple Vulnerabilities in Fuji Electric Products ZDI-24-1614 - ZDI-24-1630 ∗∗∗ --------------------------------------------- Mitigation: Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the application. --------------------------------------------- https://www.zerodayinitiative.com/advisories/published/ ∗∗∗ Drupal: Tarte au Citron - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-064 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2024-064 ∗∗∗ ZABBIX: SQL injection in user.get API (CVE-2024-42327) Critical ∗∗∗ --------------------------------------------- https://support.zabbix.com/browse/ZBX-25623 ∗∗∗ NVIDIA Security Bulletin: NVIDIA UFM Enterprise, UFM Appliance, UFM CyberAI - November 2024 ∗∗∗ --------------------------------------------- https://nvidia.custhelp.com/app/answers/detail/a_id/5584 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.11.2024
by Daily end-of-shift report 27 Nov '24

27 Nov '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 26-11-2024 18:05 − Mittwoch 27-11-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ RomCom exploits Firefox and Windows zero days in the wild ∗∗∗ --------------------------------------------- ESET Research details the analysis of a previously unknown vulnerability in Mozilla products exploited in the wild and another previously unknown Microsoft Windows vulnerability, combined in a zero-click exploit. --------------------------------------------- https://www.welivesecurity.com/en/eset-research/romcom-exploits-firefox-and… ∗∗∗ Betrug auf Telegram und WhatsApp mit Fake Job angeboten ∗∗∗ --------------------------------------------- Unterhalb finden Sie unseren Bericht des Telegram Betrugs und wie wir es sogar geschafft haben die Betrüger auszutricksen. Außerdem geben wir Ticks und Tricks, was Sie machen können und wie Sie solch einen Betrug erkennen. --------------------------------------------- https://www.zettasecure.com/post/betrug-auf-telegram-und-whatsapp-mit-fake-… ∗∗∗ Critical Flaw in ProjectSend Under Active Exploitation Against Public-Facing Servers ∗∗∗ --------------------------------------------- A critical security flaw impacting the ProjectSend open-source file-sharing application has likely come under active exploitation in the wild, according to findings from VulnCheck. The vulnerability, originally patched over a year-and-a-half ago as part of a commit pushed in May 2023 , was not officially made available until August 2024 with the release of version r1720. --------------------------------------------- https://thehackernews.com/2024/11/critical-flaw-in-projectsend-under.html ∗∗∗ Gaming Engines: An Undetected Playground for Malware Loaders ∗∗∗ --------------------------------------------- Check Point Research discovered a new technique taking advantage of Godot Engine, a popular open-source game engine, to execute crafted GDScript, code which triggers malicious commands and delivers malware. The technique remains undetected by almost all antivirus engines in VirusTotal. --------------------------------------------- https://research.checkpoint.com/2024/gaming-engines-an-undetected-playgroun… ∗∗∗ New NachoVPN attack uses rogue VPN servers to install malicious updates ∗∗∗ --------------------------------------------- A set of vulnerabilities dubbed "NachoVPN" allows rogue VPN servers to install malicious updates when unpatched Palo Alto and SonicWall SSL-VPN clients connect to them. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-nachovpn-attack-uses-rog… ∗∗∗ Rockstar 2FA Phishing-as-a-Service (PaaS): Noteworthy Email Campaigns ∗∗∗ --------------------------------------------- Welcome to the second part of our investigation into the Rockstar kit, please check out part one here. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/rockstar-2f… ∗∗∗ Researchers Discover "Bootkitty" – First UEFI Bootkit Targeting Linux Kernels ∗∗∗ --------------------------------------------- Cybersecurity researchers have shed light on what has been described as the first Unified Extensible Firmware Interface (UEFI) bootkit designed for Linux systems. Dubbed Bootkitty by its creators who go by the name BlackCat, the bootkit is assessed to be a proof-of-concept (PoC) and there is no evidence that it has been put to use in real-world attacks. --------------------------------------------- https://thehackernews.com/2024/11/researchers-discover-bootkitty-first.html ∗∗∗ BEC-ware the Phish (part 3): Detect and Prevent Incidents in M365 ∗∗∗ --------------------------------------------- This blog discusses a few options in M365, such as guidance on configuring threat and alert policies and how to deal with these alerts downstream in the SIEM. --------------------------------------------- https://www.pentestpartners.com/security-blog/bec-ware-the-phish-part-3-det… ∗∗∗ Modern solutions against cross-site attacks ∗∗∗ --------------------------------------------- This article is about cross-site leak attacks and what recent defenses have been introduced to counter them. I also want to finally answer the question why web security best practices is always opt-in and finally how YOU can get increased security controls. --------------------------------------------- https://frederikbraun.de/modern-solutions-xsleaks.html ===================== = Vulnerabilities = ===================== ∗∗∗ Palo Alto Globalprotect: Schadcode-Lücke durch unzureichende Zertifikatsprüfung ∗∗∗ --------------------------------------------- Die Entdecker der Sicherheitslücke von Amberwolf schreiben in ihrer detaillierten Analyse, dass die Globalprotect-VPN-Clients sowohl unter macOS als auch unter Windows anfällig für das Ausführen von Schadcode aus dem Netz und der Ausweitung der Rechte sind, und zwar durch den automatischen Update-Mechanismus (CVE-2024-5921, CVSS-B 7.2, Risiko "hoch"). Zwar erfordert der Update-Prozess, dass MSI-Dateien signiert sind, jedoch können Angreifer den PanGPS-Dienst zum Installieren eines bösartigen, dadurch vertrautem Root-Zertifikat missbrauchen. --------------------------------------------- https://heise.de/-10178649 ∗∗∗ Microsoft patcht teils kritische Lücken außer der Reihe ∗∗∗ --------------------------------------------- Microsoft hat in der Nacht zum Mittwoch vier Sicherheitsmitteilungen veröffentlicht. [..] Einige Updates müssen Nutzer installieren. --------------------------------------------- https://www.heise.de/-10178400 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (mpg123 and php8.2), Fedora (libsndfile, mingw-glib2, mingw-libsoup, mingw-python3, and qbittorrent), Oracle (pam:1.5.1 and perl-App-cpanminus), Red Hat (firefox, thunderbird, and webkit2gtk3), Slackware (mozilla), SUSE (firefox, rclone, tomcat, tomcat10, and xen), and Ubuntu (gh, libsoup2.4, libsoup3, pygments, TinyGLTF, and twisted). --------------------------------------------- https://lwn.net/Articles/999897/ ∗∗∗ GitLab Patch Release: 17.6.1, 17.5.3, 17.4.5 ∗∗∗ --------------------------------------------- https://about.gitlab.com/releases/2024/11/26/patch-release-gitlab-17-6-1-re… ∗∗∗ HPE Insight Remote Support: Monitoring-Software ermöglicht Codeschmuggel ∗∗∗ --------------------------------------------- https://www.heise.de/-10178034 ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2024-0007 ∗∗∗ --------------------------------------------- https://webkitgtk.org/security/WSA-2024-0007.html ∗∗∗ Synology-SA-24:27 DSM ∗∗∗ --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_24_27 ∗∗∗ Synology-SA-24:26 BeeDrive for desktop ∗∗∗ --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_24_26 ∗∗∗ Omada Identity: Stored Cross-Site Scripting in Omada Identity ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/stored-xss-in-omada-i… ∗∗∗ F5: K000148716: REXML vulnerability CVE-2024-41123 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000148716 ∗∗∗ F5: K000148692: Qt vulnerability CVE-2023-34410 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000148692 ∗∗∗ F5: K000148690: Qt vulnerability CVE-2023-32573 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000148690 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.11.2024
by Daily end-of-shift report 26 Nov '24

26 Nov '24

===================== = End-of-Day report = ===================== Timeframe: Montag 25-11-2024 18:00 − Dienstag 26-11-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Hackers exploit critical bug in Array Networks SSL VPN products ∗∗∗ --------------------------------------------- Americas Cyber Defense Agency has received evidence of hackers actively exploiting a remote code execution vulnerability in SSL VPN products Array Networks AG and vxAG ArrayOS. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-exploit-critical-bug… ∗∗∗ Matrix Unleashes A New Widespread DDoS Campaign ∗∗∗ --------------------------------------------- Aqua Nautilus researchers uncovered a new and widespread Distributed Denial-of-Service (DDoS) campaign orchestrated by a threat actor named Matrix. Triggered by activities detected on our honeypots, this investigation dives deep into Matrix’s methods, targets, tools, and overall goals. --------------------------------------------- https://blog.aquasec.com/matrix-unleashes-a-new-widespread-ddos-campaign ∗∗∗ Wake up and Smell the BitLocker Keys ∗∗∗ --------------------------------------------- >From this demonstration we can see that with a minimal set of tools and a small-time investment it is quite practical to access a drive encrypted with BitLocker. [..] This type of attack can be avoided by implementing a second factor for pre-boot authentication, either a user PIN and/or USB Startup Key. --------------------------------------------- https://blog.nviso.eu/2024/11/26/wake-up-and-smell-the-bitlocker-keys/ ∗∗∗ Detection Opportunities — EDR Silencer, EDRSandblast, Kill AV… ∗∗∗ --------------------------------------------- There are many ways to disable or modify security solutions which you can for. e.g test with at least 53 different Atomic Red Team as starting point, but today I would like to limit myself to a few tools that successful ransomware groups use within the top 20 ransomware groups for October 2024. --------------------------------------------- https://detect.fyi/detection-opportunities-edr-silencer-edrsandblast-kill-a… ∗∗∗ Web-Security: Mit Content Security Policy gegen Cross-Site Scripting, Teil 2 ∗∗∗ --------------------------------------------- Erweiterte CSP-Direktiven helfen dabei, Anwendungen effizient gegen Cross-Site Scripting zu schützen. --------------------------------------------- https://heise.de/-10175246 ∗∗∗ Graykey: Entschlüsselungswerkzeug kann teilweise iOS 18 aufsperren ∗∗∗ --------------------------------------------- Im Zusammenhang mit Apples neuem Reboot-Schutz vor Entsperrung sind Informationen aufgetaucht, was Forensikunternehmen mit aktuellen iPhones tun können. --------------------------------------------- https://heise.de/-10175639 ===================== = Vulnerabilities = ===================== ∗∗∗ Dell Wyse Management Suite: Angreifer können Sicherheitsmechanismen umgehen ∗∗∗ --------------------------------------------- Einer Warnmeldung zufolge sind unter anderem DoS-Attacken (CVE-2024-49595 "hoch") denkbar, außerdem können Angreifer nicht näher beschriebene Sicherheitsmechanismen umgehen (CVE-2024-49597 "hoch"). In beiden Fällen sind Attacken aus der Ferne möglich, Angreifer benötigen aber bereits hohe Nutzerrechte. --------------------------------------------- https://www.heise.de/-10176009 ∗∗∗ Trellix: Update dichtet Sicherheitslücken in Enterprise Security Manager ab ∗∗∗ --------------------------------------------- Auf konkrete Sicherheitslücken geht Trellix nicht weiter ein. Jedoch aktualisiert Trellix ESM 11.6.13 etwa Azul Java und geht damit mehrere nicht aufgelistete CVEs an. Ebenso bessert die mitgelieferte libcurl-Bibliothek zwei Sicherheitslücken aus (CVE-2023-38545, CVSS 9.8, Risiko "kritisch"; CVE-2023-38546, CVSS 3.7, niedrig). Auch im "Snow Service" lauerten zuvor zwei "Reverse Shell"-Schwachstellen (CVE-2024-1148, CVSS 9.8, kritisch; CVE-2024-11482 [noch nicht öffentlich]). --------------------------------------------- https://www.heise.de/-10176250 ∗∗∗ Wordpress-Plug-in Anti-Spam by Cleantalk gefährdet 200.000 Seiten ∗∗∗ --------------------------------------------- Nicht authentifizierte Angreifer können dadurch auf angreifbaren Wordpress-Instanzen beliebige Plug-ins installieren und aktivieren und somit am Ende beliebigen Code ausführen (CVE-2024-10542, CVSS 9.8, Risiko "kritisch"). --------------------------------------------- https://heise.de/-10175993 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (pypy3), Fedora (chromium, cobbler, and libsoup3), Oracle (kernel), SUSE (glib2, govulncheck-vulndb, javapackages-tools, xmlgraphics-batik, xmlgraphics- commons, xmlgraphics-fop, libblkid-devel, opentofu, php8, postgresql, postgresql16, postgresql17, thunderbird, traefik, and ucode-intel), and Ubuntu (needrestart and rapidjson). --------------------------------------------- https://lwn.net/Articles/999744/ ∗∗∗ WordPress Plugin "WP Admin UI Customize" vulnerable to cross-site scripting ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN87182660/ ∗∗∗ VMware: VMSA-2024-0022: VMware Aria Operations updates address multiple vulnerabilities(CVE-2024-38830, CVE-2024-38831, CVE-2024-38832, CVE-2024-38833, CVE-2024-38834) ∗∗∗ --------------------------------------------- https://support.broadcom.com/web/ecx/support-content-notification/-/externa… ∗∗∗ Mozilla Security Advisories November 26, 2024 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/ ∗∗∗ Splunk: SVD-2024-1102: Third-Party Package Updates in Splunk Machine Learning Toolkit - November 2024 ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2024-1102 ∗∗∗ Splunk: SVD-2024-1101: Third-Party Package Updates in Python for Scientific Computing - November 2024 ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2024-1101 ∗∗∗ Synology-SA-24:25 Surveillance Station ∗∗∗ --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_24_25 ∗∗∗ Synology-SA-24:15 BeeFiles ∗∗∗ --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_24_15 ∗∗∗ Hitachi Energy RTU500 Scripting Interface ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-331-05 ∗∗∗ Hitachi Energy MicroSCADA Pro/X SYS600 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-331-04 ∗∗∗ F5: K000148713: libssh2 vulnerabilities CVE-2019-3858 and CVE-2019-3862 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000148713 ∗∗∗ PHP Patches Multiple Vulnerabilities Including CVE-2024-8932 ∗∗∗ --------------------------------------------- https://thecyberthrone.in/2024/11/26/php-patches-multiple-vulnerabilities-i… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.11.2024
by Daily end-of-shift report 25 Nov '24

25 Nov '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 22-11-2024 18:00 − Montag 25-11-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ NAS nicht benutzbar: Qnap streicht fehlerhaftes Sicherheitsupdate ∗∗∗ --------------------------------------------- Besitzer von NAS-Geräten des Herstellers Qnap haben nach der Installation eines Patches Probleme sich anzumelden. Bislang hilft nur ein Downgrade. [..] Mittlerweile hat Qnap eine Stellungnahme zur Updateproblematik veröffentlicht. Demzufolge haben sie den Sicherheitspatch QTS 5.2.2.2950 build 20241114 nun repariert und wieder veröffentlicht. --------------------------------------------- https://heise.de/-10146878 ∗∗∗ Nearest Neighbor Attack: Angriff über WLAN des Nachbarn ∗∗∗ --------------------------------------------- Dass man über das Gast-WLAN des Ziels kritische Systeme erreichen konnte, lag daran, dass eines davon sowohl per drahtgebundenem Ethernet wie das Gast-WLAN erreichbar war. Damit fiel MFA weg, es handelte sich offenbar um eine Fehlkonfiguration. --------------------------------------------- https://heise.de/-10129358 ∗∗∗ Researchers Uncover Malware Using BYOVD to Bypass Antivirus Protections ∗∗∗ --------------------------------------------- Cybersecurity researchers have uncovered a new malicious campaign that leverages a technique called Bring Your Own Vulnerable Driver (BYOVD) to disarm security protections and ultimately gain access to the infected system. [..] The starting point of the attack is an executable file (kill-floor.exe) that drops the legitimate Avast Anti-Rootkit driver, which is subsequently registered as a service using Service Control (sc.exe) to perform its malicious actions. --------------------------------------------- https://thehackernews.com/2024/11/researchers-uncover-malware-using-byovd.h… ∗∗∗ Microsoft testing Windows 11 support for third-party passkeys ∗∗∗ --------------------------------------------- Microsoft is now testing WebAuthn API updates that add support for support for using third-party passkey providers for Windows 11 passwordless authentication. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-testing-windows-11… ∗∗∗ Decrypting a PDF With a User Password, (Sat, Nov 23rd) ∗∗∗ --------------------------------------------- In diary entry "Analyzing an Encrypted Phishing PDF", I decrypted a phishing PDF document. Because the PDF was encrypted for DRM (owner password), I didn't have to provide a password. What happens if you try this with a PDF encrypted for confidentiality (user password), where a password is needed to open the document? --------------------------------------------- https://isc.sans.edu/diary/rss/31466 ∗∗∗ Finding vulnerabilities in ClipSp, the driver at the core of Windows’ Client License Platform ∗∗∗ --------------------------------------------- ClipSP (clipsp.sys) is a Windows driver used to implement client licensing and system policies on Windows 10 and 11 systems. Cisco Talos researchers have discovered eight vulnerabilities related to clipsp.sys ranging from signature bypass to elevation of privileges and sandbox escape:TALOS-2024-1964 (CVE-2024-38184)TALOS-2024-1965 (CVE-2024-38185) --------------------------------------------- https://blog.talosintelligence.com/finding-vulnerabilities-in-clipsp-the-dr… ∗∗∗ Dozens of Machines Infected: Year-Long NPM Supply Chain Attack Combines Crypto Mining and Data Theft ∗∗∗ --------------------------------------------- The package, @0xengine/xmlrpc, began its life as a “legitimate” XML-RPC implementation in October 2023, but strategically transformed into a malicious tool in later versions and has remained active through November of 2024. This discovery serves as a stark reminder that a package’s longevity and consistent maintenance history do not guarantee its safety. --------------------------------------------- https://checkmarx.com/blog/npm-supply-chain-attack-combines-crypto-mining-a… ∗∗∗ Secure Coding: CWE-377 – TOCTOU-Race-Conditions in den Griff bekommen ∗∗∗ --------------------------------------------- TOCTOU-Schwachstellen zählen zu den schwerwiegendsten in der Common Weakness Enumeration CWE-377 beschriebenen. [..] Der Schlüssel zur Vermeidung dieser Schwachstellen liegt in der Beseitigung der Lücke zwischen dem Zeitpunkt der Überprüfung und dem Zeitpunkt der Nutzung, typischerweise durch den Einsatz atomarer Dateierstellungsmethoden – etwa die von sicheren APIs wie File.createTempFile() oder Files.createTempFile(). --------------------------------------------- https://heise.de/-10081613 ∗∗∗ Phishing-Warnung: Kriminelle missbrauchen Black-Friday-Trubel ∗∗∗ --------------------------------------------- Im Phishingradar warnen die Verbraucherzentralen, dass seit Freitag betrügerische E-Mails im Umlauf sind, die zum Gegenstand haben, dass unbekannte Zugriffe auf das Konto zu einer vorübergehenden Sperrung des Kontos führe. --------------------------------------------- https://heise.de/-10143500 ∗∗∗ Advanced threat predictions for 2025 ∗∗∗ --------------------------------------------- Kasperskys Global Research and Analysis Team monitors over 900 APT (Advanced Persistent Threat) groups and operations. In this piece of KSB series, we review the advanced threat trends from the past year and offer insights into what we can expect in 2025. --------------------------------------------- https://securelist.com/ksb-apt-predictions-2025/114582/ ∗∗∗ Webinar: Internetkriminalität - Betrugsfallen & Fakes im Internet ∗∗∗ --------------------------------------------- Dieses Webinar informiert Sie über gängige Betrugsfallen im Internet (Abo-Fallen, Fake Shops, Kleinanzeigenbetrug, Scamming & Co.) und zeigt, wie Sie diese erkennen können. Nehmen Sie kostenlos teil: Montag, 9. Dezember 2024, 18:30 - 20:00 Uhr via zoom. --------------------------------------------- https://www.watchlist-internet.at/news/webinar-internetkriminalitaet-betrug… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ansible, chromium, ghostscript, glib2.0, intel-microcode, and kernel), Fedora (dotnet9.0, needrestart, php, and python3.6), Oracle (cups, kernel, osbuild-composer, podman, python3.12-urllib3, squid, and xerces-c), Red Hat (buildah, edk2, gnome-shell, haproxy, kernel, kernel-rt, libvpx, pam, python3.11-urllib3, python3.12-urllib3, qemu-kvm, rhc-worker-script, squid:4, and tigervnc), Slackware (php), SUSE (chromedriver, chromium, dcmtk, govulncheck-vulndb, iptraf-ng, and traefik2), and Ubuntu (linux-oracle and openjdk-23). --------------------------------------------- https://lwn.net/Articles/999597/ ∗∗∗ UmweltOffice: SQL Injection in Siempelkamp NIS UmweltOffice <7.4.3 (SYSS-2024-074) ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/sql-injection-in-siempelkamp-nis-umweltoff… ∗∗∗ F5: K000148495: libssh vulnerability CVE-2023-1667 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000148495 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.11.2024
by Daily end-of-shift report 22 Nov '24

22 Nov '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 21-11-2024 18:00 − Freitag 22-11-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Ransomgroup Helldown: Attacks on Zyxel Devices ∗∗∗ --------------------------------------------- SEC Consult has observed a rise of attacks on Zyxel firewalls over the past two months affecting Zyxel ATP firewall (version 5.38 and above - i.e. we have seen successful attacks also on fully patched Zyxel ATP version 5.39 firewalls). [..] We write this blogpost to highlight the need to remain vigilant and monitor activity on the Zyxel Firewalls, especially since there seems to be no official patch from the vendor as of the time of this blog post. --------------------------------------------- https://sec-consult.com/blog/detail/ransomgroup-helldown-attacks-on-zyxel-d… ∗∗∗ Angriffe auf Citrix-Sicherheitslücke beobachtet ∗∗∗ --------------------------------------------- In der vergangenen Woche hat Citrix Sicherheitslücken im Session Recording geschlossen. Nun haben IT-Forscher Angriffe darauf beobachtet. --------------------------------------------- https://www.heise.de/-10100614 ∗∗∗ Fintech Giant Finastra Investigating Data Breach ∗∗∗ --------------------------------------------- Finastra, which provides software and services to 45 of the worlds top 50 banks, notified customers of the security incident after a cybercriminal began selling more than 400 gigabytes of data purportedly stolen from the company. --------------------------------------------- https://it.slashdot.org/story/24/11/21/2043251/fintech-giant-finastra-inves… ∗∗∗ Heres what happens if you dont layer network security – or remove unused web shells ∗∗∗ --------------------------------------------- The US Cybersecurity and Infrastructure Agency often breaks into critical organizations' networks – with their permission, of course – to simulate real-world cyber attacks and thereby help improve their security. [..] In a Thursday blog post, the Agency (CISA) detailed the exercise and opined they "illuminate lessons learned for network defenders and software manufacturers about how to respond to and reduce risk." In other words: give it a read and learn from this critical infrastructure organization's mistakes – and the things it did well – to keep real criminals out of your IT environment. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2024/11/22/cisa_red_tea… ∗∗∗ Lateral Movement on macOS: Unique and Popular Techniques and In-the-Wild Examples ∗∗∗ --------------------------------------------- We uncover macOS lateral movement tactics, such as SSH key misuse and AppleScript exploitation. Strategies to counter this attack trend are also discussed. --------------------------------------------- https://unit42.paloaltonetworks.com/unique-popular-techniques-lateral-movem… ∗∗∗ UK drinking water supplies disrupted by record number of undisclosed cyber incidents ∗∗∗ --------------------------------------------- A record number of cyber incidents impacted Britain’s critical drinking water supplies this year without being publicly disclosed, according to information obtained by Recorded Future News. --------------------------------------------- https://therecord.media/uk-drinking-water-infrastructure-cyber-incident-rep… ∗∗∗ A Bag of RATs: VenomRAT vs. AsyncRAT ∗∗∗ --------------------------------------------- Remote access tools (RATs) have long been a favorite tool for cyber attackers, since they enable remote control over compromised systems and facilitate data theft, espionage, and continuous monitoring of victims. Among the well-known RATs are VenomRAT and AsyncRAT. [..] This comparison explores the core technical differences between VenomRAT and AsyncRAT by analyzing their architecture, capabilities, and tactics. --------------------------------------------- https://www.rapid7.com/blog/post/2024/11/21/a-bag-of-rats-venomrat-vs-async… ∗∗∗ Looking at the Attack Surfaces of the Kenwood DMX958XR IVI ∗∗∗ --------------------------------------------- In our previous Kenwood DMX958XR blog post, we detailed the internals of the Kenwood in-vehicle infotainment (IVI) head unit and provided annotated pictures of each PCB. In this post, we aim to outline the attack surface of the DMX958XR in the hopes of providing inspiration for vulnerability research. --------------------------------------------- https://www.thezdi.com/blog/2024/11/20/looking-at-the-attack-surfaces-of-th… ===================== = Vulnerabilities = ===================== ∗∗∗ QNAP Security Advisories 2024-11-23 ∗∗∗ --------------------------------------------- QNAP released 8 security advisories: 5x important, 3x moderate --------------------------------------------- https://www.qnap.com/en-us/security-advisories ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (postgresql-13, postgresql-15, and webkit2gtk), Fedora (libsndfile, microcode_ctl, and trafficserver), Mageia (kanboard, kernel, kmod-xtables-addons, kmod-virtualbox, and bluez, kernel-linus, opendmarc, and radare2), Oracle (.NET 9.0, bubblewrap and flatpak, buildah, expat, firefox, grafana, grafana-pcp, kernel, krb5, libsoup, libvpx, NetworkManager-libreswan, openexr, pcp, python3.11, python3.11-urllib3, python3.12, python3.9, squid, thunderbird, tigervnc, and webkit2gtk3), Red Hat (.NET 9.0, binutils, expat, grafana-pcp, kernel, libsoup, NetworkManager-libreswan, openexr, python3.11, python3.12, python39:3.9, squid, tigervnc, and webkit2gtk3), SUSE (chromedriver, cobbler, govulncheck-vulndb, and icinga2), and Ubuntu (linux-lowlatency, linux-lowlatency-hwe-6.8, python2.7, and zbar). --------------------------------------------- https://lwn.net/Articles/999102/ ∗∗∗ ZDI-24-1605: Adobe InDesign JP2 File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-1605/ ∗∗∗ ZDI-24-1606: 7-Zip CopyCoder Infinite Loop Denial-of-Service Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-1606/ ∗∗∗ ZDI-24-1613: Intel Driver & Support Assistant Log Folder Link Following Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-1613/ ∗∗∗ SSA-354569 V1.0: Multiple Vulnerabilities in Palo Alto Networks Virtual NGFW on RUGGEDCOM APE1808 Devices ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-354569.html ∗∗∗ NVIDIA affected by a Critical vulnerability CVE-2024-0138 ∗∗∗ --------------------------------------------- https://thecyberthrone.in/2024/11/22/nvidia-affected-by-a-critical-vulnerab… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.11.2024
by Daily end-of-shift report 21 Nov '24

21 Nov '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 20-11-2024 18:00 − Donnerstag 21-11-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Fortinet VPN design flaw hides successful brute-force attacks ∗∗∗ --------------------------------------------- A design flaw in the Fortinet VPN servers logging mechanism can be leveraged to conceal the successful verification of credentials during a brute-force attack without tipping off defenders of compromised logins. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fortinet-vpn-design-flaw-hid… ∗∗∗ Wegen Sicherheitslücke: D-Link drängt auf Entsorgung älterer Router ∗∗∗ --------------------------------------------- Mehrere D-Link-Router, von denen einige erst vor wenigen Monaten den EOL-Status erreicht haben, sind angreifbar. Patches gibt es nicht. --------------------------------------------- https://www.golem.de/news/wegen-sicherheitsluecke-d-link-draengt-auf-entsor… ∗∗∗ Lumma Stealer on the Rise: How Telegram Channels Are Fueling Malware Proliferation ∗∗∗ --------------------------------------------- Authored by: M. Authored by: M, Mohanasundaram and Neil Tyagi In today’s rapidly evolving cyber landscape, malware threats .. --------------------------------------------- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/lumma-stealer-on-the-r… ∗∗∗ Azure Key Vault Tradecraft with BARK ∗∗∗ --------------------------------------------- This post details the existing and new functions in BARK that support adversarial tradecraft research relevant to the Azure Key Vault service. The latter part of the post shows an example of how a red team operator may use these commands during the course of an assessment. --------------------------------------------- https://posts.specterops.io/azure-key-vault-tradecraft-with-bark-24163abc8d… ∗∗∗ “Free Hugs” – What to be Wary of in Hugging Face – Part 2 ∗∗∗ --------------------------------------------- Enjoy Threat Modeling? Try Threats in Models! Previously… In part 1 of this 4-part blog, we discussed Hugging Face, the potentially dangerous trust relationship between Hugging Face users and the ReadMe file, exploiting users who .. --------------------------------------------- https://checkmarx.com/blog/free-hugs-what-to-be-wary-of-in-hugging-face-par… ∗∗∗ New Report Reveals Hidden Risks: How Internet-Exposed Systems Threaten Critical Infrastructure ∗∗∗ --------------------------------------------- A new Censys report found 145,000 exposed ICSs and thousands of insecure human-machine interfaces (HMIs), providing attackers with an accessible path to disrupt critical operations. Real-world examples underscore the danger, with Iranian and Russian-backed hackers exploiting HMIs to manipulate water systems in Pennsylvania and Texas. GreyNoise research .. --------------------------------------------- https://www.greynoise.io/blog/new-report-reveals-hidden-risks-how-internet-… ∗∗∗ Finding Bugs in Chrome with CodeQL ∗∗∗ --------------------------------------------- This blog post discusses how to use a static analysis tool called CodeQL to search for vulnerabilities in Chrome. --------------------------------------------- https://bughunters.google.com/blog/5085111480877056/finding-bugs-in-chrome-… ∗∗∗ Spelunking in Comments and Documentation for Security Footguns ∗∗∗ --------------------------------------------- Join us as we explore seemingly safe but deceptively tricky ground in Elixir, Python, and the Golang standard library. We cover officially documented, or at least previously discussed, code functionality that could unexpectedly introduce vulnerabilities. Well-documented behavior is not always what it appears! --------------------------------------------- https://blog.includesecurity.com/2024/11/spelunking-in-comments-and-documen… ∗∗∗ Azure Detection Engineering: Log idiosyncrasies you should know about ∗∗∗ --------------------------------------------- We share a few inconsistencies found in Azure logs which make detection engineering more challenging. --------------------------------------------- https://tracebit.com/blog/azure-detection-engineering-log-idiosyncrasies-yo… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (kernel, NetworkManager-libreswan, and openssl), Fedora (chromium and llvm-test-suite), Mageia (thunderbird), and Ubuntu (linux-aws-6.8, linux-azure, linux-azure-6.8, linux-oracle-6.8,, linux-azure, and ruby2.7). --------------------------------------------- https://lwn.net/Articles/998949/ ∗∗∗ Progress Kemp LoadMaster OS Command Injection Vulnerability ∗∗∗ --------------------------------------------- FortiGuard network sensors detect attack attempts targeting the Progress Kemp LoadMaster. Successful exploitation of the CVE-2024-1212 vulnerability allows unauthenticated remote attackers to access the system through the management interface, potentially leading to data breaches, service disruptions, or further attacks --------------------------------------------- https://fortiguard.fortinet.com/outbreak-alert/kemp-loadmaster-os-command-i… ∗∗∗ ZDI-24-1532: 7-Zip Zstandard Decompression Integer Underflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-1532/ ∗∗∗ Drupal core - Moderately critical - Gadget chain - SA-CORE-2024-008 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-core-2024-008 ∗∗∗ Drupal core - Moderately critical - Gadget chain - SA-CORE-2024-007 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-core-2024-007 ∗∗∗ Drupal core - Critical - Cross Site Scripting - SA-CORE-2024-005 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-core-2024-005 ∗∗∗ Drupal core - Moderately critical - Access bypass - SA-CORE-2024-004 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-core-2024-004 ∗∗∗ Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2024-003 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-core-2024-003 ∗∗∗ Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2024-003 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-core-2024-003 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.11.2024
by Daily end-of-shift report 20 Nov '24

20 Nov '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 19-11-2024 18:00 − Mittwoch 20-11-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Bigger and badder: how DDoS attack sizes have evolved over the last decade ∗∗∗ --------------------------------------------- If we plot the metrics associated with large DDoS attacks observed in the last 10 years, does it show a straight, steady increase in an exponential curve that keeps becoming steeper, or is it closer to a linear growth? Our analysis found the growth is not linear but rather is exponential, with the slope varying depending on the metric (rps, pps or bps). --------------------------------------------- https://blog.cloudflare.com/bigger-and-badder-how-ddos-attack-sizes-have-ev… ∗∗∗ Kein Angriff auf Idev-Portal: Destatis weist Schuld für Datenleck von sich ∗∗∗ --------------------------------------------- Das Statistische Bundesamt hat sein Idev-Portal untersucht. Von Hackern erbeutete Daten sollen bei den meldenden Unternehmen abgeflossen sein. --------------------------------------------- https://www.golem.de/news/kein-cyberangriff-auf-meldesystem-destatis-weist-… ∗∗∗ Inside the Threat: Ein Blick hinter die Kulissen zur Abwehr einer aktiven Bedrohung ∗∗∗ --------------------------------------------- Früherkennung und proaktive Untersuchung können einen Ransomware-Angriff im Keim ersticken. Ein aktueller realer Fall, zeigt, wie es funktioniert. --------------------------------------------- https://sec-consult.com/de/blog/detail/inside-the-threat-ein-blick-hinter-d… ∗∗∗ Decades-Old Security Vulnerabilities Found in Ubuntus Needrestart Package ∗∗∗ --------------------------------------------- Multiple decade-old security vulnerabilities have been disclosed in the needrestart package installed by default in Ubuntu Server (since version 21.04) that could allow a local attacker to gain root privileges without requiring user .. --------------------------------------------- https://thehackernews.com/2024/11/decades-old-security-vulnerabilities.html ∗∗∗ Yubikey-Seitenkanal: Weitere Produkte für Cloning-Attacke anfällig ∗∗∗ --------------------------------------------- Die Seitenkanal-Lücke EUCLEAK wurde auch als "Yubikey-Cloning-Attacke" bekannt. Das BSI re-zertifiziert aktualisierte Produkte, die betroffen waren. --------------------------------------------- https://www.heise.de/news/EUCLEAK-Weitere-Produkte-fuer-Cloning-Attacke-anf… ∗∗∗ Threat Assessment: Ignoble Scorpius, Distributors of BlackSuit Ransomware ∗∗∗ --------------------------------------------- Explore this assessment on cybercrime group Ignoble Scorpius, distributors of BlackSuit ransomware. Since May 2023, operations have increased —affecting critical sectors. --------------------------------------------- https://unit42.paloaltonetworks.com/threat-assessment-blacksuit-ransomware-… ∗∗∗ Looking at the Internals of the Kenwood DMX958XR IVI ∗∗∗ --------------------------------------------- For the upcoming Pwn2Own Automotive contest, a total of four in-vehicle infotainment (IVI) head units have been selected as targets. One of these is the double DIN Kenwood DMX958XR. This unit offers a variety of .. --------------------------------------------- https://www.thezdi.com/blog/2024/11/18/looking-at-the-internals-of-the-kenw… ∗∗∗ Critical Vulnerabilities in vCenter Server Exploited in the Wild ∗∗∗ --------------------------------------------- CVE CVE-2024-38813CVE-2024-38812 Affected Products VMware vCenter Server VMware Cloud Foundation Exploitation Broadcom has confirmed exploitation of these vulnerabilities[1]. The CVE has not been .. --------------------------------------------- https://www.truesec.com/hub/blog/critical-vulnerabilities-in-vcenter-server… ∗∗∗ Malicious QR Codes: How big of a problem is it, really? ∗∗∗ --------------------------------------------- QR codes are disproportionately effective at bypassing most anti-spam filters. Talos discovered two effective methods for defanging malicious QR codes, a necessary step to make them safe for consumption. --------------------------------------------- https://blog.talosintelligence.com/malicious_qr_codes/ ∗∗∗ Hackers Exploit Misconfigured Jupyter Servers for Illegal Sports Streaming ∗∗∗ --------------------------------------------- Aqua Nautilus’ research reveals hackers are leveraging vulnerable and misconfigured Jupyter Notebook servers to steal live sports streams. --------------------------------------------- https://hackread.com/hackers-exploit-misconfigured-jupyter-servers-sports-s… ∗∗∗ Pots and Pans, AKA an SSLVPN - Palo Alto PAN-OS CVE-2024-0012 and CVE-2024-9474 ∗∗∗ --------------------------------------------- It'll be no surprise that 2024, 2023, 2022, and every other year of humanities existence has been tough for SSLVPN appliances. Anyhow, there are new vulnerabilities (well, two of them) that are being exploited in the Palo Alto Networks .. --------------------------------------------- https://labs.watchtowr.com/pots-and-pans-aka-an-sslvpn-palo-alto-pan-os-cve… ∗∗∗ Defending Your Directory: An Expert Guide to Mitigating Pass-the-Hash Attacks in Active Directory ∗∗∗ --------------------------------------------- In our latest technical blog series, our DFIR team are highlighting the most prominent Active Directory (AD) threats, describing the tell-tale signs that your AD might be at risk, and give experienced insight into the best prevention and mitigation strategies to shore up your AD security and bolster your digital identity protection. --------------------------------------------- https://www.nccgroup.com/us/research-blog/defending-your-directory-an-exper… ∗∗∗ Let’s Encrypt: Ten Years ∗∗∗ --------------------------------------------- Vital personal and business information flows over the Internet more frequently than ever, and we don’t always know when it’s happening. It’s clear at this point that encrypting is something all of us should be doing. Then why don’t we use TLS (the successor to SSL) everywhere? Every browser in every device supports it. Every server in every data center supports it. Why don’t we just flip the switch? --------------------------------------------- https://letsencrypt.org/2014/11/18/announcing-lets-encrypt/ ∗∗∗ Achieving NIST CSF 2.0 Compliance: Best Practices ∗∗∗ --------------------------------------------- Cybersecurity is an ever-growing concern in today’s digital era. With the rise of cyberattacks and data breaches, organizations must adopt best practices to safeguard their sensitive information. One of the leading frameworks guiding organizations in securing their digital assets is the NIST CSF 2.0 by National Institute of Standards and .. --------------------------------------------- https://fortbridge.co.uk/regulations/achieving-nist-csf-2-0-compliance-with… ===================== = Vulnerabilities = ===================== ∗∗∗ DSA-5815-1 needrestart - security update ∗∗∗ --------------------------------------------- https://lists.debian.org/debian-security-announce/2024/msg00229.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.11.2024
by Daily end-of-shift report 19 Nov '24

19 Nov '24

===================== = End-of-Day report = ===================== Timeframe: Montag 18-11-2024 18:00 − Dienstag 19-11-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Spotify abused to promote pirated software and game cheats ∗∗∗ --------------------------------------------- Spotify playlists and podcasts are being abused to push pirated software, game cheat codes, spam links, and "warez" sites. By injecting targeted keywords and links in playlist names and podcast descriptions, threat actors may .. --------------------------------------------- https://www.bleepingcomputer.com/news/security/spotify-abused-to-promote-pi… ∗∗∗ New Helldown Ransomware Variant Expands Attacks to VMware and Linux Systems ∗∗∗ --------------------------------------------- Cybersecurity researchers have shed light on a Linux variant of a relatively new ransomware strain called Helldown, suggesting that the threat actors are broadening their attack focus."Helldown deploys Windows ransomware derived from the LockBit 3.0 code," Sekoia .. --------------------------------------------- https://thehackernews.com/2024/11/new-helldown-ransomware-expands-attacks.h… ∗∗∗ Critical 9.8-rated VMware vCenter RCE bug exploited after patch fumble ∗∗∗ --------------------------------------------- If you didnt fix this a month ago, your to-do list probably needs a reshuffle Two VMware vCenter server bugs, including a critical heap-overflow vulnerability that leads to remote code execution (RCE), have been exploited in attacks after Broadcom’s first attempt to fix the flaws fell short. --------------------------------------------- https://www.theregister.com/2024/11/18/vmware_vcenter_rce_exploited/ ∗∗∗ Veritas Enterprise Vault: Kritische Codeschmuggel-Lücken in Archivsoftware ∗∗∗ --------------------------------------------- In Vertias Enterprise Vault können Angreifer kritische Lücke zum Einschleusen von Schadcode missbrauchen. --------------------------------------------- https://www.heise.de/news/Veritas-Enterprise-Vault-Kritische-Codeschmuggel-… ∗∗∗ Kritische Palo-Alto-Lücke: Details und Patches sind da, CISA warnt vor Exploit ∗∗∗ --------------------------------------------- Fast drei Wochen nach ersten Exploit-Gerüchten hat der Hersteller nun endlich reagiert, trickst aber. Derweil warnt die US-Cyberbehörde vor Angriffen. --------------------------------------------- https://www.heise.de/news/Kritische-Palo-Alto-Luecke-Patches-sind-da-CISA-w… ∗∗∗ FreeBSD Foundation releases Bhyve and Capsicum security audit ∗∗∗ --------------------------------------------- The FreeBSD Foundation has announced the release of a security audit report conducted by security firm Synacktiv. The audit uncovered a number of vulnerabilities: Most of these vulnerabilities have been addressed through official FreeBSD Project security advisories, which offer detailed information about each vulnerability, its impact, and the measures .. --------------------------------------------- https://lwn.net/Articles/998615/ ∗∗∗ FrostyGoop’s Zoom-In: A Closer Look into the Malware Artifacts, Behaviors and Network Communications ∗∗∗ --------------------------------------------- We analyze FrostyGoop malware, which targets OT systems. This article walks through newly discovered samples, indicators, and also examines configurations and network communications. --------------------------------------------- https://unit42.paloaltonetworks.com/frostygoop-malware-analysis/ ∗∗∗ The Importance of Establishing a Solid Third Party Risk Management Framework for Risk Mitigation ∗∗∗ --------------------------------------------- In the previous post, we introduced the concept of Third-Party Risk Management (TPRM) and its importance in today’s interconnected world. Now, let us have a look at the practical aspects of building a solid TPRM program and why it is important for your company. 1. Start with a Third-Party Inventory The first step in building .. --------------------------------------------- https://blog.nviso.eu/2024/11/19/the-importance-of-establishing-a-solid-thi… ∗∗∗ Facebook Malvertising Campaign Spreads Malware via Fake Bitwarden ∗∗∗ --------------------------------------------- A Facebook malvertising campaign disguised as Bitwarden updates spreads malware, targeting business accounts. Users are tricked .. --------------------------------------------- https://hackread.com/facebook-malvertising-malware-via-fake-bitwarden/ ∗∗∗ Threat Actors Hijack Misconfigured Servers for Live Sports Streaming ∗∗∗ --------------------------------------------- To keep up with the ever-evolving world of cybersecurity, Aqua Nautilus researchers deploy honeypots that mimic real-world development environments. During a recent threat-hunting operation, they uncovered a surprising new .. --------------------------------------------- https://blog.aquasec.com/threat-actors-hijack-misconfigured-servers-for-liv… ∗∗∗ Pots and Pans, AKA an SSLVPN - Palo Alto PAN-OS CVE-2024-0012 and CVE-2024-9474 ∗∗∗ --------------------------------------------- Note: Since this is breaking news and more details are being released, were updating this .. --------------------------------------------- https://labs.watchtowr.com/pots-and-pans-aka-an-sslvpn-palo-alto-pan-os-cve… ∗∗∗ NVD Backlog Tops 20,000 CVEs Awaiting Analysis as NIST Prepares System Updates ∗∗∗ --------------------------------------------- CVEs awaiting analysis by the NVD have broken the 20,000 mark, after the security community noticed its enrichment activity slowed to nearly a halt again last week. NIST failed to meet its self-imposed deadline of .. --------------------------------------------- https://socket.dev/blog/nvd-backlog-tops-20-000-cves ∗∗∗ Threat Actor Exposes Playbook for Exploiting npm to Build Blockchain-Powered Botnets ∗∗∗ --------------------------------------------- In October 2024, Socket discovered a widespread npm malware campaign using Ethereum smart contracts to evade detection and maintain control over infected systems. Building on our initial research and equipped with analyses of the .. --------------------------------------------- https://socket.dev/blog/exploiting-npm-to-build-a-blockchain-powered-botnet ∗∗∗ Extending Burp Suite for fun and profit – The Montoya way – Part 7 ∗∗∗ --------------------------------------------- Last time we saw how to develop an extension that will add custom active and passive checks to the Burp Scanner. Today we will modify that extension to detect serialization issues using .. --------------------------------------------- https://security.humanativaspa.it/extending-burp-suite-for-fun-and-profit-t… ∗∗∗ U.S. Extradites and Charges Alleged Phobos Ransomware Admin ∗∗∗ --------------------------------------------- The United States secured the extradition of a Russian national from South Korea who is allegedly the mastermind behind the notorious Phobos ransomware. Evgenii Ptitsyn, 42, is accused of administering the Phobos .. --------------------------------------------- https://thecyberexpress.com/us-charges-alleged-phobos-ransomware-admin/ ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-24-1516: Trend Micro Deep Security Agent Manual Scan Command Injection Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Trend Micro Deep Security Agent. Authentication is required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.5. The following CVEs are assigned: CVE-2024-51503. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-1516/ ∗∗∗ ZDI-24-1517: McAfee Total Protection Uncontrolled Search Path Element Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows local attackers to escalate privileges on affected installations of McAfee Total Protection. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 6.7. The following CVEs are assigned: CVE-2024-49592. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-1517/ ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (.NET 9.0, bcc, bluez, bpftrace, bubblewrap, flatpak, buildah, cockpit, containernetworking-plugins, cups, cyrus-imapd, edk2, expat, firefox, fontforge, gnome-shell, gnome-shell-extensions, grafana, grafana-pcp, gtk3, httpd, iperf3, jose, krb5, libgcrypt, libsoup, libvirt, libvpx, lldpd, microcode_ctl, .. --------------------------------------------- https://lwn.net/Articles/998755/ ∗∗∗ Oracle Security Alert for CVE-2024-21287 - 18 November 2024 ∗∗∗ --------------------------------------------- https://www.oracle.com/security-alerts/alert-cve-2024-21287.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.11.2024
by Daily end-of-shift report 18 Nov '24

18 Nov '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 15-11-2024 18:00 − Montag 18-11-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Honeypot: Forscher veralbert Scriptkiddies mit Fake-Ransomware ∗∗∗ --------------------------------------------- Ein Tool namens Jinn sollte Ransomware-Angriffe vereinfachen. Tatsächlich war das ein Honeypot, auf den so einige Akteure reingefallen sind. --------------------------------------------- https://www.golem.de/news/honeypot-forscher-veralbert-scriptkiddies-mit-fak… ∗∗∗ Women In Russian-Speaking Cybercrime: Mythical Creatures or Significant Members of Underground? ∗∗∗ --------------------------------------------- A blog detailing in-depth research into women in Russian-speaking cybercrime. --------------------------------------------- https://www.sans.org/blog/women-in-russian-speaking-cybercrime-mythical-cre… ∗∗∗ DORA-Kernthemen meistern: Ein Deep Dive in Incident Management ∗∗∗ --------------------------------------------- In diesem Blogbeitrag befassen wir uns mit den Anforderungen an DORA Incident Management. --------------------------------------------- https://sec-consult.com/de/blog/detail/dora-kernthemen-meistern-ein-deep-di… ∗∗∗ Swiss cheesed off as postal service used to spread malware ∗∗∗ --------------------------------------------- QR codes arrive via an age-old delivery system Switzerlands National Cyber Security Centre (NCSC) has issued an alert about malware being spread via the countrys postal service. --------------------------------------------- https://www.theregister.com/2024/11/16/swiss_malware_qr/ ∗∗∗ WTF: Sicherheitsforscher finden beim Nachstellen einer Lücke drei neue ∗∗∗ --------------------------------------------- Als die Watchtowr Labs-Forscher die Lücke im FortiManager nachprüfen wollten, fanden sie weitere Fehler und unvollständige Fixes. --------------------------------------------- https://www.heise.de/news/Sicherheitsforscher-finden-beim-Nachstellen-einer… ∗∗∗ T-Mobile von chinesischem Cyberangriff betroffen ∗∗∗ --------------------------------------------- Laut einem Bericht konnten die Hacker in mehrere Telekommunikationsunternehmen in den USA wie auch international eindringen --------------------------------------------- https://www.derstandard.at/story/3000000245232/t-mobile-von-chinesischem-cy… ∗∗∗ Threat Brief: Operation Lunar Peek, Activity Related to CVE-2024-0012 ∗∗∗ --------------------------------------------- We detail the observed limited activity regarding authentication bypass vulnerability CVE-2024-0012 affecting specific versions of PAN-OS software, and include protections and mitigations. --------------------------------------------- https://unit42.paloaltonetworks.com/cve-2024-0012-cve-2024-9474/ ∗∗∗ Akute Welle an DDoS-Angriffen gegen österreichische Unternehmen und Organisationen ∗∗∗ --------------------------------------------- Seit heute Früh sind verschiedene österreichische Unternehmen und Organisationen aus unterschiedlichen Branchen und Sektoren mit DDoS-Angriffen konfrontiert. Die genauen Hintergründe der Attacke sind uns zurzeit nicht bekannt, Hinweise für eine hacktivistische Motivation liegen jedoch vor. In Anbetracht der aktuellen Geschehnisse .. --------------------------------------------- https://www.cert.at/de/aktuelles/2024/11/ddos-angriffe-november-2024 ∗∗∗ BrazenBamboo Weaponizes FortiClient Vulnerability to Steal VPN Credentials via DEEPDATA ∗∗∗ --------------------------------------------- KEY TAKEAWAYS Volexity discovered and reported a vulnerability in Fortinets Windows VPN client, FortiClient, where user credentials remain in process memory after a user authenticates to the VPN. This vulnerability was abused by BrazenBamboo in their DEEPDATA malware. BrazenBamboo is the threat actor behind development of the .. --------------------------------------------- https://www.volexity.com/blog/2024/11/15/brazenbamboo-weaponizes-forticlien… ∗∗∗ Inside Water Barghest’s Rapid Exploit-to-Market Strategy for IoT Devices ∗∗∗ --------------------------------------------- In this blog entry, we discuss Water Barghests exploitation of IoT devices, transforming them into profitable assets through advanced automation and monetization techniques. --------------------------------------------- https://www.trendmicro.com/en_us/research/24/k/water-barghest.html ∗∗∗ What To Use Instead of PGP ∗∗∗ --------------------------------------------- It’s been more than five years since The PGP Problem was published, and I still hear from people who believe that using PGP (whether GnuPG or another OpenPGP implementation) is a thing .. --------------------------------------------- https://soatok.blog/2024/11/15/what-to-use-instead-of-pgp/ ∗∗∗ TPM-Backed SSH Keys on Windows 11 ∗∗∗ --------------------------------------------- On my MacBook, I’ve been using using TPM/security key-based SSH keys for years since it’s where I do the most development and the software support is good. Secretive is a decent app I can vouch for. Before that, I was .. --------------------------------------------- https://cedwards.xyz/tpm-backed-ssh-keys-on-windows-11/ ∗∗∗ Reverse Engineering iOS 18 Inactivity Reboot ∗∗∗ --------------------------------------------- iOS 18 introduced a new inactivity reboot security feature. What does it protect from and how does it work? This blog post covers all the details down to a kernel extension and the Secure Enclave Processor. --------------------------------------------- https://naehrdine.blogspot.com/2024/11/reverse-engineering-ios-18-inactivit… ∗∗∗ Malicious npm Package Exploits WhatsApp Authentication with Remote Kill Switch for File Destruction ∗∗∗ --------------------------------------------- A malicious npm package disguised as a WhatsApp client is exploiting authentication flows with a remote kill switch to exfiltrate data and destroy files. --------------------------------------------- https://socket.dev/blog/malicious-npm-package-exploits-whatsapp-authenticat… ∗∗∗ Redis CVE-2024-31449: How to Reproduce and Mitigate the Vulnerability ∗∗∗ --------------------------------------------- On October 7, 2024, information about a serious vulnerability in Redis, identified as CVE-2024-31449, was published. This vulnerability allows an authenticated user to execute remote code using specially .. --------------------------------------------- https://redrays.io/blog/redis-cve-2024-31449-how-to-reproduce-and-mitigate-… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (binutils, libsoup, squid:4, tigervnc, and webkit2gtk3), Debian (icinga2, postgresql-13, postgresql-15, smarty3, symfony, thunderbird, and waitress), Fedora (dotnet9.0, ghostscript, microcode_ctl, php-bartlett-PHP-CompatInfo, python-waitress, and webkitgtk), Gentoo (Perl, Pillow, and X.Org X server, XWayland), .. --------------------------------------------- https://lwn.net/Articles/998570/ ∗∗∗ CVE-2024-0012 PAN-OS: Authentication Bypass in the Management Web Interface (PAN-SA-2024-0015) (Severity: CRITICAL) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2024-0012 ∗∗∗ CVE-2024-9474 PAN-OS: Privilege Escalation (PE) Vulnerability in the Web Management Interface (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2024-9474 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.11.2024
by Daily end-of-shift report 15 Nov '24

15 Nov '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 14-11-2024 18:00 − Freitag 15-11-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Diese dummen Passwörter werden am häufigsten verwendet ∗∗∗ --------------------------------------------- Sind eure Accounts gut geschützt? Werft zur Sicherheit einen Blick auf diese Liste - hoffentlich fühlt ihr euch nicht ertappt. --------------------------------------------- https://futurezone.at/digital-life/dumme-passwoerter-oesterreich-internatio… ∗∗∗ Cyberangriff auf Destatis: Hacker erbeuten Firmendaten des Statistischen Bundesamtes ∗∗∗ --------------------------------------------- Der 3,8 GBytes große Datensatz bietet Zugriff auf von Unternehmen gemeldete Informationen. Das attackierte System wurde erst kürzlich modernisiert. --------------------------------------------- https://www.golem.de/news/cyberangriff-auf-destatis-hacker-erbeuten-firmend… ∗∗∗ MacOS 15.1: Apple patcht Drittanbieter-Firewalls kaputt ∗∗∗ --------------------------------------------- Wer unter MacOS 15.1 Drittanbieter-Firewalls wie Little Snitch verwendet, könnte auf Probleme stoßen. Filterregeln bleiben je nach Konfiguration wirkungslos. --------------------------------------------- https://www.golem.de/news/macos-15-1-apple-patcht-drittanbieter-firewalls-k… ∗∗∗ New Glove Stealer Malware Bypasses Google Chrome’s App-Bound to Steal Data ∗∗∗ --------------------------------------------- The New Glove Stealer malware has the ability to bypass Google Chrome’s Application-Bound (App-Bound) encryption to steal browser cookies. The threat actors’ attacks employed social engineering techniques akin to .. --------------------------------------------- https://heimdalsecurity.com/blog/glove-stealer-malware/ ∗∗∗ Gegen Enkeltrickbetrug: KI-Omi soll Kriminelle in endlose Gespräche verwickeln ∗∗∗ --------------------------------------------- Eine KI-generierte Omi soll für O2 Kriminelle beschäftigen, die echten Menschen per Telefon das Geld aus Tasche ziehen wollen. Dazu soll sie reden und reden. --------------------------------------------- https://www.heise.de/news/Gegen-Enkeltrickbetrug-KI-Omi-soll-Kriminelle-in-… ∗∗∗ Wordpress-Plug-in Really Simple Security gefährdet 4 Millionen Websites ∗∗∗ --------------------------------------------- Rund vier Millionen Wordpress-Seiten nutzen das Plug-in Really Simple Security. Angreifer aus dem Netz können sie kompromittieren. --------------------------------------------- https://www.heise.de/news/Wordpress-Plug-in-Really-Simple-Security-gefaehrd… ∗∗∗ An Interview With the Target & Home Depot Hacker ∗∗∗ --------------------------------------------- In December 2023, KrebsOnSecurity revealed the real-life identity of Rescator, the nickname used by a Russian cybercriminal who sold more than 100 million payment cards stolen from Target and Home Depot between 2013 and 2014. Moscow resident Mikhail Shefel, who confirmed using the Rescator identity in a recent interview, also admitted reaching out because he is broke and .. --------------------------------------------- https://krebsonsecurity.com/2024/11/an-interview-with-the-target-home-depot… ∗∗∗ Fake North Korean IT Worker Linked to BeaverTail Video Conference App Phishing Attack ∗∗∗ --------------------------------------------- North Korean IT worker cluster CL-STA-0237 instigated phishing attacks via video apps in Laos, exploiting U.S. IT firms and major tech identities. --------------------------------------------- https://unit42.paloaltonetworks.com/fake-north-korean-it-worker-activity-cl… ∗∗∗ Kritische Sicherheitslücke in Laravel Framework - Updates verfügbar ∗∗∗ --------------------------------------------- Im Laravel Framework wurde eine kritische Sicherheitslücke entdeckt. Die Schwachstelle ermöglicht es Angreifern, durch manipulierte URLs unbefugten Zugriff auf Anwendungen zu erlangen und Umgebungsvariablen zu manipulieren. --------------------------------------------- https://www.cert.at/de/warnungen/2024/11/kritische-sicherheitslucke-in-lara… ∗∗∗ Safeguarding Healthcare Organizations from IoMT Risks ∗∗∗ --------------------------------------------- The healthcare industry has undergone significant transformation with the emergence of the Internet of Medical Things (IoMT) devices. These devices ranging from wearable monitors to network imaging systems collect and process vast .. --------------------------------------------- https://levelblue.com/blogs/security-essentials/safeguarding-healthcare-org… ∗∗∗ Zero-day exploitation targeting Palo Alto Networks firewall management interfaces ∗∗∗ --------------------------------------------- Palo Alto Networks has indicated they are observing threat activity exploiting a zero-day unauthenticated remote command execution vulnerability in their firewall management interfaces. --------------------------------------------- https://www.rapid7.com/blog/post/2024/11/15/etr-zero-day-exploitation-targe… ∗∗∗ Microsoft Power Pages Misconfigurations Expose Millions of Records Globally ∗∗∗ --------------------------------------------- SaaS Security firm AppOmni has identified misconfigurations in Microsoft Power Pages that can lead to severe data breaches. --------------------------------------------- https://hackread.com/microsoft-power-pages-misconfigurations-data-leak/ ∗∗∗ Pirates in the Data Sea: AI Enhancing Your Adversarial Emulation ∗∗∗ --------------------------------------------- Written by: Matthijs Gielen, Jay ChristiansenBackgroundNew solutions, old problems. Artificial intelligence (AI) and large language models (LLMs) are here to signal a new day in the cybersecurity world, but what does that mean for us—the attackers and defenders—and our battle to improve security through all the noise?Data is everywhere. For most .. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/ai-enhancing-your-… ∗∗∗ Defending Your Directory: An Expert Guide to Fortifying Active Directory Against LDAP Injection Threats ∗∗∗ --------------------------------------------- In our latest technical blog series, our DFIR team are highlighting the most prominent Active Directory (AD) threats, describing the tell-tale signs that your AD might be at risk, and give experienced insight into the best prevention and mitigation strategies to shore up your AD security and bolster your digital identity protection. --------------------------------------------- https://www.nccgroup.com/us/research-blog/defending-your-directory-an-exper… ∗∗∗ Kubernetes Audit Log “Gotchas” ∗∗∗ --------------------------------------------- How to overcome challenges and security gaps when using K8s audit logs for forensics and attack detection. --------------------------------------------- https://www.wiz.io/blog/overcoming-kubernetes-audit-log-challenges ∗∗∗ Massive npm Malware Campaign Leverages Ethereum Smart Contracts To Evade Detection and Maintain Control ∗∗∗ --------------------------------------------- Supply chain attacks are evolving. The Socket research team has uncovered a massive malware campaign that uses Ethereum smart contracts to control its operations - making it nearly impossible to shut down through traditional means. Instead of using conventional command and control servers that can be blocked or taken offline, these attackers .. --------------------------------------------- https://socket.dev/blog/massive-npm-malware-campaign-leverages-ethereum-sma… ∗∗∗ PyPI Introduces Digital Attestations to Strengthen Python Package Security ∗∗∗ --------------------------------------------- The Python Package Index (PyPI) has announced support for digital attestations. This new feature allows package maintainers to publish signed digital attestations when uploading their projects, providing an additional layer of trust and verification for users.What Are Digital Attestations?Digital attestations are cryptographic statements or .. --------------------------------------------- https://socket.dev/blog/pypi-introduces-digital-attestations ∗∗∗ 60 Hours of Cyber Defense: Hong Kong’s Innovative Cybersecurity Drill Begins ∗∗∗ --------------------------------------------- Hong Kong has initiated its first-ever cybersecurity drill, set to run for a total of 60 hours. The Hong Kong cybersecurity drill commenced on Friday, with plans to establish it as an annual event moving forward. Innovation minister Sun Dong emphasized the importance of this initiative, stating that maintaining cybersecurity is essential for .. --------------------------------------------- https://thecyberexpress.com/hong-kong-cybersecurity-drill/ ===================== = Vulnerabilities = ===================== ∗∗∗ Critical Laravel Flaw (CVE-2024-52301) Exposes Millions of Web Applications to Attack ∗∗∗ --------------------------------------------- https://securityonline.info/critical-laravel-flaw-cve-2024-52301-exposes-mi… ∗∗∗ [webapps] SOPlanning 1.52.01 (Simple Online Planning Tool) - Remote Code Execution (RCE) (Authenticated) ∗∗∗ --------------------------------------------- https://www.exploit-db.com/exploits/52082 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.11.2024
by Daily end-of-shift report 14 Nov '24

14 Nov '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 13-11-2024 18:00 − Donnerstag 14-11-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Hop-Skip-FortiJump-FortiJump-Higher - Fortinet FortiManager CVE-2024-47575 ∗∗∗ --------------------------------------------- While the FortiJump patch does effectively neutralise the devastating RCE that is FortiJump, we’re still a little concerned about FortiManager’s overall code quality. We note that our som/export vulnerability, ‘FortiJump Higher’, is still functional, even in patched versions, allowing adversaries to elevate from one managed FortiGate appliance to the central FortiManager appliance. --------------------------------------------- https://labs.watchtowr.com/hop-skip-fortijump-fortijumphigher-cve-2024-2311… ∗∗∗ New PXA Stealer targets government and education sectors for sensitive information ∗∗∗ --------------------------------------------- Cisco Talos discovered a new information stealing campaign operated by a Vietnamese-speaking threat actor targeting government and education entities in Europe and Asia. --------------------------------------------- https://blog.talosintelligence.com/new-pxa-stealer/ ∗∗∗ Advertisers are pushing ad and pop-up blockers using old tricks ∗∗∗ --------------------------------------------- A malvertising campaign using an old school trick was found pushing to different ad blockers. [..] In the olden days, that something extra used to be video codecs or specific video players, but now we’ll be told we need a browser extension to “continue watching in safe mode.” [..] To us, this looks like a campaign executed by an affiliate, a company that promotes products or services from another company. If someone buys something through the affiliate’s efforts, the affiliate earns a commission. --------------------------------------------- https://www.malwarebytes.com/blog/news/2024/11/advertisers-are-pushing-ad-a… ∗∗∗ Сrimeware and financial cyberthreats in 2025 ∗∗∗ --------------------------------------------- Kasperskys GReAT looks back on the 2024 predictions about financial and crimeware threats, and explores potential cybercrime trends for 2025. --------------------------------------------- https://securelist.com/ksb-financial-and-crimeware-predictions-2025/114565/ ∗∗∗ Malware: Erkennung entgehen durch angeflanschtes ZIP ∗∗∗ --------------------------------------------- IT-Forscher haben Malware entdeckt, die der Erkennung durch Virenscanner durch Verkettung von ZIP-Dateien entgeht. --------------------------------------------- https://www.heise.de/-10034752 ∗∗∗ Gratis-Tool: Sicherheitsforscher knacken ShrinkLocker-Verschlüsselung ∗∗∗ --------------------------------------------- Der Erpressungstrojaner ShrinkLocker nutzt Microsofts Bitlocker, um Windows-Systeme zu verschlüsseln. Ein Entschlüsselungstool hilft. --------------------------------------------- https://www.heise.de/-10034933 ∗∗∗ PHP Reinfector and Backdoor Malware Target WordPress Sites ∗∗∗ --------------------------------------------- We recently observed a surge in WordPress websites being infected by a sophisticated PHP reinfector and backdoor malware. While we initially believed that the infection was linked to the wpcode plugin, we found that several sites without this plugin were compromised as well. Upon deeper investigation, we discovered that this malware not only reinfects website files but also embeds malicious code into other plugins and database tables wp_posts and wp_options. --------------------------------------------- https://blog.sucuri.net/2024/11/php-reinfector-and-backdoor-malware-target-… ∗∗∗ Malware Spotlight: A Deep-Dive Analysis of WezRat ∗∗∗ --------------------------------------------- Check Point Research (CPR) provides a comprehensive analysis of a custom modular infostealer, tracked as WezRat, after the FBI, the US Department of Treasury, and the Israeli National Cybersecurity Directorate (INCD) released a joint Cybersecurity Advisory and attributed the malware to the Iranian cyber group Emennet Pasargad. --------------------------------------------- https://research.checkpoint.com/2024/wezrat-malware-deep-dive/ ∗∗∗ Lazarus Group Targets macOS with RustyAttr Trojan in Fake Job PDFs ∗∗∗ --------------------------------------------- Group-IB has uncovered Lazarus group’s stealthy new trojan and technique of hiding malicious code in extended attributes on macOS. --------------------------------------------- https://hackread.com/lazarus-group-macos-rustyattr-trojan-fake-job-pdfs/ ===================== = Vulnerabilities = ===================== ∗∗∗ 4,000,000 WordPress Sites Using Really Simple Security Free and Pro Versions Affected by Critical Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- This is one of the more serious vulnerabilities that we have reported on in our 12 year history as a security provider for WordPress. This vulnerability affects Really Simple Security, formerly known as Really Simple SSL, installed on over 4 million websites, and allows an attacker to remotely gain full administrative access to a site running the plugin. CVE-2024-10924, CVSS Score: 9.8 (Critical) --------------------------------------------- https://www.wordfence.com/blog/2024/11/really-simple-security-vulnerability/ ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (llama-cpp, mingw-expat, python3.6, webkit2gtk4.0, and xorg-x11-server-Xwayland), Mageia (java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-21-openjdk & java-latest-openjdk and libarchive), Oracle (expat, gstreamer1-plugins-base, kernel, libsoup, podman, and tigervnc), SUSE (buildah, java-1_8_0-openjdk, and switchboard-plug-bluetooth), and Ubuntu (zlib). --------------------------------------------- https://lwn.net/Articles/998143/ ∗∗∗ CISA Releases Nineteen Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- Siemens, Rockwell, Hitachi, 2N, Elvaco, Baxter --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/11/14/cisa-releases-nineteen-i… ∗∗∗ GitLab Patch Release: 17.5.2, 17.4.4, 17.3.7 ∗∗∗ --------------------------------------------- These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. [..] An issue was discovered in GitLab CE/EE affecting all versions starting from 16.0 prior to 17.3.7, starting from 17.4 prior to 17.4.4, and starting from 17.5 prior to 17.5.2, which could have allowed unauthorized access to the Kubernetes agent in a cluster under specific configurations. CVE-2024-9693, CVE-2024-7404, CVE-2024-8648, CVE-2024-8180, CVE-2024-10240 --------------------------------------------- https://thecyberthrone.in/2024/11/14/gitlab-fixes-high-severity-vulnerabili… ∗∗∗ Drupal: POST File - Critical - Cross Site Scripting, Arbitrary PHP code execution - SA-CONTRIB-2024-060 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2024-060 ∗∗∗ Drupal: POST File - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2024-059 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2024-059 ∗∗∗ Fortinet: Lack of capacity to filter logs by administrator access ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-23-267 ∗∗∗ Palo Alto: CVE-2024-2551 PAN-OS: Firewall Denial of Service (DoS) Using a Specially Crafted Packet (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2024-2551 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.11.2024
by Daily end-of-shift report 13 Nov '24

13 Nov '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 12-11-2024 18:00 − Mittwoch 13-11-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Itsmydata: Hackerin veröffentlicht erneut Bonitätsdaten von Jens Spahn ∗∗∗ --------------------------------------------- Erst über Bonify, nun über Itsmydata: Lilith Wittmann hat sich mal wieder Bonitätsdaten von Jens Spahn beschafft. Immerhin hat sich sein Score verbessert. --------------------------------------------- https://www.golem.de/news/itsmydata-hackerin-veroeffentlicht-erneut-bonitae… ∗∗∗ Threats in space (or rather, on Earth): internet-exposed GNSS receivers ∗∗∗ --------------------------------------------- Internet-exposed GNSS receivers pose a significant threat to sensitive operations. Kaspersky shares statistics on internet-exposed receivers for July 2024 and advice on how to protect against GNSS attacks. --------------------------------------------- https://securelist.com/internet-exposed-gnss-receivers-in-2024/114548/ ∗∗∗ Chinas Volt Typhoon crew and its botnet surge back with a vengeance ∗∗∗ --------------------------------------------- Ohm, for flux sake Chinas Volt Typhoon crew and its botnet are back, compromising old Cisco routers once again to break into critical infrastructure networks and kick off cyberattacks, according to security researchers. --------------------------------------------- https://www.theregister.com/2024/11/13/china_volt_typhoon_back/ ∗∗∗ Stromanbieter Tibber gehackt, 50.000 deutsche Kunden betroffen ∗∗∗ --------------------------------------------- Tibber bestätigt, dass Hacker eingedrungen sind und Kundendaten an sich gebracht haben. Im Darknet werden diese nun verkauft. --------------------------------------------- https://www.heise.de/news/Stromanbieter-Tibber-gehackt-50-000-deutsche-Kund… ∗∗∗ Sicherheitsupdates: Zoom Room Client & Co. angreifbar ∗∗∗ --------------------------------------------- Die Entwickler rüsten verschiedene Zoom-Apps gegen mögliche Angriffe. Davon sind unter anderem macOS und Windows betroffen. --------------------------------------------- https://www.heise.de/news/Sicherheitsupdates-Zoom-Room-Client-Co-angreifbar… ∗∗∗ Global Companies Are Unknowingly Paying North Koreans: Here’s How to Catch Them ∗∗∗ --------------------------------------------- We discuss North Koreas use of IT workers to infiltrate companies, detailing detection strategies like IT asset management and IP analysis to counter this. --------------------------------------------- https://unit42.paloaltonetworks.com/north-korean-it-workers/ ∗∗∗ The November 2024 Security Update Review ∗∗∗ --------------------------------------------- It’s not quite the holiday season, despite what some early decorators will have you believe. It is the second Tuesday of the month, and that means Adobe and Microsoft have released their regularly scheduled updates. Take a break from your regular activities and join us as we review the details of their latest security alerts.If you’d rather watch the .. --------------------------------------------- https://www.thezdi.com/blog/2024/11/12/the-november-2024-security-update-re… ∗∗∗ How Italy became an unexpected spyware hub ∗∗∗ --------------------------------------------- Italy is home to six major spyware vendors and one supplier, with many smaller and harder-to-track enterprises emerging all the time, experts say. --------------------------------------------- https://therecord.media/how-italy-became-an-unexpected-spyware-hub ∗∗∗ Germany warns of potential cyber threats from Russia ahead of snap election ∗∗∗ --------------------------------------------- “We must be especially prepared against threats like hacker attacks, manipulation, and disinformation," German Interior Minister Nancy Faeser said. --------------------------------------------- https://therecord.media/germany-cyber-threats-russia-elections ∗∗∗ Silent Threat: Red Team Tool EDRSilencer Disrupting Endpoint Security Solutions ∗∗∗ --------------------------------------------- Trend Micros Threat Hunting Team has observed EDRSilencer, a red team tool that threat actors are attempting to abuse for its ability to block EDR traffic and conceal malicious activity. --------------------------------------------- https://www.trendmicro.com/en_us/research/24/j/edrsilencer-disrupting-endpo… ∗∗∗ Bitdefender Finds New ShrinkLocker Ransomware, Releases Its Decryptor Tool ∗∗∗ --------------------------------------------- Bitdefender has released a free decryptor for ShrinkLocker ransomware, which exploits Windows BitLocker to encrypt .. --------------------------------------------- https://hackread.com/bitdefender-shrinklocker-ransomware-decryptor-tool/ ∗∗∗ Emerging Threats: Cybersecurity Forecast 2025 ∗∗∗ --------------------------------------------- Every November, we start sharing forward-looking insights on threats and other cybersecurity topics to help organizations and defenders prepare for the year ahead. The Cybersecurity Forecast 2025 report, available today, plays a big role in helping us accomplish this mission.This year’s report draws on insights directly from Google .. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/cybersecurity-fore… ∗∗∗ Defending Your Directory: An Expert Guide to Fortifying Active Directory Certificate Services (ADCS) Against Exploitation ∗∗∗ --------------------------------------------- In our latest technical blog series, our DFIR team are highlighting the most prominent Active Directory (AD) threats, describing the tell-tale signs that your AD might be at risk, and give experienced insight into the best prevention and mitigation strategies to shore up your AD security and bolster your digital identity protection. --------------------------------------------- https://www.nccgroup.com/us/research-blog/defending-your-directory-an-exper… ∗∗∗ Making Sense of Kubernetes Initial Access Vectors Part 1 – Control Plane ∗∗∗ --------------------------------------------- Explore Kubernetes control plane access vectors, risks, and security strategies to prevent unauthorized access and protect your clusters from potential threats. --------------------------------------------- https://www.wiz.io/blog/making-sense-of-kubernetes-initial-access-vectors-p… ∗∗∗ Time Boxed Penetration Testing for Web Applications ∗∗∗ --------------------------------------------- This article defines time boxed penetration testing and explains how it’s approached from a methodological standpoint. By focusing on high-risk areas, client-specific priorities, and sampling, time boxed testing can deliver efficient assessments within a limited timeframe. --------------------------------------------- https://projectblack.io/blog/time-boxed-penetration-testing/ ∗∗∗ Killing Filecoin nodes ∗∗∗ --------------------------------------------- By Simone Monica In January, we identified and reported a vulnerability in the Lotus and Venus clients of the Filecoin network that allowed an attacker to remotely crash a node and trigger a denial of service. This issue is .. --------------------------------------------- https://blog.trailofbits.com/2024/11/13/killing-filecoin-nodes/ ∗∗∗ Fault Injection – Down the Rabbit Hole ∗∗∗ --------------------------------------------- This series of articles describes fault injection attack techniques in order to understand their real potential by testing their limits and applicability with limited hardware (available on the market at an acceptable cost). It explores possible ways of using an attack that, in my opinion, is greatly underestimated. --------------------------------------------- https://security.humanativaspa.it/fault-injection-down-the-rabbit-hole/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (expat), Fedora (chromium and golang-github-nvidia-container-toolkit), Mageia (curl, expat, mpg123, networkmanager-libreswan, openssl, php-tcpdf, qbittorrent, and x11-server, x11-server-xwayland, and tigervnc), Red Hat (kernel and libsoup), Slackware (mozilla), SUSE (firefox, kernel, python-PyPDF2, and xen), and Ubuntu (dotnet9, ghostscript, linux-aws, linux-oem-6.8, and pydantic). --------------------------------------------- https://lwn.net/Articles/998044/ ∗∗∗ ZDI-24-1472: Veeam Backup Enterprise Manager AuthorizeByVMwareSsoToken Improper Certificate Validation Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-1472/ ∗∗∗ ZDI-24-1486: (0Day) G DATA Total Security Incorrect Permission Assignment Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-1486/ ∗∗∗ Critical Security Vulnerabilities Discovered in MZ Automation’s MMS Client ∗∗∗ --------------------------------------------- https://encs.eu/news/critical-security-vulnerabilities-discovered-in-mz-aut… ∗∗∗ Online Installer DLL Hijacking ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-24-205 ∗∗∗ Fortinet Releases Security Updates for Multiple Products ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/11/12/fortinet-releases-securi… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.11.2024
by Daily end-of-shift report 12 Nov '24

12 Nov '24

===================== = End-of-Day report = ===================== Timeframe: Montag 11-11-2024 18:00 − Dienstag 12-11-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Daten von Amazon-Mitarbeiter wurden in einem Hackerforum veröffentlicht ∗∗∗ --------------------------------------------- Der Datensatz dürfte von einem Immobilienverwalter stammen und auf die kritische Lücke in der Software von Moveit zurückgehen --------------------------------------------- https://www.derstandard.at/story/3000000244555/daten-von-amazon-mitarbeiter… ∗∗∗ ModeLeak: Privilege Escalation to LLM Model Exfiltration in Vertex AI ∗∗∗ --------------------------------------------- New research reveals two vulnerabilities in Googles Vertex AI that may lead to privilege escalation or data theft through custom jobs or malicious models. --------------------------------------------- https://unit42.paloaltonetworks.com/privilege-escalation-llm-model-exfil-ve… ∗∗∗ 2023 Top Routinely Exploited Vulnerabilities ∗∗∗ --------------------------------------------- This advisory provides details, collected and compiled by the authoring agencies, on the Common Vulnerabilities and Exposures (CVEs) routinely and frequently exploited by malicious cyber actors in 2023 and their associated Common Weakness Enumerations (CWEs). Malicious cyber actors exploited more zero-day vulnerabilities to compromise .. --------------------------------------------- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-317a ∗∗∗ Building a Resilient Network Architecture: Key Trends for 2025 ∗∗∗ --------------------------------------------- As organizations continue to align their operational strategies with evolving digital ecosystems and technologies, the concept of network resilience has become a priority. A major mindset shift is that modern networks must be designed not just for speed and efficiency but also for flexibility, security, and the ability to hold out against .. --------------------------------------------- https://levelblue.com/blogs/security-essentials/building-a-resilient-networ… ∗∗∗ LodaRAT: Established malware, new victim patterns ∗∗∗ --------------------------------------------- Rapid7 has observed an ongoing malware campaign involving a new version of LodaRAT. This version possesses the ability to steal cookies and passwords from Microsoft Edge and Brave. --------------------------------------------- https://www.rapid7.com/blog/post/2024/11/12/lodarat-established-malware-new… ∗∗∗ ICS Security Is a Team Sport ∗∗∗ --------------------------------------------- Brandon Smith discusses some of the challenges an Automation Engineer face, Bitsights partnership with Schneider Electric, and what manufacturers in general are doing to tackle ICS security. --------------------------------------------- https://www.bitsight.com/blog/ics-security-team-sport ∗∗∗ Visionaries Have Democratised Remote Network Access - Citrix Virtual Apps and Desktops (CVE Unknown) ∗∗∗ --------------------------------------------- Well, we’re back again, with yet another fresh-off-the-press bug chain (and associated Interactive Artifact Generator). This time, it’s in Citrix’s “Virtual Apps and Desktops” offering. --------------------------------------------- https://labs.watchtowr.com/visionaries-at-citrix-have-democratised-remote-n… ∗∗∗ SAP Patchday: Acht neue Sicherheitslücken, davon eine hochriskant ∗∗∗ --------------------------------------------- Admins können etwas entspannter auf den aktuellen SAP-Patchday schauen: Von acht neuen Sicherheitslücken gilt lediglich eine als hohes Risiko. --------------------------------------------- https://heise.de/-10020168 ∗∗∗ Attack of the Evil Baristas ∗∗∗ --------------------------------------------- I use the term “hacklore” to refer to the urban legends surrounding cybersecurity. Hacklore is everywhere, and this holiday season, you’re bound to hear it nonstop: “The Russians will load your phone with malware if you scan QR codes!” or “Hackers will steal your banking details if you use a USB charger at the airport!” and so on. --------------------------------------------- https://medium.com/@boblord/attack-of-the-evil-baristas-b204436f0853 ∗∗∗ Reverse Engineering: Finding Exploits in Video Games ∗∗∗ --------------------------------------------- In this guide, I'll walk you through how I create tools to find exploits in video games for bug bounty programs. Specifically, I'll focus on my research into the game Sword of Convallaria. This exploration is purely for educational purposes. As such, I have removed some of the assets as an exercise for .. --------------------------------------------- https://shalzuth.com/Blog/FindingExploitsInGames ∗∗∗ Critical WPLMS WordPress Theme Vulnerability Puts Websites at Risk of RCE Attacks ∗∗∗ --------------------------------------------- A newly discovered vulnerability in the WPLMS WordPress theme threatens websites with potential Remote Code Execution (RCE) due to a critical path traversal flaw. CVE-2024-10470, a vulnerability in the WPLMS .. --------------------------------------------- https://thecyberexpress.com/critical-wplms-wordpress-theme-vulnerability/ ∗∗∗ Harnessing Chisel for Covert Operations: Unpacking a Multi-Stage PowerShell Campaign ∗∗∗ --------------------------------------------- The Cyble Research and Intelligence Lab (CRIL) has recently uncovered a sophisticated multi-stage infection chain, primarily driven by PowerShell scripts. This campaign, which targets organizations through a variety of .. --------------------------------------------- https://thecyberexpress.com/new-powershell-campaign/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (gstreamer1-plugins-base), Debian (chromium, ghostscript, libarchive, mpg123, ruby-saml, and symfony), Fedora (buildah and podman), Red Hat (buildah, containernetworking-plugins, podman, skopeo, and xorg-x11-server-Xwayland), Slackware (wget), SUSE (pcp), and Ubuntu (linux, linux-aws-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-kvm, .. --------------------------------------------- https://lwn.net/Articles/997903/ ∗∗∗ Citrix Releases Security Updates for NetScaler and Citrix Session Recording ∗∗∗ --------------------------------------------- Citrix released security updates to address multiple vulnerabilities in NetScaler ADC, NetScaler Gateway, and Citrix Session Recording. A cyber threat actor could exploit some of these vulnerabilities to take control .. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/11/12/citrix-releases-security… ∗∗∗ November Security Update ∗∗∗ --------------------------------------------- At Ivanti, our top priority is upholding our commitment to deliver and maintain secure products for our customers. Our vulnerability management program is designed to enable us to find, fix and disclose vulnerabilities in collaboration with the broader security ecosystem, and communicate responsibly and transparently with customers. Ivanti is .. --------------------------------------------- https://www.ivanti.com/blog/november-2024-security-update ∗∗∗ XSA-464 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-464.html ∗∗∗ XSA-463 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-463.html ∗∗∗ Mehrere Schwachstelen in Siemens Energy Omnivise T3000 ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/mehrere-schwachstelen… ∗∗∗ Zyxel security advisory for post-authentication command injection and buffer overflow vulnerabilities in GS1900 series switches ∗∗∗ --------------------------------------------- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.11.2024
by Daily end-of-shift report 11 Nov '24

11 Nov '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 08-11-2024 18:00 − Montag 11-11-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Palo Alto untersucht mögliche Sicherheitslücke in PAN-OS-Webinterface ∗∗∗ --------------------------------------------- Palo Alto untersucht eine angebliche Codeschmuggel-Lücke in der Verwaltungsoberfläche von PAN-OS. Ein Teil betroffener Kunden wird informiert. [..] Palo Alto empfiehlt Kunden dringend, sicherzustellen, dass der Zugang zur Verwaltungsoberfläche korrekt und im Einklang mit den empfohlenen Best-Practices-Richtlinien erfolgt. Dafür stellt das Unternehmen auch eine Anleitung bereit. --------------------------------------------- https://www.heise.de/-10013896.html ∗∗∗ Zugangsdaten aus 2023 für Zugriff ausgenutzt - "Helldown Leaks"-Ransomware kompromittiert Unternehmen über Zyxel-Firewalls ∗∗∗ --------------------------------------------- Seit etwa Anfang August 2024 werden international Unternehmen durch die Ransomware-Gruppe "Helldown Leaks" verschlüsselt. Als initialer Angriffsvektor können durchgängig Zyxel-Firewalls ausgemacht werden, selbst wenn diese auf dem letzten Software-Stand sind. --------------------------------------------- https://www.cert.at/de/aktuelles/2024/11/zugangsdaten-aus-2023-fur-zugriff-… ∗∗∗ Testing the Koord2ool ∗∗∗ --------------------------------------------- As part of the EU-funded project “AWAKE”, we built the Koord2ool, which is a tool that allowed us to track the state of an incident across our constituency over time. We implemented this application as an extension to LimeSurvey (an Open Source survey tool) which generates a dashboard to visualize the state of the answers over time. --------------------------------------------- https://www.cert.at/en/blog/2024/11/testing-the-koord2ool ∗∗∗ Cybercriminals Use Excel Exploit to Spread Fileless Remcos RAT Malware ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered a new phishing campaign that spreads a new fileless variant of known commercial malware called Remcos RAT. [..] The malicious Excel document is designed to exploit a known remote code execution flaw in Office (CVE-2017-0199, CVSS score: 7.8) to download an HTML Application (HTA) file ("cookienetbookinetcahce.hta") from a remote server ("192.3.220[.]22") and launch it using mshta.exe. --------------------------------------------- https://thehackernews.com/2024/11/cybercriminals-use-excel-exploit-to.html ∗∗∗ #StopRansomware: Black Basta ∗∗∗ --------------------------------------------- Updates to this advisory, originally published May 10, 2024 [..] The advisory was updated to reflect new TTPs employed by Black Basta affiliates, as well as provide current IOCs/remove outdated IOCs for effective threat hunting. --------------------------------------------- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a ∗∗∗ Cyberattack causes credit card readers to malfunction in Israel ∗∗∗ --------------------------------------------- As reported by the Jerusalem Post, the cause was a distributed denial-of-service attack (DDoS) that targeted the payment gateway company Hyp’s CreditGuard product. The attack disrupted communications between the card terminals and the wider payment system, but was not capable of stealing information or payments. --------------------------------------------- https://therecord.media/cyberattack-causes-credit-card-readers-in-israel-to… ∗∗∗ Malware Steals Account Credentials ∗∗∗ --------------------------------------------- It’s common for malware to target e-commerce sites, and these attackers are usually seeking to steal credit card details. In most cases, they will insert scripts that extract data from the checkout forms to siphon fields like the cardholder name, card number and expiration date. [..] However, every now and then we encounter a case where in addition to that they are also looking to steal details for accounts that customers have created on these sites along with admin account credentials. We’ll explore one such case. --------------------------------------------- https://blog.sucuri.net/2024/11/malware-steals-account-credentials.html ∗∗∗ Known Attacks On Elliptic Curve Cryptography ∗∗∗ --------------------------------------------- In recent years the Elliptic Curve Cryptography approach has become popular due to its high efficiency and strong security. The purpose of this article is to present this topic in a relatively clearer way than it exists today on the internet. --------------------------------------------- https://github.com/elikaski/ECC_Attacks ∗∗∗ Pishi: Coverage guided macOS KEXT fuzzing ∗∗∗ --------------------------------------------- In this blog post I will try to explain everything as clearly as possible so that even those who are not familiar with fuzzing can enjoy and understand it. I’ll break down the concepts, provide relatable examples, and resources, My goal is to make fuzzing approachable and interesting. --------------------------------------------- https://r00tkitsmm.github.io/fuzzing/2024/11/08/Pishi.html ===================== = Vulnerabilities = ===================== ∗∗∗ Veeam Backup Enterprise Manager: Unbefugte Zugriffe durch Angreifer möglich ∗∗∗ --------------------------------------------- Setzen Angreifer erfolgreich an der Schwachstelle (CVE-2024-40715 "hoch") an, können sie die Authentifizierung umgehen und Verbindungen als Man-in-the-Middle belauschen. Wie das im Detail ablaufen könnte, ist bislang nicht bekannt. [..] Ein Sicherheitspatch steht zum Download bereit. --------------------------------------------- https://www.heise.de/-10018234.html ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (podman), Debian (guix, libarchive, and nss), Fedora (expat, iaito, opendmarc, python-werkzeug, radare2, squid, and xorg-x11-server), Mageia (htmldoc, libheif, nspr, nss, firefox & rust, python-urllib3, python-werkzeug, quictls, ruby-webrick, and thunderbird), Oracle (firefox and NetworkManager-libreswan), SUSE (apache2, chromedriver, chromium, coredns, expat, govulncheck-vulndb, httpcomponents-client, java-17-openjdk, java-21-openjdk, libheif, python-wxPython, python311, python312, qbittorrent, ruby3.3-rubygem-actionmailer, ruby3.3-rubygem-actiontext, ruby3.3-rubygem-puma, ruby3.3-rubygem-rails, and virtualbox), and Ubuntu (openjdk-17, openjdk-21, openjdk-8, openjdk-lts, and qemu). --------------------------------------------- https://lwn.net/Articles/997774/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.11.2024
by Daily end-of-shift report 08 Nov '24

08 Nov '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 07-11-2024 18:00 − Freitag 08-11-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Google To Make MFA Mandatory for Google Cloud in 2025 ∗∗∗ --------------------------------------------- Google has recently announced that it plans to implement mandatory multi-factor authentication (MFA) on all Cloud accounts by the end of 2025. [..] The implementation will affect both admins and users with access to Google Cloud. General consumer Google accounts will not be affected. --------------------------------------------- https://heimdalsecurity.com/blog/google-cloud-mfa/ ∗∗∗ 2024 Credit Card Theft Season Arrives ∗∗∗ --------------------------------------------- In today’s post we’re going to perform a malware analysis of the most common MageCart injections identified so that eCommerce website owners can better understand the risks, and (hopefully) protect themselves, their websites, and their customers from attackers. --------------------------------------------- https://blog.sucuri.net/2024/11/2024-credit-card-theft-season-arrives.html ∗∗∗ ESET APT Activity Report Q2 2024–Q3 2024 ∗∗∗ --------------------------------------------- An overview of the activities of selected APT groups investigated and analyzed by ESET Research in Q2 2024 and Q3 2024 --------------------------------------------- https://www.welivesecurity.com/en/eset-research/eset-apt-activity-report-q2… ∗∗∗ Helldown Ransomware Group – A New Emerging Ransomware Threat ∗∗∗ --------------------------------------------- As of November 2024, the online resources available related to the Helldown ransomware group’s Tactics Techniques and Procedures (TTP’s) were effectively none-existent – this blogpost aims to address that and will be updated continuously as more investigations are completed. --------------------------------------------- https://www.truesec.com/hub/blog/helldown-ransomware-group ∗∗∗ TLPT & ME: Everything you need to know about Threat-Led Penetration Testing (TLPT) in a TIBER world. ∗∗∗ --------------------------------------------- While the TLPT RTS does come with some additional requirements or nuances compared to the TIBER framework, we can all be certain that adopting TIBER is indeed the way to fulfill DORA’s TLPT requirements. As mentioned in our initial post, we expect many more European countries to publish a TIBER implementation guide and/or a TIBER-EU 2.0 to be published for additional convergence. --------------------------------------------- https://blog.nviso.eu/2024/11/08/tlpt-me-everything-you-need-to-know-about-… ∗∗∗ Breaking Down Earth Estries Persistent TTPs in Prolonged Cyber Operations ∗∗∗ --------------------------------------------- Discover how Earth Estries employs a diverse set of tactics, techniques, and tools, including malware such as Zingdoor and Snappybee, for its campaigns. --------------------------------------------- https://www.trendmicro.com/en_us/research/24/k/breaking-down-earth-estries-… ∗∗∗ Defending Your Directory: An Expert Guide to Securing Active Directory Against DCSync Attacks ∗∗∗ --------------------------------------------- Last time we took a dive deep into Kerberoasting. Up next, let's unravel the sinister secrets of DCSync attacks - a stealthy technique that can bring your entire Active Directory to its knees. --------------------------------------------- https://www.nccgroup.com/us/research-blog/defending-your-directory-an-exper… ∗∗∗ Nameless and shameless: Ransomware Encryption via BitLocker ∗∗∗ --------------------------------------------- This post will delve into a recent incident response engagement handled by NCC Group’s Digital Forensics and Incident Response (DFIR) team, involving an unknown ransomware strain but known TTPs. --------------------------------------------- https://www.nccgroup.com/us/research-blog/nameless-and-shameless-ransomware… ∗∗∗ Unmasking Phishing: Strategies for identifying 0ktapus domains and beyond ∗∗∗ --------------------------------------------- Wiz Research looks at phishing tactics, along with how to trace and investigate these campaigns. --------------------------------------------- https://www.wiz.io/blog/unmasking-phishing-strategies-for-identifying-0ktap… ===================== = Vulnerabilities = ===================== ∗∗∗ Max-Critical Cisco Bug Enables Command-Injection Attacks ∗∗∗ --------------------------------------------- Though Cisco reports of no known malicious exploitation attempts, but thanks to a CVSS 10 out of 10 security vulnerability (CVE-2024-20418) three of its wireless access points are vulnerable to remote, unauthenticated cyberattacks. --------------------------------------------- https://www.darkreading.com/vulnerabilities-threats/cisco-bug-command-injec… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (edk2), Debian (webkit2gtk), Fedora (thunderbird), Oracle (bzip2, container-tools:ol8, edk2, go-toolset:ol8, libtiff, python-idna, python3.11, and python3.12), Slackware (expat), and SUSE (apache2, govulncheck-vulndb, grub2, java-1_8_0-openjdk, python3, python39, qemu, xorg-x11-server, and xwayland). --------------------------------------------- https://lwn.net/Articles/997480/ ∗∗∗ Delta Electronics DIAScreen ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-312-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.11.2024
by Daily end-of-shift report 07 Nov '24

07 Nov '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 06-11-2024 18:00 − Donnerstag 07-11-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Hackers increasingly use Winos4.0 post-exploitation kit in attacks ∗∗∗ --------------------------------------------- Hackers are increasingly targeting Windows users with the malicious Winos4.0 framework, distributed via seemingly benign game-related apps. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-increasingly-use-win… ∗∗∗ A look at the latest post-quantum signature standardization candidates ∗∗∗ --------------------------------------------- NIST has standardized four post-quantum signature schemes so far, and they’re not done yet: there are fourteen new candidates in the running for standardization. In this blog post we take .. --------------------------------------------- https://blog.cloudflare.com/another-look-at-pq-signatures ∗∗∗ The Power of Process in Creating a Successful Security Posture ∗∗∗ --------------------------------------------- Establishing realistic, practitioner-driven processes prevents employee burnout, standardizes experiences, and closes many of the gaps exposed by repeated one-offs. --------------------------------------------- https://www.darkreading.com/cybersecurity-operations/process-in-creating-su… ∗∗∗ Microsoft Windows Server 2025 Upgrade Triggers Licensing Conflicts and Operational Fallout ∗∗∗ --------------------------------------------- A recent Microsoft update has unexpectedly forced several organizations to upgrade from Windows Server 2022 to Windows Server 2025, resulting in unexpected licensing demands and operational setbacks. First reported on November 5, 2024, this incident has affected organizations .. --------------------------------------------- https://heimdalsecurity.com/blog/microsoft-windows-server-2025-upgrade/ ∗∗∗ Steam Account Checker Poisoned with Infostealer ∗∗∗ --------------------------------------------- I found an interesting script targeting Steam users. Steam[1] is a popular digital distribution platform for purchasing, downloading, and playing video games on personal computers. The script is called "steam-account-checker" .. --------------------------------------------- https://isc.sans.edu/forums/diary/Steam+Account+Checker+Poisoned+with+Infos… ∗∗∗ China-Aligned MirrorFace Hackers Target EU Diplomats with World Expo 2025 Bait ∗∗∗ --------------------------------------------- The China-aligned threat actor known as MirrorFace has been observed targeting a diplomatic organization in the European Union, marking the first time the hacking crew has targeted an organization in the region."During this attack, the threat .. --------------------------------------------- https://thehackernews.com/2024/11/china-aligned-mirrorface-hackers-target.h… ∗∗∗ North Korean Hackers Target Crypto Firms with Hidden Risk Malware on macOS ∗∗∗ --------------------------------------------- A threat actor with ties to the Democratic Peoples Republic of Korea (DPRK) has been observed targeting cryptocurrency-related businesses with a multi-stage malware capable of infecting Apple macOS devices.Cybersecurity company SentinelOne, .. --------------------------------------------- https://thehackernews.com/2024/11/north-korean-hackers-target-crypto.html ∗∗∗ Office unter Windows 11 24H2 mit installiertem Crowdstrike lahmgelegt ∗∗∗ --------------------------------------------- Wer Crowdstrike-Sicherheitssoftware einsetzt und auf Windows 11 24H2 aktualisiert hat, hatte womöglich mit nicht funktionierenden Apps zu kämpfen. --------------------------------------------- https://www.heise.de/news/Crowdstrike-legte-Office-unter-Windows-11-24H2-la… ∗∗∗ Large eBay malvertising campaign leads to scams ∗∗∗ --------------------------------------------- Consumers are being swamped by Google ads claiming to be eBays customer service. --------------------------------------------- https://www.malwarebytes.com/blog/scams/2024/11/large-ebay-malvertising-cam… ∗∗∗ Vorsicht vor gefälschten Willhaben-Mails ∗∗∗ --------------------------------------------- Kriminelle geben sich als Willhaben aus und versenden massenhaft gefälschte E-Mails. In den teilweise echt aussehenden E-Mails wird behauptet, dass Sie Ihre Identität bestätigen müssen oder eine Rückerstattung erhalten. Eine andere gefälschte E-Mail enthält im Anhang angeblich eine Rechnung. Wir raten zur Vorsicht! --------------------------------------------- https://www.watchlist-internet.at/news/willhaben-phishing/ ∗∗∗ Silent Skimmer Gets Loud (Again) ∗∗∗ --------------------------------------------- We discuss a new campaign from the cybercrime group behind Silent Skimmer, showcasing the exploit of ... --------------------------------------------- https://unit42.paloaltonetworks.com/silent-skimmer-latest-campaign/ ∗∗∗ Unwrapping the emerging Interlock ransomware attack ∗∗∗ --------------------------------------------- Cisco Talos Incident Response (Talos IR) recently observed an attacker conducting big-game .. --------------------------------------------- https://blog.talosintelligence.com/emerging-interlock-ransomware/ ∗∗∗ Androxgh0st Botnet Integrates Mozi, Expands Attacks on IoT Vulnerabilities ∗∗∗ --------------------------------------------- CloudSEK reports that the Androxgh0st botnet has integrated with the Mozi botnet and .. --------------------------------------------- https://hackread.com/androxgh0st-botnet-integrate-mozi-iot-vulnerabilities/ ∗∗∗ Malicious Python Package Typosquats Popular fabric SSH Library, Exfiltrates AWS Credentials ∗∗∗ --------------------------------------------- The Socket Research Team has discovered a malicious Python package, fabrice, that is typosquatting the popular fabric SSH automation library. The threat of malware delivered through typosquatted libraries remains a significant .. --------------------------------------------- https://socket.dev/blog/malicious-python-package-typosquats-fabric-ssh-libr… ===================== = Vulnerabilities = ===================== ∗∗∗ Zahlreiche Schwachstellen in HASOMED Elefant and Elefant Software Updater ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/zahlreiche-schwachste… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.11.2024
by Daily end-of-shift report 06 Nov '24

06 Nov '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 05-11-2024 18:00 − Mittwoch 06-11-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Germany drafts law to protect researchers who find security flaws ∗∗∗ --------------------------------------------- The Federal Ministry of Justice in Germany has drafted a law to provide legal protection to security researchers who discover and responsibly report security vulnerabilities to vendors. --------------------------------------------- https://www.bleepingcomputer.com/news/security/germany-drafts-law-to-protec… ∗∗∗ Attackers Breach IT-Based Networks Before Jumping to ICS/OT Systems ∗∗∗ --------------------------------------------- SANS recently published its 2024 State of ICS.OT Cybersecurity report, highlighting the skills of cyber professionals working in critical infrastructure, budget estimates, and emerging technologies. The report .. --------------------------------------------- https://www.darkreading.com/ics-ot-security/attackers-breach-network-provid… ∗∗∗ Verbraucherschützer warnen: Smarte Fritteusen lauschen und senden Daten nach China ∗∗∗ --------------------------------------------- Verbraucherschützer haben bei verschiedenen smarten Geräten Datenschutzprobleme aufgedeckt. Ganz vorne mit dabei: Heißluftfritteusen! --------------------------------------------- https://www.golem.de/news/verbraucherschuetzer-warnen-smarte-fritteusen-lau… ∗∗∗ New SteelFox Trojan mimics software activators, stealing sensitive data and mining cryptocurrency ∗∗∗ --------------------------------------------- Kaspersky experts have discovered a new SteelFox Trojan that mimics popular software like Foxit PDF Editor and JetBrains to spread a stealer-and-miner bundle. --------------------------------------------- https://securelist.com/steelfox-trojan-drops-stealer-and-miner/114414/ ∗∗∗ INTERPOL Disrupts Over 22,000 Malicious Servers in Global Crackdown on Cybercrime ∗∗∗ --------------------------------------------- INTERPOL on Tuesday said it took down more than 22,000 malicious servers linked to various cyber threats as part of a global operation.Dubbed Operation Synergia II, the coordinated effort ran from April 1 to .. --------------------------------------------- https://thehackernews.com/2024/11/interpols-operation-synergia-ii.html ∗∗∗ Angreifer nutzen emulierte Linux-Umgebung als Backdoor ∗∗∗ --------------------------------------------- IT-Sicherheitsforscher haben eine ungewöhnliche Angriffsart entdeckt: Die Täter haben eine emulierte Linux-Umgebung als Backdoor eingerichtet. --------------------------------------------- https://www.heise.de/news/CRON-TRAP-Emulierte-Linux-Umgebung-als-Backdoor-n… ∗∗∗ Canadian Man Arrested in Snowflake Data Extortions ∗∗∗ --------------------------------------------- A 26-year-old man in Ontario, Canada has been arrested for allegedly stealing data from and extorting more than 160 companies that used the cloud data service Snowflake. On October 30, Canadian authorities arrested Alexander Moucka, a.k.a. Connor Riley Moucka of Kitchener, Ontario, on a provisional arrest warrant from the United States. Bloomberg first .. --------------------------------------------- https://krebsonsecurity.com/2024/11/canadian-man-arrested-in-snowflake-data… ∗∗∗ You lost your iPhone, but it’s locked. That’s fine, right? ∗∗∗ --------------------------------------------- TL;DR Default iOS configuration leaves your locked device vulnerable Ensure your emergency contacts are set. Use ‘FindMy’ to track / wipe lost devices. Take regular backups. Consider turning off the .. --------------------------------------------- https://www.pentestpartners.com/security-blog/you-lost-your-iphone-but-its-… ∗∗∗ Tückische Zahlungsanweisung: Stammt diese Mail wirklich von Ihrem Chef? ∗∗∗ --------------------------------------------- Von der Buchhaltung im internationalen Großkonzern bis zur Verwaltung im Kleinbetrieb nebenan. In letzter Zeit erhalten immer mehr Mitarbeiter:innen betrügerische Mails im Namen der Geschäftsführung .. --------------------------------------------- https://www.watchlist-internet.at/news/tueckische-zahlungsanweisung-chef/ ∗∗∗ Guidance for brands to help advertising partners counter malvertising ∗∗∗ --------------------------------------------- Advice to make it harder for cyber criminals to deliver malicious advertising, and reduce the risk of cyber-facilitated fraud. --------------------------------------------- https://www.ncsc.gov.uk/guidance/guidance-brands-advertising-partners-count… ∗∗∗ With 2FA Enabled: NPM Package lottie-player Taken Over by Attackers ∗∗∗ --------------------------------------------- The popular NPM package @lottiefiles/lottie-player enables developers to seamlessly integrate Lottie animations into websites and applications. On October 30, the community reported existence of malicious code within versions 2.0.5, 2.0.6, and 2.0.7 of the npm package. The package maintainers replied and confirmed the attackers were able to .. --------------------------------------------- https://checkmarx.com/uncategorized/with-2fa-enabled-npm-package-lottie-pla… ∗∗∗ CopyRh(ight)adamantys Campaign: Rhadamantys Exploits Intellectual Property Infringement Baits ∗∗∗ --------------------------------------------- While we finalized this blog post, a technical analysis of this activity was published by fellow researchers from Cisco Talos. While it overlaps with our findings to some extent, our report provides additional extended information about the activity. Introduction Since July 2024, Check Point Research (CPR) has been tracking an extensive a.. --------------------------------------------- https://research.checkpoint.com/2024/massive-phishing-campaign-deploys-late… ∗∗∗ (In)tuned to Takeovers: Abusing Intune Permissions for Lateral Movement and Privilege Escalation in Entra ID Native Environments ∗∗∗ --------------------------------------------- The Mandiant Red Team recently supported a client to visualize the possible impact of a compromise by an advanced threat actor. During the assessment, Mandiant moved laterally from the customer’s on-premises environment to their Microsoft Entra ID .. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/abusing-intune-per… ∗∗∗ Threat Campaign Spreads Winos4.0 Through Game Application ∗∗∗ --------------------------------------------- FortiGuard Labs reveals a threat actor spreads Winos4.0, infiltrating gaming apps and targeting the education sector --------------------------------------------- https://www.fortinet.com/blog/threat-research/threat-campaign-spreads-winos… ∗∗∗ Defending Your Directory: An Expert Guide to Combating Kerberoasting in Active Directory ∗∗∗ --------------------------------------------- 16 hours or less, that’s all it takes for attackers to gain access to Microsoft Active Directory (AD) and unleash mayhem on your organization. If that attack happens on a Friday afternoon, they have all weekend to wreak havoc, escalating their privileges, deploying ransomware, exploiting your VPN, or exfiltrating your data. .. --------------------------------------------- https://www.nccgroup.com/us/research-blog/defending-your-directory-an-exper… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Nexus Dashboard Fabric Controller SQL Injection Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in a REST API endpoint and web-based management interface of Cisco Nexus Dashboard Fabric Controller (NDFC) could allow an authenticated, remote attacker with read-only privileges to execute arbitrary SQL commands on an affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit .. --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Unified Contact Center Management Portal Stored Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the web-based management interface of Cisco Unified Contact Center Management Portal (Unified CCMP) could allow an authenticated, remote attacker with low privileges to conduct a stored .. --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (libtiff), Debian (context, libheif, and thunderbird), Fedora (php-tcpdf, syncthing, and thunderbird), Gentoo (EditorConfig core C library, Flatpak, Neat VNC, and Ubiquiti UniFi), Oracle (bcc, bpftrace, grafana-pcp, haproxy, kernel, krb5, libtiff, python-gevent, python3.11-urllib3, python3.12-urllib3, and xmlrpc-c), .. --------------------------------------------- https://lwn.net/Articles/997182/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.11.2024
by Daily end-of-shift report 05 Nov '24

05 Nov '24

===================== = End-of-Day report = ===================== Timeframe: Montag 04-11-2024 18:00 − Dienstag 05-11-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Windows Server 2025 released—here are the new features ∗∗∗ --------------------------------------------- Microsoft has announced that Windows Server 2025, the latest version of its server operating system, is generally available starting Friday, November 1st. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/windows-server-2025-release… ∗∗∗ Nokia investigates breach after hacker claims to steal source code ∗∗∗ --------------------------------------------- Nokia is investigating whether a third-party vendor was breached after a hacker claimed to be selling the companys stolen source code. --------------------------------------------- https://www.bleepingcomputer.com/news/security/nokia-investigates-breach-af… ∗∗∗ Google fixes two Android zero-days used in targeted attacks ∗∗∗ --------------------------------------------- Google fixed two actively exploited Android zero-day flaws as part of its November security updates, addressing a total of 51 vulnerabilities. --------------------------------------------- https://www.bleepingcomputer.com/news/security/google-fixes-two-android-zer… ∗∗∗ Angriff auf Schneider Electric: Hungrige Hacker fordern Baguettes als Lösegeld ∗∗∗ --------------------------------------------- Die Angreifer behaupten, über 40 GBytes an Daten von Schneider Electric erbeutet zu haben. Ihre Forderung: 125.000 US-Dollar in Form von Baguettes. --------------------------------------------- https://www.golem.de/news/angriff-auf-schneider-electric-hungrige-hacker-fo… ∗∗∗ Olympia-Kassensysteme: Registrierkassen seit drei Jahren ohne Sicherheitsupdates ∗∗∗ --------------------------------------------- Registrierkassen der Marke Olympia laufen auf Android 11 und bergen Risiken für den Zahlungsverkehr. --------------------------------------------- https://www.golem.de/news/olympia-kassensysteme-registrierkassen-seit-drei-… ∗∗∗ Python RAT with a Nice Screensharing Feature ∗∗∗ --------------------------------------------- While hunting, I found another interesting Python RAT in the wild. This is not brand new because the script was released two years ago. The script I found is based on the same tool and still .. --------------------------------------------- https://isc.sans.edu/diary/Python+RAT+with+a+Nice+Screensharing+Feature/314… ∗∗∗ Maritime lawyers assemble! ∗∗∗ --------------------------------------------- Maritime cyber insurance has been playing catch-up with maritime cyber security for a while now. It was all pretty good until the availability of cheap VSAT meant that ships .. --------------------------------------------- https://www.pentestpartners.com/security-blog/maritime-lawyers-assemble/ ∗∗∗ In final check-in before Election Day, CISA cites low-level threats, and not much else ∗∗∗ --------------------------------------------- Incidents to date have included “low level” distributed denial-of-service activity, criminal destruction of ballot drop boxes and continued threats targeting election officials, CISA Director Jen Easterly .. --------------------------------------------- https://therecord.media/cisa-2024-presidential-election-threats ∗∗∗ Smart Cities gegen Cyberattacken resilient machen ∗∗∗ --------------------------------------------- Ob es uns gefällt oder nicht – Städte weltweit wandeln sich in sogenannte "Smart Cities". Die Protagonisten versprechen Innovation, Nachhaltigkeit und digitales Wachstum. Aber diese Infrastruktur bzw. die .. --------------------------------------------- https://www.borncity.com/blog/2024/11/05/smart-cities-gegen-cyberattacken-r… ∗∗∗ SOC Around the Clock: World Tour Survey Findings ∗∗∗ --------------------------------------------- Trend surveyed 750 cybersecurity professionals in 49 countries to learn more about the state of .. --------------------------------------------- https://www.trendmicro.com/en_us/research/24/k/world-tour-survey-results.ht… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (firefox, openexr, and thunderbird), Fedora (llama-cpp and python-quart), Oracle (firefox, openexr, thunderbird, and xorg-x11-server and xorg-x11-server-Xwayland), SUSE (chromium, govulncheck-vulndb, openssl-1_1, python311, and python312), and Ubuntu (linux-azure, linux-bluefield, linux-azure, linux-gcp, linux-ibm, openjpeg2, and ruby3.0, ruby3.2, ruby3.3). --------------------------------------------- https://lwn.net/Articles/997030/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.11.2024
by Daily end-of-shift report 04 Nov '24

04 Nov '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 31-10-2024 18:00 − Montag 04-11-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Thousands of hacked TP-Link routers used in years-long account takeover attacks ∗∗∗ --------------------------------------------- The botnet is being skillfully used to launch "highly evasive" password-spraying attacks. --------------------------------------------- https://arstechnica.com/information-technology/2024/11/microsoft-warns-of-8… ∗∗∗ DDoS site Dstat.cc seized and two suspects arrested in Germany ∗∗∗ --------------------------------------------- The Dstat.cc DDoS review platform has been seized by law enforcement, and two suspects have been arrested after the service helped fuel distributed denial-of-service attacks for years. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ddos-site-dstatcc-seized-and… ∗∗∗ Cisco says DevHub site leak won’t enable future breaches ∗∗∗ --------------------------------------------- Cisco says that non-public files recently downloaded by a threat actor from a misconfigured public-facing DevHub portal dont contain information that could be exploited in future breaches of the companys systems. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cisco-says-devhub-site-leak-… ∗∗∗ Ware nicht geliefert: Betrüger hacken Tausende Webshops und kassieren Millionen ∗∗∗ --------------------------------------------- Hacker haben seit 2019 im Rahmen einer Betrugskampagne unzählige Onlineshops infiltriert. Käufer bestimmter Produkte erhielten .. --------------------------------------------- https://www.golem.de/news/ware-nicht-geliefert-betrueger-hacken-tausende-we… ∗∗∗ From Naptime to Big Sleep: Using Large Language Models To Catch Vulnerabilities In Real-World Code ∗∗∗ --------------------------------------------- In our previous post, Project Naptime: Evaluating Offensive Security Capabilities of Large Language Models, we introduced our framework for large-language-model-assisted vulnerability research and demonstrated its potential by improving the state-of-the-art performance on Meta's CyberSecEval2 benchmarks. Since then, Naptime has evolved into Big Sleep, a collaboration between Google Project Zero and Google DeepMind. --------------------------------------------- https://googleprojectzero.blogspot.com/2024/10/from-naptime-to-big-sleep.ht… ∗∗∗ Inside Iran’s Cyber Playbook: AI, Fake Hosting, and Psychological Warfare ∗∗∗ --------------------------------------------- U.S. and Israeli cybersecurity agencies have published a new advisory attributing an Iranian cyber group to targeting the 2024 Summer Olympics and compromising a French commercial dynamic display provider to show messages denouncing Israels participation .. --------------------------------------------- https://thehackernews.com/2024/11/inside-irans-cyber-playbook-ai-fake.html ∗∗∗ Financial institutions told to get their house in order before the next CrowdStrike strikes ∗∗∗ --------------------------------------------- Calls for improvements will soon turn into demands when new rules come into force The UKs finance regulator is urging all institutions under its remit to better prepare for IT meltdowns like .. --------------------------------------------- https://www.theregister.com/2024/11/02/fca_it_resilience/ ∗∗∗ Booking.com Phishers May Leave You With Reservations ∗∗∗ --------------------------------------------- A number of cybercriminal innovations are making it easier for scammers to cash in on your upcoming travel plans. This story examines a recent spear-phishing campaign that ensued when a California hotel had its booking.com credentials stolen. Well .. --------------------------------------------- https://krebsonsecurity.com/2024/11/booking-com-phishers-may-leave-you-with… ∗∗∗ Kostenlose Webinare zum Schutz im Internet ∗∗∗ --------------------------------------------- Ab 2. Dezember finden in Kooperation mit der AK Oberösterreich und Saferinternet.at spannende Webinare zum sicheren und verantwortungsvollen Umgang mit Handy und Internet statt. Erweitern Sie Ihre digitalen Kompetenzen und .. --------------------------------------------- https://www.watchlist-internet.at/news/kostenlose-webinare-zum-schutz-im-in… ∗∗∗ TA Phone Home: EDR Evasion Testing Reveals Extortion Actors Toolkit ∗∗∗ --------------------------------------------- A threat actor attempted to use an AV/EDR bypass tool in an extortion attempt. Instead, the tool provided Unit 42 insight into the threat actor. --------------------------------------------- https://unit42.paloaltonetworks.com/edr-bypass-extortion-attempt-thwarted/ ∗∗∗ FBI wants more info on hackers behind Sophos exploitation after report on China’s intrusions ∗∗∗ --------------------------------------------- The FBI is asking the public for help in tracking down the people behind a series of intrusions into edge devices and networks. --------------------------------------------- https://therecord.media/fbi-hackers-china-wants-info ∗∗∗ Kimsuky Group’s Malware Disguised as Lecture Request Form (MSC, HWP) ∗∗∗ --------------------------------------------- Recently, malware disguised as a lecture request form targeting specific users was identified. The distributed files include Hangul Word Processor (HWP) documents and files in MSC format, which download additional malicious files. Decoy document files used to disguise as legitimate documents have been found to sometimes contain .. --------------------------------------------- https://asec.ahnlab.com/en/84181/ ∗∗∗ Supply Chain Attack Using Ethereum Smart Contracts to Distribute Multi-Platform Malware ∗∗∗ --------------------------------------------- age “jest-fet-mock,” which implements a different approach using Ethereum smart contracts for command-and-control operations. The package masquerades as a popular testing utility while distributing malware across Windows, Linux, and macOS platforms. This discovery represents a notable difference in supply chain attack methodologies, combining .. --------------------------------------------- https://checkmarx.com/blog/supply-chain-attack-using-ethereum-smart-contrac… ∗∗∗ Hackers Claim Access to Nokia Internal Data, Selling for $20,000 ∗∗∗ --------------------------------------------- Hackers claim to have breached Nokia through a third-party contractor, allegedly stealing SSH keys, source code, and internal --------------------------------------------- https://hackread.com/hackers-claim-access-nokia-internal-data-selling-20k/ ∗∗∗ Mallox Ransomware ∗∗∗ --------------------------------------------- FortiGuard Labs continue to see increase in Mallox ransomware related activities detecting Mallox ransomware on multiple hundred FortiGuard sensors. Ransomware infection may cause disruption, damage to daily operations, .. --------------------------------------------- https://fortiguard.fortinet.com/outbreak-alert/mallox-ransomware ∗∗∗ Missing Link: Wie ein Unternehmen bei einem Cyberangriff die Kontrolle verlor ∗∗∗ --------------------------------------------- Eigentlich fühlt sich der IT-Chef recht sicher. Bis Hacker mitten am Tag in die Firma marschieren – und unbehelligt wieder raus. Die Beute: volle Kontrolle. --------------------------------------------- https://heise.de/-9984869 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (firefox, grafana, kernel, and mod_http2), Debian (chromium, openssl, and thunderbird), Fedora (chromium, krb5, mysql8.0, polkit, python-single-version, and webkitgtk), Mageia (bind, buildah, podman, skopeo, kernel, kmod-xtables-addons. kmod-virtualbox, kernel-firmware & kernel-firmware-nonfree radeon-firmware, .. --------------------------------------------- https://lwn.net/Articles/996908/ ∗∗∗ WordPress Vulnerability & Patch Roundup October 2024 ∗∗∗ --------------------------------------------- https://blog.sucuri.net/2024/11/wordpress-vulnerability-patch-roundup-octob… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 31.10.2024
by Daily end-of-shift report 31 Oct '24

31 Oct '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 30-10-2024 18:00 − Donnerstag 31-10-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ With 2FA Enabled: NPM Package lottie-player Taken Over by Attackers ∗∗∗ --------------------------------------------- On October 30, the community reported existence of malicious code within versions 2.0.5, 2.0.6, and 2.0.7 of the npm package. The package maintainers replied and confirmed the attackers were able to take over the NPM package using a leaked automation token which was used to automate publications of NPM packages. --------------------------------------------- https://checkmarx.com/blog/with-2fa-enabled-npm-package-lottie-player-taken… ∗∗∗ GreyNoise Intelligence Discovers Zero-Day Vulnerabilities in Live Streaming Cameras with the Help of AI ∗∗∗ --------------------------------------------- Affected devices are typically high-cost live streaming cameras, sometimes exceeding several thousand dollars. [..] Affected devices use VHD PTZ camera firmware < 6.3.40 used in PTZOptics, Multicam Systems SAS, and SMTAV Corporation devices based on Hisilicon Hi3516A V600 SoC V60, V61, and V63. These cameras, which feature an embedded web server allowing for direct access by web browser, are reportedly deployed in environments where reliability and privacy are crucial, including: Industrial and manufacturing plants [..] Business conferences [..] Healthcare settings [..] State and local government environments [..] Houses of worship --------------------------------------------- https://www.greynoise.io/blog/greynoise-intelligence-discovers-zero-day-vul… ∗∗∗ Midnight Blizzard conducts large-scale spear-phishing campaign using RDP files ∗∗∗ --------------------------------------------- Microsoft is releasing this blog to notify the public and disrupt this threat actor activity. This blog provides context on these external spear-phishing attempts, which are common attack techniques and do not represent any new compromise of Microsoft. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-… ∗∗∗ Discovering Hidden Vulnerabilities in Portainer with CodeQL ∗∗∗ --------------------------------------------- In this blog, we will show how we used CodeQL to find these vulnerabilities and even wrote custom queries to find a specific vulnerability. --------------------------------------------- https://www.cyberark.com/resources/threat-research-blog/discovering-hidden-… ∗∗∗ Loose-lipped neural networks and lazy scammers ∗∗∗ --------------------------------------------- As large language models improve, their strengths and weaknesses, as well as the tasks they do well or poorly, are becoming better understood. Threat actors are exploring applications of this technology in a range of automation scenarios. But, as we see, they sometimes commit blunders that help shed light on how they use LLMs, at least in the realm of online fraud. --------------------------------------------- https://securelist.com/llm-phish-blunders/114367/ ∗∗∗ Mounting memory with MemProcFS for advanced memory forensics ∗∗∗ --------------------------------------------- Whilst this blog does not intend to go into any detail into some of the most popular tools available to analyse memory, nor a deep dive into analysis techniques it is intended to provide high level information about some significant enhances to memory forensics in the last few years and the difference in tooling. This also covers three memory forensic tools; many others are available. --------------------------------------------- https://www.pentestpartners.com/security-blog/mounting-memory-with-memprocf… ∗∗∗ The Persistent Perimeter Threat: Strategic Insights from a Multi-Year APT Campaign Targeting Edge Devices ∗∗∗ --------------------------------------------- Discover insights from a multi-year APT campaign that exploited network perimeter vulnerabilities to target high-value entities, revealing critical gaps in edge device security. --------------------------------------------- https://www.greynoise.io/blog/the-persistent-perimeter-threat-strategic-ins… ∗∗∗ Auditing K3s Clusters ∗∗∗ --------------------------------------------- K3s shares a great deal with standard Kubernetes, but its lightweight implementation comes with some challenges and opportunities in the security sphere. --------------------------------------------- https://www.nccgroup.com/us/research-blog/auditing-k3s-clusters/ ===================== = Vulnerabilities = ===================== ∗∗∗ LiteSpeed Cache WordPress plugin bug lets hackers get admin access ∗∗∗ --------------------------------------------- The free version of the popular WordPress plugin LiteSpeed Cache has fixed a dangerous privilege elevation flaw on its latest release that could allow unauthenticated site visitors to gain admin rights. [..] The newly discovered high-severity flaw tracked as CVE-2024-50550 is caused by a weak hash check in the plugin's "role simulation" feature, designed to simulate user roles to aid the crawler in site scans from different user levels. --------------------------------------------- https://www.bleepingcomputer.com/news/security/litespeed-cache-wordpress-pl… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr and openssl), Fedora (firefox, libarchive, micropython, NetworkManager-libreswan, and xorg-x11-server-Xwayland), Red Hat (nano), Slackware (mozilla-firefox, mozilla-thunderbird, tigervnc, and xorg), SUSE (389-ds, Botan, go1.21-openssl, govulncheck-vulndb, java-11-openjdk, lxc, python-Werkzeug, and uwsgi), and Ubuntu (firefox, libarchive, linux-azure-fde, linux-azure-fde-5.15, python-pip, and xorg-server, xorg-server-hwe-16.04, xorg-server-hwe-18.04). --------------------------------------------- https://lwn.net/Articles/996526/ ∗∗∗ Drupal: Cookiebot + GTM - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-055 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2024-055 ∗∗∗ Bosch: DoS vulnerability on IndraDrive ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-315415.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.10.2024
by Daily end-of-shift report 30 Oct '24

30 Oct '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 29-10-2024 18:00 − Mittwoch 30-10-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Hackers steal 15,000 cloud credentials from exposed Git config files ∗∗∗ --------------------------------------------- A global large-scale dubbed "EmeraldWhale" exploited misconfigured Git configuration files to steal over 15,000 cloud account credentials from thousands of private repositories. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-steal-15-000-cloud-c… ∗∗∗ Jumpy Pisces Engages in Play Ransomware ∗∗∗ --------------------------------------------- Jumpy Pisces, also known as Andariel and Onyx Sleet, was historically involved in cyberespionage, financial crime and ransomware attacks. [..] We expect their attacks will increasingly target a wide range of victims globally. Network defenders should view Jumpy Pisces activity as a potential precursor to ransomware attacks, not just espionage, underscoring the need for heightened vigilance. --------------------------------------------- https://unit42.paloaltonetworks.com/north-korean-threat-group-play-ransomwa… ∗∗∗ Writing a BugSleep C2 server and detecting its traffic with Snort ∗∗∗ --------------------------------------------- In June 2024, security researchers published their analysis of a novel implant dubbed “MuddyRot”(aka "BugSleep"). [..] This blog will demonstrate the practice and methodology of reversing BugSleep’s protocol, writing a functional C2 server, and detecting this traffic with Snort. --------------------------------------------- https://blog.talosintelligence.com/writing-a-bugsleep-c2-server/ ∗∗∗ Cryptocurrency Enthusiasts Targeted in Multi-Vector Supply Chain Attack ∗∗∗ --------------------------------------------- Cryptocurrency enthusiasts have been the target of another sophisticated and invasive malware campaign. This campaign was orchestrated through multiple attack vectors, including a malicious Python package named “cryptoaitools” on PyPI and deceptive GitHub repositories. This multi-stage malware, masquerading as a suite of cryptocurrency trading tools, aims to steal a wide range of sensitive data and drain victims’ crypto wallets. --------------------------------------------- https://checkmarx.com/blog/cryptocurrency-enthusiasts-targeted-in-multi-vec… ∗∗∗ New “Scary” FakeCall Malware Captures Photos and OTPs on Android ∗∗∗ --------------------------------------------- A new, more sophisticated variant of the FakeCall malware is targeting Android devices. [..] The FakeCall malware typically infiltrates a device through a malicious app downloaded from a compromised website or a phishing email. The app requests permission to become the default call handler. If granted, the malware gains extensive privileges. --------------------------------------------- https://hackread.com/scary-fakecall-malware-captures-photos-otps-android/ ===================== = Vulnerabilities = ===================== ∗∗∗ Nach Pwn2Own: QNAP und Synology patchen ausgenutzte NAS-Lücken ∗∗∗ --------------------------------------------- Für auf der Pwn2Own ausgenutzte TrueNAS-Lücken scheint es derweil noch keine Patches zu geben – dafür aber Hinweise, wie Nutzer ihre Systeme vor möglichen Angriffen schützen können. [..] Erste Patches gibt es beispielsweise von Synology. Das Unternehmen hat schon am 25. Oktober Updates für Beephotos für Beestation OS 1.0 und 1.1 sowie Synology Photos 1.7 und 1.6 für DSM 7.2 bereitgestellt. Diese schließen jeweils eine kritische Sicherheitslücke, die es Angreifern erlaubt, aus der Ferne Schadcode auszuführen. --------------------------------------------- https://www.golem.de/news/nach-pwn2own-qnap-und-synology-patchen-ausgenutzt… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (buildah), Debian (python-git, texlive-bin, and xorg-server), Mageia (chromium-browser-stable), Red Hat (kernel), SUSE (Botan, go1.22-openssl, go1.23-openssl, grafana, libgsf, pcp, pgadmin4, python310-pytest-html, python313, xorg-x11-server, and xwayland), and Ubuntu (nano, python-urllib3, and xorg-server, xwayland). --------------------------------------------- https://lwn.net/Articles/996310/ ∗∗∗ QNAP: Vulnerability in SMB Service (PWN2OWN 2024) ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-24-42 ∗∗∗ SPLUNK: SVD-2024-1015: Third-Party Package Updates in the Splunk Add-on for Cisco Meraki - October 2024 ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2024-1015 ∗∗∗ SPLUNK: SVD-2024-1014: Third-Party Package Updates in the Splunk Add-on for Google Cloud Platform - October 2024 ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2024-1014 ∗∗∗ Ping Identity PingIDM: Query Filter Injection in Ping Identity PingIDM (formerly known as ForgeRock Identity Management) ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/query-filter-injectio… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.10.2024
by Daily end-of-shift report 29 Oct '24

29 Oct '24

===================== = End-of-Day report = ===================== Timeframe: Montag 28-10-2024 18:00 − Dienstag 29-10-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ New tool bypasses Google Chrome’s new cookie encryption system ∗∗∗ --------------------------------------------- A researcher has released a tool to bypass Googles new App-Bound encryption cookie-theft defenses and extract saved credentials from the Chrome web browser. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-tool-bypasses-google-chr… ∗∗∗ Exchange Online: Inbound SMTP DANE mit DNSSEC verfügbar ∗∗∗ --------------------------------------------- Microsoft hat das Inbound SMTP DANE mit DNSSEC für Exchange Online allgemein freigegeben, nachdem das Ganze bereits im Juli 2024 als Preview verfügbar war. Mit der neuen Funktion Inbound SMTP DANE with DNSSEC in Exchange Online soll die Sicherheit der E-Mail-Kommunikation durch die Unterstützung zweier Sicherheitsstandards erhöht werden. --------------------------------------------- https://www.borncity.com/blog/2024/10/29/exchange-online-inbound-smtp-dane-… ∗∗∗ Ransomware-Angriffe auf Sonicwall SSL-VPNs ∗∗∗ --------------------------------------------- IT-Forscher haben Attacken auf Sonicwall SSL-VPNs untersucht und dabei Ransomware-Aktivitäten von Akira und Fog entdeckt. [..] Die Sonicwall-Geräte, durch die die Täter einbrechen konnten, waren allesamt nicht gegen die Schwachstelle CVE-2024-40766 gepatcht – mit einem CVSS-Wert von 9.3 gilt sie als kritisches Risiko. Anfang September warnte Sonicwall, dass diese Sicherheitslücke in den SSL-VPNs bereits aktiv angegriffen wird, und wies nochmals auf die verfügbaren Updates hin, die das Sicherheitsleck stopfen. --------------------------------------------- https://heise.de/-9998068 ∗∗∗ New Research Reveals Spectre Vulnerability Persists in Latest AMD and Intel Processors ∗∗∗ --------------------------------------------- More than six years after the Spectre security flaw impacting modern CPU processors came to light, new research has found that the latest AMD and Intel processors are still susceptible to speculative execution attacks. [..] The attack has been described as the first, practical "end-to-end cross-process Spectre leak." --------------------------------------------- https://thehackernews.com/2024/10/new-research-reveals-spectre.html ∗∗∗ What Are My OPTIONS? CyberPanel v2.3.6 pre-auth RCE ∗∗∗ --------------------------------------------- Few months ago I was assigned to do a pentest on a target running CyberPanel. It seemed to be installed by default by some VPS providers & it was also sponsored by Freshworks. [..] if you’re a beginner with a creative mind looking to get started with code review, I definitely recommend you read this blog. --------------------------------------------- https://dreyand.rs/code/review/2024/10/27/what-are-my-options-cyberpanel-v2… ∗∗∗ Vorsicht vor dieser Instagram-Nachricht: „Ich brauche deine Hilfe“ ∗∗∗ --------------------------------------------- „Ich brauche deine Hilfe“ schreibt eine bekannte Person oder auch ein Freund oder eine Freundin auf Instagram. Die Person bittet Sie, bei einem Voting für sie abzustimmen und schickt Ihnen einen Link. Vorsicht: Es handelt sich um eine Betrugsmasche! --------------------------------------------- https://www.watchlist-internet.at/news/instagram-nachricht-hilfe/ ===================== = Vulnerabilities = ===================== ∗∗∗ QNAP: Vulnerability in HBS 3 Hybrid Backup Sync (PWN2OWN 2024) ∗∗∗ --------------------------------------------- An OS command injection vulnerability has been reported to affect HBS 3 Hybrid Backup Sync. If exploited, the vulnerability could allow remote attackers to execute arbitrary commands. Critical, CVE-2024-50388 --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-24-41 ∗∗∗ Spring: Authorization Bypass of Static Resources in WebFlux Applications ∗∗∗ --------------------------------------------- Spring WebFlux applications that have Spring Security authorization rules on static resources can be bypassed under certain circumstances. CRITICAL, CVE-2024-38821 --------------------------------------------- https://spring.io/security/cve-2024-38821/ ∗∗∗ Auch verfügbar: Updates für iOS 17, macOS 14 und macOS 13 – mit Sicherheitsfixes ∗∗∗ --------------------------------------------- Apple hat neben iOS 18.1, iPadOS 18.1 und macOS 15.1 auch Updates für ältere Betriebssysteme bereitgestellt. Sie beheben nur Sicherheitsprobleme. --------------------------------------------- https://heise.de/-9997116 ∗∗∗ Mozilla Security Advisories October 29, 2024 ∗∗∗ --------------------------------------------- Thunderbird 132, Thunderbird 128.4, Firefox ESR 115.17, Firefox ESR 128.4 and Firefox 132. --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/ ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (exim4) and SUSE (chromium, openssl-1_1, and openssl-3). --------------------------------------------- https://lwn.net/Articles/996196/ ∗∗∗ 0patch: We Patched CVE-2024-38030, Found Another Windows Themes Spoofing Vulnerability (0day) ∗∗∗ --------------------------------------------- https://blog.0patch.com/2024/10/we-patched-cve-2024-38030-found-another.html ∗∗∗ OneDev Security Update Advisory (CVE-2024-45309) ∗∗∗ --------------------------------------------- https://asec.ahnlab.com/en/84118/ ∗∗∗ Solar-Log Base 15 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-303-02 ∗∗∗ Delta Electronics InfraSuite Device Master ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-303-03 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.10.2024
by Daily end-of-shift report 28 Oct '24

28 Oct '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 25-10-2024 18:00 − Montag 28-10-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ Amazon seizes domains used in rogue Remote Desktop campaign to steal data ∗∗∗ --------------------------------------------- Amazon has seized domains used by the Russian APT29 hacking group in targeted attacks against government and military organizations to steal Windows credentials and data using malicious Remote Desktop Protocol connection files. --------------------------------------------- https://www.bleepingcomputer.com/news/security/amazon-seizes-domains-used-i… ∗∗∗ Redline, Meta infostealer malware operations seized by police ∗∗∗ --------------------------------------------- The Dutch National Police seized the network infrastructure for the Redline and Meta infostealer malware operations in "Operation Magnus," warning cybercriminals that their data is now in the hands of the law enforcement. --------------------------------------------- https://www.bleepingcomputer.com/news/legal/redline-meta-infostealer-malwar… ∗∗∗ 70 Zero-Day-Lücken ausgenutzt: Pwn2Own-Hacker knacken Samsung Galaxy S24 und mehr ∗∗∗ --------------------------------------------- Bei dem Wettbewerb wurden auch diverse Kameras, Drucker und NAS-Systeme attackiert. An ein Pixel 8 oder iPhone 15 hat sich aber niemand rangetraut. --------------------------------------------- https://www.golem.de/news/70-zero-day-luecken-ausgenutzt-pwn2own-hacker-kna… ∗∗∗ The Windows Registry Adventure #4: Hives and the registry layout ∗∗∗ --------------------------------------------- To a normal user or even a Win32 application developer, the registry layout may seem simple: there are five root keys that we know from Regedit (abbreviated as HKCR, HKLM, HKCU, HKU and HKCC), and each of them contains a nested tree structure that serves a specific role in the system. But as one tries to dig deeper and understand how the registry .. --------------------------------------------- https://googleprojectzero.blogspot.com/2024/10/the-windows-registry-adventu… ∗∗∗ Notorious Hacker Group TeamTNT Launches New Cloud Attacks for Crypto Mining ∗∗∗ --------------------------------------------- The infamous cryptojacking group known as TeamTNT appears to be readying for a new large-scale campaign targeting cloud-native environments for mining cryptocurrencies and renting out breached servers to third-parties."The group is currently .. --------------------------------------------- https://thehackernews.com/2024/10/notorious-hacker-group-teamtnt-launches.h… ∗∗∗ Cybercriminals Pose a Greater Threat of Disruptive US Election Hacks Than Russia or China ∗∗∗ --------------------------------------------- A report distributed by the US Department of Homeland Security warned that financially motivated cybercriminals are more likely to attack US election infrastructure than state-backed hackers. --------------------------------------------- https://www.wired.com/story/cybercriminals-disruptive-hacking-us-elections-… ∗∗∗ Vulnerabilities of Realtek SD card reader driver, part 1 ∗∗∗ --------------------------------------------- These vulnerabilities enable non-privileged users to leak the contents of kernel pool and kernel stack, write to arbitrary kernel memory, and, the most interesting, read and write physical memory from user mode via the DMA capability of the device. The vulnerabilities have remained undisclosed for years, affecting many OEMs, including Dell, .. --------------------------------------------- https://zwclose.github.io/2024/10/14/rtsper1.html ∗∗∗ Inside the Open Directory of the “You Dun” Threat Group ∗∗∗ --------------------------------------------- The DFIR Report’s Threat Intel Team detected an open directory in January 2024 and analyzed it for trade craft and threat actor activity. Once reviewed, we identified it was related to the Chinese speaking hacking group that call themselves “You Dun” .. --------------------------------------------- https://thedfirreport.com/2024/10/28/inside-the-open-directory-of-the-you-d… ∗∗∗ Die NSA empfiehlt wöchentliches Smartphone-Reboot ∗∗∗ --------------------------------------------- Interessante Information, die mir die Woche untergekommen ist. Die US-Sicherheitsbehörde NSA (National Security Agency, Inlandsgeheimdienst) empfiehlt einmal wöchentlich sein Smartphone neu zu starten. Das ganze hat einen sicherheitstechnischen Hintergrund. Durch den Neustart soll Malware, die nicht persistent .. --------------------------------------------- https://www.borncity.com/blog/2024/10/27/die-nsa-empfiehlt-woechentliches-s… ∗∗∗ Anatomy of an LLM RCE ∗∗∗ --------------------------------------------- As large language models (LLMs) become more advanced and are granted additional capabilities by developers, security risks increase dramatically. Manipulated LLMs are no longer just a .. --------------------------------------------- https://www.cyberark.com/resources/threat-research-blog/anatomy-of-an-llm-r… ∗∗∗ Hybrid Russian Espionage and Influence Campaign Aims to Compromise Ukrainian Military Recruits and Deliver Anti-Mobilization Narratives ∗∗∗ --------------------------------------------- In September 2024, Google Threat Intelligence Group (consisting of Google’s Threat Analysis Group (TAG) and Mandiant) discovered UNC5812, a suspected Russian hybrid espionage and influence operation, delivering Windows and Android malware using a Telegram persona named "Civil Defense". "Civil Defense" claims to be a provider of free .. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/russian-espionage-… ∗∗∗ Secure Coding: Unbefugten Zugriff durch Path Traversal (CWE-22) verhindern ∗∗∗ --------------------------------------------- CWE-22 beschreibt die unsachgemäße Veränderung eines Pfadnamens auf ein eingeschränktes Verzeichnis. Wie lässt sich die Schwachstelle in den Griff bekommen? --------------------------------------------- https://heise.de/-9982270 ∗∗∗ Black Basta-Gruppe nutzt Microsoft Teams-Chatfunktion ∗∗∗ --------------------------------------------- Die als "Black Basta" bekannte Ransomware-Gruppe hat einen neuen Mechanismus entwickelt, der die Chatfunktion von Microsoft Teams zur Kontaktaufnahme ausnutzt. --------------------------------------------- https://heise.de/-9995322 ∗∗∗ Nvidia: Rechteausweitung durch Sicherheitslücken in Grafiktreiber möglich ∗∗∗ --------------------------------------------- Nvidia warnt vor mehreren Sicherheitslücken in den Grafiktreibern, die etwa das Ausweiten der Rechte ermöglichen. Updates stehen bereit. --------------------------------------------- https://heise.de/-9995842 ∗∗∗ Lagebericht 2024: Fast 8 Millionen Mal installierte Malware in Google Play ∗∗∗ --------------------------------------------- IT-Forscher haben die mobile-Malware-Situation der vergangenen 12 Monate untersucht. Mehr als 200 App-Fälschungen lauerten in Google Play. --------------------------------------------- https://heise.de/-9996456 ∗∗∗ VMware Tanzu Spring Security: Umgehung von Autorisierungsregeln möglich ∗∗∗ --------------------------------------------- In VMware Tanzu Spring Security klafft eine kritische Sicherheitslücke, die Angreifern die Umgehung von Autorisierungsregeln ermöglicht. --------------------------------------------- https://heise.de/-9996582 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (kernel, python3.12, and python3.9), Debian (activemq, chromium, libheif, nss, and twisted), Fedora (chromium, dnsdist, dotnet8.0, edk2, glibc, libdigidocpp, mbedtls3.6, NetworkManager-libreswan, oath-toolkit, podman-tui, prometheus-podman-exporter, python-fastapi, python-openapi-core, .. --------------------------------------------- https://lwn.net/Articles/996085/ ∗∗∗ Chatwork Desktop Application (Windows) uses a potentially dangerous function ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN78335885/ ∗∗∗ K000148252: Python tarfile vulnerability CVE-2024-6232 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000148252 ∗∗∗ K000148256: libarchive vulnerability CVE-2018-1000880 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000148256 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.10.2024
by Daily end-of-shift report 25 Oct '24

25 Oct '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 24-10-2024 18:00 − Freitag 25-10-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Denial of Service in Cisco ASA & FTD und weitere Cisco Advisories ∗∗∗ --------------------------------------------- Cisco berichtet in einem kürzlich veröffentlichten Advisory, sich "malicious use" einer Denial-of-Service Sicherheitslücke in Cisco Adaptive Security Appliance & Firepower Threat Defense Software Remote Access VPN bewusst zu sein. Berichten nach handelt es sich hierbei aber nicht um gezielte Denial-of-Service Angriffe, sondern um Seiteneffekte von breitgestreuten Brute-Force oder Credential-Spraying Attacken. --------------------------------------------- https://www.cert.at/de/aktuelles/2024/10/denial-of-service-in-cisco-asa-ftd… ∗∗∗ Objektorientiert und weniger redundant: Das BSI stellt den IT-Grundschutz++ vor ∗∗∗ --------------------------------------------- Das BSI hat sich das Ziel gesetzt, den IT-Grundschutz anwenderfreundlicher zu machen. Dafür setzt man auf Maschinenlesbarkeit und eine schlankere Dokumentation. --------------------------------------------- https://heise.de/-9994010 ∗∗∗ AWS Cloud Development Kit Vulnerability Exposes Users to Potential Account Takeover Risks ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed a security flaw impacting Amazon Web Services (AWS) Cloud Development Kit (CDK) that could have resulted in an account takeover under specific circumstances. [..] Following responsible disclosure on June 27, 2024, the issue was addressed by the project maintainers in CDK version 2.149.0 released in July. --------------------------------------------- https://thehackernews.com/2024/10/aws-cloud-development-kit-vulnerability.h… ∗∗∗ NotLockBit: ransomware discovery serves as wake-up call for Mac users ∗∗∗ --------------------------------------------- Historically, Mac users havent had to worry about malware as much as their Windows-using cousins. But that doesnt mean that Mac users should be complacent. And the recent discovery of a new malware strain emphasises that the threat - even if much smaller than on Windows - remains real. --------------------------------------------- https://www.tripwire.com/state-of-security/notlockbit-rransomware-discovery… ∗∗∗ Embargo ransomware: Rock’n’Rust ∗∗∗ --------------------------------------------- Novice ransomware group Embargo is testing and deploying a new Rust-based toolkit --------------------------------------------- https://www.welivesecurity.com/en/eset-research/embargo-ransomware-rocknrus… ∗∗∗ From crisis to confidence: How the University of Rijeka used a network breach to reboot their cybersecurity ∗∗∗ --------------------------------------------- How would your institution respond if a seemingly ordinary system check uncovered a major security incident? That’s exactly what the University of Rijeka faced when a member of the IT team discovered an unauthorised virtual machine template during a routine check — just as a new academic year began. --------------------------------------------- https://connect.geant.org/2024/10/25/from-crisis-to-confidence-how-the-univ… ∗∗∗ Moderne Datenkraken: Smart-TVs tracken sogar HDMI-Inhalte ∗∗∗ --------------------------------------------- Smart-TVs werten sogar dann Bildinhalte aus, wenn ein HDMI-Zuspieler genutzt wird. Die Analysen dienen gezielter Werbung. --------------------------------------------- https://heise.de/-9994787 ∗∗∗ Vonovia in der Kritik: Smarte Rauchmelder bergen Risiko der Spionage ∗∗∗ --------------------------------------------- Die Rauchmelder erfassen allerhand Informationen über die Luftqualität und schicken sie durchs Internet - für Kriminelle ein willkommener Datenschatz. [..] Vonovia selbst verarbeitet die Daten angeblich nur in anonymisierter Form. --------------------------------------------- https://www.golem.de/news/vonovia-in-der-kritik-smarte-rauchmelder-bergen-r… ===================== = Vulnerabilities = ===================== NTR -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.10.2024
by Daily end-of-shift report 24 Oct '24

24 Oct '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 23-10-2024 18:00 − Donnerstag 24-10-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ New Qilin ransomware encryptor features stronger encryption, evasion ∗∗∗ --------------------------------------------- A new Rust-based variant of the Qilin (Agenda) ransomware strain, dubbed Qilin.B, has been spotted in the wild, featuring stronger encryption, better evasion from security tools, and the ability to disrupt data recovery mechanisms. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-qilin-ransomware-encrypt… ∗∗∗ Neue OpenSSL-Lücke ist gefährlich, aber sehr schwer auszunutzen ∗∗∗ --------------------------------------------- Während SuSE und BSI ein hohes Risiko sehen, verweist das OpenSSL-Projekt auf umfangreiche Vorbedingungen eines Exploits. Vorerst kommen keine Updates. [..] Das Risiko der Lücke mit der CVE-ID CVE-2024-9143 schätzten sie als niedrig ein, weil der Fehler schwierig auszunutzen sei. --------------------------------------------- https://heise.de/-9992067 ∗∗∗ Location tracking of phones is out of control. Here’s how to fight back. ∗∗∗ --------------------------------------------- Unique IDs assigned to Android and iOS devices threaten your privacy. Who knew? You likely have never heard of Babel Street or Location X, but chances are good that they know a lot about you and anyone else you know who keeps a phone nearby around the clock. --------------------------------------------- https://arstechnica.com/information-technology/2024/10/phone-tracking-tool-… ∗∗∗ Investigating volatile data with advanced memory forensics tools – part 1 ∗∗∗ --------------------------------------------- In this two post series I want to highlight how memory forensics plays a crucial role in enhancing forensic investigations. Specifically by providing access to volatile data that cannot be retrieved from storage devices like hard drives. --------------------------------------------- https://www.pentestpartners.com/security-blog/investigating-volatile-data-w… ===================== = Vulnerabilities = ===================== ∗∗∗ Kritische Zero-Day Schwachstelle in FortiManager wird aktiv ausgenutzt - Update verfügbar ∗∗∗ --------------------------------------------- In FortiManager wurde eine kritische Sicherheitslücke entdeckt, die bereits aktiv von Angreifern ausgenutzt wird. Die Schwachstelle ermöglicht es einem nicht authentifizierten Angreifer aus der Ferne, beliebigen Code oder Befehle auszuführen. CVE-2024-47575, CVSS Base Score: 9.8 --------------------------------------------- https://www.cert.at/de/warnungen/2024/10/kritische-zero-day-schwachstelle-i… ∗∗∗ Cisco meldet mehr als 35 Sicherheitslücken in Firewall-Produkten ∗∗∗ --------------------------------------------- Ciscos ASA, Firepower und Secure Firewall Management Center weisen teils kritische Sicherheitslücken auf. Mehr als 35 schließen nun verfügbare Updates. [..] Drei der Sicherheitsmeldungen behandeln als kritisches Risiko eingestufte Sicherheitslücken, elf solche mit hohem Risiko, 21 als mittleren Bedrohungsgrad eingestufte Schwachstellen und eine weitere Meldung hat informativen Charakter ohne Risikobewertung. --------------------------------------------- https://heise.de/-9992639 ∗∗∗ Drupal Security Advisories 2024-10-23 ∗∗∗ --------------------------------------------- Drupal released 5 security advisories. (1 Critical, 3 Moderately Critical, 1 Less Critical) --------------------------------------------- https://www.drupal.org/security ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (grafana, NetworkManager-libreswan, python3.11, and python39:3.9 and python39-devel:3.9), Fedora (dotnet6.0, koji, python-fastapi, python-openapi-core, python-platformio, python-starlette, rust-pyo3, rust-pyo3-build-config, rust-pyo3-ffi, rust-pyo3-macros, rust-pyo3-macros-backend, and yarnpkg), Oracle (grafana, kernel, linux-firmware, NetworkManager-libreswan, and python3.11), Slackware (php81), and SUSE (apache2, buildah, cups-filters, go1.21-openssl, podman, postgresql16, python-pyOpenSSL, and webkit2gtk3). --------------------------------------------- https://lwn.net/Articles/995550/ ∗∗∗ VU#123336: Vulnerable WiFi Alliance example code found in Arcadyan FMIMG51AX000J ∗∗∗ --------------------------------------------- https://kb.cert.org/vuls/id/123336 ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (October 14, 2024 to October 20, 2024) ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2024/10/wordfence-intelligence-weekly-wordpr… ∗∗∗ Unauthentifizierte Path Traversal Schwachstelle in Lawo AG vsm LTC Time Sync (vTimeSync) ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/unauthenticated-path-… ∗∗∗ iniNet Solutions SpiderControl SCADA PC HMI Editor ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-298-02 ∗∗∗ VIMESA VHF/FM Transmitter Blue Plus ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-298-01 ∗∗∗ Deep Sea Electronics DSE855 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-298-03 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.10.2024
by Daily end-of-shift report 23 Oct '24

23 Oct '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 22-10-2024 18:00 − Mittwoch 23-10-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ Exploit released for new Windows Server "WinReg" NTLM Relay attack ∗∗∗ --------------------------------------------- Proof-of-concept exploit code is now public for a vulnerability in Microsofts Remote Registry client that could be used to take control of a Windows domain by downgrading the security of the authentication process. --------------------------------------------- https://www.bleepingcomputer.com/news/security/exploit-released-for-new-win… ∗∗∗ Hackers exploit 52 zero-days on the first day of Pwn2Own Ireland ∗∗∗ --------------------------------------------- On the first day of Pwn2Own Ireland, participants demonstrated 52 zero-day vulnerabilities across a range of devices, earning a total of $486,250 in cash prizes. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-exploit-52-zero-days… ∗∗∗ Fortinet warns of new critical FortiManager flaw used in zero-day attacks ∗∗∗ --------------------------------------------- Fortinet publicly disclosed today a critical FortiManager API vulnerability, tracked as CVE-2024-47575, that was exploited in zero-day attacks to steal sensitive files containing configurations, IP addresses, and credentials for managed devices. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fortinet-warns-of-new-critic… ∗∗∗ Android und iOS: Fest codierte Cloud-Zugangsdaten in populären Apps entdeckt ∗∗∗ --------------------------------------------- Betroffen sind mehrere Apps mit teils Millionen von Downloads. Den Entdeckern zufolge gefährdet dies nicht nur Backend-Dienste, sondern auch Nutzerdaten. --------------------------------------------- https://www.golem.de/news/android-und-ios-fest-codierte-cloud-zugangsdaten-… ∗∗∗ Grandoreiro, the global trojan with grandiose ambitions ∗∗∗ --------------------------------------------- In this report, Kaspersky experts analyze recent Grandoreiro campaigns, new targets, tricks, and banking trojan versions. --------------------------------------------- https://securelist.com/grandoreiro-banking-trojan/114257/ ∗∗∗ The Crypto Game of Lazarus APT: Investors vs. Zero-days ∗∗∗ --------------------------------------------- Kaspersky GReAT experts break down the new campaign of Lazarus APT which uses social engineering and exploits a zero-day vulnerability in Google Chrome for financial gain. --------------------------------------------- https://securelist.com/lazarus-apt-steals-crypto-with-a-tank-game/114282/ ∗∗∗ CISA Warns of Active Exploitation of Microsoft SharePoint Vulnerability (CVE-2024-38094) ∗∗∗ --------------------------------------------- A high-severity flaw impacting Microsoft SharePoint has been added to the Known Exploited Vulnerabilities (KEV) catalog by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday, citing evidence of active .. --------------------------------------------- https://thehackernews.com/2024/10/cisa-warns-of-active-exploitation-of.html ∗∗∗ Achtung Fake-Shop: sparhimmel24.de ∗∗∗ --------------------------------------------- sparhimmel24.de ist ein betrügerischer Online-Shop, der Sie mit vermeintlichen Schnäppchen in die Falle lockt. Bestellungen werden trotz Bezahlung nicht geliefert. Wir zeigen Ihnen wie Sie Fake-Shops erkennen und sich vor Betrug schützen können. --------------------------------------------- https://www.watchlist-internet.at/news/achtung-fake-shop-sparhimmel24de ∗∗∗ Deceptive Delight: Jailbreak LLMs Through Camouflage and Distraction ∗∗∗ --------------------------------------------- We examine an LLM jailbreaking technique called "Deceptive Delight," a technique that mixes harmful topics with benign ones to trick AIs, with a high success rate.The post Deceptive Delight: Jailbreak LLMs Through Camouflage and Distraction appeared first on Unit 42. --------------------------------------------- https://unit42.paloaltonetworks.com/jailbreak-llms-through-camouflage-distr… ∗∗∗ Burning Zero Days: FortiJump FortiManager vulnerability used by nation state in espionage via MSPs ∗∗∗ --------------------------------------------- Did you know there’s widespread exploitation of FortiNet products going on using a zero day, and that there’s no CVE? Now you do. --------------------------------------------- https://doublepulsar.com/burning-zero-days-fortijump-fortimanager-vulnerabi… ∗∗∗ Threat Spotlight: WarmCookie/BadSpace ∗∗∗ --------------------------------------------- WarmCookie is a malware family that emerged in April 2024 and has been distributed via regularly conducted malspam and malvertising campaigns. --------------------------------------------- https://blog.talosintelligence.com/warmcookie-analysis/ ∗∗∗ Sicherheitslücke in Samsung-Android-Treiber wird angegriffen ∗∗∗ --------------------------------------------- Treiber für Samsungs Mobilprozessoren ermöglichen Angreifern das Ausweiten ihrer Rechte. Google warnt vor laufenden Angriffen darauf. --------------------------------------------- https://heise.de/-9991521 ∗∗∗ Public Report: WhatsApp Contacts Security Assessment ∗∗∗ --------------------------------------------- In May 2024, Meta engaged NCC Group’s Cryptography Services practice to perform a cryptography security assessment of selected aspects of the WhatsApp Identity Proof Linked Storage (IPLS) protocol implementation. IPLS underpins the WhatsApp Contacts solution, which aims to store .. --------------------------------------------- https://www.nccgroup.com/us/research-blog/public-report-whatsapp-contacts-s… ===================== = Vulnerabilities = ===================== ∗∗∗ SSA-333468: Multiple Vulnerabilities in InterMesh Subscriber Devices ∗∗∗ --------------------------------------------- InterMesh Subscriber devices contain multiple vulnerabilities that could allow an unauthenticated remote attacker to execute arbitrary code with root privileges. CVSS v4.0 Base Score: 10.0, CVE-2024-47901 --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-333468.html?ste_sid=23… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (dmitry, libheif, and python-sql), Fedora (suricata and wireshark), SUSE (cargo-c, libeverest, protobuf, and qemu), and Ubuntu (golang-1.22, libheif, unbound, and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/995293/ ∗∗∗ 2024-10-21: Cyber Security Advisory - ABB Relion 611, 615, 620, 630 series, REX610, REX640, SMU615, SSC600, Arctic solution, COM600, SPA ZC-400, SUE3000 Guidelines to Prevent Unauthorized Modifications of Firmware and Configuration ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=2NGA001911&Language… ∗∗∗ Authenticated Remote Code Execution in multiple Xerox printers ∗∗∗ --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/authenticated-remote-cod… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.10.2024
by Daily end-of-shift report 22 Oct '24

22 Oct '24

===================== = End-of-Day report = ===================== Timeframe: Montag 21-10-2024 18:00 − Dienstag 22-10-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ FortiManager: Update dichtet offenbar attackiertes Sicherheitsleck ab ∗∗∗ --------------------------------------------- Ohne öffentliche Informationen hat Fortinet Updates für FortiManager veröffentlicht. Sie schließen offenbar attackierte Sicherheitslücken. --------------------------------------------- https://heise.de/-9990393 ∗∗∗ Auch ein .rdp File kann gefährlich sein ∗∗∗ --------------------------------------------- Heute wurde in ganz Europa eine Spear-Phishing Kampagne beobachtet, bei der es darum geht, dass der Empfänger ein angehängtes RDP File öffnen soll. --------------------------------------------- https://www.cert.at/de/aktuelles/2024/10/auch-rdp-file-kann-gefahrlich-sein ∗∗∗ Security Flaw in Styras OPA Exposes NTLM Hashes to Remote Attackers ∗∗∗ --------------------------------------------- Details have emerged about a now-patched security flaw in Styras Open Policy Agent (OPA) that, if successfully exploited, could have led to leakage of New Technology LAN Manager (NTLM) hashes. --------------------------------------------- https://thehackernews.com/2024/10/security-flaw-in-styras-opa-exposes.html ∗∗∗ Pixel perfect Ghostpulse malware loader hides inside PNG image files ∗∗∗ --------------------------------------------- The Ghostpulse malware strain now retrieves its main payload via a PNG image file's pixels. This development, security experts say, is "one of the most significant changes" made by the crooks behind it since launching in 2023. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2024/10/22/ghostpulse_m… ∗∗∗ OpenSSL 3.4.0 released ∗∗∗ --------------------------------------------- Version 3.4.0 of the OpenSSL SSL/TLS library has been released. It adds anumber of new encryption algorithms, support for "directly fetchedcomposite signature algorithms such as RSA-SHA2-256", and more. See therelease notes for details. --------------------------------------------- https://lwn.net/Articles/995098/ ∗∗∗ Akira ransomware continues to evolve ∗∗∗ --------------------------------------------- As the Akira ransomware group continues to evolve its operations, Talos has the latest research on the groups attack chain, targeted verticals, and potential future TTPs. --------------------------------------------- https://blog.talosintelligence.com/akira-ransomware-continues-to-evolve/ ∗∗∗ Threat actor abuses Gophish to deliver new PowerRAT and DCRAT ∗∗∗ --------------------------------------------- Cisco Talos recently discovered a phishing campaign using an open-source phishing toolkit called Gophish by an unknown threat actor. [..] Talos discovered an undocumented PowerShell RAT we’re calling PowerRAT, as one of the payloads and another infamous Remote Access Tool (RAT) DCRAT. --------------------------------------------- https://blog.talosintelligence.com/gophish-powerrat-dcrat/ ∗∗∗ Using gRPC and HTTP/2 for Cryptominer Deployment: An Unconventional Approach ∗∗∗ --------------------------------------------- In this blog entry, we discuss how malicious actors are exploiting Docker remote API servers via gRPC/h2c to deploy the cryptominer SRBMiner to facilitate their mining of XRP on Docker hosts. --------------------------------------------- https://www.trendmicro.com/en_us/research/24/j/using-grpc-http-2-for-crypto… ∗∗∗ Web Application Security for DevOps: Site and Origin Dynamics and Cross-Site Request Forgery ∗∗∗ --------------------------------------------- This is a continuation of the series on web application security where we dive into cookie dynamics. --------------------------------------------- https://www.bitsight.com/blog/web-application-security-devops-site-and-orig… ===================== = Vulnerabilities = ===================== ∗∗∗ VMware fixes bad patch for critical vCenter Server RCE flaw ∗∗∗ --------------------------------------------- VMware has released another security update for CVE-2024-38812, a critical VMware vCenter Server remote code execution vulnerability that was not correctly fixed in the first patch from September 2024. --------------------------------------------- https://www.bleepingcomputer.com/news/security/vmware-fixes-bad-patch-for-c… ∗∗∗ Zyxel security advisory for insufficiently protected credentials vulnerability in firewalls ∗∗∗ --------------------------------------------- The insufficiently protected credentials vulnerability in the CLI command of the USG FLEX H series firewalls could allow an authenticated local attacker to gain privilege escalation by stealing the authentication token of a login administrator. Note that this attack could be successful only if the administrator has not logged out. --------------------------------------------- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ffmpeg, ghostscript, libsepol, openjdk-11, openjdk-17, perl, and python-sql), Oracle (389-ds-base, buildah, containernetworking-plugins, edk2, httpd, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-21-openjdk, kernel, python-setuptools, skopeo, and webkit2gtk3), Red Hat (buildah), Slackware (openssl), SUSE (apache2, firefox, libopenssl-3-devel, podman, and python310-starlette), and Ubuntu (cups-browsed, firefox, libgsf, and linux-gke). --------------------------------------------- https://lwn.net/Articles/995095/ ∗∗∗ Dell Product Security Update Advisory (CVE-2024-45766) ∗∗∗ --------------------------------------------- https://asec.ahnlab.com/en/83995/ ∗∗∗ SolarWinds Product Security Update Advisory (CVE-2024-45711) ∗∗∗ --------------------------------------------- https://asec.ahnlab.com/en/84002/ ∗∗∗ ICONICS and Mitsubishi Electric Products ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-296-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.10.2024
by Daily end-of-shift report 21 Oct '24

21 Oct '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 18-10-2024 18:00 − Montag 21-10-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ New macOS vulnerability, “HM Surf”, could lead to unauthorized data access ∗∗∗ --------------------------------------------- Microsoft Threat Intelligence uncovered a macOS vulnerability that could potentially allow an attacker to bypass the operating system’s Transparency, Consent, and Control (TCC) technology and gain unauthorized access to a user’s protected data. The vulnerability, which we refer to as “HM Surf”, involves removing the TCC protection for the Safari browser directory and modifying a configuration file in the said directory to gain access to the user’s data, including browsed pages, the device’s camera, microphone, and location, without the user’s consent. [..] Apple released a fix for this vulnerability, now identified as CVE-2024-44133, as part of security updates for macOS Sequoia, released on September 16, 2024. At present, only Safari uses the new protections afforded by TCC. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2024/10/17/new-macos-vulnerab… ∗∗∗ Hooked by the Call: A Deep Dive into The Tricks Used in Callback Phishing Emails ∗∗∗ --------------------------------------------- Previously, Trustwave SpiderLabs covered a massive fake order spam scheme that impersonated a tech support company and propagated via Google Groups. Since then, we have observed more spam campaigns using this hybrid form of cyberattack with varying tactics, techniques, and procedures (TTP). [..] In this blog, we will showcase the different spam techniques used in these phishing emails. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/hooked-by-t… ∗∗∗ Hackers Exploit Roundcube Webmail XSS Vulnerability to Steal Login Credentials ∗∗∗ --------------------------------------------- Unknown threat actors have been observed attempting to exploit a now-patched security flaw in the open-source Roundcube webmail software as part of a phishing attack designed to steal user credentials. [..] The attack chain, per Positive Technologies, is an attempt to exploit CVE-2024-37383 (CVSS score: 6.1), a stored cross-site scripting (XSS) vulnerability via SVG animate attributes that allows for execution of arbitrary JavaScript in the context of the victim's web browser. --------------------------------------------- https://thehackernews.com/2024/10/hackers-exploit-roundcube-webmail-xss.html ∗∗∗ Severe flaws in E2EE cloud storage platforms used by millions ∗∗∗ --------------------------------------------- Several end-to-end encrypted (E2EE) cloud storage platforms are vulnerable to a set of security issues that could expose user data to malicious actors. [..] The researchers notified Sync, pCloud, Seafile, and Icedrive of their findings on April 23, 2024, and contacted Tresorit on September 27, 2024, to discuss potential improvements in their particular cryptographic designs. [..] BleepingComputer contacted all five cloud service providers for a comment on Hofmann's and Truong's research, and we received the below statements. --------------------------------------------- https://www.bleepingcomputer.com/news/security/severe-flaws-in-e2ee-cloud-s… ∗∗∗ Open source LLM tool primed to sniff out Python zero-days ∗∗∗ --------------------------------------------- The static analyzer uses Claude AI to identify vulns and suggest exploit code Researchers with Seattle-based Protect AI plan to release a free, open source tool that can find zero-day vulnerabilities in Python codebases with the help of Anthropics Claude AI model. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2024/10/20/python_zero_… ∗∗∗ Hunting for Remote Management Tools: Detecting RMMs ∗∗∗ --------------------------------------------- Given the wide range of different RMM tools available, performing a threat hunt to identify all different available tools used in the organization brings a couple of challenges. In this blog, we’ll dive a little deeper into how we tackled this challenge and share this knowledge so you can use it to keep your organization safe. --------------------------------------------- https://blog.nviso.eu/2024/10/21/hunting-for-remote-management-tools-detect… ∗∗∗ Cisco bestätigt Attacke auf DevHub-Portal und nimmt es offline ∗∗∗ --------------------------------------------- Cisco hat aktuell laufende Untersuchungen zu einem IT-Sicherheitsvorfall vorangetrieben und nun eine Attacke bestätigt. Dabei sollen Angreifer Zugriff auf nicht für die Öffentlichkeit bestimmte Daten gehabt haben. --------------------------------------------- https://heise.de/-9987412 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (asterisk, chromium, php-horde-mime-viewer, and php-horde-turba), Fedora (apache-commons-io, buildah, chromium, containers-common, libarchive, libdigidocpp, oath-toolkit, podman, rust-hyper-rustls, rust-reqwest, rust-rustls-native-certs, rust-rustls-native-certs0.7, rust-tonic, rust-tonic-build, rust-tonic-types, rust-tower, rust-tower-http, rust-tower-http0.5, rust-tower0.4, thunderbird, and unbound), SUSE (buildah, chromedriver, chromium, element-desktop, element-web, jetty-annotations, nodejs-electron, php7, php74, php8, podman, python3-virtualbox, qemu, thunderbird, and valkey), and Ubuntu (amd64-microcode). --------------------------------------------- https://lwn.net/Articles/994941/ ∗∗∗ Angreifer können PCs mit Virenschutz von Bitdefender und Trend Micro attackieren ∗∗∗ --------------------------------------------- Sicherheitslücken in Virenschutz-Software von Bitdefender und Trend Micro gefährden Systeme. Admins sollten die verfügbaren Sicherheitsupdates zeitnah installieren, um Attacken vorzubeugen. [..] Im Supportbereich der Bitdefender-Website geben die Entwickler an, in diesem Kontext insgesamt fünf Sicherheitslücken (CVE-2023-49567, CVE-2023-49570, CVE-2023-6055, CVE-2023-6056, CVE-2023-6057) mit dem Bedrohungsgrad "hoch" geschlossen zu haben. Damit so eine Attacke klappt, können Angreifer etwa über Hashkollsionen (MD5 und SHA1) Zertifikate erzeugen, die als legitim durchgewunken werden. Die Sicherheitsprobleme sollen in der sich automatisch installierenden Total-Security-Version 27.0.25.11 gelöst sein. --------------------------------------------- https://heise.de/-9987394 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.10.2024
by Daily end-of-shift report 18 Oct '24

18 Oct '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 17-10-2024 18:00 − Freitag 18-10-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Analysis of the Crypt Ghouls group: continuing the investigation into a series of attacks on Russia ∗∗∗ --------------------------------------------- A close look at the utilities, techniques, and infrastructure used by the hacktivist group Crypt Ghouls has revealed links to groups such as Twelve, BlackJack, etc. --------------------------------------------- https://securelist.com/crypt-ghouls-hacktivists-tools-overlap-analysis/1142… ∗∗∗ Feline Hackers Among Us? (A Deep Dive and Simulation of the Meow Attack) ∗∗∗ --------------------------------------------- Introduction In the perpetually evolving field of cybersecurity, new threats materialize daily. Attackers are on the prowl for weaknesses in infrastructure and software like a cat eyeing its helpless prey. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/feline-hack… ∗∗∗ U.S. and Allies Warn of Iranian Cyberattacks on Critical Infrastructure in Year-Long Campaign ∗∗∗ --------------------------------------------- Cybersecurity and intelligence agencies from Australia, Canada, and the U.S. have warned about a year-long campaign undertaken by Iranian cyber actors to infiltrate critical infrastructure organizations via brute-force attacks."Since October 2023, Iranian ..d --------------------------------------------- https://thehackernews.com/2024/10/us-and-allies-warn-of-iranian.html ∗∗∗ Intel hits back at Chinas accusations it bakes in NSA backdoors ∗∗∗ --------------------------------------------- Chipzilla says it obeys the law wherever it is, which is nice Intel has responded to Chinese claims that its chips include security backdoors at the direction of Americas NSA. --------------------------------------------- https://www.theregister.com/2024/10/18/intel_china_security_allegations/ ∗∗∗ Alleged Bitcoin crook faces 5 years after SECs X account pwned ∗∗∗ --------------------------------------------- SIM swappers strike again, warping cryptocurrency prices An Alabama man faces five years in prison for allegedly attempting to manipulate the price of Bitcoin by pwning the US Securities and Exchange Commissions X account earlier this year. --------------------------------------------- https://www.theregister.com/2024/10/18/sec_bitcoin_arrest/ ∗∗∗ Brazil Arrests ‘USDoD,’ Hacker in FBI Infragard Breach ∗∗∗ --------------------------------------------- Brazilian authorities reportedly have arrested a 33-year-old man on suspicion of being "USDoD," a prolific cybercriminal who rose to infamy in 2022 after infiltrating the FBIs InfraGard program and leaking contact information for 80,000 members. More recently, USDoD was behind a breach at the consumer data broker National Public Data that led .. --------------------------------------------- https://krebsonsecurity.com/2024/10/brazil-arrests-usdod-hacker-in-fbi-infr… ∗∗∗ EIW — ESET Israel Wiper — used in active attacks targeting Israeli orgs ∗∗∗ --------------------------------------------- One of my Mastodon followers sent me an interesting toot today, which lead to this forum post .. --------------------------------------------- https://doublepulsar.com/eiw-eset-israel-wiper-used-in-active-attacks-targe… ∗∗∗ What I’ve learned in my first 7-ish years in cybersecurity ∗∗∗ --------------------------------------------- Plus, a zero-day vulnerability in Qualcomm chips, exposed health care devices, and the latest on the Salt Typhoon threat actor. --------------------------------------------- https://blog.talosintelligence.com/threat-source-newsletter-oct-17-2024/ ∗∗∗ Call stack spoofing explained using APT41 malware ∗∗∗ --------------------------------------------- Summary Call stack spoofing isn’t a new technique, but it has become more popular in the last few years. Call stacks are a telemetry source for EDR software that can be used to determine if a process made suspicious actions (requesting a handle to the lsass process, writing suspicious code to a newly allocated area, .. --------------------------------------------- https://cybergeeks.tech/call-stack-spoofing-explained-using-apt41-malware/ ∗∗∗ Fake North Korean IT Workers Infiltrate Western Firms, Demand Ransom ∗∗∗ --------------------------------------------- North Korean hackers are infiltrating Western companies using fraudulent IT workers to steal sensitive data and extort ransom. --------------------------------------------- https://hackread.com/fake-north-korean-it-workers-west-firms-demand-ransom/ ∗∗∗ U.S. and UK Warn of Russian Cyber Threats: 9 of 12 GreyNoise-Tracked Vulnerabilities in the Advisory Are Being Probed Right Now ∗∗∗ --------------------------------------------- Joint U.S. and UK advisory identifies 24 vulnerabilities exploited by Russian state-sponsored APT 29, with GreyNoise detecting active probing on nine of these critical CVEs. Stay informed with real-time .. --------------------------------------------- https://www.greynoise.io/blog/u-s-and-uk-warn-of-russian-cyber-threats-9-of… ∗∗∗ Apple Passwörter: So lautet das Rezept für generierte Passwörter ∗∗∗ --------------------------------------------- Ein leitender Softwareentwickler Apples erklärt in einem Blogpost, nach welchem Muster Apple Passwörter generiert. --------------------------------------------- https://heise.de/-9986503 ===================== = Vulnerabilities = ===================== ∗∗∗ SVD-2024-1013: Third-Party Package Updates in Splunk Add-on for Office 365 - October 2024 ∗∗∗ --------------------------------------------- Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk Add-on for Office 365 versions 4.5.2 and higher. --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2024-1013 ∗∗∗ Synology-SA-24:17 Synology Camera ∗∗∗ --------------------------------------------- The vulnerabilities allow remote attackers to execute arbitrary code, remote attackers to bypass security constraints and remote attackers to conduct denial-of-service attacks via a susceptible version of Synology Camera BC500 Firmware, Synology Camera TC500 Firmware and Synology Camera CC400W Firmware. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_24_17 ∗∗∗ ZDI-24-1419: Trend Micro Deep Security Improper Access Control Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-1419/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.10.2024
by Daily end-of-shift report 17 Oct '24

17 Oct '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 16-10-2024 18:00 − Donnerstag 17-10-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Iranian hackers act as brokers selling critical infrastructure access ∗∗∗ --------------------------------------------- Iranian hackers are breaching critical infrastructure organizations to collect credentials and network data that can be sold on cybercriminal forums to enable cyberattacks from other threat actors. --------------------------------------------- https://www.bleepingcomputer.com/news/security/iranian-hackers-act-as-broke… ∗∗∗ Mit Standard-Zugangsdaten: Kubernetes-Lücke ermöglicht Root-Zugriff per SSH ∗∗∗ --------------------------------------------- Betroffen sind Images, die mit dem Kubernetes Image Builder erstellt wurden. Es gibt zwar einen Patch, doch der schützt bestehende Images nicht. --------------------------------------------- https://www.golem.de/news/mit-standard-zugangsdaten-kubernetes-luecke-ermoe… ∗∗∗ The 2024 State of ICS/OT Cybersecurity: Our Past and Our Future ∗∗∗ --------------------------------------------- The 2024 State of ICS/OT report shows our industry’s growth since 2019 and offers insight into how we may improve going into 2029. --------------------------------------------- https://www.sans.org/blog/the-2024-state-of-ics-ot-cybersecurity-our-past-a… ∗∗∗ DORA-Kernkonzepte verstehen: Fokus auf "Kritische oder wichtige Funktionen" ∗∗∗ --------------------------------------------- Mit dem Ziel, ein hohes Maß an digitaler operativer Widerstandsfähigkeit zu erreichen, bietet DORA einen umfassenden Rahmen für das wirksame .. --------------------------------------------- https://sec-consult.com/de/blog/detail/dora-core-concepts-critical-or-impor… ∗∗∗ Cisco confirms ongoing investigation after crims brag about selling tons of data ∗∗∗ --------------------------------------------- Networking giant says no evidence of impact on its systems but will tell customers if their info has been stolen UPDATED Cisco has confirmed it is investigating claims of stealing — and now selling — data belonging .. --------------------------------------------- https://www.theregister.com/2024/10/15/cisco_confirm_ongoing_investigation/ ∗∗∗ New ThreatLabz Report: Mobile remains a top threat vector with 111% spyware growth while IoT attacks rise 45% ∗∗∗ --------------------------------------------- The role of the CISO continues to expand, driven by the rising number of breaches and cyberattacks like ransomware, as well as SEC requirements for public organizations to disclose material breaches. Among the fastest-moving .. --------------------------------------------- https://www.zscaler.com/blogs/security-research/new-threatlabz-report-mobil… ∗∗∗ Sudanese Brothers Arrested in ‘AnonSudan’ Takedown ∗∗∗ --------------------------------------------- The U.S. government on Wednesday announced the arrest and charging of two Sudanese brothers accused of running Anonymous Sudan (a.k.a. AnonSudan), a cybercrime business known for launching powerful distributed denial-of-service (DDoS) attacks against a range of targets, including dozens of hospitals, news websites and cloud providers. One of the .. --------------------------------------------- https://krebsonsecurity.com/2024/10/sudanese-brothers-arrested-in-anonsudan… ∗∗∗ Russische Hackergruppe bekennt sich zu Angriff auf das Internet Archive ∗∗∗ --------------------------------------------- Eine Gruppe namens "SN_BLACKMETA" hat nach eigenen Angaben DDoS-Attacken auf die Internetbibliothek durchgeführt --------------------------------------------- https://www.derstandard.at/story/3000000241091/russische-hackergruppe-beken… ∗∗∗ Gatekeeper Bypass: Uncovering Weaknesses in a macOS Security Mechanism ∗∗∗ --------------------------------------------- Explore how macOS Gatekeepers security could be compromised by third-party apps not enforcing quarantine attributes effectively. --------------------------------------------- https://unit42.paloaltonetworks.com/gatekeeper-bypass-macos/ ∗∗∗ Ransomware: Threat Level Remains High in Third Quarter ∗∗∗ --------------------------------------------- Recently established RansomHub group overtakes LockBit to become most prolific ransomware operation. --------------------------------------------- https://symantec-enterprise-blogs.security.com/threat-intelligence/ransomwa… ∗∗∗ Cyber Resilience Act beschlossen ∗∗∗ --------------------------------------------- Der Cyber Resilience Act (CRA) ist eine EU-Verordnung für die Sicherheit in Hard- und Softwareprodukten mit digitalen Elementen, die am 10.10.2024 im Rat der Europäischen Union verabschiedet wurde. Nach der Veröffentlichung im Amtsblatt der EU wird das .. --------------------------------------------- https://certitude.consulting/blog/de/cyber-resilience-act-beschlossen/ ∗∗∗ Hacker allegedly behind attacks on FBI, Airbus, National Public Data arrested in Brazil ∗∗∗ --------------------------------------------- Police did not name the suspect, but a threat actor known as USDoD has long boasted of being behind the attacks that were highlighted by Brazilian law enforcement following the arrest. --------------------------------------------- https://therecord.media/hacker-behind-fbi-npd-airbus-attacks-arrested-brazil ∗∗∗ Why Hackers May Be Targeting You ∗∗∗ --------------------------------------------- In todays evolving cyber threat landscape, small and mid-sized businesses can reduce their risk by understanding cybercriminals, addressing misconceptions, and enhancing their cybersecurity and incident .. --------------------------------------------- https://www.emsisoft.com/en/blog/46073/why-hackers-may-be-targeting-you/ ===================== = Vulnerabilities = ===================== ∗∗∗ Oracle Releases Quarterly Critical Patch Update Advisory for October 2024 ∗∗∗ --------------------------------------------- Oracle released its quarterly Critical Patch Update Advisory for October 2024 to address vulnerabilities in multiple products. A cyber threat actor could exploit some of these vulnerabilities to take .. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/10/17/oracle-releases-quarterl… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- https://lwn.net/Articles/994630/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.10.2024
by Daily end-of-shift report 16 Oct '24

16 Oct '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 15-10-2024 18:00 − Mittwoch 16-10-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ ASEC and NCSC Release Joint Report on Microsoft Zero-Day Browser Vulnerability (CVE-2024-38178) ∗∗∗ --------------------------------------------- AhnLab SEcurity intelligence Center (ASEC) and the National Cyber Security Center (NCSC) have discovered a new zero-day vulnerability in the Microsoft Internet Explorer (IE) browser and have conducted a detailed analysis on attacks that exploit this vulnerability. This post shares the joint analysis report “Operation Code on Toast by TA-RedAnt” which details the findings of the ASEC and NCSC joint analysis and the responses to the threat. --------------------------------------------- https://asec.ahnlab.com/en/83877/ ∗∗∗ Exfiltration over Telegram Bots: Skidding Infostealer Logs ∗∗∗ --------------------------------------------- Bitsight’s visibility over infostealer malware which exfiltrates over Telegram suggests that the most infected countries are the USA, Turkey, and Russia, followed by India and Germany. --------------------------------------------- https://www.bitsight.com/blog/exfiltration-over-telegram-bots-skidding-info… ∗∗∗ EDRSilencer red team tool used in attacks to bypass security ∗∗∗ --------------------------------------------- A tool for red-team operations called EDRSilencer has been observed in malicious incidents attempting to identify security tools and mute their alerts to management consoles. --------------------------------------------- https://www.bleepingcomputer.com/news/security/edrsilencer-red-team-tool-us… ∗∗∗ Mehrere Dienste betroffen: Microsoft warnt Kunden vor Datenverlust beim Logging ∗∗∗ --------------------------------------------- Durch einen Softwarefehler hat Microsoft einige für seine Kunden wichtige Protokolldaten verloren. Betroffen sind mehrere Clouddienste des Konzerns. --------------------------------------------- https://www.golem.de/news/mehrere-dienste-betroffen-microsoft-warnt-kunden-… ∗∗∗ New Linux Variant of FASTCash Malware Targets Payment Switches in ATM Heists ∗∗∗ --------------------------------------------- The malware is "installed on payment switches within compromised networks that handle card transactions for the means of facilitating the unauthorized withdrawal of cash from ATMs," a security researcher who goes by HaxRob said. --------------------------------------------- https://thehackernews.com/2024/10/new-linux-variant-of-fastcash-malware.html ∗∗∗ Windows 11 24H2: Probleme mit VPN-Verbindungen, Direct Access … ∗∗∗ --------------------------------------------- Seit Microsoft Windows 11 24H2 allgemein freigegeben hat, sind mir Meldungen zu Problemen rund um das Thema VPN-Verbindungen (CheckPoint VPN, WireGuard, Direct Access) untergekommen. Ich fasse mal einige dieser Meldungen in einem Beitrag zusammen, auch um ein Bild zu bekommen, ob es nur Einzelfälle sind oder ob mehr Leute betroffen sind. --------------------------------------------- https://www.borncity.com/blog/2024/10/15/windows-11-24h2-probleme-mit-vpn-v… ∗∗∗ Windows 11 24H2: Recall nicht deinstallierbar … ∗∗∗ --------------------------------------------- Trotz gegenteiliger Zusicherungen stellt sich momentan heraus, dass Microsofts umstrittene Funktion Recall sich nicht [ohne Kollateralschäden] unter Windows 11 24H2 deinstallieren lässt – das Ganze ist aktuell aber wohl noch im Fluss. --------------------------------------------- https://www.borncity.com/blog/2024/10/16/windows-11-24h2-recall-nicht-deins… ∗∗∗ Fake LockBit, Real Damage: Ransomware Samples Abuse AWS S3 to Steal Data ∗∗∗ --------------------------------------------- This article uncovers a Golang ransomware abusing AWS S3 for data theft, and masking as LockBit to further pressure victims. The discovery of hard-coded AWS credentials in these samples led to AWS account suspensions. --------------------------------------------- https://www.trendmicro.com/en_us/research/24/j/fake-lockbit-real-damage-ran… ∗∗∗ Comparing AI Against Traditional Static Analysis Tools to Highlight Buffer Overflows ∗∗∗ --------------------------------------------- The idea of this blog post is to use open-source software tools to analyze unknown binaries for buffer overflows. In particular we are focusing on using Ollama3 to access multiple large language models. Ollama is a platform designed to simplify the deployment and usage of LLMs on local machines.This enables private data to be held locally instead of being sent to a cloud for processing. --------------------------------------------- https://www.nccgroup.com/us/research-blog/comparing-ai-against-traditional-… ===================== = Vulnerabilities = ===================== ∗∗∗ Oracle Critical Patch Update Advisory - October 2024 ∗∗∗ --------------------------------------------- A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches address vulnerabilities in Oracle code and in third party components included in Oracle products. These patches are usually cumulative, but each advisory describes only the security patches added since the previous Critical Patch Update Advisory. --------------------------------------------- https://www.oracle.com/security-alerts/cpuoct2024.html ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (buildah, containernetworking-plugins, and skopeo), Fedora (pdns-recursor and valkey), Mageia (unbound), Red Hat (fence-agents, firefox, java-11-openjdk, python-setuptools, python3-setuptools, resource-agents, and thunderbird), SUSE (etcd-for-k8s, libsonivox3, rubygem-puma, and unbound), and Ubuntu (apr, libarchive, linux, linux-aws, linux-aws-hwe, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, nano, and vim). --------------------------------------------- https://lwn.net/Articles/994436/ ∗∗∗ HP-DesignJet-Drucker: Angreifer können SMTP-Server-Logins abgreifen ∗∗∗ --------------------------------------------- Wie aus einer Warnmeldung hervorgeht, ist die Schwachstelle (CVE-2024-5749) mit dem Bedrohungsgrad "hoch" eingestuft. Klappen Attacken, sind SMTP-Server-Zugangsdaten einsehbar. Wie so ein Angriff ablaufen könnte, führen die HP-Entwickler derzeit nicht aus. Konkret davon betroffen sind die DesignJet-Modelle T730 und T830. --------------------------------------------- https://heise.de/-9983364 ∗∗∗ Mozilla: Security Vulnerabilities fixed in Firefox for iOS 131.2 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2024-54/ ∗∗∗ Synology-SA-24:14 Synology Photos ∗∗∗ --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_24_14 ∗∗∗ Synology-SA-24:13 BeePhotos ∗∗∗ --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_24_13 ∗∗∗ Bosch: Unrestricted resource consumption in BVMS ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-162032-bt.html ∗∗∗ F5: K000141463: Multiple Angular JS vulnerabilities CVE-2019-10768, CVE-2023-26116, CVE-2023-26117, and CVE-2023-26118 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000141463 ∗∗∗ F5: K000141459: Angular JS vulnerabilities CVE-2019-14863 and CVE-2022-25869 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000141459 ∗∗∗ F5: K000141302: Quarterly Security Notification (October 2024) ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000141302 ∗∗∗ F5: K000140061: BIG-IP monitors vulnerability CVE-2024-45844 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000140061 ∗∗∗ F5: K000141080: BIG-IQ vulnerability CVE-2024-47139 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000141080 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.10.2024
by Daily end-of-shift report 15 Oct '24

15 Oct '24

===================== = End-of-Day report = ===================== Timeframe: Montag 14-10-2024 18:00 − Dienstag 15-10-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ TrickMo malware steals Android PINs using fake lock screen ∗∗∗ --------------------------------------------- Forty new variants of the TrickMo Android banking trojan have been identified in the wild, linked to 16 droppers and 22 distinct command and control (C2) infrastructures, with new features designed to steal Android PINs. --------------------------------------------- https://www.bleepingcomputer.com/news/security/trickmo-malware-steals-andro… ∗∗∗ New FIDO proposal lets you securely move passkeys across platforms ∗∗∗ --------------------------------------------- The Fast IDentity Online (FIDO) Alliance has published a working draft of a new specification that aims to enable the secure transfer of passkeys between different providers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-fido-proposal-lets-you-s… ∗∗∗ BEC-ware the phish (part 1). Investigating incidents in M365 ∗∗∗ --------------------------------------------- This blog post is the first of three, that look at the key steps for an effective investigation, response, and remediation to email-based threats in M365. Part two covers response actions as well as short- and long-term remediations to prevent attackers getting back in. Part three considers the native detection and prevention options in M365. --------------------------------------------- https://www.pentestpartners.com/security-blog/bec-ware-the-phish-part-1-inv… ∗∗∗ Vorsicht vor Anrufen vom „Bankbetrugssystem Österreich“ ∗∗∗ --------------------------------------------- Derzeit werden uns wieder vermehrt Tonbandanrufe gemeldet. Eine computergenerierte Stimme gibt sich als Bankbetrugssystem Österreich aus und behauptet, dass eine Zahlung von 1500 Euro abgelehnt wurde und Ihr Konto möglicherweise gehackt wurde. Sie werden aufgefordert, die Taste „1“ zu drücken, um mit einer echten Person verbunden zu werden. Legen Sie auf, das ist Betrug! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-anrufen-vom-bankbetrugs… ∗∗∗ New Telekopye Scam Toolkit Targeting Booking.com and Airbnb Users ∗∗∗ --------------------------------------------- ESET Research found the Telekopye scam network targeting Booking.com and Airbnb. Scammers use phishing pages via compromised accounts to steal personal and payment details from travelers. --------------------------------------------- https://hackread.com/telekopye-scam-toolkit-hit-booking-com-airbnb-users/ ∗∗∗ CISA Adds Three Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CVE-2024-30088 Microsoft Windows Kernel TOCTOU Race Condition Vulnerability, CVE-2024-9680 Mozilla Firefox Use-After-Free Vulnerability, CVE-2024-28987 SolarWinds Web Help Desk Hardcoded Credential Vulnerability --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/10/15/cisa-adds-three-known-ex… ∗∗∗ Fortinet FortiGate CVE-2024-23113 - A Super Complex Vulnerability In A Super Secure Appliance In 2024 ∗∗∗ --------------------------------------------- Today wed like to share a recent journey into (yet another) SSLVPN appliance vulnerability - a Format String vulnerability, unusually, in Fortinets FortiGate devices. It affected (before patching) all currently-maintained branches, and recently was highlighted by CISA as being exploited-in-the-wild. --------------------------------------------- https://labs.watchtowr.com/fortinet-fortigate-cve-2024-23113-a-super-comple… ===================== = Vulnerabilities = ===================== ∗∗∗ Splunk Security Advisories 2024-10-14 ∗∗∗ --------------------------------------------- Splunk released 12 security advisories: 4x high, 8x medium --------------------------------------------- https://advisory.splunk.com//advisories ∗∗∗ Kritische Schwachstellen in Industrieroutern mbNET ∗∗∗ --------------------------------------------- In industriellen Fernwartungsgateways und Industrieroutern mbNET wurden mehrere, teils schwerwiegende Sicherheitsschwachstellen identifiziert. Sie ermöglichen es, das Gerät vollständig zu kompromittieren sowie verschlüsselte Konfigurationen zu entschlüsseln. --------------------------------------------- https://www.syss.de/pentest-blog/kritische-schwachstellen-in-industrieroute… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (container-tools:rhel8, firefox, OpenIPMI, podman, and thunderbird), Debian (libapache-mod-jk, php7.4, and webkit2gtk), Fedora (edk2, koji, libgsf, rust-hyper-rustls, rust-reqwest, rust-rustls-native-certs, rust-rustls-native-certs0.7, rust-tonic, rust-tonic-build, rust-tonic-types, rust-tower, rust-tower-http, rust-tower-http0.5, and rust-tower0.4), Mageia (packages and thunderbird), Oracle (bind, container-tools:ol8, kernel, kernel-container, OpenIPMI, podman, and thunderbird), Red Hat (container-tools:rhel8, containernetworking-plugins, podman, and skopeo), SUSE (argocd-cli, bsdtar, keepalived, kernel, kyverno, libmozjs-115-0, libmozjs-128-0, libmozjs-78-0, OpenIPMI, opensc, php8, thunderbird, and xen), and Ubuntu (configobj, haproxy, imagemagick, nginx, and postgresql-10, postgresql-9.3). --------------------------------------------- https://lwn.net/Articles/994268/ ∗∗∗ WordPress plugin Jetpack fixes nearly decade-old critical security flaw ∗∗∗ --------------------------------------------- The popular WordPress plugin Jetpack has released a critical security update, addressing a vulnerability that could have affected 27 million websites. [..] The flaw, which is not believed to have been exploited, was found in the plugin’s contact form feature and had remained unpatched since 2016. This vulnerability could be exploited by any logged-in user on a site to read forms submitted by other users, according to Jetpack engineer Jeremy Herve. --------------------------------------------- https://therecord.media/wordpress-jetpack-plugin-fixes-flaw ∗∗∗ ZDI-24-1382: QEMU SCSI Use-After-Free Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-1382/ ∗∗∗ Zahlreiche Schwachstellen im Rittal IoT Interface & CMC III Processing Unit ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/zahlreiche-schwachste… ∗∗∗ GitHub Enterprise Server (GHES) Security Update Advisory (CVE-2024-9487) ∗∗∗ --------------------------------------------- https://asec.ahnlab.com/en/83868/ ∗∗∗ Kubernetes: CVE-2024-9594 ∗∗∗ --------------------------------------------- https://github.com/kubernetes/kubernetes/issues/128007 ∗∗∗ Kubernetes: CVE-2024-9486 ∗∗∗ --------------------------------------------- https://github.com/kubernetes/kubernetes/issues/128006 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.10.2024
by Daily end-of-shift report 14 Oct '24

14 Oct '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 11-10-2024 18:00 − Montag 14-10-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Microsoft deprecates PPTP and L2TP VPN protocols in Windows Server ∗∗∗ --------------------------------------------- Microsoft has officially deprecated the Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP) in future versions of Windows Server, recommending admins switch to different protocols that offer increased security. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-deprecates-pptp-a… ∗∗∗ Google warns uBlock Origin and other extensions may be disabled soon ∗∗∗ --------------------------------------------- Googles Chrome Web Store is now warning that the uBlock Origin ad blocker and other extensions may soon be blocked as part of the companys deprecation of the Manifest V2 extension specification. --------------------------------------------- https://www.bleepingcomputer.com/news/google/google-warns-ublock-origin-and… ∗∗∗ Microsoft’s guidance to help mitigate Kerberoasting ∗∗∗ --------------------------------------------- Kerberoasting, a well-known Active Directory (AD) attack vector, enables threat actors to steal credentials and navigate through devices and networks. Microsoft is sharing recommended actions administrators can take now to help prevent successful Kerberoasting cyberattacks. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2024/10/11/microsofts-guidanc… ∗∗∗ Nation-State Attackers Exploiting Ivanti CSA Flaws for Network Infiltration ∗∗∗ --------------------------------------------- A suspected nation-state adversary has been observed weaponizing three security flaws in Ivanti Cloud Service Appliance (CSA) a zero-day to perform a series of malicious actions. That's according to findings from Fortinet FortiGuard Labs, which said the vulnerabilities were abused to gain unauthenticated access to the CSA, enumerate users configured in the appliance, and attempt to access the credentials of those users. --------------------------------------------- https://thehackernews.com/2024/10/nation-state-attackers-exploiting.html ∗∗∗ Chatbot Traps: How to Avoid Job Scams ∗∗∗ --------------------------------------------- While the strategies outlined here can help you detect AI-powered scams, it is important to recognise that AI technology is advancing rapidly. Many current weaknesses—such as difficulties with complex questions or live conversations—may diminish as AI continues to improve. --------------------------------------------- https://connect.geant.org/2024/10/14/chatbot-traps-how-to-avoid-job-scams ∗∗∗ Casio says ransomware attack exposed info of employees, customers and business partners ∗∗∗ --------------------------------------------- Japanese electronics manufacturer Casio confirmed on Friday that a cyber incident announced earlier this week was a ransomware attack that potentially exposed the information of employees, customers, business partners and affiliates. --------------------------------------------- https://therecord.media/casio-ransomware-attack-exposed-emplyee-customer-da… ∗∗∗ Achtung: Neue textbasierte QR-Code-Phishing-Varianten ∗∗∗ --------------------------------------------- Sicherheitsforscher von Barracuda sind auf eine neue Variante zur Gestaltung von Phishing-Nachrichten gestoßen. Diese verwenden QR-Codes aus textbasierten ASCII/Unicode-Zeichen, statt wie üblich aus statischen Bildern erstellt zu werden, um herkömmliche Sicherheitsmaßnahmen zu umgehen. --------------------------------------------- https://www.borncity.com/blog/2024/10/13/achtung-neue-textbasierte-qr-code-… ∗∗∗ Sicherheitslücke in Ecovacs-Saugrobotern erlaubt Remote-Steuerung durch Hacker ∗∗∗ --------------------------------------------- In den USA häufen sich Fälle, in denen gehackte Saugroboter offenbar fremdgesteuert Beleidigungen zurufen und Bilder über die interne Kamera übertragen. --------------------------------------------- https://heise.de/-9979104 ===================== = Vulnerabilities = ===================== ∗∗∗ Notfall-Update: Tor-Nutzer über kritische Firefox-Lücke attackiert ∗∗∗ --------------------------------------------- Eine kritische Firefox-Schwachstelle betrifft auch den Tor-Browser und Thunderbird. Patches stehen bereit, kommen für einige Tor-Nutzer aber zu spät. --------------------------------------------- https://www.golem.de/news/notfall-update-tor-nutzer-ueber-kritische-firefox… ∗∗∗ Moxa: Missing Authentication and OS Command Injection Vulnerabilities in Cellular Routers, Secure Routers, and Network Security Appliances ∗∗∗ --------------------------------------------- The first vulnerability, CVE-2024-9137, allows attackers to manipulate device configurations without authentication. The second vulnerability, CVE-2024-9139, permits OS command injection through improperly restricted commands, potentially enabling attackers to execute arbitrary codes. --------------------------------------------- https://www.moxa.com/en/support/product-support/security-advisory/mpsa-2411… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (docker.io, libreoffice, node-dompurify, python-reportlab, and thunderbird), Fedora (buildah, chromium, kernel, kernel-headers, libgsf, mosquitto, p7zip, podman, python-cramjam, python-virtualenv, redis, rust-async-compression, rust-brotli, rust-brotli-decompressor, rust-libcramjam, rust-libcramjam0.2, rust-nu-command, rust-nu-protocol, rust-redlib, rust-tower-http, thunderbird, and webkit2gtk4.0), Oracle (.NET 6.0, .NET 8.0, e2fsprogs, firefox, golang, openssl, python3-setuptools, systemd, and thunderbird), SUSE (chromium, firefox, java-jwt, libmozjs-128-0, libwireshark18, ntpd-rs, OpenIPMI, thunderbird, and wireshark), and Ubuntu (firefox, python2.7, python3.5, thunderbird, and ubuntu-advantage-desktop-daemon). --------------------------------------------- https://lwn.net/Articles/994080/ ∗∗∗ Sicherheitsupdate: Angreifer können Netzwerkanalysetool Wireshark crashen lassen ∗∗∗ --------------------------------------------- Wireshark ist in einer gegen mögliche Angriffe abgesicherten Version erschienen. Darin haben die Entwickler auch mehrere Bugs gefixt. --------------------------------------------- https://heise.de/-9979991 ∗∗∗ ZDI-24-1374: IrfanView SID File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-1374/ ∗∗∗ ZDI-24-1369: Zimbra GraphQL Cross-Site Request Forgery Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-1369/ ∗∗∗ Security Vulnerability fixed in Firefox 131.0.3 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2024-53/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.10.2024
by Daily end-of-shift report 11 Oct '24

11 Oct '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 10-10-2024 18:00 − Freitag 11-10-2024 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Akira and Fog ransomware now exploit critical Veeam RCE flaw ∗∗∗ --------------------------------------------- Ransomware gangs now exploit a critical security vulnerability that lets attackers gain remote code execution (RCE) on vulnerable Veeam Backup & Replication (VBR) servers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/akira-and-fog-ransomware-now… ∗∗∗ Digitaler Krieg: Russische Hacker sollen Zimbra- und Teamcity-Exploits nutzen ∗∗∗ --------------------------------------------- Staatliche russische Hacker nähmen Zimbra- und Jetbrains Teamcity-Installationen westlicher Unternehmen aufs Korn, warnen die USA und Großbritannien. --------------------------------------------- https://www.golem.de/news/digitaler-krieg-russische-hacker-sollen-zimbra-un… ∗∗∗ Bohemia and Cannabia Dark Web Markets Taken Down After Joint Police Operation ∗∗∗ --------------------------------------------- The Dutch police have announced the takedown of Bohemia and Cannabia, which has been described as the worlds largest and longest-running dark web market for illegal goods, drugs, and cybercrime services.The takedown is the result of a collaborative investigation with Ireland, the United Kingdom, and the United States that began towards the end of 2022, the Politie said. --------------------------------------------- https://thehackernews.com/2024/10/bohemia-and-cannabia-dark-web-markets.html ∗∗∗ Perfecting Ransomware on AWS — Using keys to the kingdom to change the locks ∗∗∗ --------------------------------------------- If someone asked me what was the best way to make money from a compromised AWS Account (assume root access even) — I would have answered “dump the data and hope that no-one notices you before you finish it up.” This answer would have been valid until ~8 months ago when I stumbled upon a lesser known feature of AWS KMS which allows an attacker to do devastating ransomware attacks on a compromised AWS account. --------------------------------------------- https://medium.com/@harsh8v/redefining-ransomware-attacks-on-aws-using-aws-… ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (September 30, 2024 to October 6, 2024) ∗∗∗ --------------------------------------------- Last week, there were 161 vulnerabilities disclosed in 147 WordPress Plugins and 5 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database --------------------------------------------- https://www.wordfence.com/blog/2024/10/wordfence-intelligence-weekly-wordpr… ∗∗∗ Lynx Ransomware: A Rebranding of INC Ransomware ∗∗∗ --------------------------------------------- Lynx ransomware shares a significant portion of its source code with INC ransomware. INC ransomware initially surfaced in August 2023 and had variants compatible with both Windows and Linux. While we haven't confirmed any Linux samples yet for Lynx ransomware, we have noted Windows samples. This ransomware operates using a ransomware-as-a-service (RaaS) model. --------------------------------------------- https://unit42.paloaltonetworks.com/inc-ransomware-rebrand-to-lynx/ ∗∗∗ Octo2 Malware Uses Fake NordVPN, Chrome Apps to Infect Android Devices ∗∗∗ --------------------------------------------- Octo2 malware is targeting Android devices by disguising itself as popular apps like NordVPN and Google Chrome. --------------------------------------------- https://hackread.com/octo2-malware-fake-nordvpn-chrome-apps-android-device/ ∗∗∗ Best Practices to Configure BIG-IP LTM Systems to Encrypt HTTP Persistence Cookies ∗∗∗ --------------------------------------------- CISA has observed cyber threat actors leveraging unencrypted persistent cookies managed by the F5 BIG-IP Local Traffic Manager (LTM) module to enumerate other non-internet facing devices on the network. [..] CISA urges organizations to encrypt persistent cookies employed in F5 BIG-IP devices and review the following article for details on how to configure the BIG-IP LTM system to encrypt HTTP cookies. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/10/10/best-practices-configure… ∗∗∗ EU-Rat bringt Cyber Resilience Act auf den Weg ∗∗∗ --------------------------------------------- Künftig müssen vernetzte Produkte, die in der EU in Verkehr gebracht werden, gegen Angriffe gesichert sein und das mit dem CE-Zeichen signalisieren. --------------------------------------------- https://heise.de/-9977103 ===================== = Vulnerabilities = ===================== ∗∗∗ New Critical GitLab Vulnerability Could Allow Arbitrary CI/CD Pipeline Execution ∗∗∗ --------------------------------------------- GitLab has released security updates for Community Edition (CE) and Enterprise Edition (EE) to address eight security flaws, including a critical bug that could allow running Continuous Integration and Continuous Delivery (CI/CD) pipelines on arbitrary branches. --------------------------------------------- https://thehackernews.com/2024/10/new-critical-gitlab-vulnerability-could.h… ∗∗∗ Priviledged admin able to view device summary for device in different [FortiManager] ADOM ∗∗∗ --------------------------------------------- An exposure of sensitive information to an unauthorized actor vulnerability [CWE-200] in FortiManager Administrative Domain (ADOM) may allow a remote authenticated attacker assigned to an ADOM to access device summary of other ADOMs via crafted HTTP requests. --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-23-472 ∗∗∗ Aw, Sugar. Critical Vulnerabilities in SugarWOD ∗∗∗ --------------------------------------------- It is possible to: * Enumerate 2 million users, names, profile pics, birthday, height, weight, and email addresses * Extract all Gyms join passwords [..] * Bypass user-chosen privacy settings --------------------------------------------- https://www.n00py.io/2024/10/critical-vulnerabilities-in-sugarwod/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (.NET 6.0, .NET 8.0, and openssl), Debian (firefox-esr), Fedora (firefox), Mageia (php, quictls, and vim), Red Hat (buildah, container-tools:rhel8, containernetworking-plugins, firefox, podman, skopeo, and tomcat), Slackware (mozilla), SUSE (apache-commons-io, kernel, and xen), and Ubuntu (golang-1.17, libgsf, and linux-aws-6.8, linux-oracle-6.8). --------------------------------------------- https://lwn.net/Articles/993778/ ∗∗∗ Security Vulnerability fixed in Thunderbird 131.0.1, Thunderbird 128.3.1, Thunderbird 115.16.0 ∗∗∗ --------------------------------------------- * CVE-2024-9680: Use-after-free in Animation timeline --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2024-52/ ∗∗∗ Livewire Security Update Advisory (CVE-2024-47823) ∗∗∗ --------------------------------------------- The extension of a loaded file is guessed based on its MIME type, which could allow an attacker to conduct a remote code execution (RCE) attack by uploading a “.php” file with a valid MIME type. --------------------------------------------- https://asec.ahnlab.com/en/83775/ ∗∗∗ Apache Software Security Update Advisory (CVE-2024-45720, CVE-2024-47561) ∗∗∗ --------------------------------------------- * CVE-2024-45720: Subversion versions: ~ 1.14.3 (inclusive) (Windows) * CVE-2024-47561: Apache Avro Java SDK versions: ~ 1.11.4 (excluded) --------------------------------------------- https://asec.ahnlab.com/en/83776/ ∗∗∗ Anonymisierendes Linux: Tails 6.8.1 schließt kritische Sicherheitslücke ∗∗∗ --------------------------------------------- Das zum anonymen Surfen gedachte Tails-Linux schließt in Version 6.8.1 eine Sicherheitslücke. Es verbessert zudem den Umgang mit persistentem Speicher. --------------------------------------------- https://heise.de/-9977905 ∗∗∗ baserCMS plugin "BurgerEditor" vulnerable to directory listing ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN54676967/ ∗∗∗ ABB Cylon Aspect 3.07.02 (sshUpdate.php) Unauthenticated Remote SSH Service Control ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5838.php -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.10.2024
by Daily end-of-shift report 10 Oct '24

10 Oct '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 09-10-2024 18:00 − Donnerstag 10-10-2024 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Firefox Zero-Day Under Attack: Update Your Browser Immediately ∗∗∗ --------------------------------------------- Mozilla has revealed that a critical security flaw impacting Firefox and Firefox Extended Support Release (ESR) has come under active exploitation in the wild.The vulnerability, tracked as CVE-2024-9680, has been described as a use-after-free bug in the Animation timeline component. --------------------------------------------- https://thehackernews.com/2024/10/mozilla-warns-of-active-exploitation-in.h… ∗∗∗ CISA says critical Fortinet RCE flaw now exploited in attacks ∗∗∗ --------------------------------------------- Today, CISA revealed that attackers actively exploit a critical FortiOS remote code execution (RCE) vulnerability in the wild. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cisa-says-critical-fortinet-… ∗∗∗ Benutzt hier jemand ein Smartphone mit Qualcomm-SOC? ∗∗∗ --------------------------------------------- Für viele Android-Geräte da draußen ist die Antwort: Ja.The zero-day vulnerability, officially designated CVE-2024-43047, “may be under limited, targeted exploitation,” according to Qualcomm, citing unspecified “indications” from Google’s Threat Analysis Group, the company’s research unit that investigates government hacking threats. --------------------------------------------- http://blog.fefe.de/?ts=99f9d232 ∗∗∗ Magenta ID wurde deaktiviert: Vorsicht vor täuschend echter Phishing-Mail ∗∗∗ --------------------------------------------- Ein sehr gut gefälschtes Magenta-Mail ist gerade in Österreich in Umlauf. Wer genau hinsieht, kann es entlarven. --------------------------------------------- https://futurezone.at/digital-life/magenta-id-wurde-deaktiviert-mail-phishi… ∗∗∗ Malware by the (Bit)Bucket: Unveiling AsyncRAT ∗∗∗ --------------------------------------------- Recently, we uncovered a sophisticated attack campaign employing a multi-stage approach to deliver AsyncRAT via a legitimate platform called Bitbucket. --------------------------------------------- https://www.gdatasoftware.com/blog/2024/10/38043-asyncrat-bitbucket ∗∗∗ File hosting services misused for identity phishing ∗∗∗ --------------------------------------------- Since mid-April 2024, Microsoft has observed an increase in defense evasion tactics used in campaigns abusing file hosting services like SharePoint, OneDrive, and Dropbox. These campaigns use sophisticated techniques to perform social engineering, evade detection, and compromise identities, and include business email compromise (BEC) attacks. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2024/10/08/file-hosting-servi… ∗∗∗ Technical Analysis of DarkVision RAT ∗∗∗ --------------------------------------------- IntroductionDarkVision RAT is a highly customizable remote access trojan (RAT) that first surfaced in 2020, offered on Hack Forums and their website for as little as $60. Written in C/C++, and assembly, DarkVision RAT has gained popularity due to its affordability and extensive feature set, making it accessible even to low-skilled cybercriminals. The RAT’s capabilities include keylogging, taking screenshots, file manipulation, process injection, remote code execution, and password theft. --------------------------------------------- https://www.zscaler.com/blogs/security-research/technical-analysis-darkvisi… ∗∗∗ Ransom & Dark Web Issues Week 2, October 2024 ∗∗∗ --------------------------------------------- * New Target of KillSec Ransomware Attack: South Korean Commercial Property Content Provider * Dark Web Market Bohemia/Cannabia Shut Down by Law Enforcement, Two Administrators Arrested * New Ransomware Gang Sarcoma: Conducted Attacks on a Total of 30 Companies --------------------------------------------- https://asec.ahnlab.com/en/83739/ ∗∗∗ Internet Archive unter Beschuss: Über 30 Millionen Nutzerdaten gestohlen ∗∗∗ --------------------------------------------- Bislang Unbekannte vergriffen sich mehrfach am Internet Archive. Bereits im September wurden Nutzerdaten und Passwort-Hashes abgezogen. --------------------------------------------- https://heise.de/-9975986 ===================== = Vulnerabilities = ===================== ∗∗∗ GitLab warns of critical arbitrary branch pipeline execution flaw ∗∗∗ --------------------------------------------- GitLab has released security updates to address multiple flaws in Community Edition (CE) and Enterprise Edition (EE), including a critical arbitrary branch pipeline execution flaw. --------------------------------------------- https://www.bleepingcomputer.com/news/security/gitlab-warns-of-critical-arb… ∗∗∗ Experts Warn of Critical Unpatched Vulnerability in Linear eMerge E3 Systems ∗∗∗ --------------------------------------------- Cybersecurity security researchers are warning about an unpatched vulnerability in Nice Linear eMerge E3 access controller systems that could allow for the execution of arbitrary operating system (OS) commands.The flaw, assigned the CVE identifier CVE-2024-9441, carries a CVSS score of 9.8 out of a maximum of 10.0, according to VulnCheck. --------------------------------------------- https://thehackernews.com/2024/10/experts-warn-of-critical-unpatched.html ∗∗∗ wkhtmltopdf - Highly critical - Unsupported - SA-CONTRIB-2024-049 ∗∗∗ --------------------------------------------- Project: wkhtmltopdfDate: 2024-October-09Security risk: Highly critical 23 ∕ 25 AC:None/A:None/CI:All/II:All/E:Proof/TD:AllVulnerability: UnsupportedAffected versions: *Description: The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#procedure---own-project---unsupportedSol…: If you use this project, --------------------------------------------- https://www.drupal.org/sa-contrib-2024-049 ∗∗∗ Facets - Critical - Cross Site Scripting - SA-CONTRIB-2024-047 ∗∗∗ --------------------------------------------- Project: FacetsDate: 2024-October-09Security risk: Critical 15 ∕ 25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross Site ScriptingAffected versions: Description: This module enables you to to easily create and manage faceted search interfaces.The module doesnt sufficiently filter for malicious script leading to a reflected cross site scripting (XSS) vulnerability.Solution: Install the latest version:If you use the Facets module, upgrade to Facets --------------------------------------------- https://www.drupal.org/sa-contrib-2024-047 ∗∗∗ Block permissions - Moderately critical - Access bypass - SA-CONTRIB-2024-046 ∗∗∗ --------------------------------------------- Project: Block permissionsDate: 2024-October-09Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Access bypassAffected versions: >=1.0.0 Description: This module enables you to manage blocks from specific modules in the specific themes.The module doesnt sufficiently check permissions under the scenario when a block is added using the form "/admin/structure/block/add/{plugin_id}/{theme}" (route --------------------------------------------- https://www.drupal.org/sa-contrib-2024-046 ∗∗∗ Monster Menus - Moderately critical - Access bypass, Information Disclosure - SA-CONTRIB-2024-045 ∗∗∗ --------------------------------------------- Project: Monster MenusDate: 2024-October-09Security risk: Moderately critical 13 ∕ 25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:UncommonVulnerability: Access bypass, Information DisclosureAffected versions: Description: This module enables you to group nodes within pages that have a highly-granular, distributed permissions structure.A function which can be used by third-party code does not return valid data under certain rare circumstances. If the third-party code relies on this --------------------------------------------- https://www.drupal.org/sa-contrib-2024-045 ∗∗∗ Gutenberg - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2024-048 ∗∗∗ --------------------------------------------- Project: GutenbergDate: 2024-October-09Security risk: Moderately critical 12 ∕ 25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross Site Request ForgeryAffected versions: =3.0.0 Description: This module provides a new UI experience for node editing using the Gutenberg Editor library.The module did not sufficiently protect some routes against a Cross Site Request Forgery attack.This vulnerability is mitigated by the fact that the tricked user needs to have an --------------------------------------------- https://www.drupal.org/sa-contrib-2024-048 ∗∗∗ VMSA-2024-0020:VMware NSX updates address multiple vulnerabilities (CVE-2024-38818, CVE-2024-38817, CVE-2024-38815) ∗∗∗ --------------------------------------------- Multiple vulnerabilities in VMware NSX were responsibly reported to VMware. Updates are available to remediate these vulnerabilities in the affected VMware products. --------------------------------------------- https://support.broadcom.com/web/ecx/support-=content-notification/-/extern… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium), Fedora (firefox, koji, unbound, webkit2gtk4.0, and xen), Red Hat (glibc, net-snmp, and tomcat), Slackware (mozilla), SUSE (apache-commons-io, buildah, cups-filters, liboath-devel, libreoffice, libunbound8, podman, and redis), and Ubuntu (cups-browsed, cups-filters, edk2, linux-raspi-5.4, and oath-toolkit). --------------------------------------------- https://lwn.net/Articles/993595/ ∗∗∗ Redis Vulnerability Security Update Advisory (CVE-2024-31449) ∗∗∗ --------------------------------------------- An update has been released to address vulnerabilities in Redis. Users of the affected versions are advised to update to the latest version. --------------------------------------------- https://asec.ahnlab.com/en/83704/ ∗∗∗ Ivanti Product Security Update Advisory ∗∗∗ --------------------------------------------- * CVE-2024-9380, CVE-2024-9381: Ivanti Cloud Services Appliance (CSA) versions: ~ 5.0.1 (inclusive) * CVE-2024-7612: Ivanti EPMM (Core) versions: ~ 12.1.0.3 (inclusive) * CVE-2024-9167: Velocity License Server versions: 5.1 (inclusive) ~ 5.1.2 (inclusive) --------------------------------------------- https://asec.ahnlab.com/en/83706/ ∗∗∗ Adobe Family October 2024 Routine Security Update Advisory ∗∗∗ --------------------------------------------- Adobe has released a security update that addresses a vulnerability in its supplied products. Users of affected systems are advised to update to the latest version. --------------------------------------------- https://asec.ahnlab.com/en/83710/ ∗∗∗ SAP Product Security Update Advisory ∗∗∗ --------------------------------------------- * CVE-2024-37179: SAP BusinessObjects Business Intelligence Platform, ENTERPRISE 420, 430, 2025, Enterprise clienttools 420 * CVE-2024-41730: SAP BusinessObjects Business Intelligence Platform, ENTERPRISE 430, 440 * CVE-2024-39592: SAP PDCE, S4CORE 102, S4CORE 103, S4COREOP 104, S4COREOP 105, S4COREOP 106, S4COREOP 107, S4COREOP 108 --------------------------------------------- https://asec.ahnlab.com/en/83736/ ∗∗∗ SonicWall SSL-VPN SMA1000 and Connect Tunnel Windows Client Affected By Multiple Vulnerabilities ∗∗∗ --------------------------------------------- 1) CVE-2024-45315 - SonicWALL SMA1000 Connect Tunnel Windows Client Link Following Denial-of-Service Vulnerability 2) CVE-2024-45316 - SonicWALL SMA1000 Connect Tunnel Windows Client Link Following Local Privilege Escalation Vulnerability 3) CVE-2024-45317 - Unauthenticated SMA1000 12.4.x Server-Side Request Forgery (SSRF) Vulnerability --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0017 ∗∗∗ CISA Releases Twenty-One Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- * ICSA-24-284-01 Siemens SIMATIC S7-1500 and S7-1200 CPUs * ICSA-24-284-02 Siemens Simcenter Nastran * ICSA-24-284-03 Siemens Teamcenter Visualization and JT2Go * ICSA-24-284-04 Siemens SENTRON PAC3200 Devices * ICSA-24-284-05 Siemens Questa and ModelSim * ICSA-24-284-06 Siemens SINEC Security Monitor * ICSA-24-284-07 Siemens JT2Go * ICSA-24-284-08 Siemens HiMed Cockpit * ICSA-24-284-09 Siemens PSS SINCAL * ICSA-24-284-10 Siemens SIMATIC S7-1500 CPUs * ICSA-24-284-11 Siemens RUGGEDCOM APE1808 * ICSA-24-284-12 Siemens Sentron Powercenter 1000 * ICSA-24-284-13 Siemens Tecnomatix Plant Simulation * ICSA-24-284-14 Schneider Electric Zelio Soft 2 * ICSA-24-284-15 Rockwell Automation DataMosaix Private Cloud * ICSA-24-284-16 Rockwell Automation DataMosaix Private Cloud * ICSA-24-284-17 Rockwell Automation Verve Asset Manager * ICSA-24-284-18 Rockwell Automation Logix Controllers * ICSA-24-284-19 Rockwell Automation PowerFlex 6000T * ICSA-24-284-20 Rockwell Automation ControlLogix * ICSA-24-284-21 Delta Electronics CNCSoft-G2 --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/10/10/cisa-releases-twenty-one… ∗∗∗ Synacor Zimbra Collaboration Command Execution Vulnerability ∗∗∗ --------------------------------------------- Threat Actors are exploiting a recently fixed RCE vulnerability in Zimbra email servers, which can be exploited just by sending specially crafted emails to the SMTP server. --------------------------------------------- https://fortiguard.fortinet.com/outbreak-alert/zimbra-collaboration-rce ∗∗∗ Gutenberg - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2024-048 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2024-048 ∗∗∗ 2024-10-10: Cyber Security Advisory - ABB IRC5 RobotWare – PROFINET Stack Vulnerability ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=SI20337&LanguageCod… ∗∗∗ 2024-10 Security Bulletin: Junos OS and Junos OS Evolved: BGP update message containing aggregator attribute with an ASN value of zero (0) is accepted (CVE-2024-47507) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS: SRX Series: A large amount of traffic being processed by ATP Cloud can lead to a PFE crash (CVE-2024-47506) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS Evolved: Specific low privileged CLI commands and SNMP GET requests can trigger a resource leak ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS: Multiple vulnerabilities in OSS component nginx resolved ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS: SRX5000 Series: Receipt of a specific malformed packet will cause a flowd crash (CVE-2024-47504) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS: SRX4600 and SRX5000 Series: Sequence of specific PIM packets causes a flowd crash (CVE-2024-47503) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS Evolved: TCP session state is not always cleared on the Routing Engine (CVE-2024-47502) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS: MX304, MX with MPC10/11/LC9600, and EX9200 with EX9200-15C: In a VPLS or Junos Fusion scenario specific show commands cause an FPC crash (CVE-2024-47501) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS and Junos OS Evolved: In a BMP scenario receipt of a malformed AS PATH attribute can cause an RPD core (CVE-2024-47499) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS Evolved: QFX5000 Series: Configured MAC learning and move limits are not in effect (CVE-2024-47498) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS: SRX Series, QFX Series, MX Series and EX Series: Receiving specific HTTPS traffic causes resource exhaustion (CVE-2024-47497) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS: MX Series: The PFE will crash on running specific command (CVE-2024-47496) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS Evolved: In a dual-RE scenario a locally authenticated attacker with shell privileges can take over the device (CVE-2024-47495) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS: Due to a race condition AgentD process causes a memory corruption and FPC reset (CVE-2024-47494) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS: J-Web: Multiple vulnerabilities resolved in PHP software. ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS: SRX5K, SRX4600 and MX Series: Trio-based FPCs: Continuous physical interface flaps causes local FPC to crash (CVE-2024-47493) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS and Junos OS Evolved: Receipt of a specific malformed BGP path attribute leads to an RPD crash (CVE-2024-47491) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS Evolved: ACX 7000 Series: Receipt of specific transit MPLS packets causes resources to be exhausted (CVE-2024-47490) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS Evolved: Multiple vulnerabilities resolved in c-ares 1.18.1 ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS Evolved: ACX Series: Receipt of specific transit protocol packets is incorrectly processed by the RE (CVE-2024-47489) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos Space: Remote Command Execution (RCE) vulnerability in web application (CVE-2024-39563) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS and Junos OS Evolved: cRPD: Receipt of crafted TCP traffic can trigger high CPU utilization (CVE-2024-39547) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS: Multiple vulnerabilities resolved in OpenSSL ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS Evolved: Low privileged local user able to view NETCONF traceoptions files (CVE-2024-39544) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS Evolved: Connections to the network and broadcast address accepted (CVE-2024-39534) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS: SRX Series: Low privileged user able to access sensitive information on file system (CVE-2024-39527) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS and Junos OS Evolved: MX Series with MPC10/MPC11/LC9600, MX304, EX9200, PTX Series: Receipt of malformed DHCP packets causes interfaces to stop processing packets (CVE-2024-39526) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS and Junos OS Evolved: When BGP nexthop traceoptions is enabled, receipt of specially crafted BGP packet causes RPD crash (CVE-2024-39525) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS and Junos OS Evolved: Junos OS and Junos OS Evolved: Receipt of a specifically malformed BGP packet causes RPD crash when segment routing is enabled (CVE-2024-39516) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS and Junos OS Evolved: With BGP traceoptions enabled, receipt of specially crafted BGP update causes RPD crash (CVE-2024-39515) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos Space: OS command injection vulnerability in OpenSSH (CVE-2023-51385) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS and Junos OS Evolved: With BGP traceoptions enabled, receipt of specifically malformed BGP update causes RPD crash (CVE-2024-39516) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS and Junos OS Evolved: In a BMP scenario receipt of a malformed AS PATH attribute can cause an RPD core (CVE-2024-47499) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS and Junos OS Evolved: When BGP traceoptions is enabled, receipt of specially crafted BGP packet causes RPD crash (CVE-2024-39525) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ SSA-438590 V1.0: Buffer Overflow Vulnerability in Siveillance Video Camera Drivers ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-438590.html ∗∗∗ CVE-2024-9469 Cortex XDR Agent: Local Windows User Can Disable the Agent (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2024-9469 ∗∗∗ CVE-2024-9471 PAN-OS: Privilege Escalation (PE) Vulnerability in XML API (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2024-9471 ∗∗∗ CVE-2024-9468 PAN-OS: Firewall Denial of Service (DoS) via a Maliciously Crafted Packet (Severity: HIGH) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2024-9468 ∗∗∗ PAN-SA-2024-0010 Expedition: Multiple Vulnerabilities Lead to Firewall Admin Account Takeover (Severity: CRITICAL) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/PAN-SA-2024-0010 ∗∗∗ CVE-2024-9473 GlobalProtect App: Local Privilege Escalation (PE) Vulnerability (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2024-9473 ∗∗∗ PAN-SA-2024-0011 Chromium: Monthly Vulnerability Updates (Severity: HIGH) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/PAN-SA-2024-0011 ∗∗∗ CVE-2024-9470 Cortex XSOAR: Information Disclosure Vulnerability (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2024-9470 ∗∗∗ PAN-SA-2024-0010 Expedition: Multiple Vulnerabilities in Expedition Lead to Exposure of Firewall Credentials (Severity: CRITICAL) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/PAN-SA-2024-0010 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.10.2024
by Daily end-of-shift report 09 Oct '24

09 Oct '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 08-10-2024 18:00 − Mittwoch 09-10-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Two never-before-seen tools, from same group, infect air-gapped devices ∗∗∗ --------------------------------------------- Its hard enough creating one air-gap-jumping tool. GoldenJackal did it 2x in 5 years. --------------------------------------------- https://arstechnica.com/security/2024/10/two-never-before-seen-tools-from-s… ∗∗∗ European govt air-gapped systems breached using custom malware ∗∗∗ --------------------------------------------- An APT hacking group known as GoldenJackal has successfully breached air-gapped government systems in Europe using two custom toolsets to steal sensitive data, like emails, encryption keys, images, archives, and documents. --------------------------------------------- https://www.bleepingcomputer.com/news/security/european-govt-air-gapped-sys… ∗∗∗ New scanner finds Linux, UNIX servers exposed to CUPS RCE attacks ∗∗∗ --------------------------------------------- An automated scanner has been released to help security professionals scan environments for devices vulnerable to the Common Unix Printing System (CUPS) RCE flaw tracked as CVE-2024-47176. --------------------------------------------- https://www.bleepingcomputer.com/news/software/new-scanner-finds-linux-unix… ∗∗∗ Sicherheitslücke: RDP-Server von Windows aus der Ferne angreifbar ∗∗∗ --------------------------------------------- Ein erfolgreicher Angriff erfordert zwar eine gewonnene Race Condition, dafür aber keinerlei Authentifizierung oder Nutzer-Interaktion. --------------------------------------------- https://www.golem.de/news/sicherheitsluecke-rdp-server-von-windows-aus-der-… ∗∗∗ Cisco warnt: Kinder erhöhen Cyberrisiko im Homeoffice ∗∗∗ --------------------------------------------- Laut Cisco erlauben rund zwei Drittel aller Eltern im Homeoffice ihren Kindern den Zugriff auf beruflich genutzte Geräte - häufig sogar unbeaufsichtigt. --------------------------------------------- https://www.golem.de/news/cisco-warnt-kinder-erhoehen-cyberrisiko-im-homeof… ∗∗∗ From Perfctl to InfoStealer ∗∗∗ --------------------------------------------- A few days ago, a new stealthy malware targeting Linux hosts made a lot of noise: perfctl[1]. The malware has been pretty well analyzed and I wont repeat what has been already disclosed. I found a .. --------------------------------------------- https://isc.sans.edu/diary/From+Perfctl+to+InfoStealer/31334 ∗∗∗ Ransomware gang Trinity joins pile of scumbags targeting healthcare ∗∗∗ --------------------------------------------- As if hospitals and clinics didnt have enough to worry about At least one US healthcare provider has been infected by Trinity, an emerging cybercrime gang with eponymous ransomware that uses double extortion and other "sophisticated" tactics that make it a "significant threat," according to the feds. --------------------------------------------- https://www.theregister.com/2024/10/09/trinity_ransomware_targets_healthcar… ∗∗∗ Patch Tuesday, October 2024 Edition ∗∗∗ --------------------------------------------- Microsoft today released security updates to fix at least 117 security holes in Windows computers and other software, including two vulnerabilities that are already seeing active attacks. Also, Adobe plugged 52 security holes .. --------------------------------------------- https://krebsonsecurity.com/2024/10/patch-tuesday-october-2024-edition/ ∗∗∗ How to handle vulnerability reports in aviation ∗∗∗ --------------------------------------------- TL;DR Always thank researchers for reporting vulnerabilities. Acknowledging their efforts can set the right tone. Lead all communications with researchers. Don’t let legal or PR teams take over. Provide .. --------------------------------------------- https://www.pentestpartners.com/security-blog/how-to-handle-vulnerability-r… ∗∗∗ So stehlen Kriminelle mit gefälschten FinanzOnline-Benachrichtigungen Ihre Bankomatkarte ∗∗∗ --------------------------------------------- Sie werden per SMS über eine Rückerstattung vom Finanzamt informiert und klicken auf den Link. Sie gelangen auf die Webseite des Finanzamts – zumindest sieht es so aus. Sie wählen Ihre Bank aus, um das Geld zu erhalten. Doch plötzlich kommt eine Fehlermeldung von Ihrer Bank. Sie erhalten eine neue Bankomatkarte und müssen die alte zerschneiden und .. --------------------------------------------- https://www.watchlist-internet.at/news/so-stehlen-kriminelle-kartenwechsel-… ∗∗∗ Contagious Interview: DPRK Threat Actors Lure Tech Industry Job Seekers to Install New Variants of BeaverTail and InvisibleFerret Malware ∗∗∗ --------------------------------------------- Discover how North Korean attackers, posing as recruiters, used an updated downloader and backdoor in a campaign targeting tech job seekers. --------------------------------------------- https://unit42.paloaltonetworks.com/north-korean-threat-actors-lure-tech-jo… ∗∗∗ Schwachstellen in Intels Sicherheitstechnologie TDX entdeckt ∗∗∗ --------------------------------------------- Wissenschaftler von der Universität zu Lübeck haben Schwachstellen in Intels Trusted Domain Extensions identifiziert. Intel hat eine Lücke bereits geschlossen. --------------------------------------------- https://heise.de/-9974224 ===================== = Vulnerabilities = ===================== ∗∗∗ Synology-SA-24:12 GitLab ∗∗∗ --------------------------------------------- A vulnerability allows remote attacker to bypass authentication via a susceptible version of GitLab. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_24_12 ∗∗∗ DSA-5729-2 apache2 - regression update ∗∗∗ --------------------------------------------- https://lists.debian.org/debian-security-announce/2024/msg00200.html ∗∗∗ Announcement: Drupal core issues with some risk levels may be treated as bugs in the public issue queue, not as private security issues - PSA-2023-07-12 ∗∗∗ --------------------------------------------- https://www.drupal.org/psa-2023-07-12 ∗∗∗ Local Privilege Escalation mittels MSI installer in Palo Alto Networks GlobalProtect ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/local-privilege-escal… ∗∗∗ October Security Update ∗∗∗ --------------------------------------------- https://www.ivanti.com/blog/october-2024-security-update -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.10.2024
by Daily end-of-shift report 08 Oct '24

08 Oct '24

===================== = End-of-Day report = ===================== Timeframe: Montag 07-10-2024 18:00 − Dienstag 08-10-2024 18:00 Handler: Alexander Riepl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ ADT discloses second breach in 2 months, hacked via stolen credentials ∗∗∗ --------------------------------------------- Home and small business security company ADT disclosed it suffered a breach after threat actors gained access to its systems using stolen credentials and exfiltrated employee account data. --------------------------------------------- https://www.bleepingcomputer.com/news/security/adt-discloses-second-breach-… ∗∗∗ Casio reports IT systems failure after weekend network breach ∗∗∗ --------------------------------------------- Japanese tech giant Casio has suffered a cyberattack after an unauthorized actor accessed its networks on October 5, causing system disruption that impacted some of its services. --------------------------------------------- https://www.bleepingcomputer.com/news/security/casio-reports-it-systems-fai… ∗∗∗ New Gorilla Botnet Launches Over 300,000 DDoS Attacks Across 100 Countries ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered a new botnet malware family called Gorilla (aka GorillaBot) that draws its inspiration from the leaked Mirai botnet source code.Cybersecurity firm NSFOCUS, which identified the activity last month, said the botnet "issued over 300,000 attack commands, with a shocking attack density" between September 4 and September 27, 2024. --------------------------------------------- https://thehackernews.com/2024/10/new-gorilla-botnet-launches-over-300000.h… ∗∗∗ Feds reach for sliver of crypto-cash nicked by North Koreas notorious Lazarus Group ∗∗∗ --------------------------------------------- The US government is attempting to claw back more than $2.67 million stolen by North Koreas Lazarus Group, filing two lawsuits to force the forfeiture of millions in Tether and Bitcoin.… --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2024/10/08/us_lazarus_g… ∗∗∗ Shining Light on the Dark Angels Ransomware Group ∗∗∗ --------------------------------------------- The Dark Angels ransomware threat group launched attacks beginning in April 2022, and has since been quietly executing highly targeted attacks. Dark Angels operate with more stealthy and sophisticated strategies than many other ransomware groups. Instead of outsourcing breaches to third-party initial access brokers that target a wide range of victims, Dark Angels launch their own attacks that focus on a limited number of large companies. --------------------------------------------- https://www.zscaler.com/blogs/security-research/shining-light-dark-angels-r… ∗∗∗ 7,000 WordPress Sites Affected by Unauthenticated Critical Vulnerabilities in LatePoint WordPress Plugin ∗∗∗ --------------------------------------------- On September 17, 2024, our Wordfence Threat Intelligence team identified and began the responsible disclosure process for two critical vulnerabilities in the LatePoint plugin, which is estimated to be actively installed on more than 7,000 WordPress websites. --------------------------------------------- https://www.wordfence.com/blog/2024/10/7000-wordpress-sites-affected-by-una… ∗∗∗ Nitrogen Campaign Drops Sliver and Ends With BlackCat Ransomware ∗∗∗ --------------------------------------------- In November 2023, we identified a BlackCat ransomware intrusion started by Nitrogen malware hosted on a website impersonating Advanced IP Scanner. Nitrogen was leveraged to deploy Sliver and Cobalt Strike beacons on the beachhead host and perform further malicious actions. --------------------------------------------- https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-end… ∗∗∗ Ukrainian pleads guilty to running Raccoon Infostealer malware, agrees to pay nearly $1 million ∗∗∗ --------------------------------------------- A Ukrainian national pleaded guilty in U.S. federal court to running the Raccoon Infostealer malware, and agreed to pay victims more than $900,000 as part of the plea deal. --------------------------------------------- https://therecord.media/raccoon-stealer-operator-pleads-guilty ∗∗∗ TAG Bulletin: Q3 2024 ∗∗∗ --------------------------------------------- This bulletin includes coordinated influence operation campaigns terminated on our platforms in Q3 2024. It was last updated on October 7, 2024. --------------------------------------------- https://blog.google/threat-analysis-group/tag-bulletin-q3-2024/ ∗∗∗ Crypto-Stealing Code Lurking in Python Package Dependencies ∗∗∗ --------------------------------------------- On September 22nd, a new PyPI user orchestrated a wide-ranging attack by uploading multiple packages within a short timeframe. These packages, bearing names like “AtomicDecoderss,” “TrustDecoderss,” “WalletDecoderss,” and “ExodusDecodes,” masqueraded as legitimate tools for decoding and managing data from an array of popular cryptocurrency wallets. --------------------------------------------- https://checkmarx.com/blog/crypto-stealing-code-lurking-in-python-package-d… ∗∗∗ Okta Fixes Critical Vulnerability Allowing Sign-On Policy Bypass ∗∗∗ --------------------------------------------- Okta fixed a vulnerability in its Classic product that allowed attackers to bypass sign-on policies. Exploitation required valid credentials and the use of an “unknown” device. Affected users should review system logs. --------------------------------------------- https://hackread.com/okta-fixes-sign-on-policy-bypass-vulnerability/ ∗∗∗ Cyberattack on American Water Shuts Down Customer Portal, Halts Billing ∗∗∗ --------------------------------------------- American Water faces a cyberattack, disrupting its customer portal and billing operations. The company assures that water services remain unaffected while cybersecurity experts manage the incident. --------------------------------------------- https://hackread.com/american-water-cyberattack-shuts-down-portal-billing/ ∗∗∗ Storm-1575 Threat Actor Deploys New Login Panels for Phishing Infrastructure ∗∗∗ --------------------------------------------- The Storm-1575 group is known for frequently rebranding its phishing infrastructure. Recently, ANY.RUN analysts identified the deployment of new login panels, which are part of the threat actor’s ongoing efforts to compromise users’ Microsoft and Google accounts. --------------------------------------------- https://hackread.com/storm-1575-threat-actor-new-login-panels-phishing-infr… ∗∗∗ Lua Malware Targeting Student Gamers via Fake Game Cheats ∗∗∗ --------------------------------------------- Morphisec Threat Labs uncovers sophisticated Lua malware targeting student gamers and educational institutions. Learn how these attacks work and how to stay protected. --------------------------------------------- https://hackread.com/lua-malware-hit-student-gamers-fake-game-cheats/ ===================== = Vulnerabilities = ===================== ∗∗∗ Qualcomm patches high-severity zero-day exploited in attacks ∗∗∗ --------------------------------------------- Qualcomm has released security patches for a zero-day vulnerability in the Digital Signal Processor (DSP) service that impacts dozens of chipsets. --------------------------------------------- https://www.bleepingcomputer.com/news/security/qualcomm-patches-high-severi… ∗∗∗ TYPO3-CORE-SA-2024-012: Information Disclosure in TYPO3 Page Tree ∗∗∗ --------------------------------------------- It has been discovered that TYPO3 CMS is susceptible to information disclosure. --------------------------------------------- https://typo3.org/security/advisory/typo3-core-sa-2024-012 ∗∗∗ TYPO3-CORE-SA-2024-011: Denial of Service in TYPO3 Bookmark Toolbar ∗∗∗ --------------------------------------------- It has been discovered that TYPO3 CMS is susceptible to denial of service. --------------------------------------------- https://typo3.org/security/advisory/typo3-core-sa-2024-011 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (kernel), Fedora (webkitgtk), Mageia (cups), Oracle (e2fsprogs, kernel, and kernel-container), Red Hat (buildah, container-tools:rhel8, containernetworking-plugins, git-lfs, go-toolset:rhel8, golang, grafana-pcp, podman, and skopeo), SUSE (Mesa, mozjs115, podofo, and redis7), and Ubuntu (cups and cups-filters). --------------------------------------------- https://lwn.net/Articles/993276/ ∗∗∗ Kritische Sicherheitslücken in Draytek-Geräten erlauben Systemübernahme ∗∗∗ --------------------------------------------- Forscher fanden im Betriebssystem der Vigor-Router vierzehn neue Lücken, betroffen sind zwei Dutzend teilweise veraltete Typen. Patches stehen bereit. --------------------------------------------- https://heise.de/-9973906 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.10.2024
by Daily end-of-shift report 07 Oct '24

07 Oct '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 04-10-2024 18:00 − Montag 07-10-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Russia arrests US-sanctioned Cryptex founder, 95 other linked suspects ∗∗∗ --------------------------------------------- Russian law enforcement detained almost 100 suspects linked to the Cryptex cryptocurrency exchange, the UAPS anonymous payment service, and 33 other online services and platforms used to make illegal payments and sell stolen credentials. --------------------------------------------- https://www.bleepingcomputer.com/news/security/russia-arrests-us-sanctioned… ∗∗∗ MoneyGram: No evidence ransomware is behind recent cyberattack ∗∗∗ --------------------------------------------- MoneyGram says there is no evidence that ransomware is behind a recent cyberattack that led to a five-day outage in September. --------------------------------------------- https://www.bleepingcomputer.com/news/security/moneygram-no-evidence-ransom… ∗∗∗ Spielzeugmarke: Hack der Lego-Webseite zielt auf Kryptobetrug ab ∗∗∗ --------------------------------------------- Am 4. Oktober 2024 wurde die offizielle Website von Lego Opfer eines Hacks. Unbekannte bewarben eine Kryptowährung namens Lego-Coin. --------------------------------------------- https://www.golem.de/news/spielzeugmarke-hack-der-lego-webseite-zielt-auf-k… ∗∗∗ Nach US-Bann: Kaspersky fliegt weltweit aus dem Google Play Store ∗∗∗ --------------------------------------------- Kaspersky-Software ist seit Tagen nicht mehr im Play Store erhältlich. Ursache ist das US-Verbot des russischen Herstellers - mit globalen Auswirkungen. --------------------------------------------- https://www.golem.de/news/nach-us-bann-kaspersky-fliegt-weltweit-aus-dem-go… ∗∗∗ Awaken Likho is awake: new techniques of an APT group ∗∗∗ --------------------------------------------- Kaspersky experts have discovered a new version of the APT Awaken Likho RAT Trojan, which uses AutoIt scripts and the MeshCentral system to target Russian organizations. --------------------------------------------- https://securelist.com/awaken-likho-apt-new-implant-campaign/114101/ ∗∗∗ HUMINT and its Role within Cybersecurity ∗∗∗ --------------------------------------------- This blog explores HUMINTs role in cybersecurity, detailing its implementation, benefits, and potential risks. --------------------------------------------- https://www.sans.org/blog/humint-and-its-role-within-cybersecurity ∗∗∗ Largest Recorded DDoS Attack is 3.8 Tbps ∗∗∗ --------------------------------------------- Cloudflare just blocked the current record DDoS attack: 3.8 terabits per second. (Lots of good information on the attack, and DDoS in general, at the link.) --------------------------------------------- https://www.schneier.com/blog/archives/2024/10/largest-recorded-ddos-attack… ∗∗∗ Critical Apache Avro SDK Flaw Allows Remote Code Execution in Java Applications ∗∗∗ --------------------------------------------- A critical security flaw has been disclosed in the Apache Avro Java Software Development Kit (SDK) that, if successfully exploited, could allow the execution of arbitrary code on susceptible instances.The flaw, tracked as CVE-2024-47561, .. --------------------------------------------- https://thehackernews.com/2024/10/critical-apache-avro-sdk-flaw-allows.html ∗∗∗ Chinesische Hacker stehlen sensible Daten von US-Gerichten ∗∗∗ --------------------------------------------- Via Internetdienstanbieter verschafft sich die "Salt Typhoon"-Kampagne Zugriff zu heiklen Daten. US-Behörden befürchten weitere Angriffe --------------------------------------------- https://www.derstandard.at/story/3000000239609/chinesische-hacker-stehlen-s… ∗∗∗ No Way to Hide: Uncovering New Campaigns from Daily Tunneling Detection ∗∗∗ --------------------------------------------- Four DNS tunneling campaigns identified through a new machine learning tool expose intricate tactics when targeting vital sectors like finance, healthcare and more. --------------------------------------------- https://unit42.paloaltonetworks.com/detecting-dns-tunneling-campaigns/ ∗∗∗ From Pwn2Own Automotive: More Autel Maxicharger Vulnerabilities ∗∗∗ --------------------------------------------- This blog post highlights two additional vulnerabilities in the Autel Maxicharger that were exploited at Pwn2Own Automotive 2024. Details of the patches are also included. --------------------------------------------- https://www.thezdi.com/blog/2024/10/2/from-pwn2own-automotive-more-autel-ma… ∗∗∗ Russian state media company operation disrupted by ‘unprecedented’ cyberattack ∗∗∗ --------------------------------------------- Russian state television and radio broadcasting company VGTRK was hit by a cyberattack on Monday that disrupted its operations, the company confirmed in a statement to local news agencies. --------------------------------------------- https://therecord.media/russian-state-media-company-disrupted-cyberattack ∗∗∗ Engaging with Boards to improve the management of cyber security risk ∗∗∗ --------------------------------------------- How to communicate more effectively with board members to improve cyber security decision making. --------------------------------------------- https://www.ncsc.gov.uk/guidance/board-level-cyber-discussions-communicatin… ∗∗∗ Forensic Readiness in Container Environments ∗∗∗ --------------------------------------------- One of the most frustrating issues that Digital Forensics and Incident Response (DFIR) consultants encounter is a lack of forensic data available for analysis. This article aims to mitigate such situations by providing key considerations for improving forensic readiness. --------------------------------------------- https://www.nccgroup.com/us/research-blog/forensic-readiness-in-container-e… ===================== = Vulnerabilities = ===================== ∗∗∗ DSA-5785-1 mediawiki - security update ∗∗∗ --------------------------------------------- Dom Walden discovered that the AbuseFilter extension in MediaWiki, a website engine for collaborative work, performed incomplete authorisation checks. --------------------------------------------- https://lists.debian.org/debian-security-announce/2024/msg00198.html ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (go-toolset:rhel8 and linux-firmware), Arch Linux (oath-toolkit), Debian (e2fsprogs, firefox-esr, libgsf, mediawiki, and oath-toolkit), Fedora (aws, chromium, firefox, p7zip, pgadmin4, python-gcsfs, unbound, webkitgtk, znc, znc-clientbuffer, and znc-push), Mageia (ghostscript and rootcerts nss firefox firefox-l10n), .. --------------------------------------------- https://lwn.net/Articles/993160/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0