- Daily - CERT.at

Tageszusammenfassung - 14.05.2024
by Daily end-of-shift report 14 May '24

14 May '24

===================== = End-of-Day report = ===================== Timeframe: Montag 13-05-2024 18:00 − Dienstag 14-05-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ PyPi package backdoors Macs using the Sliver pen-testing suite ∗∗∗ --------------------------------------------- A new package mimicked the popular requests library on the Python Package Index (PyPI) to target macOS devices with the Sliver C2 adversary framework, used for gaining initial access to corporate .. --------------------------------------------- https://www.bleepingcomputer.com/news/security/pypi-package-backdoors-macs-… ∗∗∗ Apple and Google add alerts for unknown Bluetooth trackers to iOS, Android ∗∗∗ --------------------------------------------- On Monday, Apple and Google jointly announced a new privacy feature that warns Android and iOS users when an unknown Bluetooth tracking device travels with .. --------------------------------------------- https://www.bleepingcomputer.com/news/security/apple-and-google-add-alerts-… ∗∗∗ Incident response analyst report 2023 ∗∗∗ --------------------------------------------- The report shares statistics and observations from incident response practice in 2023, analyzes trends and gives cybersecurity recommendations. --------------------------------------------- https://securelist.com/kaspersky-incident-response-report-2023/112504/ ∗∗∗ Apple Patches Everything: macOS, iOS, iPadOS, watchOS, tvOS updated., (Tue, May 14th) ∗∗∗ --------------------------------------------- Apple today released updates for its various operating systems. The updates cover iOS, iPadOS, macOS, watchOS and tvOS. A standalone update for Safari was released for older versions of macOS. One already exploited vulnerability, CVE-2024-23296 is patched for older versions of macOS and iOS. In March, Apple patched this vulnerability for more recent versions of iOS and macOS. --------------------------------------------- https://isc.sans.edu/diary/rss/30916 ∗∗∗ Ongoing Campaign Bombarded Enterprises with Spam Emails and Phone Calls ∗∗∗ --------------------------------------------- Cybersecurity researchers have uncovered an ongoing social engineering campaign that bombards enterprises with spam emails with the goal of obtaining initial access to their environments for follow-on exploitation. --------------------------------------------- https://thehackernews.com/2024/05/ongoing-campaign-bombarded-enterprises.ht… ∗∗∗ Critical Flaws in Cacti Framework Could Let Attackers Execute Malicious Code ∗∗∗ --------------------------------------------- The maintainers of the Cacti open-source network monitoring and fault management framework have addressed a dozen security flaws, including two critical issues that could lead to the execution of arbitrary code.The most severe of the vulnerabilities are listed below -CVE-2024-25641 (CVSS score: 9.1) - An arbitrary file write vulnerability in the "Package Import" feature that --------------------------------------------- https://thehackernews.com/2024/05/critical-flaws-in-cacti-framework-could.h… ∗∗∗ Log4J shows no sign of fading, spotted in 30% of CVE exploits ∗∗∗ --------------------------------------------- Organizations continue to run insecure protocols across their wide access networks (WAN), making it easier for cybercriminals to move across networks, according to a Cato Networks survey. Enterprises are too trusting within their networks The Cato CTRL SASE Threat Report Q1 2024 provides insight into the security threats and their .. --------------------------------------------- https://www.helpnetsecurity.com/2024/05/14/log4j-wan-insecure-protocols/ ∗∗∗ Google Patches Second Chrome Zero-Day in One Week ∗∗∗ --------------------------------------------- Google has announced patches for another Chrome vulnerability that has been exploited in attacks. This is the second zero-day addressed by the company in one week and the third flaw leveraged in malicious attacks in 2024. The new zero-day, tracked as CVE-2024-4761, has been described as a high-severity out-of-bounds write issue .. --------------------------------------------- https://www.securityweek.com/google-patches-second-chrome-zero-day-in-one-w… ∗∗∗ Falsche Gewinnbenachrichtigungen in echten Gewinnspielen ∗∗∗ --------------------------------------------- An einem Facebook-Gewinnspiel teilgenommen? Vorsicht, Kriminelle nutzen echte Gewinnspiele für Betrugsmaschen. Mit Fake-Profilen kommentieren sie die Kommentare der Teilnehmer:innen und behaupten, sie hätten gewonnen. Mit einem Link locken sie auf eine betrügerische Webseite. Wir zeigen Ihnen, wie Sie sicher an Gewinnspielen teilnehmen! --------------------------------------------- https://www.watchlist-internet.at/news/falsche-gewinnbenachrichtigungen-in-… ∗∗∗ Foxit PDF Reader “Flawed Design” : Hidden Dangers Lurking in Common Tools ∗∗∗ --------------------------------------------- Heightened vulnerability: Check Point Research has identified an unusual pattern of behavior involving PDF exploitation, mainly targeting users of Foxit PDF Reader. This exploit triggers security warnings that could deceive unsuspecting users into executing harmful commands, exploiting human psychology to manipulate users into accidentally providing .. --------------------------------------------- https://blog.checkpoint.com/research/foxit-pdf-reader-flawed-design-hidden-… ∗∗∗ Guidance for organisations considering payment in ransomware incidents ∗∗∗ --------------------------------------------- Advice for organisations experiencing a ransomware attack and the partner organisations supporting them. --------------------------------------------- https://www.ncsc.gov.uk/guidance/organisations-considering-payment-in-ranso… ∗∗∗ Avast Q1/2024 Threat Report ∗∗∗ --------------------------------------------- Nearly 90% of Threats Blocked are Social Engineering, Revealing a Huge Surge of Scams, and Discovery of the Lazarus APT CampaignThe post Avast Q1/2024 Threat Report appeared first on Avast Threat Labs. --------------------------------------------- https://decoded.avast.io/threatresearch/avast-q1-2024-threat-report/ ===================== = Vulnerabilities = ===================== ∗∗∗ TYPO3-CORE-SA-2024-010: Uncontrolled Resource Consumption in ShowImageController ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-core-sa-2024-010 ∗∗∗ TYPO3-CORE-SA-2024-009: Cross-Site Scripting in ShowImageController ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-core-sa-2024-009 ∗∗∗ TYPO3-CORE-SA-2024-008: Cross-Site Scripting in Form Manager Module ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-core-sa-2024-008 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- https://lwn.net/Articles/973667/ ∗∗∗ Security Vulnerabilities fixed in Firefox ESR 115.11 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2024-22/ ∗∗∗ Security Vulnerabilities fixed in Firefox 126 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2024-21/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.05.2024
by Daily end-of-shift report 13 May '24

13 May '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 10-05-2024 18:00 − Montag 13-05-2024 18:00 Handler: Alexander Riepl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ GoTo Meeting loads Remcos RAT via Rust Shellcode Loader ∗∗∗ --------------------------------------------- Legitimate applications can unwittingly become conduits for malware execution. This is also the case for recent malware loaders which abuse GoTo Meeting, an online meeting software, to deploy Remcos RAT. --------------------------------------------- https://www.gdatasoftware.com/blog/2024/05/37906-gotomeeting-loads-remcos ∗∗∗ API missbraucht: Hacker teilt Details zum Cyberangriff auf Dell ∗∗∗ --------------------------------------------- Ein Cyberkrimineller hat rund 49 Millionen Kundendatensätze von Dell abgegriffen. Möglich gewesen ist ihm dies über eine unzureichend geschützte API eines Partnerportals. --------------------------------------------- https://www.golem.de/news/api-missbraucht-hacker-teilt-details-zum-cyberang… ∗∗∗ FIN7 Hacker Group Leverages Malicious Google Ads to Deliver NetSupport RAT ∗∗∗ --------------------------------------------- The financially motivated threat actor known as FIN7 has been observed leveraging malicious Google ads spoofing legitimate brands as a means to deliver MSIX installers that culminate in the deployment of NetSupport RAT. --------------------------------------------- https://thehackernews.com/2024/05/fin7-hacker-group-leverages-malicious.html ∗∗∗ Vorsicht vor falschen Anrufen von PayPal oder Amazon ∗∗∗ --------------------------------------------- Derzeit werden uns vermehrt Anrufe im Namen von PayPal und Amazon gemeldet. Die Kriminellen geben vor, ein Problem mit Ihrem Konto zu haben und bieten Ihnen telefonische Hilfe an. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-falschen-anrufen-von-pa… ∗∗∗ Leveraging DNS Tunneling for Tracking and Scanning ∗∗∗ --------------------------------------------- We provide a walkthrough of how attackers leverage DNS tunneling for tracking and scanning, an expansion of the way this technique is usually exploited. --------------------------------------------- https://unit42.paloaltonetworks.com/three-dns-tunneling-campaigns/ ∗∗∗ Side-by-Side with HelloJackHunter: Unveiling the Mysteries of WinSxS ∗∗∗ --------------------------------------------- This post explores Windows Side-by-Side (WinSxS) and DLL hijacking, deep-diving some tooling Ive written and some of the fun along the way. --------------------------------------------- https://blog.zsec.uk/hellojackhunter-exploring-winsxs/ ∗∗∗ Not all scams are easy to spot ∗∗∗ --------------------------------------------- Even the most intelligent individuals can fall victim to scams due to coincidental timing and convincing tactics, so staying skeptical, verifying communications and using anti-scam tools is key to reducing the risk. --------------------------------------------- https://www.emsisoft.com/en/blog/45650/not-all-scams-are-easy-to-spot/ ∗∗∗ Europol sperrt eigenes Forum nach erfolgreichem Einbruch ∗∗∗ --------------------------------------------- Die europäische Polizeibehörde hat ihren Dienst "Europol for Experts" vom Netz genommen. Zuvor waren unter anderem Strategiepapiere daraus angeboten worden. --------------------------------------------- https://heise.de/-9715410 ∗∗∗ Ransomware Black Basta zählt nach zwei Jahren weltweit über 500 Opfer ∗∗∗ --------------------------------------------- Das FBI teilt wichtige Fakten im Kampf gegen den Erpressungstrojaner Black Basta. Die Ransomware macht auch vor kritischen Infrastrukturen nicht halt. --------------------------------------------- https://heise.de/-9715674 ===================== = Vulnerabilities = ===================== ∗∗∗ Widely used modems in industrial IoT devices open to SMS attack ∗∗∗ --------------------------------------------- Security flaws in Telit Cinterion cellular modems, widely used in sectors including industrial, healthcare, and telecommunications, could allow remote attackers to execute arbitrary code via SMS. --------------------------------------------- https://www.bleepingcomputer.com/news/security/widely-used-modems-in-indust… ∗∗∗ Malicious Python Package Hides Sliver C2 Framework in Fake Requests Library Logo ∗∗∗ --------------------------------------------- Cybersecurity researchers have identified a malicious Python package that purports to be an offshoot of the popular requests library and has been found concealing a Golang-version of the Sliver command-and-control (C2) framework within a PNG image of the projects logo. --------------------------------------------- https://thehackernews.com/2024/05/malicious-python-package-hides-sliver.html ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (nodejs:18 and shim), Debian (atril and chromium), Fedora (chromium, glib2, gnome-shell, mediawiki, php-wikimedia-cdb, php-wikimedia-utfnormal, stb, and tcpdump), Gentoo (Kubelet, PoDoFo, Rebar3, and thunderbird), Mageia (glibc and libnbd), Oracle (kernel), Red Hat (bind and dhcp and varnish), and SUSE (chromium, cpio, freerdp, giflib, gnutls, opera, python-Pillow, python-Werkzeug, tinyproxy, and tpm2-0-tss). --------------------------------------------- https://lwn.net/Articles/973496/ ∗∗∗ Microsoft fixt DLL-Hijacking-Schwachstelle in Store-App Telemetrie-Wrapper-Installer ∗∗∗ --------------------------------------------- Microsoft hat damit vor einiger Zeit seine Store-Apps mit einem neuen Installer versehen. Dieser enthält einen ausführbaren .NET-Wrapper der Telemetrie und weiteren Code in die App integriert. In der ersten Version wies dieser .NET-Wrapper aber eine DLL-Hijacking-Schwachstelle auf [...] --------------------------------------------- https://www.borncity.com/blog/2024/05/11/microsoft-fixt-dll-hijacking-schwa… ∗∗∗ Self-Signed Zertifikate im SAP® Cloud Connector zugelassen ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/self-signed-zertifika… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.05.2024
by Daily end-of-shift report 10 May '24

10 May '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 08-05-2024 18:00 − Freitag 10-05-2024 18:00 Handler: Alexander Riepl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Datenschutzvorfall: Dell informiert über Abfluss von Kundendaten ∗∗∗ --------------------------------------------- Zu den abgeflossenen Informationen zählen laut Dell Namen, Adressdaten sowie weitere Daten über Bestellungen und darin enthaltene Dell-Hardware. --------------------------------------------- https://www.golem.de/news/datenschutzvorfall-dell-informiert-ueber-abfluss-… ∗∗∗ APT trends report Q1 2024 ∗∗∗ --------------------------------------------- The report features the most significant developments relating to APT groups in Q1 2024, including the new malware campaigns DuneQuixote and Durian, and hacktivist activity. --------------------------------------------- https://securelist.com/apt-trends-report-q1-2024/112473/ ∗∗∗ Mirai Botnet Exploits Ivanti Connect Secure Flaws for Malicious Payload Delivery ∗∗∗ --------------------------------------------- Two recently disclosed security flaws in Ivanti Connect Secure (ICS) devices are being exploited to deploy the infamous Mirai botnet. --------------------------------------------- https://thehackernews.com/2024/05/mirai-botnet-exploits-ivanti-connect.html ∗∗∗ GhostStripe attack haunts self-driving cars by making them ignore road signs ∗∗∗ --------------------------------------------- Six boffins mostly hailing from Singapore-based universities have proven it's possible to attack autonomous vehicles by exploiting the system's reliance on camera-based computer vision and cause it to not recognize road signs. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2024/05/10/baidu_apollo… ∗∗∗ Back to the Hype: An Update on How Cybercriminals Are Using GenAI ∗∗∗ --------------------------------------------- Generative AI continues to be misused and abused by malicious individuals. In this article, we dive into new criminal LLMs, criminal services with ChatGPT-like capabilities, and deepfakes being offered on criminal sites. --------------------------------------------- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-th… ∗∗∗ Zscaler Investigates Hacking Claims After Data Offered for Sale ∗∗∗ --------------------------------------------- Zscaler says its customer, production and corporate environments are not impacted after a notorious hacker offers to sell access. --------------------------------------------- https://www.securityweek.com/zscaler-investigates-hacking-claims-after-data… ∗∗∗ With nation-state threats in mind, nearly 70 software firms agree to Secure by Design pledge ∗∗∗ --------------------------------------------- The nation’s top cybersecurity agency said 68 of the world’s leading software manufacturers have signed on to a voluntary pledge to design products that have security built in from the beginning. --------------------------------------------- https://therecord.media/secure-by-design-companies-cisa-rsa ∗∗∗ In interview, LockbitSupp says authorities outed the wrong guy ∗∗∗ --------------------------------------------- The leader of the LockBit ransomware gang, who goes by the name LockbItSupp, told Click Here in an interview that international law enforcement has made a mistake. --------------------------------------------- https://therecord.media/lockbitsupp-interview-ransomware-cybercrime-lockbit ∗∗∗ Krypto-Betrüger: Sechs Österreicher festgenommen ∗∗∗ --------------------------------------------- Weil sie einen Online-Handel mit angeblich neuer Kryptowährung aufgezogen und damit Investoren abgezockt haben, wurden nun sechs Österreicher verhaftet. --------------------------------------------- https://heise.de/-9714300 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (ansible-core, avahi, bind, buildah, containernetworking-plugins, edk2, fence-agents, file, freeglut, freerdp, frr, git-lfs, gnutls, golang, grafana, grafana-pcp, gstreamer1-plugins-bad-free, gstreamer1-plugins-base, gstreamer1-plugins-good, harfbuzz, httpd, ipa, libjpeg-turbo, libnbd, LibRaw, libreswan, libsndfile, libssh, libtiff, libvirt, libX11, libXpm, mingw components, mingw-glib2, mingw-pixman, mod_http2, mod_jk and mod_proxy_cluster, motif, [...] --------------------------------------------- https://lwn.net/Articles/973071/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (container-tools:4.0, container-tools:rhel8, git-lfs, glibc, libxml2, nodejs:18, and nodejs:20), Debian (dav1d and libpgjava), Fedora (kernel and pypy), Red Hat (glibc and nodejs:16), SUSE (ffmpeg, ffmpeg-4, ghostscript, go1.21, go1.22, less, python-python-jose, python-Werkzeug, and sssd), and Ubuntu (fossil, glib2.0, and libspreadsheet-parsexlsx-perl). --------------------------------------------- https://lwn.net/Articles/973206/ ∗∗∗ Admins müssen selbst handeln: PuTTY-Sicherheitslücke bedroht Citrix Hypervisor ∗∗∗ --------------------------------------------- Um XenCenter für Citrix Hypervisor abzusichern, müssen Admins händisch ein Sicherheitsupdate für das SSH-Tool PuTTY installieren. --------------------------------------------- https://heise.de/-9713898 ∗∗∗ Google Chrome: Exploit für Zero-Day-Lücke gesichtet ∗∗∗ --------------------------------------------- In Googles Webbrowser Chrome klafft eine Sicherheitslücke, für die ein Exploit existiert. Google reagiert mit einem Notfall-Update. --------------------------------------------- https://heise.de/-9714519 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ 2024-05 Reference Advisory: Junos OS and Junos OS Evolved: Multiple CVEs reported in OpenSSH ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-05-Reference-Advisory-Juno… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.05.2024
by Daily end-of-shift report 08 May '24

08 May '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 07-05-2024 18:00 − Mittwoch 08-05-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Der Briefkasten daheim als Einfallstor für Internet-Betrugsmaschen? ∗∗∗ --------------------------------------------- Online-Betrug lauert nicht nur im Internet. Zu Anrufen und SMS, die oft in Online-Betrugsmaschen führen, gesellt sich nun auch der Postkasten des Eigenheims als Einfallstor für Kriminelle hinzu. Sie nutzen die Briefkästen ihrer Opfer beispielsweise, um Sendungen aus Bestellbetrug zu erhalten, Daten und in weiterer Folge Geld zu stehlen oder um betrügerische Handwerksdienste und dazugehörige Websites zu bewerben. --------------------------------------------- https://www.watchlist-internet.at/news/der-briefkasten-daheim-als-einfallst… ∗∗∗ Massive webshop fraud ring steals credit cards from 850,000 people ∗∗∗ --------------------------------------------- A massive network of 75,000 fake online shops called BogusBazaar tricked over 850,000 people in the US and Europe into making purchases, allowing the criminals to steal credit card information and attempt to process an estimated $50 million in fake orders. --------------------------------------------- https://www.bleepingcomputer.com/news/security/massive-webshop-fraud-ring-s… ∗∗∗ Detecting XFinity/Comcast DNS Spoofing, (Mon, May 6th) ∗∗∗ --------------------------------------------- DNS interception, even if well-meaning, does undermine some of the basic "internet trust issues". Even if it is used to block users from malicious sites, it needs to be properly declared to the user, and switches to turn it off will have to function. This could be a particular problem if queries to other DNS filtering services are intercepted. I have yet to test this for Comcast and, for example, OpenDNS. --------------------------------------------- https://isc.sans.edu/diary/rss/30898 ∗∗∗ Analyzing Synology Disks on Linux, (Wed, May 8th) ∗∗∗ --------------------------------------------- Synology NAS solutions are popular devices. They are also used in many organizations. [..] They offer multiple disk management options but rely on many open-source software (like most appliances). [..] Synology NAS run a Linux distribution called DSM. This operating system has plenty of third-party tools but lacks pure forensics tools. In a recent investigation, I had to investigate a NAS that was involved in a ransomware attack. Many files (backups) were deleted. The attacker just deleted some shared folders. --------------------------------------------- https://isc.sans.edu/diary/rss/30904 ∗∗∗ Hijack Loader Malware Employs Process Hollowing, UAC Bypass in Latest Version ∗∗∗ --------------------------------------------- A newer version of a malware loader called Hijack Loader has been observed incorporating an updated set of anti-analysis techniques to fly under the radar. --------------------------------------------- https://thehackernews.com/2024/05/hijack-loader-malware-employs-process.html ∗∗∗ New Spectre-Style Pathfinder Attack Targets Intel CPU, Leak Encryption Keys and Data ∗∗∗ --------------------------------------------- Researchers have discovered two novel attack methods targeting high-performance Intel CPUs that could be exploited to stage a key recovery attack against the Advanced Encryption Standard (AES) algorithm. The techniques have been collectively dubbed Pathfinder by a group of academics from the University of California San Diego, Purdue University, UNC Chapel Hill, Georgia Institute of Technology, and Google. [..] Following responsible disclosure in November 2023, Intel, in an advisory released last month, said Pathfinder builds on Spectre v1 attacks and that previously deployed mitigations for Spectre v1 and traditional side-channels mitigate the reported exploits. There is no evidence that it impacts AMD CPUs. --------------------------------------------- https://thehackernews.com/2024/05/new-spectre-style-pathfinder-attack.html ∗∗∗ Ghidra nanoMIPS ISA module ∗∗∗ --------------------------------------------- Here we will demonstrate how to load a MediaTek baseband firmware into Ghidra for analysis with our nanoMIPS ISA module. --------------------------------------------- https://research.nccgroup.com/2024/05/07/ghidra-nanomips-isa-module/ ∗∗∗ Vorsicht vor gefälschten Online-Banking-Seiten auf Bing, Google & Co ∗∗∗ --------------------------------------------- Kriminelle schalten Anzeigen in Suchmaschinen (vor allem BING) und locken so Opfer auf gefälschte Online-Banking-Seiten. Vorsicht: Wenn Sie hier Ihre Daten eingeben, können hohe Beträge von Ihrem Konto abgebucht werden! Vergewissern Sie sich immer, dass Sie auf der echten Login-Seite Ihrer Bank sind! --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschtes-online-banking-suchmasc… ∗∗∗ RemcosRAT Distributed Using Steganography ∗∗∗ --------------------------------------------- AhnLab SEcurity intelligence Center (ASEC) has recently identified RemcosRAT being distributed using the steganography technique. Attacks begin with a Word document using the template injection technique, after which an RTF that exploits a vulnerability in the equation editor (EQNEDT32.EXE) is downloaded and executed. --------------------------------------------- https://asec.ahnlab.com/en/65111/ ===================== = Vulnerabilities = ===================== ∗∗∗ F5: K000139404: Quarterly Security Notification (May 2024) ∗∗∗ --------------------------------------------- F5 has released 13 security advisories (7x high, 6x medium) and 3 security exposures. --------------------------------------------- https://my.f5.com/manage/s/article/K000139404 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (glib2.0 and php7.3), Gentoo (Commons-BeanUtils, Epiphany, glibc, MariaDB, Node.js, NVIDIA Drivers, qtsvg, rsync, U-Boot tools, and ytnef), Oracle (kernel), Red Hat (git-lfs and kernel), SUSE (flatpak, less, python311, rpm, and sssd), and Ubuntu (libde265, libvirt, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-ibm, linux-ibm-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, linux-oem-6.5, and nghttp2). --------------------------------------------- https://lwn.net/Articles/972861/ ∗∗∗ WordPress: Cross-Site-Scripting-Schwachstelle in älteren Cores; und WordPress 6.5.3 verfügbar ∗∗∗ --------------------------------------------- Ich hoffe, ihr seid auf der aktuellen WordPress-Version, denn in älteren WordPress-Versionen gibt es eine Cross-Site-Scripting-Schwachstelle [..] und wer LightSpeed Cache als Plugin nutzt, sollte dringend updaten. --------------------------------------------- https://www.borncity.com/blog/2024/05/07/wordpress-cross-site-scripting-sch… ∗∗∗ VMware Avi Load Balancer: Rechteausweitung zu root möglich ∗∗∗ --------------------------------------------- Im Load Balancer VMware Avi können Angreifer ihre Rechte erhöhen oder unbefugt auf Informationen zugreifen. Updates korrigieren das. --------------------------------------------- https://heise.de/-9711733 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.05.2024
by Daily end-of-shift report 07 May '24

07 May '24

===================== = End-of-Day report = ===================== Timeframe: Montag 06-05-2024 18:00 − Dienstag 07-05-2024 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ New Case Study: The Malicious Comment ∗∗∗ --------------------------------------------- How safe is your comments section? Discover how a seemingly innocent thank you comment on a product page concealed a malicious vulnerability, underscoring the necessity of robust security measures. --------------------------------------------- https://thehackernews.com/2024/05/new-case-study-malicious-comment.html ∗∗∗ Ransomware evolves from mere extortion to psychological attacks ∗∗∗ --------------------------------------------- RSAC Ransomware infections and extortion attacks have become "a psychological attack against the victim organization," as criminals use increasingly personal and aggressive tactics to force victims to pay up. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2024/05/07/ransomware_e… ∗∗∗ Betrug am Telefon: Kriminelle täuschen hohe Abbuchungen vor ∗∗∗ --------------------------------------------- Vorsicht, wenn Ihnen jemand am Telefon erklärt, dass es „versteckte Abbuchungen“ von Ihrem Bankkonto gibt. Hierbei handelt es sich um eine Betrugsmasche. Um glaubwürdig zu wirken, nennen die Kriminellen persönliche Daten von Ihnen. Diese wurden aber im Zuge einer Phishing-Falle gesammelt. Legen Sie auf! --------------------------------------------- https://www.watchlist-internet.at/news/betrug-am-telefon-kriminelle-taeusch… ∗∗∗ Ein Kopf (Administrator) der LockBit-Gruppe enttarnt? ∗∗∗ --------------------------------------------- Der "Kopf" und gleichzeitig Administrator der Ransomware-Gruppe LockBit ist laut Mitteilung der Strafverfolger identifiziert. --------------------------------------------- https://www.borncity.com/blog/2024/05/07/ein-kopf-administrator-der-lockbit… ===================== = Vulnerabilities = ===================== ∗∗∗ TunnelVision (CVE-2024-3661): How Attackers Can Decloak Routing-Based VPNs For a Total VPN Leak ∗∗∗ --------------------------------------------- Recently, we identified a novel network technique that bypasses VPN encapsulation. An attacker can use this technique to force a target user’s traffic off their VPN tunnel using built-in features of DHCP (Dynamic Host Configuration Protocol). --------------------------------------------- https://www.leviathansecurity.com/blog/tunnelvision ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (kernel), Gentoo (libjpeg-turbo, xar, and Xpdf), Red Hat (bind, dhcp and glibc), and SUSE (bouncycastle, curl, flatpak, less, and xen). --------------------------------------------- https://lwn.net/Articles/972679/ ∗∗∗ Android-Patchday: Angreifer können Rechte im System ausweiten ∗∗∗ --------------------------------------------- Google schließt am Android-Patchday mehrere Lücken, durch die Angreifer ihre Rechte ausweiten können. --------------------------------------------- https://heise.de/-9710075 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ PTC Codebeamer ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-128-01 ∗∗∗ SUBNET Substation Server ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-128-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.05.2024
by Daily end-of-shift report 06 May '24

06 May '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 03-05-2024 18:00 − Montag 06-05-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Vorsicht vor gefälschten RTR-Briefen ∗∗∗ --------------------------------------------- Kriminelle geben sich in einem Brief als Rundfunk und Telekom Regulierungs-GmbH (RTR) aus. Im Schreiben steht, dass für den Anschluss an Mobilfunknetze und die Wartung von Basisstationen ein Entgelt von € 8,90 zu bezahlen sei. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-gefaelschten-rtr-briefe… ∗∗∗ Microsoft: Sicherheit oberste Priorität in Produkten, Diensten und intern ∗∗∗ --------------------------------------------- In einem internen Memo und einem Blogpost stellt Microsoft Security bei allen Entwicklungen an erste Stelle. Das gilt für Produkte wie Services. [..] Charlie Bell zufolge will sich sein Unternehmen strikt an die Vorgaben des CSRB halten. --------------------------------------------- https://heise.de/-9708577 ∗∗∗ Breaking down Microsoft’s pivot to placing cybersecurity as a top priority ∗∗∗ --------------------------------------------- Recently, Microsoft had quite frankly a kicking from the US Department of Homeland Security over their security practices in a Cyber Safety Review Board report. I’ve tried to keep as quiet as possible about this one for various reasons (and I was not involved in the CSRB report, even anonymously) — although long time followers will know I’ve been often critical of Microsoft’s security posture. The CSRB report is well worth a read — they did a great job. [..] As always, the proof is in the pudding, not the vendor blog. I think these changes will take a few years to start to work through, and fully expect a few more clanger breaches in the mean time. And that’s annoying but okay, because hard work is hard. --------------------------------------------- https://doublepulsar.com/breaking-down-microsofts-pivot-to-placing-cybersec… ∗∗∗ Critical Tinyproxy Flaw Opens Over 50,000 Hosts to Remote Code Execution ∗∗∗ --------------------------------------------- More than 50% of the 90,310 hosts have been found exposing a Tinyproxy service on the internet thats vulnerable to a critical unpatched security flaw in the HTTP/HTTPS proxy tool. The issue, tracked as CVE-2023-49606, carries a CVSS score of 9.8 out of a maximum of 10, per Cisco Talos, which described it as a use-after-free bug impacting versions 1.10.0 and 1.11.1, which is the latest version. --------------------------------------------- https://thehackernews.com/2024/05/critical-tinyproxy-flaw-opens-over.html ∗∗∗ Lockbits seized site comes alive to tease new police announcements ∗∗∗ --------------------------------------------- The NCA, FBI, and Europol have revived a seized LockBit ransomware data leak site to hint at new information being revealed by law enforcement this Tuesday. --------------------------------------------- https://www.bleepingcomputer.com/news/security/lockbits-seized-site-comes-a… ∗∗∗ Why Your VPN May Not Be As Secure As It Claims ∗∗∗ --------------------------------------------- Virtual private networking (VPN) companies market their services as a way to prevent anyone from snooping on your Internet usage. But new research suggests this is a dangerous assumption when connecting to a VPN via an untrusted network, because attackers on the same network could force a targets traffic off of the protection provided by their VPN without triggering any alerts to the user. --------------------------------------------- https://krebsonsecurity.com/2024/05/why-your-vpn-may-not-be-as-secure-as-it… ∗∗∗ Financial cyberthreats in 2023 ∗∗∗ --------------------------------------------- In this report, we share our insights into the 2023 trends and statistics on financial threats, such as phishing, PC and mobile banking malware. --------------------------------------------- https://securelist.com/financial-threat-report-2023/112526/ ∗∗∗ HijackLoader Updates ∗∗∗ --------------------------------------------- HijackLoader (a.k.a. IDAT Loader) is a malware loader initially spotted in 2023 that is capable of using a variety of modules for code injection and execution. It uses a modular architecture, a feature that most loaders do not have – which we discussed in a previous HijackLoader blog. ThreatLabz researchers recently analyzed a new HijackLoader sample that has updated evasion techniques. --------------------------------------------- https://www.zscaler.com/blogs/security-research/hijackloader-updates ∗∗∗ New Goldoon Botnet Targeting D-Link Devices by Exploiting 9-Year-Old Flaw ∗∗∗ --------------------------------------------- By WaqasA new botnet called Goldoon targets D-Link routers and NAS devices putting them at risk of DDoS attacks and more. Learn how weak credentials leave you vulnerable and how to secure your network. pen_sparkThis is a post from HackRead.com Read the original post: New Goldoon Botnet Targeting D-Link Devices by Exploiting 9-Year-Old Flaw --------------------------------------------- https://www.hackread.com/goldoon-botnet-targeting-d-link-devices/ ∗∗∗ End-to-end encryption may be the bane of cops, but they cant close that Pandoras Box ∗∗∗ --------------------------------------------- Police can complain all they like about strong end-to-end encryption making their jobs harder, but it doesn't matter because the technology is here and won't go away. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2024/05/05/e2ee_police/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (glibc, intel-microcode, less, libkf5ksieve, and ruby3.1), Fedora (chromium, gdcm, httpd, and stalld), Gentoo (Apache Commons BCEL, borgmatic, Dalli, firefox, HTMLDOC, ImageMagick, MediaInfo, MediaInfoLib, MIT krb5, MPlayer, mujs, Pillow, Python, PyPy3, QtWebEngine, Setuptools, strongSwan, and systemd), Oracle (grub2 and shim), Red Hat (git-lfs, kpatch-patch, unbound, and varnish), and SUSE (avahi, grafana and mybatis, java-11-openjdk, java-17-openjdk, skopeo, SUSE Manager Client Tools, SUSE Manager Salt Bundle, and SUSE Manager Server 4.3). --------------------------------------------- https://lwn.net/Articles/972571/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.05.2024
by Daily end-of-shift report 03 May '24

03 May '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 02-05-2024 18:00 − Freitag 03-05-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Microsoft rolls out passkey auth for personal Microsoft accounts ∗∗∗ --------------------------------------------- Microsoft announced that Windows users can now log into their Microsoft consumer accounts using a passkey, allowing users to authenticate using password-less methods such as Windows Hello, FIDO2 security keys, biometric data (facial scans or fingerprints), or device PINs. [..] Microsoft had already added passkey support to Windows for logging into websites and applications, but with the additional support for Microsoft accounts, consumers can now easily log in without entering a password. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-rolls-out-passkey… ∗∗∗ Scans Probing for LB-Link and Vinga WR-AC1200 routers CVE-2023-24796, (Thu, May 2nd) ∗∗∗ --------------------------------------------- Before diving into the vulnerability, a bit about the affected devices. LB-Link, the make of the devices affected by this vulnerability, produces various wireless equipment that is sometimes sold under different brands and labels. This will make it difficult to identify affected devices. These devices are often low-cost "no name" solutions or, in some cases, may even be embedded, which makes it even more difficult to find firmware updates. [..] And yes, the vulnerability evolves around the "user=admin" cookie and a command injection in the password parameter. This is too stupid to waste any more time on, but it is common enough to just give up and call it a day. --------------------------------------------- https://isc.sans.edu/diary/rss/30890 ∗∗∗ Mal.Metrica Redirects Users to Scam Sites ∗∗∗ --------------------------------------------- One of our analysts recently identified a new Mal.Metrica redirect scam on compromised websites, but one that requires a little bit of effort on the part of the victim. It’s another lesson for web users to be careful what they click on, and to be wary of anything suspicious that pops up in their browser — even if it’s coming from a website that they would otherwise trust. --------------------------------------------- https://blog.sucuri.net/2024/05/mal-metrica-redirects-users-to-scam-sites.h… ∗∗∗ Hackers Increasingly Abusing Microsoft Graph API for Stealthy Malware Communications ∗∗∗ --------------------------------------------- Since January 2022, multiple nation-state-aligned hacking groups have been observed using Microsoft Graph API for C&C. This includes threat actors tracked as APT28, REF2924, Red Stinger, Flea, APT29, and OilRig. --------------------------------------------- https://thehackernews.com/2024/05/hackers-increasingly-abusing-microsoft.ht… ∗∗∗ Europol op shutters 12 scam call centers and cuffs 21 suspected fraudsters ∗∗∗ --------------------------------------------- A Europol-led operation dubbed “Pandora” has shut down a dozen phone scam centers, and arrested 21 suspects. [..] Beginning in December 2023, German investigators deployed more than 100 officers to trace the scam calls back to the source - call centers run by crooks - and then monitored them. That effort resulted in the interception of more than 1.3 million "nefarious conversations." Baden-Württemberg State Criminal Police officers had to set up a call center of their own so that they could contact potential victims, warning more than 80 percent of them. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2024/05/03/operation_pa… ∗∗∗ These Dangerous Scammers Don’t Even Bother to Hide Their Crimes ∗∗∗ --------------------------------------------- “Yahoo Boy” cybercriminals are openly running dozens of scams across Facebook, WhatsApp, Telegram, TikTok, YouTube, and more. [..] While the Yahoo Boys have been active for years, all the experts spoken to for this piece say they should be treated more seriously by social media companies and law enforcement. --------------------------------------------- https://www.wired.com/story/yahoo-boys-scammers-facebook-telegram-tiktok-yo… ∗∗∗ Adding insult to injury: crypto recovery scams ∗∗∗ --------------------------------------------- Once your crypto has been stolen, it is extremely difficult to get back – be wary of fake promises to retrieve your funds and learn how to avoid becoming a victim twice over. --------------------------------------------- https://www.welivesecurity.com/en/scams/crypto-recovery-scams-insult-injury/ ∗∗∗ CVE-2024-2887: A Pwn2Own Winning Bug in Google Chrome ∗∗∗ --------------------------------------------- In this guest blog from Master of Pwn winner Manfred Paul, he details CVE-2024-2887 – a type confusion bug that occurs in both Google Chrome and Microsoft Edge (Chromium). He used this bug as a part of his winning exploit that led to code execution in the renderer of both browsers. This bug was quickly patched by both Google and Microsoft. Manfred has graciously provided this detailed write-up of the vulnerability and how he exploited it at the contest. --------------------------------------------- https://www.thezdi.com/blog/2024/5/2/cve-2024-2887-a-pwn2own-winning-bug-in… ∗∗∗ CISA and FBI Release Secure by Design Alert to Urge Manufacturers to Eliminate Directory Traversal Vulnerabilities ∗∗∗ --------------------------------------------- This Alert was crafted in response to recent well-publicized threat actor campaigns that exploited directory traversal vulnerabilities in software (e.g., CVE-2024-1708, CVE-2024-20345) to compromise users of the software—impacting critical infrastructure sectors, including the Healthcare and Public Health Sector. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/05/02/cisa-and-fbi-release-sec… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (chromium, grub2, httpd, kernel, libcoap, matrix-synapse, python-pip, and rust-pythonize), Red Hat (kernel and libxml2), SUSE (kernel), and Ubuntu (eglibc, glibc and php7.4, php8.1, php8.2). --------------------------------------------- https://lwn.net/Articles/972351/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.05.2024
by Daily end-of-shift report 02 May '24

02 May '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 30-04-2024 18:00 − Donnerstag 02-05-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ CVD - Notizen zur Pressekonferenz ∗∗∗ --------------------------------------------- Ich wurde eingeladen, heute bei einer Pressekonferenz von Epicenter.works am Podium zu sitzen. Es ging um einen Fall, bei dem es im Zuge einer klassischen verantwortungsvollen Offenlegung einer Schwachstelle (Responsible Disclosure, bzw Coordinated Vulnerability Disclosure [CVD]) zu einer Anzeige gekommen ist. Nachzulesen ist der Fall auf der Epicenter Webseite. Ich will hier kurz meine Notizen / Speaking Notes zusammenfassen. --------------------------------------------- https://cert.at/de/blog/2024/4/cvd-policy ∗∗∗ CISA warnt: MS Smartscreen- und Gitlab-Sicherheitslücke werden angegriffen ∗∗∗ --------------------------------------------- Die US-Cybersicherheitsbehörde CISA hat Angriffe auf eine Lücke im Microsoft Smartscreen und auf eine Gitlab-Schwachstelle gesichtet. --------------------------------------------- https://heise.de/-9705715 ∗∗∗ Digitale Signatur: Datenleak bei Dropbox Sign ∗∗∗ --------------------------------------------- Unbekannte Angreifer konnten auf Kundendaten des digitalen Signaturservices Dropbox Sign zugreifen. Andere Dropbox-Produkte sollen nicht betroffen sein. --------------------------------------------- https://heise.de/-9705355 ∗∗∗ Windows 10/11/Server 2022: Kein Fix für den Installationsfehler 0x80070643 beim WinRE-Update mehr ∗∗∗ --------------------------------------------- Seit Januar 2024 kämpfen Nutzer von Windows 10 und Windows 11 (sowie Windows Server 2022) mit dem Versuch Microsofts, ein Update der WinRE-Umgebung zu installieren. Im Januar 2024 ließen zahlreiche Nutzer im Umfeld des Patchday beim Versuch, das Update KB5034441 zu installieren, in den Installationsfehler 0x80070643. Trotz mehrerer Versuche zur Nachbesserung in den Folgemonaten ist es Microsoft nicht gelungen, den Installationsfehler zu beseitigen. Nun kommt das Eingeständnis, dass es keinen automatischen Fix für das Update gibt – es ist Handarbeit angesagt. --------------------------------------------- https://www.borncity.com/blog/2024/05/02/windows-10-11-kein-fix-fr-den-inst… ∗∗∗ “Dirty stream” attack: Discovering and mitigating a common vulnerability pattern in Android apps ∗∗∗ --------------------------------------------- Microsoft discovered a vulnerability pattern in multiple popular Android applications that could enable a malicious application to overwrite files in the vulnerable application’s internal data storage directory, which could lead to arbitrary code execution and token theft, among other impacts. We have shared our findings with Google’s Android Application Security Research team, as well as the developers of apps found vulnerable to this issue. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2024/05/01/dirty-stream-attac… ∗∗∗ Another Day, Another NAS: Attacks against Zyxel NAS326 devices CVE-2023-4473, CVE-2023-4474, (Tue, Apr 30th) ∗∗∗ --------------------------------------------- Yesterday, I talked about attacks against a relatively recent D-Link NAS vulnerability. Today, scanning my honeypot logs, I found an odd URL that I didn't recognize. The vulnerability is a bit older but turns out to be targeting yet another NAS. [..] Based on our logs, only one IP address exploits the vulnerability: %%ip: 89.190.156.248%%. --------------------------------------------- https://isc.sans.edu/diary/rss/30884 ∗∗∗ Android Malware Wpeeper Uses Compromised WordPress Sites to Hide C2 Servers ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered a previously undocumented malware targeting Android devices that uses compromised WordPress sites as relays for its actual command-and-control (C2) servers for detection evasion. The malware, codenamed Wpeeper, is an ELF binary that leverages the HTTPS protocol to secure its C2 communications. [..] The ELF binary is embedded within a repackaged application that purports to be the UPtodown App Store app for Android (package name "com.uptodown"), with the APK file acting as a delivery vehicle for the backdoor in a manner that evades detection. --------------------------------------------- https://thehackernews.com/2024/05/android-malware-wpeeper-uses.html ∗∗∗ New Cuttlefish Malware Hijacks Router Connections, Sniffs for Cloud Credentials ∗∗∗ --------------------------------------------- A new malware called Cuttlefish is targeting small office and home office (SOHO) routers with the goal of stealthily monitoring all traffic through the devices and gather authentication data from HTTP GET and POST requests. [..] Cuttlefish has been active since at least July 27, 2023, with the latest campaign running from October 2023 through April 2024 and predominantly infecting 600 unique IP addresses associated with two Turkish telecom providers. --------------------------------------------- https://thehackernews.com/2024/05/new-cuttlefish-malware-hijacks-router.html ∗∗∗ Autodesk: Important Security Update for Autodesk Drive ∗∗∗ --------------------------------------------- In March, Autodesk was made aware of an incident where an external user published documents to Autodesk Drive containing links to a phishing web site. Our Cyber Threat Management & Response Team immediately responded to this incident, and the malicious files are no longer being hosted on Autodesk Drive. No customers have reported being impacted by this incident. --------------------------------------------- https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-autodesk-dr… ∗∗∗ Analysis of TargetCompany’s Attacks Against MS-SQL Servers (Mallox, BlueSky Ransomware) ∗∗∗ --------------------------------------------- While monitoring attacks targeting MS-SQL servers, AhnLab SEcurity intelligence Center (ASEC) recently identified cases of the TargetCompany ransomware group installing the Mallox ransomware. The TargetCompany ransomware group primarily targets improperly managed MS-SQL servers to install the Mallox ransomware. While these attacks have been ongoing for several years, here we will outline the correlation between the newly identified malware and previous attack cases involving the distribution of the Tor2Mine CoinMiner and BlueSky ransomware. --------------------------------------------- https://asec.ahnlab.com/en/64921/ ∗∗∗ CISA and Partners Release Fact Sheet on Defending OT Operations Against Ongoing Pro-Russia Hacktivist Activity ∗∗∗ --------------------------------------------- This fact sheet provides information and mitigations associated with cyber operations conducted by pro-Russia hacktivists who seek to compromise industrial control systems (ICS) and small-scale operational technology (OT) systems in North American and European critical infrastructure sectors, including Water and Wastewater Systems, Dams, Energy, and Food and Agriculture Sectors. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/05/01/cisa-and-partners-releas… ===================== = Vulnerabilities = ===================== ∗∗∗ Kritische Sicherheitslücken in ArubaOS - Updates verfügbar ∗∗∗ --------------------------------------------- In ArubaOS, dem Betriebssystem vieler Geräte von HPE Aruba Networks, existieren mehrere kritische Sicherheitslücken. Diese ermöglichen unter anderem die Ausführung von beliebigem Code und Denial-of-Service (DoS) Angriffe. CVE-Nummern: CVE-2024-26304, CVE-2024-26305, CVE-2024-33511, CVE-2024-33512, CVE-2024-33513, CVE-2024-33514, CVE-2024-33515, CVE-2024-33516, CVE-2024-33517, CVE-2024-33518 CVSSv3 Scores: bis zu 9.8 (kritisch) --------------------------------------------- https://cert.at/de/warnungen/2024/5/kritische-sicherheitslucken-in-arubaos-… ∗∗∗ CISCO Talos: Vulnerability Roundup ∗∗∗ --------------------------------------------- Peplink Smart Reader, Silicon Labs Gecko Platform, open-source library for DICOM files, Grassroots DICOM library and Foxit PDF Reader. --------------------------------------------- https://blog.talosintelligence.com/vulnerability-roundup-may-1-2024/ ∗∗∗ Sonicwall: GMS ECM multiple vulnerabilities ∗∗∗ --------------------------------------------- CVE-2024-29010 - GMS ECM Policy XML External Entity Processing Information Disclosure Vulnerability. CVE-2024-29011 - GMS ECM Hard-Coded Credential Authentication Bypass Vulnerability. --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0007 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium and distro-info-data), Fedora (et, php-tcpdf, python-aiohttp, python-openapi-core, thunderbird, tpm2-tools, and tpm2-tss), Red Hat (nodejs:16 and podman), and Ubuntu (firefox). --------------------------------------------- https://lwn.net/Articles/972186/ ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (nghttp2 and qtbase-opensource-src), Mageia (cjson, freerdp, guava, krb5, libarchive, and mediawiki), Oracle (container-tools:4.0 and container-tools:ol8), Red Hat (bind, buildah, container-tools:3.0, container-tools:rhel8, expat, gnutls, golang, grafana, kernel, kernel-rt, libreswan, libvirt, linux-firmware, mod_http2, pcp, pcs, podman, python-jwcrypto, rhc-worker-script, shadow-utils, skopeo, sssd, tigervnc, unbound, and yajl), SUSE (kernel and python311), and Ubuntu (gerbv and node-json5). --------------------------------------------- https://lwn.net/Articles/972029/ ∗∗∗ Critical Vulnerabilities in Judge0 Lead to Sandbox Escape, Host Takeover ∗∗∗ --------------------------------------------- Three vulnerabilities in the Judge0 open source service could allow attackers to escape the sandbox and obtain root privileges on the host. --------------------------------------------- https://www.securityweek.com/critical-vulnerabilities-in-judge0-lead-to-san… ∗∗∗ Cisco IP Phone 6800, 7800, and 8800 Series with Multiplatform Firmware Vulnerabilities ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ F5: K000139430 : Linux kernel vulnerability CVE-2024-1086 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000139430 ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (April 22, 2024 to April 28, 2024) ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2024/05/wordfence-intelligence-weekly-wordpr… ∗∗∗ ZDI-24-419: (Pwn2Own) Xiaomi Pro 13 GetApps integral-dialog-page Cross-Site Scripting Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-419/ ∗∗∗ ZDI-24-418: (Pwn2Own) Xiaomi Pro 13 mimarket manual-upgrade Cross-Site Scripting Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-418/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ CyberPower PowerPanel ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-123-01 ∗∗∗ Delta Electronics DIAEnergie ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-123-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.04.2024
by Daily end-of-shift report 30 Apr '24

30 Apr '24

===================== = End-of-Day report = ===================== Timeframe: Montag 29-04-2024 18:00 − Dienstag 30-04-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Gefälschte SMS im Namen von Bundeskanzleramt ∗∗∗ --------------------------------------------- Vorsicht: Kriminelle geben sich als Bundeskanzleramt Österreich aus. In der SMS wird behauptet, dass eine Nachricht auf Sie wartet. Klicken Sie auf keinen Fall auf den Link, Sie werden auf eine gefälschte Webseite weitergeleitet. --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschte-sms-im-namen-von-bundesk… ∗∗∗ FBI warns of fake verification schemes targeting dating app users ∗∗∗ --------------------------------------------- The FBI is warning of fake verification schemes promoted by fraudsters on online dating platforms that lead to costly recurring subscription charges. [..] It starts with fraudsters approaching victims on a dating app or site and developing a romantic rapport. This lays the ground for requesting to take the conversation outside the platform onto a supposedly safer communications tool. At this stage, the fraudster sends a link to the victim that will take them to a seemingly legitimate verification platform where the victim will have to verify they're not a sexual offender. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fbi-warns-of-fake-verificati… ∗∗∗ Millions of Malicious Imageless Containers Planted on Docker Hub Over 5 Years ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered multiple campaigns targeting Docker Hub by planting millions of malicious "imageless" containers over the past five years, once again underscoring how open-source registries could pave the way for supply chain attacks. [..] Of the 4.79 million imageless Docker Hub repositories uncovered, 3.2 million of them are said to have been used as landing pages to redirect unsuspecting users to fraudulent sites as part of three broad campaigns. --------------------------------------------- https://thehackernews.com/2024/04/millions-of-malicious-imageless.html ∗∗∗ The Darkgate Menace: Leveraging Autohotkey & Attempt to Evade Smartscreen ∗∗∗ --------------------------------------------- McAfee Labs has recently uncovered a novel infection chain associated with DarkGate malware. This chain commences with an HTML-based entry point and progresses to exploit the AutoHotkey utility in its subsequent stages. --------------------------------------------- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/the-darkgate-menace-le… ∗∗∗ Chrome 124 macht TLS-Handshake kaputt ∗∗∗ --------------------------------------------- Google hat kürzlich seinen Google Chrome-Browser in der Version 124 veröffentlicht. Neben Schwachstellen haben die Entwickler auch etwas an der TLS-Verschlüsselung (X25519Kyber768-Schlüsselkapselung für TLS) geändert. Inzwischen gibt es aber Rückmeldungen von Nutzern, die sich darüber beklagen, dass diese Änderung das TLS-Handshake zu Webservern kaputt machen kann. Das betrifft auch auf Chromium basierende Browser wie den Edge 124. --------------------------------------------- https://www.borncity.com/blog/2024/04/30/chrome-124-macht-tls-handshake-kap… ∗∗∗ Google Play blockiert mehr als 2 Millionen Trojaner-Apps – Tendenz steigend ∗∗∗ --------------------------------------------- Dank strengerer Sicherheitschecks sperrte Google 2023 knapp 2,3 Millionen böse Apps aus. Trotz gesteigerter Bemühungen schlüpfen aber immer noch welche durch. --------------------------------------------- https://heise.de/-9703405 ∗∗∗ CISA Rolls Out New Guidelines to Mitigate AI Risks to US Critical Infrastructure ∗∗∗ --------------------------------------------- New CISA guidelines categorize AI risks into three significant types and pushes a four-part mitigation strategy. [..] The guidelines calls on management to act decisively on identified AI risks to enhance safety and security, ensuring that risk management controls are implemented and maintained to optimize the benefits of AI systems while minimizing adverse effects. --------------------------------------------- https://www.securityweek.com/cisa-rolls-out-new-guidelines-to-mitigate-ai-r… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (org-mode), Oracle (shim and tigervnc), Red Hat (ansible-core, avahi, buildah, container-tools:4.0, containernetworking-plugins, edk2, exfatprogs, fence-agents, file, freeglut, freerdp, frr, grub2, gstreamer1-plugins-bad-free, gstreamer1-plugins-base, gstreamer1-plugins-good, harfbuzz, httpd, ipa, kernel, libjpeg-turbo, libnbd, LibRaw, libsndfile, libssh, libtiff, libvirt, libX11, libXpm, mingw components, mingw-glib2, mingw-pixman, mod_http2, mod_jk and mod_proxy_cluster, motif, mutt, openssl and openssl-fips-provider, osbuild and osbuild-composer, pam, pcp, pcs, perl, pmix, podman, python-jinja2, python3.11, python3.11-cryptography, python3.11-urllib3, qemu-kvm, qt5-qtbase, runc, skopeo, squashfs-tools, systemd, tcpdump, tigervnc, toolbox, traceroute, webkit2gtk3, wpa_supplicant, xorg-x11-server, xorg-x11-server-Xwayland, and zziplib), SUSE (docker, ffmpeg, ffmpeg-4, frr, and kernel), and Ubuntu (anope, freerdp3, and php7.0, php7.2, php7.4, php8.1). --------------------------------------------- https://lwn.net/Articles/971740/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ ChromeOS: Long Term Support Channel Update for ChromeOS ∗∗∗ --------------------------------------------- http://chromereleases.googleblog.com/2024/04/long-term-support-channel-upda… ∗∗∗ [R1] Nessus Network Monitor 6.4.0 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2024-07 ∗∗∗ Delta Electronics CNCSoft-G2 DOPSoft ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/cybersecurity-advisories/icsa-24-121-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.04.2024
by Daily end-of-shift report 29 Apr '24

29 Apr '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 26-04-2024 18:00 − Montag 29-04-2024 18:01 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Winrar: Gefälschte Ausgaben unter Linux möglich und MotW-Probleme in Windows ∗∗∗ --------------------------------------------- Die Version 7.00 der Archiv-Software Winrar schließt auch Sicherheitslücken. Unter Linux lassen sich Ausgaben fälschen, in Windows MotW-Markierungen. [..] Winrar 7.00 wurde schon vor einigen Wochen veröffentlicht. --------------------------------------------- https://heise.de/-9701474 ∗∗∗ Okta warns of "unprecedented" credential stuffing attacks on customers ∗∗∗ --------------------------------------------- Okta warns of an "unprecedented" spike in credential stuffing attacks targeting its identity and access management solutions, with some customer accounts breached in the attacks. [..] Okta also provides in its advisory a list of more generic recommendations that can help mitigate the risk of account takover. --------------------------------------------- https://www.bleepingcomputer.com/news/security/okta-warns-of-unprecedented-… ∗∗∗ D-Link NAS Device Backdoor Abused, (Mon, Apr 29th) ∗∗∗ --------------------------------------------- End of March, NetworkSecurityFish disclosed a vulnerability in various D-Link NAS devices. The vulnerability allows access to the device using the user "messagebus" without credentials. [..] Initial exploit attempts were detected as soon as April 8th. The vulnerability is particularly dangerous as some affected devices are no longer supported by DLink, and no patch is expected to be released. --------------------------------------------- https://isc.sans.edu/diary/rss/30878 ∗∗∗ New R Programming Vulnerability Exposes Projects to Supply Chain Attacks ∗∗∗ --------------------------------------------- A security vulnerability has been discovered in the R programming language that could be exploited by a threat actor to create a malicious RDS (R Data Serialization) file such that it results in code execution when loaded and referenced. [..] The security defect has been addressed in version 4.4.0 released on April 24, 2024, following responsible disclosure. --------------------------------------------- https://thehackernews.com/2024/04/new-r-programming-vulnerability-exposes.h… ∗∗∗ Discord dismantles Spy.pet site that snooped on millions of users ∗∗∗ --------------------------------------------- The site, which has been slurping up public data on Discord users since November of last year, was outed to the world last week after it was discovered the platform contained messages belonging to nearly 620 million users from more than 14,000 Discord servers. Any and all of the data was available for a price – Spy.pet offered to help law enforcement, people spying on their friends, or even those training AI models. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2024/04/29/infosec_in_b… ∗∗∗ Google-Bewertungen entfernen lassen? Vorsicht vor entferno.at ∗∗∗ --------------------------------------------- entferno.at verspricht, Google-Rezensionen entfernen zu lassen – angeblich mit einer Erfolgsquote von 95 Prozent. Wer auf dieses Angebot eingeht, wird aber enttäuscht, denn trotz Bezahlung wurden in aktuellen Fällen keine Bewertungen gelöscht und auf schriftliche und telefonische Anfragen wurde nicht mehr reagiert. Das Geld ist weg! --------------------------------------------- https://www.watchlist-internet.at/news/google-bewertungen-entfernen-lassen-… ∗∗∗ From IcedID to Dagon Locker Ransomware in 29 Days ∗∗∗ --------------------------------------------- In August 2023, we observed an intrusion that started with a phishing campaign using PrometheusTDS to distribute IcedID. [..] This case had a TTR (time to ransomware) of 29 days. --------------------------------------------- https://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware… ∗∗∗ Britische Regierung verbietet Geräte mit schwachen Passwörtern ∗∗∗ --------------------------------------------- Unternehmen sind gesetzlich verpflichtet, ihre Geräte vor Cyberkriminellen zu schützen. Smartphones mit unsicheren Passwörtern müssen künftig gemeldet werden. --------------------------------------------- https://heise.de/-9702215 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (buildah, go-toolset:rhel8, golang, java-11-openjdk, java-21-openjdk, libreswan, thunderbird, and tigervnc), Debian (chromium, emacs, frr, mediawiki, ruby-rack, trafficserver, and zabbix), Fedora (chromium, grub2, python-idna, and python-reportlab), Mageia (chromium-browser-stable, firefox, opencryptoki, and thunderbird), Red Hat (container-tools:4.0, container-tools:rhel8, git-lfs, and shim), SUSE (frr, java-11-openjdk, java-1_8_0-openjdk, kernel, pdns-recursor, and shim), and Ubuntu (apache2, cpio, curl, glibc, gnutls28, less, libvirt, and pillow). --------------------------------------------- https://lwn.net/Articles/971487/ ∗∗∗ Qnap schließt NAS-Sicherheitslücken aus Hacker-Wettbewerb Pwn2Own ∗∗∗ --------------------------------------------- NAS-Modelle von Qnap sind verwundbar. Nun hat der Hersteller Sicherheitsupdates für das Betriebssystem und Apps veröffentlicht. --------------------------------------------- https://heise.de/-9701977 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.04.2024
by Daily end-of-shift report 26 Apr '24

26 Apr '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 25-04-2024 18:00 − Freitag 26-04-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ NIS2 – Richtlinie: Ein zweiter Blick auf den Text ∗∗∗ --------------------------------------------- Beim Schreiben unserer Stellungnahmen zum Entwurf des NISG 2024 habe ich mir die Paragrafen, die uns betreffen, genauer angesehen. Diesmal nicht mit dem Blickwinkel „macht das Sinn“, sondern mit Fokus auf die Formulierungen. Das erinnert mich ein bisschen an die Zeit, als ich bei der Erstellung von RFCs mitgearbeitet habe und da auch bei Reviews jedes Wort genau auf mögliche Fehldeutungen abgeklopft habe. Ich hatte beim Lesen drei Dokumente offen: den Gesetzesentwurf, die Richtlinie in der deutschen Version und auch die englische Fassung. Und viele der schlechten Formulierungen waren keine Erfindungen aus Wien, sondern wurden schon in Brüssel erfunden. Ich will das hier dokumentieren. --------------------------------------------- https://cert.at/de/blog/2024/4/nis2-formulierungen ∗∗∗ Researchers sinkhole PlugX malware server with 2.5 million unique IPs ∗∗∗ --------------------------------------------- Researchers have sinkholed a command and control server for a variant of the PlugX malware and observed in six months more than 2.5 million connections from unique IP addresses. [..] Sekoia has formulated two strategies to clean computers reaching their sinkhole and called for national cybersecurity teams and law enforcement agencies to join the disinfection effort. --------------------------------------------- https://www.bleepingcomputer.com/news/security/researchers-sinkhole-plugx-m… ∗∗∗ Per Brute Force: Schwachstelle beim GLS-Tracking legt Empfängeradressen offen ∗∗∗ --------------------------------------------- Durch einen fehlenden Brute-Force-Schutz ist es möglich gewesen, einer API von GLS genaue Adressdaten der Empfänger von GLS-Paketen zu entlocken. --------------------------------------------- https://www.golem.de/news/per-brute-force-schwachstelle-beim-gls-tracking-l… ∗∗∗ Per GPU geknackt: So sicher sind 8-Zeichen-Passwörter 2024 ∗∗∗ --------------------------------------------- Ein gutes Passwort sollte mindestens 8 Zeichen lang sein, lautet oftmals die Empfehlung. Neue Untersuchungen zeigen jedoch: Die Zeit ist reif für mehr. [..] Ein neuer Bericht des Cybersecurity-Unternehmens Hive Systems zeigt jedoch, dass sich 8-Zeichen-Passwörter je nach verwendetem Hashing-Algorithmus und verfügbarer GPU-Leistung inzwischen in einer überschaubaren Zeit knacken lassen. --------------------------------------------- https://www.golem.de/news/per-gpu-geknackt-so-sicher-sind-8-zeichen-passwoe… ∗∗∗ Fake-Rechnungen von firmenradar.com im Umlauf! ∗∗∗ --------------------------------------------- Unternehmen wenden sich derzeit an uns, weil sie Rechnungen erhalten und nicht wissen, wofür sie zahlen sollen. Die Rechnungen stammen von firmenradar.com, verlangt werden 899 Euro für einen „Platin-Eintrag“. Zahlen Sie nichts! Es handelt sich um Betrug. --------------------------------------------- https://www.watchlist-internet.at/news/fake-rechnungen-von-firmenradarcom-i… ∗∗∗ “Junk gun” ransomware: the cheap new threat to small businesses ∗∗∗ --------------------------------------------- A wave of cheap, crude, amateurish ransomware has been spotted on the dark web - and although it may not make as many headlines as LockBit, Rhysida, and BlackSuit, it still presents a serious threat to organizations. [..] "Junk gun" ransomware is appealing to a criminal who wants to operate independently but lacks technical skills. [..] A low entry barrier means potentially more ransomware attackers. --------------------------------------------- https://www.tripwire.com/state-of-security/junk-gun-ransomware-cheap-new-th… ∗∗∗ C-DATA Web Management System RCE Attack ∗∗∗ --------------------------------------------- FortiGuard Labs observed a critical level of attack attempts in the wild targeting a 2-year-old vulnerability found on C-DATA Web Management System. [..] The vulnerability CVE-2022-4257 allows a remote attacker to execute arbitrary commands on the target system. --------------------------------------------- https://fortiguard.fortinet.com/outbreak-alert/c-data-rce-attack ∗∗∗ Chinesische Tastatur-Apps haben Schwachstelle und verraten, was Nutzer tippen ∗∗∗ --------------------------------------------- Bereits im August 2023 stellten die Forscher des Citizen Lab fest, dass die beliebte Tastatur-App Sogou bei der Übertragung von Tastenanschlagsdaten an ihren Cloud-Server für bessere Tippvorhersagen keine Transport Layer Security (TLS) nutzte. Ohne TLS können Tastatureingaben jedoch von Dritten mitgeschnitten werden. Obwohl Sogou das Problem nach Bekanntwerden im letzten Jahr behoben hat, sind viele vorinstallierte Sogou-Tastaturen nicht auf dem neuesten Stand und können weiterhin abgehört werden. --------------------------------------------- https://heise.de/-9699644 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (knot-resolver, pdns-recursor, and putty), Fedora (xen), Mageia (editorconfig-core-c, glibc, mbedtls, webkit2, and wireshark), Oracle (buildah), Red Hat (buildah and yajl), Slackware (libarchive), SUSE (dcmtk, openCryptoki, php7, php74, php8, python-gunicorn, python-idna, qemu, and thunderbird), and Ubuntu (cryptojs, freerdp2, nghttp2, and zabbix). --------------------------------------------- https://lwn.net/Articles/971289/ ∗∗∗ QNAP Security Advisories 2024-04-26 ∗∗∗ --------------------------------------------- QNAP released 6 new security Advisories. --------------------------------------------- https://www.qnap.com/en-us/security-advisories ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Mattermost security updates 9.7.2 / 9.6.2 / 9.5.4 (ESR) / 8.1.13 (ESR) released ∗∗∗ --------------------------------------------- https://mattermost.com/blog/mattermost-security-updates-9-7-2-9-6-2-9-5-4-e… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.04.2024
by Daily end-of-shift report 25 Apr '24

25 Apr '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 24-04-2024 18:00 − Donnerstag 25-04-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ New Brokewell malware takes over Android devices, steals data ∗∗∗ --------------------------------------------- Security researchers have discovered a new Android banking trojan they named Brokewell that can capture every event on the device, from touches and information displayed to text input and the applications the user launches. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-brokewell-malware-takes-… ∗∗∗ Does it matter if iptables isnt running on my honeypot?, (Thu, Apr 25th) ∗∗∗ --------------------------------------------- I've been working on comparing data from different DShield honeypots to understand differences when the honeypots reside on different networks. --------------------------------------------- https://isc.sans.edu/diary/rss/30862 ∗∗∗ Sifting through the spines: identifying (potential) Cactus ransomware victims ∗∗∗ --------------------------------------------- This blog is part of a series written by various Dutch cyber security firms that have collaborated on the Cactus ransomware group, which exploits Qlik Sense servers for initial access. --------------------------------------------- https://research.nccgroup.com/2024/04/25/sifting-through-the-spines-identif… ∗∗∗ ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices ∗∗∗ --------------------------------------------- ArcaneDoor is a campaign that is the latest example of state-sponsored actors targeting perimeter network devices from multiple vendors. Coveted by these actors, perimeter network devices are the perfect intrusion point for espionage-focused campaigns. --------------------------------------------- https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaig… ∗∗∗ Talos IR trends: BEC attacks surge, while weaknesses in MFA persist ∗∗∗ --------------------------------------------- Within BEC attacks, adversaries will send phishing emails appearing to be from a known or reputable source making a valid request, such as updating payroll direct deposit information. --------------------------------------------- https://blog.talosintelligence.com/talos-ir-quarterly-trends-q1-2024/ ∗∗∗ Threat Bulletin – New variant of IDAT Loader ∗∗∗ --------------------------------------------- Morphisec has successfully identified and prevented a new variant of IDAT loader. --------------------------------------------- https://blog.morphisec.com/threat-bulletin-new-variant-idat-variant ∗∗∗ Ransomware Roundup - KageNoHitobito and DoNex ∗∗∗ --------------------------------------------- The KageNoHitobito and DoNex are recent ransomware that are financially motivated, demanding payment from victims to decrypt files. --------------------------------------------- https://feeds.fortinet.com/~/882489596/0/fortinet/blogs~Ransomware-Roundup-… ===================== = Vulnerabilities = ===================== ∗∗∗ Maximum severity Flowmon bug has a public exploit, patch now ∗∗∗ --------------------------------------------- Proof-of-concept exploit code has been released for a top-severity security vulnerability in Progress Flowmon, a tool for monitoring network performance and visibility. --------------------------------------------- https://www.bleepingcomputer.com/news/security/maximum-severity-flowmon-bug… ∗∗∗ WP Automatic WordPress plugin hit by millions of SQL injection attacks ∗∗∗ --------------------------------------------- Hackers have started to target a critical severity vulnerability in the WP Automatic plugin for WordPress to create user accounts with administrative privileges and to plant backdoors for long-term access. --------------------------------------------- https://www.bleepingcomputer.com/news/security/wp-automatic-wordpress-plugi… ∗∗∗ Über Zero-Day-Schwachstellen: Cisco-Firewalls werden seit Monaten attackiert ∗∗∗ --------------------------------------------- Eine zuvor unbekannte Hackergruppe nutzt mindestens seit November 2023 zwei Zero-Day-Schwachstellen in Cisco-Firewalls aus, um Netzwerke zu infiltrieren. --------------------------------------------- https://www.golem.de/news/ueber-zero-day-schwachstellen-cisco-firewalls-wer… ∗∗∗ Unter Windows: Schwachstelle in Virtualbox verleiht Angreifern Systemrechte ∗∗∗ --------------------------------------------- Zwei Forscher haben unabhängig voneinander eine Schwachstelle in Oracles Virtualbox entdeckt. Angreifer können damit auf Windows-Hosts ihre Rechte ausweiten. --------------------------------------------- https://www.golem.de/news/unter-windows-schwachstelle-in-virtualbox-verleih… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (curl, filezilla, flatpak, kubernetes, libfilezilla, thunderbird, and xen), Oracle (go-toolset:ol8, kernel, libreswan, shim, and tigervnc), Red Hat (buildah, gnutls, libreswan, tigervnc, and unbound), SUSE (cockpit-wicked, nrpe, and python-idna), and Ubuntu (dnsmasq, freerdp2, linux-azure-6.5, and thunderbird). --------------------------------------------- https://lwn.net/Articles/971140/ ∗∗∗ Vulnerabilities Expose Brocade SAN Appliances, Switches to Hacking ∗∗∗ --------------------------------------------- The Brocade SANnav management application is affected by multiple vulnerabilities, including a publicly available root password. --------------------------------------------- https://www.securityweek.com/vulnerabilities-expose-brocade-san-appliances-… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Cisco Security Advisories 2024-04-25 ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/publicationListing.x ∗∗∗ Multiple Vulnerabilities in Hitachi Energy RTU500 Series ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-116-01 ∗∗∗ Honeywell Experion PKS, Experion LX, PlantCruise by Experion, Safety Manager, Safety Manager SC ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-116-04 ∗∗∗ Hitachi Energy MACH SCM ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-116-02 ∗∗∗ PAN-SA-2024-0005 Informational Bulletin: Proof of Concept (PoC) Bypasses Protection Modules (Severity: NONE) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/PAN-SA-2024-0005 ∗∗∗ PAN-SA-2024-0005 Informational Bulletin: Proof of Concept (PoC) Bypasses Protection Modules in Cortex XDR Agent (Severity: NONE) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/PAN-SA-2024-0005 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.04.2024
by Daily end-of-shift report 24 Apr '24

24 Apr '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 23-04-2024 18:00 − Mittwoch 24-04-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Microsoft pulls fix for Outlook bug behind ICS security alerts ∗∗∗ --------------------------------------------- Microsoft reversed the fix for an Outlook bug causing erroneous security warnings after installing December 2023 security updates. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-pulls-fix-for-out… ∗∗∗ Assessing the Y, and How, of the XZ Utils incident ∗∗∗ --------------------------------------------- In this article we analyze social engineering aspects of the XZ backdoor incident. Namely pressuring the XZ maintainer to pass on the project to Jia Cheong Tan, and then urging major downstream maintainers to commit the backdoored code to their projects. --------------------------------------------- https://securelist.com/xz-backdoor-story-part-2-social-engineering/112476/ ∗∗∗ Researchers Detail Multistage Attack Hijacking Systems with SSLoad, Cobalt Strike ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered an ongoing attack campaign thats leveraging phishing emails to deliver malware called SSLoad. --------------------------------------------- https://thehackernews.com/2024/04/researchers-detail-multistage-attack.html ∗∗∗ Decrypting FortiOS 7.0.x ∗∗∗ --------------------------------------------- Decrypting Fortinet’s FortiGate FortiOS firmware is a topic that has been thoroughly covered, in part because of the many variants and permutations of FortiOS firmware, all differing based on hardware architecture and versioning. --------------------------------------------- https://www.labs.greynoise.io/grimoire/2024-04-23-decrypting-fortios/ ∗∗∗ New Password Cracking Analysis Targets Bcrypt ∗∗∗ --------------------------------------------- Hive Systems conducts another study on cracking passwords via brute-force attacks, but it’s no longer targeting MD5. --------------------------------------------- https://www.securityweek.com/new-password-cracking-analysis-targets-bcrypt/ ∗∗∗ Musiker:innen aufgepasst: Spam-Mails versprechen wertvolles Piano ∗∗∗ --------------------------------------------- Musiker:innen und insbesondere Pianist:innen müssen sich aktuell vor betrügerischen E-Mails in Acht nehmen, in denen ihnen ein teures Piano versprochen wird. Kriminelle geben sich als Witwe aus und suchen nach Abnehmer:innen für teure Instrumente wie beispielsweise wie das Yamaha Baby Grand Piano ihres verstorbenen Ehemanns. --------------------------------------------- https://www.watchlist-internet.at/news/musikerinnen-aufgepasst-spam-mails-v… ∗∗∗ Windows-Frage: Wo speichert Bitlocker den Recovery-Key? ∗∗∗ --------------------------------------------- Bitlocker, das "unbekannte Wesen" möchte ich mal den Blog-Beitrag umschreiben. Es geht um die Frage, wo die Windows-Funktion Bitlocker eigentlich den Recovery-Key, der immer mal wieder gebraucht wird, überhaupt speichert. --------------------------------------------- https://www.borncity.com/blog/2024/04/24/windows-frage-wo-speichert-bitlock… ∗∗∗ Exchange Server April 2024 Hotfix-Updates (24. April 2024) ∗∗∗ --------------------------------------------- Microsoft hat zum 24. April Hotfix-Updates (HU) für Exchange Server 2016 und 2019 veröffentlicht. Diese Hotfix-Updates bieten Unterstützung für neue Funktionen und sollen Probleme, die durch das März 2024 Security Update (SU) hervorgerufen wurden, beheben. --------------------------------------------- https://www.borncity.com/blog/2024/04/24/exchange-server-april-2024-hotfix-… ∗∗∗ Distribution of Infostealer Made With Electron ∗∗∗ --------------------------------------------- AhnLab SEcurity intelligence Center (ASEC) has discovered an Infostealer strain made with Electron. --------------------------------------------- https://asec.ahnlab.com/en/64445/ ===================== = Vulnerabilities = ===================== ∗∗∗ Grafana backend sql injection affected all version ∗∗∗ --------------------------------------------- To exploit this sql injection vulnerability, someone must use a valid account login to the grafana web backend, then send malicious POST request to /api/ds/query “rawSql” entry. --------------------------------------------- https://fdlucifer.github.io/2024/04/22/grafana-sql-injection/ ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (abseil-cpp, chromium, filezilla, libfilezilla, and xorg-x11-server-Xwayland), Oracle (firefox, gnutls, golang, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-21-openjdk, kernel, libreswan, mod_http2, owO: thunderbird, and thunderbird), Red Hat (container-tools:rhel8, gnutls, grub2, kernel, kernel-rt, less, linux-firmware, opencryptoki, pcs, postgresql-jdbc, and thunderbird), Slackware (ruby), SUSE (kubernetes1.23, kubernetes1.24, [...] --------------------------------------------- https://lwn.net/Articles/971004/ ∗∗∗ Google Patches Critical Chrome Vulnerability ∗∗∗ --------------------------------------------- Google patches CVE-2024-4058, a critical Chrome vulnerability for which researchers earned a $16,000 reward. --------------------------------------------- https://www.securityweek.com/google-patches-critical-chrome-vulnerability/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Security Advisory - Connection Hijacking Vulnerability in Some Huawei Home Routers ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2024/huawei-sa-chvishhr-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.04.2024
by Daily end-of-shift report 23 Apr '24

23 Apr '24

===================== = End-of-Day report = ===================== Timeframe: Montag 22-04-2024 18:00 − Dienstag 23-04-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Analyzing Forest Blizzard’s custom post-compromise tool for exploiting CVE-2022-38028 to obtain credentials ∗∗∗ --------------------------------------------- Since 2019, Forest Blizzard has used a custom post-compromise tool to exploit a vulnerability in the Windows Print Spooler service that allows elevated permissions. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-b… ∗∗∗ Struts "devmode": Still a problem ten years later?, (Tue, Apr 23rd) ∗∗∗ --------------------------------------------- Like many similar frameworks and languages, Struts 2 has a "developer mode" (devmode) offering additional features to aid debugging. Error messages will be more verbose, and the devmode includes an OGNL console. OGNL, the Object-Graph Navigation Language, can interact with Java, but in the end, executing OGNL results in arbitrary code execution. --------------------------------------------- https://isc.sans.edu/diary/rss/30866 ∗∗∗ An Analysis of the DHEat DoS Against SSH in Cloud Environments ∗∗∗ --------------------------------------------- The DHEat attack remains viable against most SSH installations, as default settings are inadequate at deflecting it. Very little bandwidth is needed to cause a dramatic effect on targets, including those with a high degree of resources. --------------------------------------------- https://www.positronsecurity.com/blog/2024-04-23-an-analysis-of-dheat-dos-a… ∗∗∗ Neu auf Vinted? Scannen Sie keinen QR-Code! ∗∗∗ --------------------------------------------- Vorsicht! Kriminelle kontaktieren gezielt neue Vinted-Nutzer:innen. Sie geben vor, den Artikel kaufen zu wollen und schicken einen QR-Code. Der QR-Code führt jedoch zu einer gefälschten Zahlungsseite von Vinted. Dort erfragen die Kriminellen Ihre Bankdaten und versuchen Ihnen Geld zu stehlen. --------------------------------------------- https://www.watchlist-internet.at/news/neu-auf-vinted-scannen-sie-keinen-qr… ∗∗∗ Suspected CoralRaider continues to expand victimology using three information stealers ∗∗∗ --------------------------------------------- Cisco Talos discovered a new ongoing campaign since at least February 2024, operated by a threat actor distributing three famous infostealer malware, including Cryptbot, LummaC2 and Rhadamanthys. --------------------------------------------- https://blog.talosintelligence.com/suspected-coralraider-continues-to-expan… ∗∗∗ GuptiMiner: Hijacking Antivirus Updates for Distributing Backdoors and Casual Mining ∗∗∗ --------------------------------------------- Avast discovered and analyzed GuptiMiner, a malware campaign hijacking an eScan antivirus update mechanism to distribute backdoors and coinminers. --------------------------------------------- https://decoded.avast.io/janrubin/guptiminer-hijacking-antivirus-updates-fo… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (glibc and samba), Fedora (chromium, cjson, mingw-python-idna, and pgadmin4), Mageia (kernel, kmod-xtables-addons, kmod-virtualbox, kernel-linus, and perl-Clipboard), Red Hat (go-toolset:rhel8, golang, java-11-openjdk, kpatch-patch, and shim), Slackware (freerdp), SUSE (apache-commons-configuration, glibc, jasper, polkit, and qemu), and Ubuntu (google-guest-agent, google-osconfig-agent, linux-lowlatency-hwe-6.5, pillow, and squid). --------------------------------------------- https://lwn.net/Articles/970889/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Welotec: Clickjacking Vulnerability in WebUI ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2024-023/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.04.2024
by Daily end-of-shift report 22 Apr '24

22 Apr '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 19-04-2024 18:00 − Montag 22-04-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Double Agents and User Agents: Navigating the Realm of Malicious Python Packages ∗∗∗ --------------------------------------------- Have you ever encountered the term double agent? Recently, weve had the opportunity to revisit this concept in Austria. Setting aside real-world affairs for prosecutors and journalists, let’s explore what this term means in the digital world as I continue my journey tracking malicious Python packages. --------------------------------------------- https://cert.at/en/blog/2024/4/double-agents-and-user-agents-navigating-the… ∗∗∗ Palo Alto Networks Discloses More Details on Critical PAN-OS Flaw Under Attack ∗∗∗ --------------------------------------------- Palo Alto Networks has shared more details of a critical security flaw impacting PAN-OS that has come under active exploitation in the wild by malicious actors. The company described the vulnerability, tracked as CVE-2024-3400 (CVSS score: 10.0), as "intricate" and a combination of two bugs in versions PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 of the software. --------------------------------------------- https://thehackernews.com/2024/04/palo-alto-networks-discloses-more.html ∗∗∗ Research Shows How Attackers Can Abuse EDR Security Products ∗∗∗ --------------------------------------------- Vulnerabilities in Palo Alto Networks Cortex XDR allowed a security researcher to turn it into a malicious offensive tool. --------------------------------------------- https://www.securityweek.com/research-shows-how-attackers-can-abuse-edr-sec… ∗∗∗ HelloKitty ransomware rebrands, releases CD Projekt and Cisco data ∗∗∗ --------------------------------------------- The Cisco entry on the data leak site contains a list of NTLM (NT LAN Manager) hashes (encrypted account passwords) supposedly extracted during a security breach. Cisco previously admitted in 2022 that it had been hacked by the Yanluowang ransomware group, an incident allegedly limited to the theft of non-sensitive data from a single compromised account. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hellokitty-ransomware-rebran… ∗∗∗ GitLab affected by GitHub-style CDN flaw allowing malware hosting ∗∗∗ --------------------------------------------- BleepingComputer recently reported how a GitHub flaw, or possibly a design decision, is being abused by threat actors to distribute malware using URLs associated with Microsoft repositories, making the files appear trustworthy. It turns out, GitLab is also affected by this issue and could be abused in a similar fashion. --------------------------------------------- https://www.bleepingcomputer.com/news/security/gitlab-affected-by-github-st… ∗∗∗ Sicherheitslücke aufgedeckt: Forscher knackt Cisco-Appliance und zockt Doom ∗∗∗ --------------------------------------------- Mit einem eigens entwickelten Exploit-Toolkit hat er sich auf dem BMC einer Cisco ESA C195 einen Root-Zugriff verschafft. [..] Um auf der C195 Doom auszuführen, reicht CVE-2024-20356 allein allerdings nicht aus. Thacker nahm zuerst diverse Modifikationen am Bios der Cisco ESA vor und verschaffte sich erst danach mit Ciscown über das Netzwerk einen Root-Zugriff auf den BMC. [..] Eine Liste der Systeme, die in der Standardkonfiguration anfällig sind, ist im Sicherheitshinweis von Cisco zu finden – ebenso wie die jeweiligen Systemversionen, die einen Patch beinhalten. --------------------------------------------- https://www.golem.de/news/sicherheitsluecke-aufgedeckt-forscher-knackt-cisc… ∗∗∗ ToddyCat is making holes in your infrastructure ∗∗∗ --------------------------------------------- We continue to report on the APT group ToddyCat. This time, we’ll talk about traffic tunneling, constant access to a target infrastructure and data extraction from hosts. --------------------------------------------- https://securelist.com/toddycat-traffic-tunneling-data-extraction-tools/112… ∗∗∗ Vorsicht vor Jobangeboten per WhatsApp, SMS oder Telegram ∗∗∗ --------------------------------------------- Die Betrugsmasche beginnt direkt auf Ihrem Smartphone: Sie bekommen auf WhatsApp, Telegram oder einen anderen Messenger eine Nachricht von einer Jobvermittlung. Ihnen wird ein Nebenjob mit flexibler Zeiteinteilung angeboten. Ihre Aufgabe ist es, Hotels, Online-Shops oder andere Dienstleistungen zu bewerten oder zu testen. Angeblich kann man damit zwischen 300 und 1000 Euro pro Tag verdienen. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-jobangeboten-per-whatsa… ∗∗∗ NATO-Cyberübung "Locked Shields": Phishing verhindern, Container verteidigen ∗∗∗ --------------------------------------------- Das Cybersicherheitszentrum der NATO bittet zur Großübung. Sie simuliert, wie kritische Infrastruktur vor digitalen Angriffen geschützt werden kann. --------------------------------------------- https://heise.de/-9691854 ===================== = Vulnerabilities = ===================== ∗∗∗ Critical Forminator plugin flaw impacts over 300k WordPress sites ∗∗∗ --------------------------------------------- On Thursday, Japan's CERT published an alert on its vulnerability notes portal (JVN) warning about the existence of a critical severity flaw (CVE-2024-28890, CVSS v3: 9.8) in Forminator that may allow a remote attacker to upload malware on sites using the plugin. --------------------------------------------- https://www.bleepingcomputer.com/news/security/critical-forminator-plugin-f… ∗∗∗ Siemens: SSA-750274 V1.0: Impact of CVE-2024-3400 on RUGGEDCOM APE1808 devices configured with Palo Alto Networks Virtual NGFW ∗∗∗ --------------------------------------------- Palo Alto Networks has published information on CVE-2024-3400 in PAN-OS. This advisory addresses Siemens Industrial products affected by this vulnerability. --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-750274.html ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (firefox and java-1.8.0-openjdk), Debian (chromium, flatpak, guix, openjdk-11, openjdk-17, thunderbird, and tomcat9), Fedora (chromium, firefox, glibc, nghttp2, nodejs18, python-aiohttp, python-django3, python-pip, and uxplay), Mageia (putty & filezilla), Red Hat (Firefox, firefox, java-1.8.0-openjdk, java-21-openjdk, nodejs:18, shim, and thunderbird), Slackware (freerdp), SUSE (apache-commons-configuration2, nodejs14, perl-CryptX, putty, shim, and wireshark), and Ubuntu (linux, linux-aws, linux-aws-5.15, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-lowlatency-hwe-5.15, linux-oracle, linux-oracle-5.15, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-6.5, linux-azure, linux-gcp, linux-gcp-6.5, linux-hwe-6.5, linux-laptop, linux-lowlatency, linux-nvidia-6.5, linux-oem-6.5, linux-oracle, linux-oracle-6.5, linux-raspi, linux-starfive, linux-starfive-6.5, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux, linux-aws, linux-kvm, linux-lts-xenial, lxd, percona-xtrabackup, and pillow). --------------------------------------------- https://lwn.net/Articles/970793/ ∗∗∗ Jetzt patchen! Attacken auf Dateiübertragungsserver CrushFTP beobachtet ∗∗∗ --------------------------------------------- Der Anbieter der Dateiübertragungsserversoftware CrushFTP warnt vor einer Sicherheitslücke, die Angreifer Sicherheitsforschern zufolge bereits ausnutzen. Dagegen gerüstete Versionen stehen zum Download bereit. Aus einer Sicherheitswarnung geht hervor, dass die Ausgaben 10.7.1 und 11.1.0 gegen die Angriffe gerüstet sind. --------------------------------------------- https://heise.de/-9693009 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Mozilla: Security Vulnerabilities fixed in Thunderbird 115.10 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2024-20/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.04.2024
by Daily end-of-shift report 19 Apr '24

19 Apr '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 18-04-2024 18:02 − Freitag 19-04-2024 18:02 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Google ad impersonates Whales Market to push wallet drainer malware ∗∗∗ --------------------------------------------- A legitimate-looking Google Search advertisement for the crypto trading platform Whales Market redirects visitors to a wallet-draining phishing site that steals all of your assets. --------------------------------------------- https://www.bleepingcomputer.com/news/security/google-ad-impersonates-whale… ∗∗∗ Fake cheat lures gamers into spreading infostealer malware ∗∗∗ --------------------------------------------- A new info-stealing malware linked to Redline poses as a game cheat called Cheat Lab, promising downloaders a free copy if they convince their friends to install it too. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fake-cheat-lures-gamers-into… ∗∗∗ SAP Applications Increasingly in Attacker Crosshairs, Report Shows ∗∗∗ --------------------------------------------- Malicious hackers are targeting SAP applications at an alarming pace, according to warnings from Onapsis and Flashpoint. --------------------------------------------- https://www.securityweek.com/sap-applications-increasingly-in-attacker-cros… ∗∗∗ Erneut Phishing-Mails im Namen der ÖGK im Umlauf! ∗∗∗ --------------------------------------------- Derzeit erreichen uns wieder zahlreiche Meldungen über betrügerische Nachrichten, die im Namen der Österreichischen Gesundheitskasse ÖGK versendet werden. Darin wird Ihnen vorgegaukelt, dass Sie eine Rückerstattung von 150,95 Euro erhalten. --------------------------------------------- https://www.watchlist-internet.at/news/erneut-phishing-mails-im-namen-der-o… ∗∗∗ #StopRansomware: Akira Ransomware ∗∗∗ --------------------------------------------- The United States’ Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Europol’s European Cybercrime Centre (EC3), and the Netherlands’ National Cyber Security Centre (NCSC-NL) are releasing this joint CSA to disseminate known Akira ransomware IOCs and TTPs identified through FBI investigations and trusted third party reporting as recently as February 2024. --------------------------------------------- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-109a ∗∗∗ "iMessage abschalten": Warnung vor angeblichem Exploit verunsichert Nutzer ∗∗∗ --------------------------------------------- Ein bekanntes Krypto-Wallet warnt iOS-Nutzer vor einem "hochriskanten Zero-Day-Exploit für iMessage". Der angebliche Exploit könnte aber ein Scam sein. --------------------------------------------- https://heise.de/-9690778 ∗∗∗ DDoS-Plattform von internationalen Strafverfolgern abgeschaltet ∗∗∗ --------------------------------------------- Internationale Strafverfolger haben eine DDoS-as-a-service-Plattform abgeschaltet und die Domain beschlagnahmt. --------------------------------------------- https://heise.de/-9691053 ∗∗∗ Ionos-Phishing: Masche mit neuen EU-Richtlinien soll Opfer überzeugen ∗∗∗ --------------------------------------------- Das Phishingradar warnt vor einer Phishing-Masche, bei der Ionos-Kunden angeblich zu neuen EU-Richtlinien zustimmen müssen. --------------------------------------------- https://heise.de/-9691259 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (gnutls, java-17-openjdk, mod_http2, and squid), Debian (firefox-esr), Fedora (editorconfig, perl-Clipboard, php, rust, and wordpress), Mageia (less, libreswan, puppet, and x11-server, x11-server-xwayland, and tigervnc), Slackware (aaa_glibc), and SUSE (firefox, graphviz, kernel, nodejs12, pgadmin4, tomcat, and wireshark). --------------------------------------------- https://lwn.net/Articles/970508/ ∗∗∗ FIDO2-Sticks: Lücke in Yubikey-Verwaltungssoftware erlaubt Rechteausweitung ∗∗∗ --------------------------------------------- Um die FIDO2-Sticks von Yubikey zu verwalten, stellt der Hersteller eine Software bereit. Eine Lücke darin ermöglicht die Ausweitung der Rechte. --------------------------------------------- https://heise.de/-9690597 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.04.2024
by Daily end-of-shift report 18 Apr '24

18 Apr '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 17-04-2024 18:00 − Donnerstag 18-04-2024 18:02 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Stellungnahme von CERT.at zum NISG 2024 ∗∗∗ --------------------------------------------- Die EU hat noch Ende 2022 die NIS2-Richtlinie angenommen, was den EU Mitgliedstaaten eine Frist bis Herbst 2024 einräumt, diese in nationales Recht zu gießen. Jetzt liegt ein Entwurf für dieses Gesetz vor und wir haben uns genau angesehen, wie die Punkte umgesetzt sind, die uns als nationales CSIRT betreffen. Dabei sind uns einige Stellen aufgefallen, wo wir klares und einfaches Verbesserungspotential sehen. --------------------------------------------- https://cert.at/de/blog/2024/4/nisg2024-stellungnahme ∗∗∗ Hackers hijack OpenMetadata apps in Kubernetes cryptomining attacks ∗∗∗ --------------------------------------------- Microsoft, which first spotted the attacks, says the five flaws have been actively exploited since early April to hijack Internet-exposed OpenMedata workloads left unpatched. [..] The security vulnerabilities exploited in these attacks (CVE-2024-28255, CVE-2024-28847, CVE-2024-28253, CVE-2024-28848, and CVE-2024-28254) were patched one month ago, on March 15, in OpenMedata versions 1.2.4 and 1.3.1. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-hijack-openmetadata-… ∗∗∗ Cybercriminals pose as LastPass staff to hack password vaults ∗∗∗ --------------------------------------------- The attacker combines multiple social engineering techniques that involve contacting the potential victim (voice phishing) and pretending to be a LastPass employee trying to help with securing the account following unauthorized access. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cybercriminals-pose-as-lastp… ∗∗∗ Mit CVE-Beschreibung: GPT-4 kann eigenständig bekannte Sicherheitslücken ausnutzen ∗∗∗ --------------------------------------------- Forscher haben festgestellt, dass GPT-4 allein anhand der zugehörigen Schwachstellenbeschreibungen 13 von 15 Sicherheitslücken erfolgreich ausnutzen kann. --------------------------------------------- https://www.golem.de/news/mit-cve-beschreibung-gpt-4-kann-eigenstaendig-bek… ∗∗∗ Malicious Google Ads Pushing Fake IP Scanner Software with Hidden Backdoor ∗∗∗ --------------------------------------------- A new Google malvertising campaign is leveraging a cluster of domains mimicking a legitimate IP scanner software to deliver a previously unknown backdoor dubbed MadMxShell."The threat actor registered multiple look-alike domains using a typosquatting technique and leveraged Google Ads to push these domains to the top of search engine results targeting specific search keywords, thereby luring victims to visit these sites," Zscaler ThreatLabz researchers Roy Tay and Sudeep Singh said. --------------------------------------------- https://thehackernews.com/2024/04/malicious-google-ads-pushing-fake-ip.html ∗∗∗ Redline Stealer: A Novel Approach ∗∗∗ --------------------------------------------- A new packed variant of the Redline Stealer trojan was observed in the wild, leveraging Lua bytecode to perform malicious behavior. [..] In this blog, we saw the various techniques threat actors use to infiltrate user systems and exfiltrate their data. --------------------------------------------- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/redline-stealer-a-nove… ∗∗∗ Analysis of Pupy RAT Used in Attacks Against Linux Systems ∗∗∗ --------------------------------------------- Pupy is a RAT malware strain that offers cross-platform support. Because it is an open-source program published on GitHub, it is continuously being used by various threat actors including APT groups. --------------------------------------------- https://asec.ahnlab.com/en/64258/ ∗∗∗ Kapeka: Neuartige Malware aus Russland? ∗∗∗ --------------------------------------------- Berichte über eine neuartige "Kapeka"-Malware tauchen allerorten auf. Die ist jedoch gar nicht neu und seit fast einem Jahr nicht mehr aktiv. [..] Die Entdeckung der Malware als "großen Schlag gegen Russland" zu werten, wie sich ein WithSecure-Sprecher gegenüber der Presseagentur dpa zitieren ließ, wirkt jedoch wie ein PR-Manöver. Schließlich wurde Kapeka auch ohne Intervention von Schadsoftware-Jägern seit Mitte vergangenen Jahres nicht mehr in freier Wildbahn gesichtet. --------------------------------------------- https://heise.de/-9688970 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr, jetty9, libdatetime-timezone-perl, tomcat10, and tzdata), Fedora (cockpit, filezilla, and libfilezilla), Red Hat (firefox, gnutls, java-1.8.0-openjdk, java-17-openjdk, kernel, kernel-rt, less, mod_http2, nodejs:18, rhc-worker-script, and shim), Slackware (mozilla), SUSE (kernel), and Ubuntu (apache2, glibc, and linux-xilinx-zynqmp). --------------------------------------------- https://lwn.net/Articles/970324/ ∗∗∗ Update für Solarwinds FTP-Server Serv-U schließt Lücke mit hohem Risiko ∗∗∗ --------------------------------------------- Im Solarwinds Serv-U-FTP-Server klafft eine als hohes Risiko eingestufte Sicherheitslücke. Der Hersteller dichtet sie mit einem Update ab. --------------------------------------------- https://heise.de/-9689092 ∗∗∗ Jetzt patchen! Root-Attacken auf Cisco IMC können bevorstehen ∗∗∗ --------------------------------------------- Es sind wichtige Sicherheitsupdates für Cisco Integrated Management Controller und IOS erschienen. Exploitcode ist in Umlauf. --------------------------------------------- https://heise.de/-9689086 ∗∗∗ Cisco Integrated Management Controller Web-Based Management Interface Command Injection Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco IOS and IOS XE Software SNMP Extended Named Access Control List Bypass Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Integrated Management Controller CLI Command Injection Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (April 8, 2024 to April 14, 2024) ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2024/04/wordfence-intelligence-weekly-wordpr… ∗∗∗ Unitronics Vision Series PLCs ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-109-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.04.2024
by Daily end-of-shift report 17 Apr '24

17 Apr '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 16-04-2024 18:00 − Mittwoch 17-04-2024 18:00 Handler: Alexander Riepl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ SoumniBot: the new Android banker’s unique techniques ∗∗∗ --------------------------------------------- We review the new mobile Trojan banker SoumniBot, which exploits bugs in the Android manifest parser to dodge analysis and detection. --------------------------------------------- https://securelist.com/soumnibot-android-banker-obfuscates-app-manifest/112… ∗∗∗ Malicious PDF File Used As Delivery Mechanism, (Wed, Apr 17th) ∗∗∗ --------------------------------------------- Billions of PDF files are exchanged daily and many people trust them because they think the file is "read-only" and contains just "a bunch of data". In the past, badly crafted PDF files could trigger nasty vulnerabilities in PDF viewers. --------------------------------------------- https://isc.sans.edu/diary/rss/30848 ∗∗∗ Critical Atlassian Flaw Exploited to Deploy Linux Variant of Cerber Ransomware ∗∗∗ --------------------------------------------- Threat actors are exploiting unpatched Atlassian servers to deploy a Linux variant of Cerber (aka C3RB3R) ransomware. The attacks leverage CVE-2023-22518 (CVSS score: 9.1), a critical security vulnerability impacting the Atlassian Confluence Data Center and Server that allows an unauthenticated attacker to reset Confluence and create an administrator account. --------------------------------------------- https://thehackernews.com/2024/04/critical-atlassian-flaw-exploited-to.html ∗∗∗ Hackers Exploit Fortinet Flaw, Deploy ScreenConnect, Metasploit in New Campaign ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered a new campaign thats exploiting a recently disclosed security flaw in Fortinet FortiClient EMS devices to deliver ScreenConnect and Metasploit Powerfun payloads. --------------------------------------------- https://thehackernews.com/2024/04/hackers-exploit-fortinet-flaw-deploy.html ∗∗∗ Neue Phishing-Masche: Gefälschte Postbriefe ∗∗∗ --------------------------------------------- Die Polizei warnt vor vermehrten Phishing-Fällen in der Steiermark. In Postkästen hinterlegten unbekannte Täter gefälschte Postbenachrichtigungen mit angeführten QR-Codes. Damit sollen Opfer auf eine gefälschte Website gelockt und persönliche Daten abgesaugt werden. --------------------------------------------- https://steiermark.orf.at/stories/3253261/ ∗∗∗ Vorsicht vor unseriösen Ticketangeboten für die UEFA EURO 2024 in Deutschland! ∗∗∗ --------------------------------------------- Fußball-Fans aufgepasst: Wenn Sie jetzt noch auf der Suche nach Eintrittskarten in die Europameisterschaftsstadien für die EM 2024 sind, müssen Sie sich vor betrügerischen und unseriösen Angeboten in Acht nehmen. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-ticketangebote-euro2024/ ∗∗∗ OfflRouter virus causes Ukrainian users to upload confidential documents to VirusTotal ∗∗∗ --------------------------------------------- The documents contained malicious VBA code, indicating they may be used as lures to infect organizations. --------------------------------------------- https://blog.talosintelligence.com/offlrouter-virus-causes-upload-confident… ===================== = Vulnerabilities = ===================== ∗∗∗ Ivanti warns of critical flaws in its Avalanche MDM solution ∗∗∗ --------------------------------------------- Ivanti has released security updates to fix 27 vulnerabilities in its Avalanche mobile device management (MDM) solution, two of them critical heap overflows that can be exploited for remote command execution. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ivanti-warns-of-critical-fla… ∗∗∗ VU#253266: Keras 2 Lambda Layers Allow Arbitrary Code Injection in TensorFlow Models ∗∗∗ --------------------------------------------- Lambda Layers in third party TensorFlow-based Keras models allow attackers to inject arbitrary code into versions built prior to Keras 2.13 that may then unsafely run with the same permissions as the running application. --------------------------------------------- https://kb.cert.org/vuls/id/253266 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (apache2 and cockpit), Fedora (firefox, kernel, mbedtls, python-cbor2, wireshark, and yyjson), Mageia (nghttp2), Red Hat (kernel, kernel-rt, opencryptoki, pcs, shim, squid, and squid:4), Slackware (firefox), SUSE (emacs, firefox, and kernel), and Ubuntu (linux-aws, linux-aws-5.15, linux-aws-6.5, linux-raspi, and linux-iot). --------------------------------------------- https://lwn.net/Articles/970169/ ∗∗∗ Oracle Critical Patch Update Advisory - April 2024 ∗∗∗ --------------------------------------------- https://www.oracle.com/security-alerts/cpuapr2024.html ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Huawei Security Bulletins ∗∗∗ --------------------------------------------- https://securitybulletin.huawei.com/enterprise/en/security-advisory -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.04.2024
by Daily end-of-shift report 16 Apr '24

16 Apr '24

===================== = End-of-Day report = ===================== Timeframe: Montag 15-04-2024 18:00 − Dienstag 16-04-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Palo Alto - Putting The Protecc In GlobalProtect (CVE-2024-3400) ∗∗∗ --------------------------------------------- At watchTowr, we no longer publish Proof of Concepts. Why prove something is vulnerable when we can just believe its so? Iinstead, weve decided to do something better - thats right! Were proud to release another detection artefact generator tool, this time in the form of an HTTP request: --------------------------------------------- https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-c… ∗∗∗ Quick Palo Alto Networks Global Protect Vulnerablity Update (CVE-2024-3400), (Mon, Apr 15th) ∗∗∗ --------------------------------------------- One of our readers, Mark, observed attacks attempting to exploit the vulnerability from two IP addresses: 173.255.223.159: An Akamai/Linode IP address. We do not have any reports from this IP address. Shodan suggests that the system may have recently hosted a WordPress site. 146.70.192.174: A system in Singapore that has been actively scanning various ports in March and April. --------------------------------------------- https://isc.sans.edu/diary/rss/30838 ∗∗∗ New SteganoAmor attacks use steganography to target 320 orgs globally ∗∗∗ --------------------------------------------- A new campaign conducted by the TA558 hacking group is concealing malicious code inside images using steganography to deliver various malware tools onto targeted systems. [..] The attacks begin with malicious emails containing seemingly innocuous document attachments (Excel and Word files) that exploit the CVE-2017-11882 flaw, a commonly targeted Microsoft Office Equation Editor vulnerability fixed in 2017. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-steganoamor-attacks-use-… ∗∗∗ AWS, Google, and Azure CLI Tools Could Leak Credentials in Build Logs ∗∗∗ --------------------------------------------- New cybersecurity research has found that command-line interface (CLI) tools from Amazon Web Services (AWS) and Google Cloud can expose sensitive credentials in build logs, posing significant risks to organizations. The vulnerability has been codenamed LeakyCLI by cloud security firm Orca. [..] Unlike Microsoft, however, both Amazon and Google consider this to be expected behavior, requiring that organizations take steps to avoid storing secrets in environment variables and instead use a dedicated secrets store service like AWS Secrets Manager or Google Cloud Secret Manager. --------------------------------------------- https://thehackernews.com/2024/04/aws-google-and-azure-cli-tools-could.html ∗∗∗ Vorsicht vor falschen Bankanrufen ∗∗∗ --------------------------------------------- Sie erhalten einen Anruf – angeblich von einer Bank. Die Person am Telefon behauptet, Sie hätten einen Kreditantrag eingereicht. Wenn Sie widersprechen, erklärt die Person am Telefon, dass dann wohl Kriminelle in Ihrem Namen den Kreditantrag gestellt hätten. Legen Sie auf! Es handelt sich um eine Betrugsmasche! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-falschen-bankanrufen/ ∗∗∗ Large-scale brute-force activity targeting VPNs, SSH services with commonly used login credentials ∗∗∗ --------------------------------------------- Cisco Talos is actively monitoring a global increase in brute-force attacks against a variety of targets, including Virtual Private Network (VPN) services, web application authentication interfaces and SSH services since at least March 18, 2024. [..] We are including the usernames and passwords used in these attacks in the IOCs for awareness. IP addresses and credentials associated with these attacks can be found in our GitHub repository here. --------------------------------------------- https://blog.talosintelligence.com/large-scale-brute-force-activity-targeti… ∗∗∗ Zugriffsmanagement: Kritische Admin-Lücke in Delinea Secret Server geschlossen ∗∗∗ --------------------------------------------- Die Privileged-Access-Management-Lösung (PAM) Secret Server von Delinea ist verwundbar. Ein Sicherheitsupdate ist verfügbar. --------------------------------------------- https://heise.de/-9686457 ===================== = Vulnerabilities = ===================== ∗∗∗ Schwere Sicherheitslücke in PuTTY - CVE-2024-31497 ∗∗∗ --------------------------------------------- Sicherheitsforscher:innen haben in PuTTY, einer verbreiteten quelloffenen Software zur Herstellung von Verbindungen über Secure Shell (SSH), eine schwere Sicherheitslücke gefunden. Die Ausnutzung von CVE-2024-31497 erlaubt es Angreifer:innen unter bestimmten Umständen, den privaten Schlüssel eines kryptographischen Schlüsselpaares wiederherzustellen. --------------------------------------------- https://cert.at/de/aktuelles/2024/4/schwere-sicherheitslucke-in-putty-cve-2… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (php7.4 and php8.2), Fedora (c-ares), Mageia (python-pillow and upx), Oracle (bind and dhcp, bind9.16, httpd:2.4/mod_http2, kernel, rear, and unbound), SUSE (eclipse, maven-surefire, tycho, emacs, kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t, nodejs16, nodejs18, nodejs20, texlive, vim, webkit2gtk3, and xen), and Ubuntu (gnutls28, klibc, libvirt, nodejs, and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/970036/ ∗∗∗ Proscend Communications M330-W and M330-W5 vulnerable to OS command injection ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN23835228/ ∗∗∗ B&R: 2024-04-15: Cyber Security Advisory - Impact of LogoFail vulnerability on B&R Industrial PCs and HMI products ∗∗∗ --------------------------------------------- https://www.br-automation.com/fileadmin/SA24P002_xPCs_vulnerable_to_LogoFai… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Mozilla: Security Vulnerabilities fixed in Firefox ESR 115.10 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2024-19/ ∗∗∗ Mozilla: Security Vulnerabilities fixed in Firefox 125 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2024-18/ ∗∗∗ Libreswan: IKEv1 default AH/ESP responder can crash and restart ∗∗∗ --------------------------------------------- https://libreswan.org/security/CVE-2024-3652/CVE-2024-3652.txt ∗∗∗ Measuresoft ScadaPro ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-107-01 ∗∗∗ Electrolink FM/DAB/TV Transmitter ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-107-02 ∗∗∗ Rockwell Automation ControlLogix and GuardLogix ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-107-03 ∗∗∗ RoboDK RoboDK ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-107-04 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.04.2024
by Daily end-of-shift report 15 Apr '24

15 Apr '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 12-04-2024 18:00 − Montag 15-04-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400) ∗∗∗ --------------------------------------------- On April 10, 2024, Volexity identified zero-day exploitation of a vulnerability found within the GlobalProtect feature of Palo Alto Networks PAN-OS at one of its network security monitoring (NSM) customers. During its investigation, Volexity observed that UTA0218 attempted to install a custom Python backdoor, which Volexity calls UPSTYLE, on the firewall. The UPSTYLE backdoor allows the attacker to execute additional commands on the device via specially crafted network requests. Details on this backdoor are included further on in this report. --------------------------------------------- https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthent… ∗∗∗ Cisco Duo warns third-party data breach exposed SMS MFA logs ∗∗∗ --------------------------------------------- Cisco Duos security team warns that hackers stole some customers VoIP and SMS logs for multi-factor authentication (MFA) messages in a cyberattack on their telephony provider. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cisco-duo-warns-third-party-… ∗∗∗ Angriff via WebGPU: Sensible Nutzerdaten lassen sich per Javascript auslesen ∗∗∗ --------------------------------------------- Einem Forscherteam der TU Graz ist es gelungen, durch drei verschiedene Seitenkanalangriffe über die in modernen Webbrowsern integrierte Grafikschnittstelle WebGPU sicherheitsrelevante Nutzerdaten wie Tastatureingaben oder Verschlüsselungsschlüssel auszuspähen. Durch die Forschungsarbeit will das Team vor allem auf die Risiken aufmerksam machen, die mit der Implementierung von WebGPU einhergehen können. --------------------------------------------- https://www.golem.de/news/angriff-via-webgpu-sensible-nutzerdaten-lassen-si… ∗∗∗ Using the LockBit builder to generate targeted ransomware ∗∗∗ --------------------------------------------- Kaspersky researchers revisit the leaked LockBit 3.0 builder and share insights into a real-life incident involving a custom targeted ransomware variant created with this builder. --------------------------------------------- https://securelist.com/lockbit-3-0-based-custom-targeted-ransomware/112375/ ∗∗∗ Delinea Secret Server customers should apply latest patches ∗∗∗ --------------------------------------------- Customers of Delinea's Secret Server are being urged to upgrade their installations "immediately" after a researcher claimed a critical vulnerability could allow attackers to gain admin-level access. [..] Delinea sent us a statement post publication: "We confirm there was a vulnerability in Secret Server. Delinea Platform and Secret Server Cloud have been patched and are no longer vulnerable. We have provided a remediation guide for our on-premise customers to fix the vulnerability. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2024/04/15/delinea_secr… ∗∗∗ Unpacking the Blackjack Groups Fuxnet Malware ∗∗∗ --------------------------------------------- Blackjack claims its initial compromise of Moscollector began in June 2023, and since then the group said it has worked slowly in an attempt to cripple the industrial sensors and monitoring infrastructure managed by the company. [..] Screenshots released by the attackers indicate that the impacted sensors are manufactured by a company named AO SBK, a Russian company that manufactures a variety of sensor types, ranging from gas measurement sensors to environmental monitoring equipment. --------------------------------------------- https://claroty.com/team82/research/unpacking-the-blackjack-groups-fuxnet-m… ∗∗∗ Falsche Google-Anrufe zu Ihrem Google-Business-Eintrag ∗∗∗ --------------------------------------------- Vorsicht, wenn Anrufer:innen vorgeben, von Google zu sein. Vermehrt geben sich Kriminelle als Google aus und behaupten, dass die Testphase Ihres Google-Business-Profils abgelaufen und der Eintrag nun kostenpflichtig sei. Legen Sie gleich auf! --------------------------------------------- https://www.watchlist-internet.at/news/falsche-google-anrufe-zu-ihrem-googl… ∗∗∗ “Totally Unexpected” Package Malware Using Modified Notepad++ Plug-in (WikiLoader) ∗∗∗ --------------------------------------------- AhnLab SEcurity intelligence Center (ASEC) has recently identified the distribution of a modified version of “mimeTools.dll”, a default Notepad++ plug-in. The malicious mimeTools.dll file in question was included in the package installation file of a certain version of the Notepad++ package and disguised as a legitimate package file. --------------------------------------------- https://asec.ahnlab.com/en/64106/ ∗∗∗ Lancom-Setup-Assistent leert Root-Passwort ∗∗∗ --------------------------------------------- Wer Lancom-Router mit dem Windows-Setup-Assistenten konfiguriert, läuft Gefahr, das Root-Passwort durch ein leeres zu ersetzen. --------------------------------------------- https://heise.de/-9682694 ===================== = Vulnerabilities = ===================== ∗∗∗ Palo Alto Networks Releases Urgent Fixes for Exploited PAN-OS Vulnerability ∗∗∗ --------------------------------------------- Palo Alto Networks has released hotfixes to address a maximum-severity security flaw impacting PAN-OS software that has come under active exploitation in the wild. --------------------------------------------- https://thehackernews.com/2024/04/palo-alto-networks-releases-urgent.html ∗∗∗ Sicherheitsupdates: Schwachstellen in PHP gefährden Websites ∗∗∗ --------------------------------------------- Die PHP-Entwickler haben mehrere Schwachstellen geschlossen. Eine Sicherheitslücke gilt als kritisch. --------------------------------------------- https://heise.de/-9684558 ∗∗∗ Telegram Desktop: Tippfehler im Quellcode mündet in RCE-Schwachstelle ∗∗∗ --------------------------------------------- Ein Tippfehler im Code der Windows-App von Telegram ermöglicht die Ausführung von Schadcode auf fremden Systemen. Es reicht ein Klick auf ein vermeintliches Video. [..] Der Tippfehler im Telegram-Quellcode bezieht sich aber nicht auf .exe, sondern auf die Dateiendung .pyzw, die ausführbaren Python-Zip-Archiven zugeordnet wird. Diese war im Code noch bis zum 11. April als .pywz hinterlegt, so dass die oben genannte Sicherheitswarnung bei einem Klick auf eine .pyzw-Datei gar nicht erst erschien. [..] Zwar hat Telegram den Fehler im Quellcode inzwischen behoben, ein entsprechendes Update für die Windows-App wurde bisher aber offenbar nicht verteilt. --------------------------------------------- https://www.golem.de/news/telegram-desktop-tippfehler-im-quellcode-muendet-… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (bind, bind and dhcp, bind9.16, gnutls, httpd:2.4/mod_http2, squid:4, and unbound), Debian (kernel, trafficserver, and xorg-server), Fedora (chromium, kernel, libopenmpt, and rust-h2), Mageia (apache-mod_jk, golang, indent, openssl, perl-HTTP-Body, php, rear, ruby-rack, squid, varnish, and xfig), Oracle (bind, squid, unbound, and X.Org server), Red Hat (bind and dhcp and unbound), Slackware (less and php), SUSE (gnutls, python-Pillow, webkit2gtk3, xen, xorg-x11-server, and xwayland), and Ubuntu (yard). --------------------------------------------- https://lwn.net/Articles/969873/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Xen: XSA-456 ∗∗∗ --------------------------------------------- https://xenbits.xenproject.org/people/gdunlap/xsa-draft/advisory-456.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.04.2024
by Daily end-of-shift report 12 Apr '24

12 Apr '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 11-04-2024 18:00 − Freitag 12-04-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Anweisung von oben: US-Behörden müssen nach Cyberangriff auf Microsoft aufräumen ∗∗∗ --------------------------------------------- Die Angreifer haben offenbar auch E-Mails abgegriffen, die zwischen Microsoft und US-Behörden ausgetauscht wurden. Letztere müssen nun handeln. --------------------------------------------- https://www.golem.de/news/anweisung-von-oben-us-behoerden-muessen-nach-cybe… ∗∗∗ Sicherheit: Apple warnt iPhone-Nutzer großflächig vor Spyware-Attacke ∗∗∗ --------------------------------------------- Apple hat iPhone-Besitzer in 92 Ländern vor Auftrags-Spyware-Angriffen gewarnt. Betroffene sollten die Warnung ernst nehmen und sich Hilfe suchen. --------------------------------------------- https://www.golem.de/news/sicherheit-apple-warnt-iphone-nutzer-grossflaechi… ∗∗∗ XZ backdoor story – Initial analysis ∗∗∗ --------------------------------------------- Kaspersky analysis of the backdoor recently found in XZ, which is used in many popular Linux distributions and in OpenSSH server process. --------------------------------------------- https://securelist.com/xz-backdoor-story-part-1/112354/ ∗∗∗ Sneaky Credit Card Skimmer Disguised as Harmless Facebook Tracker ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered a credit card skimmer thats concealed within a fake Meta Pixel tracker script in an attempt to evade detection. --------------------------------------------- https://thehackernews.com/2024/04/sneaky-credit-card-skimmer-disguised-as.h… ∗∗∗ Betrügerische Casino-Apps werden massiv über Facebook und Instagram beworben! ∗∗∗ --------------------------------------------- Mit zahlreichen Werbeanzeigen versuchen Kriminelle, ihre Opfer zum Download verschiedener Casino-Apps zu bewegen. Meist werden unglaubliche Gewinne versprochen, dazu kommen Freispiele und Boni von mehreren tausend Euro. In manchen Werbeanzeigen werden sogar Deepfake-Videos eingesetzt. --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-casino-apps-werden-ma… ∗∗∗ IBM QRadar - When The Attacker Controls Your Security Stack (CVE-2022-26377) ∗∗∗ --------------------------------------------- Today, in this iteration of 'watchTowr Labs takes aim at yet another piece of software' we wonder why the industry panics about backdoors in libraries that have taken 2 years to be unsuccessfully introduced - while security vendors like IBM can't even update libraries used in their flagship security products that subsequently allow for trivial exploitation. [..] For those unfamiliar with defensive security products, QRadar is the mastermind application that can sit on-premise or in the cloud via IBM's SaaS offering. Quite simply, it's IBM's Security Information and Event Management (SIEM) product - and is the heart of many enterprise's security software stack. --------------------------------------------- https://labs.watchtowr.com/ibm-qradar-when-the-attacker-controls-your-secur… ∗∗∗ Krypto-Scams: Coinbase warnt EU-Kunden vor iPhone-Sideloading ∗∗∗ --------------------------------------------- Die Kryptobörse weist europäische Kunden an, die App nur aus Apples App Store zu beziehen. Auch dort wurden zuletzt aber Fake-Wallets gesichtet. --------------------------------------------- https://heise.de/-9683728 ∗∗∗ Intellexa: Spyware des Predator-Herstellers kommt über Online-Werbung ∗∗∗ --------------------------------------------- Der Malware-Dealer Intellexa stellt Spähsoftware vor, die Handys rein über Werbebanner infiziert. [..] Die neue Malware heißt Aladdin und installiert sich ohne Klick des Opfers (Zero-Click-Exploits). [..] Das Gesamtpaket kostet vier Millionen Euro, inklusive einjähriger Garantie und 24-Stunden-Support. Telefonnummern aus den USA, Griechenland und Israel sollen nicht angegriffen werden dürfen, was offenbar auf verhängte Sanktionen zurückgeht. --------------------------------------------- https://heise.de/-9682500 ∗∗∗ Sicherheitslücken: Angreifer können Juniper-Netzwerkgeräte lahmlegen ∗∗∗ --------------------------------------------- Wichtige Patches schließen mehrere Schwachstellen in Junos OS, die Firewalls, Router und Switches verwundbar machen. --------------------------------------------- https://heise.de/-9682955 ===================== = Vulnerabilities = ===================== ∗∗∗ Kritische Sicherheitslücke in Palo Alto PAN-OS (Global Protect) ∗∗∗ --------------------------------------------- n Palo Altos PAN-OS GlobalProtect-Funktion wurde eine kritische Sicherheitslücke identifiziert, welche das Einschleusen von Kommandos erlaubt. Zur Ausnutzung der Schwachstelle muss ein Gateway konfiguriert, und die sogenannte "Device Telemetry" aktiviert sein (zweiteres ist den betroffenen Versionen standardmäßig gegeben). Da noch keine Updates verfügbar sind, kann die Schwachstelle lediglich durch Konfigurationsänderungen mitigiert werden - beachten Sie den Abschnitt "Abhilfe". [..] CVE-2024-3400 --------------------------------------------- https://cert.at/de/warnungen/2024/4/palo-alto-cve-2024-3400 ∗∗∗ CISA Adds One Known Exploited Vulnerability to Catalog ∗∗∗ --------------------------------------------- CVE-2024-3400 Palo Alto Networks PAN-OS Command Injection Vulnerability --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/04/12/cisa-adds-one-known-expl… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium), Fedora (rust, trafficserver, and upx), Mageia (postgresql-jdbc and x11-server, x11-server-xwayland, tigervnc), Red Hat (bind, bind9.16, gnutls, httpd:2.4, squid, unbound, and xorg-x11-server), SUSE (perl-Net-CIDR-Lite), and Ubuntu (apache2, maven-shared-utils, and nss). --------------------------------------------- https://lwn.net/Articles/969590/ ∗∗∗ Linux-Kernel: Neuer Exploit verschafft Root-Rechte ∗∗∗ --------------------------------------------- Ob die Lücke in den jüngsten Kernelversionen behoben ist, ist selbst Sicherheitsexperten unklar. Auch um die Urheberschaft gibt es Streit. --------------------------------------------- https://heise.de/-9682586 ∗∗∗ B&R: 2024-04-10: Cyber Security Advisory - B&R APROL Several vulnerabilities in the Docker Engine ∗∗∗ --------------------------------------------- https://www.br-automation.com/fileadmin/SA24P006_Several_vulnerabilities_in… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.04.2024
by Daily end-of-shift report 11 Apr '24

11 Apr '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 10-04-2024 18:00 − Donnerstag 11-04-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ New Spectre v2 attack impacts Linux systems on Intel CPUs ∗∗∗ --------------------------------------------- Researchers have demonstrated the "first native Spectre v2 exploit" for a new speculative execution side-channel flaw that impacts Linux systems running on many modern Intel processors. [..] The hardware vendor has indicated that future processors will include mitigations for BHI and potentially other speculative execution vulnerabilities. For a complete list of impacted Intel processors to the various speculative execution side-channel flaws, check this page updated by the vendor. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-spectre-v2-attack-impact… ∗∗∗ CISA says Sisense hack impacts critical infrastructure orgs ∗∗∗ --------------------------------------------- The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is investigating the recent breach of data analytics company Sisense, an incident that also impacted critical infrastructure organizations. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cisa-says-sisense-hack-impac… ∗∗∗ DragonForce Ransomware - What You Need To Know ∗∗∗ --------------------------------------------- A relatively new strain of ransomware called DragonForce has making the headlines after a series of high-profile attacks. Like many other ransomware groups, DragonForce attempts to extort money from its victims in two ways - locking companies out of their computers and data through encryption, and exfiltrating data from compromised systems with the threat of releasing it to others via the dark web. So far, so normal. How did DragonForce come to prominence? --------------------------------------------- https://www.tripwire.com/state-of-security/dragonforce-ransomware-what-you-… ∗∗∗ CISA Releases Malware Next-Gen Analysis System for Public Use ∗∗∗ --------------------------------------------- CISAs Malware Next-Gen system is now available for any organization to submit malware samples and other suspicious artifacts for analysis. --------------------------------------------- https://www.securityweek.com/cisa-releases-malware-next-gen-analysis-system… ∗∗∗ Metasploit Meterpreter Installed via Redis Server ∗∗∗ --------------------------------------------- Redis is an abbreviation of Remote Dictionary Server, which is an open-source in-memory data structure storage that is also used as a database. It is presumed that the threat actors abused inappropriate settings or ran commands through vulnerability attacks. --------------------------------------------- https://asec.ahnlab.com/en/64034/ ∗∗∗ Control Web Panel - Fingerprinting Open-Source Software using a Consolidation Algorithm approach ∗∗∗ --------------------------------------------- This blog post details one of these very unique cases: `CVE-2022-44877`, an unauthenticated Command Injection issue, flagged by CISA as a Known Exploited Vulnerability (CISA KEV), affecting Control Web Panel, an open-source control panel for servers and VPS management. Initially, the team could not find a way to straightforwardly fingerprint the software’s version, nor another way to detect it without intrusive exploitation - thus we used a novelty technique: an algorithm that retrieves the web application’s static web content files and consolidates them to pin-point the software’s version. --------------------------------------------- https://www.bitsight.com/blog/control-web-panel-fingerprinting-open-source-… ===================== = Vulnerabilities = ===================== ∗∗∗ Node.js Security Advisories Apr 10, 2024 ∗∗∗ --------------------------------------------- Node v21.7.3 (Current), Node v20.12.2 (LTS), Node v18.20.2 (LTS): CVE-2024-27980 - Command injection via args parameter of child_process.spawn without shell option enabled on Windows. --------------------------------------------- https://nodejs.org/en/blog/release/ ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (kernel, less, libreoffice, nodejs:18, nodejs:20, rear, thunderbird, and varnish), Debian (pillow), Fedora (dotnet7.0), SUSE (sngrep, texlive-specs-k, tomcat, tomcat10, and xorg-x11-server), and Ubuntu (nss, squid, and util-linux). --------------------------------------------- https://lwn.net/Articles/969468/ ∗∗∗ Citrix: XenServer and Citrix Hypervisor Security Update for CVE-2023-46842, CVE-2024-2201 and CVE-2024-31142 ∗∗∗ --------------------------------------------- Two issues have been identified that affect XenServer and Citrix Hypervisor; each issue may allow malicious unprivileged code in a guest VM to infer the contents of memory belonging to its own or other VMs on the same host. --------------------------------------------- https://support.citrix.com/article/CTX633151/xenserver-and-citrix-hyperviso… ∗∗∗ Google Chrome: Sandbox-Ausbruch durch bestimmte Gesten möglich ∗∗∗ --------------------------------------------- Mit etwas Verspätung haben Googles Entwickler das wöchentliche Update für den Chrome-Webbrowser veröffentlicht. Insgesamt drei Sicherheitslücken stopfen die Programmierer darin. Alle tragen die Risikoeinstufung "hoch". --------------------------------------------- https://heise.de/-9681413 ∗∗∗ WLAN-Access-Points von TP-Link 15 Minuten nach Reboot attackierbar ∗∗∗ --------------------------------------------- Angreifer können die WLAN-Access-Points von TP-Link AC1350 Wireless und N300 Wireless N Ceiling Mount attackieren und unter anderem auf Werksweinstellungen zurücksetzen. [..] Sicherheitsupdates sind verfügbar. --------------------------------------------- https://heise.de/-9681863 ∗∗∗ Palo Alto Security Advisories ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Juniper Security Advisories ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/global-search/%40uri?language=en_US#sor… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.04.2024
by Daily end-of-shift report 10 Apr '24

10 Apr '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 09-04-2024 18:00 − Mittwoch 10-04-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Verzögerte Aussendung der CERT.at-Tagesberichte ∗∗∗ --------------------------------------------- Aufgrund einer Fehlkonfiguration unserer Firewall kam es gestern, am 09.04.2024, zu einer teilweise verzögerten Aussendung unserer Tagesberichte. Wir bitten um Entschuldigung für entstandene Unannehmlichkeiten. --------------------------------------------- https://cert.at/de/aktuelles/2024/4/verzogerte-aussendung-der-certat-tagesb… ∗∗∗ VU#123335: Multiple Programming Languages Fail to Escape Arguments Properly in Microsoft Windows ∗∗∗ --------------------------------------------- Various programming languages lack proper validation mechanisms for commands and in some cases also fail to escape arguments correctly when invoking commands within a Microsoft Windows environment. The command injection vulnerability in these programming languages, when running on Windows, allows attackers to execute arbitrary code disguised as arguments to the command. --------------------------------------------- https://kb.cert.org/vuls/id/123335 ∗∗∗ Wie sich NIS 2 auf Mitarbeiter in Unternehmen auswirken wird ∗∗∗ --------------------------------------------- ÖGB Datenschutzexperte Sebastian Klocker im Interview über Schulungsmaßnahmen, Zutrittskontrollen und Überwachung. --------------------------------------------- https://futurezone.at/netzpolitik/nis-2-cybersicherheit-richtlinie-eu-geset… ∗∗∗ Datenpanne bei Microsoft: Passwörter und Quellcode lagen wohl offen im Netz ∗∗∗ --------------------------------------------- Microsoft hatte offenbar einen Azure-Storage-Server falsch konfiguriert. Angeblich sind allerhand sensible Daten des Konzerns für jedermann abrufbar gewesen. --------------------------------------------- https://www.golem.de/news/datenpanne-bei-microsoft-passwoerter-und-quellcod… ∗∗∗ Raspberry Robin Returns: New Malware Campaign Spreading Through WSF Files ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered a new Raspberry Robin campaign wave that propagates the malware through malicious Windows Script Files (WSFs) since March 2024. --------------------------------------------- https://thehackernews.com/2024/04/raspberry-robin-returns-new-malware.html ∗∗∗ Active Nitrogen campaign delivered via malicious ads for PuTTY, FileZilla ∗∗∗ --------------------------------------------- Threat actors once again target system administrators via their favorite tools. Learn more about their TTPs and use the IOCs provide to investigate. --------------------------------------------- https://www.malwarebytes.com/blog/threat-intelligence/2024/04/active-nitrog… ∗∗∗ Muddled Libra’s Evolution to the Cloud ∗∗∗ --------------------------------------------- Muddled Libra now actively targets CSP environments and SaaS applications. Using the MITRE ATT&CK framework, we outline observed TTPs from incident response. --------------------------------------------- https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/ ∗∗∗ Datendiebstahl unter macOS: Zwei neue Kampagnen aufgedeckt ∗∗∗ --------------------------------------------- Den Cyberkriminellen geht es um vertrauliche Nutzerdaten wie Passwörter. Unter anderem kommen gefälschte Werbeanzeigen zum Einsatz, um einen Infostealer einzuschleusen. --------------------------------------------- https://www.zdnet.de/88415282/datendiebstahl-unter-macos-zwei-neue-kampagne… ∗∗∗ New Technique to Trick Developers Detected in an Open Source Supply Chain Attack ∗∗∗ --------------------------------------------- In a recent attack campaign, cybercriminals were discovered cleverly manipulating GitHub’s search functionality, and using meticulously crafted repositories to distribute malware. --------------------------------------------- https://checkmarx.com/blog/new-technique-to-trick-developers-detected-in-an… ===================== = Vulnerabilities = ===================== ∗∗∗ Critical BatBadBut Rust Vulnerability Exposes Windows Systems to Attacks ∗∗∗ --------------------------------------------- A critical security flaw in the Rust standard library could be exploited to target Windows users and stage command injection attacks. --------------------------------------------- https://thehackernews.com/2024/04/critical-batbadbut-rust-vulnerability.html ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gtkwave), Fedora (dotnet7.0, dotnet8.0, and python-pillow), Mageia (apache, gstreamer1.0, libreoffice, perl-Data-UUID, and xen), Oracle (kernel, kernel-container, and varnish), Red Hat (edk2, kernel, rear, and unbound), SUSE (apache2-mod_jk, gnutls, less, and xfig), and Ubuntu (bind9, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, [...] --------------------------------------------- https://lwn.net/Articles/969314/ ∗∗∗ Patchday: Angreifer umgehen erneut Sicherheitsfunktion und attackieren Windows ∗∗∗ --------------------------------------------- Microsoft hat wichtige Sicherheitsupdates für unter anderem Bitlocker, Office und Windows Defender veröffentlicht. Zwei Lücken nutzen Angreifer bereits aus. --------------------------------------------- https://heise.de/-9679989 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ XSA-455 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-455.html ∗∗∗ Pepperl+Fuchs: ICE2- * and ICE3- * are affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2024-017/ ∗∗∗ PC System Recovery Bootloader Vulnerabilities ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500613-PC-SYSTEM-RECOVERY-BOOT… ∗∗∗ AMI MegaRAC Vulnerability ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500612-AMI-MEGARAC-VULNERABILI… ∗∗∗ System Management Module (SMM v1 and v2) and Fan Power Controller (FPC) Vulnerabilities ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/SYSTEM-MANAGEMENT-MODULE-SMM-V1-… ∗∗∗ AMD Radeon Vulnerabilities ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500615 ∗∗∗ Adobe Releases Security Updates for Multiple Products ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/04/09/adobe-releases-security-… ∗∗∗ Sunhillo SureLine Command Injection Attack ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/outbreak-alert/sunhillo-sureline-attack -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.04.2024
by Daily end-of-shift report 09 Apr '24

09 Apr '24

===================== = End-of-Day report = ===================== Timeframe: Montag 08-04-2024 18:00 − Dienstag 09-04-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ New SharePoint flaws help hackers evade detection when stealing files ∗∗∗ --------------------------------------------- Researchers have discovered two techniques that could enable attackers to bypass audit logs or generate less severe entries when downloading files from SharePoint. [..] Varonis disclosed these bugs in November 2023, and Microsoft added the flaws to a patch backlog for future fixing. However, the issues were rated as moderate severity, so they won't receive immediate fixes. Therefore, SharePoint admins should be aware of these risks and learn to identify and mitigate them until patches become available. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-sharepoint-flaws-help-ha… ∗∗∗ Researchers Discover LG Smart TV Vulnerabilities Allowing Root Access ∗∗∗ --------------------------------------------- Multiple security vulnerabilities have been disclosed in LG webOS running on its smart televisions that could be exploited to bypass authorization and gain root access on the devices. [..] The issues were fixed by LG as part of updates released on March 22, 2024. [..] "Although the vulnerable service is intended for LAN access only, Shodan, the search engine for Internet-connected devices, identified over 91,000 devices that expose this service to the Internet," Bitdefender said. --------------------------------------------- https://thehackernews.com/2024/04/researchers-discover-lg-smart-tv.html ∗∗∗ Vorsicht vor falschen Nachrichten vom Finanzamt ∗∗∗ --------------------------------------------- Sie erwarten eine Nachricht vom Finanzamt? Wir raten zur Vorsicht: Derzeit sind zahlreiche gefälschte SMS- und E-Mail-Benachrichtigungen von FinanzOnline bzw. vom Finanzamt im Umlauf. Klicken Sie nicht voreilig auf Links und fragen Sie im Zweifelsfall bei der jeweiligen Behörde nach! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-falschen-nachrichten-vo… ∗∗∗ It Was Not Me! Malware-Initiated Vulnerability Scanning Is on the Rise ∗∗∗ --------------------------------------------- We describe the characteristics of malware-initiated scanning attacks. These attacks differ from direct scanning and are increasing according to our data. --------------------------------------------- https://unit42.paloaltonetworks.com/malware-initiated-scanning-attacks/ ∗∗∗ Notepad++: Entwickler warnt vor Parasiten-Webseite und bittet um Mithilfe ∗∗∗ --------------------------------------------- Die unautorisierte Webseite bezeichnet sich als "Fan-Projekt", der Notepad++-Entwickler fürchtet jedoch schädliche Auswirkungen. Die Community soll helfen. --------------------------------------------- https://heise.de/-9678725 ===================== = Vulnerabilities = ===================== ∗∗∗ Fortinet Security Advisories 2024-04-09 ∗∗∗ --------------------------------------------- Fortinet has released 12 security advisories: FortiOS, FortiManager, FortiClientLinux, FortiClientMac, FortiProxy, FortiMai, FortiSandbox, FortiNAC-F (1x critical, 4x high, 7x medium) --------------------------------------------- https://www.fortiguard.com/psirt?product=FortiOS-6K7K%2CFortiOS&product=For… ∗∗∗ Fortinet: SMTP Smuggling ∗∗∗ --------------------------------------------- FortiMail may be susceptible to smuggling attacks if some measures are not put in place. We therefore recommend to adhere to the following indications in order to mitigate the potential risk associated to the smuggling attacks [..] --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-24-009 ∗∗∗ OpenSSL 3.3 Series Release Notes ∗∗∗ --------------------------------------------- Fixed unbounded memory growth with session handling in TLSv1.3 ([CVE-2024-2511]) --------------------------------------------- https://www.openssl.org/news/openssl-3.3-notes.html ∗∗∗ Technical Advisory – Ollama DNS Rebinding Attack (CVE-2024-28224) ∗∗∗ --------------------------------------------- Ollama is an open-source system for running and managing large language models (LLMs). [..] Ollama fixed this issue in release v0.1.29. --------------------------------------------- https://research.nccgroup.com/2024/04/08/technical-advisory-ollama-dns-rebi… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (expat), Oracle (less and nodejs:20), Slackware (libarchive), SUSE (kubernetes1.23, nghttp2, qt6-base, and util-linux), and Ubuntu (python-django). --------------------------------------------- https://lwn.net/Articles/969141/ ∗∗∗ ICS Patch Tuesday: Siemens Addresses Palo Alto Networks Product Vulnerabilities ∗∗∗ --------------------------------------------- Siemens and Schneider Electric release their ICS Patch Tuesday advisories for April 2024, informing customers about dozens of vulnerabilities. --------------------------------------------- https://www.securityweek.com/ics-patch-tuesday-siemens-addresses-palo-alto-… ∗∗∗ SSA-885980 V1.0: Multiple Vulnerabilities in Scalance W1750D ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-885980.html ∗∗∗ SSA-822518 V1.0: Multiple Vulnerabilities in Palo Alto Networks Virtual NGFW before V11.0.1 on RUGGEDCOM APE1808 devices ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-822518.html ∗∗∗ SSA-730482 V1.0: Denial of Service Vulnerability in SIMATIC WinCC ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-730482.html ∗∗∗ SSA-556635 V1.0: Multiple Vulnerabilities in Telecontrol Server Basic before V3.1.2.0 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-556635.html ∗∗∗ SSA-455250 V1.0: Multiple Vulnerabilities in Palo Alto Networks Virtual NGFW on RUGGEDCOM APE1808 devices ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-455250.html ∗∗∗ SSA-265688 V1.0: Vulnerabilities in the additional GNU/Linux subsystem of the SIMATIC S7-1500 TM MFP V1.1 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-265688.html ∗∗∗ SSA-222019 V1.0: X_T File Parsing Vulnerabilities in Parasolid ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-222019.html ∗∗∗ SSA-128433 V1.0: Multiple Vulnerabilities in SINEC NMS before V2.0 SP2 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-128433.html ∗∗∗ Xen: XSA-454 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-454.html ∗∗∗ Welotec: Two vulnerabilities in TK500v1 router series ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2024-009/ ∗∗∗ SUBNET PowerSYSTEM Server and Substation Server ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-100-01 ∗∗∗ Multiple vulnerabilities in WordPress Plugin "Ninja Forms" ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN50361500/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ SAP-Patchday: Zehn Sicherheitsmitteilungen im April ∗∗∗ --------------------------------------------- https://heise.de/-9678796 ∗∗∗ HP Poly CCX IP-Telefone erlauben unbefugten Zugriff ∗∗∗ --------------------------------------------- https://heise.de/-9679027 ∗∗∗ Robot Operating System: Zahlreiche Schwachstellen gefunden und geschlossen ∗∗∗ --------------------------------------------- https://heise.de/-9679260 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.04.2024
by Daily end-of-shift report 08 Apr '24

08 Apr '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 05-04-2024 18:00 − Montag 08-04-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Jetzt patchen! Rund 16.500 VPN-Instanzen von Ivanti potenziell angreifbar ∗∗∗ --------------------------------------------- Scans zeigen, dass weltweit tausende VPN-Instanzen von Ivanti des Typs Connect Secure und Policy Secure Gateway verwundbar sind. [..] Eigenen Angaben zufolge sind Sicherheitsforscher von Shadowserver weltweit auf rund 16.500 VPN-Instanzen gestoßen, die mit hoher Wahrscheinlichkeit für Attacken empfänglich sind (CVE-2024-21894 „hoch“, CVE-2024-22053 „hoch“). Sind Angriffe erfolgreich, kann Schadcode auf Appliances gelangen. Im Anschluss gelten Systeme in der Regel als vollständig kompromittiert. --------------------------------------------- https://heise.de/-9677551 ∗∗∗ Over 92,000 exposed D-Link NAS devices have a backdoor account ∗∗∗ --------------------------------------------- A threat researcher has disclosed a new arbitrary command injection and hardcoded backdoor flaw in multiple end-of-life D-Link Network Attached Storage (NAS) device models. --------------------------------------------- https://www.bleepingcomputer.com/news/security/over-92-000-exposed-d-link-n… ∗∗∗ Fake Facebook MidJourney AI page promoted malware to 1.2 million people ∗∗∗ --------------------------------------------- Hackers are using Facebook advertisements and hijacked pages to promote fake Artificial Intelligence services, such as MidJourney, OpenAIs SORA and ChatGPT-5, and DALL-E, to infect unsuspecting users with password-stealing malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fake-facebook-midjourney-ai-… ∗∗∗ Tastatursteuerung: Amazon untersucht Sicherheitslücke in Fire-TV-Funktion ∗∗∗ --------------------------------------------- Amazon hat eine Komfort-Funktion für Fire-TV-Geräte aufgrund möglicher Sicherheitsbedenken von Green Line Analytics vorübergehend zurückgezogen. --------------------------------------------- https://www.golem.de/news/tastatursteuerung-amazon-untersucht-sicherheitslu… ∗∗∗ Hackers Exploit Magento Bug to Steal Payment Data from E-commerce Websites ∗∗∗ --------------------------------------------- Threat actors have been found exploiting a critical flaw in Magento to inject a persistent backdoor into e-commerce websites. The attack leverages CVE-2024-20720 (CVSS score: 9.1), which has been described by Adobe as a case of "improper neutralization of special elements" that could pave the way for arbitrary code execution. It was addressed by the company as part of security updates released on February 13, 2024. --------------------------------------------- https://thehackernews.com/2024/04/hackers-exploit-magento-bug-to-steal.html ∗∗∗ Automating Pikabot’s String Deobfuscation ∗∗∗ --------------------------------------------- Pikabot is a malware loader that originally emerged in early 2023 with one of the prominent features being the code obfuscation that it leverages to evade detection and thwart technical analysis. Pikabot employed the obfuscation method to encrypt binary strings, including the address of the command-and-control (C2) servers. In this article, we briefly describe the obfuscation method used by Pikabot and we present an IDA plugin (with source code) that we developed to assist in our binary analysis. --------------------------------------------- https://www.zscaler.com/blogs/security-research/automating-pikabot-s-string… ∗∗∗ Confidential VMs Hacked via New Ahoi Attacks ∗∗∗ --------------------------------------------- New Ahoi attacks Heckler and WeSee target AMD SEV-SNP and Intel TDX with malicious interrupts to hack confidential VMs. --------------------------------------------- https://www.securityweek.com/confidential-vms-hacked-via-new-ahoi-attacks/ ∗∗∗ Vorsicht vor kostenlosen Diensten zur Anpassung und Veränderung von Dateien ∗∗∗ --------------------------------------------- Sie möchten Dateien konvertieren, verkleinern oder Dokumente zusammenfügen? Im Internet gibt es dafür zahlreiche vermeintlich kostenlose Dienste. Wir raten davon ab, denn hinter vielen Angeboten steckt eine Abofalle. Zudem ist oft unklar, was mit Ihren Dokumenten geschieht. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-kostenlosen-diensten-zu… ∗∗∗ IBIS-Hotel: Check-In-Terminal gibt Zugangsdaten fremder Zimmer aus ∗∗∗ --------------------------------------------- Nächster Sicherheitsunfall bei Hotels: Bei den Check-In-Terminals der IBIS-Hotels war es durch Eingabe einer speziellen nicht alphanumerischen Buchungsnummer möglich, die Tastencodes von fast die Hälfte der Zimmer abzurufen. Dritte hätten in die Zimmer eindringen und Wertsachen stehlen können. --------------------------------------------- https://www.borncity.com/blog/2024/04/06/ibis-hotel-check-in-terminal-gibt-… ∗∗∗ ScrubCrypt Deploys VenomRAT with an Arsenal of Plugins ∗∗∗ --------------------------------------------- FortiGuard Labs uncovered a threat actor using ScrubCrypt to spread VenomRAT along with multiple RATs. --------------------------------------------- https://feeds.fortinet.com/~/875486669/0/fortinet/blogs~ScrubCrypt-Deploys-… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (jetty9, libcaca, libgd2, tomcat9, and util-linux), Fedora (chromium, micropython, and upx), Mageia (chromium-browser-stable, dav1d, libreswan, libvirt, nodejs, texlive-20220321, and util-linux), Red Hat (less, nodejs:20, and varnish), Slackware (tigervnc), and SUSE (buildah, c-ares, cdi-apiserver-container, cdi-cloner-container, cdi- controller-container, cdi-importer-container, cdi-operator-container, cdi- uploadproxy-container, cdi-uploadserver-container, cont, curl, expat, go1.21, go1.22, guava, helm, indent, krb5, kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t, libcares2, libvirt, ncurses, nghttp2, podman, postfix, python-Django, python-Pillow, python310, qemu, rubygem-rack, thunderbird, ucode-intel, and xen). --------------------------------------------- https://lwn.net/Articles/968999/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.04.2024
by Daily end-of-shift report 05 Apr '24

05 Apr '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 04-04-2024 18:00 − Freitag 05-04-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Fake AI law firms are sending fake DMCA threats to generate fake SEO gains ∗∗∗ --------------------------------------------- If you run a personal or hobby website, getting a copyright notice from a law firm about an image on your site can trigger some fast-acting panic. Ernie Smith, the prolific, ever-curious writer behind the newsletter Tedium, received a "DMCA Copyright Infringement Notice" in late March from "Commonwealth Legal," representing the "Intellectual Property division" of Tech4Gods. --------------------------------------------- https://arstechnica.com/?p=2014933 ∗∗∗ Continuation Flood: DoS-Angriffstechnik legt HTTP/2-Server ohne Botnetz lahm ∗∗∗ --------------------------------------------- Für einen erfolgreichen Angriff ist in einigen Fällen nur eine einzige TCP-Verbindung erforderlich. Es kommt zu einer Überlastung von Systemressourcen. --------------------------------------------- https://www.golem.de/news/continuation-flood-dos-angriffstechnik-legt-http-… ∗∗∗ AI-as-a-Service Providers Vulnerable to PrivEsc and Cross-Tenant Attacks ∗∗∗ --------------------------------------------- New research has found that artificial intelligence (AI)-as-a-service providers such as Hugging Face are susceptible to two critical risks that could allow threat actors to escalate privileges, gain cross-tenant access to other customers models, and even take over the continuous integration and continuous deployment (CI/CD) pipelines. [..] To mitigate the issue, it's recommended to enable IMDSv2 with Hop Limit so as to prevent pods from accessing the Instance Metadata Service (IMDS) and obtaining the role of a Node within the cluster. --------------------------------------------- https://thehackernews.com/2024/04/ai-as-service-providers-vulnerable-to.html ∗∗∗ Bing ad for NordVPN leads to SecTopRAT ∗∗∗ --------------------------------------------- Threat actors are luring victims to a fake NordVPN website that installs a Remote Access Trojan. --------------------------------------------- https://www.malwarebytes.com/blog/threat-intelligence/2024/04/bing-ad-for-n… ∗∗∗ Neue Dreiecksbetrugsmasche: Kriminelle bestellen in Ihrem Namen ∗∗∗ --------------------------------------------- Sie kaufen online ein, bezahlen und erhalten die gewünschte Ware. Doch nach einigen Wochen erreicht Sie plötzlich eine Mahnung, ein Inkassoschreiben oder sogar eine Betrugsanzeige. Der Grund: Eine nicht bezahlte Rechnung von einem Onlineshop, bei dem Sie gar nichts bestellt haben. In diesem Fall wurden Sie und der Onlineshop betrogen. Wir zeigen Ihnen wie diese neue Masche funktioniert und wie Sie sich schützen können. --------------------------------------------- https://www.watchlist-internet.at/news/neue-dreiecksbetrugsmasche-kriminell… ∗∗∗ The Illusion of Privacy: Geolocation Risks in Modern Dating Apps ∗∗∗ --------------------------------------------- Key takeaways Introduction Dating apps traditionally utilize location data, offering the opportunity to connect with people nearby, and enhancing the chances of real-life meetings. Some apps can also display the distance of the user to other users. This feature is quite useful for coordinating meetups, indicating whether a potential match is just a short distance away or a kilometer apart. However, openly sharing your distance with other users can create serious security issues. The risks become apparent when you consider the potential misuse by a curious individual armed with advanced knowledge of techniques like trilateration. --------------------------------------------- https://research.checkpoint.com/2024/the-illusion-of-privacy-geolocation-ri… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (cockpit), Mageia (python-pygments), Red Hat (nodejs), Slackware (httpd and nghttp2), SUSE (avahi, gradle, gradle-bootstrap, and squid), and Ubuntu (xorg-server, xwayland). --------------------------------------------- https://lwn.net/Articles/968561/ ∗∗∗ Lexmark: Hochriskante Lücken erlauben Codeschmuggel auf Drucker ∗∗∗ --------------------------------------------- Lexmark warnt vor Sicherheitslücken in diversen Drucker-Firmwares. Angreifer können Schadcode einschleusen. Updates sind verfügbar. --------------------------------------------- https://heise.de/-9675861 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.04.2024
by Daily end-of-shift report 04 Apr '24

04 Apr '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 03-04-2024 18:00 − Donnerstag 04-04-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ SurveyLama data breach exposes info of 4.4 million users ∗∗∗ --------------------------------------------- In early February, HIBP's creator, Troy Hunt, received information about a data breach impacting the service, which involved various data types, including: Dates of birth. Email addresses. IP addresses, Full Names, Passwords, Phone numbers, Physical addresses [..] The data set contains information about 4,426,879 accounts and was added to HIBP yesterday, so impacted users should have already received an email notification. --------------------------------------------- https://www.bleepingcomputer.com/news/security/surveylama-data-breach-expos… ∗∗∗ New HTTP/2 DoS attack can crash web servers with a single connection ∗∗∗ --------------------------------------------- Newly discovered HTTP/2 protocol vulnerabilities called "CONTINUATION Flood" can lead to denial of service (DoS) attacks, crashing web servers with a single TCP connection in some implementations. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-http-2-dos-attack-can-cr… ∗∗∗ Angriff mit neuer Ransomware: SEXi-Hacker verschlüsseln ESXi-Server ∗∗∗ --------------------------------------------- Die neue SEXi-Ransomware ist kürzlich in einem Rechenzentrum von Powerhost zum Einsatz gekommen. Betroffene Kundensysteme sind wohl teilweise nicht wiederherstellbar. [..] Bei der Bezeichnung scheint es sich um ein Wortspiel zu handeln, denn die Angreifer haben es damit offenkundig auf VMware ESXi-Server abgesehen. --------------------------------------------- https://www.golem.de/news/angriff-mit-neuer-ransomware-sexi-hacker-verschlu… ∗∗∗ Windows NTLM Credentials-Schwachstelle CVE-2024-21320: Fix durch 0patch ∗∗∗ --------------------------------------------- In Windows gibt es eine Schwachstelle (CVE-2024-21320), die NTLM-Anmeldeinformationen über Windows-Themen offen legt. Microsoft hat zwar im Januar 2024 die Schwachstelle CVE-2024-21320 mit einem Patch versehen. Dieser Patch stellt eine Richtlinie bereit, um das Abrufen der NTLM-Anmeldeinformationen zu verhindern, wenn Theme-Dateien auf Netzlaufwerken liegen. ACROS Security hat nun einen Micropatch für den 0patch-Agenten veröffentlicht, der die Schwachstelle generell (ohne Registrierungseingriff) schließt. --------------------------------------------- https://www.borncity.com/blog/2024/04/04/windows-ntlm-credentials-schwachst… ∗∗∗ Latrodectus: This Spider Bytes Like Ice ∗∗∗ --------------------------------------------- We share Proofpoint’s assessment that Latrodectus will become increasingly used by financially motivated threat actors across the criminal landscape, particularly those who previously distributed IcedID.. This research highlights the value of collaborative work between commercial threat intelligence companies, piecing together distinct viewpoints to provide a more complete picture of malicious activities. --------------------------------------------- https://www.team-cymru.com/post/latrodectus-this-spider-bytes-like-ice ∗∗∗ Byakugan – The Malware Behind a Phishing Attack ∗∗∗ --------------------------------------------- FortiGuard Labs has uncovered the Byakugan malware behind a recent malware campaign distributed by malicious PDF files [..] In January 2024, FortiGuard Labs collected a PDF file written in Portuguese that distributes a multi-functional malware known as Byakugan. While investigating this campaign, a report about it was published. Therefore, this report will only provide a brief analysis of the overlap between that attack and this and focus primarily on the details of the infostealer. --------------------------------------------- https://www.fortinet.com/blog/threat-research/byakugan-malware-behind-a-phi… ∗∗∗ Politische Parteien vor der EU-Wahl häufiger Ziel von Cyberangriffen ∗∗∗ --------------------------------------------- Cyberangreifer konzentrieren sich derzeit offenbar stark auf politische Akteure und Parteien. Gefahr bestehe besonders durch sogenannte Hack-and-Leak-Angriffe. --------------------------------------------- https://heise.de/-9674511 ===================== = Vulnerabilities = ===================== ∗∗∗ Ivanti fixes VPN gateway vulnerability allowing RCE, DoS attacks ∗∗∗ --------------------------------------------- IT security software company Ivanti has released patches to fix multiple security vulnerabilities impacting its Connect Secure and Policy Secure gateways. Unauthenticated attackers can exploit one of them, a high-severity flaw tracked as CVE-2024-21894, to gain remote code execution and trigger denial of service states on unpatched appliances in low-complexity attacks that don't require user interaction. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ivanti-fixes-vpn-gateway-vul… ∗∗∗ Cisco Security Advisories 2024-04-03 ∗∗∗ --------------------------------------------- Security Impact Rating: 1x High, 11x Medium --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs… ∗∗∗ CISA Adds Two Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CVE-2024-29745 Android Pixel Information Disclosure Vulnerability, CVE-2024-29748 Android Pixel Privilege Escalation Vulnerability --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/04/04/cisa-adds-two-known-expl… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Hitachi Energy Asset Suite 9 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-095-01 ∗∗∗ Schweitzer Engineering Laboratories SEL ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-095-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.04.2024
by Daily end-of-shift report 03 Apr '24

03 Apr '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 02-04-2024 18:00 − Mittwoch 03-04-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ NIS2-Begutachtungsverfahren gestartet ∗∗∗ --------------------------------------------- Die Regierung hat am 3. April 2024 das Cybersicherheitsgesetz zur europäischen NIS2-Verordnung in Begutachtung geschickt. --------------------------------------------- https://www.bmi.gv.at/news.aspx?id=7567384169746C75366D413D ∗∗∗ Kritik nach Cyberangriff: Microsoft hat seine Kronjuwelen nicht im Griff ∗∗∗ --------------------------------------------- Ein im Sommer 2023 festgestellter Cyberangriff auf Microsofts Server hatte für einige Kunden verheerende Folgen. Eine US-Kommission erhebt nun schwere Vorwürfe gegen den Konzern. --------------------------------------------- https://www.golem.de/news/us-kommission-aeussert-kritik-hackerangriff-auf-m… ∗∗∗ The Mystery of ‘Jia Tan,’ the XZ Backdoor Mastermind ∗∗∗ --------------------------------------------- As scrutiny around Jia Tan has mounted since the revelation of the XZ Utils backdoor last Friday, researchers have noted that the persona has remarkably good operational security. [..] The Jia Tan persona has vanished since the backdoor was discovered [..] In fact, the only real footprints Jia Tan appears to have left behind were their contributions to the open source development community, where they were a prolific contributor: Disturbingly, Jia Tan’s first code change was to the “libarchive” compression library, another very widely used open source component. [..] In total, Jia Tan made 6,000 code changes to at least seven projects between 2021 and February 2024 [..] Security researchers agree, at least, that it’s unlikely that Jia Tan is a real person, or even one person working alone. Instead, it seems clear that the persona was the online embodiment of a new tactic from a new, well-organized organization—a tactic that nearly worked. --------------------------------------------- https://www.wired.com/story/jia-tan-xz-backdoor/ ∗∗∗ XZ Utils Backdoor Attack Brings Another Similar Incident to Light ∗∗∗ --------------------------------------------- In a post on Mastodon, Hans-Christoph Steiner, a maintainer of F-Droid, recalled a similar story from 2020, when an individual attempted to get F-Droid developers to add what later was determined to be a SQL injection vulnerability. That attempt was unsuccessful, but has some similarities to the XZ incident. --------------------------------------------- https://www.securityweek.com/xz-utils-backdoor-attack-brings-another-simila… ∗∗∗ Distinctive Campaign Evolution of Pikabot Malware ∗∗∗ --------------------------------------------- PikaBot is a malicious backdoor that has been active since early 2023. Its modular design is comprised of a loader and a core component. [..] During February 2024, McAfee Labs observed a significant change in the campaigns that distribute Pikabot. --------------------------------------------- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/distinctive-campaign-e… ∗∗∗ Hohe Handyrechnung durch ungewolltes Abo? ∗∗∗ --------------------------------------------- Per E-Mail oder SMS werden Sie plötzlich von Ihrem Mobilfunkanbieter darüber informiert, dass Sie ein Abo abgeschlossen haben. Sie sind sich aber sicher, dass Sie keinem Vertrag zugestimmt haben und wissen auch nicht, wie es dazu gekommen ist? Wir zeigen Ihnen, was Sie gegen unseriöse Abbuchungen von Ihrer Handyrechnung tun können und wie Sie sich vor Abofallen schützen. --------------------------------------------- https://www.watchlist-internet.at/news/hohe-handyrechnung-durch-ungewolltes… ∗∗∗ Another Path to Exploiting CVE-2024-1212 in Progress Kemp LoadMaster ∗∗∗ --------------------------------------------- Rhino Labs discovered a pre-authentication command injection vulnerability in the Progress Kemp LoadMaster. [..] This was a really cool find by Rhino Labs. Here I add one additional exploitation path and some additional ways to test for this vulnerability. --------------------------------------------- https://medium.com/tenable-techblog/another-path-to-exploiting-cve-2024-121… ∗∗∗ Unveiling the Fallout: Operation Cronos Impact on LockBit Following Landmark Disruption ∗∗∗ --------------------------------------------- Our new article provides key highlights and takeaways from Operation Cronos disruption of LockBits operations, as well as telemetry details on how LockBit actors operated post-disruption. --------------------------------------------- https://www.trendmicro.com/en_us/research/24/d/operation-cronos-aftermath.h… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (py7zr), Fedora (biosig4c++ and podman), Oracle (kernel, kernel-container, and ruby:3.1), Red Hat (.NET 7.0, bind9.16, curl, expat, grafana, grafana-pcp, kernel, kernel-rt, kpatch-patch, less, opencryptoki, and postgresql-jdbc), and Ubuntu (cacti). --------------------------------------------- https://lwn.net/Articles/968218/ ∗∗∗ Critical Vulnerability Found in LayerSlider Plugin Installed on a Million WordPress Sites ∗∗∗ --------------------------------------------- A critical SQL injection vulnerability in the LayerSlider WordPress plugin allows attackers to extract sensitive information. --------------------------------------------- https://www.securityweek.com/critical-vulnerability-found-in-layerslider-pl… ∗∗∗ CVE-2024-0394: Rapid7 Minerva Armor Privilege Escalation (FIXED) ∗∗∗ --------------------------------------------- Rapid7 is disclosing CVE-2024-0394, a privilege escalation vulnerability in Rapid7 Minerva’s Armor product family. The root cause of this vulnerability is Minerva’s implementation of OpenSSL’s OPENSSLDIR parameter, which was set to a path accessible to low-privileged users. --------------------------------------------- https://www.rapid7.com/blog/post/2024/04/03/cve-2024-0394-rapid7-minerva-ar… ∗∗∗ Patchday Android: Angreifer können sich höhere Rechte verschaffen ∗∗∗ --------------------------------------------- Neben Google haben auch Samsung und weitere Hersteller wichtige Sicherheitsupdates für Androidgeräte veröffentlicht. --------------------------------------------- https://heise.de/-9673480 ∗∗∗ Codeschmuggellücke in VMware SD-WAN Edge und Orchestrator ∗∗∗ --------------------------------------------- Drei Sicherheitslücken in VMwares SD-WAN Edge und Orchestrator ermöglichen Angreifern unter anderem, Schadcode einzuschleusen. --------------------------------------------- https://heise.de/-9673416 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Mozilla: Security Vulnerabilities fixed in Firefox for iOS 124 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2024-17/ ∗∗∗ Unify: Credentials disclosure vulnerability in Unify OpenScape Desk Phones CP ∗∗∗ --------------------------------------------- https://networks.unify.com/security/advisories/OBSO-2404-01.pdf -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.04.2024
by Daily end-of-shift report 02 Apr '24

02 Apr '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 29-03-2024 18:00 − Dienstag 02-04-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Staatlich gesponserte "Entwicklung" quelloffener Software ∗∗∗ --------------------------------------------- Wer auf der Suche nach einer kurzen Zusammenfassung der Geschehnisse rund um die (höchstwahrscheinliche) Backdoor in xz, CVE-2024-3094, ist, möge einen Blick auf diese durch den Sicherheitsforscher Thomas Roccia erstellte Grafik werfen. Darin sind die wichtigsten Details zusammengefasst, die in den folgenden Absätze wesentlich ausführlicher beleuchtet werden. Alternativ hätte dieser Blogpost auch einen deutlich knackigeren Titel haben können - "CVE-2024-3094", um jene geht es in diesem Beitrag nämlich. --------------------------------------------- https://cert.at/de/blog/2024/4/staatlich-gesponserte-entwicklung-quelloffen… ∗∗∗ The amazingly scary xz sshd backdoor, (Mon, Apr 1st) ∗∗∗ --------------------------------------------- The whole story around this is both fascinating and scary – and I’m sure will be told around numerous time, so in this diary I will put some technical things about the backdoor that I reversed for quite some time (and I have a feeling I could spend 2 more weeks on this). [..] Let’s take a look at couple of fascinating things in this backdoor. --------------------------------------------- https://isc.sans.edu/diary/rss/30802 ∗∗∗ On Cybersecurity Alert Levels ∗∗∗ --------------------------------------------- Last week I was invited to provide input to a tabletop exercise for city-level crisis managers on cyber security risks and the role of CSIRTs. The organizers brought a color-coded threat-level sheet (based on the CISA Alert Levels) to the discussion and asked whether we also do color-coded alerts in Austria and what I think of these systems. My answer was negative on both questions, and I think it might be useful if I explain my rationale here. --------------------------------------------- https://cert.at/en/blog/2024/4/on-cybersecurity-alert-levels ∗∗∗ Heartbleed is 10 Years Old – Farewell Heartbleed, Hello QuantumBleed! ∗∗∗ --------------------------------------------- Heartbleed made most certificates vulnerable. The future problem is that quantum decryption will make all certificates and everything else using RSA encryption vulnerable to everyone. --------------------------------------------- https://www.securityweek.com/heartbleed-is-10-years-old-farewell-heartbleed… ∗∗∗ From OneNote to RansomNote: An Ice Cold Intrusion ∗∗∗ --------------------------------------------- In late February 2023, threat actors rode a wave of initial access using Microsoft OneNote files. In this case, we observed a threat actor deliver IcedID using this method. After loading IcedID and establishing persistence, there were no further actions, other than beaconing for over 30 days. The threat actor used Cobalt Strike and AnyDesk to target a file server and a backup server. The threat actor used FileZilla to exfiltrate data from the network before deploying Nokoyawa ransomware. --------------------------------------------- https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold… ∗∗∗ Adversaries are leveraging remote access tools now more than ever — here’s how to stop them ∗∗∗ --------------------------------------------- While there are many legitimate uses for this software, adversaries are also finding ways to use them for command and control in their campaigns. --------------------------------------------- https://blog.talosintelligence.com/adversaries-are-leveraging-remote-access… ∗∗∗ Earth Freybug Uses UNAPIMON for Unhooking Critical APIs ∗∗∗ --------------------------------------------- This article provides an in-depth look into two techniques used by Earth Freybug actors: dynamic-link library (DLL) hijacking and application programming interface (API) unhooking to prevent child processes from being monitored via a new malware we’ve discovered and dubbed UNAPIMON. --------------------------------------------- https://www.trendmicro.com/en_us/research/24/d/earth-freybug.html ===================== = Vulnerabilities = ===================== ∗∗∗ Update #1: Kritische Sicherheitslücke/Hintertüre in xz-utils (CVE-2024-3094) ∗∗∗ --------------------------------------------- In den Versionen 5.6.0 und 5.6.1 der weit verbreiteten Bibliothek xz-utils wurde eine Hintertür entdeckt. xz-utils wird häufig zur Komprimierung von Softwarepaketen, Kernel-Images und initramfs-Images verwendet. Die Lücke ermöglicht es nicht authentifizierten Angreifer:innen, die sshd-Authentifizierung auf verwundbaren Systemen zu umgehen und unauthorisierten Zugriff auf das gesamte System zu erlangen. Aktuell liegen uns keine Informationen über eine aktive Ausnutzung vor. --------------------------------------------- https://cert.at/de/warnungen/2024/3/kritische-sicherheitslucke-in-fedora-41… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (xz), Debian (libvirt, mediawiki, util-linux, and xz-utils), Fedora (apache-commons-configuration, cockpit, ghc-base64, ghc-hakyll, ghc-isocline, ghc-toml-parser, gitit, gnutls, pandoc, pandoc-cli, patat, podman-tui, prometheus-podman-exporter, seamonkey, suricata, and xen), Gentoo (XZ utils), Mageia (aide & mhash, emacs, microcode, opensc, and squid), Red Hat (ruby:3.1), and SUSE (kanidm and qpid-proton). --------------------------------------------- https://lwn.net/Articles/967851/ ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (kernel and webkitgtk), Mageia (unixODBC and w3m), and SUSE (libvirt, netty, netty-tcnative, and perl-DBD-SQLite). --------------------------------------------- https://lwn.net/Articles/967959/ ∗∗∗ Security Flaw in WP-Members Plugin Leads to Script Injection ∗∗∗ --------------------------------------------- A cross-site scripting vulnerability in the WP-Members Membership plugin could allow attackers to inject scripts into user profile pages. --------------------------------------------- https://www.securityweek.com/security-flaw-in-wp-members-plugin-leads-to-sc… ∗∗∗ Bitdefender hat hochriskante Sicherheitslücke abgedichtet ∗∗∗ --------------------------------------------- Durch eine Sicherheitslücke konnten Angreifer auf Rechnern mit Bitdefender-Virenschutz ihre Rechte ausweiten. Die Lücke wurde geschlossen. --------------------------------------------- https://heise.de/-9672841 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ F5: K000139092 : DNS vulnerability CVE-2023-50387 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000139092 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.03.2024
by Daily end-of-shift report 29 Mar '24

29 Mar '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 28-03-2024 18:00 − Freitag 29-03-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Doctor Web’s January 2024 review of virus activity on mobile devices ∗∗∗ --------------------------------------------- According to detection statistics collected by the Dr.Web for Android anti-virus, in January 2024, users were most likely to encounter Android.HiddenAds trojan applications; these were detected on protected devices 54.45% more often than in December 2023. At the same time, the activity of another adware trojan family, Android.MobiDash, remained virtually unchanged, increasing by only 0.90%. --------------------------------------------- https://news.drweb.com/show/review/?lng=en&i=14833 ∗∗∗ Quick Forensics Analysis of Apache logs, (Fri, Mar 29th) ∗∗∗ --------------------------------------------- Sometimes, you’ve to quickly investigate a webserver logs for potential malicious activity. If you're lucky, logs are already indexed in real-time in a log management solution and you can automatically launch some hunting queries. If that's not the case, you can download all logs on a local system or a cloud instance and index them manually. But it's not always the easiest/fastest way due to the amount of data to process. These days, I'm always trying to process data as close as possible of their location/source and only download the investigation results. --------------------------------------------- https://isc.sans.edu/diary/rss/30792 ∗∗∗ New Linux Bug Could Lead to User Password Leaks and Clipboard Hijacking ∗∗∗ --------------------------------------------- Details have emerged about a vulnerability impacting the "wall" command of the util-linux package that could be potentially exploited by a bad actor to leak a users password or alter the clipboard on certain Linux distributions. The bug, tracked as CVE-2024-28085, has been codenamed WallEscape by security researcher Skyler Ferrante. --------------------------------------------- https://thehackernews.com/2024/03/new-linux-bug-could-lead-to-user.html ∗∗∗ Dormakaba Locks Used in Millions of Hotel Rooms Could Be Cracked in Seconds ∗∗∗ --------------------------------------------- Security vulnerabilities discovered in Dormakabas Saflok electronic RFID locks used in hotels could be weaponized by threat actors to forge keycards and stealthily slip into locked rooms. [..] They were reported to the Zurich-based company in September 2022. [..] Dormakaba is estimated to have updated or replaced 36% of the impacted locks as of March 2024 as part of a rollout process that commenced in November 2023. Some of the vulnerable locks have been in use since 1988. --------------------------------------------- https://thehackernews.com/2024/03/dormakaba-locks-used-in-millions-of.html ∗∗∗ Pentagon Outlines Cybersecurity Strategy for Defense Industrial Base ∗∗∗ --------------------------------------------- US Defense Department releases defense industrial base cybersecurity strategy with a focus on four key goals. [..] The cybersecurity strategy published this week covers fiscal years 2024 through 2027 and its primary mission is to ensure the generation, reliability and preservation of warfighting capabilities by protecting operational capabilities, sensitive information, and product integrity. --------------------------------------------- https://www.securityweek.com/pentagon-outlines-cybersecurity-strategy-for-d… ∗∗∗ E-Mail über „fragwürdige Transaktion“ führt zu Schadsoftware ∗∗∗ --------------------------------------------- Aktuell versenden Kriminelle wahllos E-Mails an Unternehmen mit dem Betreff „Questionable Transaction on Credit Card - Need Explanation“. Die Kriminellen bitten darum, auf die E-Mail zu antworten, um zu erklären, woher die „fragwürdige Transaktion“ auf der Kreditkarte kommt. Wer antwortet, erhält prompt eine neue E-Mail. Diesmal wird ein Kontoauszug als Beweis mitgeschickt. Das behaupten zumindest die Kriminellen. --------------------------------------------- https://www.watchlist-internet.at/news/e-mail-ueber-fragwuerdige-transaktio… ∗∗∗ Stories from the SOC Part 1: IDAT Loader to BruteRatel ∗∗∗ --------------------------------------------- In August 2023, Rapid7 identified a new malware loader named the IDAT Loader. Malware loaders are a type of malicious software designed to deliver and execute additional malware onto a victim's system. [..] In this two-part blog series, we will examine the attack chain observed in two separate incidents, offering in-depth analysis of the malicious behavior detected. --------------------------------------------- https://www.rapid7.com/blog/post/2024/03/28/stories-from-the-soc-part-1-ida… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium), Fedora (apache-commons-configuration, chromium, csmock, ofono, onnx, php-tcpdf, and podman-tui), Mageia (curl), Oracle (libreoffice), Slackware (coreutils, seamonkey, and util), SUSE (minidlna, PackageKit, and podman), and Ubuntu (linux-azure-6.5 and linux-intel-iotg, linux-intel-iotg-5.15). --------------------------------------------- https://lwn.net/Articles/967134/ ∗∗∗ 26 Security Issues Patched in TeamCity ∗∗∗ --------------------------------------------- TeamCity 2024.03, released on March 27, patches 26 ‘security problems’, according to JetBrains. The company highlighted that it’s not sharing the details of security-related issues “to avoid compromising clients that keep using previous bugfix and/or major versions of TeamCity”. --------------------------------------------- https://www.securityweek.com/26-security-issues-patched-in-teamcity/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ F5: K000139084 : DNS vulnerability CVE-2023-50868 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000139084 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.03.2024
by Daily end-of-shift report 28 Mar '24

28 Mar '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 27-03-2024 18:00 − Donnerstag 28-03-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ New Darcula phishing service targets iPhone users via iMessage ∗∗∗ --------------------------------------------- A new phishing-as-a-service (PhaaS) named Darcula uses 20,000 domains to spoof brands and steal credentials from Android and iPhone users in more than 100 countries. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-darcula-phishing-service… ∗∗∗ Cisco warns of password-spraying attacks targeting VPN services ∗∗∗ --------------------------------------------- Cisco has shared a set of recommendations for customers to mitigate password-spraying attacks that have been targeting Remote Access VPN (RAVPN) services configured on Cisco Secure Firewall devices. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cisco-warns-of-password-spra… ∗∗∗ DinodasRAT Linux implant targeting entities worldwide ∗∗∗ --------------------------------------------- In this article, we share our analysis of a recent version of the DinodasRAT implant for Linux, which may have been active since 2022. --------------------------------------------- https://securelist.com/dinodasrat-linux-implant/112284/ ∗∗∗ From JavaScript to AsyncRAT, (Thu, Mar 28th) ∗∗∗ --------------------------------------------- It has been a while since I found an interesting piece of JavaScript. This one was pretty well obfuscated. It was called “_Rechnung_01941085434_PDF.js” (Invoice in German) with a low VT score. --------------------------------------------- https://isc.sans.edu/diary/rss/30788 ∗∗∗ Android Malware Vultur Expands Its Wingspan ∗∗∗ --------------------------------------------- The authors behind Android banking malware Vultur have been spotted adding new technical features, which allow the malware operator to further remotely interact with the victim’s mobile device. [..] In this blog we provide a comprehensive analysis of Vultur, beginning with an overview of its infection chain. --------------------------------------------- https://research.nccgroup.com/2024/03/28/android-malware-vultur-expands-its… ∗∗∗ Netz-digitalisierung.com eröffnet Konten in Ihrem Namen! ∗∗∗ --------------------------------------------- Verlockende Nebenjob-Angebote als App-Tester:in oder Studienteilnehmer:in über die Seite netz-digitalisierung.com führen zu Identitätsdiebstahl! Die Kriminellen eröffnen Konten in Ihrem Namen und verwenden diese möglicherweise für kriminelle Zwecke. --------------------------------------------- https://www.watchlist-internet.at/news/jobbetrug-netz-digitalisierungcom/ ∗∗∗ Pre-Ransomware Aktivität: Schadakteure nutzen CitrixBleed (CVE-2023-4966) noch immer und verstärkt für Initialzugriff ∗∗∗ --------------------------------------------- Aktuell sind uns einige Ransomware-Vorfälle in Österreich bekannt, bei denen mit sehr hoher Wahrscheinlichkeit CitrixBleed (CVE-2023-4966) als primärer Angriffsvektor für den initialen Zugriff auf die Organisationsnetzwerke benutzt wurde. Ein Patch steht seit geraumer Zeit zur Verfügung. --------------------------------------------- https://cert.at/de/aktuelles/2024/3/pre-ransomware-aktivitat-schadakteure-n… ∗∗∗ Schon wieder zu viel Schadcode: Keine neuen Projekte für Python-Registry PyPI ∗∗∗ --------------------------------------------- Ein Ansturm von Paketen mit Schadcode hat die Betreiber des Python Package Index dazu veranlasst, die Aufnahme neuer Projekte und User zu stoppen. --------------------------------------------- https://heise.de/-9670240 ===================== = Vulnerabilities = ===================== ∗∗∗ Nvidias newborn ChatRTX bot patched for security bugs ∗∗∗ --------------------------------------------- ChatRTX, formerly known as Chat with RTX, was launched in February to provide Nvidia GPU owners with an AI chatbot that could run locally on RTX 30 and 40-series hardware with at least 8 GB of VRAM. [..] CVE‑2024‑0083 could allow attackers to perform denial of service attacks, steal data, and even perform remote code execution (RCE). --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2024/03/28/nvidia_chatr… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (perl-Data-UUID, python-pygments, and thunderbird), Mageia (clojure, grub2, kernel,kmod-xtables-addons,kmod-virtualbox, kernel-linus, nss firefox, nss, python3, python, tcpreplay, and thunderbird), Oracle (nodejs:18), Red Hat (.NET 6.0 and dnsmasq), SUSE (avahi and python39), and Ubuntu (curl, linux-intel-iotg, linux-intel-iotg-5.15, unixodbc, and util-linux). --------------------------------------------- https://lwn.net/Articles/966961/ ∗∗∗ Splunk Patches Vulnerabilities in Enterprise Product ∗∗∗ --------------------------------------------- Splunk patches high-severity vulnerabilities in Enterprise, including an authentication token exposure issue. --------------------------------------------- https://www.securityweek.com/splunk-patches-vulnerabilities-in-enterprise-p… ∗∗∗ Neue SugarCRM-Versionen schließen kritische Lücken ∗∗∗ --------------------------------------------- Insgesamt 18, teils kritische Lücken schließen die neuen Versionen SugarCRM 13.03. und 12.05. --------------------------------------------- https://heise.de/-9670436 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (March 18, 2024 to March 24, 2024) ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2024/03/wordfence-intelligence-weekly-wordpr… ∗∗∗ Synology-SA-24:05 Synology Surveillance Station Client ∗∗∗ --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_24_05 ∗∗∗ Synology-SA-24:04 Surveillance Station ∗∗∗ --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_24_04 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.03.2024
by Daily end-of-shift report 27 Mar '24

27 Mar '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 26-03-2024 18:00 − Mittwoch 27-03-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Ransomware as a Service and the Strange Economics of the Dark Web ∗∗∗ --------------------------------------------- Ransomware is quickly changing in 2024, with massive disruptions and large gangs shutting down. Learn from Flare how affiliate competition is changing in 2024, and what might come next. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ransomware-as-a-service-and-… ∗∗∗ CISA tags Microsoft SharePoint RCE bug as actively exploited ∗∗∗ --------------------------------------------- CISA warns that attackers are now exploiting a Microsoft SharePoint code injection vulnerability that can be chained with a critical privilege escalation flaw for pre-auth remote code execution attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cisa-tags-microsoft-sharepoi… ∗∗∗ Row breaks out over true severity of two DNSSEC flaws ∗∗∗ --------------------------------------------- Two DNSSEC vulnerabilities were disclosed last month with similar descriptions and the same severity score, but they are not the same issue. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2024/03/26/software_ris… ∗∗∗ Gefälschte Booking.com-Kontaktnummern locken in die Falle! ∗∗∗ --------------------------------------------- Nehmen Sie sich vor betrügerischen Telefonnummern in Acht, wenn Sie nach Booking.com Kontaktinfos googeln. Kriminelle erstellen Fake-Websites mit Booking-Logo und blenden Telefonnummern ein. --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschte-bookingcom-kontaktnummer… ∗∗∗ Advanced Nmap Scanning Techniques ∗∗∗ --------------------------------------------- Beyond its fundamental port scanning capabilities, Nmap offers a suite of advanced techniques designed to uncover vulnerabilities, bypass security measures, and gather valuable insights about target systems. --------------------------------------------- https://cybersecurity.att.com/blogs/security-essentials/advanced-nmap-scann… ===================== = Vulnerabilities = ===================== ∗∗∗ Hackers exploit Ray framework flaw to breach servers, hijack resources ∗∗∗ --------------------------------------------- A new hacking campaign dubbed "ShadowRay" targets an unpatched vulnerability in Ray, a popular open-source AI framework, to hijack computing power and leak sensitive data from thousands of companies. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-exploit-ray-framewor… ∗∗∗ Microsoft Edge Bug Could Have Allowed Attackers to Silently Install Malicious Extensions ∗∗∗ --------------------------------------------- A now-patched security flaw in the Microsoft Edge web browser could have been abused to install arbitrary extensions on users systems and carry out malicious actions. --------------------------------------------- https://thehackernews.com/2024/03/microsoft-edge-bug-could-have-allowed.html ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (composer and nodejs), Fedora (w3m), Mageia (tomcat), Oracle (expat, firefox, go-toolset:ol8, grafana, grafana-pcp, nodejs:18, and thunderbird), Red Hat (dnsmasq, expat, kernel, kernel-rt, libreoffice, and squid), and SUSE (firefox, krb5, libvirt, and shadow). --------------------------------------------- https://lwn.net/Articles/966835/ ∗∗∗ Exposing a New BOLA Vulnerability in Grafana ∗∗∗ --------------------------------------------- Unit 42 researchers discovered CVE-2024-1313, a broken object level authorization (BOLA) vulnerability in open-source data visualization platform Grafana. --------------------------------------------- https://unit42.paloaltonetworks.com/new-bola-vulnerability-grafana/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Cisco Security Advisories 2024-03-27 ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs… ∗∗∗ Splunk Security Advisories ∗∗∗ --------------------------------------------- https://advisory.splunk.com/advisories ∗∗∗ Google Chrome: Kritische Schwachstelle bedroht Browser-Nutzer ∗∗∗ --------------------------------------------- https://heise.de/-9668035 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.03.2024
by Daily end-of-shift report 26 Mar '24

26 Mar '24

===================== = End-of-Day report = ===================== Timeframe: Montag 25-03-2024 18:00 − Dienstag 26-03-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Free VPN apps on Google Play turned Android phones into proxies ∗∗∗ --------------------------------------------- Over 15 free VPN apps on Google Play were found using a malicious software development kit that turned Android devices into unwitting residential proxies, likely used for cybercrime and shopping bots. --------------------------------------------- https://www.bleepingcomputer.com/news/security/free-vpn-apps-on-google-play… ∗∗∗ New tool: linux-pkgs.sh, (Sun, Mar 24th) ∗∗∗ --------------------------------------------- During a recent Linux forensic engagement, a colleague asked if there was anyway to tell what packages were installed on a victim image. As we talk about in FOR577, depending on which tool you run on a live system and how you define "installed" you may get different answers, but at least on the live system you can use things like apt list or dpkg -l or rpm -qa or whatever to try to list them, but if all you have is a disk image, what do you do? --------------------------------------------- https://isc.sans.edu/diary/rss/30774 ∗∗∗ Agent Teslas New Ride: The Rise of a Novel Loader ∗∗∗ --------------------------------------------- This blog provides an in-depth analysis of a newly identified loader, highlighting the attack's evasiveness and the advanced tactics, techniques, and procedures (TTPs) used in both the loader and its command and control (C2) framework. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/agent-tesla… ∗∗∗ The Darkside of TheMoon ∗∗∗ --------------------------------------------- The Black Lotus Labs team at Lumen Technologies has identified a multi-year campaign targeting end-of-life (EoL) small home/small office (SOHO) routers and IoT devices, associated with an updated version of “TheMoon” malware. [..] While Lumen has previously documented this malware family, our latest tracking has shown TheMoon appears to enable Faceless’ growth at of a rate of nearly 7,000 new users per week. Through Lumen’s global network visibility, Black Lotus Labs has identified the logical map of the Faceless proxy service, including a campaign that began in the first week of March 2024 that targeted over 6,000 ASUS routers in less than 72 hours. --------------------------------------------- https://blog.lumen.com/the-darkside-of-themoon/ ∗∗∗ Recent ‘MFA Bombing’ Attacks Targeting Apple Users ∗∗∗ --------------------------------------------- Several Apple customers recently reported being targeted in elaborate phishing attacks that involve what appears to be a bug in Apples password reset feature. In this scenario, a targets Apple devices are forced to display dozens of system-level prompts that prevent the devices from being used until the recipient responds "Allow" or "Dont Allow" to each prompt. [..] But the attackers in this campaign had an ace up their sleeves: Patel said after denying all of the password reset prompts from Apple, he received a call on his iPhone that said it was from Apple Support (the number displayed was 1-800-275-2273, Apple’s real customer support line). --------------------------------------------- https://krebsonsecurity.com/2024/03/recent-mfa-bombing-attacks-targeting-ap… ∗∗∗ Suspicious NuGet Package Harvesting Information From Industrial Systems ∗∗∗ --------------------------------------------- A suspicious NuGet package likely targets developers working with technology from Chinese firm Bozhon. --------------------------------------------- https://www.securityweek.com/suspicious-nuget-package-harvesting-informatio… ∗∗∗ Agenda Ransomware Propagates to vCenters and ESXi via Custom PowerShell Script ∗∗∗ --------------------------------------------- This blog entry discusses the Agenda ransomware groups use of its latest Rust variant to propagate to VMWare vCenter and ESXi servers. --------------------------------------------- https://www.trendmicro.com/en_us/research/24/c/agenda-ransomware-propagates… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (kernel), Debian (firefox-esr), Fedora (webkitgtk), Mageia (curaengine & blender and gnutls), Red Hat (firefox, grafana, grafana-pcp, libreoffice, nodejs:18, and thunderbird), SUSE (glade), and Ubuntu (crmsh, debian-goodies, linux-aws, linux-aws-6.5, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-oracle, linux-azure, linux-azure-5.4, linux-oracle, linux-oracle-5.15, pam, and thunderbird). --------------------------------------------- https://lwn.net/Articles/966678/ ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2024-0002 ∗∗∗ --------------------------------------------- Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. CVE identifiers: CVE-2024-23252, CVE-2024-23254,CVE-2024-23263, CVE-2024-23280,CVE-2024-23284, CVE-2023-42950,CVE-2023-42956, CVE-2023-42843. --------------------------------------------- https://webkitgtk.org/security/WSA-2024-0002.html ∗∗∗ macOS 14.4.1 mit jeder Menge Bugfixes – Sicherheitshintergründe zu iOS 17.4.1 ∗∗∗ --------------------------------------------- Apple hat am Montagabend ein weiteres Update für macOS 14 veröffentlicht. Es behebt diverse Fehler. Parallel gibt es Infos zu iOS 17.4.1 und dessen Fixes. --------------------------------------------- https://heise.de/-9666170 ∗∗∗ Loadbalancer: Sicherheitslücken in Loadmaster von Progress/Kemp ∗∗∗ --------------------------------------------- In der Loadbalancer-Software Loadmaster von Progress/Kemp klaffen Sicherheitslücken, durch die Angreifer etwa Befehle einschleusen können. --------------------------------------------- https://heise.de/-9666253 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Siemens: SSB-201698 V1.0: Risk for Denial of Service attack through Discovery and Basic Configuration Protocol (DCP) communication functionality ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssb-201698.html ∗∗∗ Rockwell Automation FactoryTalk View ME ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-086-04 ∗∗∗ Rockwell Automation PowerFlex 527 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-086-02 ∗∗∗ Rockwell Automation Arena Simulation ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-086-03 ∗∗∗ Automation-Direct C-MORE EA9 HMI ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-086-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.03.2024
by Daily end-of-shift report 25 Mar '24

25 Mar '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 22-03-2024 18:00 − Montag 25-03-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ New ZenHammer memory attack impacts AMD Zen CPUs ∗∗∗ --------------------------------------------- Academic researchers developed ZenHammer, the first variant of the Rowhammer DRAM attack that works on CPUs based on recent AMD Zen microarchitecture that map physical addresses on DDR4 and DDR5 memory chips. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-zenhammer-memory-attack-… ∗∗∗ New MFA-bypassing phishing kit targets Microsoft 365, Gmail accounts ∗∗∗ --------------------------------------------- Cybercriminals have been increasingly using a new phishing-as-a-service (PhaaS) platform named Tycoon 2FA to target Microsoft 365 and Gmail accounts and bypass two-factor authentication (2FA) protection. [..] In 2024, Tycoon 2FA released a new version that is stealthier, indicating a continuous effort to improve the kit. Currently, the service leverages 1,100 domains and has been observed in thousands of phishing attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-mfa-bypassing-phishing-k… ∗∗∗ Hackers Hijack GitHub Accounts in Supply Chain Attack Affecting Top-gg and Others ∗∗∗ --------------------------------------------- Unidentified adversaries orchestrated a sophisticated attack campaign that has impacted several individual developers as well as the GitHub organization account associated with Top.gg, a Discord bot discovery site. [..] The software supply chain attack is said to have led to the theft of sensitive information, including passwords, credentials, and other valuable data. --------------------------------------------- https://thehackernews.com/2024/03/hackers-hijack-github-accounts-in.html ∗∗∗ New Go loader pushes Rhadamanthys stealer ∗∗∗ --------------------------------------------- A malicious ad for the popular admin tool PuTTY leads victims to a fake site that downloads malware. --------------------------------------------- https://www.malwarebytes.com/blog/threat-intelligence/2024/03/new-go-loader… ∗∗∗ Phishing mit gefälschten Rechnungen von Anwaltskanzleien ∗∗∗ --------------------------------------------- Laut BlueVoyant geben sich die Angreifer als Anwaltskanzleien aus und missbrauchen das Vertrauen, das ihre Opfer "seriösen" Juristen entgegenbringen. [..] Die NaurLegal-Kampagne täuscht Legitimität vor, indem sie PDF-Dateien mit seriös anmutenden Dateinamen wie „Rechnung_[Nummer]_von_[Name der Anwaltskanzlei].pdf“ erstellt und versendet. [..] Die Infrastruktur der NaurLegal-Kampagne umfasst Domänen, die mit WikiLoader verknüpft sind und deren Folgeaktivitäten auf eine Zuordnung zu dieser Malware-Familie schließen lassen. WikiLoader ist bekannt für ausgefeilte Verschleierungstechniken, wie z. B. die Überprüfung von Wikipedia-Antworten auf bestimmte Zeichenfolgen, um Sandbox-Umgebungen zu umgehen. --------------------------------------------- https://www.zdnet.de/88414996/phishing-mit-gefaelschten-rechnungen-von-anwa… ∗∗∗ CISA and FBI Release Secure by Design Alert to Urge Manufacturers to Eliminate SQL Injection Vulnerabilities ∗∗∗ --------------------------------------------- Today, CISA and the Federal Bureau of Investigation (FBI) released a joint Secure by Design Alert, Eliminating SQL Injection Vulnerabilities in Software. This Alert was crafted in response to a recent, well-publicized exploitation of SQL injection (SQLi) defects in a managed file transfer application that impacted thousands of organizations. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/03/25/cisa-and-fbi-release-sec… ∗∗∗ APT29 Uses WINELOADER to Target German Political Parties ∗∗∗ --------------------------------------------- In late February, APT29 used a new backdoor variant publicly tracked as WINELOADER to target German political parties with a CDU-themed lure. This is the first time we have seen this APT29 cluster target political parties, indicating a possible area of emerging operational focus beyond the typical targeting of diplomatic missions. Based on the SVR’s responsibility to collect political intelligence and this APT29 cluster’s historical targeting patterns, we judge this activity to present a broad threat to European and other Western political parties from across the political spectrum. --------------------------------------------- https://www.mandiant.com/resources/blog/apt29-wineloader-german-political-p… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (cacti, firefox-esr, freeipa, gross, libnet-cidr-lite-perl, python2.7, python3.7, samba, and thunderbird), Fedora (amavis, chromium, clojure, firefox, gnutls, kubernetes, and tcpreplay), Mageia (freeimage, libreswan, nodejs-hawk, and python, python3), Oracle (golang, nodejs, nodejs:16, and postgresql-jdbc), Slackware (emacs and mozilla), SUSE (dav1d, ghostscript, go1.22, indent, kernel, openvswitch, PackageKit, python-uamqp, rubygem-rack-1_4, shadow, ucode-intel, xen, and zziplib), and Ubuntu (firefox, graphviz, libnet-cidr-lite-perl, and qpdf). --------------------------------------------- https://lwn.net/Articles/966611/ ∗∗∗ Firefox: Notfall-Update schließt kritische Sicherheitslücken ∗∗∗ --------------------------------------------- Die Mozilla-Entwickler haben zwei kritische Sicherheitslücken mit dem Update auf Firefox 124.0.1 und Firefox ESR 115.9.1 geschlossen. --------------------------------------------- https://heise.de/-9664148 ∗∗∗ Sicherheitslücken in Microsofts WiX-Installer-Toolset gestopft ∗∗∗ --------------------------------------------- Das quelloffene WiX-Installer-Toolset von Microsoft hat zwei Sicherheitslücken. Die dichten aktualisierte Versionen ab. --------------------------------------------- https://heise.de/-9664602 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ MISP 2.4.188 released major performance improvements and many bugs fixed. ∗∗∗ --------------------------------------------- https://www.misp-project.org/2024/03/25/MISP.2.4.188.released.html/ ∗∗∗ MISP 2.4.187 released with security fixes, new features and bugs fixes. ∗∗∗ --------------------------------------------- https://www.misp-project.org/2024/03/24/MISP.2.4.187.released.html/ ∗∗∗ Tenable: [R1] Stand-alone Security Patch Available for Tenable Security Center versions 5.23.1, 6.1.1, 6.2.0 and 6.2.1: SC-202403.1 ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2024-06 ∗∗∗ F5: K000138990 : BIND vulnerability CVE-2023-4408 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000138990 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.03.2024
by Daily end-of-shift report 22 Mar '24

22 Mar '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 21-03-2024 18:00 − Freitag 22-03-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Windows 11, Tesla, and Ubuntu Linux hacked at Pwn2Own Vancouver ∗∗∗ --------------------------------------------- On the first day of Pwn2Own Vancouver 2024, contestants demoed 19 zero-day vulnerabilities in Windows 11, Tesla, Ubuntu Linux and other devices and software to win $732,500 and a Tesla Model 3 car. --------------------------------------------- https://www.bleepingcomputer.com/news/security/windows-11-tesla-and-ubuntu-… ∗∗∗ Darknet marketplace Nemesis Market seized by German police ∗∗∗ --------------------------------------------- The German police have seized infrastructure for the darknet Nemesis Market cybercrime marketplace in Germany and Lithuania, disrupting the sites operation. --------------------------------------------- https://www.bleepingcomputer.com/news/security/darknet-marketplace-nemesis-… ∗∗∗ Mit gefälschten Keycards: Hacker können weltweit Millionen von Hoteltüren öffnen ∗∗∗ --------------------------------------------- Mehr als drei Millionen Türen in Hotels und Mehrfamilienhäusern sind anfällig für Angriffe mit gefälschten RFID-Schlüsselkarten. Teure Spezialausrüstung braucht es dafür nicht. --------------------------------------------- https://www.golem.de/news/mit-gefaelschten-keycards-hacker-koennen-weltweit… ∗∗∗ Whois "geofeed" Data, (Thu, Mar 21st) ∗∗∗ --------------------------------------------- Attributing a particular IP address to a specific location is hard and often fails miserably. --------------------------------------------- https://isc.sans.edu/diary/rss/30766 ∗∗∗ Unterstützungsmail im Namen von Marlene Engelhorn ist Fake! ∗∗∗ --------------------------------------------- Derzeit kursieren zahlreiche E-Mails im Namen der österreichischen Millionärin Marlene Engelhorn: Angeblich will sie mit einem Teil ihres Erbes „aufstrebende Unternehmer und lokale Projekte“ unterstützen. Achtung: Hinter dieser E-Mail stecken Kriminelle. Antworten Sie daher auf keinen Fall. --------------------------------------------- https://www.watchlist-internet.at/news/fake-marlene-engelhorn/ ∗∗∗ Large-Scale StrelaStealer Campaign in Early 2024 ∗∗∗ --------------------------------------------- We unravel the details of two large-scale StrelaStealer campaigns from 2023 and 2024. This email credential stealer has a new variant delivered through zipped JScript. --------------------------------------------- https://unit42.paloaltonetworks.com/strelastealer-campaign/ ∗∗∗ “Pig butchering” is an evolution of a social engineering tactic we’ve seen for years ∗∗∗ --------------------------------------------- In the case of pig butchering scams, it’s not really anything that can be solved by a cybersecurity solution or sold in a package. --------------------------------------------- https://blog.talosintelligence.com/threat-source-newsletter-march-21-2024/ ∗∗∗ Sicherheit contra Offenheit – ein Kommentar zu Secure Boot ∗∗∗ --------------------------------------------- Secure Boot ist kompliziert, frickelig und wird von Microsoft dominiert. Stattdessen brauchen wir offene sichere Systeme, meint Christof Windeck. --------------------------------------------- https://heise.de/-9659071 ===================== = Vulnerabilities = ===================== ∗∗∗ KDE advises extreme caution after theme wipes Linux users files ∗∗∗ --------------------------------------------- On Wednesday, the KDE team warned Linux users to exercise "extreme caution" when installing global themes, even from the official KDE Store, because these themes run arbitrary code on devices to customize the desktops appearance. --------------------------------------------- https://www.bleepingcomputer.com/news/linux/kde-advises-extreme-caution-aft… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr, pillow, and thunderbird), Fedora (apptainer, chromium, ovn, and webkitgtk), Mageia (apache-mod_auth_openidc, ffmpeg, fontforge, libuv, and nodejs-tough-cookie), Oracle (kernel, libreoffice, postgresql-jdbc, ruby:3.1, squid, and squid:4), Red Hat (go-toolset:rhel8 and libreoffice), SUSE (firefox, jbcrypt, trilead-ssh2, jsch-agent-proxy, kernel, tiff, and zziplib), and Ubuntu (linux-aws and openssl1.0). --------------------------------------------- https://lwn.net/Articles/966415/ ∗∗∗ Bringing Access Back — Initial Access Brokers Exploit F5 BIG-IP (CVE-2023-46747) and ScreenConnect ∗∗∗ --------------------------------------------- During the course of an intrusion investigation in late October 2023, Mandiant observed novel N-day exploitation of CVE-2023-46747 affecting F5 BIG-IP Traffic Management User Interface. Additionally, in February 2024, we observed exploitation of Connectwise ScreenConnect CVE-2024-1709 by the same actor. --------------------------------------------- https://www.mandiant.com/resources/blog/initial-access-brokers-exploit-f5-s… ∗∗∗ Microsoft schließt Sicherheitslücke in Xbox-Gaming-Dienst – nach Hickhack ∗∗∗ --------------------------------------------- Microsoft hat ein Sicherheitsleck im Xbox Gaming Service abgedichtet. Dem ging jedoch eine Diskussion voraus. --------------------------------------------- https://heise.de/-9662746 ∗∗∗ Kritische Sicherheitslücke in FortiClientEMS wird angegriffen ∗∗∗ --------------------------------------------- Eine kritische Schwachstelle in FortiClientEMS wird inzwischen aktiv angegriffen. Zudem ist ein Proof-of-Concept-Exploit öffentlich geworden. --------------------------------------------- https://heise.de/-9662866 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.03.2024
by Daily end-of-shift report 21 Mar '24

21 Mar '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 20-03-2024 18:00 − Donnerstag 21-03-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Unpatchable vulnerability in Apple chip leaks secret encryption keys ∗∗∗ --------------------------------------------- A newly discovered vulnerability baked into Apple’s M-series of chips allows attackers to extract secret keys from Macs when they perform widely used cryptographic operations, academic researchers have revealed in a paper published Thursday. --------------------------------------------- https://arstechnica.com/?p=2011812 ∗∗∗ Spa Grand Prix email account hacked to phish banking info from fans ∗∗∗ --------------------------------------------- Hackers hijacked the official contact email for the Belgian Grand Prix event and used it to lure fans to a fake website promising a €50 gift voucher. --------------------------------------------- https://www.bleepingcomputer.com/news/security/spa-grand-prix-email-account… ∗∗∗ Evasive Sign1 malware campaign infects 39,000 WordPress sites ∗∗∗ --------------------------------------------- A previously unknown malware campaign called Sign1 has infected over 39,000 websites over the past six months, causing visitors to see unwanted redirects and popup ads. [..] While Sucuri's client was breached through a brute force attack, Sucuri has not shared how the other detected sites were compromised. However, based on previous WordPress attacks, it probably involves a combination of brute force attacks and exploiting plugin vulnerabilities to gain access to the site. --------------------------------------------- https://www.bleepingcomputer.com/news/security/evasive-sign1-malware-campai… ∗∗∗ AndroxGh0st Malware Targets Laravel Apps to Steal Cloud Credentials ∗∗∗ --------------------------------------------- Cybersecurity researchers have shed light on a tool referred to as AndroxGh0st thats used to target Laravel applications and steal sensitive data. [..] Earlier this January, U.S. cybersecurity and intelligence agencies warned of attackers deploying the AndroxGh0st malware to create a botnet for "victim identification and exploitation in target networks." --------------------------------------------- https://thehackernews.com/2024/03/androxgh0st-malware-targets-laravel.html ∗∗∗ Vulnerability Allowed One-Click Takeover of AWS Service Accounts ∗∗∗ --------------------------------------------- The vulnerability, named FlowFixation by Tenable, has been patched by AWS and it can no longer be exploited, but the security company pointed out that its research uncovered a wider problem that may again emerge in the future. --------------------------------------------- https://www.securityweek.com/vulnerability-allowed-one-click-takeover-of-aw… ∗∗∗ Betrügerische Europol-SMS führt zu Schadsoftware ∗∗∗ --------------------------------------------- In der massenhaft verschickten, betrügerischen SMS wird behauptet, dass Sie als Beteiligter in einem EUROPOL-Fall geführt werden. Um Einspruch zu erheben, sollen Sie eine App installieren. Vorsicht – Sie installieren Schadsoftware auf Ihrem Gerät und geben Kriminellen Zugang zu Ihren Daten! --------------------------------------------- https://www.watchlist-internet.at/news/fake-europol-sms/ ∗∗∗ Curious Serpens’ FalseFont Backdoor: Technical Analysis, Detection and Prevention ∗∗∗ --------------------------------------------- Curious Serpens (aka Peach Sandstorm) is a known espionage group that has previously targeted the aerospace and energy sectors. FalseFont is the latest tool in Curious Serpens’ arsenal. The examples we analyzed show how the threat actors mimic legitimate human resources software, using a fake job recruitment process to trick victims into installing the backdoor. --------------------------------------------- https://unit42.paloaltonetworks.com/curious-serpens-falsefont-backdoor/ ∗∗∗ Rescoms rides waves of AceCryptor spam ∗∗∗ --------------------------------------------- Insight into ESET telemetry statistics about AceCryptor in H2 2023 with a focus on Rescoms campaigns in European countries. --------------------------------------------- https://www.welivesecurity.com/en/eset-research/rescoms-rides-waves-acecryp… ∗∗∗ Warning Against Infostealer Disguised as Installer ∗∗∗ --------------------------------------------- The StealC malware disguised as an installer is being distributed en masse. It was identified as being downloaded via Discord, GitHub, Dropbox, etc. Considering the cases of distribution using similar routes, it is expected to redirect victims multiple times from a malicious webpage disguised as a download page for a certain program to the download URL. StealC is an Infostealer that extorts a variety of key information such as system, browser, cryptocurrency wallet, Discord, Telegram, and mail client data. --------------------------------------------- https://asec.ahnlab.com/en/63308/ ∗∗∗ New details on TinyTurla’s post-compromise activity reveal full kill chain ∗∗∗ --------------------------------------------- We now have new information on the entire kill chain this actor uses, including the tactics, techniques and procedures (TTPs) utilized to steal valuable information from their victims and propagate through their infected enterprises. --------------------------------------------- https://blog.talosintelligence.com/tinyturla-full-kill-chain/ ∗∗∗ The Updated APT Playbook: Tales from the Kimsuky threat actor group ∗∗∗ --------------------------------------------- In this blog we will detail new techniques that we have observed used by this actor group over the recent months. We believe that sharing these evolving techniques gives defenders the latest insights into measures required to protect their assets. --------------------------------------------- https://www.rapid7.com/blog/post/2024/03/20/the-updated-apt-playbook-tales-… ∗∗∗ CISA, FBI, and MS-ISAC Release Update to Joint Guidance on Distributed Denial-of-Service Techniques ∗∗∗ --------------------------------------------- Today, CISA, the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released an updated joint guide, Understanding and Responding to Distributed Denial-Of-Service Attacks, to address the specific needs and challenges faced by organizations in defending against DDoS attacks. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/03/21/cisa-fbi-and-ms-isac-rel… ===================== = Vulnerabilities = ===================== ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (March 11, 2024 to March 17, 2024) ∗∗∗ --------------------------------------------- Last week, there were 159 vulnerabilities disclosed in 123 WordPress Plugins and 1 WordPress Theme that have been added to the Wordfence Intelligence Vulnerability Database, and there were 68 Vulnerability Researchers that contributed to WordPress Security last week. --------------------------------------------- https://www.wordfence.com/blog/2024/03/wordfence-intelligence-weekly-wordpr… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (pdns-recursor and php-dompdf-svg-lib), Fedora (grub2, libreswan, rubygem-yard, and thunderbird), Mageia (libtiff and python-scipy), Red Hat (golang, nodejs, and nodejs:16), Slackware (python3), and Ubuntu (linux, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux, linux-azure, linux-gcp, linux-gcp-6.5, linux-hwe-6.5, linux-lowlatency, linux-lowlatency-hwe-6.5, linux-oem-6.5, linux-oracle, linux-oracle-6.5, linux-raspi, linux-starfive, linux-starfive-6.5, linux-aws, linux-aws-5.15, linux-aws, linux-aws-5.4, linux-gcp-5.4, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux-gcp, linux-gcp-4.15, linux-kvm, linux-laptop, linux-oem-6.1, and linux-raspi). --------------------------------------------- https://lwn.net/Articles/966246/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Advantech WebAccess/SCADA ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-081-01 ∗∗∗ F5: K000138966 : Intel Xeon CPU vulnerability CVE-2023-23908 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000138966 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.03.2024
by Daily end-of-shift report 20 Mar '24

20 Mar '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 19-03-2024 18:00 − Mittwoch 20-03-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Misconfigured Firebase instances leaked 19 million plaintext passwords ∗∗∗ --------------------------------------------- Three cybersecurity researchers discovered close to 19 million plaintext passwords exposed on the public internet by misconfigured instances of Firebase, a Google platform for hosting databases, cloud computing, and app development. --------------------------------------------- https://www.bleepingcomputer.com/news/security/misconfigured-firebase-insta… ∗∗∗ Android malware, Android malware and more Android malware ∗∗∗ --------------------------------------------- In this report, we share our latest Android malware findings: the Tambir spyware, Dwphon downloader and Gigabud banking Trojan. --------------------------------------------- https://securelist.com/crimeware-report-android-malware/112121/ ∗∗∗ Scans for Fortinet FortiOS and the CVE-2024-21762 vulnerability, (Wed, Mar 20th) ∗∗∗ --------------------------------------------- Late last week, an exploit surfaced on GitHub for CVE-2024-21762. This vulnerability affects Fortinet's FortiOS. A patch was released on February 8th. Owners of affected devices had over a month to patch. --------------------------------------------- https://isc.sans.edu/diary/rss/30762 ∗∗∗ Phishing im Namen der Österreichischen Gesundheitskasse ÖGK ∗∗∗ --------------------------------------------- Nehmen Sie sich vor betrügerischen E-Mails in Acht, die Sie im Namen der Österreichischen Gesundheitskasse ÖGK erhalten. Aktuell spielt man Ihnen vor, dass es eine ausstehende Rückerstattung für Sie gibt. Folgen Sie hier keinen Links und geben Sie keine Daten bekannt. Man versucht Ihnen Geld und Daten zu stehlen! --------------------------------------------- https://www.watchlist-internet.at/news/phishing-gesundheitskasse-oegk/ ∗∗∗ Gotta Hack ‘Em All: Pokémon passwords reset after attack ∗∗∗ --------------------------------------------- Are you using the same passwords in multiple places online? Well, stop. Stop right now. And make sure that youve told your friends and family to stop being reckless too. --------------------------------------------- https://www.bitdefender.com/blog/hotforsecurity/gotta-hack-em-all-pokemon-p… ∗∗∗ A prescription for privacy protection: Exercise caution when using a mobile health app ∗∗∗ --------------------------------------------- Given the unhealthy data-collection habits of some mHealth apps, you’re well advised to tread carefully when choosing with whom you share some of your most sensitive data. --------------------------------------------- https://www.welivesecurity.com/en/privacy/prescription-privacy-protection-e… ∗∗∗ Loop DoS: Verschiedene Netzwerkdienste leiden unter Protokoll-Endlosschleife ∗∗∗ --------------------------------------------- Unter den Diensten, die Sicherheitsforscher als Gefahr identifiziert haben, sind auch solche aus der Frühzeit des Internets. Nun sind Netzwerk-Admins gefragt. --------------------------------------------- https://heise.de/-9660179 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (fontforge and imagemagick), Fedora (firefox), Mageia (cherrytree, python-django, qpdf, and sqlite3), Red Hat (bind, cups, emacs, fwupd, gmp, kernel, libreoffice, libX11, nodejs, opencryptoki, postgresql-jdbc, postgresql:10, postgresql:13, and ruby:3.1), Slackware (gnutls and mozilla), and Ubuntu (firefox, linux, linux-bluefield, linux-gcp, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-oracle, linux-oracle-5.4, [...] --------------------------------------------- https://lwn.net/Articles/966053/ ∗∗∗ Netgear wireless router open to code execution after buffer overflow vulnerability ∗∗∗ --------------------------------------------- There is also a newly disclosed vulnerability in a graphics driver for some NVIDIA GPUs that could lead to a memory leak. --------------------------------------------- https://blog.talosintelligence.com/vulnerability-roundup-march-20-2024/ ∗∗∗ Atlassian: Patch-Reigen im März für Bamboo, Bitbucket, Confluence und Jira ∗∗∗ --------------------------------------------- Atlassian behandelt 25 Sicherheitslücken in Bamboo, Bitbucket, Confluence und Jira. Eine davon gilt als kritisch. --------------------------------------------- https://heise.de/-9660075 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Command Injection in Bosch Network Synchronizer ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-152190-bt.html ∗∗∗ Security Update for Ivanti Neurons for ITSM ∗∗∗ --------------------------------------------- https://www.ivanti.com/blog/security-update-for-ivanti-neurons-for-itsm ∗∗∗ Security Update for Ivanti Standalone Sentry ∗∗∗ --------------------------------------------- https://www.ivanti.com/blog/security-update-for-ivanti-standalone-sentry ∗∗∗ Webbrowser Chrome: Google dichtet mehrere Sicherheitslecks ab ∗∗∗ --------------------------------------------- https://heise.de/-9659978 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.03.2024
by Daily end-of-shift report 19 Mar '24

19 Mar '24

===================== = End-of-Day report = ===================== Timeframe: Montag 18-03-2024 18:00 − Dienstag 19-03-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ New AcidPour data wiper targets Linux x86 network devices ∗∗∗ --------------------------------------------- A new destructive malware named AcidPour was spotted in the wild, featuring data-wiper functionality and targeting Linux x86 IoT and networking devices. [..] AcidPour shares many similarities with AcidRain, such as targeting specific directories and device paths common in embedded Linux distributions, but their codebase overlaps by an estimated 30%. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-acidpour-data-wiper-targ… ∗∗∗ Turnier verschoben: Mögliche RCE-Schwachstelle bedroht Apex-Legends-Spieler ∗∗∗ --------------------------------------------- Der weitverbreitete Free-to-play-Shooter Apex Legends steht derzeit im Verdacht, unter einer Sicherheitslücke zu leiden, die es Angreifern ermöglicht, aus der Ferne die Kontrolle über die Computer der Spieler zu übernehmen. Ob die Schwachstelle das Spiel selbst oder dessen Anti-Cheat-Software betrifft, ist wohl noch unklar. --------------------------------------------- https://www.golem.de/news/turnier-verschoben-moegliche-rce-schwachstelle-be… ∗∗∗ ARM MTE: Androids Hardwareschutz gegen Speicherlücken umgehbar ∗∗∗ --------------------------------------------- Mit dem Memory-Tagging moderner ARM-CPUs soll das Potenzial bestimmter Sicherheitslücken verkleinert werden. Die Idee hat deutliche Grenzen. Das Security-Forschungsteam des Code-Hosters Github hat die Ausnutzung einer Speicherlücke beschrieben, bei der der dafür eigentlich vorgesehene Schutz, das Memory-Tagging, offenbar gar keine Rolle spielt. Den Beteiligten ist es demnach gelungen, eine Sicherheitslücke in ARMs GPU-Treiber, die vollen Kernelzugriff und das Erlangen von Root-Rechten ermöglicht, auch auf einem aktuellen Pixel 8 auszunutzen, auf dem die sogenannten Memory Tagging Extension (MTE) aktiviert ist. --------------------------------------------- https://www.golem.de/news/arm-mte-androids-hardwareschutz-gegen-speicherlue… ∗∗∗ Threat landscape for industrial automation systems. H2 2023 ∗∗∗ --------------------------------------------- Kaspersky ICS CERT shares industrial threat statistics for H2 2023: most commonly detected malicious objects, threat sources, threat landscape by industry and region. --------------------------------------------- https://securelist.com/threat-landscape-for-industrial-automation-systems-h… ∗∗∗ Attacker Hunting Firewalls, (Tue, Mar 19th) ∗∗∗ --------------------------------------------- The competition for freshly deployed vulnerable devices, or devices not patched for the latest greatest vulnerability, is immense. Your success in the ransomware or access broker ecosystem depends on having a consistently updated list of potential victims. As a result, certain IP addresses routinely scan the internet for specific types of vulnerabilities. One such example is 77.90.185.152. This IP address has been scanning for a different vulnerability each day. --------------------------------------------- https://isc.sans.edu/diary/rss/30758 ∗∗∗ New DEEP#GOSU Malware Campaign Targets Windows Users with Advanced Tactics ∗∗∗ --------------------------------------------- A new elaborate attack campaign has been observed employing PowerShell and VBScript malware to infect Windows systems and harvest sensitive information. [..] A notable aspect of the infection procedure is that it leverages legitimate services such as Dropbox or Google Docs for command-and-control (C2), thus allowing the threat actor to blend undetected into regular network traffic. [..] The starting point is said to be a malicious email attachment containing a ZIP archive with a rogue shortcut file (.LNK) that masquerades as a PDF file ("IMG_20240214_0001.pdf.lnk"). --------------------------------------------- https://thehackernews.com/2024/03/new-deepgosu-malware-campaign-targets.html ∗∗∗ Unit 42 Collaborative Research With Ukraine’s Cyber Agency To Uncover the Smoke Loader Backdoor ∗∗∗ --------------------------------------------- This article announces the publication of our first collaborative effort with the State Cyber Protection Centre of the State Service of Special Communications and Information Protection of Ukraine (SCPC SSSCIP). This collaborative research focuses on recent Smoke Loader malware activity observed throughout Ukraine from May to November 2023 from a group the CERT-UA designates as UAC-0006. --------------------------------------------- https://unit42.paloaltonetworks.com/unit-42-scpc-ssscip-uncover-smoke-loade… ∗∗∗ Claroty-Report: Zahlreiche Schwachstellen in medizinischen Netzwerken und Geräten ∗∗∗ --------------------------------------------- Sicherheitsanbieter Claroty hat sein Team82, eine Forschungseinheit von Claroty, auf das Thema Sicherheit im Medizinbereich, bezogen auf Geräte und Netzwerke, angesetzt, um die Auswirkungen der zunehmenden Vernetzung medizinischer Geräte zu untersuchen. Ziel des Berichts ist es, die umfassende Konnektivität kritischer medizinischer Geräte – von bildgebenden Systemen bis hin zu Infusionspumpen – aufzuzeigen und die damit verbundenen Risiken zu beleuchten. [..] Das erschreckende Ergebnis: Im Rahmen der Untersuchungen von Team82 tauchen häufig Schwachstellen und Implementierungsfehler auf. --------------------------------------------- https://www.borncity.com/blog/2024/03/19/claroty-report-zahlreiche-schwachs… ∗∗∗ Jenkins Args4j CVE-2024-23897: Files Exposed, Code at Risk ∗∗∗ --------------------------------------------- Jenkins, a popular open-source automation server, was discovered to be affected by a file read vulnerability, CVE-2024-23897. [..] Given its high severity we would like to emphasize the need for swift measures to secure Jenkins installations. [..] Jenkins patched CVE-2024-23897 in versions 2.442 and LTS 2.426.3 by disabling the problematic command parser feature. --------------------------------------------- https://www.trendmicro.com/en_us/research/24/c/cve-2024-23897.html ===================== = Vulnerabilities = ===================== ∗∗∗ CVE-2024-1212: Unauthenticated Command Injection In Progress Kemp LoadMaster ∗∗∗ --------------------------------------------- LoadMaster is a load balancer and application delivery controller. Exploiting this vulnerability enables command execution on the LoadMaster if you have access to the administrator web user interface. Once command execution is obtained, it is possible to escalate privileges to root from the default admin “bal” user by abusing sudo entries, granting full control of the device. A proof of concept exploit is available in our CVE GitHub repository. --------------------------------------------- https://rhinosecuritylabs.com/research/cve-2024-1212unauthenticated-command… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (cacti, postgresql-11, and zfs-linux), Fedora (freeimage, mingw-expat, and mingw-freeimage), Mageia (apache-mod_security-crs, expat, and multipath-tools), Oracle (.NET 7.0 and kernel), Red Hat (kernel, kernel-rt, and kpatch-patch), and Ubuntu (bash, kernel, linux, linux-aws, linux-hwe, linux-kvm, linux-oracle, linux, linux-aws, linux-kvm, linux-lts-xenial, and vim). --------------------------------------------- https://lwn.net/Articles/965958/ ∗∗∗ RaspberryMatic: Kritische Lücke erlaubt Codeschmuggel ∗∗∗ --------------------------------------------- Im freien HomeMatic-Server RaspberryMatic klafft eine Codeschmuggel-Lücke. Sie gilt als kritisch. Ein Update steht bereit. --------------------------------------------- https://heise.de/-9658709 ∗∗∗ Sicherheitsupdates für Firefox und Thunderbird ∗∗∗ --------------------------------------------- Mozilla dichtet zahlreiche Sicherheitslücken im Webbrowser Firefox und Mailer Thunderbird ab. --------------------------------------------- https://heise.de/-9659433 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Franklin Fueling System EVO 550/5000 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-079-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.03.2024
by Daily end-of-shift report 18 Mar '24

18 Mar '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 15-03-2024 18:00 − Montag 18-03-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ New acoustic attack determines keystrokes from typing patterns ∗∗∗ --------------------------------------------- Researchers have demonstrated a new acoustic side-channel attack on keyboards that can deduce user input based on their typing patterns, even in poor conditions, such as environments with noise. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-acoustic-attack-determin… ∗∗∗ Hackers Using Sneaky HTML Smuggling to Deliver Malware via Fake Google Sites ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered a new malware campaign that leverages bogus Google Sites pages and HTML smuggling to distribute a commercial malware called AZORult in order to facilitate information theft. --------------------------------------------- https://thehackernews.com/2024/03/hackers-using-sneaky-html-smuggling-to.ht… ∗∗∗ Opening Pandora’s box - Supply Chain Insider Threats in Open Source projects ∗∗∗ --------------------------------------------- Granting repository "Write" access in an Open Source project is a high-stakes decision. We delve into the risks of insider threats, using a responsible disclosure for the AWS Karpenter project to demonstrate why strict safeguards are essential. --------------------------------------------- https://boostsecurity.io/blog/opening-pandora-box-supply-chain-insider-thre… ∗∗∗ Saisonale Betrugsmaschen: Vorsicht bei der Urlaubsbuchung! ∗∗∗ --------------------------------------------- Passend zur Jahreszeit, in der besonders viele Urlaubsbuchungen vorgenommen werden, veröffentlichen Kriminelle betrügerische Urlaubsbuchungsplattformen wie fincas-und-villen.com. Lassen Sie sich nicht von den günstigen Preisen und schönen Bildern blenden: Hier verlieren Sie Ihr Geld und enden im schlimmsten Fall ohne Unterkunft am Urlaubsziel. --------------------------------------------- https://www.watchlist-internet.at/news/saisonale-betrugsmaschen-urlaubsbuch… ∗∗∗ Wie OAuth-Anwendungen über Tenant-Grenzen schützen/detektieren? ∗∗∗ --------------------------------------------- Es ist eine Frage, die sich wohl jeder Sicherheitsverantwortliche stellt, wenn es um die Cloud und den Zugriff auf Dienste mittels OAuth geht. Die Fragestellung: Wie lassen sich OAuth-Anwendungen über Tenant-Grenzen schützen/detektieren? Und wie kann man das mit Microsoft-Technologie erledigen. --------------------------------------------- https://www.borncity.com/blog/2024/03/17/wie-oauth-anwendungen-ber-tenant-g… ∗∗∗ Top things that you might not be doing (yet) in Entra Conditional Access – Advanced Edition ∗∗∗ --------------------------------------------- In this second part, we’ll go over more advanced security controls within Conditional Access that, in my experience, are frequently overlooked in environments during security assessments. --------------------------------------------- https://blog.nviso.eu/2024/03/18/top-things-that-you-might-not-be-doing-yet… ∗∗∗ Ethereum’s CREATE2: A Double-Edged Sword in Blockchain Security ∗∗∗ --------------------------------------------- Ethereum’s CREATE2 function is being exploited by attackers to compromise the security of digital wallets, bypassing traditional security measures and facilitating unauthorized access to funds. --------------------------------------------- https://research.checkpoint.com/2024/ethereums-create2-a-double-edged-sword… ===================== = Vulnerabilities = ===================== ∗∗∗ Hackers exploit Aiohttp bug to find vulnerable networks ∗∗∗ --------------------------------------------- The ransomware actor ShadowSyndicate was observed scanning for servers vulnerable to CVE-2024-23334, a directory traversal vulnerability in the aiohttp Python library. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-exploit-aiohttp-bug-… ∗∗∗ Two Bytes is Plenty: FortiGate RCE with CVE-2024-21762 ∗∗∗ --------------------------------------------- In this post we detail the steps we took to identify the patched vulnerability and produce a working exploit. --------------------------------------------- https://www.assetnote.io/resources/research/two-bytes-is-plenty-fortigate-r… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (curl, spip, and unadf), Fedora (chromium, iwd, opensc, openvswitch, python3.6, shim, shim-unsigned-aarch64, and shim-unsigned-x64), Mageia (batik, imagemagick, irssi, jackson-databind, jupyter-notebook, ncurses, and yajl), Oracle (.NET 7.0, .NET 8.0, and dnsmasq), Red Hat (postgresql:10), SUSE (chromium, kernel, openvswitch, python-rpyc, and tiff), and Ubuntu (openjdk-8). --------------------------------------------- https://lwn.net/Articles/965829/ ∗∗∗ PoC Published for Critical Fortra Code Execution Vulnerability ∗∗∗ --------------------------------------------- A critical directory traversal vulnerability in Fortra FileCatalyst Workflow could lead to remote code execution. --------------------------------------------- https://www.securityweek.com/poc-published-for-critical-fortra-code-executi… ∗∗∗ Kritische Sicherheitslücke CVE-2024-21762 in Fortinet FortiOS wird aktiv ausgenutzt ∗∗∗ --------------------------------------------- In unserer Warnung vom 09. Februar 2024 haben wir bereits über die Sicherheitslücken CVE-2024-21762 und CVE-2024-23113 berichtet und in Folge Besitzer:innen über die für die IP-Adressen hinterlegten Abuse-Kontakten informiert. CVE-2024-21762 wird seit kurzem nun aktiv ausgenutzt. Unauthentifizierte Angreifer:innen können auf betroffenen Geräten beliebigen Code ausführen. --------------------------------------------- https://cert.at/de/aktuelles/2024/3/kritische-sicherheitslucke-cve-2024-217… ∗∗∗ Spring Framework: Updates beheben neue, alte Sicherheitslücke ∗∗∗ --------------------------------------------- Nutzen Spring-basierte Anwendungen eine URL-Parsing-Funktion des Frameworks, öffnen sie sich für verschiedene Attacken. Nicht zum ersten Mal. --------------------------------------------- https://heise.de/-9657496 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Stack-based Overflow Vulnerability in the TrueViewTM Desktop Software ∗∗∗ --------------------------------------------- https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0006 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.03.2024
by Daily end-of-shift report 15 Mar '24

15 Mar '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 14-03-2024 18:00 − Freitag 15-03-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ SIM swappers hijacking phone numbers in eSIM attacks ∗∗∗ --------------------------------------------- SIM swappers have adapted their attacks to steal a targets phone number by porting it into a new eSIM card, a digital SIM stored in a rewritable chip present on many recent smartphone models. --------------------------------------------- https://www.bleepingcomputer.com/news/security/sim-swappers-hijacking-phone… ∗∗∗ StopCrypt: Most widely distributed ransomware now evades detection ∗∗∗ --------------------------------------------- A new variant of StopCrypt ransomware (aka STOP) was spotted in the wild, employing a multi-stage execution process that involves shellcodes to evade security tools. --------------------------------------------- https://www.bleepingcomputer.com/news/security/stopcrypt-most-widely-distri… ∗∗∗ 5Ghoul Revisited: Three Months Later, (Fri, Mar 15th) ∗∗∗ --------------------------------------------- About three months ago, I wrote about the implications and impacts of 5Ghoul in a previous diary. The 5Ghoul family of vulnerabilities could cause User Equipment (UEs) to be continuously exploited (e.g. dropping/freezing connections, which would require manual rebooting or downgrading a 5G connection to 4G) once they are connected to the malicious 5Ghoul gNodeB (gNB, or known as the base station in traditional cellular networks). Given the potential complexities in the realm of 5G mobile network modems used in a multitude of devices (such as mobile devices and 5G-enabled environments such as Industrial Internet-of-Things and IP cameras), I chose to give the situation a bit more time before revisiting the 5Ghoul vulnerability. --------------------------------------------- https://isc.sans.edu/diary/rss/30746 ∗∗∗ Third-Party ChatGPT Plugins Could Lead to Account Takeovers ∗∗∗ --------------------------------------------- Cybersecurity researchers have found that third-party plugins available for OpenAI ChatGPT could act as a new attack surface for threat actors looking to gain unauthorized access to sensitive data. According to new research published by Salt Labs, security flaws found directly in ChatGPT and within the ecosystem could allow attackers to install malicious plugins without users' consent and hijack accounts on third-party websites like GitHub. --------------------------------------------- https://thehackernews.com/2024/03/third-party-chatgpt-plugins-could-lead.ht… ∗∗∗ Vorsicht vor Abo-Falle auf produktretter.at! ∗∗∗ --------------------------------------------- Einmal registrieren und schon erhalten Sie hochwertige und voll funktionsfähige Produkte, die andere retourniert haben. Es fallen lediglich Versandkosten von maximal 2,99 Euro an. Klingt zu schön, um wahr zu sein? Ist es auch. Denn Seiten wie produktretter.at, produkttest-anmeldung.com oder retourenheld.io locken in eine Abo-Falle. Die versprochenen Produkte kommen nie an. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-abo-falle-auf-produktre… ∗∗∗ Inside the Rabbit Hole: BunnyLoader 3.0 Unveiled ∗∗∗ --------------------------------------------- We analyze recent samples of BunnyLoader 3.0 to illuminate this malware’s evolved and upscaled capabilities, including its new downloadable module system. --------------------------------------------- https://unit42.paloaltonetworks.com/analysis-of-bunnyloader-malware/ ∗∗∗ How to share sensitive files securely online ∗∗∗ --------------------------------------------- Here are a few tips for secure file transfers and what else to consider when sharing sensitive documents so that your data remains safe. --------------------------------------------- https://www.welivesecurity.com/en/how-to/share-sensitive-files-securely-onl… ∗∗∗ The LockBit story: Why the ransomware affiliate model can turn takedowns into disruptions ∗∗∗ --------------------------------------------- Talos explores the recent law enforcement takedown of LockBit, a prolific ransomware group that claimed to resume their operations 7 days later. --------------------------------------------- https://blog.talosintelligence.com/ransomware-affiliate-model/ ∗∗∗ Zwei Backdoors in Ivanti-Appliances analysiert ∗∗∗ --------------------------------------------- Anfang 2024 wurden die Pulse Secure Appliances von Ivanti durch die damals gemeldeten Schwachstellen CVE-2023-46805 und CVE-2024-21887 weiträumig ausgenutzt. Zwei Exemplare dieser Backdoors haben Sicherheitsforscher jetzt ausführlich beschrieben. --------------------------------------------- https://heise.de/-9656137 ∗∗∗ Sicherheitsforscher genervt: Lücken-Datenbank NVD seit Wochen unvollständig ∗∗∗ --------------------------------------------- Die von der US-Regierung betriebene Datenbank reichert im CVE-System gemeldete Sicherheitslücken mit wichtigen Metadaten an. Das blieb seit Februar aus. [..] Von über 2.200 seit 15. Februar veröffentlichten Sicherheitslücken mit CVE-ID sind lediglich 59 mit Metadaten versehen, 2.152 liegen brach. [..] Darüber, wie sie die Tausenden offenen Sicherheitslücken abarbeiten will und vor allem, wann sie ihre Arbeit wieder aufnimmt, schweigt sich die NVD derzeit aus. --------------------------------------------- https://heise.de/-9656574 ===================== = Vulnerabilities = ===================== ∗∗∗ Juniper: On Demand: JSA Series: Multiple vulnerabilities resolved in Juniper Secure Analytics in 7.5.0 UP7 IF06 ∗∗∗ --------------------------------------------- Multiple vulnerabilities have been resolved in 7.5.0 UP7 IF06. Severity Critical --------------------------------------------- https://supportportal.juniper.net/s/article/On-Demand-JSA-Series-Multiple-v… ∗∗∗ Micropatches Released for Microsoft Outlook "MonikerLink" Remote Code Execution Vulnerability (CVE-2024-21413) ∗∗∗ --------------------------------------------- In February 2024, still-Supported Microsoft Outlook versions got an official patch for CVE-2024-21413, a vulnerability that allowed an attacker to execute arbitrary code on users computer when the user opened a malicious hyperlink in attackers email. The micropatch was written for the following security-adopted versions of Office with all available updates installed: Microsoft Office 2013, Microsoft Office 2010 --------------------------------------------- https://blog.0patch.com/2024/03/micropatches-released-for-microsoft.html ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (composer and node-xml2js), Fedora (baresip), Mageia (fonttools, libgit2, mplayer, open-vm-tools, and packages), Red Hat (dnsmasq, gimp:2.8, and kernel-rt), and SUSE (389-ds, gdb, kernel, python-Django, python3, python36-pip, spectre-meltdown-checker, sudo, and thunderbird). --------------------------------------------- https://lwn.net/Articles/965576/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ CVE-2024-2247: JFrog Artifactory Cross-Site Scripting ∗∗∗ --------------------------------------------- https://jfrog.com/help/r/jfrog-release-information/cve-2024-2247-jfrog-arti… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.03.2024
by Daily end-of-shift report 14 Mar '24

14 Mar '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 13-03-2024 18:00 − Donnerstag 14-03-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ PixPirate Android malware uses new tactic to hide on phones ∗∗∗ --------------------------------------------- The latest version of the PixPirate banking trojan for Android employs a previously unseen method to hide from the victim while remaining active on the infected device even if its dropper app has been removed. --------------------------------------------- https://www.bleepingcomputer.com/news/security/pixpirate-android-malware-us… ∗∗∗ Increase in the number of phishing messages pointing to IPFS and to R2 buckets, (Thu, Mar 14th) ∗∗∗ --------------------------------------------- Interesting trends do emerge from time to time. One such recent trend seems to be connected with an increased use of IPFS and R2 buckets to host phishing pages. --------------------------------------------- https://isc.sans.edu/diary/rss/30744 ∗∗∗ Breaking Down APT29’s Latest Tactics and How to Defend Against Them ∗∗∗ --------------------------------------------- Recently, the US National Security Agency (NSA) joined United Kingdom’s National Cyber Security Center (NCSC) in releasing an advisory detailing the recent TTPs (or tactics, techniques, and procedures) of the group known as APT29 (or, in other taxonomies of threat actors, Midnight Blizzard, the Dukes, and Cozy Bear). --------------------------------------------- https://orca.security/resources/blog/how-to-defend-against-apt29-cozy-bear-… ===================== = Vulnerabilities = ===================== ∗∗∗ A patched Windows attack surface is still exploitable ∗∗∗ --------------------------------------------- In this report, we highlight the key points about a class of recently-patched elevation-of-privilege vulnerabilities affecting Microsoft Windows, and then focus on how to check if any of them have been exploited or if there have been any attempts to exploit them. --------------------------------------------- https://securelist.com/windows-vulnerabilities/112232/ ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium and openvswitch), Fedora (chromium, python-multipart, thunderbird, and xen), Mageia (java-17-openjdk and screen), Red Hat (.NET 7.0, .NET 8.0, kernel-rt, kpatch-patch, postgresql:13, and postgresql:15), Slackware (expat), SUSE (glibc, python-Django, python-Django1, sudo, and vim), and Ubuntu (expat, linux-ibm, linux-ibm-5.4, linux-oracle, linux-oracle-5.4, linux-lowlatency, linux-raspi, python-cryptography, texlive-bin, and xorg-server). --------------------------------------------- https://lwn.net/Articles/965470/ ∗∗∗ Kubernetes Vulnerability Allows Remote Code Execution on Windows Endpoints ∗∗∗ --------------------------------------------- A high-severity Kubernetes vulnerability tracked as CVE-2023-5528 can be exploited to execute arbitrary code on Windows endpoints. --------------------------------------------- https://www.securityweek.com/kubernetes-vulnerability-allows-remote-code-ex… ∗∗∗ Cisco schließt hochriskante Lücken in IOS XR ∗∗∗ --------------------------------------------- Cisco warnt vor SIcherheitslücken mit teils hohem Risiko im Router-Betriebssystem IOS XR. Updates stehen bereit. --------------------------------------------- https://heise.de/-9654542 ∗∗∗ Schnell upgraden: Problematische Sicherheitslücke in Apples GarageBand ∗∗∗ --------------------------------------------- Neue Funktionen liefert GarageBand 10.4.11 laut Apple nicht. Dafür steckt ein wichtiger Sicherheitsfix drin. Nutzer sollten die macOS-App schnell aktualisieren. --------------------------------------------- https://heise.de/-9654638 ∗∗∗ HP: Viele Laptops und PCs von Codeschmuggel-Lücke betroffen ∗∗∗ --------------------------------------------- Eine BIOS-Sicherheitsfunktion von HP-Laptops und -PCs kann von Angreifern umgangen werden. BIOS-Updates stehen bereit oder werden grad entwickelt. --------------------------------------------- https://heise.de/-9654678 ∗∗∗ VU#488902: CPU hardware utilizing speculative execution may be vulnerable to speculative race conditions ∗∗∗ --------------------------------------------- https://kb.cert.org/vuls/id/488902 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Softing edgeConnector ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-074-13 ∗∗∗ Mitsubishi Electric MELSEC-Q/L Series ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-074-14 ∗∗∗ Delta Electronics DIAEnergie ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-074-12 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.03.2024
by Daily end-of-shift report 13 Mar '24

13 Mar '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 12-03-2024 18:00 − Mittwoch 13-03-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ RisePro stealer targets Github users in “gitgub” campaign ∗∗∗ --------------------------------------------- We identified at least 13 such repositories belonging to a RisePro stealer campaign that was named “gitgub” by the threat actors. The repositories look similar, featuring a README.md file with the promise of free cracked software. [..] RisePro resurfaces with new string encryption and a bloated MSI installer that crashes reversing tools like IDA. The "gitgub" campaign already sent more than 700 archives of stolen data to Telegram. --------------------------------------------- https://www.gdatasoftware.com/blog/2024/03/37885-risepro-stealer-campaign-g… ∗∗∗ Using ChatGPT to Deobfuscate Malicious Scripts, (Wed, Mar 13th) ∗∗∗ --------------------------------------------- Today, most of the malicious scripts in the wild are heavily obfuscated. [...] There was a huge amount of obfuscated strings (443 in total). Let's try tro process them with ChatGPT [..] The request took a few seconds to get some feedback but results were perfect (I only submitted a small part of the script). --------------------------------------------- https://isc.sans.edu/diary/rss/30740 ∗∗∗ FakeBat delivered via several active malvertising campaigns ∗∗∗ --------------------------------------------- A number of software brands are being impersonated with malicious ads and fake sites to distribute malware. --------------------------------------------- https://www.malwarebytes.com/blog/threat-intelligence/2024/03/fakebat-deliv… ∗∗∗ Geldwäsche statt Babysitting: Vorsicht vor diesem Jobbetrug! ∗∗∗ --------------------------------------------- Kriminelle suchen über Babysitter-Börsen angeblich eine Betreuung für ihr Kind oder ihre Kinder. Das vermeintliche Elternteil behauptet, derzeit noch im Ausland zu leben und erst zu einem späteren Zeitpunkt nach Österreich zu ziehen. Damit sich die Kinder gleich von Anfang an wohl fühlen, sollen die neuen Babysitter:innen bereits im Vorfeld Spielzeug einkaufen. --------------------------------------------- https://www.watchlist-internet.at/news/geldwaesche-statt-babysitting-vorsic… ∗∗∗ JetBrains vulnerability exploitation highlights debate over silent patching ∗∗∗ --------------------------------------------- Czech software giant JetBrains harshly criticized security company Rapid7 this week following a dispute over two recently-discovered vulnerabilities. In a blog post published Monday, JetBrains attributed the compromise of several customers’ servers to Rapid7’s decision to release detailed information on the vulnerabilities. --------------------------------------------- https://therecord.media/jetbrains-rapid7-silent-patching-dispute ∗∗∗ Unpacking Flutter hives ∗∗∗ --------------------------------------------- The goal of this blogpost is to obtain the content of an encrypted Hive without having access to the source code. --------------------------------------------- https://blog.nviso.eu/2024/03/13/unpacking-flutter-hives/ ∗∗∗ Threat actors leverage document publishing sites for ongoing credential and session token theft ∗∗∗ --------------------------------------------- Talos IR has responded to several recent incidents in which threat actors used legitimate digital document publishing sites such as Publuu and Marq to host phishing documents as part of ongoing credential and session harvesting attacks. Threat actors have used a similar tactic of deploying phishing lures on well-known cloud storage and contract management sites such as Google Drive, OneDrive, SharePoint, DocuSign and Oneflow. --------------------------------------------- https://blog.talosintelligence.com/threat-actors-leveraging-document-publis… ∗∗∗ CVE-2024-21412: DarkGate Operators Exploit Microsoft Windows SmartScreen Bypass in Zero-Day Campaign ∗∗∗ --------------------------------------------- The Zero Day Initiative (ZDI) recently uncovered a DarkGate campaign in mid-January 2024, which exploited CVE-2024-21412 through the use of fake software installers. During this campaign, users were lured using PDFs that contained Google DoubleClick Digital Marketing (DDM) open redirects that led unsuspecting victims to compromised sites hosting the Microsoft Windows SmartScreen bypass CVE-2024-21412 that led to malicious Microsoft (.MSI) installers. [..] This campaign was part of the larger Water Hydra APT zero-day analysis. --------------------------------------------- https://www.trendmicro.com/en_us/research/24/c/cve-2024-21412--darkgate-ope… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Security Advisories 2024-03-13 ∗∗∗ --------------------------------------------- Security Impact Rating: 3x High, 4x Medium --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs… ∗∗∗ Palo Alto Security Advisories 2024-03-13 ∗∗∗ --------------------------------------------- Security Impact Rating: 3x Medium --------------------------------------------- https://security.paloaltonetworks.com/ ∗∗∗ Critical Vulnerability Remains Unpatched in Two Permanently Closed MiniOrange WordPress Plugins – $1,250 Bounty Awarded ∗∗∗ --------------------------------------------- Both miniOrange’s Malware Scanner and Web Application Firewall plugins contain a critical privilege escalation vulnerability, and both have been permanently closed. So we urge all users to delete these plugins from their websites immediately! [..] This vulnerability makes it possible for an unauthenticated attacker to grant themselves administrative privileges by updating the user password. --------------------------------------------- https://www.wordfence.com/blog/2024/03/critical-vulnerability-remains-unpat… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (edk2, freeipa, kernel, and liblas), Oracle (kernel), Red Hat (docker, edk2, kernel, kernel-rt, and kpatch-patch), SUSE (axis, fontforge, gnutls, java-1_8_0-openjdk, kernel, python3, sudo, and zabbix), and Ubuntu (dotnet7, dotnet8, libgoogle-gson-java, openssl, and ovn). --------------------------------------------- https://lwn.net/Articles/965278/ ∗∗∗ März-Patchday: Microsoft stopft zwei kritische Löcher in Hyper-V ∗∗∗ --------------------------------------------- Insgesamt bringt der März-Patchday Fixes für 61 Sicherheitslücken. --------------------------------------------- https://www.zdnet.de/88414822/maerz-patchday-microsoft-stopft-zwei-kritisch… ∗∗∗ Adobe Releases Security Updates for Multiple Products ∗∗∗ --------------------------------------------- Adobe Experience Manager, Adobe Premiere Pro, Adobe ColdFusion, Adobe Bridge, Adobe Lightroom, Adobe Animate --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/03/12/adobe-releases-security-… ∗∗∗ AMD und Intel schließen CPU-Sicherheitslücken in Core- und Ryzen-CPUs ∗∗∗ --------------------------------------------- Zum Patch-Tuesday räumen AMD und Intel weitere Sicherheitslücken in ihren Prozessoren ein. Es geht unter anderem um Race Conditions. --------------------------------------------- https://heise.de/-9653846 ∗∗∗ Fortinet-Patchday: Updates gegen kritische Schwachstellen ∗∗∗ --------------------------------------------- Fortinet hat zum März-Patchday Sicherheitslücken in FortiOS, FortiProxy, FortiClientEMS und im FortiManager geschlossen. --------------------------------------------- https://heise.de/-9653730 ∗∗∗ Citrix Hypervisor Security Update for CVE-2023-39368 and CVE-2023-38575 ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX616982/citrix-hypervisor-security-upd… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Lenovo Security Advisories 2024-03-12 ∗∗∗ --------------------------------------------- https://support.lenovo.com/at/de/product_security/home ∗∗∗ Xen Security Advisory CVE-2024-2193 / XSA-453 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-453.html ∗∗∗ Xen Security Advisory CVE-2023-28746 / XSA-452 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-452.html ∗∗∗ Wago: Multiple vulnerabilities in web-based management of multiple products ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-039/ ∗∗∗ Bosch: BVMS affected by Autodesk Design Review Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-246962-bt.html ∗∗∗ Bosch: RPS and RPS-LITE operator and communication process vulnerabilities. ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-099637-bt.html ∗∗∗ Canon: CPE2024-002 – Vulnerability Mitigation/Remediation for Small Office Multifunction Printers and Laser Printers – 14 March 2024 ∗∗∗ --------------------------------------------- https://www.canon-europe.com/support/product-security-latest-news/ ∗∗∗ SonicWall: SonicWall Email Security Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) Vulnerability ∗∗∗ --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0006 ∗∗∗ SonicWall: SonicOS SSLVPN Portal Stored Cross-site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0005 ∗∗∗ SonicWall: Integer-Based Buffer Overflow Vulnerability In SonicOS via IPSec ∗∗∗ --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0004 ∗∗∗ Google Chrome: Drei Sicherheitslöcher gestopft ∗∗∗ --------------------------------------------- https://heise.de/-9653082 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.03.2024
by Daily end-of-shift report 12 Mar '24

12 Mar '24

===================== = End-of-Day report = ===================== Timeframe: Montag 11-03-2024 18:00 − Dienstag 12-03-2024 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Inception Attack: Neue Angriffstechnik ermöglicht Manipulation von VR-Inhalten ∗∗∗ --------------------------------------------- Angreifer können nicht nur sensible Informationen abgreifen, sondern auch dem VR-Nutzer angezeigte Inhalte verändern, ohne dass dieser etwas merkt. --------------------------------------------- https://www.golem.de/news/inception-attack-neue-angriffstechnik-ermoeglicht… ∗∗∗ Verträge und Abos kündigen: Vorsicht vor kostenpflichtigen Angeboten ∗∗∗ --------------------------------------------- Sie möchten Ihren Vertrag kündigen, wissen aber nicht wie? Oft sind die Informationen zur Kündigung und Kontaktadressen des jeweiligen Unternehmens auch unauffindbar. Aus gutem Grund suchen Konsument:innen daher nach Diensten, die den Kündigungsprozess übernehmen. Oft sind diese Dienste kostenpflichtig oder selbst eine Abofalle. --------------------------------------------- https://www.watchlist-internet.at/news/vertraege-und-abos-kuendigen-vorsich… ∗∗∗ Ransomware: Attacks Continue to Rise as Operators Adapt to Disruption ∗∗∗ --------------------------------------------- Available evidence suggests vulnerability exploitation has replaced botnets as a prime infection vector. --------------------------------------------- https://symantec-enterprise-blogs.security.com/threat-intelligence/ransomwa… ∗∗∗ CISA Publishes SCuBA Hybrid Identity Solutions Guidance ∗∗∗ --------------------------------------------- CISA has published Secure Cloud Business Applications (SCuBA) Hybrid Identity Solutions Guidance (HISG) to help users better understand identity management capabilities and securely integrate their traditional on-premises enterprise networks with cloud-based solutions. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/03/12/cisa-publishes-scuba-hyb… ∗∗∗ VCURMS: A Simple and Functional Weapon ∗∗∗ --------------------------------------------- ForitGuard Labs uncovers a rat VCURMS weapon and STRRAT in a phishing campaign --------------------------------------------- https://feeds.fortinet.com/~/873512375/0/fortinet/blogs~VCURMS-A-Simple-and… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (qemu), Mageia (libtiff and thunderbird), Red Hat (kernel, kpatch-patch, postgresql, and rhc-worker-script), SUSE (compat-openssl098, openssl, openssl1, python-Django, python-Django1, and wpa_supplicant), and Ubuntu (accountsservice, libxml2, linux-bluefield, linux-raspi-5.4, linux-xilinx-zynqmp, linux-oem-6.1, openvswitch, postgresql-9.5, and ruby-rack). --------------------------------------------- https://lwn.net/Articles/965113/ ∗∗∗ SAP schließt zehn Sicherheitslücken am März-Patchday ∗∗∗ --------------------------------------------- SAP hat zehn neue Sicherheitsmitteilungen zum März-Patchday veröffentlicht. Zwei der geschlossenen Lücken gelten als kritisch. --------------------------------------------- https://heise.de/-9652057 ∗∗∗ Synology dichtet Sicherheitslecks in SRM ab ∗∗∗ --------------------------------------------- Im Synology Router Manager (SRM) klaffen Sicherheitslecks, durch die Angreifer etwa Scripte einschleusen können. Ein Update steht bereit. --------------------------------------------- https://heise.de/-9652225 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Fortiguard Security Advisories ∗∗∗ --------------------------------------------- https://www.fortiguard.com/psirt ∗∗∗ SSA-918992 V1.0: Unused HTTP Service on SENTRON 3KC ATC6 Ethernet Module ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-918992.html ∗∗∗ SSA-832273 V1.0: Multiple Vulnerabilities in Fortigate NGFW on RUGGEDCOM APE1808 devices ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-832273.html ∗∗∗ SSA-792319 V1.0: Missing Read Out Protection in SENTRON 7KM PAC3x20 Devices ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-792319.html ∗∗∗ SSA-770721 V1.0: Multiple Vulnerabilities in SIMATIC RF160B before V2.2 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-770721.html ∗∗∗ SSA-653855 V1.0: Information Disclosure vulnerability in SINEMA Remote Connect Client before V3.1 SP1 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-653855.html ∗∗∗ SSA-576771 V1.0: Multiple Vulnerabilities in SINEMA Remote Connect Server before V3.2 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-576771.html ∗∗∗ SSA-382651 V1.0: File Parsing Vulnerability in Solid Edge before V223.0.11 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-382651.html ∗∗∗ SSA-366067 V1.0: Multiple Vulnerabilities in Fortigate NGFW before V7.4.1 on RUGGEDCOM APE1808 devices ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-366067.html ∗∗∗ SSA-353002 V1.0: Multiple Vulnerabilities in SCALANCE XB-200 / XC-200 / XP-200 / XF-200BA / XR-300WG Family ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-353002.html ∗∗∗ SSA-225840 V1.0: Vulnerabilities in the Network Communication Stack in Sinteso EN and Cerberus PRO EN Fire Protection Systems ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-225840.html ∗∗∗ SSA-145196 V1.0: Authorization Bypass Vulnerability in Siveillance Control ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-145196.html ∗∗∗ PHOENIX CONTACT: Multiple vulnerabilities in CHARX SEC charge controllers ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2024-011/ ∗∗∗ Citrix SDWAN Security Bulletin for CVE-2024-2049 ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX617071/citrix-sdwan-security-bulletin… ∗∗∗ Stack-based Overflow Vulnerability in the TrueViewTM Desktop Software ∗∗∗ --------------------------------------------- https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0005 ∗∗∗ Missing PSK secret for IKEv2 connection can cause libreswan to restart ∗∗∗ --------------------------------------------- https://libreswan.org/security/CVE-2024-2357/CVE-2024-2357.txt ∗∗∗ Schneider Electric EcoStruxure Power Design ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-072-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.03.2024
by Daily end-of-shift report 11 Mar '24

11 Mar '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 08-03-2024 18:00 − Montag 11-03-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Fake Leather wallet app on Apple App Store is a crypto drainer ∗∗∗ --------------------------------------------- The developers of the Leather cryptocurrency wallet are warning of a fake app on the Apple App Store, with users reporting it is a wallet drainer that stole their digital assets. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fake-leather-wallet-app-on-a… ∗∗∗ What happens when you accidentally leak your AWS API keys? [Guest Diary], (Sun, Mar 10th) ∗∗∗ --------------------------------------------- As a college freshman taking my first computer science class, I wanted to create a personal project that would test my abilities and maybe have some sort of return. I saw a video online of someone who created a python script that emailed colleges asking for free swag to be shipped to him. I liked the idea and adapted it. --------------------------------------------- https://isc.sans.edu/diary/rss/30730 ∗∗∗ Check your email security, and protect your customers ∗∗∗ --------------------------------------------- Free online tool from the NCSC prevents cyber criminals using your email to conduct cyber attacks. --------------------------------------------- https://www.ncsc.gov.uk/blog-post/cyes-protect-customers ∗∗∗ Leicht verdientes Geld auf Instagram? Vorsicht vor dieser Betrugsmasche ∗∗∗ --------------------------------------------- Sie erhalten eine Nachricht auf Instagram – angeblich von einer Künstlerin bzw. einem Künstler. Die Person behauptet, dass sie eines Ihrer Bilder auf Instagram als Vorlage für ein Gemälde nutzen möchte. Sie bekommen dafür angeblich 500 Euro. Gehen Sie nicht auf dieses Angebot ein, Sie werden betrogen! --------------------------------------------- https://www.watchlist-internet.at/news/leicht-verdientes-geld-auf-instagram… ∗∗∗ Misconfiguration Manager: Overlooked and Overprivileged ∗∗∗ --------------------------------------------- Misconfiguration Manager is a central knowledge base for all known Microsoft Configuration Manager tradecraft and associated defensive and hardening guidance. We’re also presenting this material at SO-CON 2024 on March 11, 2024. We’ll update this post with a link to the recording when it becomes available. --------------------------------------------- https://posts.specterops.io/misconfiguration-manager-overlooked-and-overpri… ∗∗∗ Ransomware tracker: The latest figures [March 2024] ∗∗∗ --------------------------------------------- Note: this Ransomware Tracker is updated on the second Sunday of each month to stay current. --------------------------------------------- https://therecord.media/ransomware-tracker-the-latest-figures ∗∗∗ Kritische Schwachstelle (CVE-2024-1403) in Progress OpenEdge Authentication Gateway/AdminServer – PoC öffentlich ∗∗∗ --------------------------------------------- Es gibt eine kritische Schwachstelle (CVE-2024-1403) in diesem Produkt (CVSS 10.0), die die Umgehung der Authentifizierung ermöglicht. Nun ist ein Exploit zur Ausnutzung dieser Schwachstelle bekannt geworden. --------------------------------------------- https://www.borncity.com/blog/2024/03/11/kritische-schwachstelle-cve-2024-1… ===================== = Vulnerabilities = ===================== ∗∗∗ Unauthenticated Stored XSS Vulnerability Patched in Ultimate Member WordPress Plugin ∗∗∗ --------------------------------------------- The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the several parameters in all versions up to, and including, 2.8.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. --------------------------------------------- https://www.wordfence.com/blog/2024/03/unauthenticated-stored-xss-vulnerabi… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libuv1, nss, squid, tar, tiff, and wordpress), Fedora (chromium, exercism, grub2, qpdf, and wpa_supplicant), Oracle (edk2 and opencryptoki), and SUSE (cpio, openssl-1_0_0, openssl-1_1, openssl-3, sudo, tomcat, and xen). --------------------------------------------- https://lwn.net/Articles/965032/ ∗∗∗ ArubaOS: Sicherheitslücken erlauben Befehlsschmuggel ∗∗∗ --------------------------------------------- HPE Aruba warnt vor zum Teil hochriskanten Sicherheitslücken im Betriebssystem ArubaOS für Switches aus dem Hause. Mehrere gelten als hohes Risiko und erlauben das Einschmuggeln von Befehlen. --------------------------------------------- https://heise.de/-9650985 ∗∗∗ Qnap hat teils kritische Lücken in seinen Betriebssystemen geschlossen ∗∗∗ --------------------------------------------- Qnap hat Warnungen vor Sicherheitslücken in QTS, QuTS Hero und QuTScloud veröffentlicht. Aktualisierte Firmware dichtet sie ab. --------------------------------------------- https://heise.de/-9650933 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.03.2024
by Daily end-of-shift report 08 Mar '24

08 Mar '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 07-03-2024 18:00 − Freitag 08-03-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Update on Microsoft Actions Following Attack by Nation State Actor Midnight Blizzard ∗∗∗ --------------------------------------------- This blog provides an update on the nation-state attack that was detected by the Microsoft Security Team on January 12, 2024. As we shared, on January 19, the security team detected this attack on our corporate email systems and immediately activated our response process. --------------------------------------------- https://msrc.microsoft.com/blog/2024/03/update-on-microsoft-actions-followi… ∗∗∗ New Malware Campaign Found Exploiting Stored XSS in Popup Builder < 4.2.3 ∗∗∗ --------------------------------------------- In the past three weeks, we’ve started seeing an uptick in attacks from a new malware campaign targeting this same Popup Builder vulnerability. According to PublicWWW, over 3,300 websites have already been infected by this new campaign. Our own SiteCheck remote malware scanner has detected this malware on over 1,170 sites. --------------------------------------------- https://blog.sucuri.net/2024/03/new-malware-campaign-found-exploiting-store… ∗∗∗ Google-Präsenz verbessern? Vorsicht vor Abzocker-Unternehmen! ∗∗∗ --------------------------------------------- Unternehmen wenden sich derzeit an uns und berichten von unseriösen Anbietern, die sich als Kooperationspartner von Google ausgeben. Das Angebot: Sie helfen dabei, den Unternehmensauftritt bei Google zu verbessern, ein angebotenes Beratungsgespräch soll nach dem Gespräch bezahlt werden und koste einmalig bis zu 80 Euro. Doch weit gefehlt: Erfahrungsberichten zufolge tappt man hier in eine Abo-Falle, die nur schwer zu kündigen ist. --------------------------------------------- https://www.watchlist-internet.at/news/abzocke-google-praesenz/ ∗∗∗ Online scam taxonomy: the many ways to trick us ∗∗∗ --------------------------------------------- Because there are so many different types of online scams, we have compiled a list of scam taxonomy, shortly explaining what these scams mean. It’s important to stay vigilant against these threats, so it’s easier to avoid them. --------------------------------------------- https://blog.f-secure.com/online-scam-taxonomy/ ∗∗∗ Magnet Goblin Targets Publicly Facing Servers Using 1-Day Vulnerabilities ∗∗∗ --------------------------------------------- Magnet Goblin is a financially motivated threat actor that quickly adopts and leverages 1-day vulnerabilities in public-facing services as an initial infection vector. At least in one case of Ivanti Connect Secure VPN (CVE-2024-21887), the exploit entered the group’s arsenal as fast as within 1 day after a POC for it was published. Campaigns that we were able to attribute to this actor targeted Ivanti, Magento, Qlink Sense and possibly Apache ActiveMQ. --------------------------------------------- https://research.checkpoint.com/2024/magnet-goblin-targets-publicly-facing-… ∗∗∗ Cisco: Angreifer können sich zum Root-Nutzer unter Linux machen ∗∗∗ --------------------------------------------- Cisco AppDynamics, Duo Authentication, Secure Client, Secure Client for Linux und Wireless Access Points der Small-Business-Reihe sind angreifbar. Sicherheitspatches stehen zum Download bereit. --------------------------------------------- https://heise.de/-9649863 ∗∗∗ Angeblicher Tesla-Hack mit Flipper Zero entpuppt sich als Sturm im Wasserglas ∗∗∗ --------------------------------------------- Mittels eines gefälschten Gast-WLANs im Tesla-Design könnten Angreifer an Superchargern oder in Service-Centern Zugänge abgreifen, warnen die Experten. --------------------------------------------- https://heise.de/-9650018 ===================== = Vulnerabilities = ===================== ∗∗∗ pgAdmin (<=8.3) Path Traversal in Session Handling Leads to Unsafe Deserialization and Remote Code Execution (RCE) ∗∗∗ --------------------------------------------- “pgAdmin is the most popular and feature rich Open Source administration and development platform for PostgreSQL, the most advanced Open Source database in the world. [..] If the server is running on Windows, an unauthenticated attacker can load and deserialize remote pickle objects and gain code execution. If the server is running on POSIX/Linux, an authenticated attacker can upload pickle objects, deserialize them and gain code execution. --------------------------------------------- https://www.shielder.com/advisories/pgadmin-path-traversal_leads_to_unsafe_… ∗∗∗ QNAP Security Advisories 2024-03-09 ∗∗∗ --------------------------------------------- Security Impact Rating: 1x Critical, 4x Medium --------------------------------------------- https://www.qnap.com/en-us/security-advisories ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (fontforge), Fedora (chromium, iwd, libell, and thunderbird), Oracle (buildah, kernel, skopeo, and tomcat), Red Hat (opencryptoki), Slackware (ghostscript), SUSE (go1.21, go1.22, google-oauth-java-client, jetty-minimal, openssl-1_0_0, python310, sudo, wpa_supplicant, and xmlgraphics-batik), and Ubuntu (libhtmlcleaner-java, linux, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-lowlatency-hwe-5.15, linux-nvidia, linux-azure, linux-azure-6.5, linux-hwe-6.5, mqtt-client, ncurses, and puma). --------------------------------------------- https://lwn.net/Articles/964832/ ∗∗∗ macOS 14.4 und mehr: Apple patcht schwere Sicherheitslücken ∗∗∗ --------------------------------------------- Apples Update-Reigen geht weiter: Nach iOS und iPadOS hat der Hersteller in der Nacht auf Freitag neue Versionen und Patches veröffentlicht, die für macOS, watchOS, tvOS und visionOS veröffentlicht. Neben kleineren Funktionserweiterungen und Bugfixes sollen die Aktualisierungen auch zwei gravierende Zero-Day-Schwachstellen im Kernel ausräumen, die nach Informationen von Apple wohl bereits aktiv für Angriffe ausgenutzt wurden. --------------------------------------------- https://heise.de/-9649559 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.03.2024
by Daily end-of-shift report 07 Mar '24

07 Mar '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 06-03-2024 18:00 − Donnerstag 07-03-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Hacked WordPress sites use visitors browsers to hack other sites ∗∗∗ --------------------------------------------- Hackers are conducting widescale attacks on WordPress sites to inject scripts that force visitors browsers to bruteforce passwords for other sites. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hacked-wordpress-sites-use-v… ∗∗∗ New Python-Based Snake Info Stealer Spreading Through Facebook Messages ∗∗∗ --------------------------------------------- Facebook messages are being used by threat actors to a Python-based information stealer dubbed Snake that’s designed to capture credentials and other sensitive data. --------------------------------------------- https://thehackernews.com/2024/03/new-python-based-snake-info-stealer.html ∗∗∗ Code injection on Android without ptrace ∗∗∗ --------------------------------------------- I came up with the idea to port linux_injector. The project has a simple premise: injecting code into a process without using ptrace. --------------------------------------------- https://erfur.github.io/blog/dev/code-injection-without-ptrace ∗∗∗ CVE-2023-36049: Microsoft .NET CRLF Injection Arbitrary File Write/Deletion Vulnerability ∗∗∗ --------------------------------------------- Successful exploitation of this vulnerability would allow a remote attacker to write or delete files in the context of the FTP server. The following is a portion of their write-up covering CVE-2023-36049, with a few minimal modifications. --------------------------------------------- https://www.thezdi.com/blog/2024/3/6/cve-2023-36049-microsoft-net-crlf-inje… ∗∗∗ Delving into Dalvik: A Look Into DEX Files ∗∗∗ --------------------------------------------- Through a case study of the banking trojan sample, this blog post aims to give an insight into the Dalvik Executable file format, how it is constructed, and how it can be altered to make analysis easier. --------------------------------------------- https://www.mandiant.com/resources/blog/dalvik-look-into-dex-files ∗∗∗ Staatstrojaner: Infrastruktur der Spyware Predator erneut abgeschaltet ∗∗∗ --------------------------------------------- Die Betreiber der Plattform hinter Predator haben offenbar Server vom Netz genommen, die sie zum Ausliefern und Steuern der Überwachungssoftware verwendeten. --------------------------------------------- https://heise.de/-9648238 ===================== = Vulnerabilities = ===================== ∗∗∗ CVE-2024-1403: Progress OpenEdge Authentication Bypass Deep-Dive ∗∗∗ --------------------------------------------- On February 27, 2024, Progress released a security advisory for OpenEdge, their application development and deployment platform suite. The advisory details that there exists an authentication bypass vulnerability which effects certain components of the OpenEdge platform. --------------------------------------------- https://www.horizon3.ai/attack-research/cve-2024-1403-progress-openedge-aut… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium and yard), Fedora (cpp-jwt, golang-github-tdewolff-argp, golang-github-tdewolff-minify, golang-github-tdewolff-parse, and suricata), Mageia (wpa_supplicant), Oracle (curl, edk2, golang, haproxy, keylime, mysql, openssh, and rear), Red Hat (kernel and postgresql:12), SUSE (containerd, giflib, go1.21, gstreamer-plugins-bad, java-1_8_0-openjdk, python3, python311, python39, sudo, and vim), and Ubuntu (frr, linux, linux-gcp, linux-gcp-5.4, [...] --------------------------------------------- https://lwn.net/Articles/964725/ ∗∗∗ VMware schließt Schlupflöcher für Ausbruch aus virtueller Maschine ∗∗∗ --------------------------------------------- Angreifer können Systeme mit VMware ESXi, Fusion und Workstation attackieren. Sicherheitsupdates stehen zum Download. --------------------------------------------- https://heise.de/-9648396 ∗∗∗ VU#949046: Sceiner firmware locks and associated devices are vulnerable to encryption downgrade and arbitrary file upload attacks ∗∗∗ --------------------------------------------- https://kb.cert.org/vuls/id/949046 ∗∗∗ Registration role - Critical - Access bypass - SA-CONTRIB-2024-015 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2024-015 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Local Privilege Escalation via writable files in CheckMK Agent ∗∗∗ --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/local-privilege-escalati… ∗∗∗ Mattermost security updates 9.5.2 (ESR) / 9.4.4 / 9.3.3 / 8.1.11 (ESR) released ∗∗∗ --------------------------------------------- https://mattermost.com/blog/mattermost-security-updates-9-5-2-esr-9-4-4-9-3… ∗∗∗ Apple Releases Security Updates for iOS and iPadOS ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/03/07/apple-releases-security-… ∗∗∗ Chirp Systems Chirp Access ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-067-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.03.2024
by Daily end-of-shift report 06 Mar '24

06 Mar '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 05-03-2024 18:00 − Mittwoch 06-03-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Why Your Firewall Will Kill You, (Tue, Mar 5th) ∗∗∗ --------------------------------------------- The last few years have been great for attackers exploiting basic web application vulnerabilities. Usually, home and small business products from companies like Linksys, D-Link, and Ubiquity are known to be favorite targets. But over the last couple of years, enterprise products from companies like Ivanti, Fortigate, Sonicwall, and Citrix (among others) have become easy to exploit targets. The high value of the networks protected by these "solutions" has made them favorites for ransomware attackers. --------------------------------------------- https://isc.sans.edu/diary/rss/30714 ∗∗∗ Scanning and abusing the QUIC protocol, (Wed, Mar 6th) ∗∗∗ --------------------------------------------- The QUIC protocol has slowly (pun intended) crawled into our browsers and many other protocols. Last week, at BSides Zagreb I presented some research I did about applications using (and abusing) this protocol, so it made sense to put this into one diary. --------------------------------------------- https://isc.sans.edu/diary/rss/30720 ∗∗∗ Living off the land with native SSH and split tunnelling ∗∗∗ --------------------------------------------- Lately I was involved in an assumed compromise project where stealth and simplicity was required, reducing the opportunity to use a sophisticated C2 infrastructure. We did note that the built-in Windows SSH client could make this simpler for us. [..] Windows native SSH can be a convenient attack path IF an organisation doesn’t have the ability to block and monitor the forwarded internal traffic. [..] The obvious route is to restrict access to the SSH command for all users who don’t have a business need, or to uninstall it from your default Windows build and use something like PuTTY instead. --------------------------------------------- https://www.pentestpartners.com/security-blog/living-off-the-land-with-nati… ∗∗∗ Schneeballsystem-Alarm bei DCPTG.com! ∗∗∗ --------------------------------------------- An die Watchlist Internet wird aktuell vermehrt ein Schneeball- bzw. Pyramidensystem mit dem Namen dcptg.com gemeldet. Versprochen werden Erfahrungsberichten nach völlig unrealistische und risikofreie Gewinnmöglichkeiten von 2 bis 5 Prozent des eingesetzten Kapitals pro Tag. Außerdem müssen laufend weitere Menschen angeworben werden, um langfristig an dem System teilnehmen zu können. Vorsicht: DCPTG.com ist betrügerisch! --------------------------------------------- https://www.watchlist-internet.at/news/schneeballsystem-alarm-bei-dctpgcom/ ∗∗∗ Fake-Gewinnspiel im Namen vom Tiergarten Schönbrunn ∗∗∗ --------------------------------------------- Über ein Fake-Profil des Tiergartens Schönbrunn wird derzeit ein betrügerisches Gewinnspiel auf Facebook verbreitet. Die Facebook-Seite „Tiergarten Wien“ verlost angeblich 4 Eintrittskarten. Sie müssen lediglich die Versandgebühren für die Karten bezahlen. Vorsicht: Sie tappen in eine Abo-Falle und geben Ihre persönlichen Daten an Kriminelle weiter. --------------------------------------------- https://www.watchlist-internet.at/news/fake-gewinnspiel-im-namen-vom-tierga… ∗∗∗ Whoops! ACEMAGIC ships mini PCs with free bonus pre-installed malware ∗∗∗ --------------------------------------------- Chinese mini PC manufacturer ACEMAGIC has made life a bit more interesting for its customers, by admitting that it has also been throwing in free malware with its products. --------------------------------------------- https://grahamcluley.com/whoops-acemagic-ships-mini-pcs-with-free-bonus-pre… ∗∗∗ Data Exfiltration: Increasing Number of Tools Leveraged by Ransomware Attackers ∗∗∗ --------------------------------------------- Ransomware actors are deploying a growing array of data-exfiltration tools in their attacks and, over the past three months alone, Symantec has found attackers using at least dozen different tools capable of data exfiltration. While some exfiltration tools are malware, the vast majority are dual-use – legitimate software used by the attackers for malicious purposes. --------------------------------------------- https://symantec-enterprise-blogs.security.com/threat-intelligence/ransomwa… ∗∗∗ Badgerboard: A PLC backplane network visibility module ∗∗∗ --------------------------------------------- Analysis of the traffic between networked devices has always been of interest since devices could even communicate with one another. As the complexity of networks grew, the more useful dedicated traffic analysis tools became. Major advancements have been made over the years with tools like Snort or Wireshark, but these tools are only useful when accurate information is provided to them. By only sending a subset of the information being passed across a network to monitoring tools, analysts will be provided with an incomplete picture of the state of their network. --------------------------------------------- https://blog.talosintelligence.com/badgerboard-research/ ∗∗∗ Coper / Octo - A Conductor for Mobile Mayhem… With Eight Limbs? ∗∗∗ --------------------------------------------- In this blog post, we will detail our analysis and understanding of the Coper/Octo Android malware, examining the malware’s continued development, as well as providing insights into attack patterns, infrastructure utilization and management, and hunting tips. --------------------------------------------- https://www.team-cymru.com/post/coper-octo-a-conductor-for-mobile-mayhem-wi… ∗∗∗ New Linux Malware Alert: ‘Spinning YARN’ Hits Docker, Other Key Apps ∗∗∗ --------------------------------------------- According to Cado Security’s research research shared with Hackread.com ahead of publication on Wednesday, Spinning Yarn is a malicious campaign that exploits weaknesses in popular Linux software used by businesses across various sectors. --------------------------------------------- https://www.hackread.com/new-linux-malware-alert-spinning-yarn-docker-apps/ ∗∗∗ Fritz.box: Domain aus dem Verkehr gezogen ∗∗∗ --------------------------------------------- Unbekannte sicherten sich im Januar die Domain fritz.box. Doch die Verwirrung hielt nicht lange an. Jetzt wurde die Adresse aus dem Verkehr gezogen. --------------------------------------------- https://heise.de/-9647776 ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Security Advisories 2024-02-28 ∗∗∗ --------------------------------------------- Security Impact Rating: 2x High, 5x Medium --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs… ∗∗∗ VMSA-2024-0006 ∗∗∗ --------------------------------------------- VMware ESXi, Workstation, and Fusion contain a use-after-free vulnerability in the XHCI USB controller. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.3 for Workstation/Fusion and in the Important severity range with a maximum CVSSv3 base score of 8.4 for ESXi. [..] A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host. On ESXi, the exploitation is contained within the VMX sandbox whereas, on Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed. --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2024-0006.html ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libapache2-mod-auth-openidc, libuv1, php-phpseclib, and phpseclib), Red Hat (buildah, cups, curl, device-mapper-multipath, emacs, fence-agents, frr, fwupd, gmp, gnutls, golang, haproxy, keylime, libfastjson, libmicrohttpd, linux-firmware, mysql, openssh, rear, skopeo, sqlite, squid, systemd, and tomcat), Slackware (mozilla), SUSE (kernel-firmware-nvidia-gspx-G06, nvidia-open- driver-G06-signed, postgresql-jdbc, python, python-cryptography, rubygem-rack, wpa_supplicant, and xmlgraphics-batik), and Ubuntu (c-ares, firefox, libde265, libgit2, and ruby-image-processing). --------------------------------------------- https://lwn.net/Articles/964559/ ∗∗∗ CISA Adds Two Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CVE-2024-23225 / CVE-2024-23296 Apple iOS and iPadOS Memory Corruption Vulnerability --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/03/06/cisa-adds-two-known-expl… ∗∗∗ Foxit: Sicherheitsupdates in Foxit PDF Reader 2024.1 und Foxit PDF Editor 2024.1 verfügbar ∗∗∗ --------------------------------------------- https://www.foxit.com/de/support/security-bulletins.html ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Bosch: Git for Windows Multiple Security Vulnerabilities in Bosch DIVAR IP all-in-one Devices ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-637386-bt.html ∗∗∗ Bosch: Multiple OpenSSL vulnerabilities in BVMS ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-090577-bt.html ∗∗∗ F5: K000138827 : OpenSSH vulnerability CVE-2023-51385 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000138827 ∗∗∗ iOS 17.4 und iOS 16.7.6: Wichtige sicherheitskritische Bugfixes ∗∗∗ --------------------------------------------- https://heise.de/-9647164 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.03.2024
by Daily end-of-shift report 05 Mar '24

05 Mar '24

===================== = End-of-Day report = ===================== Timeframe: Montag 04-03-2024 18:00 − Dienstag 05-03-2024 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ ScreenConnect flaws exploited to drop new ToddleShark malware ∗∗∗ --------------------------------------------- The North Korean APT hacking group Kimsuky is exploiting ScreenConnect flaws, particularly CVE-2024-1708 and CVE-2024-1709, to infect targets with a new malware variant dubbed ToddleShark. --------------------------------------------- https://www.bleepingcomputer.com/news/security/screenconnect-flaws-exploite… ∗∗∗ Network tunneling with… QEMU? ∗∗∗ --------------------------------------------- While investigating an incident, we detected uncommon malicious activity inside one of the systems. We ran an analysis on the artifacts, only to find that the adversary had deployed and launched the QEMU hardware emulator. --------------------------------------------- https://securelist.com/network-tunneling-with-qemu/111803/ ∗∗∗ Warning: Thread Hijacking Attack Targets IT Networks, Stealing NTLM Hashes ∗∗∗ --------------------------------------------- The threat actor known as TA577 has been observed using ZIP archive attachments in phishing emails with an aim to steal NT LAN Manager (NTLM) hashes. --------------------------------------------- https://thehackernews.com/2024/03/warning-thread-hijacking-attack-targets.h… ∗∗∗ Pegasus spyware creator ordered to reveal code used to spy on WhatsApp users ∗∗∗ --------------------------------------------- Meta has won a court case against spyware vendor NSO Group to reveal the Pegasus spyware code that allows spying on WhatsApp users. --------------------------------------------- https://www.malwarebytes.com/blog/news/2024/03/pegasus-spyware-creator-orde… ∗∗∗ AnyDesk: Zugriffsversuche aus Spanien; Unsignierter Client verteilt ∗∗∗ --------------------------------------------- Das Drama bei AnyDesk geht anscheinend weiter, obwohl ich die Hoffnung hatte, das Thema langsam abschließen zu können... --------------------------------------------- https://www.borncity.com/blog/2024/03/05/anydesk-zugriffsversuche-aus-spani… ∗∗∗ WogRAT Malware Exploits aNotepad (Windows, Linux) ∗∗∗ --------------------------------------------- AhnLab Security intelligence Center (ASEC) has recently discovered the distribution of backdoor malware via aNotepad, a free online notepad platform. --------------------------------------------- https://asec.ahnlab.com/en/62446/ ∗∗∗ GhostSec’s joint ransomware operation and evolution of their arsenal ∗∗∗ --------------------------------------------- Cisco Talos observed a surge in GhostSec, a hacking group’s malicious activities since this past year. GhostSec has evolved with a new GhostLocker 2.0 ransomware, a Golang variant of the GhostLocker ransomware. --------------------------------------------- https://blog.talosintelligence.com/ghostsec-ghostlocker2-ransomware/ ∗∗∗ Ransomware: ALPHV/Blackcat betrügt offensichtlich Partner und zieht sich zurück ∗∗∗ --------------------------------------------- Die Fakten legen nahe, dass ALPHV/Blackcat einen Cybercrime-Partner um 22 Millionen US-Dollar betrogen und sich nun zurückgezogen hat. --------------------------------------------- https://heise.de/-9646707 ===================== = Vulnerabilities = ===================== ∗∗∗ Exploit available for new critical TeamCity auth bypass bug, patch now ∗∗∗ --------------------------------------------- A critical vulnerability (CVE-2024-27198) in the TeamCity On-Premises CI/CD solution from JetBrains can let a remote unauthenticated attacker take control of the server with administrative permissions. --------------------------------------------- https://www.bleepingcomputer.com/news/security/exploit-available-for-new-cr… ∗∗∗ Multiple vulnerabilities in RT-Thread RTOS ∗∗∗ --------------------------------------------- I reviewed RT-Thread’s source code hosted on GitHub and identified multiple security vulnerabilities that may cause memory corruption and security feature bypass. Their impacts range from denial of service to potential arbitrary code execution. --------------------------------------------- https://security.humanativaspa.it/multiple-vulnerabilities-in-rt-thread-rto… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (yard), Oracle (buildah and kernel), Red Hat (389-ds:1.4, edk2, frr, gnutls, haproxy, libfastjson, libX11, postgresql:12, sqlite, squid, squid:4, tcpdump, and tomcat), SUSE (apache2-mod_auth_openidc and glibc), and Ubuntu (linux-gke, python-cryptography, and python-django). --------------------------------------------- https://lwn.net/Articles/964450/ ∗∗∗ Zeek Security Tool Vulnerabilities Allow ICS Network Hacking ∗∗∗ --------------------------------------------- Vulnerabilities in a plugin for the Zeek network security monitoring tool can be exploited in attacks aimed at ICS environments. --------------------------------------------- https://www.securityweek.com/zeek-security-tool-vulnerabilities-allow-ics-n… ∗∗∗ VU#782720: TCG TPM2.0 implementations vulnerable to memory corruption ∗∗∗ --------------------------------------------- https://kb.cert.org/vuls/id/782720 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Security Vulnerabilities fixed in Thunderbird 115.8.1 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2024-11/ ∗∗∗ Nice Linear eMerge E3-Series ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-065-01 ∗∗∗ Santesoft Sante FFT Imaging ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-065-01 ∗∗∗ K000138814 : OpenLDAP vulnerability CVE-2023-2953 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000138814 ∗∗∗ Patchday: Kritische Schadcode-Lücken bedrohen Android 12, 13 und 14 ∗∗∗ --------------------------------------------- https://heise.de/-9646073 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.03.2024
by Daily end-of-shift report 04 Mar '24

04 Mar '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 01-03-2024 18:00 − Montag 04-03-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Gemini, ChatGPT und LLaVA: Neuer Wurm verbreitet sich in KI-Ökosystemen selbst ∗∗∗ --------------------------------------------- Forscher haben einen KI-Wurm entwickelt. Dieser kann nicht nur sensible Daten abgreifen, sondern sich auch selbst in einem GenAI-Ökosystem ausbreiten. --------------------------------------------- https://www.golem.de/news/gemini-chatgpt-und-llava-neuer-wurm-verbreitet-si… ∗∗∗ Hunting For Integer Overflows In Web Servers ∗∗∗ --------------------------------------------- In order to overflow something (e.g. an integer overflow) we clearly need some way to be able to do that (think pouring water from a kettle into a cup), and that’s the source (us using the kettle) to overflow the cup. Cup of tea aside, what things can be accessed remotely and take user input (those sources)? Web servers! This blog post title does not lie! --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/hunting-for… ∗∗∗ New Wave of SocGholish Infections Impersonates WordPress Plugins ∗∗∗ --------------------------------------------- SocGholish malware, otherwise known as “fake browser updates”, is one of the most common types of malware infections that we see on hacked websites. This long-standing malware campaign leverages a JavaScript malware framework that has been in use since at least 2017. The malware attempts to trick unsuspecting users into downloading what is actually a Remote Access Trojan (RAT) onto their computers, which is often the first stage in a ransomware infection. Late last week our incident response team identified a fresh wave of SocGholish (fake browser update) infections targeting WordPress websites. --------------------------------------------- https://blog.sucuri.net/2024/03/new-wave-of-socgholish-infections-impersona… ∗∗∗ Rise in Deceptive PDF: The Gateway to Malicious Payloads ∗∗∗ --------------------------------------------- McAfee Labs has recently observed a significant surge in the distribution of prominent malware through PDF files. Malware is not solely sourced from dubious websites or downloads; certain instances of malware may reside within apparently harmless emails, particularly within the PDF file attachments accompanying them. The subsequent trend observed in the past three months through McAfee telemetry pertains to the prevalence of malware distributed through non-portable executable (non-PE) vectors. --------------------------------------------- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/rise-in-deceptive-pdf-… ∗∗∗ Remote Stuxnet-Style Attack Possible With Web-Based PLC Malware: Researchers ∗∗∗ --------------------------------------------- A team of researchers has developed malware designed to target modern programmable logic controllers (PLCs) in an effort to demonstrate that remote Stuxnet-style attacks can be launched against such industrial control systems (ICS). --------------------------------------------- https://www.securityweek.com/remote-stuxnet-style-attack-possible-with-web-… ∗∗∗ Vorsicht vor falschen Paketbenachrichtigungen ∗∗∗ --------------------------------------------- Sie erwarten ein Paket? Prüfen Sie Benachrichtigungen über den Sendungsstatus sehr genau! Derzeit sind gefälschte Paketbenachrichtigungen im Namen aller gängigen Zustelldiensten im Umlauf. Klicken Sie niemals voreilig auf Links in E-Mails und SMS und geben Sie keine Kreditkartendaten preis! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-falschen-paketbenachric… ∗∗∗ Threat Brief: WordPress Exploit Leads to Godzilla Web Shell, Discovery & New CVE ∗∗∗ --------------------------------------------- Below is a recent Threat Brief that we shared with our customers. Each year, we produce over 50 detailed Threat Briefs, which follow a format similar to the below. Typically, these reports include specific dates and times to provide comprehensive insights; however, please note that such information has been redacted in this public version. IOCs are available to customers within Event 27236 (uuid – fe12e833-6f0c-45c9-97d6-83337ea6c5d3). --------------------------------------------- https://thedfirreport.com/2024/03/04/threat-brief-wordpress-exploit-leads-t… ∗∗∗ Microsoft schließt ausgenutzte Windows 0-day Schwachstelle CVE-2024-21338 sechs Monate nach Meldung ∗∗∗ --------------------------------------------- Im Februar 2024 hat Microsoft die Schwachstelle CVE-2024-21338 im Kernel von Windows 10/11 und diversen Windows Server-Versionen geschlossen. Super! Der Fehler an der Geschichte: Die Schwachstelle wurde von AVAST im August 2023 gemeldet, und die Schwachstelle wurde zu dieser Zeit als 0-day ausgenutzt. --------------------------------------------- https://www.borncity.com/blog/2024/03/03/microsoft-schliet-ausgenutzte-wind… ∗∗∗ Multistage RA World Ransomware Uses Anti-AV Tactics, Exploits GPO ∗∗∗ --------------------------------------------- The RA World (previously the RA Group) ransomware has managed to successfully breach organizations around the world since its first appearance in April 2023. Although the threat actor casts a wide net with its attacks, many of its targets were in the US, with a smaller number of attacks occurring in countries such as Germany, India, and Taiwan. When it comes to industries, the group focuses its efforts on businesses in the healthcare and financial sectors. --------------------------------------------- https://www.trendmicro.com/en_us/research/24/c/multistage-ra-world-ransomwa… ∗∗∗ GitHub als Malware-Schleuder ∗∗∗ --------------------------------------------- Eine Sicherheitsfirma berichtet über eine neue Masche, wie Schadcode im großen Stil verteilt wird: über kompromittierte Klon-Repositories auf GitHub. --------------------------------------------- https://heise.de/-9644525 ===================== = Vulnerabilities = ===================== ∗∗∗ Critical vulnerabilities in TeamCity JetBrains fixed, release of technical details imminent, patch quickly! (CVE-2024-27198, CVE-2024-27199) ∗∗∗ --------------------------------------------- JetBrains has fixed two critical security vulnerabilities (CVE-2024-27198, CVE-2024-27199) affecting TeamCity On-Premises and is urging customers to patch them immediately. --------------------------------------------- https://www.helpnetsecurity.com/2024/03/04/cve-2024-27198-cve-2024-27199/ ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr and thunderbird), Fedora (dotnet6.0, dotnet8.0, and mod_auth_openidc), Gentoo (Blender, Tox, and UltraJSON), Oracle (kernel), Red Hat (edk2), SUSE (sendmail and zabbix), and Ubuntu (nodejs and thunderbird). --------------------------------------------- https://lwn.net/Articles/964376/ ∗∗∗ Hikvision Patches High-Severity Vulnerability in Security Management System ∗∗∗ --------------------------------------------- Chinese video surveillance equipment manufacturer Hikvision has announced patches for two vulnerabilities in its security management system HikCentral Professional. The most important of these flaws is CVE-2024-25063, a high-severity bug that could lead to unauthorized access to certain URLs. --------------------------------------------- https://www.securityweek.com/hikvision-patches-high-severity-vulnerability-… ∗∗∗ Aruba: Codeschmuggel durch Sicherheitslücken im Clearpass Manager möglich ∗∗∗ --------------------------------------------- Im Aruba Clearpass Manager von HPE klaffen teils kritische Sicherheitslücken. Updates zum Schließen stehen bereit. [..] Eine Lücke betrifft den mitgelieferten Apache Struts-Server und erlaubt das Einschleusen von Befehlen (CVE-2023-50164, CVSS 9.8, Risiko "kritisch"). --------------------------------------------- https://heise.de/-9644607 ∗∗∗ Solarwinds: Schadcode-Lücke in Security Event Manager ∗∗∗ --------------------------------------------- Sicherheitslücken in Solarwinds Secure Event Manager können Angreifer zum Einschleusen von Schadcode missbrauchen. Updates stopfen die Lecks. --------------------------------------------- https://heise.de/-9644643 ∗∗∗ Angreifer können Systeme mit Dell-Software kompromittieren ∗∗∗ --------------------------------------------- Es sind wichtige Sicherheitspatches für Dell Data Protection Advisor, iDRAC8 und Secure Connect Gateway erschienen. --------------------------------------------- https://heise.de/-9644978 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ F5: K000138726 : Linux kernel vulnerability CVE-2023-3611 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000138726 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.03.2024
by Daily end-of-shift report 01 Mar '24

01 Mar '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 29-02-2024 18:00 − Freitag 01-03-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ CISA cautions against using hacked Ivanti VPN gateways even after factory resets ∗∗∗ --------------------------------------------- The U.S. Cybersecurity and Infrastructure Security Agency (CISA) revealed today that attackers who hack Ivanti VPN appliances using one of multiple actively exploited vulnerabilities may be able to maintain root persistence even after performing factory resets. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cisa-cautions-against-using-… ∗∗∗ Angriffe auf Windows-Lücke – Update seit einem halben Jahr verfügbar ∗∗∗ --------------------------------------------- Die CISA warnt vor Angriffen auf eine Lücke in Microsofts Streaming Service. Updates gibt es seit mehr als einem halben Jahr. --------------------------------------------- https://heise.de/-9643763 ∗∗∗ Wireshark Tutorial: Exporting Objects From a Pcap ∗∗∗ --------------------------------------------- This Wireshark tutorial guides the reader in exporting different packet capture objects. It builds on a foundation of malware traffic analysis skills. --------------------------------------------- https://unit42.paloaltonetworks.com/using-wireshark-exporting-objects-from-… ∗∗∗ Blue Team toolkit: 6 open-source tools to assess and enhance corporate defenses ∗∗∗ --------------------------------------------- Here’s how the blue team wards off red teamers and a few open-source tools it may leverage to identify chinks in the corporate armor. --------------------------------------------- https://www.welivesecurity.com/en/business-security/blue-team-toolkit-6-ope… ∗∗∗ Researchers spot new infrastructure likely used for Predator spyware ∗∗∗ --------------------------------------------- Cybersecurity researchers have identified new infrastructure likely used by the operators of the commercial spyware known as Predator in at least 11 countries. --------------------------------------------- https://therecord.media/new-predator-spyware-infrastructure-identified ∗∗∗ Covert TLS n-day backdoors: SparkCockpit & SparkTar ∗∗∗ --------------------------------------------- This report documents two covert TLS-based backdoors identified by NVISO: SparkCockpit & SparkTar. Both backdoors employ selective interception of TLS communication towards the legitimate Ivanti server applications. --------------------------------------------- https://blog.nviso.eu/2024/03/01/covert-tls-n-day-backdoors-sparkcockpit-sp… ∗∗∗ How To Hunt For UEFI Malware Using Velociraptor ∗∗∗ --------------------------------------------- UEFI threats have historically been limited in number and mostly implemented bynation state actors as stealthy persistence. However, the recent proliferationof Black Lotus on the dark web, Trickbot enumeration module (late 2022), andGlupteba (November 2023) indicates that this historical trend may be changing. With this context, it is becoming important for security practitioners to understand visibility and collection capabilities for UEFI threats. This post covers some of these areas and presents several recent Velociraptor artifacts that can be used in the field. --------------------------------------------- https://www.rapid7.com/blog/post/2024/02/29/how-to-hunt-for-uefi-malware-us… ∗∗∗ Bluetooth Unleashed: Syncing Up with the RattaGATTa Series! Part 1 ∗∗∗ --------------------------------------------- This post introduces GreyNoise Labs series on BTLE, highlighting its privacy and security implications, as well as the journey from basic usage to sophisticated system development, offering insights for cybersecurity professionals and tech enthusiasts alike. --------------------------------------------- https://www.greynoise.io/blog/bluetooth-unleashed-syncing-up-with-the-ratta… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (firefox and thunderbird), Debian (gsoap, python-django, and wireshark), Fedora (dotnet7.0 and gifsicle), Mageia (sympa), Oracle (postgresql:10, postgresql:12, thunderbird, and unbound), Red Hat (kpatch-patch, python-pillow, and squid:4), SUSE (nodejs12, nodejs14, nodejs16, nodejs18, and openvswitch3), and Ubuntu (linux-azure, linux-lowlatency, linux-starfive-6.5, php-guzzlehttp-psr7, and php-nyholm-psr7). --------------------------------------------- https://lwn.net/Articles/964166/ ∗∗∗ Sicherheitsupdate: Nividia-Grafikkarten-Treiber als Einfallstor für Angreifer ∗∗∗ --------------------------------------------- Insgesamt hat Nvidia mit den Updates acht Sicherheitslücken geschlossen. Davon sind vier (CVE-2024-0071, CVE-2024-0073, CVE-2024-0075, CVE-2024-0077) mit dem Bedrohungsgrad "hoch" eingestuft. An diesen Stellen können Angreifer auf einem nicht näher beschriebenen Weg Speicherfehler auslösen und so Schadcode auf Systeme schieben und ausführen. Im Anschluss gelten Computer in der Regel als vollständig kompromittiert. --------------------------------------------- https://heise.de/-9643306 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Autodesk: Multiple Vulnerabilities in the Autodesk AutoCAD Desktop Software ∗∗∗ --------------------------------------------- https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0004 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.02.2024
by Daily end-of-shift report 29 Feb '24

29 Feb '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 28-02-2024 18:00 − Donnerstag 29-02-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ LockBit ransomware returns to attacks with new encryptors, servers ∗∗∗ --------------------------------------------- The LockBit ransomware gang is once again conducting attacks, using updated encryptors with ransom notes linking to new servers after last weeks law enforcement disruption. --------------------------------------------- https://www.bleepingcomputer.com/news/security/lockbit-ransomware-returns-t… ∗∗∗ Neue Ransomwaregruppe: Angeblicher Cyberangriff auf Epic Games bleibt zweifelhaft ∗∗∗ --------------------------------------------- Die Hackergruppe Mogilevich bietet im Darknet Daten von Epic Games im Umfang von 189 GByte zum Verkauf an. Zweifel an dem Angebot sind jedoch angebracht. --------------------------------------------- https://www.golem.de/news/daten-stehen-zum-verkauf-neue-ransomwaregruppe-ha… ∗∗∗ GTPDOOR Linux Malware Targets Telecoms, Exploiting GPRS Roaming Networks ∗∗∗ --------------------------------------------- Threat hunters have discovered a new Linux malware called GTPDOOR that’s designed to be deployed in telecom networks that are adjacent to GPRS roaming exchanges (GRX). The malware is novel in the fact that it leverages the GPRS Tunnelling Protocol (GTP) for command-and-control (C2) communications. --------------------------------------------- https://thehackernews.com/2024/02/gtpdoor-linux-malware-targets-telecoms.ht… ∗∗∗ New Silver SAML Attack Evades Golden SAML Defenses in Identity Systems ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed a new attack technique called Silver SAML that can be successful even in cases where mitigations have been applied against Golden SAML attacks. --------------------------------------------- https://thehackernews.com/2024/02/new-silver-saml-attack-evades-golden.html ∗∗∗ #StopRansomware: Phobos Ransomware ∗∗∗ --------------------------------------------- This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. --------------------------------------------- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-060a ∗∗∗ ALPHV is singling out healthcare sector, say FBI and CISA ∗∗∗ --------------------------------------------- CISA, FBI and HHS are warning about the ALPHV/ Blackcat ransomware group targeting the healthcare industry. --------------------------------------------- https://www.malwarebytes.com/blog/news/2024/02/alphv-is-singling-out-health… ∗∗∗ GUloader Unmasked: Decrypting the Threat of Malicious SVG Files ∗∗∗ --------------------------------------------- This sophisticated malware loader has garnered attention for its stealthy techniques and ability to evade detection, posing a significant risk to organizations and individuals. --------------------------------------------- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/guloader-unmasked-decr… ∗∗∗ Amazon-Vishing: Vorsicht vor Fake-Amazon-Anrufen! ∗∗∗ --------------------------------------------- Am Telefon geben sich Kriminelle als Amazon-Mitarbeiter:innen aus. Unter verschiedenen Vorwänden bringen sie Sie dazu, TeamViewer oder AnyDesk zu installieren und räumen Ihr Konto leer! Sollten Sie so einen Anruf erhalten, legen Sie auf und blockieren Sie die Nummer. --------------------------------------------- https://www.watchlist-internet.at/news/amazon-vishing-vorsicht-vor-fake-ama… ∗∗∗ ADCS ESC14 Abuse Technique ∗∗∗ --------------------------------------------- In this blog post, we will explore the variations of abuse of explicit certificate mapping in AD, what the requirements are, and how you can protect your environment against it. --------------------------------------------- https://posts.specterops.io/adcs-esc14-abuse-technique-333a004dc2b9 ∗∗∗ The Art of Domain Deception: Bifrosts New Tactic to Deceive Users ∗∗∗ --------------------------------------------- The RAT Bifrost has a new Linux variant that leverages a deceptive domain in order to compromise systems. We analyze this expanded attack surface. --------------------------------------------- https://unit42.paloaltonetworks.com/new-linux-variant-bifrost-malware/ ∗∗∗ Vulnerabilities in business VPNs under the spotlight ∗∗∗ --------------------------------------------- As adversaries increasingly set their sights on vulnerable enterprise VPN software to infiltrate corporate networks, concerns mount about VPNs themselves being a source of cyber risk. --------------------------------------------- https://www.welivesecurity.com/en/business-security/vulnerabilities-busines… ∗∗∗ IT-Sicherheitsprodukte von Sophos verschlucken sich am Schaltjahr ∗∗∗ --------------------------------------------- Aufgrund eines Fehlers können Sophos Endpoint, Home und Server vor dem Besucht legitimer Websites warnen. Erste Lösungen sind bereits verfügbar. --------------------------------------------- https://heise.de/-9642801 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium), Fedora (moodle), Red Hat (kernel, kernel-rt, and postgresql:15), Slackware (wpa_supplicant), SUSE (Java and rear27a), and Ubuntu (libcpanel-json-xs-perl, libuv1, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.4, linux-lowlatency, linux-lowlatency-hwe-6.5, linux-oem-6.5, python-openstackclient, and unbound). --------------------------------------------- https://lwn.net/Articles/964039/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ 2024-01 Security Bulletin: JSA Series: Multiple vulnerabilities resolved in JSA Applications ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-01-Security-Bulletin-JSA-S… ∗∗∗ On Demand: JSA Series: Multiple vulnerabilities resolved in Juniper Secure Analytics in 7.5.0 UP7 IF05 ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/On-Demand-JSA-Series-Multiple-v… ∗∗∗ Delta Electronics CNCSoft-B ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-060-01 ∗∗∗ MicroDicom DICOM Viewer ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-060-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.02.2024
by Daily end-of-shift report 28 Feb '24

28 Feb '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 27-02-2024 18:00 − Mittwoch 28-02-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Ivanti: Enhanced External Integrity Checking Tool to Provide Additional Visibility and Protection for Customers Against Evolving Threat Actor Techniques in Relation to Previously Disclosed Vulnerabilities ∗∗∗ --------------------------------------------- As part of our exhaustive investigation into the recent attack against our customers, Ivanti and Mandiant released findings today regarding evolving threat actor tactics, techniques and procedures (TTPs). These findings were identified in the ongoing analysis of the previously disclosed vulnerabilities affecting Ivanti Connect Secure, Policy Secure and ZTA gateways, and include potential persistence techniques that we are monitoring, even though to date they have not been deployed successfully in the wild. --------------------------------------------- https://www.ivanti.com/blog/enhanced-external-integrity-checking-tool-to-pr… ∗∗∗ Savvy Seahorse gang uses DNS CNAME records to power investor scams ∗∗∗ --------------------------------------------- A threat actor named Savvy Seahorse is abusing CNAME DNS records Domain Name System to create a traffic distribution system that powers financial scam campaigns. --------------------------------------------- https://www.bleepingcomputer.com/news/security/savvy-seahorse-gang-uses-dns… ∗∗∗ Take Downs and the Rest of Us: Do they matter?, (Tue, Feb 27th) ∗∗∗ --------------------------------------------- Last week, the US Department of Justice published a press release entitled "Justice Department Conducts Court-Authorized Disruption of Botnet Controlled by the Russian Federations Main Intelligence Directorate of the General Staff (GRU)". The disruption targeted a botnet built using the "Moobot" malware. According to the press release, this particular botnet focused on routers made by Ubiquity, using well-known default credentials. Why do nation-state actors go after "simple" home devices? --------------------------------------------- https://isc.sans.edu/diary/rss/30694 ∗∗∗ European diplomats targeted by SPIKEDWINE with WINELOADER ∗∗∗ --------------------------------------------- Zscalers ThreatLabz discovered a suspicious PDF file uploaded to VirusTotal from Latvia on January 30th, 2024. This PDF file is masqueraded as an invitation letter from the Ambassador of India, inviting diplomats to a wine-tasting event in February 2024. The PDF also included a link to a fake questionnaire that redirects users to a malicious ZIP archive hosted on a compromised site, initiating the infection chain. --------------------------------------------- https://www.zscaler.com/blogs/security-research/european-diplomats-targeted… ∗∗∗ Hacker-Gruppe fordert Bitcoins: Erpresserische E-Mails enthalten Wohnadresse als Druckmittel ∗∗∗ --------------------------------------------- „Es freut uns sehr dir mitteilen zu können, das du keine Ahnung von Cyber Security Hast und wir dein Handy infizieren konnten“ beginnt ein E-Mail von einer angeblichen Hacker-Gruppe mit dem Namen „Russian Blakmail Army“. Angeblich wurden private Fotos und Inhalte von Ihnen gesammelt. Wenn Sie nicht wollen, dass diese veröffentlicht werden, sollten Sie 1000 Euro an eine Bitcoin-Wallet senden. Ignorieren Sie dieses E-Mail, es handelt sich um Fake. --------------------------------------------- https://www.watchlist-internet.at/news/hacker-gruppe-fordert-bitcoins-erpre… ∗∗∗ Navigating the Cloud: Exploring Lateral Movement Techniques ∗∗∗ --------------------------------------------- We illuminate lateral movement techniques observed in the wild within cloud environments, including Amazon Web Services (AWS), Google Cloud Platform (GCP) and Microsoft Azure. --------------------------------------------- https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/ ∗∗∗ Lazarus and the FudModule Rootkit: Beyond BYOVD with an Admin-to-Kernel Zero-Day ∗∗∗ --------------------------------------------- Avast discovered an in-the-wild admin-to-kernel exploit for a previously unknown zero-day vulnerability in the appid.sys AppLocker driver. Thanks to Avast’s prompt report, Microsoft addressed this vulnerability as CVE-2024-21338 in the February Patch Tuesday update. The exploitation activity was orchestrated by the notorious Lazarus Group, with the end goal of establishing a kernel read/write primitive. This primitive enabled Lazarus to perform direct kernel object manipulation in an updated version of their data-only FudModule rootkit, a previous version of which was analyzed by ESET and AhnLab. --------------------------------------------- https://decoded.avast.io/janvojtesek/lazarus-and-the-fudmodule-rootkit-beyo… ∗∗∗ Russian Cyber Actors Use Compromised Routers to Facilitate Cyber Operations ∗∗∗ --------------------------------------------- This advisory provides observed tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), and recommendations to mitigate the threat posed by APT28 threat actors related to compromised EdgeRouters. --------------------------------------------- https://www.ic3.gov/Media/News/2024/240227.pdf ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (knot-resolver and wpa), Fedora (chromium, kernel, thunderbird, and yarnpkg), Mageia (c-ares), Oracle (firefox, kernel, opensc, postgresql:13, postgresql:15, and thunderbird), Red Hat (edk2, gimp:2.8, and kernel), SUSE (bind, bluez, container-suseconnect, dnsdist, freerdp, gcc12, gcc7, glib2, gnutls, kernel, kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t, libqt5-qtbase, libqt5-qtsvg, nodejs18, nodejs20, openssl, openssl-1_0_0, poppler, python-crcmod, python-cryptography, python-cryptography- vectors, python-pip, python-requests, python3-requests, python311, python39, rabbitmq-c, samba, sccache, shim, SUSE Manager 4.2, SUSE Manager Server 4.2, the Linux-RT Kernel, and thunderbird), and Ubuntu (less, openssl, php7.0, php7.2, php7.4, and tiff). --------------------------------------------- https://lwn.net/Articles/963957/ ∗∗∗ TeamViewer Passwort-Schwachstelle CVE-2024-0819 ∗∗∗ --------------------------------------------- Der Client für Windows sollte dringend auf die Version 15.51.5 aktualisiert werden. Der Hersteller hat einen Sicherheitshinweis veröffentlicht, aus dem hervorgeht, dass ältere Software-Versionen nur einen unvollständigen Schutz der persönlichen Kennworteinstellungen bieten. --------------------------------------------- https://www.borncity.com/blog/2024/02/28/teamviewer-passwort-schwachstelle-… ∗∗∗ Cisco Security Advisories 2024-02-28 ∗∗∗ --------------------------------------------- Security Impact Rating: 2x High, 3x Medium --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Checkmk: Werk #16361: Privilege escalation in Windows agent ∗∗∗ --------------------------------------------- https://checkmk.com/werk/16361 ∗∗∗ ARISTA Security Advisory 0093 ∗∗∗ --------------------------------------------- https://www.arista.com/en/support/advisories-notices/security-advisory/1903… ∗∗∗ Wiesemann & Theis: Multiple products prone to unquoted search path ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2024-018/ ∗∗∗ F5: K000138731 : Linux vulnerability CVE-2023-3776 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000138731 ∗∗∗ Google Chrome: Sicherheitsupdate bessert vier Schwachstellen aus ∗∗∗ --------------------------------------------- https://heise.de/-9641080 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.02.2024
by Daily end-of-shift report 27 Feb '24

27 Feb '24

===================== = End-of-Day report = ===================== Timeframe: Montag 26-02-2024 18:00 − Dienstag 27-02-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Open-Source Xeno RAT Trojan Emerges as a Potent Threat on GitHub ∗∗∗ --------------------------------------------- An "intricately designed" remote access trojan (RAT) called Xeno RAT has been made available on GitHub, making it available to other actors at no extra cost. --------------------------------------------- https://thehackernews.com/2024/02/open-source-xeno-rat-trojan-emerges-as.ht… ∗∗∗ Achtung Betrug: Kriminelle locken mit gratis Spar-Geschenkkarten und Klimatickets ∗∗∗ --------------------------------------------- Aktuell kursieren gefälschte Gewinnspiele für kostenlose Spar-Geschenkkarten und Klimatickets. Die Angebote werden per E-Mail, in Sozialen Netzwerken oder per Direktnachricht auf Ihr Handy verbreitet. Die verlockenden Angebote dienen dazu, Ihnen persönliche Daten und Geld zu stehlen! --------------------------------------------- https://www.watchlist-internet.at/news/achtung-betrug-kriminelle-locken-mit… ∗∗∗ Booking.com refund request? It might be an Agent Tesla malware attack ∗∗∗ --------------------------------------------- Always be wary of opening unsolicited attachments - they might harbour malware. --------------------------------------------- https://grahamcluley.com/booking-com-refund-request-it-might-be-an-agent-te… ∗∗∗ Phishing Malware That Sends Stolen Information Using Telegram API ∗∗∗ --------------------------------------------- Recently, several phishing scripts using Telegram are being distributed indiscriminately through keywords such as remittance and receipts. --------------------------------------------- https://asec.ahnlab.com/en/62177/ ∗∗∗ Threat Actor Groups, Including Black Basta, are Exploiting Recent ScreenConnect Vulnerabilities ∗∗∗ --------------------------------------------- This blog entry gives a detailed analysis of these recent ScreenConnect vulnerabilities. We also discuss our discovery of threat actor groups, including Black Basta and Bl00dy Ransomware gangs, that are actively exploiting CVE-2024-1708 and CVE-2024-1709 based on our telemetry. --------------------------------------------- https://www.trendmicro.com/en_us/research/24/b/threat-actor-groups-includin… ∗∗∗ Hunting PrivateLoader: The malware behind InstallsKey PPI service ∗∗∗ --------------------------------------------- Read the latest Bitsight research on PrivateLoader including important updates recently, including a new string encryption algorithm, a new alternative communication protocol and more. --------------------------------------------- https://www.bitsight.com/blog/hunting-privateloader-malware-behind-installs… ∗∗∗ Februar-Sicherheitsupdates für Windows 11 können fehlschlagen ∗∗∗ --------------------------------------------- Microsoft arbeitet an der Lösung eines Problems, das die Installation der Februar-Sicherheitsupdates in Windows 11 verhindert. --------------------------------------------- https://heise.de/-9639866 ===================== = Vulnerabilities = ===================== ∗∗∗ WordPress LiteSpeed Plugin Vulnerability Puts 5 Million Sites at Risk ∗∗∗ --------------------------------------------- A security vulnerability has been disclosed in the LiteSpeed Cache plugin for WordPress that could enable unauthenticated users to escalate their privileges. --------------------------------------------- https://thehackernews.com/2024/02/wordpress-litespeed-plugin.html ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (engrampa and libgit2), Fedora (libxls, perl-Spreadsheet-ParseXLSX, and wpa_supplicant), Gentoo (PyYAML), Mageia (packages and thunderbird), Red Hat (firefox, kernel, linux-firmware, thunderbird, and unbound), Slackware (openjpeg), SUSE (golang-github-prometheus-prometheus, installation-images, kernel, python-azure-core, python-azure-storage-blob, salt and python-pyzmq, SUSE Manager 4.2.11, SUSE Manager 4.3, SUSE Manager Server 4.2, and wayland), [...] --------------------------------------------- https://lwn.net/Articles/963805/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ XSA-451 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-451.html ∗∗∗ Zyxel Patches Remote Code Execution Bug in Firewall Products ∗∗∗ --------------------------------------------- https://www.securityweek.com/zyxel-patches-remote-code-execution-bug-in-fir… ∗∗∗ Festo: Multiple vulnerabilities affect MES PC shipped with Windows 10 ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-065/ ∗∗∗ Nagios XI: Schwachstellen CVE-2024-24401 und CVE-2024-24402; PoC öffentlich ∗∗∗ --------------------------------------------- https://www.borncity.com/blog/2024/02/27/nagios-xi-schwachstellen-cve-2024-… ∗∗∗ Mitsubishi Electric Multiple Factory Automation Products ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-058-01 ∗∗∗ Santesoft Sante DICOM Viewer Pro ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-058-01 ∗∗∗ VMSA-2024-0005 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2024-0005.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.02.2024
by Daily end-of-shift report 26 Feb '24

26 Feb '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 23-02-2024 18:00 − Montag 26-02-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Hijacked subdomains of major brands used in massive spam campaign ∗∗∗ --------------------------------------------- A massive ad fraud campaign named "SubdoMailing" is using over 8,000 legitimate internet domains and 13,000 subdomains to send up to five million emails per day to generate revenue through scams and malvertising. [..] As these domains belong to trusted companies, they gain the benefit of being able to bypass spam filters and, in some cases, take advantage of configured SPF and DKIM email policies that tell secure email gateways that the emails are legitimate and not spam. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hijacked-subdomains-of-major… ∗∗∗ New IDAT Loader Attacks Using Steganography to Deploy Remcos RAT ∗∗∗ --------------------------------------------- Ukrainian entities based in Finland have been targeted as part of a malicious campaign distributing a commercial remote access trojan known as Remcos RAT using a malware loader called IDAT Loader. --------------------------------------------- https://thehackernews.com/2024/02/new-idat-loader-attacks-using.html ∗∗∗ Actively exploited open redirect in Google Web Light ∗∗∗ --------------------------------------------- An open redirect vulnerability exists in the remains of Google Web Light service, which is being actively exploited in multiple phishing campaigns. Google decided not to fix it, so it might be advisable to block access to the Web Light domain in corporate environments. --------------------------------------------- https://untrustednetwork.net/en/2024/02/26/google-open-redirect/ ∗∗∗ Webinar: Wie schütze ich mich vor Identitätsdiebstahl? ∗∗∗ --------------------------------------------- n diesem Webinar schauen wir uns aktuelle Betrugsmaschen an und besprechen Tools, mit denen man sicherer im Internet unterwegs ist. --------------------------------------------- https://www.watchlist-internet.at/news/webinar-wie-schuetze-ich-mich-vor-id… ∗∗∗ Mattermost: Support for Extended Support Release 8.1 is ending soon ∗∗∗ --------------------------------------------- As of May 15, 2024, Mattermost Extended Support Release (ESR) version 8.1 will no longer be supported. If any of your servers are not on ESR 9.5 or later, upgrading is recommended. --------------------------------------------- https://mattermost.com/blog/support-for-extended-support-release-8-1-is-end… ∗∗∗ SVR Cyber Actors Adapt Tactics for Initial Cloud Access ∗∗∗ --------------------------------------------- This advisory details recent tactics, techniques, and procedures (TTPs) of the group commonly known as APT29, also known as Midnight Blizzard, the Dukes, or Cozy Bear. --------------------------------------------- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-057a ∗∗∗ Analysis of Nood RAT Used in Attacks Against Linux (Gh0st RAT’s Variant) ∗∗∗ --------------------------------------------- AhnLab SEcurity intelligence Center (ASEC) recently discovered that Nood RAT is being used in malware attacks. Nood RAT is a variant of Gh0st RAT that works in Linux. Although the number of Gh0st RAT for Linux is fewer compared to Gh0st RAT for Windows, the cases of Gh0st RAT for Linux are continuously being collected. --------------------------------------------- https://asec.ahnlab.com/en/62144/ ∗∗∗ Ransomware Roundup – Abyss Locker ∗∗∗ --------------------------------------------- FortiGuard Labs highlights the Abyss Locker ransomware group that steals information from victims and encrypts files for financial gain. --------------------------------------------- https://www.fortinet.com/blog/threat-research/ransomware-roundup-abyss-lock… ∗∗∗ Ransomware: LockBit gibt Fehler zu, plant Angriffe auf staatliche Einrichtungen ∗∗∗ --------------------------------------------- Die Ransomware-Gruppe LockBit gesteht Fehler aus Faulheit ein, macht sich über das FBI lustig und will Angriffe auf staatliche Einrichtungen intensivieren. --------------------------------------------- https://heise.de/-9638063 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gnutls28, iwd, libjwt, and thunderbird), Fedora (chromium, expat, mingw-expat, mingw-openexr, mingw-python3, mingw-qt5-qt3d, mingw-qt5-qtactiveqt, mingw-qt5-qtbase, mingw-qt5-qtcharts, mingw-qt5-qtdeclarative, mingw-qt5-qtgraphicaleffects, mingw-qt5-qtimageformats, mingw-qt5-qtlocation, mingw-qt5-qtmultimedia, mingw-qt5-qtquickcontrols, mingw-qt5-qtquickcontrols2, mingw-qt5-qtscript, mingw-qt5-qtsensors, mingw-qt5-qtserialport, mingw-qt5-qtsvg, mingw-qt5-qttools, mingw-qt5-qttranslations, mingw-qt5-qtwebchannel, mingw-qt5-qtwebsockets, mingw-qt5-qtwinextras, mingw-qt5-qtxmlpatterns, and thunderbird), Gentoo (btrbk, Glances, and GNU Aspell), Mageia (clamav and xen, qemu and libvirt), Oracle (firefox and postgresql), Red Hat (firefox, opensc, postgresql:10, postgresql:12, postgresql:13, postgresql:15, thunderbird, and unbound), SUSE (firefox, java-1_8_0-ibm, libxml2, and thunderbird), and Ubuntu (binutils, linux, linux-aws, linux-gcp, linux-hwe-6.5, linux-laptop, linux-oracle, linux-raspi, linux-starfive, linux, linux-azure, linux-azure-5.15, linux-azure-fde, linux-gcp, linux-gcp-5.15, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, linux-raspi, linux-azure, linux-oem-6.1, and roundcube). --------------------------------------------- https://lwn.net/Articles/963725/ ∗∗∗ Critical Flaw in Popular ‘Ultimate Member’ WordPress Plugin ∗∗∗ --------------------------------------------- The vulnerability carries a CVSS severity score of 9.8/10 and affects web sites running the Ultimate Member WordPress membership plugin. --------------------------------------------- https://www.securityweek.com/critical-flaw-in-popular-ultimate-member-wordp… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Local Privilege Escalation via DLL Hijacking im Qognify VMS Client Viewer ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/local-privilege-escal… ∗∗∗ F5: K000138695 : OpenSSL vulnerability CVE-2024-0727 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000138695 ∗∗∗ F5: K000138682 : libssh vulnerability CVE-2023-2283 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000138682 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.02.2024
by Daily end-of-shift report 23 Feb '24

23 Feb '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 22-02-2024 18:00 − Freitag 23-02-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Web3 Crypto Malware: Angel Drainer – From Phishing Sites to Malicious Injections ∗∗∗ --------------------------------------------- In this post, we’ll describe how bad actors have started using crypto drainers to monetize traffic to compromised sites. Our analysis starts with a brief overview of the threat landscape and investigation of Wave 2 (the most massive infection campaign) before covering Angel Drainer scan statistics, predecessors, and most recent variants of website hacks that involve crypto drainers. --------------------------------------------- https://blog.sucuri.net/2024/02/web3-crypto-malware-angel-drainer.html ∗∗∗ Shortcuts-Lücke: Zero-Day-Exploit konnte Apples Systemsicherheit aushebeln ∗∗∗ --------------------------------------------- Apples TCC-Verfahren soll eigentlich verhindern, dass böswillige Apps ausgeführt werden. Mittels Shortcuts war das doch möglich. Die Lücke ist gestopft. --------------------------------------------- https://www.heise.de/-9636600 ∗∗∗ Intruders in the Library: Exploring DLL Hijacking ∗∗∗ --------------------------------------------- Dynamic-link library (DLL) hijacking remains a popular technique to run malware. We address its evolution using examples from the realm of cybercrime and more. --------------------------------------------- https://unit42.paloaltonetworks.com/dll-hijacking-techniques/ ∗∗∗ Everything you need to know about IP grabbers ∗∗∗ --------------------------------------------- You would never give your personal ID to random strangers, right? So why provide the ID of your computer? Unsuspecting users beware, IP grabbers do not ask for your permission. --------------------------------------------- https://www.welivesecurity.com/en/cybersecurity/everything-you-need-to-know… ∗∗∗ Weitere Informationen zu Angriffen gegen ConnectWise ScreenConnect ∗∗∗ --------------------------------------------- Sophos hat einen Überblick über Angriffe gegen ConnectWise ScreenConnect veröffentlicht. Demnach wurden bereits verschiedene Arten von Ransomware, verschiedene Information Stealer und auch unterschiedliche Remote-Access-Trojans (RATs) auf Basis der kürzlich von ConnectWise veröffentlichten Vulnerabilities in ScreenConnect deployt. Diese heterogene Bedrohungslage bedingt zur Abklärung einer bereits stattgefundenen Kompromittierung auch einen abstrahierten Blick auf etwaige eigene Installationen. Sophos beschreibt in den Kapiteln "Recommendations" und "Threat hunting information" Empfehlungen zur Vorgangsweise, selbst betriebene Instanzen auf Kompromittierungen zu untersuchen. Wir empfehlen weiterhin, etwaige eigene Installationen von ConnectWise ScreenConnect eine genaueren Untersuchung zuzuführen - auch wenn die vom Hersteller herausgegebenen Updates bereits eingespielt wurden. --------------------------------------------- https://cert.at/de/aktuelles/2024/2/weitere-informationen-zu-angriffen-gege… ∗∗∗ ProxyNotShell: Scan-Problematik der "false positives" bei Exchange (nmap, Greenbone) ∗∗∗ --------------------------------------------- Ende September 2022 scheuchte die als ProxyNotShell bekannt gewordene Schwachstelle in Microsoft Exchange Server Administratoren auf. Die Anfang August 2022 entdeckte Schwachstelle wurde als 0-day mit Exploits angegriffen und Microsoft brauchte mehrere Versuche, die Sicherheitslücke zu schließen. Inzwischen gibt es Scanner wie nmap oder Greenbone, um Exchange Server auf diese Schwachstelle zu prüfen. Allerdings liefern diese Scanner ggf. auch Fehlalarme. --------------------------------------------- https://www.borncity.com/blog/2024/02/23/proxynotshell-scan-problematik-der… ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitsupdate: Root-Lücke bedroht Servermonitoringtool Nagios XI ∗∗∗ --------------------------------------------- Admins sollten das Dienste-Monitoring mit Nagios XI aus Sicherheitsgründen zeitnah auf den aktuellen Stand bringen. --------------------------------------------- https://www.heise.de/-9636505 ∗∗∗ Sicherheitslücken: GitLab gegen mögliche Attacken abgesichert ∗∗∗ --------------------------------------------- Updates schließen mehrere Schwachstellen in GitLab. Eine Lücke bleibt aber offensichtlich erstmal bestehen. --------------------------------------------- https://www.heise.de/-9636995 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, imagemagick, and iwd), Fedora (chromium, firefox, and pdns-recursor), Mageia (nodejs and yarnpkg), Red Hat (firefox, postgresql, and postgresql:15), and SUSE (bind, mozilla-nss, openssh, php-composer2, python-pycryptodome, python-uamqp, python310, and tiff). --------------------------------------------- https://lwn.net/Articles/963352/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Sonicwall: SMA100 MFA Improper Access Control Vulnerability ∗∗∗ --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0001 ∗∗∗ F5: K000138693 : Linux kernel vulnerabilities CVE-2023-4206, CVE-2023-4207, and CVE-2023-4208 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000138693 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.02.2024
by Daily end-of-shift report 22 Feb '24

22 Feb '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 21-02-2024 18:00 − Donnerstag 22-02-2024 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ New SSH-Snake malware steals SSH keys to spread across the network ∗∗∗ --------------------------------------------- A threat actor is using an open-source network mapping tool named SSH-Snake to look for private keys undetected and move laterally on the victim infrastructure. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-ssh-snake-malware-steals… ∗∗∗ Google Play Store: Banking-Trojaner nimmt europäische Nutzer ins Visier ∗∗∗ --------------------------------------------- Im Google Play Store tauchen Varianten des Anatsa-Banking-Trojaners auf. Sie kommen auf über 100.000 Installationen. --------------------------------------------- https://www.heise.de/news/Google-Play-Store-Banking-Trojaner-nimmt-europaei… ∗∗∗ Why ransomware gangs love using RMM tools—and how to stop them ∗∗∗ --------------------------------------------- More and more ransomware gangs are using RMM tools in their attacks. --------------------------------------------- https://www.malwarebytes.com/blog/business/2024/02/why-ransomware-gangs-lov… ∗∗∗ Unmasking Lorenz Ransomware: A Dive into Recent Tactics, Techniques and Procedures ∗∗∗ --------------------------------------------- In the ever-evolving landscape of cyber threats, ransomware remains a persistent menace, with groups like Lorenz actively exploiting vulnerabilities in small to medium businesses globally. --------------------------------------------- https://research.nccgroup.com/2024/02/22/unmasking-lorenz-ransomware-a-dive… ∗∗∗ Angriffe gegen ConnectWise ScreenConnect ∗∗∗ --------------------------------------------- Die Remote Desktop und Access Software ConnectWise ScreenConnect ist aktuell Ziel von Cyberangriffen. Der Hersteller der Software hatte kürzlich ein Security Advisory bezüglich Authentication Bypass und Path Traversal Vulnerabilities veröffentlicht und dieses inzwischen um Hinweise auf bereits laufende Angriff und Indikatoren für eine bereits stattgefundene Kompromittierung erweitert. --------------------------------------------- https://cert.at/de/aktuelles/2024/2/angriffe-gegen-connectwise-screenconnect ∗∗∗ TinyTurla-NG in-depth tooling and command and control analysis ∗∗∗ --------------------------------------------- Cisco Talos, in cooperation with CERT.NGO, has discovered new malicious components used by the Turla APT. New findings from Talos illustrate the inner workings of the command and control (C2) scripts deployed on the compromised WordPress servers utilized in the compromise we previously disclosed. --------------------------------------------- https://blog.talosintelligence.com/tinyturla-ng-tooling-and-c2/ ∗∗∗ LockBit Attempts to Stay Afloat With a New Version ∗∗∗ --------------------------------------------- This research is the result of our collaboration with the National Crime Agency in the United Kingdom, who took action against LockBit as part of Operation Cronos, an international effort resulting in the undermining of its operations. --------------------------------------------- https://www.trendmicro.com/en_us/research/24/b/lockbit-attempts-to-stay-afl… ∗∗∗ Decrypted: HomuWitch Ransomware ∗∗∗ --------------------------------------------- HomuWitch is a ransomware strain that initially emerged in July 2023. Unlike the majority of current ransomware strains, HomuWitch targets end-users - individuals - rather than institutions and companies. --------------------------------------------- https://decoded.avast.io/threatresearch/decrypted-homuwitch-ransomware/ ∗∗∗ “To live is to fight, to fight is to live! - IBM ODM Remote Code Execution ∗∗∗ --------------------------------------------- In today’s match-up, we’re looking at various versions(both old and new!) of IBM’s “Operational Decision Manager” (ODM). --------------------------------------------- https://labs.watchtowr.com/double-k-o-rce-in-ibm-operation-decision-manager/ ===================== = Vulnerabilities = ===================== ∗∗∗ Codeschmuggel-Lücke in diversen HP Laser-Druckern ∗∗∗ --------------------------------------------- HP warnt mit gleich zwei Sicherheitsmeldungen vor Lücken in diversen Laserjet-Druckern. Firmwareupdates sollen sie schließen. --------------------------------------------- https://www.heise.de/news/Codeschmuggel-Luecke-in-diversen-HP-Laser-Drucker… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (python-pillow), Debian (firefox-esr and imagemagick), Fedora (kernel, mbedtls, rust-asyncgit, rust-bat, rust-cargo-c, rust-eza, rust-git-absorb, rust-git-delta, rust-git2, rust-gitui, rust-libgit2-sys, rust-lsd, rust-pore, rust-pretty-git-prompt, rust-shadow-rs, rust-silver, rust-tokei, and rust-vergen), Gentoo (LibreOffice), Red Hat (kpatch-patch), Slackware (mozilla), SUSE (docker, python-pycryptodome, python3, and qemu), [...] --------------------------------------------- https://lwn.net/Articles/963205/ ∗∗∗ Progress Kemp LoadMaster (Load-Balancer) Schwachstelle CVE-2024-1212 ∗∗∗ --------------------------------------------- Zum 8. Februar 2024 gab es den Hinweis für Administratoren, die den Load-Balancer LoadMaster von Progress Kemp verwenden, dessen Firmware zu aktualisieren. --------------------------------------------- https://www.borncity.com/blog/2024/02/22/progress-kemp-loadmaster-load-bala… ∗∗∗ 2024-02-22: Cyber Security Advisory - B&R Automation Studio & Technology Guarding products use insufficient communication encryption ∗∗∗ --------------------------------------------- https://www.br-automation.com/fileadmin/SA23P019_Automation_Studio_Upgrade_… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ WAGO: Multiple products affected by Terrapin ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2024-014/ ∗∗∗ [R1] Tenable Identity Exposure Secure Relay Version 3.59.4 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2024-03 ∗∗∗ [R1] Tenable Identity Exposure Version 3.59.4 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2024-04 ∗∗∗ Delta Electronics CNCSoft-B DOPSoft ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-053-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.02.2024
by Daily end-of-shift report 21 Feb '24

21 Feb '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 20-02-2024 18:00 − Mittwoch 21-02-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Open Source in Enterprise Environments - Where Are We Now and What Is Our Way Forward? ∗∗∗ --------------------------------------------- We have been used to hearing that free and open source software and enterprise environments in Big Business are fundamentally opposed and do not mix well. Is that actually the case, or should we rather explore how business and free software can both benefit going forward? --------------------------------------------- https://bsdly.blogspot.com/2022/09/open-source-in-enterprise-environments.h… ∗∗∗ VoltSchemer attacks use wireless chargers to inject voice commands, fry phones ∗∗∗ --------------------------------------------- A team of academic researchers show that a new set of attacks called VoltSchemer can inject voice commands to manipulate a smartphones voice assistant through the magnetic field emitted by an off-the-shelf wireless charger. --------------------------------------------- https://www.bleepingcomputer.com/news/security/voltschemer-attacks-use-wire… ∗∗∗ Security: Forscher erzeugen Fingerabdrücke aus Wischgeräuschen ∗∗∗ --------------------------------------------- Die Methode basiert auf einer Reihe komplexer Algorithmen, mit denen sich schließlich ein Master-Fingerabdruck erzeugen lässt. --------------------------------------------- https://www.golem.de/news/security-forscher-erzeugen-fingerabdruecke-aus-wi… ∗∗∗ Phishing pages hosted on archive.org, (Wed, Feb 21st) ∗∗∗ --------------------------------------------- The Internet Archive is a well-known and much-admired institution, devoted to creating a “digital library of Internet sites and other cultural artifacts in digital form”[1]. [...] Unfortunately, since it allows for uploading of files by users, it is also used by threat actors to host malicious content from time to time[2,3]. --------------------------------------------- https://isc.sans.edu/diary/rss/30676 ∗∗∗ Breakdown of Tycoon Phishing-as-a-Service System ∗∗∗ --------------------------------------------- Just weeks after Trustwave SpiderLabs reported on the Greatness phishing-as-a-service (PaaS) framework, SpiderLabs’ Email Security team is tracking another PaaS called Tycoon Group. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/breakdown-o… ∗∗∗ re: Zyxel VPN Series Pre-auth Remote Command Execution ∗∗∗ --------------------------------------------- An unauthenticated command injection exploit affecting Zyxel firewalls was published in late January without an associated CVE. The vulnerability turns out to be CVE-2023-33012. The associated disclosure did not mention any caveats to exploitation, but it turns out only an uncommon configuration is affected. --------------------------------------------- https://vulncheck.com/blog/zyxel-cve-2023-33012 ∗∗∗ Vibrator virus steals your personal information ∗∗∗ --------------------------------------------- One of our customers found their vibrator was buzzing with a hint of malware. --------------------------------------------- https://www.malwarebytes.com/blog/news/2024/02/vibrator-virus-steals-your-p… ∗∗∗ Redis Servers Targeted With New ‘Migo’ Malware ∗∗∗ --------------------------------------------- Attackers weaken Redis instances to deploy the new Migo malware and install a rootkit and cryptominers. --------------------------------------------- https://www.securityweek.com/redis-servers-targeted-with-new-migo-malware/ ∗∗∗ Fake-SMS zum Ablauf der Finanz-Online ID im Umlauf! ∗∗∗ --------------------------------------------- Kriminelle versenden aktuell massenhaft SMS im Namen des BMF zum angeblichen Ablauf der FinanzOnline ID, beziehungsweise ID Austria. Links in den Smishing-Nachrichten führen auf gefälschte Finanz-Online-Websites, auf denen persönliche Daten abgegriffen werden. Diese Daten können anschließend für personalisierte Folgebetrugsmaschen eingesetzt werden. Ignorieren Sie diese SMS-Nachrichten! --------------------------------------------- https://www.watchlist-internet.at/news/fake-sms-zum-ablauf-der-finanz-onlin… ∗∗∗ Detecting Malicious Actors By Observing Commands in Shell History ∗∗∗ --------------------------------------------- Among the myriad techniques and tools at the disposal of cybersecurity experts, one subtle yet powerful method often goes unnoticed: the analysis of shell history to detect malicious actors. --------------------------------------------- https://orca.security/resources/blog/understand-shell-commands-detect-malic… ∗∗∗ Practical Vulnerability Archaeology Starring Ivantis CVE-2021-44529 ∗∗∗ --------------------------------------------- In 2021, Ivanti patched a vulnerability that they called “code injection”. Rumors say it was a backdoor in an open source project. Let’s find out what actually happened! --------------------------------------------- https://www.greynoise.io/blog/practical-vulnerability-archaeology-starring-… ∗∗∗ CISA, EPA, and FBI Release Top Cyber Actions for Securing Water Systems ∗∗∗ --------------------------------------------- Today, CISA, the Environmental Protection Agency (EPA), and the Federal Bureau of Investigation (FBI) released the joint fact sheet Top Cyber Actions for Securing Water Systems. This fact sheet outlines the following practical actions Water and Wastewater Systems (WWS) Sector entities can take to better protect water systems from malicious cyber activity and provides actionable guidance [...] --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/02/21/cisa-epa-and-fbi-release… ∗∗∗ Lucifer DDoS botnet Malware is Targeting Apache Big-Data Stack ∗∗∗ --------------------------------------------- Aqua Nautilus has unveiled a new campaign targeting Apache big-data stack, specifically Apache Hadoop and Apache Druid. Upon investigation, it was discovered that the attacker exploits existing misconfigurations and vulnerabilities within our Apache cloud honeypots to execute the attacks. --------------------------------------------- https://blog.aquasec.com/lucifer-ddos-botnet-malware-is-targeting-apache-bi… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Unified Intelligence Center Insufficient Access Control Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the Live Data server of Cisco Unified Intelligence Center could allow an unauthenticated, local attacker to read and modify data in a repository that belongs to an internal service on an affected device. This vulnerability is due to insufficient access control implementations on cluster configuration CLI requests. An attacker could exploit this vulnerability by sending a cluster configuration CLI request to specific directories on an affected device. --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- In February 2024, the Cisco Product Security Incident Response Team (PSIRT) became aware of additional attempted exploitation of this vulnerability in the wild. Cisco continues to strongly recommend that customers upgrade to a fixed software release to remediate this vulnerability. --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ WS_FTP Server Service Pack (February 2024) ∗∗∗ --------------------------------------------- This article contains the details of the specific updates within the WS_FTP Server February 2024 Service Pack. The Service Pack contains a fix for the newly disclosed CVE described below. Progress highly recommends you apply this Service Pack for product updates and security improvements. For Service Pack content, please review the Service Pack Release Notes and this knowledgebase article carefully. --------------------------------------------- https://community.progress.com/s/article/WS-FTP-Server-Service-Pack-Februar… ∗∗∗ Broadcom schließt Sicherheitslücken in VMware Aria Operations und EAP-Plug-in ∗∗∗ --------------------------------------------- Broadcom verteilt Updates für VMware Aria Operations und das EAP Browser Plug-in. Sie bessern teils kritische Sicherheitslücken aus. --------------------------------------------- https://www.heise.de/-9634714.html ∗∗∗ Firefox und Thunderbird: Neue Versionen liefern Sicherheitsfixes ∗∗∗ --------------------------------------------- Neue Versionen von Firefox, Firefox ESR und Thunderbird stehen bereit. Sie dichten im Kern Sicherheitslücken ab. --------------------------------------------- https://www.heise.de/-9634418.html ∗∗∗ VMSA-2024-0003 ∗∗∗ --------------------------------------------- Addressing Arbitrary Authentication Relay and Session Hijack Vulnerabilities in Deprecated VMware Enhanced Authentication Plug-in (EAP) (CVE-2024-22245, CVE-2024-22250) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2024-0003.html ∗∗∗ VMSA-2024-0004 ∗∗∗ --------------------------------------------- VMware Aria Operations updates address local privilege escalation vulnerability. (CVE-2024-22235) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2024-0004.html ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (linux-firmware and python-reportlab), Debian (unbound), Fedora (freeglut and syncthing), Red Hat (edk2, go-toolset:rhel8, java-1.8.0-ibm, kernel, kernel-rt, mysql:8.0, oniguruma, and python-pillow), Slackware (libuv and mozilla), SUSE (abseil-cpp, grpc, opencensus-proto, protobuf, python- abseil, python-grpcio, re2, bind, dpdk, firefox, hdf5, libssh, libssh2_org, libxml2, mozilla-nss, openssl-1_1, openvswitch, postgresql12, postgresql13, postgresql14, postgresql15, postgresql16, python-aiohttp, python-time-machine, python-pycryptodomex, runc, and webkit2gtk3), and Ubuntu (kernel, libspf2, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, and linux, linux-aws, linux-kvm, linux-lts-xenial). --------------------------------------------- https://lwn.net/Articles/963035/ ∗∗∗ Chrome 122, Firefox 123 Patch High-Severity Vulnerabilities ∗∗∗ --------------------------------------------- Google and Mozilla resolve high-severity memory safety vulnerabilities with the latest Chrome and Firefox updates. --------------------------------------------- https://www.securityweek.com/chrome-122-firefox-123-patch-high-severity-vul… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ K000138649 : GnuTLS vulnerability CVE-2023-5981 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000138649 ∗∗∗ K000138650 : cURL vulnerability CVE-2023-46218 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000138650 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.02.2024
by Daily end-of-shift report 20 Feb '24

20 Feb '24

===================== = End-of-Day report = ===================== Timeframe: Montag 19-02-2024 18:00 − Dienstag 20-02-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Ransomware: Lockbit durch Ermittler zerschlagen - zwei Festnahmen ∗∗∗ --------------------------------------------- Operation Cronos: Je eine Verhaftung in Polen und der Ukraine, Ermittler haben Datenschatz sowie Zugriff auf Kryptogeld und Websites von Lockbit erbeutet. --------------------------------------------- https://www.heise.de/-9633327 ∗∗∗ Hackers exploit critical RCE flaw in Bricks WordPress site builder ∗∗∗ --------------------------------------------- Hackers are actively exploiting a critical remote code execution (RCE) flaw impacting the Brick Builder Theme to run malicious PHP code on vulnerable sites. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-exploit-critical-rce… ∗∗∗ Cactus ransomware claim to steal 1.5TB of Schneider Electric data ∗∗∗ --------------------------------------------- The Cactus ransomware gang claims they stole 1.5TB of data from Schneider Electric after breaching the companys network last month. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cactus-ransomware-claim-to-s… ∗∗∗ Over 28,500 Exchange servers vulnerable to actively exploited bug ∗∗∗ --------------------------------------------- Up to 97,000 Microsoft Exchange servers may be vulnerable to a critical severity privilege escalation flaw tracked as CVE-2024-21410 that hackers are actively exploiting. --------------------------------------------- https://www.bleepingcomputer.com/news/security/over-28-500-exchange-servers… ∗∗∗ Vorsicht vor falschen Microsoft-Sicherheitswarnungen beim Surfen im Internet ∗∗∗ --------------------------------------------- Beim Surfen im Internet taucht plötzlich eine Sicherheitswarnung von Microsoft auf. Darin heißt es, dass Ihr Gerät von einem Virus befallen sei und Sie die „Windowshilfe“ anrufen sollen. Rufen Sie diese Nummer keinesfalls an. Es handelt sich um ein betrügerisches Pop-Up-Fenster. Wenn Sie anrufen, stehlen Kriminelle Daten und Geld! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-falschen-microsoft-sich… ∗∗∗ Astaroth, Mekotio & Ousaban abusing Google Cloud Run in LATAM-focused malware campaigns ∗∗∗ --------------------------------------------- Google Cloud Run is currently being abused in high-volume malware distribution campaigns, spreading several banking trojans such as Astaroth (aka Guildma), Mekotio and Ousaban to targets across Latin America and Europe. The volume of emails associated with these campaigns has significantly increased since September 2023 and we continue to regularly observe new email distribution campaigns. --------------------------------------------- https://blog.talosintelligence.com/google-cloud-run-abuse/ ∗∗∗ A technical analysis of the BackMyData ransomware used to attack hospitals in Romania ∗∗∗ --------------------------------------------- Summary According to BleepingComputer, a ransomware attack that occurred starting 0n February 11 forced 100 hospitals across Romania to take their systems offline. BackMyData ransomware, which took credit for it, belongs to the Phobos family. --------------------------------------------- https://cybergeeks.tech/a-technical-analysis-of-the-backmydata-ransomware-u… ===================== = Vulnerabilities = ===================== ∗∗∗ Critical Flaws Found in ConnectWise ScreenConnect Software - Patch Now ∗∗∗ --------------------------------------------- ConnectWise has released software updates to address two security flaws in its ScreenConnect remote desktop and access software, including a critical bug that could enable remote code execution on affected systems. The vulnerabilities, which currently lack CVE identifiers, are listed below - Authentication bypass using an alternate path or channel (CVSS score: 10.0) - Improper limitation of a pathname to a restricted directory aka "path traversal" (CVSS score: 8.4) --------------------------------------------- https://thehackernews.com/2024/02/critical-flaws-found-in-connectwise.html ∗∗∗ Multiple Stored Cross-Site-Scripting Vulnerabilities in OpenOLAT (Frentix GmbH) ∗∗∗ Several stored XSS vulnerabilities were identified in the open source e-learning application OpenOLAT, as well as missing security measures in the standard configurations regarding content security policy (CSP). [..] The vendor provides a patch which should be installed immediately. --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/mutiple-stored-cross-sit… ∗∗∗ SQL Injection Vulnerability Patched in RSS Aggregator by Feedzy WordPress Plugin ∗∗∗ --------------------------------------------- On February 1st, 2024, during our second Bug Bounty Extravaganza, we received a submission for a SQL Injection vulnerability in RSS Aggregator by Feedzy, a WordPress plugin with more than 50,000+ active installations. The vulnerability enables threat actors with contributor-level permissions or higher to extract sensitive data from the database, such as password hashes. --------------------------------------------- https://www.wordfence.com/blog/2024/02/sql-injection-vulnerability-patched-… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (freeglut, hugin, libmodsecurity, qemu, rust-asyncgit, rust-bat, rust-cargo-c, rust-eza, rust-git-absorb, rust-git-delta, rust-git2, rust-gitui, rust-libgit2-sys, rust-lsd, rust-pore, rust-pretty-git-prompt, rust-shadow-rs, rust-silver, rust-tokei, and rust-vergen), Mageia (packages, radare2, ruby-rack, and wireshark), Oracle (.NET 8.0 and python-pillow), Red Hat (gimp:2.8, java-1.8.0-ibm, and kpatch-patch), SUSE (dpdk and opera), and Ubuntu (bind9, curl, linux-raspi, linux-raspi-5.4, node-ip, and tiff). --------------------------------------------- https://lwn.net/Articles/962881/ ∗∗∗ Zyxel security advisory for multiple vulnerabilities in firewalls and APs ∗∗∗ --------------------------------------------- Zyxel has released patches addressing multiple vulnerabilities in some firewall and access point (AP) versions. Users are advised to install the patches for optimal protection. CVEs: CVE-2023-6397, CVE-2023-6398, CVE-2023-6399, CVE-2023-6764 --------------------------------------------- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-… ∗∗∗ Joomla: [20240205] - Core - Inadequate content filtering within the filter code ∗∗∗ --------------------------------------------- https://developer.joomla.org:443/security-centre/929-20240205-core-inadequa… ∗∗∗ Joomla: [20240204] - Core - XSS in mail address outputs ∗∗∗ --------------------------------------------- https://developer.joomla.org:443/security-centre/928-20240204-core-xss-in-m… ∗∗∗ Joomla: [20240203] - Core - XSS in media selection fields ∗∗∗ --------------------------------------------- https://developer.joomla.org:443/security-centre/927-20240203-core-xss-in-m… ∗∗∗ Joomla: [20240202] - Core - Open redirect in installation application ∗∗∗ --------------------------------------------- https://developer.joomla.org:443/security-centre/926-20240202-core-open-red… ∗∗∗ Joomla: [20240201] - Core - Insufficient session expiration in MFA management views ∗∗∗ --------------------------------------------- https://developer.joomla.org:443/security-centre/925-20240201-core-insuffic… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Mozilla: Security Vulnerabilities fixed in Firefox 123 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2024-05/ ∗∗∗ MISP 2.4.185 released with sighting performance improvements, security and bugs fixes. ∗∗∗ --------------------------------------------- https://github.com/MISP/MISP/releases/tag/v2.4.185 ∗∗∗ Ethercat Zeek Plugin ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-051-02 ∗∗∗ Mitsubishi Electric Electrical Discharge Machines ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-051-03 ∗∗∗ Commend WS203VICM ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-051-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.02.2024
by Daily end-of-shift report 19 Feb '24

19 Feb '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 16-02-2024 18:00 − Montag 19-02-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Anatsa Android malware downloaded 150,000 times via Google Play ∗∗∗ --------------------------------------------- The Anatsa banking trojan has been targeting users in Europe by infecting Android devices through malware droppers hosted on Google Play. --------------------------------------------- https://www.bleepingcomputer.com/news/security/anatsa-android-malware-downl… ∗∗∗ Mirai-Mirai On The Wall... [Guest Diary], (Sun, Feb 18th) ∗∗∗ --------------------------------------------- This article is about one of the ways attackers on the open Internet are attempting to use the Mirai Botnet [1][2] malware to exploit vulnerabilities on exposed IoT devices. --------------------------------------------- https://isc.sans.edu/diary/rss/30658 ∗∗∗ Remote Access Trojan (RAT): Types, Mitigation & Removal ∗∗∗ --------------------------------------------- Remote Access Trojans (RATs) are a serious threat capable of giving attackers control over infected systems. This malware stealthily enters systems (often disguised as legitimate software or by exploiting a vulnerability in the system) and opens backdoors for attackers to perform a wide range of malicious activities on the victim’s computer. This blog post is designed to educate readers on RATs - how they work, the risks they pose, and how to protect against them. --------------------------------------------- https://blog.sucuri.net/2024/02/remote-access-trojan-rat-types-mitigation-r… ∗∗∗ The scary DNS “KeyTrap” bug explained in plain words ∗∗∗ --------------------------------------------- If you were following the IT media last week, you’d have been forgiven for awaiting the imminent implosion of the internet, with DNS itself in desperate danger. [...] Obviously, the next step is for the community to update the DNSSEC specifications, and thereby to protect proactively against this sort of extreme denial-of-service attack by building in new precautions for everyone to follow. --------------------------------------------- https://pducklin.com/2024/02/18/the-scary-dns-keytrap-bug-explained-in-plai… ∗∗∗ KI: OpenAI und Microsoft schließen Konten staatlicher Bedrohungsakteure ∗∗∗ --------------------------------------------- Microsoft und OpenAI haben Konten mutmaßlicher staatlicher Bedrohungsakteure geschlossen, die ChatGPT für kriminelle Zwecke nutzten. --------------------------------------------- https://www.heise.de/-9631899.html ∗∗∗ Mastodon: Spamwelle zeigt Schwächen auf und weckt Sorge vor schlimmerer Methode ∗∗∗ --------------------------------------------- Seit Tagen klagen einige User auf Mastodon über eine Spamwelle. Der liegen automatisierte Angriffe auf unzureichend geschützte Teile des Fediverse zugrunde. --------------------------------------------- https://www.heise.de/-9632055.html ∗∗∗ CVE Prioritizer: Open-source tool to prioritize vulnerability patching ∗∗∗ --------------------------------------------- CVE Prioritizer is an open-source tool designed to assist in prioritizing the patching of vulnerabilities. It integrates data from CVSS, EPSS, and CISA’s KEV catalog to offer insights into the probability of exploitation and the potential effects of vulnerabilities on your systems. --------------------------------------------- https://www.helpnetsecurity.com/2024/02/19/cve-prioritizer-open-source-vuln… ∗∗∗ Why keeping track of user accounts is important ∗∗∗ --------------------------------------------- CISA has issued an advisory after the discovery of documents containing information about a state government organization’s network environment on a dark web brokerage site. --------------------------------------------- https://www.malwarebytes.com/blog/news/2024/02/why-keeping-track-of-user-ac… ∗∗∗ Gefälschtes Flixbus-Angebot: „Verlorenes Gepäck für 2 Euro“ ∗∗∗ --------------------------------------------- Auf Facebook und Instagram kursiert eine gefälschte Flixbus-Werbung. In der Anzeige steht, dass Flixbus angeblich verlorenes Gepäck um 2 Euro verkauft. Geködert werden Sie mit dem Versprechen, dass sich in den Koffern oft Handys, Laptops oder Schmuck befinden. Es handelt sich aber um eine Abo-Falle. --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschtes-flixbus-angebot-verlore… ∗∗∗ The Most Dangerous Entra Role You’ve (Probably) Never Heard Of ∗∗∗ --------------------------------------------- Entra ID has a built-in role called “Partner Tier2 Support” that enables escalation to Global Admin, but [...] --------------------------------------------- https://posts.specterops.io/the-most-dangerous-entra-role-youve-probably-ne… ===================== = Vulnerabilities = ===================== ∗∗∗ CVE-2024-23724: Ghost CMS Stored XSS Leading to Owner Takeover ∗∗∗ --------------------------------------------- During research on the Ghost CMS application, the Rhino research team identified a Stored Cross-Site Scripting (XSS) vulnerability which can be triggered by a malicious profile image. [...] The vendor does not view this as a valid vector so will not be releasing an official patch, but it’s important to us at Rhino to not release unpatched vulnerabilities. While this is a unique case, we’ve decided to make the patch ourselves [...] --------------------------------------------- https://rhinosecuritylabs.com/research/cve-2024-23724-ghost-cms-stored-xss/ ∗∗∗ Solarwinds: Codeschmuggel möglich, Updates verfügbar ∗∗∗ --------------------------------------------- Solarwinds schließt Sicherheitslücken in Access Rights Manager und Platform (Orion). Angreifer können Schadcode einschleusen. --------------------------------------------- https://www.heise.de/-9632541.html ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (engrampa, openvswitch, pdns-recursor, and runc), Fedora (caddy, expat, freerdp, libgit2, libgit2_1.6, mbedtls, python-cryptography, qt5-qtbase, and sudo), Gentoo (Apache Log4j, Chromium, Google Chrome, Microsoft Edge, CUPS, e2fsprogs, Exim, firefox, Glade, GNU Tar, intel-microcode, libcaca, QtNetwork, QtWebEngine, Samba, Seamonkey, TACACS+, Thunar, and thunderbird), Mageia (dnsmasq, unbound, and vim), Oracle (container-tools:4.0, container-tools:ol8, dotnet6.0, dotnet7.0, kernel, nss, openssh, and sudo), Red Hat (python-pillow), and SUSE (bitcoin, dpdk, libssh, openvswitch, postgresql12, and postgresql13). --------------------------------------------- https://lwn.net/Articles/962753/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ ADS-TEC Industrial IT: Docker vulnerability affects multiple products ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2024-016/ ∗∗∗ K000138640 : Perl vulnerability CVE-2023-47038 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000138640 ∗∗∗ K000138641 : cURL vulnerability CVE-2023-46219 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000138641 ∗∗∗ K000138643 : OpenSSH vulnerability CVE-2023-51767 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000138643 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.02.2024
by Daily end-of-shift report 16 Feb '24

16 Feb '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 15-02-2024 18:00 − Freitag 16-02-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ RansomHouse gang automates VMware ESXi attacks with new MrAgent tool ∗∗∗ --------------------------------------------- The RansomHouse ransomware operation has created a new tool named MrAgent that automates the deployment of its data encrypter across multiple VMware ESXi hypervisors. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ransomhouse-gang-automates-v… ∗∗∗ Berliner Kritis-Lieferant: PSI Software nimmt Systeme nach Cyberangriff offline ∗∗∗ --------------------------------------------- Der Softwarekonzern beliefert unter anderem Betreiber von Energienetzen und Verkehrsinfrastrukturen sowie Kunden aus den Bereichen Industrie und Logistik. --------------------------------------------- https://www.golem.de/news/berliner-kritis-lieferant-psi-software-nimmt-syst… ∗∗∗ Phishing und Spoofing: BSI gibt Hinweise zur E-Mail-Authentifizierung ∗∗∗ --------------------------------------------- Gewappnet mit Standards wie SPF, DKIM und DMARC könnten Anbieter selbst neue Angriffe wie SMTP-Smuggling erschweren, heißt es in einer Technischen Richtlinie. --------------------------------------------- https://www.heise.de/-9631309 ∗∗∗ F5 behebt 20 Sicherheitslücken in Big-IP-Loadbalancer, WAF und nginx ∗∗∗ --------------------------------------------- Unter anderem konnten Angreifer eigenen Code in den Loadbalancer einschmuggeln, nginx hingegen verschluckte sich an HTTP3/QUIC-Anfragen. --------------------------------------------- https://www.heise.de/-9629983 ∗∗∗ Falsche DHL-Boten fordern am Telefon SMS-Code für vermeintliche Paketzustellung ∗∗∗ --------------------------------------------- Kriminelle ergaunern SMS-Codes für Paket-Zustellungen. Dabei geben sich die Täter gegenüber potenziellen Opfern als angebliche DHL-Mitarbeiter aus. --------------------------------------------- https://www.heise.de/-9630541 ∗∗∗ Alpha Ransomware Emerges From NetWalker Ashes ∗∗∗ --------------------------------------------- Alpha, a new ransomware that first appeared in February 2023 and stepped up its operations in recent weeks, has strong similarities to the long-defunct NetWalker ransomware, which disappeared in January 2021 following an international law enforcement operation. --------------------------------------------- https://symantec-enterprise-blogs.security.com/threat-intelligence/alpha-ne… ===================== = Vulnerabilities = ===================== ∗∗∗ CISA Warning: Akira Ransomware Exploiting Cisco ASA/FTD Vulnerability ∗∗∗ --------------------------------------------- The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a now-patched security flaw impacting Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software to its Known Exploited Vulnerabilities (KEV) catalog, following reports that its being likely exploited in Akira ransomware attacks. --------------------------------------------- https://thehackernews.com/2024/02/cisa-warning-akira-ransomware.html ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Mageia (bind), Red Hat (.NET 8.0 and kpatch-patch), SUSE (golang-github-prometheus-alertmanager, java-1_8_0-openj9, kernel, libaom, openssl-3, postgresql15, salt, SUSE Manager Client Tools, SUSE Manager Server 4.3, and webkit2gtk3), and Ubuntu (shadow). --------------------------------------------- https://lwn.net/Articles/962506/ ∗∗∗ Eight Vulnerabilities Disclosed in the AI Development Supply Chain ∗∗∗ --------------------------------------------- Details of eight vulnerabilities found in the open source supply chain used to develop in-house AI and ML models have been disclosed. All have CVE numbers, one has critical severity, and seven have high severity. [..] They are: CVE-2023-6975: arbitrary file write in MLFLow, CVSS 9.8, CVE-2023-6753: arbitrary file write on Windows in MLFlow, CVSS 9.6, CVE-2023-6730: RCE in Hugging Face Transformers via RagRetriever.from_pretrained(), CVSS 9.0, CVE-2023-6940: server side template injection bypass in MLFlow, CVSS 9.0, CVE-2023-6976: arbitrary file upload patch bypass in MLFlow, CVSS 8.8, CVE-2023-31036: RCE via arbitrary file overwrite in Triton Inference Server, CVSS 7.5, CVE-2023-6909: local file inclusion in MLFlow, CVSS 7.5, CVE-2024-0964: LFI in Gradio, CVSS 7.5 --------------------------------------------- https://www.securityweek.com/eight-vulnerabilities-disclosed-in-the-ai-deve… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.02.2024
by Daily end-of-shift report 15 Feb '24

15 Feb '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 14-02-2024 18:00 − Donnerstag 15-02-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Warnung vor kritischer Outlook RCE-Schwachstelle CVE-2024-21413 ∗∗∗ --------------------------------------------- In Microsoft Outlook wurde eine als kritisch eingestufte CVE-2024-21413 bekannt, die mit den Februar 2024 Sicherheitsupdates geschlossen wird. Die Remote Code Execution-Schwachstelle lässt sich geradezu trivial ausnutzen. [..] Die von Checkpoint Security aufgedeckte Schwachstelle ermöglicht einem Angreifer die geschützte Office-Ansicht zu umgehen und das Dokument im Bearbeitungsmodus statt im geschützten Modus zu öffnen. [..] Dazu muss der Angreifer einen bösartigen Link erstellen, der das Protected View-Protokoll umgeht. Das führt dann zum Abfluss lokaler NTLM-Anmeldeinformationen und zur Remotecodeausführung (RCE). --------------------------------------------- https://www.borncity.com/blog/2024/02/15/warnung-vor-kritischer-outlook-rce… ∗∗∗ Nachlese zu CU 14 für Exchange 2019 und Schwachstelle CVE-2024-21410 (Feb. 2024) ∗∗∗ --------------------------------------------- Zum 13. Februar 2024 wurde ja eine kritische Schwachstelle CVE-2024-21410 in Microsoft Exchange Server öffentlich. [..] Was ist mit Exchange Server 2016 und was muss ich tun, um vor CVE-2024-21410 geschützt zu sein. Hier eine Nachlese mit einem groben Abriss. --------------------------------------------- https://www.borncity.com/blog/2024/02/15/nachlese-zu-cu-14-fr-exchange-2019… ∗∗∗ New ‘Gold Pickaxe’ Android, iOS malware steals your face for fraud ∗∗∗ --------------------------------------------- A new iOS and Android trojan named GoldPickaxe employs a social engineering scheme to trick victims into scanning their faces and ID documents, which are believed to be used to generate deepfakes for unauthorized banking access. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-gold-pickaxe-android-ios… ∗∗∗ QR Phishing. Fact or Fiction? ∗∗∗ --------------------------------------------- To understand the attack you need understand the challenge that the attacker faces. Currently, most initial access attempts are carried out with social engineering, commonly phishing. Why is that? Well, it looks like people have finally got good at patching. According to the 2022 Verizon data breach incident report only 5% of data breaches investigated by them were caused by software vulnerabilities. --------------------------------------------- https://www.pentestpartners.com/security-blog/qr-phishing-fact-or-fiction/ ∗∗∗ Vorsicht vor dieser Fake Erste Bank SMS ∗∗∗ --------------------------------------------- Kriminelle versenden SMS im Namen der Erste Bank bzw. George. Darin behaupten sie, dass eine Überweisung über einen hohen Geldbetrag freigegeben oder ein Darlehen aufgenommen wurde und bitten um Kontaktaufnahmen. Kontaktieren Sie nicht die angegebene Nummer, Sie werden dazu verleitet Schadsoftware zu installieren! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-dieser-fake-erste-bank-… ∗∗∗ The Complete Guide to Advanced Persistent Threats ∗∗∗ --------------------------------------------- Understanding the mechanics and implications of APTs is essential to safeguard organizations and individuals. In this comprehensive guide, we explore the world of APTs, explaining their nature, mechanisms, and the best strategies to counteract them. --------------------------------------------- https://www.emsisoft.com/en/blog/44815/the-complete-guide-to-advanced-persi… ∗∗∗ TinyTurla Next Generation - Turla APT spies on Polish NGOs ∗∗∗ --------------------------------------------- Talos, in cooperation with CERT.NGO, investigated another compromise by the Turla threat actor, with a new backdoor quite similar to TinyTurla, that we are calling TinyTurla-NG (TTNG). [..] Talos identified the existence of three different TinyTurla-NG samples, but only obtained access to two of them. This campaign’s earliest compromise date was Dec. 18, 2023, and was still active as recently as Jan. 27, 2024. However, we assess that the campaign may have started as early as November 2023 based on malware compilation dates. --------------------------------------------- https://blog.talosintelligence.com/tinyturla-next-generation/ ===================== = Vulnerabilities = ===================== ∗∗∗ AlphaESS Wechselrichter: WLAN-Zugang mit unveränderlichem Passwort ∗∗∗ --------------------------------------------- Wechselrichter und Speichersysteme von AlphaESS kommen mit optionalem WLAN-Modul. Das spannt einen Zugangspunkt mit Standard-Passwort auf. --------------------------------------------- https://www.heise.de/-9628912 ∗∗∗ Node.js: Sicherheitsupdates beheben Codeschmuggel und Serverabstürze ∗∗∗ --------------------------------------------- Neben Problemen im Kern des Projekts aktualisiert das Node-Projekt auch einige externe Bibliotheken. --------------------------------------------- https://www.heise.de/-9629299 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (edk2, postgresql-13, and postgresql-15), Fedora (engrampa, vim, and xen), Mageia (mbedtls and quictls), Oracle (nss, openssh, and tcpdump), Red Hat (.NET 8.0), SUSE (hugin, kernel, pdns-recursor, python3, tomcat, and tomcat10), and Ubuntu (clamav, edk2, linux-gcp-6.2, linux-intel-iotg-5.15, linux-oem-6.1, and ujson). --------------------------------------------- https://lwn.net/Articles/962284/ ∗∗∗ Drupal: CKEditor 4 LTS - WYSIWYG HTML editor - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-009 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2024-009 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (February 5, 2024 to February 11, 2024) ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2024/02/wordfence-intelligence-weekly-wordpr… ∗∗∗ Autodesk: ZDI reported security vulnerabilities in the Autodesk AutoCAD Desktop Software ∗∗∗ --------------------------------------------- https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0002 ∗∗∗ Palo Alto: CVE-2024-0011 PAN-OS: Reflected Cross-Site Scripting (XSS) Vulnerability in Captive Portal Authentication (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2024-0011 ∗∗∗ Palo Alto: CVE-2024-0008 PAN-OS: Insufficient Session Expiration Vulnerability in the Web Interface (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2024-0008 ∗∗∗ Palo Alto: CVE-2024-0010 PAN-OS: Reflected Cross-Site Scripting (XSS) Vulnerability in GlobalProtect Portal (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2024-0010 ∗∗∗ Palo Alto: CVE-2024-0007 PAN-OS: Stored Cross-Site Scripting (XSS) Vulnerability in the Panorama Web Interface (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2024-0007 ∗∗∗ Palo Alto: CVE-2024-0009 PAN-OS: Improper IP Address Verification in GlobalProtect Gateway (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2024-0009 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.02.2024
by Daily end-of-shift report 14 Feb '24

14 Feb '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 13-02-2024 18:00 − Mittwoch 14-02-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Ubuntu command-not-found tool can be abused to spread malware ∗∗∗ --------------------------------------------- A logic flaw between Ubuntus command-not-found package suggestion system and the snap package repository could enable attackers to promote malicious Linux packages to unsuspecting users. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ubuntu-command-not-found-too… ∗∗∗ Security review for Microsoft Edge version 121 ∗∗∗ --------------------------------------------- Microsoft Edge version 121 introduced 11 new computer settings and 11 new user settings. We have included a spreadsheet listing the new settings in the release to make it easier for you to find them. --------------------------------------------- https://techcommunity.microsoft.com/t5/microsoft-security-baselines/securit… ∗∗∗ Fake-Angebote für Samsungs Galaxy S24, S24+ und S24 Ultra mit Nachnahmezahlung! ∗∗∗ --------------------------------------------- Vor wenigen Wochen hat Samsung das Galaxy S24, das Galaxy S24+ sowie das Galaxy S24 Ultra vorgestellt. Die Preise für die neuen Geräte bewegen sich zum Marktstart zwischen 780 und 1800 Euro für die unterschiedlichen Modelle. Um vieles billiger versprechen Kriminelle das Gerät. Für 269 Euro per Nachnahme gibt es das teuerste Gerät auf shop.mgmmgme.shop. So viel ist sicher: Das versprochene Gerät wird hier nie geliefert und Zahlungen per Nachnahme sind verloren. --------------------------------------------- https://www.watchlist-internet.at/news/fake-angebote-fuer-samsungs-galaxy-s… ∗∗∗ The Risks of the #MonikerLink Bug in Microsoft Outlook and the Big Picture ∗∗∗ --------------------------------------------- Recently, Check Point Research released a white paper titled “The Obvious, the Normal, and the Advanced: A Comprehensive Analysis of Outlook Attack Vectors”, detailing various attack vectors on Outlook to help the industry understand the security risks the popular Outlook app may bring into organizations. As mentioned in the paper, we discovered an interesting security issue in Outlook when the app handles specific hyperlinks. In this blog post, we will share our research on the issue with the security community and help defend against it. We will also highlight the broader impact of this bug in other software. --------------------------------------------- https://research.checkpoint.com/2024/the-risks-of-the-monikerlink-bug-in-mi… ∗∗∗ TicTacToe Dropper ∗∗∗ --------------------------------------------- We analyzed multiple samples of this dropper. The executable malware file was usually delivered through an .iso file. From cases directly observed in the wild, these iso files were delivered to the victim via phishing as an attachment (T1566.001). This technique of packing malware inside an iso file is typically employed to avoid detection by antivirus software and as a mark-of-the-web (MOTW) bypass technique (T1553.005). --------------------------------------------- https://feeds.fortinet.com/~/869921006/0/fortinet/blogs~TicTacToe-Dropper ===================== = Vulnerabilities = ===================== ∗∗∗ Patchday: Adobe schließt Schadcode-Lücken in Acrobat & Co. ∗∗∗ --------------------------------------------- Für mehrere Adobe-Produkte sind wichtige Sicherheitsupdates erschienen. Damit haben die Entwickler unter anderem kritische Schwachstellen geschlossen. --------------------------------------------- https://www.heise.de-9627753 ∗∗∗ Webkonferenz-Tool Zoom: Rechteausweitung durch kritische Schwachstelle ∗∗∗ --------------------------------------------- Zoom warnt vor mehreren Schwachstellen in den Produkten des Unternehmens. Eine gilt als kritisches Sicherheitsrisiko. --------------------------------------------- https://www.heise.de/-9627817 ∗∗∗ Microsoft Security Update Summary (13. Februar 2024) ∗∗∗ --------------------------------------------- Am 13. Februar 2024 hat Microsoft Sicherheitsupdates für Windows-Clients und -Server, für Office – sowie für weitere Produkte – veröffentlicht. Die Sicherheitsupdates beseitigen 73 Schwachstellen (CVEs), zwei sind 0-day Sicherheitslücken, die bereits ausgenutzt werden. --------------------------------------------- https://www.borncity.com/blog/2024/02/13/microsoft-security-update-summary-… ∗∗∗ Released: 2024 H1 Cumulative Update for Exchange Server ∗∗∗ --------------------------------------------- Today we are announcing the availability of the 2024 H1 Cumulative Update (CU) for Exchange Server 2019 (aka CU14). CU14 includes fixes for customer reported issues, a security change, and all previously released Security Updates (SUs). --------------------------------------------- https://techcommunity.microsoft.com/t5/exchange-team-blog/released-2024-h1-… ∗∗∗ Chipmaker Patch Tuesday: AMD and Intel Patch Over 100 Vulnerabilities ∗∗∗ --------------------------------------------- AMD and Intel patch dozens of vulnerabilities on February 2024 Patch Tuesday, including multiple high-severity bugs.The post Chipmaker Patch Tuesday: AMD and Intel Patch Over 100 Vulnerabilities appeared first on SecurityWeek. --------------------------------------------- https://www.securityweek.com/chipmaker-patch-tuesday-amd-and-intel-patch-ov… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (bind9 and unbound), Fedora (clamav, firecracker, libkrun, rust-event-manager, rust-kvm-bindings, rust-kvm-ioctls, rust-linux-loader, rust-userfaultfd, rust-versionize, rust-vhost, rust-vhost-user-backend, rust-virtio-queue, rust-vm-memory, rust-vm-superio, rust-vmm-sys-util, and virtiofsd), Red Hat (.NET 6.0, dotnet6.0, and dotnet7.0), Slackware (bind and dnsmasq), and Ubuntu (dotnet6, dotnet7, dotnet8, linux-lowlatency, linux-raspi, linux-nvidia-6.2, and ujson). --------------------------------------------- https://lwn.net/Articles/962077/ ∗∗∗ F5: K000138353 : Quarterly Security Notification (February 2024) ∗∗∗ --------------------------------------------- On February 14, 2024, F5 announced the following security issues. This document is intended to serve as an overview of these vulnerabilities and security exposures to help determine the impact to your F5 devices. You can find the details of each issue in the associated articles. --------------------------------------------- https://my.f5.com/manage/s/article/K000138353 ∗∗∗ F5: K98606833 : BIG-IP and BIG-IQ scp vulnerability CVE-2024-21782 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K98606833 ∗∗∗ F5: K91054692 : BIG-IP Appliance mode iAppsLX vulnerability CVE-2024-23976 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K91054692 ∗∗∗ F5: K000137521 : BIG-IP AFM vulnerability CVE-2024-21763 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000137521 ∗∗∗ F5: K000137334 : F5 Application Visibility and Reporting module and BIG-IP Advanced WAF/ASM vulnerability CVE-2024-23805 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000137334 ∗∗∗ 2024-02-14: Cyber Security Advisory - B&R APROL SSH service vulnerable to Terrapin attack ∗∗∗ --------------------------------------------- https://www.br-automation.com/fileadmin/SA24P004_SSH_Service_Vulnerable_To_… ∗∗∗ tenable: [R1] Security Center Version 6.3.0 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2024-02 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Lenovo Security Advisories ∗∗∗ --------------------------------------------- https://support.lenovo.com/at/en/product_security/home -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.02.2024
by Daily end-of-shift report 13 Feb '24

13 Feb '24

===================== = End-of-Day report = ===================== Timeframe: Montag 12-02-2024 18:00 − Dienstag 13-02-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ The (D)Evolution of Pikabot ∗∗∗ --------------------------------------------- Pikabot is a malware loader that originally emerged in early 2023. Over the past year, ThreatLabz has been tracking the development of Pikabot and its modus operandi. There was a significant increase in usage in the second half of 2023 following the FBI-led takedown of Qakbot. This was likely the result of a BlackBasta ransomware affiliate replacing Qakbot with Pikabot for initial access. However, Pikabot ceased activity shortly after Christmas 2023, with its version number being 1.1.19 at that time. In recent campaigns, which started in February 2024, Pikabot reemerged with significant changes in its code base and structure. --------------------------------------------- https://www.zscaler.com/blogs/security-research/d-evolution-pikabot ∗∗∗ GMX, Web.de, Online-Dienste: Angriffe auf Zugangsdaten nehmen zu ∗∗∗ --------------------------------------------- Etwas alarmistisch melden einige Medien, dass es vermehrt Angriffe auf Zugangskonten von GMX oder Web.de gebe, die unter anderem sehr populäre Webmail-Dienste bereitstellen. Es werden dort bei zahlreichen Konten sehr hohe Zahlen für fehlerhafte Log-in-Versuche angezeigt. Es handelt sich offenbar um die alltäglichen Angriffe auf Zugangsdaten von Cyberkriminellen, die versuchen, mit gestohlenen Accountinformationen auf Online-Dienste zuzugreifen. --------------------------------------------- https://www.heise.de/-9626994 ∗∗∗ Vorsicht vor gefälschten WKÖ-E-Mails ∗∗∗ --------------------------------------------- Kriminelle geben sich als Wirtschaftskammer Österreich aus und bitten Unternehmen in einem E-Mail, Kontaktdaten zu aktualisieren. Klicken Sie keinesfalls auf den Link, Sie werden auf eine gefälschte WKÖ-Seite geführt. Dort stehlen Kriminelle Firmen- und Bankdaten. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-gefaelschten-wkoe-e-mai… ∗∗∗ Directory.ReadWrite.All Is Not As Powerful As You Might Think ∗∗∗ --------------------------------------------- Directory.ReadWrite.All is an MS Graph permission that is frequently cited as granting high amounts of privilege, even being equated to the Global Admin Entra ID role [..] Misleading or incorrect documentation create most of the misconceptions regarding this permission. --------------------------------------------- https://posts.specterops.io/directory-readwrite-all-is-not-as-powerful-as-y… ∗∗∗ Ongoing Microsoft Azure account hijacking campaign targets executives ∗∗∗ --------------------------------------------- A phishing campaign detected in late November 2023 has compromised hundreds of user accounts in dozens of Microsoft Azure environments, including those of senior executives. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ongoing-microsoft-azure-acco… ∗∗∗ Fileless Revenge RAT Malware ∗∗∗ --------------------------------------------- AhnLab SEcurity intelligence Center (ASEC) recently discovered the distribution of Revenge RAT malware that had been developed based on legitimate tools. It appears that the attackers have used tools such as ‘smtp-validator’ and ‘Email To Sms’. At the time of execution, the malware creates and runs both a legitimate tool and a malicious file, making it difficult for users to realize that a malicious activity has occurred. --------------------------------------------- https://asec.ahnlab.com/en/61584/ ===================== = Vulnerabilities = ===================== ∗∗∗ Request Tracker Write-up (CVE-2023-41259, CVE-2023-41260) ∗∗∗ --------------------------------------------- Without authentication we were able to extract file-attachments that were uploaded to RT, including e-mails received from and to users regarding tickets and issues. We also found it was possible to obtain information about tickets and users. --------------------------------------------- https://www.linkedin.com/pulse/request-tracker-write-up-tom-wolters-ygsae ∗∗∗ PowerDNS Security Advisory 2024-01: crafted DNSSEC records in a zone can lead to a denial of service in Recursor ∗∗∗ --------------------------------------------- An attacker can publish a zone that contains crafted DNSSEC related records. While validating results from queries to that zone using the RFC mandated algorithms, the Recursor’s resource usage can become so high that processing of other queries is impacted, resulting in a denial of service. Note that any resolver following the RFCs can be impacted, this is not a problem of this particular implementation. --------------------------------------------- https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-202… ∗∗∗ DNS-Server: Bind und Unbound stolpern über Sicherheitslücke "KeyTrap" ∗∗∗ --------------------------------------------- Mit einer präparierten DNS-Anfrage können Angreifer eine hohe Prozessorlast verursachen und den Dienst für legitime Nutzer so blockieren. Patches stehen bereit. --------------------------------------------- https://www.heise.de/-9627276 ∗∗∗ Sicherheitslücken: Angreifer können Dell Unity kompromittieren ∗∗∗ --------------------------------------------- Die Fehler stecken in Dell Unity Operating Enviroment (OE). Die Entwickler geben an, die Ausgabe 5.4.0.0.5.094 repariert zu haben. Von den Sicherheitsproblemen sind unter anderem Dell EMC Unity, Dell EMC Unity XT 380F und Dell EMC Unity Hybrid betroffen. Alle verwundbaren Produkte sind in der Warnmeldung aufgelistet. --------------------------------------------- https://www.heise.de/-9626407 ∗∗∗ Qnap: Sicherheitslücken in Firmware erlauben Einschleusen von Befehlen ∗∗∗ --------------------------------------------- In der Sicherheitswarnung schreibt Qnap, dass es sich um zwei Schwachstellen handelt. Die Beschreibung für beide lautet: Eine Befehlsschmuggel-Schwachstelle wurde in mehreren Qnap-Betriebssystemversionen gemeldet. Sofern sie missbraucht werden, erlauben sie Nutzern, Befehle über das Netzwerk auszuführen (CVE-2023-47218, CVE-2023-50358, CVSS 5.8, Risiko "mittel"). --------------------------------------------- https://www.heise.de/-9626319 ∗∗∗ SAP patcht: 13 Sicherheitslücken abgedichtet ∗∗∗ --------------------------------------------- SAP verteilt Software-Updates, die Schwachstellen aus 13 Sicherheitsmitteilungen ausbessern. Eine Lücke ist kritisch. --------------------------------------------- https://www.heise.de/-9626592 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (clamav and virtiofsd), Oracle (gimp), Red Hat (gnutls and nss), SUSE (kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t and squid), and Ubuntu (openssl). --------------------------------------------- https://lwn.net/Articles/961937/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ TYPO3 Security Advisories ∗∗∗ --------------------------------------------- https://typo3.org/help/security-advisories ∗∗∗ Autodesk: Multiple Vulnerabilities in Autodesk InfraWorks software ∗∗∗ --------------------------------------------- https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0001 ∗∗∗ Mitsubishi Electric MELSEC iQ-R Series Safety CPU ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-044-01 ∗∗∗ HIMA: Multiple products affected by DoS and Port-Based-VLAN Crossing ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2024-013/ ∗∗∗ Schneider Electric Security Advisories ∗∗∗ --------------------------------------------- https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.… ∗∗∗ SSA-943925 V1.0: Multiple Vulnerabilities in SINEC NMS before V2.0 SP1 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-943925.html ∗∗∗ SSA-871717 V1.0: Multiple Vulnerabilities in Polarion ALM ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-871717.html ∗∗∗ SSA-806742 V1.0: Multiple Vulnerabilities in SCALANCE XCM-/XRM-300 before V2.4 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-806742.html ∗∗∗ SSA-797296 V1.0: XT File Parsing Vulnerability in Parasolid ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-797296.html ∗∗∗ SSA-753746 V1.0: Denial of Service Vulnerabilities in SIMATIC WinCC Affecting Other SIMATIC Software Products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-753746.html ∗∗∗ SSA-716164 V1.0: Multiple Vulnerabilities in Scalance W1750D ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-716164.html ∗∗∗ SSA-665034 V1.0: Vulnerability in Nozomi Guardian/CMC before 23.3.0 on RUGGEDCOM APE1808 devices ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-665034.html ∗∗∗ SSA-647068 V1.0: Ripple20 in SIMATIC RTLS Gateways ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-647068.html ∗∗∗ SSA-602936 V1.0: Multiple Vulnerabilities in SCALANCE SC-600 Family before V3.1 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-602936.html ∗∗∗ SSA-580228 V1.0: Use of Hard-Coded Credentials Vulnerability in Location Intelligence before V4.3 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-580228.html ∗∗∗ SSA-543502 V1.0: Local Privilege Escalation Vulnerability in Unicam FX ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-543502.html ∗∗∗ SSA-516818 V1.0: TCP Sequence Number Validation Vulnerability in the TCP/IP Stack of CP343-1 Devices ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-516818.html ∗∗∗ SSA-108696 V1.0: Multiple Vulnerabilities in SIDIS Prime before V4.0.400 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-108696.html ∗∗∗ SSA-017796 V1.0: Multiple File Parsing Vulnerabilities in Tecnomatix Plant Simulation ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-017796.html ∗∗∗ SSA-000072 V1.0: Multiple File Parsing Vulnerabilities in Simcenter Femap ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-000072.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.02.2024
by Daily end-of-shift report 12 Feb '24

12 Feb '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 09-02-2024 18:00 − Montag 12-02-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Free Rhysida ransomware decryptor for Windows exploits RNG flaw ∗∗∗ --------------------------------------------- South Korean researchers have publicly disclosed an encryption flaw in the Rhysida ransomware encryptor, allowing the creation of a Windows decryptor to recover files for free. --------------------------------------------- https://www.bleepingcomputer.com/news/security/free-rhysida-ransomware-decr… ∗∗∗ Hackers exploit Ivanti SSRF flaw to deploy new DSLog backdoor ∗∗∗ --------------------------------------------- Hackers are exploiting a server-side request forgery (SSRF) vulnerability in Ivanti Connect Secure, Policy Secure, and ZTA gateways to deploy the new DSLog backdoor on vulnerable devices. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-exploit-ivanti-ssrf-… ∗∗∗ Exploit against Unnamed "Bytevalue" router vulnerability included in Mirai Bot, (Mon, Feb 12th) ∗∗∗ --------------------------------------------- Today, I noticed the following URL showing up in our "First Seen" list: [...] --------------------------------------------- https://isc.sans.edu/diary/rss/30642 ∗∗∗ Microsoft Defender: Der Erkennung mit Komma entgehen ∗∗∗ --------------------------------------------- Ein IT-Forscher hat entdeckt, dass sich die Erkennung des Microsoft Defenders mit einem Komma austricksen lässt. --------------------------------------------- https://www.heise.de/-9625770.html ∗∗∗ SiCat: Open-source exploit finder ∗∗∗ --------------------------------------------- SiCat is an open-source tool for exploit research designed to source and compile information about exploits from open channels and internal databases. Its primary aim is to assist in cybersecurity, enabling users to search the internet for potential vulnerabilities and corresponding exploits. --------------------------------------------- https://www.helpnetsecurity.com/2024/02/12/sicat-open-source-exploit-finder/ ∗∗∗ Warzone RAT Shut Down by Law Enforcement, Two Arrested ∗∗∗ --------------------------------------------- Warzone RAT dismantled in international law enforcement operation that also involved arrests of suspects in Malta and Nigeria. --------------------------------------------- https://www.securityweek.com/warzone-rat-shut-down-by-law-enforcement-two-a… ∗∗∗ Diving Into Gluptebas UEFI Bootkit ∗∗∗ --------------------------------------------- A 2023 Glupteba campaign includes an unreported feature - a UEFI bootkit. We analyze its complex architecture and how this botnet has evolved. --------------------------------------------- https://unit42.paloaltonetworks.com/glupteba-malware-uefi-bootkit/ ∗∗∗ Bitdefender warnt vor neuer Backdoor für macOS ∗∗∗ --------------------------------------------- Sie bleibt vermutlich mindestens drei Monate unentdeckt. RustDoor erlaubt die gezielte Suche nach Daten und deren Übertragung an einen externen Server. --------------------------------------------- https://www.zdnet.de/88414203/bitdefender-warnt-vor-neuer-backdoor-fuer-mac… ∗∗∗ Angreifer spoofen Temu ∗∗∗ --------------------------------------------- Die Popularität des E-Commerce-Shops lockt Betrüger, die sich auf gefälschte Werbegeschenkcodes spezialisieren. --------------------------------------------- https://www.zdnet.de/88414209/angreifer-spoofen-temu/ ===================== = Vulnerabilities = ===================== ∗∗∗ ExpressVPN: Fehler führt zu ungeschützter Übertragung von DNS-Anfragen ∗∗∗ --------------------------------------------- Durch den Fehler können Drittanbieter potenziell nachverfolgen, welche Webseiten ExpressVPN-Nutzer besucht haben - trotz aktiver VPN-Verbindung. --------------------------------------------- https://www.golem.de/news/expressvpn-fehler-fuehrt-zu-ungeschuetzter-uebert… ∗∗∗ CISA Adds One Known Exploited Vulnerability to Catalog ∗∗∗ --------------------------------------------- CVE-2024-21762 Fortinet FortiOS Out-of-Bound Write Vulnerability --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/02/09/cisa-adds-one-known-expl… ∗∗∗ CISA Adds One Known Exploited Vulnerability to Catalog ∗∗∗ --------------------------------------------- CVE-2023-43770 Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/02/12/cisa-adds-one-known-expl… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libgit2), Fedora (chromium, firecracker, libkrun, openssh, python-nikola, runc, rust-event-manager, rust-kvm-bindings, rust-kvm-ioctls, rust-linux-loader, rust-userfaultfd, rust-versionize, rust-vhost, rust-vhost-user-backend, rust-virtio-queue, rust-vm-memory, rust-vm-superio, rust-vmm-sys-util, virtiofsd, webkitgtk, and wireshark), Mageia (filezilla and xpdf), Oracle (gimp), Red Hat (libmaxminddb, linux-firmware, squid:4, and tcpdump), Slackware (xpdf), SUSE (cdi-apiserver-container, cdi-cloner-container, cdi- controller-container, cdi-importer-container, cdi-operator-container, cdi- uploadproxy-container, cdi-uploadserver-container, cont and suse-build-key), and Ubuntu (python-glance-store and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/961842/ ∗∗∗ Mehrere Cross-Site Scripting Schwachstellen in Statamic CMS ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/mehrere-cross-site-sc… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.02.2024
by Daily end-of-shift report 09 Feb '24

09 Feb '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 08-02-2024 18:00 − Freitag 09-02-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ SonicOS SSL-VPN: Angreifer können Authentifzierung umgehen ∗∗∗ --------------------------------------------- Sonicwall warnt vor einer Sicherheitslücke im SonicOS SSL-VPN, durch die Angreifer die Authentifizierung umgehen können. --------------------------------------------- https://www.heise.de/-9623611.html ∗∗∗ Sicherheitsupdates: Authentifizierung von Ivanti Connect Secure & Co. defekt ∗∗∗ --------------------------------------------- Angreifer können ohne Anmeldung auf Ivanti Connect Secure, Policy Secure und ZTA Gateway zugreifen. --------------------------------------------- https://www.heise.de/-9623653.html ∗∗∗ Elastic Stack: Pufferüberlauf ermöglicht Codeschmuggel in Kibana-Komponente ∗∗∗ --------------------------------------------- Der in Kibana integrierte Chromium-Browser verursachte das Problem nur auf bestimmten Plattformen. Updates und eine Übergangslösung stehen bereit. --------------------------------------------- https://www.heise.de/-9624274.html ∗∗∗ Android XLoader malware can now auto-execute after installation ∗∗∗ --------------------------------------------- A new version of the XLoader Android malware was discovered that automatically executes on devices it infects, requiring no user interaction to launch. --------------------------------------------- https://www.bleepingcomputer.com/news/security/android-xloader-malware-can-… ∗∗∗ New RustDoor macOS malware impersonates Visual Studio update ∗∗∗ --------------------------------------------- A new Rust-based macOS malware spreading as a Visual Studio update to provide backdoor access to compromised systems uses infrastructure linked to the infamous ALPHV/BlackCat ransomware gang. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-rustdoor-macos-malware-i… ∗∗∗ Form Tools Remote Code Execution: We Need To Talk About PHP ∗∗∗ --------------------------------------------- To whet your appetite for what we’re going to demonstrate, below is a deep dive into a Local File Inclusion vulnerability which can lead to Remote Code Execution in installations of ‘Form Tools’, an open-source PHP-based application for creating, storing and sharing forms on the Internet, of over 15 year vintage. A short search across open data platforms reveals over 1,000 installations with "we just discovered Shodan"-tier fingerprints. --------------------------------------------- https://labs.watchtowr.com/form-tools-we-need-to-talk-about-php/ ∗∗∗ Juniper Support Portal Exposed Customer Device Info ∗∗∗ --------------------------------------------- Until earlier this week, the support website for networking equipment vendor Juniper Networks was exposing potentially sensitive information tied to customer products, including the exact devices each customer bought, as well as each devices warranty status, service contracts and serial numbers. Juniper said it has since fixed the problem, and that the inadvertent data exposure stemmed from a recent upgrade to its support portal. --------------------------------------------- https://krebsonsecurity.com/2024/02/juniper-support-portal-exposed-customer… ∗∗∗ Zahlreiche betrügerische E-Mails im Namen der Österreichischen Gesundheitskasse im Umlauf! ∗∗∗ --------------------------------------------- Derzeit werden der Watchlist Internet zahlreiche E-Mails gemeldet, die Kriminelle im Namen der Österreichischen Gesundheitskasse versenden. Angeblich erhalten die Empfänger:innen eine Rückerstattung durch die Krankenasse. Dazu sollen sie einen Link anklicken und Kreditkartendaten eingeben. Machen Sie das auf keinen Fall, da es sich um eine Phishing-Falle handelt. --------------------------------------------- https://www.watchlist-internet.at/news/zahlreiche-betruegerische-e-mails-im… ∗∗∗ CISA Partners With OpenSSF Securing Software Repositories Working Group to Release Principles for Package Repository Security ∗∗∗ --------------------------------------------- Today, CISA partnered with the Open Source Security Foundation (OpenSSF) Securing Software Repositories Working Group to publish the Principles for Package Repository Security framework. Recognizing the critical role package repositories play in securing open source software ecosystems, this framework lays out voluntary security maturity levels for package repositories. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/02/08/cisa-partners-openssf-se… ∗∗∗ Raspberry Robin: Evolving Cyber Threat with Advanced Exploits and Stealth Tactics ∗∗∗ --------------------------------------------- Raspberry Robin leverages new 1-day Local Privilege Escalation (LPE) exploits developed ahead of public knowledge, hinting at either an in-house development capability or access to a sophisticated exploit market. --------------------------------------------- https://blog.checkpoint.com/security/raspberry-robin-evolving-cyber-threat-… ∗∗∗ January 2024’s Most Wanted Malware: Major VexTrio Broker Operation Uncovered and Lockbit3 Tops the Ransomware Threats ∗∗∗ --------------------------------------------- Researchers uncovered a large cyber threat distributor known as VexTrio, which serves as a major traffic broker for cybercriminals to distribute malicious content. Meanwhile, LockBit3 topped the list of active ransomware groups and Education was the most impacted industry worldwide --------------------------------------------- https://blog.checkpoint.com/research/january-2024s-most-wanted-malware-majo… ∗∗∗ Niederlande: Militärnetzwerk über FortiGate gehackt; Volt Typhoon-Botnetz seit 5 Jahren in US-Systemen ∗∗∗ --------------------------------------------- Gerade ist eine Spionageaktion der chinesischen Regierung in einem Computernetzwerk des niederländischen Militärs aufgeflogen. Das Militärnetzwerk wurde über eine Schwachstelle in FortiGate gehackt. Das ist auch für andere Fortinet-Kunden relevant. Und mittlerweile wurde bekannt, dass das mutmaßlich von staatsnahen chinesischen [...] --------------------------------------------- https://www.borncity.com/blog/2024/02/08/niederlande-militrnetzwerk-ber-for… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (webkit2gtk), Fedora (atril, chromium, gnutls, python-aiohttp, and webkitgtk), Gentoo (libxml2), Mageia (gnutls, gpac, kernel, kernel-linus, microcode, pam, and postfix), Red Hat (container-tools:2.0, container-tools:3.0, container-tools:4.0, container-tools:rhel8, gimp, libmaxminddb, python-pillow, runc, and unbound), SUSE (cosign, netpbm, python, python-Pillow, python3, and python36), and Ubuntu (libde265, linux-gcp, linux-gcp-5.4, and linux-intel-iotg). --------------------------------------------- https://lwn.net/Articles/961584/ ∗∗∗ Kritische Sicherheitslücken in Fortinet FortiOS, Updates verfügbar ∗∗∗ --------------------------------------------- Fortinet hat zwei kritische Security Advisories veröffentlicht. Beide Security Advisories behandeln Sicherheitslücken, die es unauthentifizierten Angreifer:innen erlauben, Code auf betroffenen Geräten auszuführen. Fortinet gibt bezüglich einer dieser Sicherheitslücken an, dass diese potentiell bereits aktiv für Angriffe ausgenutzt wird. --------------------------------------------- https://cert.at/de/warnungen/2024/2/kritische-sicherheitslucken-in-fortinet… ∗∗∗ Wichtige ESET Produkt-Updates verfügbar (8. Feb. 2024) ∗∗∗ --------------------------------------------- Kurzer, weiterer Informationssplitter für Administratoren, die ESET Endpoint Antivirus/Security unter Windows einsetzen. Der Hersteller hat ein wichtiges Produkt-Update für seine Windows-Produktlinie herausgegeben, welches sofort installiert werden sollte. Das Update behebt eine Schwachstelle, [...] --------------------------------------------- https://www.borncity.com/blog/2024/02/08/wichtige-eset-produkt-updates-verf… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ FortiClientEMS - Improper privilege management for site super administrator ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-23-357 ∗∗∗ FortiManager - Informative error messages ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-23-268 ∗∗∗ FortiNAC - XSS in Show Audit Log ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-23-063 ∗∗∗ FortiOS - Format String Bug in fgfmd ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-24-029 ∗∗∗ FortiOS - Fortilink lack of certificate validation ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-23-301 ∗∗∗ FortiOS - Out-of-bound Write in sslvpnd ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-24-015 ∗∗∗ FortiOS & FortiProxy - CVE-2023-44487 - Rapid Reset HTTP/2 vulnerability ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-23-397 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.02.2024
by Daily end-of-shift report 08 Feb '24

08 Feb '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 07-02-2024 18:00 − Donnerstag 08-02-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Fortinet: APTs Exploiting FortiOS Vulnerabilities in Critical Infrastructure Attacks ∗∗∗ --------------------------------------------- One of the exploited vulnerabilities is CVE-2022-42475, which Fortinet patched in December 2022, when it warned that it had been aware of in-the-wild exploitation. [..] The second vulnerability described in Fortinet’s new warning is CVE-2023-27997, which came to light in June 2023, when the cybersecurity firm informed customers that it had been exploited as a zero-day in limited attacks. Fortinet noted on Wednesday that some customers have yet to patch the two FortiOS vulnerabilities and the company has seen several attacks and attack clusters, including ones aimed at the government, service provider, manufacturing, consultancy, and critical infrastructure sectors. --------------------------------------------- https://www.securityweek.com/fortinet-apts-exploiting-fortios-vulnerabiliti… ∗∗∗ State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure ∗∗∗ --------------------------------------------- CISA, NSA, FBI and the following partners are releasing this advisory to warn critical infrastructure organizations about this assessment, which is based on observations from the U.S. authoring agencies’ incident response activities at critical infrastructure organizations compromised by the PRC state-sponsored cyber group known as Volt Typhoon (also known as Vanguard Panda, BRONZE SILHOUETTE, Dev-0391, UNC3236, Voltzite, and Insidious Taurus). --------------------------------------------- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a ∗∗∗ Fortinet warns of new FortiSIEM RCE bugs in confusing disclosure ∗∗∗ --------------------------------------------- Fortinet is warning of two new unpatched patch bypasses for a critical remote code execution vulnerability in FortiSIEM, Fortinets SIEM solution. [..] Earlier today, BleepingComputer published an article that the CVEs were released by mistake after being told by Fortinet that they were duplicates of the original CVE-2023-34992. [..] After contacting Fortinet once again, we were told their previous statement was “misstated” and that the two new CVEs are variants of the original flaw. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fortinet-warns-of-new-fortis… ∗∗∗ Coyote: A multi-stage banking Trojan abusing the Squirrel installer ∗∗∗ --------------------------------------------- We will delve into the workings of the infection chain and explore the capabilities of the new Trojan that specifically targets users of more than 60 banking institutions, mainly from Brazil. --------------------------------------------- https://securelist.com/coyote-multi-stage-banking-trojan/111846/ ∗∗∗ Facebook ads push new Ov3r_Stealer password-stealing malware ∗∗∗ --------------------------------------------- A new password-stealing malware named Ov3r_Stealer is spreading through fake job advertisements on Facebook, aiming to steal account credentials and cryptocurrency. --------------------------------------------- https://www.bleepingcomputer.com/news/security/facebook-ads-push-new-ov3r-s… ∗∗∗ The toothbrush DDoS attack: How misinformation spreads in the cybersecurity world ∗∗∗ --------------------------------------------- No, three million smart toothbrushes didnt launch a DDoS attack against a Swiss company. --------------------------------------------- https://grahamcluley.com/the-toothbrush-ddos-attack-how-misinformation-spre… ∗∗∗ Fake LastPass password manager spotted on Apple’s App Store ∗∗∗ --------------------------------------------- LastPass is warning that a fake copy of its app is being distributed on the Apple App Store, likely used as a phishing app to steal users' credentials. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fake-lastpass-password-manag… ===================== = Vulnerabilities = ===================== ∗∗∗ FortiGate / FortiOS 7.4.3 FortiOS Release Notes ∗∗∗ --------------------------------------------- 2024-02-07 Initial release --------------------------------------------- https://docs.fortinet.com/document/fortigate/7.4.3/fortios-release-notes/55… ∗∗∗ SonicOS SSL-VPN Improper Authentication ∗∗∗ --------------------------------------------- An improper authentication vulnerability has been identified in SonicWall SonicOS SSL-VPN feature, which in specific conditions could allow a remote attacker to bypass authentication.This issue affects only firmware version SonicOS 7.1.1-7040. CVE: CVE-2024-22394 Last updated: Feb. 6, 2024, 4:44 p.m. --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0003 ∗∗∗ SSD Advisory – TOTOLINK LR1200GB Auth Bypass ∗∗∗ --------------------------------------------- A vulnerability in TOTOLINK LR1200GB allows remote unauthenticated attackers to become authenticated due to a stack overflow vulnerability in the web interface. [..] Multiple emails to the vendor went unanswered, we are releasing this information without being able to get from the vendor a patch or response. --------------------------------------------- https://ssd-disclosure.com/ssd-advisory-totolink-lr1200gb-auth-bypass/ ∗∗∗ Sicherheitslücken: Codeschmuggel und Leistungsverweigerung bei ClamAV ∗∗∗ --------------------------------------------- Der Parser für das OLE2-Dateiformat enthält einen Pufferüberlauf und mit speziell präparierten Dateinamen lassen sich offenbar eigene Befehlszeilen ausführen. --------------------------------------------- https://www.heise.de/-9622674 ∗∗∗ Samsung Magician: Update stopft Sicherheitsleck im SSD-Tool ∗∗∗ --------------------------------------------- Samsung bietet mit Magician eine Software zum Verwalten von SSDs, Speichersticks und -Karten des Herstellers. Ein Update schließt eine Lücke darin. --------------------------------------------- https://www.heise.de/-9622729 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium), Red Hat (gimp, kernel, kernel-rt, and runc), Slackware (expat), SUSE (libavif), and Ubuntu (linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-kvm, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-bluefield, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-oracle, linux-oracle-5.4, linux-xilinx-zynqmp, and linux, linux-aws, linux-gcp, linux-hwe-6.5, linux-laptop, linux-lowlatency, linux-lowlatency-hwe-6.5, linux-oem-6.5, linux-oracle, linux-raspi, linux-starfive). --------------------------------------------- https://lwn.net/Articles/961330/ ∗∗∗ Drupal: Migrate Tools - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2024-008 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2024-008 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (January 29, 2024 to February 4, 2024) ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2024/02/wordfence-intelligence-weekly-wordpr… ∗∗∗ Qolsys IQ Panel 4, IQ4 HUB ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-039-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.02.2024
by Daily end-of-shift report 07 Feb '24

07 Feb '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 06-02-2024 18:00 − Mittwoch 07-02-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Fortinet snafu: Critical FortiSIEM CVEs are duplicates, issued in error ∗∗∗ --------------------------------------------- It turns out that critical Fortinet FortiSIEM vulnerabilities tracked as CVE-2024-23108 and CVE-2024-23109 are not new and have been published this year in error. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fortinet-snafu-critical-fort… ∗∗∗ Schlüssel ausgelesen: Bastler umgeht Bitlocker-Schutz mit Raspberry Pi Pico ∗∗∗ --------------------------------------------- Möglich war ihm dies durch das Abfangen der Kommunikation des auf dem Mainboard des Notebooks verlöteten TPM-Chips mit der CPU. [..] Auf die Möglichkeit solcher Angriffe auf Systeme mit externen TPM-Chips wiesen Sicherheitsforscher schon im Sommer 2021 hin. Grund dafür sei die unverschlüsselte Übertragung des Verschlüsselungsschlüssels, so dass sich der Schlüssel einfach über die Kontakte des TPMs abfangen lasse, hieß es schon damals. --------------------------------------------- https://www.golem.de/news/schluessel-ausgelesen-bastler-umgeht-bitlocker-sc… ∗∗∗ Unleashing the Power of Scapy for Network Fuzzing ∗∗∗ --------------------------------------------- Cybersecurity is a critical aspect of any network or software system, and fuzzing is arguably one of the most potent techniques used to identify such security vulnerabilities. Fuzzing involves injecting unexpected or invalid data into the system, which can trigger unforeseen behaviours, potentially leading to security breaches or crashes. Scapy is one of the many tools that can be used for fuzzing, and it stands out as a versatile and efficient option. --------------------------------------------- https://www.darkrelay.com/post/unleashing-the-power-of-scapy-for-network-fu… ∗∗∗ Anydesk-Einbruch: Französisches BSI-Pendant vermutet Dezember als Einbruchsdatum ∗∗∗ --------------------------------------------- Der IT-Sicherheitsvorfall bei Anydesk datiert womöglich auf den Dezember 2023, wie den Hinweisen der französischen IT-Sicherheitsbehörde zu entnehmen ist. --------------------------------------------- https://www.heise.de/news/Anydesk-Einbruch-datiert-vermutlich-auf-Dezember-… ∗∗∗ E-Mail von DNS EU ist betrügerisch ∗∗∗ --------------------------------------------- Derzeit erhalten viele Website-Betreiber:innen E-Mails von einer vermeintlichen Firma namens DNS EU. Im E-Mail behauptet das Unternehmen, dass es einen „Registrierungsantrag“ für eine Domain erhalten hat, die Ihrer eigenen Domain sehr ähnlich ist. Ihnen wird angeboten, diese Domain für € 297,50 zu kaufen. Ignorieren Sie dieses E-Mail, das Angebot ist Fake. --------------------------------------------- https://www.watchlist-internet.at/news/e-mail-von-dns-eu-ist-betruegerisch/ ∗∗∗ Vermehrte Ransomware-Angriffe mit Lockbit 3.0 ∗∗∗ --------------------------------------------- In den letzten Tagen sind österreichische Unternehmen und Organisationen vermehrt von Angriffen mit der Ransomware Lockbit 3.0 betroffen. Dabei handelt es sich um Ransomware-as-a-Service, was es einer Vielzahl von Kriminellen ermöglicht, unabhängig voneinander zu agieren und eine grössere Anzahl von Zielen zu attackieren. Bedrohungsakteure, die im Rahmen ihrer Angriffe Lockbit 3.0 einsetzen erlangen vor allem über den Missbrauch von RDP-Verbindungen (beispielsweise unter Einsatz anderweitig gestohlener Zugangsdaten) und die Ausnutzung von Schwachstellen in aus dem Internet erreichbaren Applikationen Zugang zu den Netzwerken ihrer Opfer. Wir empfehlen nachdrücklich, die eigenen Sicherheitsmaßnahmen zu überprüfen [..] --------------------------------------------- https://cert.at/de/aktuelles/2024/2/vermehrte-ransomware-angriffe-mit-lockb… ∗∗∗ Cyber Security Glossary: The Ultimate List ∗∗∗ --------------------------------------------- If you have anything to do with cyber security, you know it employs its own unique and ever-evolving language. Jargon and acronyms are the enemies of clear writing—and are beloved by cyber security experts. So Morphisec has created a comprehensive cyber security glossary that explains commonly used cybersecurity terms, phrases, and technologies. We designed this list to demystify the terms that security professionals use when describing security tools, threats, processes, and techniques. We will periodically update it, and hope you find it useful. --------------------------------------------- https://blog.morphisec.com/cyber-security-glossary ===================== = Vulnerabilities = ===================== ∗∗∗ Kritische Sicherheitslücke in JetBrains TeamCity On-Premises ∗∗∗ --------------------------------------------- Das Softwareunternehmen JetBrains hat Informationen über eine kritische Sicherheitslücke in JetBrains TeamCity On-Premises veröffentlicht. Eine Ausnutzung der Schwachstelle, CVE-2024-23917, erlaubt unauthentifizierten Angreifer:innen mit HTTP(s)-Zugriff auf eine verwundbare Instanz von TeamCity das Umgehen von Authentifizierungskontrollen und somit die vollständige Übernahme der betroffenen Installation. --------------------------------------------- https://cert.at/de/aktuelles/2024/2/kritische-sicherheitslucke-in-jetbrains… ∗∗∗ Shim: Kritische Schwachstelle gefährdet Secure Boot unter Linux ∗∗∗ --------------------------------------------- In einer von den meisten gängigen Linux-Distributionen verwendeten EFI-Anwendung namens Shim wurde eine kritische Schwachstelle entdeckt, die es Angreifern ermöglicht, Schadcode auszuführen und die vollständige Kontrolle über ein Zielsystem zu übernehmen. Ausgenutzt werden könne der Fehler durch eine speziell gestaltete HTTP-Anfrage, die zu einem kontrollierten Out-of-bounds-Schreibvorgang führe, heißt es in der Beschreibung zu CVE-2023-40547. --------------------------------------------- https://www.golem.de/news/shim-kritische-schwachstelle-gefaehrdet-secure-bo… ∗∗∗ Zeroshell vulnerable to OS command injection ∗∗∗ --------------------------------------------- Zeroshell Linux distribution contains an OS command injection vulnerability. This vulnerability was reported on August 2020. The Zeroshell project reached EOL on April 2021. The communication with the developer was established on November 2023, and this JVN publication was agreed upon. --------------------------------------------- https://jvn.jp/en/jp/JVN44033918/ ∗∗∗ Cisco: (High) ClamAV OLE2 File Format Parsing Denial of Service Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the OLE2 file format parser of ClamAV could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. CVE-2024-20290 --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco: (Critical) Cisco Expressway Series Cross-Site Request Forgery Vulnerabilities ∗∗∗ --------------------------------------------- Multiple vulnerabilities in the Cisco Expressway Series could allow an unauthenticated, remote attacker to conduct cross-site request forgery (CSRF) attacks, which could allow the attacker to perform arbitrary actions on an affected device. CVE-2024-20255, CVE-2024-20254, CVE-2024-20252 --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ SolarWinds Platform 2024.1 Release Notes ∗∗∗ --------------------------------------------- SQL Injection Remote Code Execution Vulnerability was found using an update statement in the SolarWinds Platform. This vulnerability requires user authentication to be exploited and has not been reported outside of the initial report by the researcher. 8.0 High, CVE-2023-50395, CVE-2023-35188 --------------------------------------------- https://documentation.solarwinds.com/en/success_center/orionplatform/conten… ∗∗∗ VMware Aria: Sicherheitslücken erlauben etwa Rechteausweitung ∗∗∗ --------------------------------------------- Insgesamt fünf Sicherheitslücken dichtet VMware in Aria Operations for Networks – ehemals mit dem Namen vRealize im Umlauf – mit aktualisierter Software ab. Der Schweregrad reicht nach Einschätzung der Entwickler des Unternehmens bis zur Risikostufe "hoch". Bösartige Akteure können durch die Schwachstellen unbefugt ihre Rechte an verwundbaren Systemen erhöhen. --------------------------------------------- https://www.heise.de/-9621415 ∗∗∗ Rechtausweitung durch Lücken in Veeam Recovery Orchestrator möglich ∗∗∗ --------------------------------------------- Veeam flickt die Recovery Orchestrator-Software. Sicherheitslücken darin erlauben bösartigen Akteuren die Ausweitung von Rechten. --------------------------------------------- https://www.heise.de/-9621609 ∗∗∗ Sicherheitsupdates: Dell schließt ältere Lücken in Backuplösungen wie Avamar ∗∗∗ --------------------------------------------- Schwachstellen in Komponenten von Drittanbietern gefährden die Sicherheit von Dell-Backup-Software. Sicherheitsupdates sind verfügbar. --------------------------------------------- https://www.heise.de/9621283 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Red Hat (gimp) and Ubuntu (firefox, linux-oracle, linux-oracle-5.15, and python-django). --------------------------------------------- https://lwn.net/Articles/961173/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Google Chrome 121.0.6167.160/161 / 120.0.6099.283 mit Sicherheitsfixes ∗∗∗ --------------------------------------------- https://www.borncity.com/blog/2024/02/07/google-chrome-121-0-6167-160-161-1… ∗∗∗ [R1] Nessus Version 10.7.0 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2024-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.02.2024
by Daily end-of-shift report 06 Feb '24

06 Feb '24

===================== = End-of-Day report = ===================== Timeframe: Montag 05-02-2024 18:00 − Dienstag 06-02-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Rust Won’t Save Us: An Analysis of 2023’s Known Exploited Vulnerabilities ∗∗∗ --------------------------------------------- We have analyzed all critical vulnerabilities from the CISA KEV catalog starting from January 2023 through January 2024, categorized the vulnerability root causes, and attempted to analyze if the current efforts in the information security industry match with the current threat vectors being abused. --------------------------------------------- https://www.horizon3.ai/analysis-of-2023s-known-exploited-vulnerabilities/ ∗∗∗ Unseriöse Dirndl-Shops drohen mit Anzeige? Ignorieren Sie die Nachrichten! ∗∗∗ --------------------------------------------- Zahlreiche Betroffene wenden sich aktuell an die Watchlist Internet, weil unseriöse Bekleidungs- und Dirndl-Shops Monate nach den Bestellungen versuchen, Kund:innen einzuschüchtern und zu einer Zahlung zu drängen. Da völlig falsche Produkte geliefert wurden, besteht aber kein Grund zur Zahlung und somit auch kein Grund zur Sorge! --------------------------------------------- https://www.watchlist-internet.at/news/unserioese-dirndl-shops-drohen-mit-a… ∗∗∗ How are user credentials stolen and used by threat actors? ∗∗∗ --------------------------------------------- You’ve probably heard the phrase, “Attackers don’t hack anyone these days. They log on.” In this blog, we describe the various tools and techniques bad actors are using to steal credentials so they can log on with valid account details, and outline our recommendations for defense. --------------------------------------------- https://blog.talosintelligence.com/how-are-user-credentials-stolen-and-used… ∗∗∗ Navigating the Rising Tide of CI/CD Vulnerabilities: The Jenkins and TeamCity Case Studies ∗∗∗ --------------------------------------------- In the evolving landscape of cybersecurity, a new threat has emerged, targeting the core of software development processes. Recently, an alarming incident has brought to light a significant vulnerability in Jenkins CI/CD servers. Approximately 45,000 Jenkins servers have been left exposed to remote code execution (RCE) attacks, leveraging multiple exploit public POCs. This breach is not just a standalone event but a symptom of a growing trend of attacks on Continuous Integration/Continuous Deployment (CI/CD) software supply chains. --------------------------------------------- https://checkmarx.com/blog/navigating-the-rising-tide-of-ci-cd-vulnerabilit… ∗∗∗ Experts Detail New Flaws in Azure HDInsight Spark, Kafka, and Hadoop Services ∗∗∗ --------------------------------------------- Three new security vulnerabilities have been discovered in Azure HDInsights Apache Hadoop, Kafka, and Spark services that could be exploited to achieve privilege escalation and a regular expression denial-of-service (ReDoS) condition. [..] Following responsible disclosure, Microsoft has rolled out fixes as part of updates released on October 26, 2023. --------------------------------------------- https://thehackernews.com/2024/02/high-severity-flaws-found-in-azure.html ∗∗∗ Exploring the (Not So) Secret Code of Black Hunt Ransomware ∗∗∗ --------------------------------------------- In this analysis we examined the BlackHunt sample shared on X (formerly Twitter). During our analysis we found notable similarities between BlackHunt ransomware and LockBit, which suggested that it uses leaked code of Lockbit. In addition, it uses some techniques similar to REvil ransomware. --------------------------------------------- https://www.rapid7.com/blog/post/2024/02/05/exploring-the-not-so-secret-cod… ===================== = Vulnerabilities = ===================== ∗∗∗ Patchday Android: Kritische Schadcode-Lücke auf Systemebene geschlossen ∗∗∗ --------------------------------------------- Mehrere Sicherheitslücken gefährden Android-Geräte. Für bestimmte Smartphones und Tablets sind Updates erschienen. --------------------------------------------- https://www.heise.de/-9619910 ∗∗∗ Sicherheitsupdate: Mehrere Lücken gefährden Server-Monitoring-Tool Nagios XI ∗∗∗ --------------------------------------------- Unter bestimmten Bedingungen können Angreifer Schadcode auf Server mit Nagios XI laden. Ein Sicherheitsupdate schließt diese und weitere Schwachstellen. --------------------------------------------- https://www.heise.de/-9620155 ∗∗∗ Kritische Schwachstellen in Multifunktions- und Laserdruckern von Canon ∗∗∗ --------------------------------------------- Canon warnt vor kritischen Sicherheitslücken in einigen SOHO-Multifunktions- und Laserdruckern. Gegenmaßnahmen sollen helfen. --------------------------------------------- https://www.heise.de/-9620345 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (firefox, gstreamer1-plugins-bad-free, and tigervnc), Debian (ruby-sanitize), Fedora (kernel, kernel-headers, qt5-qtwebengine, and runc), Oracle (gnutls, kernel, libssh, rpm, runc, and tigervnc), Red Hat (runc), and SUSE (bouncycastle, jsch, python, and runc). --------------------------------------------- https://lwn.net/Articles/961083/ ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2024-0001 ∗∗∗ --------------------------------------------- CVE identifiers: CVE-2024-23222, CVE-2024-23206, CVE-2024-23213, CVE-2023-40414, CVE-2023-42833, CVE-2014-1745 --------------------------------------------- https://webkitgtk.org/security/WSA-2024-0001.html ∗∗∗ CISA Adds One Known Exploited Vulnerability to Catalog ∗∗∗ --------------------------------------------- Google Chromium V8 Type Confusion Vulnerability CVE-2023-4762 --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/02/06/cisa-adds-one-known-expl… ∗∗∗ MISP 2.4.184 released with performance improvements, security and bugs fixes. ∗∗∗ --------------------------------------------- A series of security fixes were done in this release, the vulnerabilities are accessible to authenticated users, especially those with specific privileges like Org admin. We urge users to update to this version especially if you have different organisations having access to your instances. --------------------------------------------- https://github.com/MISP/MISP/releases/tag/v2.4.184 ∗∗∗ ZDI-24-086: TP-Link Omada ER605 Access Control Command Injection Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-086/ ∗∗∗ ZDI-24-085: (Pwn2Own) TP-Link Omada ER605 DHCPv6 Client Options Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-085/ ∗∗∗ ZDI-24-087: (Pwn2Own) Western Digital MyCloud PR4100 RESTSDK Server-Side Request Forgery Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-087/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Pilz: Multiple products affected by uC/HTTP vulnerability ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2024-002/ ∗∗∗ HID Global Encoders ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-037-01 ∗∗∗ HID Global Reader Configuration Cards ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-037-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.02.2024
by Daily end-of-shift report 05 Feb '24

05 Feb '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 02-02-2024 18:00 − Montag 05-02-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Newest Ivanti SSRF zero-day now under mass exploitation ∗∗∗ --------------------------------------------- An Ivanti Connect Secure and Ivanti Policy Secure server-side request forgery (SSRF) vulnerability tracked as CVE-2024-21893 is currently under mass exploitation by multiple attackers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/newest-ivanti-ssrf-zero-day-… ∗∗∗ Cyberangriff: Fernwartungssoftware-Anbieter Anydesk gehackt ∗∗∗ --------------------------------------------- Anydesk ist Opfer eines Cyberangriffs geworden. Die Folgen sind noch nicht klar, aber möglicherweise gravierend. --------------------------------------------- https://www.golem.de/news/cyberangriff-fernwartungssoftware-anbieter-anydes… ∗∗∗ Darknet: Anydesk-Zugangsdaten in Hackerforen aufgetaucht ∗∗∗ --------------------------------------------- Quelle der Daten ist nach aktuellen Erkenntnissen wohl nicht der jüngste Sicherheitsvorfall bei Anydesk. Ein Passwortwechsel wird dennoch empfohlen. --------------------------------------------- https://www.golem.de/news/darknet-anydesk-zugangsdaten-in-hackerforen-aufge… ∗∗∗ How to hack the Airbus NAVBLUE Flysmart+ Manager ∗∗∗ --------------------------------------------- Airbus Navblue Flysmart+ Manager allowed attackers to tamper with the engine performance calculations and intercept data. Flysmart+ is a suite of apps for pilot EFBs, helping deliver efficient and safe departure and arrival of flights. Researchers from Pen Test Partners discovered a vulnerability in Navblue Flysmart+ Manager that can be exploited [...] --------------------------------------------- https://securityaffairs.com/158661/hacking/airbus-flysmart-flaw.html ∗∗∗ Encrypted Attacks: Impact on Public Sector ∗∗∗ --------------------------------------------- Following FBI and CISA warnings to public sector defenders in November regarding increased targeting by infamous ransomware groups, the imperative to understand and defend against evolving - and increasingly covert - cyber threats has intensified. According to Zscaler ThreatLabz analysis of the 2023 threat landscape, 86% of threats hide within encrypted traffic. What does this mean for the public sector? --------------------------------------------- https://www.zscaler.com/blogs/security-research/encrypted-attacks-impact-pu… ∗∗∗ Hacking a Smart Home Device ∗∗∗ --------------------------------------------- How I reverse engineered an ESP32-based smart home device to gain remote control access and integrate it with Home Assistant. --------------------------------------------- https://jmswrnr.com/blog/hacking-a-smart-home-device ∗∗∗ Videokonferenz voller KI-Klone: Angestellter schickt Betrügern 24 Millionen Euro ∗∗∗ --------------------------------------------- Bislang werden im Rahmen der "Chef-Masche" Angestellte zumeist von einer Person überzeugt, Geld herauszugeben. Ein Fall in Hongkong hat nun eine neue Qualität. --------------------------------------------- https://www.heise.de/-9618064.html ∗∗∗ Hartkodiertes Passwort: Wärmepumpen von Alpha Innotec und Novelan angreifbar ∗∗∗ --------------------------------------------- Ein IT-Forscher hat in der Firmware von Alpha Innotec- und Novelan-Wärmepumpen das hartkodierte Root-Passwort gefunden. Updates bieten Abhilfe. --------------------------------------------- https://www.heise.de/-9618846.html ∗∗∗ Ivanti Zero Day – Threat Actors observed leveraging CVE-2021-42278 and CVE-2021-42287 for quick privilege escalation to Domain Admin ∗∗∗ --------------------------------------------- TL;dr NCC Group has observed what we believe to be the attempted exploitation of CVE-2021-42278 and CVE-2021-42287 as a means of privilege escalation, following the successful compromise of an Ivanti Secure Connect VPN using the following zero-day vulnerabilities reported by Volexity1 on 10/01/2024: [...] --------------------------------------------- https://research.nccgroup.com/2024/02/05/ivanti-zero-day-threat-actors-obse… ∗∗∗ Achtung: E-Card mit 500 Euro Guthaben für Apothekenkäufe ist Fake ∗∗∗ --------------------------------------------- Auf Facebook wird eine „E-Card-Gutscheinkarte“ beworben. Wenn Sie eine kurze Umfrage ausfüllen und 2 Euro überweisen, erhalten Sie angeblich 500 Euro für Apothekeneinkäufe. Achtung, dabei handelt es sich um Betrug. Ein solches Angebot gibt es nicht! --------------------------------------------- https://www.watchlist-internet.at/news/achtung-e-card-mit-500-euro-guthaben… ∗∗∗ Sicherheitsvorfall bei der AnyDesk Software GmbH ∗∗∗ --------------------------------------------- Der deutsche Softwarehersteller AnyDesk Software GmbH, Entwickler der Fernwartungssoftware AnyDesk, hat am Abend des 02.02.2024 im Rahmen einer Pressemeldung über einen erfolgreichen Angriff gegen seine Infrastruktur informiert. Laut dem Unternehmen wurde direkt nach Entdeckung des Vorfalles ein externer Sicherheitsdienstleister zur Behandlung des Vorfalls hinzugezogen und die zuständigen Behörden informiert. Weiters gibt das Unternehmen an, dass keinerlei private Schlüssel, [...] --------------------------------------------- https://cert.at/de/aktuelles/2024/2/sicherheitsvorfall-bei-der-anydesk-soft… ===================== = Vulnerabilities = ===================== ∗∗∗ Docker, Kubernetes und co.: Hacker können aus Containern auf Hostsysteme zugreifen ∗∗∗ --------------------------------------------- Die Schwachstellen dafür beziehen sich auf Buildkit und das CLI-Tool runc. Eine davon erreicht mit einem CVSS von 10 den maximal möglichen Schweregrad. --------------------------------------------- https://www.golem.de/news/docker-kubernetes-und-co-hacker-koennen-aus-conta… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (rear, runc, sudo, and zbar), Fedora (chromium, grub2, libebml, mingw-python-pygments, and python-aiohttp), Gentoo (FreeType, GNAT Ada Suite, Microsoft Edge, NBD Tools, OpenSSL, QtGui, SDDM, Wireshark, and Xen), Mageia (dracut, glibc, nss and firefox, openssl, packages, perl, and thunderbird), Slackware (libxml2), SUSE (java-11-openjdk, java-17-openjdk, perl, python-uamqp, slurm, and xerces-c), and Ubuntu (libssh and openssl). --------------------------------------------- https://lwn.net/Articles/960952/ ∗∗∗ 2024-02-05: Cyber Security Advisory - B&R Automation Runtime FTP uses unsecure encryption mechanisms ∗∗∗ --------------------------------------------- https://www.br-automation.com/fileadmin/SA23P004_FTP_uses_unsecure_encrypti… ∗∗∗ Canon: CPE2024-001 – Regarding vulnerabilities for Small Office Multifunction Printers and Laser Printers – 05 February 2024 ∗∗∗ --------------------------------------------- https://www.canon-europe.com/support/product-security-latest-news/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ QNAP: Neue Firmware-Versionen beheben Befehlsschmuggel-Lücke ∗∗∗ --------------------------------------------- https://www.heise.de/-9617332.html ∗∗∗ IT-Sicherheitsüberwachung Juniper JSA für mehrere Attacken anfällig ∗∗∗ --------------------------------------------- https://www.heise.de/-9617677.html ∗∗∗ HCL schließt Sicherheitslücken in Bigfix, Devops Deploy und Launch ∗∗∗ --------------------------------------------- https://www.heise.de/-9618224.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.02.2024
by Daily end-of-shift report 02 Feb '24

02 Feb '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 01-02-2024 18:00 − Freitag 02-02-2024 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Abschaltbefehl: US-Behörden müssen Ivanti-Geräte vom Netz nehmen ∗∗∗ --------------------------------------------- In einer Notfallanordnung trägt die US-Cybersicherheitsbehörde betroffenen Stellen auf, in den nächsten Stunden zu handeln. Ivanti-Geräte sollen vom Netz. --------------------------------------------- https://www.heise.de/news/Abschaltbefehl-US-Behoerden-muessen-Ivanti-Geraet… ∗∗∗ Bericht: Wie Angreifer in das Netzwerk von Cloudflare eingedrungen sind ∗∗∗ --------------------------------------------- Nach Abschluss der Untersuchungen eines IT-Sicherheitsvorfalls schildert der CDN-Betreiber Cloudflare, wie die Attacke abgelaufen ist. --------------------------------------------- https://www.heise.de/news/Bericht-Wie-Angreifer-in-das-Netzwerk-von-Cloudfl… ∗∗∗ VajraSpy: Ein Patchwork-Sammelsurium voller Spionage-Apps ∗∗∗ --------------------------------------------- ESET-Forscher entdeckten mehrere Android-Apps, die VajraSpy beinhalten, ein RAT, der von der Patchwork APT-Gruppe verwendet wird. --------------------------------------------- https://www.welivesecurity.com/fr/cybersecurite/vajraspy-ein-patchwork-samm… ∗∗∗ Scheinbar harmloser PDF-Viewer leert Bankkonten ahnungsloser Android-Nutzer:innen ∗∗∗ --------------------------------------------- Derzeit ist eine neue Welle von Schadsoftware im Umlauf, die bereits in der Vergangenheit zahlreiche Bankkonten leergeräumt hat. Es handelt sich dabei um den Banking-Trojaner Anatsa, der über die Installation von Apps wie PDF Viewer oder PDF Reader über den Google Play Store verbreitet wird. --------------------------------------------- https://www.watchlist-internet.at/news/scheinbar-harmloser-pdf-viewer-leert… ∗∗∗ Exploring the Latest Mispadu Stealer Variant ∗∗∗ --------------------------------------------- Evaluation of a new variant of Mispadu, a banking Trojan, highlights how infostealers evolve over time and can be hard to pin to past campaigns. --------------------------------------------- https://unit42.paloaltonetworks.com/mispadu-infostealer-variant/ ∗∗∗ How Memory Forensics Revealed Exploitation of Ivanti Connect Secure VPN Zero-Day Vulnerabilities ∗∗∗ --------------------------------------------- As outlined in the previous blog series, while Volexity leveraged network packet captures and disk images to reconstruct parts of the attack, it was ultimately a memory sample that allowed Volexity to confirm exploitation. --------------------------------------------- https://www.volexity.com/blog/2024/02/01/how-memory-forensics-revealed-expl… ∗∗∗ Threat Actors Installing Linux Backdoor Accounts ∗∗∗ --------------------------------------------- Threat actors install malware by launching brute force and dictionary attacks against Linux systems that are poorly managed, such as using default settings or having a simple password. --------------------------------------------- https://asec.ahnlab.com/en/61185/ ∗∗∗ How We Were Able to Infiltrate Attacker Telegram Bots ∗∗∗ --------------------------------------------- It is not uncommon for attackers to publish malicious packages that exfiltrate victims’ data to them using Telegram bots. However, what if we could eavesdrop on what the attacker sees? --------------------------------------------- https://checkmarx.com/blog/how-we-were-able-to-infiltrate-attacker-telegram… ∗∗∗ Jenkins Vulnerability Estimated to Affect 43% of Cloud Environments ∗∗∗ --------------------------------------------- >From our scans on the Orca Cloud Security Platform, we found that 43% of organizations operate at least one unmanaged Jenkins server in their environment. --------------------------------------------- https://orca.security/resources/blog/jenkins-arbitrary-file-read-vulnerabil… ===================== = Vulnerabilities = ===================== ∗∗∗ CISA-Warnung: Alte iPhone-Schwachstelle wird aktiv ausgenutzt ∗∗∗ --------------------------------------------- Eine von Apple gestopfte Kernel-Lücke wird der US-Sicherheitsbehörde zufolge für Angriffe aktiv genutzt. Für ältere iPhones scheint es keinen Patch zu geben. --------------------------------------------- https://www.heise.de/news/CISA-Warnung-Alte-iPhone-Schwachstelle-wird-aktiv… ∗∗∗ Sicherheitsupdate: IBM-Sicherheitslösung QRadar SIEM unter Linux angreifbar ∗∗∗ --------------------------------------------- Mehrere Komponenten eines Add ons von IBMs Security Information and Event Management-System QRadar sind verwundbar. --------------------------------------------- https://www.heise.de/news/Sicherheitsupdate-IBM-Sicherheitsloesung-QRadar-S… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, man-db, and openjdk-17), Fedora (chromium, indent, jupyterlab, kernel, and python-notebook), Gentoo (glibc), Oracle (firefox, thunderbird, and tigervnc), Red Hat (rpm), SUSE (cpio, gdb, gstreamer, openconnect, slurm, slurm_18_08, slurm_20_02, slurm_20_11, slurm_22_05, slurm_23_02, squid, webkit2gtk3, and xerces-c), and Ubuntu (imagemagick and xorg-server, xwayland). --------------------------------------------- https://lwn.net/Articles/960604/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ QNAP Security Advisories ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisories/ ∗∗∗ Moby and Open Container Initiative Release Critical Updates for Multiple Vulnerabilities Affecting Docker-related Components ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/02/01/moby-and-open-container-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.02.2024
by Daily end-of-shift report 01 Feb '24

01 Feb '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 31-01-2024 18:00 − Donnerstag 01-02-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Exploit released for Android local elevation flaw impacting 7 OEMs ∗∗∗ --------------------------------------------- A proof-of-concept (PoC) exploit for a local privilege elevation flaw impacting at least seven Android original equipment manufacturers (OEMs) is now publicly available on GitHub. However, as the exploit requires local access, its release will mostly be helpful to researchers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/exploit-released-for-android… ∗∗∗ Hackers push USB malware payloads via news, media hosting sites ∗∗∗ --------------------------------------------- A financially motivated threat actor using USB devices for initial infection has been found abusing legitimate online platforms, including GitHub, Vimeo, and Ars Technica, to host encoded payloads embedded in seemingly benign content. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-push-usb-malware-pay… ∗∗∗ The Fun and Dangers of Top Level Domains (TLDs), (Wed, Jan 31st) ∗∗∗ --------------------------------------------- In the beginning, life was easy. We had a very limited set of top-level domains: .com, .edu, .gov, ..int, org, .mil, .net, .org, .edu. In addition, we had .arpa for infrastructure use and various two letter country level domains. [..] But yesterday, I noticed some news about a new interesting TLD that you may want to consider adopting: .internal. --------------------------------------------- https://isc.sans.edu/diary/rss/30608 ∗∗∗ FritzFrog Returns with Log4Shell and PwnKit, Spreading Malware Inside Your Network ∗∗∗ --------------------------------------------- The threat actor behind a peer-to-peer (P2P) botnet known as FritzFrog has made a return with a new variant that leverages the Log4Shell vulnerability to propagate internally within an already compromised network. --------------------------------------------- https://thehackernews.com/2024/02/fritzfrog-returns-with-log4shell-and.html ∗∗∗ Stealthy Persistence & PrivEsc in Entra ID by using the Federated Auth Secondary Token-signing Cert. ∗∗∗ --------------------------------------------- Microsoft Entra ID (formerly known as Azure AD) offers a feature called federation that allows you to delegate authentication to another Identity Provider (IdP), such as AD FS with on-prem Active Directory. When users log in, they will be redirected to the external IdP for authentication, before being redirected back to Entra ID who will then verify the successful authentication on the external IdP and the user’s identity. [..] The external IdP signs the token with a private key, which has an associated public key stored in a certificate. [..] In this post, I’ll show you where this certificate can be found and how attackers can add it (given the necessary privileges) and use it to forge malicious tokens. Finally, I will provide some recommendations for defense in light of this. --------------------------------------------- https://medium.com/tenable-techblog/stealthy-persistence-privesc-in-entra-i… ∗∗∗ OAS Engine Deep Dive: Abusing low-impact vulnerabilities to escalate privileges ∗∗∗ --------------------------------------------- Open Automation Software recently released patches for multiple vulnerabilities in their OAS Engine. Cisco Talos publicly disclosed these issues after working with Open Automation Software to ensure that patches were available for users. Now that a fix has been released with Version 19, we want to take the time to dive into a few of these vulnerabilities and show how a handful of bugs that could be viewed as low-impact could be exploited as a series to carry out various malicious actions, even going as far to gaining access to the underlying system. --------------------------------------------- https://blog.talosintelligence.com/oas-engine-deep-dive/ ===================== = Vulnerabilities = ===================== ∗∗∗ Mastodon: Diebstahl beliebiger Identitäten im föderierten Kurznachrichtendienst ∗∗∗ --------------------------------------------- Angreifer können jeden beliebigen Account übernehmen und fälschen. [..] Die Sicherheitslücke hat die CVE-ID CVE-2024-23832 erhalten und hat immerhin 9,4 von 10 CVSS-Punkten. Es handelt sich nach Einschätzung des Mastodon-Teams um eine leicht aus der Ferne ausnutzbare Lücke, die keinerlei Vorbedingungen mitbringt. Weder muss der Angreifer über besondere Privilegien verfügen, noch einen legitimen Nutzer austricksen, etwa mit einem gefälschten Link. Weitere Details verraten die Entwickler erst am 15. Februar. --------------------------------------------- https://www.heise.de/-9615961 ∗∗∗ Security Update for Ivanti Connect Secure and Ivanti Policy Secure Gateways ∗∗∗ --------------------------------------------- Update 1 February: A patch addressing all known vulnerabilities is now available for Ivanti Connect Secure version 22.5R2.2 and Ivanti Policy Secure 22.5R1.1. --------------------------------------------- https://www.ivanti.com/blog/security-update-for-ivanti-connect-secure-and-i… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (debian-security-support, firefox-esr, openjdk-11, and python-asyncssh), Fedora (glibc, python-templated-dictionary, thunderbird, and xorg-x11-server-Xwayland), Gentoo (Chromium, Google Chrome, Microsoft Edge and WebKitGTK+), Red Hat (firefox, gnutls, libssh, thunderbird, and tigervnc), SUSE (mbedtls, rear116, rear1172a, runc, squid, and tinyssh), and Ubuntu (glibc and runc). --------------------------------------------- https://lwn.net/Articles/960436/ ∗∗∗ Gessler GmbH WEB-MASTER ∗∗∗ --------------------------------------------- Successful exploitation of these vulnerabilities could allow a user to take control of the web management of the device. An attacker with access to the device could also extract and break the password hashes for all users stored on the device. CVSS v3 9.8 --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-032-01 ∗∗∗ Entity Delete Log - Moderately critical - Access bypass - SA-CONTRIB-2024-007 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2024-007 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Lexmark Security Advisories ∗∗∗ --------------------------------------------- https://www.lexmark.com/en_us/solutions/security/lexmark-security-advisorie… ∗∗∗ Juniper: (Critical) 2024-01 Security Bulletin: JSA Series: Multiple vulnerabilities resolved in JSA Applications ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-01-Security-Bulletin-JSA-S… ∗∗∗ Juniper: (Medium) 2024-01 Security Bulletin: JSA Series: Multiple vulnerabilities resolved in 7.5.0 UP7 IF04 ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-01-Security-Bulletin-JSA-S… ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (January 22, 2024 to January 28, 2024) ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2024/02/wordfence-intelligence-weekly-wordpr… ∗∗∗ AVEVA Edge products (formerly known as InduSoft Web Studio) ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-032-03 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 31.01.2024
by Daily end-of-shift report 31 Jan '24

31 Jan '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 30-01-2024 18:00 − Mittwoch 31-01-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Debian, Ubuntu und mehr: glibc-Schwachstelle ermöglicht Root-Zugriff unter Linux ∗∗∗ --------------------------------------------- Darüber hinaus wurden weitere Schwachstellen in der Gnu-C-Bibliothek aufgedeckt. Eine davon existiert wohl schon seit über 30 Jahren. --------------------------------------------- https://www.golem.de/news/debian-ubuntu-und-mehr-glibc-schwachstelle-ermoeg… ∗∗∗ Tracking 15 Years of Qakbot Development ∗∗∗ --------------------------------------------- Qakbot (aka QBot or Pinkslipbot) is a malware trojan that has been used to operate one of the oldest and longest running cybercriminal enterprises. Qakbot has evolved from a banking trojan to a malware implant that can be used for lateral movement and the eventual deployment of ransomware. In August 2023, the Qakbot infrastructure was dismantled by law enforcement. However, just several months later in December 2023, the fifth (and latest) version of Qakbot was released, [...] --------------------------------------------- https://www.zscaler.com/blogs/security-research/tracking-15-years-qakbot-de… ∗∗∗ Ransomware: Online-Tool entschlüsselt unter Umständen BlackCat & Co. ∗∗∗ --------------------------------------------- Stimmen die Voraussetzungen, können Ransomwareopfer auf einer Website Daten entschlüsseln, ohne Lösegeld zu zahlen. --------------------------------------------- https://www.heise.de/-9614278.html ∗∗∗ A zero-day vulnerability (and PoC) to blind defenses relying on Windows event logs ∗∗∗ --------------------------------------------- A zero-day vulnerability that, when triggered, could crash the Windows Event Log service on all supported (and some legacy) versions of Windows could spell trouble for enterprise defenders. Discovered by a security researcher named Florian and reported to Microsoft, the vulnerability is yet to be patched. In the meantime, the researcher has gotten the go-ahead from the company to publish a PoC exploit. --------------------------------------------- https://www.helpnetsecurity.com/2024/01/31/windows-event-log-vulnerability/ ∗∗∗ Cutting Edge: Suspected APT Targets Ivanti Connect Secure VPN in New Zero-Day Exploitation ∗∗∗ --------------------------------------------- Update (Jan. 31): We released a follow-up blog post containing additional details from our investigations into this threat, along with more recommendations for defenders. Note: This is a developing campaign under active analysis by Mandiant and Ivanti. We will continue to add more indicators, detections, and information to this blog post as needed. --------------------------------------------- https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-d… ∗∗∗ CISA and FBI Release Secure by Design Alert Urging Manufacturers to Eliminate Defects in SOHO Routers ∗∗∗ --------------------------------------------- Today, CISA and the Federal Bureau of Investigation (FBI) published guidance on Security Design Improvements for SOHO Device Manufacturers as a part of the new Secure by Design (SbD) Alert series that focuses on how manufacturers should shift the burden of security away from customers by integrating security into product design and development. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/01/31/cisa-and-fbi-release-sec… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (bind9 and glibc), Fedora (ncurses), Gentoo (containerd, libaom, and xorg-server, xwayland), Mageia (python-pillow and zlib), Oracle (grub2 and tomcat), Red Hat (avahi, c-ares, container-tools:3.0, curl, firefox, frr, kernel, kernel-rt, kpatch-patch, libfastjson, libmicrohttpd, linux-firmware, oniguruma, openssh, perl-HTTP-Tiny, python-pip, python-urllib3, python3, rpm, samba, sqlite, tcpdump, thunderbird, tigervnc, and virt:rhel and virt-devel:rhel modules), SUSE (python-Pillow, slurm, slurm_20_02, slurm_20_11, slurm_22_05, slurm_23_02, and xen), and Ubuntu (libde265, linux-nvidia, mysql-8.0, openldap, pillow, postfix, and xorg-server, xwayland). --------------------------------------------- https://lwn.net/Articles/960248/ ∗∗∗ Mattermost security updates 9.4.2 / 9.3.1 / 9.2.5 / 8.1.9 (ESR) released ∗∗∗ --------------------------------------------- We’re informing you about a Mattermost security update, which addresses low- to medium-level severity vulnerabilities. We highly recommend that you apply the update. --------------------------------------------- https://mattermost.com/blog/mattermost-security-updates-9-4-2-9-3-1-9-2-5-8… ∗∗∗ CISA ICS Advisories ∗∗∗ --------------------------------------------- - Hitron Systems Security Camera DVR - Rockwell Automation ControlLogix and GuardLogix - Rockwell Automation FactoryTalk Service Platform - Rockwell Automation LP30/40/50 and BM40 Operator Interface --------------------------------------------- https://www.cisa.gov/news-events/cybersecurity-advisories?f%5B0%5D=advisory… ∗∗∗ CISA Adds One Known Exploited Vulnerability to Catalog ∗∗∗ --------------------------------------------- CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2022-48618 Apple Multiple Products Improper Authentication Vulnerability --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/01/31/cisa-adds-one-known-expl… ∗∗∗ Security Advisory Report - OBSO-2401-03 ∗∗∗ --------------------------------------------- A Command injection vulnerability has been identified in the MyPortal@Work application of Atos OpenScape Business which, if successfully exploited, could allow a malicious actor to execute arbitrary scripts on a client machine. The severity is rated high. Customers are advised to update the systems with the available fix release. --------------------------------------------- https://networks.unify.com/security/advisories/OBSO-2401-03.pdf ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Google Chrome: Update schließt vier Sicherheitslücken ∗∗∗ --------------------------------------------- https://www.heise.de/-9613823.html ∗∗∗ SVD-2024-0112: Third-Party Package Updates in Splunk Add-on Builder - January 2024 ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2024-0112 ∗∗∗ SVD-2024-0111: Sensitive Information Disclosure to Internal Log Files in Splunk Add-on Builder ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2024-0111 ∗∗∗ SVD-2024-0110: Session Token Disclosure to Internal Log Files in Splunk Add-on Builder ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2024-0110 ∗∗∗ The WordPress 6.4.3 Security Update – What You Need to Know ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2024/01/the-wordpress-6-4-3-security-update-… ∗∗∗ Tor Code Audit Finds 17 Vulnerabilities ∗∗∗ --------------------------------------------- https://www.securityweek.com/tor-code-audit-finds-17-vulnerabilities/ ∗∗∗ Update #5: Kritische Sicherheitslücken in Ivanti Connect Secure und Ivanti Policy Secure - aktiv ausgenützt - Patches verfügbar ∗∗∗ --------------------------------------------- https://cert.at/de/warnungen/2024/1/kritische-sicherheitslucken-in-ivanti-c… ∗∗∗ List of Security Fixes and Improvements in Veeam Backup for Nutanix AHV ∗∗∗ --------------------------------------------- https://www.veeam.com/kb4236 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.01.2024
by Daily end-of-shift report 30 Jan '24

30 Jan '24

===================== = End-of-Day report = ===================== Timeframe: Montag 29-01-2024 18:00 − Dienstag 30-01-2024 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Ransomwareattacke: Hacker greifen interne Daten von Schneider Electric ab ∗∗∗ --------------------------------------------- Angeblich steckt die Ransomwaregruppe Cactus hinter dem Angriff. Sie hat offenbar mehrere TByte an Daten exfiltriert und fordert ein Lösegeld. --------------------------------------------- https://www.golem.de/news/ransomwareattacke-hacker-greifen-interne-daten-vo… ∗∗∗ What did I say to make you stop talking to me?, (Tue, Jan 30th) ∗∗∗ --------------------------------------------- We use Cowrie to emulate an SSH and Telnet server for our honeypots. Cowrie is great software maintained by Michel Oosterhof. --------------------------------------------- https://isc.sans.edu/diary/rss/30604 ∗∗∗ New ZLoader Malware Variant Surfaces with 64-bit Windows Compatibility ∗∗∗ --------------------------------------------- Threat hunters have identified a new campaign that delivers the ZLoader malware, resurfacing nearly two years after the botnets infrastructure was dismantled in April 2022. --------------------------------------------- https://thehackernews.com/2024/01/new-zloader-malware-variant-surfaces.html ∗∗∗ Is Your SAP Cloud Connector Safe? The Risk You Can’t Ignore ∗∗∗ --------------------------------------------- In this article, we will discuss security issues and provide recommendations to mitigate the risks associated with using SAP CC on the Windows platform. --------------------------------------------- https://redrays.io/blog/sap-cloud-connector-security/ ∗∗∗ Ransomware-Bericht: Immer weniger Opfer zahlen Lösegeld ∗∗∗ --------------------------------------------- Sicherheitsforscher zeigen aktuelle Trends bei Verschlüsselungstrojanern auf. Unter anderem schrumpfen die Summen von Lösegeldern. --------------------------------------------- https://www.heise.de/news/Ransomware-Bericht-Immer-weniger-Opfer-zahlen-Loe… ∗∗∗ Lieber nicht: Abnehm-Pillen von Keto Base ∗∗∗ --------------------------------------------- In einem gefälschten Online-Artikel werden Abnehm-Pillen von Keto Base beworben. Angeblich wurde dieses „Wundermittel“ zum schnellen Abnehmen in der TV-Show „Höhle des Löwen“ vorgestellt und finanziert. Dabei handelt es sich aber um Fake News. Dieses Angebot ist unseriös und schädigt im schlimmsten Fall Ihrer Gesundheit. --------------------------------------------- https://www.watchlist-internet.at/news/lieber-nicht-abnehm-pillen-von-keto-… ∗∗∗ Trigona Ransomware Threat Actor Uses Mimic Ransomware ∗∗∗ --------------------------------------------- AhnLab SEcurity intelligence Center (ASEC) has recently identified a new activity of the Trigona ransomware threat actor installing Mimic ransomware. --------------------------------------------- https://asec.ahnlab.com/en/61000/ ∗∗∗ DarkGate malware delivered via Microsoft Teams - detection and response ∗∗∗ --------------------------------------------- While most end users are well-acquainted with the dangers of traditional phishing attacks, such as those delivered via email or other media, a large proportion are likely unaware that Microsoft Teams chats could be a phishing vector. --------------------------------------------- https://cybersecurity.att.com/blogs/security-essentials/darkgate-malware-de… ===================== = Vulnerabilities = ===================== ∗∗∗ DLL Proxying: Trend Micro liefert Updates, weitere Hersteller angreifbar ∗∗∗ --------------------------------------------- Bei Antivirenprogrammen mehrerer Hersteller haben IT-Forscher DLL-Proxying-Schwachstellen gefunden. Trend Micro hat schon Updates. --------------------------------------------- https://www.heise.de/news/DLL-Proxying-Trend-Micro-liefert-Updates-weitere-… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (pillow, postfix, and redis), Fedora (python-templated-dictionary and selinux-policy), Red Hat (gnutls, kpatch-patch, libssh, and tomcat), and Ubuntu (amanda, ceph, linux-azure, linux-azure-4.15, linux-kvm, and tinyxml). --------------------------------------------- https://lwn.net/Articles/960008/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ XSA-450 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-450.html ∗∗∗ XSA-449 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-449.html ∗∗∗ Festo: Multiple products contain CoDe16 vulnerability ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-063/ ∗∗∗ Pilz: Vulnerabiiity in PASvisu and PMI v8xx ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-050/ ∗∗∗ Emerson Rosemount GC370XA, GC700XA, GC1500XA ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-030-01 ∗∗∗ Mitsubishi Electric FA Engineering Software Products ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-030-02 ∗∗∗ Mitsubishi Electric MELSEC WS Series Ethernet Interface Module ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-030-03 ∗∗∗ Zyxel security advisory for post-authentication command injection vulnerability in NAS products ∗∗∗ --------------------------------------------- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.01.2024
by Daily end-of-shift report 29 Jan '24

29 Jan '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 26-01-2024 18:00 − Montag 29-01-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Token-Leak: Quellcode von Mercedes-Benz lag wohl frei zugänglich im Netz ∗∗∗ --------------------------------------------- Ein Authentifizierungstoken von Mercedes-Benz lag wohl für mehrere Monate in einem öffentlichen Github-Repository - mit weitreichenden Zugriffsrechten. --------------------------------------------- https://www.golem.de/news/token-leak-quellcode-von-mercedes-benz-lag-wohl-f… ∗∗∗ Exploit Flare Up Against Older Altassian Confluence Vulnerability, (Mon, Jan 29th) ∗∗∗ --------------------------------------------- Last October, Atlassian released a patch for CVE-2023-22515 [1]. This vulnerability allowed attackers to create new admin users in Confluence. Today, I noticed a bit a "flare up" in a specific exploit variant. --------------------------------------------- https://isc.sans.edu/diary/rss/30600 ∗∗∗ Trusted Domain, Hidden Danger: Deceptive URL Redirections in Email Phishing Attacks ∗∗∗ --------------------------------------------- In this ever-evolving landscape of cyberthreats, email has become a prime target for phishing attacks. Cybercriminals continue to adapt and employ more sophisticated methods to effectively deceive users and bypass detection measures. One of the most prevalent tactics nowadays involves exploiting legitimate platforms for redirection through deceptive links. In this blog post, well explore how trusted platforms are increasingly being exploited as redirectors, [...] --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trusted-dom… ∗∗∗ Albabat, Kasseika, Kuiper: New Ransomware Gangs Rise with Rust and Golang ∗∗∗ --------------------------------------------- Cybersecurity researchers have detected in the wild yet another variant of the Phobos ransomware family known as Faust. Fortinet FortiGuard Labs, which detailed the latest iteration of the ransomware, said its being propagated by means of an infection that delivers a Microsoft Excel document (.XLAM) containing a VBA script. --------------------------------------------- https://thehackernews.com/2024/01/albabat-kasseika-kuiper-new-ransomware.ht… ∗∗∗ Jetzt updaten! Exploits für kritische Jenkins-Sicherheitslücke im Umlauf ∗∗∗ --------------------------------------------- Für die in der vergangenen Woche bekanntgewordene kritische Sicherheitslücke in Jenkins ist Exploit-Code aufgetaucht. Höchste Zeit zum Aktualisieren! --------------------------------------------- https://www.heise.de/-9611923.html ∗∗∗ Erpressung in Südwestfalen: Akira kam mit geratenem Passwort ins kommunale Netz ∗∗∗ --------------------------------------------- Ein nun vorliegender forensischer Bericht stellt dem kommunalen IT-Verbund ein mittelprächtiges Zeugnis aus. Die Krisenbewältigung läuft weiter. --------------------------------------------- https://www.heise.de/-9610102.html ∗∗∗ 10 things to do to improve your online privacy ∗∗∗ --------------------------------------------- Its Data Privacy Week so here are 10 tips from our VP of Consumer Privacy, Oren Arar, about how to stay private online. --------------------------------------------- https://www.malwarebytes.com/blog/personal/2024/01/10-things-to-do-to-impro… ∗∗∗ So werden Sie bei der Wohnungssuche abgezockt ∗∗∗ --------------------------------------------- Zentrale Lage, frisch renoviert, hochwertige Möbel - und das vergleichsweise günstig. Wer auf Wohnungssuche ist, stößt früher oder später auf ein solches Angebot und ist überwältigt. Leider handelt es sich hierbei sehr wahrscheinlich um ein betrügerisches Inserat. Kriminelle versuchen Ihnen mit einmaligen Angeboten, Vorauszahlungen zu entlocken. Wir zeigen Ihnen, wie Sie bei der Wohnungssuche nicht betrogen werden. --------------------------------------------- https://www.watchlist-internet.at/news/so-werden-sie-bei-der-wohnungssuche-… ∗∗∗ Akira Ransomware and exploitation of Cisco Anyconnect vulnerability CVE-2020-3259 ∗∗∗ --------------------------------------------- In several recent incident response missions, the Truesec CSIRT team made forensic observations indicating that the old vulnerability CVE-2020-3259 is likely to be actively exploited --------------------------------------------- https://www.truesec.com/hub/blog/akira-ransomware-and-exploitation-of-cisco… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (gstreamer-plugins-bad-free, java-1.8.0-openjdk, java-11-openjdk, kernel, LibRaw, python-pillow, and xorg-x11-server), Debian (gst-plugins-bad1.0, libspreadsheet-parsexlsx-perl, mariadb-10.3, and slurm-wlm), Fedora (atril, dotnet8.0, gnutls, prometheus-podman-exporter, python-jinja2, sudo, and vips), Oracle (frr, kernel, php:8.1, python-urllib3, python3.9, rpm, sqlite, and tomcat), Slackware (pam), SUSE (cpio, rear23a, rear27a, sevctl, and xorg-x11-server), and Ubuntu (exim4 and firefox). --------------------------------------------- https://lwn.net/Articles/959882/ ∗∗∗ Vulnerabilities in WatchGuard, Panda Security Products Lead to Code Execution ∗∗∗ --------------------------------------------- Two memory safety vulnerabilities in WatchGuard and Panda Security products could lead to code execution with System privileges. --------------------------------------------- https://www.securityweek.com/vulnerabilities-in-watchguard-panda-security-p… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Trumpf: Multiple products contain WIBU CodeMeter vulnerabilities ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2024-001/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.01.2024
by Daily end-of-shift report 26 Jan '24

26 Jan '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 25-01-2024 18:00 − Freitag 26-01-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Über Push-Benachrichtigungen: Prominente iOS-Apps spähen heimlich Gerätedaten aus ∗∗∗ --------------------------------------------- Zu den Datensammlern zählen wohl iOS-Apps namhafter Onlinedienste wie Tiktok, Facebook, Instagram, Threads, Linkedin, Bing und X. --------------------------------------------- https://www.golem.de/news/ueber-push-benachrichtigungen-prominente-ios-apps… ∗∗∗ MFA war inaktiv: Microsoft deckt auf, wie Hacker an interne Mails kamen ∗∗∗ --------------------------------------------- Die Angreifer haben laut Microsoft zuerst einen Testaccount mit inaktiver MFA infiltriert - unter Einsatz einer Proxy-Infrastruktur. --------------------------------------------- https://www.golem.de/news/mfa-war-inaktiv-microsoft-deckt-auf-wie-hacker-an… ∗∗∗ Präparierte URL kann für Juniper-Firewalls und Switches gefährlich werden ∗∗∗ --------------------------------------------- Entwickler von Juniper haben in Junos OS mehrere Sicherheitslücken geschlossen. Noch sind aber nicht alle Updates verfügbar. --------------------------------------------- https://www.heise.de/-9609333.html ∗∗∗ Verwirrend: Internet-Domain fritz.box zeigt NFT-Galerie statt Router-Verwaltung ∗∗∗ --------------------------------------------- Bereits vor einer Woche haben Unbekannte die Domain "fritz.box" für sich registriert. Ihr Vorhaben ist unklar, Fritz-Besitzer sollten sich vorsehen. --------------------------------------------- https://www.heise.de/-9610149.html ∗∗∗ Blackwood hackers hijack WPS Office update to install malware ∗∗∗ --------------------------------------------- A previously unknown advanced threat actor tracked as Blackwood is using sophisticated malware called NSPX30 in cyberespionage attacks against companies and individuals. --------------------------------------------- https://www.bleepingcomputer.com/news/security/blackwood-hackers-hijack-wps… ∗∗∗ Midnight Blizzard: Guidance for responders on nation-state attack ∗∗∗ --------------------------------------------- The Microsoft security team detected a nation-state attack on our corporate systems on January 12, 2024, and immediately activated our response process to investigate, disrupt malicious activity, mitigate the attack, and deny the threat actor further access. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-… ∗∗∗ A Batch File With Multiple Payloads, (Fri, Jan 26th) ∗∗∗ --------------------------------------------- Windows batch files (.bat) are often seen by people as very simple but they can be pretty complex or.. contain interesting encoded payloads! I found one that contains multiple payloads decoded and used by a Powershell process. The magic is behind how comments can be added to such files. --------------------------------------------- https://isc.sans.edu/diary/rss/30592 ∗∗∗ Erbschaft per SMS: Ignorieren Sie diese betrügerische Nachricht ∗∗∗ --------------------------------------------- Immer wieder warnen wir vor E-Mails, in denen Betrüger:innen das große Geld versprechen: Millionengewinne, eine Spende oder eine Erbschaft sollen die Empfänger:innen plötzlich reich machen. Aktuell setzen Kriminelle jedoch nicht nur auf E-Mails, sondern auch auf SMS, um mit potenziellen Opfern in Kontakt zu treten. Danach läuft die Masche wie gewohnt ab: Mit Angeboten, die zu schön sind, um wahr zu sein, werden gutgläubige Opfer um ihr Geld gebracht. --------------------------------------------- https://www.watchlist-internet.at/news/erbschaft-per-sms-ignorieren-sie-die… ∗∗∗ Assessing and mitigating supply chain cybersecurity risks ∗∗∗ --------------------------------------------- Blindly trusting your partners and suppliers on their security posture is not sustainable – it’s time to take control through effective supplier risk management --------------------------------------------- https://www.welivesecurity.com/en/business-security/assessing-mitigating-cy… ∗∗∗ Cybersecurity for Industrial Control Systems: Best practices ∗∗∗ --------------------------------------------- Network segmentation, software patching, and continual threats monitoring are key cybersecurity best practices for Industrial Control Systems (ICS). --------------------------------------------- https://cybersecurity.att.com/blogs/security-essentials/cybersecurity-for-i… ∗∗∗ Guidance: Assembling a Group of Products for SBOM ∗∗∗ --------------------------------------------- Today, CISA published Guidance on Assembling a Group of Products created by the Software Bill of Materials (SBOM) Tooling & Implementation Working Group, one of the five SBOM community-driven workstreams facilitated by CISA. CISA’s community-driven working groups publish documents and reports to advance and refine SBOM and ultimately promote adoption. Specifically, software producers often need to assemble and test products together before releasing them to customers. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/01/26/guidance-assembling-grou… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Unified Communications Products Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- Version 1.1 - Updated list of affected products and products confirmed not vulnerable. --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Jenkins CLI PoC CVE-2024-23897 ∗∗∗ --------------------------------------------- Remote Code Execution: Jenkins CLI arbitrary read (CVE-2024-23897 applies to versions below 2.442 and LTS 2.426.3) --------------------------------------------- https://github.com/gquere/pwn_jenkins/blob/master/README.md#jenkins-cli-arb… ∗∗∗ Microsoft Edge 121 unterstützt moderne Codecs und stopft Sicherheitslecks ∗∗∗ --------------------------------------------- Microsoft hat den Webbrowser Edge in Version 121 herausgegeben. Sie stopft eine kritische Sicherheitslücke und liefert Support für AV1-Videos. --------------------------------------------- https://www.heise.de/-9609475.html ∗∗∗ Diesmal bitte patchen: Security-Update behebt kritische Schwachstelle in GitLab ∗∗∗ --------------------------------------------- GitLab 16.x enthält fünf Schwachstellen, von denen eine als kritisch eingestuft ist. Patchen ist nicht selbstverständlich, wie jüngst eine Untersuchung zeigte. --------------------------------------------- https://www.heise.de/-9609319.html ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (xorg-server), Fedora (chromium, dotnet8.0, firefox, freeipa, and thunderbird), Red Hat (avahi, c-ares, curl, edk2, expat, freetype, frr, git, gnutls, grub2, kernel, kernel-rt, libcap, libfastjson, libssh, libtasn1, libxml2, linux-firmware, ncurses, oniguruma, openssh, openssl, perl-HTTP-Tiny, protobuf-c, python-urllib3, python3, python3.9, rpm, samba, shadow-utils, sqlite, tcpdump, tomcat, and virt:rhel and virt-devel:rhel modules), SUSE (cpio, jasper, rear23a, thunderbird, and xorg-x11-server), and Ubuntu (jinja2, kernel, linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-kvm, linux-lowlatency-hwe-5.15, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-6.2, linux-azure, linux-azure-6.2, linux-azure-fde-6.2, linux-gcp, linux-hwe-6.5, linux-laptop, linux-lowlatency, linux-lowlatency-hwe-6.5, linux-oem-6.5, linux-oracle, linux-raspi, linux-starfive, linux, linux-aws, linux-aws-hwe, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-aws, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-oem-6.1, and mariadb, mariadb-10.3, mariadb-10.6). --------------------------------------------- https://lwn.net/Articles/959640/ ∗∗∗ 2024-01 Reference Advisory: Junos OS and Junos OS Evolved: Impact of Terrapin SSH Attack (CVE-2023-48795) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-01-Reference-Advisory-Juno… ∗∗∗ 2024-01 Out-of-Cycle Security Bulletin: Junos OS: SRX Series and EX Series: Multiple vulnerabilities in J-Web have been addressed ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-01-Out-of-Cycle-Security-B… ∗∗∗ Security Vulnerabilities fixed in Focus for iOS 122 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2024-03/ ∗∗∗ Open redirect in parameter might affect IBM Storage Defender Data Protect. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7106918 ∗∗∗ AIX is vulnerable to a denial of service (CVE-2023-5678, CVE-2023-6129, CVE-2023-6237) and an attacker may obtain sensitive information (CVE-2023-5363) due to OpenSSL ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7111837 ∗∗∗ IBM Sterling Connect:Direct for UNIX is vulnerable to multiple issues due to Eclipse Jetty. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7111880 ∗∗∗ Vulnerabilities in GNU Binutils, Bootstrap, PortSmash, Node.js, and libarchive might affect IBM Storage Defender Data Protect. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7091980 ∗∗∗ Multiple vulnerabilities in IBM Semeru Runtime may affect IBM Decision Optimization for IBM Cloud Pak for Data (CVE-2023-22006, CVE-2023-22036 & CVE-2023-22049) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7112089 ∗∗∗ IBM Security Directory Integrator affected by multiple vulnerabilities affecting IBM Java SDK ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7047118 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.01.2024
by Daily end-of-shift report 25 Jan '24

25 Jan '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 24-01-2024 18:00 − Donnerstag 25-01-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ New CherryLoader Malware Mimics CherryTree to Deploy PrivEsc Exploits ∗∗∗ --------------------------------------------- A new Go-based malware loader called CherryLoader has been discovered by threat hunters in the wild to deliver additional payloads onto compromised hosts for follow-on exploitation. --------------------------------------------- https://thehackernews.com/2024/01/new-cherryloader-malware-mimics.html ∗∗∗ SystemBC Malwares C2 Server Analysis Exposes Payload Delivery Tricks ∗∗∗ --------------------------------------------- Cybersecurity researchers have shed light on the command-and-control (C2) server of a known malware family called SystemBC. --------------------------------------------- https://thehackernews.com/2024/01/systembc-malwares-c2-server-analysis.html ∗∗∗ Memory Scanning for the Masses ∗∗∗ --------------------------------------------- In this blog post we will go into a user-friendly memory scanning Python library that was created out of the necessity of having more control during memory scanning. --------------------------------------------- https://research.nccgroup.com/2024/01/25/memory-scanning-for-the-masses/ ∗∗∗ ADCS Attack Paths in BloodHound — Part 1 ∗∗∗ --------------------------------------------- This blog post details the ESC1 domain escalation requirements and explains how BloodHound incorporates the relevant components. --------------------------------------------- https://posts.specterops.io/adcs-attack-paths-in-bloodhound-part-1-799f3d3b… ∗∗∗ CERT.at/GovCERT Austria PGP Teamkey Rotation ∗∗∗ --------------------------------------------- Da diese in einem Monat ablaufen, haben wir gestern neue PGP Keys für team(a)cert.at, reports(a)cert.at, team(a)govcert.gv.at sowie reports(a)govcert.gv.at generiert und ausgerollt. --------------------------------------------- https://cert.at/de/aktuelles/2024/1/certatgovcert-austria-pgp-teamkey-rotat… ∗∗∗ Ablauf einer Schwachstellen-Information durch CERT.at am Beispiel Ivanti Connect Secure VPN (CVE-2024-21887, CVE-2023-46805) ∗∗∗ --------------------------------------------- Nach der Veröffentlichung begann nun der normale Prozess für CERTs weltweit, ebenso natürlich für CERT.at ... die Verbreitung der Information über die Schwachstellen vorzubreiten beziehungsweise zu finalisieren. Die CERTs veröffentlichten und sendeten ihre Warnung aus. Unsere Warnung, die laufend aktualisiert wird, wurde Donnerstag 11.01.24 gegen Mittag ins Netz gestellt, über den freien RSS-Feed für Abonnenten zugänglich gemacht und ausgesandt. --------------------------------------------- https://cert.at/de/blog/2024/1/ablauf-einer-schwachstellen-information-durc… ===================== = Vulnerabilities = ===================== ∗∗∗ Konfigurationsfehler: Unzählige Kubernetes-Cluster sind potenziell angreifbar ∗∗∗ --------------------------------------------- Viele Nutzer räumen der Gruppe system:authenticated ihres GKE-Clusters aufgrund einer Fehlannahme zu viele Rechte ein - mit gravierenden Folgen. --------------------------------------------- https://www.golem.de/news/konfigurationsfehler-unzaehlige-kubernetes-cluste… ∗∗∗ Trend Micro Apex Central: Update schließt im zweiten Anlauf Sicherheitslücken ∗∗∗ --------------------------------------------- Mehrere Sicherheitslücken in Trend Micros Apex Central ermöglichen Angreifern etwa, Schadcode einzuschleusen. Ein erstes Update machte Probleme. --------------------------------------------- https://www.heise.de/news/Trend-Micro-Apex-Central-Update-schliesst-im-zwei… ∗∗∗ Tausende Gitlab-Server noch für Zero-Click-Kontoklau anfällig ∗∗∗ --------------------------------------------- IT-Forscher haben das Netz durchforstet und dabei mehr als 5000 verwundbare Gitlab-Server gefunden. Angreifer können dort einfach Konten übernehmen. --------------------------------------------- https://www.heise.de/news/Tausende-Gitlab-Server-noch-fuer-Zero-Click-Konto… ∗∗∗ Cisco: Lücke erlaubt komplette Übernahme von Unified Communication-Produkten ∗∗∗ --------------------------------------------- Cisco warnt vor einer kritischen Lücke in Unified Communication-Produkten, durch die Angreifer die Kontrolle übernehmen können. --------------------------------------------- https://www.heise.de/news/Cisco-Luecke-erlauben-komplette-Uebernahme-von-Un… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, firefox-esr, php-phpseclib, phpseclib, thunderbird, and zabbix), Fedora (dotnet7.0, firefox, fonttools, and python-jinja2), Mageia (avahi and chromium-browser-stable), Oracle (java-1.8.0-openjdk, java-11-openjdk, LibRaw, openssl, and python-pillow), Red Hat (gnutls, kpatch-patch, php:8.1, and squid:4), SUSE (apache-parent, apache-sshd, bluez, cacti, cacti-spine, erlang, firefox, java-11-openjdk, opera, python-Pillow, tomcat, tomcat10, [...] --------------------------------------------- https://lwn.net/Articles/959455/ ∗∗∗ Potentielle Remote Code Execution in Jenkins - Patch verfügbar ∗∗∗ --------------------------------------------- Mit der neuesten Version der CI/CD-Plattform Jenkins haben die Entwickler:innen neun Sicherheitslücken behoben - darunter befindet sich auch eine kritische Schwachstelle, CVE-2024-23987. --------------------------------------------- https://cert.at/de/aktuelles/2024/1/potentielle-remote-code-execution-in-je… ∗∗∗ Swift Mailer - Moderately critical - Access bypass - SA-CONTRIB-2024-006 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2024-006 ∗∗∗ Open Social - Moderately critical - Information Disclosure - SA-CONTRIB-2024-005 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2024-005 ∗∗∗ Open Social - Moderately critical - Access bypass - SA-CONTRIB-2024-004 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2024-004 ∗∗∗ Two-factor Authentication (TFA) - Moderately critical - Access bypass - SA-CONTRIB-2024-003 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2024-003 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Publish SBA-ADV-20200707-02: CloudLinux CageFS Insufficiently Restric… ∗∗∗ --------------------------------------------- https://github.com/sbaresearch/advisories/commit/fd86295907334f9cd81d8c1a7f… ∗∗∗ Publish SBA-ADV-20200707-01: CloudLinux CageFS Token Disclosure ∗∗∗ --------------------------------------------- https://github.com/sbaresearch/advisories/commit/c2db0b1da76486e2876f1c64f9… ∗∗∗ SystemK NVR 504/508/516 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-025-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.01.2024
by Daily end-of-shift report 24 Jan '24

24 Jan '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 23-01-2024 18:00 − Mittwoch 24-01-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Firefox: Passkey-Unterstützung und Sicherheitsfixes ∗∗∗ --------------------------------------------- Die Version 122 von Firefox kann mit Passkeys umgehen. Außerdem schließen die Entwickler darin wie in Firefox ESR und Thunderbird 115.7 Sicherheitslecks. --------------------------------------------- https://www.heise.de/-9606909 ∗∗∗ "Mother of all Breaches": 26 Milliarden altbekannte Datensätze ∗∗∗ --------------------------------------------- Was die Entdecker als "Mutter aller Lücken" bezeichnen, entpuppt sich laut dem "Have I Been Pwned"- Gründer Troy Hunt als Sammlung längst bekannter Daten. --------------------------------------------- https://www.heise.de/-9604882 ∗∗∗ Trello API abused to link email addresses to 15 million accounts ∗∗∗ --------------------------------------------- An exposed Trello API allows linking private email addresses with Trello accounts, enabling the creation of millions of data profiles containing both public and private information. --------------------------------------------- https://www.bleepingcomputer.com/news/security/trello-api-abused-to-link-em… ∗∗∗ Cybercrime’s Silent Operator: The Unraveling of VexTrio’s Malicious Network Empire ∗∗∗ --------------------------------------------- VexTrio is a massive and complex malicious TDS (traffic direction system) organization. It has a network of more than 60 affiliates that divert traffic into VexTrio, while it also operates its own TDS network. While aspects of the operation have been discovered and analyzed by different researchers, the core network has remained largely unknown. --------------------------------------------- https://www.securityweek.com/cybercrimes-silent-operator-the-unraveling-of-… ∗∗∗ Orca Flags Dangerous Google Kubernetes Engine Misconfiguration ∗∗∗ --------------------------------------------- A misconfiguration in Google Kubernetes Engine (GKE) could allow attackers to take over Kubernetes clusters and access sensitive information, according to a warning from cloud security startup Orca Security. The issue is related to the privileges granted to users in the system:authenticated group, which includes all users with a Google account, although it could be mistakenly believed to include only verified identities. --------------------------------------------- https://www.securityweek.com/orca-flags-dangerous-google-kubernetes-engine-… ∗∗∗ PC- und Online-Gamer:innen: Vorsicht beim Account-Handel über Marktplätze! ∗∗∗ --------------------------------------------- Aktuell erreichen uns immer wieder Meldungen zu betrügerischen Angeboten im Gaming-Bereich auf Marktplätzen wie difmark.com oder in diversen Internet-Foren. Kriminelle bieten dort unter anderem Gaming-Accounts und Nutzungsprofile an. Das Problem: Diese dürften laut Nutzungsbedingungen eigentlich gar nicht verkauft werden und Sperren sind möglich. Auch nach erfolgreichen Käufen lauern noch Fallen, durch die Spielende plötzlich durch die Finger schauen können. --------------------------------------------- https://www.watchlist-internet.at/news/pc-und-online-gamerinnen-vorsicht-be… ∗∗∗ Update #3: Kritische Sicherheitslücken in Ivanti Connect Secure und Ivanti Policy Secure - aktiv ausgenützt ∗∗∗ --------------------------------------------- Update #3: 24. Jänner 2024: Mandiant und Volexity berichten davon, Exploits gegen diese Sicherheitslücken bereits Anfang Dezember 2023 beobachtet zu haben. Es empfiehlt sich daher, gegebenenfalls den Zeitraum etwaiger Untersuchungen auf stattgefundene Angriffsversuche zumindest bis inklusive Dezember 2023 auszudehnen. --------------------------------------------- https://cert.at/de/warnungen/2024/1/kritische-sicherheitslucken-in-ivanti-c… ===================== = Vulnerabilities = ===================== ∗∗∗ Fortra GoAnywhere MFT: Kritische Lücke macht Angreifer zu Admins ∗∗∗ --------------------------------------------- Jetzt patchen! Es ist Exploitcode für die Dateiübertragungslösung Fortra GoAnywhere MFT in Umlauf. --------------------------------------------- https://www.heise.de/-9606659 ∗∗∗ Codeschmuggel-Lücke in HPE Oneview ∗∗∗ --------------------------------------------- Mehrere Sicherheitslücken in der IT-Infrastrukturverwaltung HPE Oneview ermöglichen Angreifern, etwa Schadcode einzuschleusen. Updates stehen bereit. --------------------------------------------- https://www.heise.de/-9607490 ∗∗∗ Chrome-Update dichtet 17 Sicherheitslecks ab ∗∗∗ --------------------------------------------- Googles Entwickler aktualisieren den Chrome-Webbrowser und schließen 17 Sicherheitslücken darin. Einige ermöglichen wohl Codeschmuggel. --------------------------------------------- https://www.heise.de/-9606618 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (jinja2, openjdk-11, ruby-httparty, and xorg-server), Fedora (ansible-core and mingw-jasper), Gentoo (GOCR, Ruby, and sudo), Oracle (gstreamer-plugins-bad-free, java-17-openjdk, java-21-openjdk, python-cryptography, and xorg-x11-server), Red Hat (kernel, kernel-rt, kpatch-patch, LibRaw, python-pillow, and python-pip), Slackware (mozilla), SUSE (python-Pillow, rear118a, and redis7), and Ubuntu (libapache-session-ldap-perl and pycryptodome). --------------------------------------------- https://lwn.net/Articles/959325/ ∗∗∗ Cisco Unified Communications Products Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in multiple Cisco Unified Communications and Contact Center Solutions products could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. CVE-2024-20253, CVSS Score: Base 9.9 --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Unity Connection Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Small Business Series Switches Stacked Reload ACL Bypass Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ High Severity Arbitrary File Upload Vulnerability Patched in File Manager Pro WordPress Plugin ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2024/01/high-severity-arbitrary-file-upload-… ∗∗∗ APsystems Energy Communication Unit (ECU-C) Power Control Software ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-023-01 ∗∗∗ CISA Adds One Known Exploited Vulnerability to Catalog ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/01/24/cisa-adds-one-known-expl… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.01.2024
by Daily end-of-shift report 23 Jan '24

23 Jan '24

===================== = End-of-Day report = ===================== Timeframe: Montag 22-01-2024 18:00 − Dienstag 23-01-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ MavenGate Attack Could Let Hackers Hijack Java and Android via Abandoned Libraries ∗∗∗ --------------------------------------------- Several public and popular libraries abandoned but still used in Java and Android applications have been found susceptible to a new software supply chain attack method called MavenGate. --------------------------------------------- https://thehackernews.com/2024/01/hackers-hijack-popular-java-and-android.h… ∗∗∗ Cactus Ransomware malware analysis ∗∗∗ --------------------------------------------- On January 20th the Cactus ransomware group attacked a number of victims across varying industries. The attacks were disclosed on their leak site with the accompanying victim data. --------------------------------------------- https://www.shadowstackre.com/analysis/cactus ∗∗∗ Vorsicht vor Peek & Cloppenburg Fake-Shops ∗∗∗ --------------------------------------------- Auf Facebook und Instagram werden gefälschte Angebote vom Modehaus „Peek & Cloppenburg“ beworben. In den gefälschten Werbeanzeigen werden Rabatte bis zu 90 % versprochen. Wenn Sie auf die Anzeige klicken, landen Sie in einem betrügerischen Shop, mit einer glaubwürdigen Internetadresse: „peek-cloppenburgsale.shop“. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-peek-cloppenburg-fake-s… ∗∗∗ Threat Assessment: BianLian ∗∗∗ --------------------------------------------- We analyze the extremely active ransomware group BianLian. Mostly targeting healthcare, they have moved from double-extortion to extortion without encryption. --------------------------------------------- https://unit42.paloaltonetworks.com/bianlian-ransomware-group-threat-assess… ∗∗∗ Conditional QR Code Routing Attacks ∗∗∗ --------------------------------------------- Over the summer, we saw a somewhat unexpected rise in QR-code based phishing attacks. These attacks were all fairly similar. The main goal was to induce the end-user to scan the QR Code, where they would be redirected to a credential harvesting page. --------------------------------------------- https://blog.checkpoint.com/harmony-email/conditional-qr-code-routing-attac… ∗∗∗ Lazarus Group Uses the DLL Side-Loading Technique (2) ∗∗∗ --------------------------------------------- Through the “Lazarus Group Uses the DLL Side-Loading Technique” [1] blog post, AhnLab SEcurity intelligence Center(ASEC) has previously covered how the Lazarus group used the DLL side-loading attack technique using legitimate applications in the initial access stage to achieve the next stage of their attack process. --------------------------------------------- https://asec.ahnlab.com/en/60792/ ∗∗∗ Kasseika Ransomware Deploys BYOVD Attacks, Abuses PsExec and Exploits Martini Driver ∗∗∗ --------------------------------------------- In this blog, we detail our investigation of the Kasseika ransomware and the indicators we found suggesting that the actors behind it have acquired access to the source code of the notorious BlackMatter ransomware. --------------------------------------------- https://www.trendmicro.com/en_us/research/24/a/kasseika-ransomware-deploys-… ===================== = Vulnerabilities = ===================== ∗∗∗ Fortra warns of new critical GoAnywhere MFT auth bypass, patch now ∗∗∗ --------------------------------------------- Fortra is warning of a new authentication bypass vulnerability impacting GoAnywhere MFT (Managed File Transfer) versions before 7.4.1 that allows an attacker to create a new admin user. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fortra-warns-of-new-critical… ∗∗∗ Exploiting 0-click Android Bluetooth vulnerability to inject keystrokes without pairing ∗∗∗ --------------------------------------------- A recently discovered critical vulnerabilities (CVE-2023-45866, CVE-2024-21306) in Bluetooth can be exploited to inject keystrokes without user confirmation – by accepting any Bluetooth pairing request. --------------------------------------------- https://www.mobile-hacker.com/2024/01/23/exploiting-0-click-android-bluetoo… ∗∗∗ Sicherheitsfixes: Apple aktualisiert ältere Systeme – und räumt Zero Days ein ∗∗∗ --------------------------------------------- Apple hat neben macOS 14.3 und iOS 17.3 auch neue Versionen von iOS 15, 16, macOS 12 und 13 sowie Safari veröffentlicht. Es gab einen erneuten Zero-Day-Exploit. --------------------------------------------- https://www.heise.de/news/Sicherheitsfixes-Apple-aktualisiert-aeltere-Syste… ∗∗∗ Konfigurationsübertragung kann Behelfslösung zum Schutz von Ivanti ICS aufheben ∗∗∗ --------------------------------------------- Bislang können Admins Ivanti Connect Secure und Policy Secure nur über einen Workaround vor laufenden Attacken schützen. Dieser funktioniert aber nicht immer. --------------------------------------------- https://www.heise.de/news/Konfigurationsuebertragung-kann-Behelfsloesung-zu… ∗∗∗ Barracuda WAF: Kritische Sicherherheitslücken ermöglichen Umgehung des Schutzes ∗∗∗ --------------------------------------------- Barracuda hat einen Sicherheitshinweis bezüglich der Web Application Firewall veröffentlicht. Sicherheitslücken ermöglichen das Umgehen des Schutzes. --------------------------------------------- https://www.heise.de/news/Barracuda-WAF-Kritische-Sicherherheitsluecken-erm… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (kodi and squid), Fedora (ansible-core, java-latest-openjdk, mingw-python-jinja2, openssh, and pgadmin4), Gentoo (Apache XML-RPC), Red Hat (gnutls and xorg-x11-server), Slackware (postfix), SUSE (bluez and openssl-3), and Ubuntu (gnutls28, libssh, and squid). --------------------------------------------- https://lwn.net/Articles/959127/ ∗∗∗ Splunk Security Advisories 2024-01-22 ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ XSA-448 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-448.html ∗∗∗ Security Vulnerabilities fixed in Thunderbird 115.7 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2024-04/ ∗∗∗ Security Vulnerabilities fixed in Firefox ESR 115.7 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2024-02/ ∗∗∗ Security Vulnerabilities fixed in Firefox 122 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/ ∗∗∗ TRUMPF: Oseon contains vulnerable version of OpenSSL 1.1.x ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2024-006/ ∗∗∗ TRUMPF: Multiple products include a vulnerable version of Notepad++ ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2024-003/ ∗∗∗ TRUMPF: Multiple products contain vulnerable version of 7-zip ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2024-005/ ∗∗∗ Citrix Hypervisor Security Bulletin for CVE-2023-46838 ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX587605/citrix-hypervisor-security-bul… ∗∗∗ Crestron AM-300 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-023-02 ∗∗∗ Lantronix XPort ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-023-05 ∗∗∗ Voltronic Power ViewPower Pro ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-023-03 ∗∗∗ Orthanc Osimis DICOM Web Viewer ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-023-01 ∗∗∗ APsystems Energy Communication Unit (ECU-C) Power Control Software ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-023-01 ∗∗∗ Westermo Lynx 206-F2G ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-023-04 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.01.2024
by Daily end-of-shift report 22 Jan '24

22 Jan '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 19-01-2024 18:00 − Montag 22-01-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Cracked software beats gold: new macOS backdoor stealing cryptowallets ∗∗∗ --------------------------------------------- We review a new macOS backdoor that piggybacks on cracked software to replace Bitcoin and Exodus wallets with malware. --------------------------------------------- https://securelist.com/new-macos-backdoor-crypto-stealer/111778/ ∗∗∗ Apache ActiveMQ Flaw Exploited in New Godzilla Web Shell Attacks ∗∗∗ --------------------------------------------- Cybersecurity researchers are warning of a "notable increase" in threat actor activity actively exploiting a now-patched flaw in Apache ActiveMQ to deliver the Godzilla web shell on compromised hosts. --------------------------------------------- https://thehackernews.com/2024/01/apache-activemq-flaw-exploited-in-new.html ∗∗∗ Confluence: Kritische Sicherheitslücke in veralteten Versionen wird ausgenutzt ∗∗∗ --------------------------------------------- Wie das Shadowserver-Projekt auf Mastodon meldet, durchpflügen Angreifer derzeit von 600 verschiedenen IP-Adressen das Netz nach möglichen Opfern. Eine simple HTTP-POST-Anfrage genügt, um die Sicherheitslücke auszunutzen und den Confluence-Server zu übernehmen. [..] Der Hersteller wies seine Kunden bereits am vergangenen Dienstag auf die Sicherheitslücke hin, die er wie 27 weitere im Rahmen des Atlassian-Patchday behoben hat. --------------------------------------------- https://www.heise.de/-9605028 ∗∗∗ VMware vCenter Server seit Monaten über CVE-2023-3404 angegriffen; Attacken weiten sich aus ∗∗∗ --------------------------------------------- Inzwischen hat auch VMware bestätigt, dass eine im Oktober 2023 gepatchte vCenter Server-Sicherheitslücke jetzt aktiv ausgenutzt wird. vCenter Server ist die Management-Plattform für VMware vSphere-Umgebungen, die Administratoren bei der Verwaltung von ESX- und ESXi-Servern und virtuellen Maschinen (VMs) unterstützt. [..] Sicherheitsforscher von Mandiant haben in diesem Beitrag offen gelegt, dass die chinesische Spionage-Gruppe UNC3886 diese Schwachstelle CVE-2023-34048 längst kannte und diese seit mindestens Ende 2021 aktiv angegriffen habe. --------------------------------------------- https://www.borncity.com/blog/2024/01/22/vmware-vcenter-server-seit-monaten… ∗∗∗ NS-STEALER Uses Discord Bots to Exfiltrate Your Secrets from Popular Browsers ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered a new Java-based "sophisticated" information stealer that uses a Discord bot to exfiltrate sensitive data from compromised hosts. The malware, named NS-STEALER, is propagated via ZIP archives masquerading as cracked software, Trellix security researcher Gurumoorthi Ramanathan said in an analysis published last week. --------------------------------------------- https://thehackernews.com/2024/01/ns-stealer-uses-discord-bots-to.html ∗∗∗ Domain Escalation – Backup Operator ∗∗∗ --------------------------------------------- The Backup Operators is a Windows built-in group. Users which are part of this group have permissions to perform backup and restore operations. More specifically, these users have the SeBackupPrivilege assigned which enables them to read sensitive files from the domain controller i.e. Security Account Manager (SAM). --------------------------------------------- https://pentestlab.blog/2024/01/22/domain-escalation-backup-operator/ ∗∗∗ Vorsicht vor PayLife-E-Mails mit einem QR-Code ∗∗∗ --------------------------------------------- In einem gefälschten E-Mail werden Sie informiert, dass Ihre myPayLife App gesperrt ist. Angeblich können Sie keine Aufträge oder Internetzahlungen mehr freigeben. Um die Sperre aufzuheben, müssen Sie einen QR-Code scannen. Ignorieren Sie dieses E-Mail, es handelt sich um eine Phishing-Falle. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-paylife-e-mails-mit-ein… ∗∗∗ Parrot TDS: A Persistent and Evolving Malware Campaign ∗∗∗ --------------------------------------------- Traffic detection system Parrot has infected tens of thousands of websites worldwide. We outline the scripting evolution of this injection campaign and its scope. --------------------------------------------- https://unit42.paloaltonetworks.com/parrot-tds-javascript-evolution-analysi… ∗∗∗ Is the Google search bar enough to hack Belgian companies? ∗∗∗ --------------------------------------------- In this blog post, we will go over a technique called Google Dorking and demonstrate how it can be utilized to uncover severe security vulnerabilities in web applications hosted right here in Belgium, where NVISO was founded. --------------------------------------------- https://blog.nviso.eu/2024/01/22/is-the-google-search-bar-enough-to-hack-be… ∗∗∗ The Confusing History of F5 BIG-IP RCE Vulnerabilities ∗∗∗ --------------------------------------------- If you want to know way too much about attacks against F5 BIG-IP devices, then this is the blog for you! --------------------------------------------- https://www.greynoise.io/blog/the-confusing-history-of-f5-big-ip-rce-vulner… ===================== = Vulnerabilities = ===================== ∗∗∗ Gambio 4.9.2.0 - Insecure Deserialization ∗∗∗ --------------------------------------------- Gambio is software designed for running online shops. It provides various features and tools to help businesses manage their inventory, process orders, and handle customer interactions. According to their homepage, the software is used by more than 25.000 shops. Security Risk: Critical, CVE Number: Pending, Vendor Status: Not fixed --------------------------------------------- https://herolab.usd.de/security-advisories/usd-2023-0046/ ∗∗∗ Sicherheitsupdates: Schlupflöcher für Schadcode in Lexmark-Druckern geschlossen ∗∗∗ --------------------------------------------- Angreifer können an vielen Druckermodellen von Lexmark ansetzen, um Geräte zu kompromittieren. Derzeit soll es noch keine Attacken geben. --------------------------------------------- https://www.heise.de/-9604795 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (keystone and subunit), Fedora (dotnet6.0, golang, kernel, sos, and tigervnc), Mageia (erlang), Red Hat (openssl), SUSE (bluez, python-aiohttp, and seamonkey), and Ubuntu (postfix and xorg-server). --------------------------------------------- https://lwn.net/Articles/959006/ ∗∗∗ Critical Vulnerabilities Found in Open Source AI/ML Platforms ∗∗∗ --------------------------------------------- Security researchers flag multiple severe vulnerabilities in open source AI/ML solutions MLflow, ClearML, Hugging Face.The post Critical Vulnerabilities Found in Open Source AI/ML Platforms appeared first on SecurityWeek. --------------------------------------------- https://www.securityweek.com/critical-vulnerabilities-found-in-ai-ml-open-s… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ WAGO: WIBU-SYSTEMS CodeMeter Runtime vulnerabilities in multiple products ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2024-007/ ∗∗∗ Spring: CVE-2024-22233: Spring Framework server Web DoS Vulnerability ∗∗∗ --------------------------------------------- https://spring.io/blog/2024/01/22/cve-2024-22233-spring-framework-server-we… ∗∗∗ Roundcube: Update 1.6.6 released ∗∗∗ --------------------------------------------- https://roundcube.net/news/2024/01/20/update-1.6.6-released -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.01.2024
by Daily end-of-shift report 19 Jan '24

19 Jan '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 18-01-2024 18:00 − Freitag 19-01-2024 18:00 Handler: Robert Waldner Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ TeamViewer abused to breach networks in new ransomware attacks ∗∗∗ --------------------------------------------- Ransomware actors are again using TeamViewer to gain initial access to organization endpoints and attempt to deploy encryptors based on the leaked LockBit ransomware builder. --------------------------------------------- https://www.bleepingcomputer.com/news/security/teamviewer-abused-to-breach-… ∗∗∗ macOS Python Script Replacing Wallet Applications with Rogue Apps, (Fri, Jan 19th) ∗∗∗ --------------------------------------------- Still today, many people think that Apple and its macOS are less targeted by malware. But the landscape is changing and threats are emerging in this ecosystem too. --------------------------------------------- https://isc.sans.edu/diary/rss/30572 ∗∗∗ Experts Warn of macOS Backdoor Hidden in Pirated Versions of Popular Software ∗∗∗ --------------------------------------------- Pirated applications targeting Apple macOS users have been observed containing a backdoor capable of granting attackers remote control to infected machines. --------------------------------------------- https://thehackernews.com/2024/01/experts-warn-of-macos-backdoor-hidden.html ∗∗∗ Taking over WhatsApp accounts by reading voicemails ∗∗∗ --------------------------------------------- The investigation is centered on a vulnerability related to the Personal Identification Number (PIN) required for authenticating WhatsApp’s account backup feature. I describe how this PIN could be compromised through a voice call backup delivery method, forcing the call to go voicemail, and spoofing the victims phone number to read their voicemail. --------------------------------------------- https://medium.com/@rramgattie/taking-over-whatsapp-accounts-by-reading-voi… ∗∗∗ Recovery Scam: Kriminelle geben sich als blockchain.com aus und informieren über angeblich ruhende Bitcoin-Wallet ∗∗∗ --------------------------------------------- Opfer einer betrügerischen Trading-Plattform erleiden mitunter erhebliche finanzielle Verluste. Entsprechend groß ist die Verzweiflung und der Wunsch, das Geld zurückzubekommen. Kriminelle nutzen dies aus und kontaktieren die Opfer nach einiger Zeit erneut. --------------------------------------------- https://www.watchlist-internet.at/news/recovery-scam-kriminelle-geben-sich-… ∗∗∗ Virtual kidnapping: How to see through this terrifying scam ∗∗∗ --------------------------------------------- Phone fraud takes a frightening twist as fraudsters can tap into AI to cause serious emotional and financial damage to the victims. --------------------------------------------- https://www.welivesecurity.com/en/scams/virtual-kidnapping-see-through-scam/ ∗∗∗ Ivanti Connect Secure VPN Exploitation: New Observations ∗∗∗ --------------------------------------------- Volexity also recently learned of a potential issue that organizations may be facing when attempting to bring fresh Ivanti Connect Secure VPN appliances back online that leave them in a vulnerable state. These findings may partially account for why there has been an increase in compromised systems in subsequent scans. --------------------------------------------- https://www.volexity.com/blog/2024/01/18/ivanti-connect-secure-vpn-exploita… ===================== = Vulnerabilities = ===================== ∗∗∗ VMware confirms critical vCenter flaw now exploited in attacks ∗∗∗ --------------------------------------------- VMware has confirmed that a critical vCenter Server remote code execution vulnerability patched in October is now under active exploitation. --------------------------------------------- https://www.bleepingcomputer.com/news/security/vmware-confirms-critical-vce… ∗∗∗ Npm Trojan Bypasses UAC, Installs AnyDesk with "Oscompatible" Package ∗∗∗ --------------------------------------------- A malicious package uploaded to the npm registry has been found deploying a sophisticated remote access trojan on compromised Windows machines. --------------------------------------------- https://thehackernews.com/2024/01/npm-trojan-bypasses-uac-installs.html ∗∗∗ Smartphones und mehr: Auch Umgebungslichtsensoren können spionieren ∗∗∗ --------------------------------------------- Nicht nur Smartphone-Kameras können Personen ausspionieren, sondern auch Umgebungslichtsensoren. Das geht aus einer in "Science" veröffentlichen Studie hervor. --------------------------------------------- https://heise.de/-9601724 ∗∗∗ Angreifer attackieren Ivanti EPMM und MobileIron Core ∗∗∗ --------------------------------------------- Angreifer nutzen derzeit eine kritische Sicherheitslücke in Ivanti EPMM und MobileIron Core aus. --------------------------------------------- https://www.heise.de/news/Angreifer-attackieren-Ivanti-EPMM-und-MobileIron-… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (ImageMagick), Debian (chromium), Fedora (golang-x-crypto, golang-x-mod, golang-x-net, golang-x-text, gtkwave, redis, and zbar), Mageia (tinyxml), Oracle (.NET 7.0, .NET 8.0, java-1.8.0-openjdk, java-11-openjdk, python3, and sqlite), Red Hat (gstreamer-plugins-bad-free, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, and java-21-openjdk), SUSE (kernel, libqt5-qtbase, libssh, pam, rear23a, and rear27a), and Ubuntu (pam and zookeeper). --------------------------------------------- https://lwn.net/Articles/958676/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (chromium, golang-github-facebook-time, podman, and xorg-x11-server-Xwayland), Oracle (.NET 6.0, java-1.8.0-openjdk, java-11-openjdk, and python3.11-cryptography), Red Hat (java-11-openjdk, python-requests, and python-urllib3), SUSE (chromium, kernel, libcryptopp, libuev, perl-Spreadsheet-ParseExcel, suse-module-tools, and xwayland), and Ubuntu (filezilla and xerces-c). --------------------------------------------- https://lwn.net/Articles/958760/ ∗∗∗ Important Progress OpenEdge Critical Alert for Progress Application Server in OpenEdge (PASOE) - Arbitrary File Upload Vulnerability in WEB Transport ∗∗∗ --------------------------------------------- https://community.progress.com/s/article/Important-Progress-OpenEdge-Critic… ∗∗∗ ZDI Security Advisories ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/published/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.01.2024
by Daily end-of-shift report 18 Jan '24

18 Jan '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 17-01-2024 18:00 − Donnerstag 18-01-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Missbrauch möglich: Whatsapp lässt fremde Nutzer Geräteinformationen abgreifen ∗∗∗ --------------------------------------------- Anhand ihrer Rufnummer lässt sich zum Beispiel feststellen, wie viele Geräte eine Zielperson mit Whatsapp verwendet und wann sie diese wechselt. --------------------------------------------- https://www.golem.de/news/missbrauch-moeglich-whatsapp-laesst-fremde-nutzer… ∗∗∗ New Microsoft Incident Response guides help security teams analyze suspicious activity ∗∗∗ --------------------------------------------- Today Microsoft Incident Response are proud to introduce two one-page guides to help security teams investigate suspicious activity in Microsoft 365 and Microsoft Entra. These guides contain the artifacts that Microsoft Incident Response hunts for and uses daily to provide our customers with evidence of Threat Actor activity in their tenant. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2024/01/17/new-microsoft-inci… ∗∗∗ More Scans for Ivanti Connect "Secure" VPN. Exploits Public, (Thu, Jan 18th) ∗∗∗ --------------------------------------------- Exploits around the Ivanti Connect "Secure" VPN appliance, taking advantage of CVE-2023-46805, continue evolving. Late on Tuesday, more details became public, particularly the blog post by Rapid7 explaining the underlying vulnerability in depth. --------------------------------------------- https://isc.sans.edu/diary/rss/30568 ∗∗∗ PixieFail UEFI Flaws Expose Millions of Computers to RCE, DoS, and Data Theft ∗∗∗ --------------------------------------------- Multiple security vulnerabilities have been disclosed in the TCP/IP network protocol stack of an open-source reference implementation of the Unified Extensible Firmware Interface (UEFI) specification used widely in modern computers.Collectively dubbed PixieFail by Quarkslab, the nine issues reside in the TianoCore EFI Development Kit II (EDK II) and could be exploited to --------------------------------------------- https://thehackernews.com/2024/01/pixiefail-uefi-flaws-expose-millions-of.h… ∗∗∗ MFA Spamming and Fatigue: When Security Measures Go Wrong ∗∗∗ --------------------------------------------- MFA spamming refers to the malicious act of inundating a target user's email, phone, or other registered devices with numerous MFA prompts or confirmation codes. The objective behind this tactic is to overwhelm the user with notifications, in the hopes that they will inadvertently approve an unauthorized login. To execute this attack, hackers require the target victim's account credentials (username and password) to initiate the login process and trigger the MFA notifications. --------------------------------------------- https://thehackernews.com/2024/01/mfa-spamming-and-fatigue-when-security.ht… ∗∗∗ Russian COLDRIVER Hackers Expand Beyond Phishing with Custom Malware ∗∗∗ --------------------------------------------- [..] COLDRIVER has been observed evolving its tradecraft to go beyond credential harvesting to deliver its first-ever custom malware written in the Rust programming language.Googles Threat Analysis Group (TAG), which shared details of the latest activity, said the attack chains leverage PDFs as decoy documents to trigger the infection sequence. --------------------------------------------- https://thehackernews.com/2024/01/russian-coldriver-hackers-expand-beyond.h… ∗∗∗ Daten aus GPU belauscht: KI-Sicherheitslücke bei Apple Silicon, AMD und Qualcomm ∗∗∗ --------------------------------------------- Sicherheitsforscher haben ein Problem in den Grafikkernen älterer iPhones und Macs entdeckt, außerdem bei AMD und Qualcomm. Apple patcht – teilweise. --------------------------------------------- https://heise.de/-9600829 ∗∗∗ Exploring malicious Windows drivers (Part 1): Introduction to the kernel and drivers ∗∗∗ --------------------------------------------- Malicious drivers are difficult to detect and successfully leveraging one can give an attacker full access to a system. --------------------------------------------- https://blog.talosintelligence.com/exploring-malicious-windows-drivers-part… ∗∗∗ Critical vulnerability in ManageEngine could lead to file creation, dozens of other vulnerabilities disclosed by Talos to start 2024 ∗∗∗ --------------------------------------------- Cisco Talos’ Vulnerability Research team has disclosed dozens of vulnerabilities over the past month, including more than 30 advisories in GTKWave and a critical vulnerability in ManageEngine OpManager. Cisco ASIG also recently discovered an information disclosure vulnerability in DuoUniversalKeycloakAuthenticator [..] There are also multiple vulnerabilities in AVideo [..] All the vulnerabilities mentioned in this blog post have been patched by their respective vendors --------------------------------------------- https://blog.talosintelligence.com/vulnerability-roundup-jan-17-2024/ ===================== = Vulnerabilities = ===================== ∗∗∗ Drupal core - Moderately critical - Denial of Service - SA-CORE-2024-001 ∗∗∗ --------------------------------------------- The Comment module allows users to reply to comments. In certain cases, an attacker could make comment reply requests that would trigger a denial of service (DOS). Sites that do not use the Comment module are not affected. --------------------------------------------- https://www.drupal.org/sa-core-2024-001 ∗∗∗ MOVEit Transfer: Updates gegen DOS-Lücke ∗∗∗ --------------------------------------------- Updates für MOVEit Transfer dichten Sicherheitslecks ab, durch die Angreifer Rechenfehler provozieren oder den Dienst lahmlegen können. --------------------------------------------- https://heise.de/-9601492 ∗∗∗ Trend Micro: Sicherheitslücken in Security-Agents ermöglichen Rechteausweitung ∗∗∗ --------------------------------------------- Trend Micro warnt vor Sicherheitslücken in den Security-Agents, durch die Angreifer ihre Rechte ausweiten können. Software-Updates stehen bereit. --------------------------------------------- https://heise.de/-9601595 ∗∗∗ Nextcloud: Lücken in Apps gefährden Nutzerkonten und Datensicherheit ∗∗∗ --------------------------------------------- In mehreren Erweiterungen, etwa zur Lastverteilung, zur Anmeldung per OAuth und ZIP-Download, klaffen Löcher. Updates sind bereits verfügbar. --------------------------------------------- https://heise.de/-9601589 ∗∗∗ 2024-01 Security Bulletin: Junos OS and Junos OS Evolved: rpd process crash due to BGP flap on NSR-enabled devices (CVE-2024-21585) ∗∗∗ --------------------------------------------- An Improper Handling of Exceptional Conditions vulnerability in BGP session processing of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated network-based attacker, using specific timing outside the attacker's control, to flap BGP sessions and cause the routing protocol daemon (rpd) process to crash and restart, leading to a Denial of Service (DoS) condition. Continued BGP session flapping will create a sustained Denial of Service (DoS) condition. --------------------------------------------- https://supportportal.juniper.net/s/article/2024-01-Security-Bulletin-Junos… ∗∗∗ 2024-01 Security Bulletin: JSA Series: Multiple vulnerabilities resolved ∗∗∗ --------------------------------------------- Multiple vulnerabilities have been resolved in Juniper Secure Analytics in 7.5.0 UP7 IF04. --------------------------------------------- https://supportportal.juniper.net/s/article/2024-01-Security-Bulletin-JSA-S… ∗∗∗ Oracle Releases Critical Patch Update Advisory for January 2024 ∗∗∗ --------------------------------------------- Oracle released its Critical Patch Update Advisory for January 2024 to address vulnerabilities in multiple products. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/01/18/oracle-releases-critical… ∗∗∗ Multiple Dahua Technology products vulnerable to authentication bypass ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN83655695/ ∗∗∗ There is a vulnerability in batik-all-1.15.jar used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2022-44730 and CVE-2022-44729) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7107742 ∗∗∗ IBM Maximo Manage is vulnerable to attack due to Eclipse Jetty ( IBM X-Force ID 261776) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7107716 ∗∗∗ There is a vulnerability in CSRF Token used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2023-47718) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7107740 ∗∗∗ IBM Asset Data Dictionary Component uses bcprov-jdk18on-1.72.jar which is vulnerable to CVE-2023-33201 and CVE-2023-33202 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7108953 ∗∗∗ IBM Maximo Application Suite and IBM Maximo Application Suite - IoT Component uses Werkzeug-2.2.3-py3-none-any.whl which is vulnerable to CVE-2023-46136 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7108960 ∗∗∗ IBM Asset Data Dictionary Component uses netty-codec-http2-4.1.94, netty-handler-4.1.86 and netty-handler-4.1.92 which is vulnerable to CVE-2023-44487 and CVE-2023-34462 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7108959 ∗∗∗ IBM Storage Ceph is vulnerable to Use After Free in the RHEL UBI (CVE-2023-4813) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7108974 ∗∗∗ IBM Storage Ceph is vulnerable to Cross Site Scripting in Grafana (CVE-2022-39324) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7108973 ∗∗∗ AVEVA PI Server ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-018-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.01.2024
by Daily end-of-shift report 17 Jan '24

17 Jan '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 16-01-2024 18:00 − Mittwoch 17-01-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Jetzt patchen! Vorsicht vor DoS-Angriffen auf Citrix NetScaler ADC und Gateway ∗∗∗ --------------------------------------------- Citrix hat Produkte seiner NetScaler-Serie auf den aktuellen Stand gebracht und gegen laufende Attacken gerüstet. --------------------------------------------- https://www.heise.de/-9599627.html ∗∗∗ Tausende Geräte kompromittiert durch Ivanti-Sicherheitslücken ∗∗∗ --------------------------------------------- Die Schwachstellen in Ivantis VPN-Software werden massiv angegriffen. IT-Forscher haben tausende kompromittierte Systeme gefunden. --------------------------------------------- https://www.heise.de/-9599887.html ∗∗∗ LKA warnt vor WhatsApp-Betrugsmasche ∗∗∗ --------------------------------------------- Eine neue Betrugsmasche setzt auf erneutes Kontaktieren von Opfern vorheriger Betrügereien. Davor warnt das LKA Niedersachsen. --------------------------------------------- https://www.heise.de/-9600403.html ∗∗∗ Apple, AMD, Qualcomm: GPUs mehrerer Hersteller anfällig für Datenklau ∗∗∗ --------------------------------------------- Ein Angriff ist wohl einfach ausführbar und benötigt weniger als 10 Zeilen Code. Abgreifen lassen sich zum Beispiel Unterhaltungen mit KI-Chatbots. --------------------------------------------- https://www.golem.de/news/apple-amd-qualcomm-gpus-mehrerer-hersteller-anfae… ∗∗∗ GitHub rotates keys to mitigate impact of credential-exposing flaw ∗∗∗ --------------------------------------------- GitHub rotated keys potentially exposed by a vulnerability patched in December that could let attackers access credentials within production containers via environment variables. --------------------------------------------- https://www.bleepingcomputer.com/news/security/github-rotates-keys-to-mitig… ∗∗∗ PAX PoS Terminal Flaw Could Allow Attackers to Tamper with Transactions ∗∗∗ --------------------------------------------- The point-of-sale (PoS) terminals from PAX Technology are impacted by a collection of high-severity vulnerabilities that can be weaponized by threat actors to execute arbitrary code. --------------------------------------------- https://thehackernews.com/2024/01/pax-pos-terminal-flaw-could-allow.html ∗∗∗ Whats worse than paying an extortion bot that auto-pwned your database? ∗∗∗ --------------------------------------------- Paying one that lied to you and only saved the first 20 rows of each table --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2024/01/17/extortion_bo… ∗∗∗ Website Takeover Campaign Takes Advantage of Unauthenticated Stored Cross-Site Scripting Vulnerability in Popup Builder Plugin ∗∗∗ --------------------------------------------- On December 11, 2023, we added an Unauthenticated Stored XSS vulnerability in the Popup Builder WordPress plugin to our Wordfence Intelligence Vulnerability Database. This vulnerability, which was originally reported by WPScan, allows an unauthenticated attacker to inject arbitrary JavaScript that will be executed whenever a user accesses an injected page. --------------------------------------------- https://www.wordfence.com/blog/2024/01/website-takeover-campaign-takes-adva… ∗∗∗ Vorsicht vor versteckten Kosten auf prosperi.academy! ∗∗∗ --------------------------------------------- Investieren für alle zugänglich zu machen. So lautet die Mission der Prosperi Academy, die derzeit auf Facebook und Instagram kräftig die Werbetrommel rührt. Mit Hilfe der Prosperi Plattform sollen Interessierte die wichtigsten Begriffe und Regeln rund ums Investieren lernen und zusätzliche Einnahmequellen entdecken. Doch wer sich entscheidet, Prosperi zu testen, muss mit versteckten Kosten rechnen. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-versteckten-kosten-auf-… ∗∗∗ Threat Brief: Ivanti Vulnerabilities CVE-2023-46805 and CVE-2024-21887 ∗∗∗ --------------------------------------------- Ivanti VPNs can be exploited by CVE-2023-46805 (High severity) and CVE-2024-21887 (Critical severity), chained together to run commands without authentication. --------------------------------------------- https://unit42.paloaltonetworks.com/threat-brief-ivanti-cve-2023-46805-cve-… ∗∗∗ The 7 deadly cloud security sins and how SMBs can do things better ∗∗∗ --------------------------------------------- By eliminating these mistakes and blind spots, your organization can take massive strides towards optimizing its use of cloud without exposing itself to cyber-risk --------------------------------------------- https://www.welivesecurity.com/en/business-security/7-deadly-cloud-security… ∗∗∗ Countdown für die NIS2-Richtline läuft ∗∗∗ --------------------------------------------- Zahlreiche Unternehmen müssen die NIS2-Richtlinie umsetzen. EU-Direktive schreibt strenge Maßnahmen zur Gewährleistung der Cybersicherheit vor. --------------------------------------------- https://www.zdnet.de/88413795/countdown-fuer-die-nis2-richtline-laeuft%e2%8… ∗∗∗ CISA Adds Three Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. - CVE-2023-6549 Citrix NetScaler ADC and NetScaler Gateway Buffer Overflow Vulnerability - CVE-2023-6548 Citrix NetScaler ADC and NetScaler Gateway Code Injection Vulnerability - CVE-2024-0519 Google Chromium V8 Out-of-Bounds Memory Access Vulnerability --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/01/17/cisa-adds-three-known-ex… ∗∗∗ Static Code Analysis: Why Your Company’s Reputation Depends On It ∗∗∗ --------------------------------------------- Static application security testing (SAST) solutions provide organizations with peace of mind that their applications are secure. But SAST platforms differ from each other. A SAST tool that meets developers where they are can make AppSec team’s lives much easier, and significantly enhance the organization’s ability to defend itself from code vulnerabilities in the SDLC. This comprehensive guide covers all aspects of Static Application Security Testing, on your journey to choosing a SAST tool and vendor. --------------------------------------------- https://checkmarx.com/appsec-knowledge-hub/sast/static-code-analysis-why-yo… ===================== = Vulnerabilities = ===================== ∗∗∗ MOVEit Transfer Service Pack (January 2024) ∗∗∗ --------------------------------------------- This article contains the details of the specific updates within the MOVEit Transfer January 2024 Service Pack. The Service Pack contains fixes for (1) newly disclosed CVE described below. Progress Software highly recommends you apply this Service Pack for product updates and security improvements. For Service Pack content, please review the Service Pack Release Notes and this knowledgebase article carefully. --------------------------------------------- https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-Janua… ∗∗∗ MOVEit Automation Service Pack (January 2024) ∗∗∗ --------------------------------------------- As of January 17, 2024, the MOVEit Automation Service Pack is available for download from the Progress Download Center at https://community.progress.com/s/products-list using your Progress ID credentials. Progress Software highly recommends you apply this Service Pack for product updates and security improvements. For Service Pack content, please review the Service Pack Release Notes and this knowledgebase article carefully. --------------------------------------------- https://community.progress.com/s/article/MOVEit-Automation-Service-Pack-Jan… ∗∗∗ Google Chrome: Sicherheitslücke wird in freier Wildbahn ausgenutzt ∗∗∗ --------------------------------------------- Google aktualisiert den Webbrowser Chrome. Das Update schließt hochriskante Sicherheitslücken. Eine davon wird bereits missbraucht. --------------------------------------------- https://www.heise.de/-9599575.html ∗∗∗ Critical Patch Update: Oracle veröffentlicht 389 Sicherheitsupdates ∗∗∗ --------------------------------------------- Oracle hat in seinem Quartalsupdate unter anderem Banking Enterprise, MySQL und Solaris gegen mögliche Angriffe abgesichert. --------------------------------------------- https://www.heise.de/-9600083.html ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (zabbix), Gentoo (OpenJDK), Red Hat (kernel), Slackware (gnutls and xorg), SUSE (cloud-init, kernel, xorg-x11-server, and xwayland), and Ubuntu (freeimage, postgresql-10, and xorg-server, xwayland). --------------------------------------------- https://lwn.net/Articles/958497/ ∗∗∗ 2024-01-10: Cyber Security Advisory - AC500 V3 Multiple DoS vulnerabilities ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=3ADR011264&Language… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ K000138178 : Apache Tomcat vulnerability CVE-2023-42795 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000138178 ∗∗∗ K000138242 : OpenSSL vulnerability CVE-2023-5678 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000138242 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.01.2024
by Daily end-of-shift report 16 Jan '24

16 Jan '24

===================== = End-of-Day report = ===================== Timeframe: Montag 15-01-2024 18:00 − Dienstag 16-01-2024 18:00 Handler: Stephan Richter Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ A lightweight method to detect potential iOS malware ∗∗∗ --------------------------------------------- Analyzing Shutdown.log file as a lightweight method to detect indicators of infection with sophisticated iOS malware such as Pegasus, Reign and Predator. --------------------------------------------- https://securelist.com/shutdown-log-lightweight-ios-malware-detection-metho… ∗∗∗ DORA: Noch ein Jahr bis zur vollständigen Einhaltung des neuen Rechtsrahmens ∗∗∗ --------------------------------------------- In einem Jahr, am 17. Januar 2025, wird die EU-Verordnung über die über die digitale operationale Resilienz im Finanzsektor (DORA) in Kraft treten. --------------------------------------------- https://sec-consult.com/de/blog/detail/dora-noch-ein-jahr-bis-zur-vollstaen… ∗∗∗ Phemedrone-Infostealer umgeht Windows Defender Smartscreeen-Filter ∗∗∗ --------------------------------------------- Trend Micro hat den Phemedrone-Infostealer analysiert. Der schaffte es durch eine Lücke im Windows Defender Smartscreen-Filter auf Rechner. --------------------------------------------- https://www.heise.de/news/Phemedrone-Infostealer-umgeht-Windows-Defender-Sm… ∗∗∗ Deepfake-Videos mit bekannten Gesichtern locken in Investmentfallen ∗∗∗ --------------------------------------------- Kriminelle greifen bei der Bewerbung betrügerischer Finanzangebote besonders tief in die Trickkiste. Website-Kopien von Zeitungen mit gefälschten Promi-Artikel kennen wir nur zu gut. Mittlerweile kommen aber auch zum Teil sehr professionelle Deep-Fake-Videos zum Einsatz. Darin erklären Ihnen bekannte Promis, Moderator:innen oder Politiker:innen, wie Sie mit einer „geheimen“ Plattform schnell reich werden. --------------------------------------------- https://www.watchlist-internet.at/news/deepfake-videos-mit-bekannten-gesich… ∗∗∗ Vorsicht vor Kryptoscams, die in Wien auf der Straße liegen ∗∗∗ --------------------------------------------- Ein seltsamer Fund in der Nähe der Wiener Karlskirche legt nahe, dass Passanten derzeit mit gefälschten Paper-Wallets geködert werden --------------------------------------------- https://www.derstandard.at/story/3000000203274/vorsicht-vor-kryptoscams-die… ∗∗∗ CISA and FBI Release Known IOCs Associated with Androxgh0st Malware ∗∗∗ --------------------------------------------- Today, CISA and the Federal Bureau of Investigation (FBI) released a joint Cybersecurity Advisory (CSA), Known Indicators of Compromise Associated with Androxgh0st Malware, to disseminate known indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with threat actors deploying Androxgh0st malware. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/01/16/cisa-and-fbi-release-kno… ∗∗∗ Ivanti Connect Secure VPN Exploitation Goes Global ∗∗∗ --------------------------------------------- Important: If your organization uses Ivanti Connect Secure VPN and you have not applied the mitigation, then please do that immediately! Organizations should immediately review the results of the built-in Integrity Check Tool for log entries indicating mismatched or new files. --------------------------------------------- https://www.volexity.com/blog/2024/01/15/ivanti-connect-secure-vpn-exploita… ===================== = Vulnerabilities = ===================== ∗∗∗ Sonicwall: Angreifer können über 178.000 Firewalls zum Absturz bringen ∗∗∗ --------------------------------------------- Die beiden Schwachstellen, über die der DoS-Angriff gelingt, sind eigentlich schon lange bekannt. Auch ein Exploit steht seit Monaten bereit. --------------------------------------------- https://www.golem.de/news/sonicwall-angreifer-koennen-ueber-178-000-firewal… ∗∗∗ Cross-Site-Scripting in Monitoringsoftware PRTG erlaubt Sessionklau ∗∗∗ --------------------------------------------- Mit einem präparierten Link können Angreifer PRTG-Nutzer in die Irre führen und die Authentifizierung umgehen. Ein Update schafft Abhilfe. --------------------------------------------- https://www.heise.de/news/Cross-Site-Scripting-in-Monitoringsoftware-PRTG-e… ∗∗∗ Atlassian: Updates zum Patchday schließen 28 hochriskante Schwachstellen ∗∗∗ --------------------------------------------- Atlassian veranstaltet einen Patchday und schließt dabei 28 Sicherheitslücken in diversen Programmen, die als hohes Risiko gelten. --------------------------------------------- https://www.heise.de/news/Atlassian-Updates-zum-Patchday-schliessen-28-hoch… ∗∗∗ Kritische Sicherheitslücke: VMware vergaß Zugriffskontrollen in Aria Automation ∗∗∗ --------------------------------------------- Angreifer mit einem gültigen Konto können sich erweiterte Rechte verschaffen. VMWare bietet Patches an, Cloud-Kunden bleiben verschont. --------------------------------------------- https://www.heise.de/news/Kritische-Sicherheitsluecke-VMware-vergass-Zugrif… ∗∗∗ Codeschmuggel in Juniper JunOS: Weltweit tausende Geräte betroffen ∗∗∗ --------------------------------------------- Ist auf einer Firewall der SRX-Serie oder einem Switch der EX-Reihe das Web-Management-Interface aktiviert, drohen Angriffe. Juniper hat Updates in petto. --------------------------------------------- https://www.heise.de/news/Codeschmuggel-in-Juniper-JunOS-Weltweit-tausende-… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Gentoo (KTextEditor, libspf2, libuv, and Nettle), Mageia (hplip), Oracle (container-tools:4.0, gnutls, idm:DL1, squid, squid34, and virt:ol, virt-devel:rhel), Red Hat (.NET 6.0, krb5, python3, rsync, and sqlite), SUSE (chromium, perl-Spreadsheet-ParseXLSX, postgresql, postgresql15, postgresql16, and rubygem-actionpack-5_1), and Ubuntu (binutils, libspf2, libssh2, mysql-5.7, w3m, webkit2gtk, and xerces-c). --------------------------------------------- https://lwn.net/Articles/958416/ ∗∗∗ VU#132380: Vulnerabilities in EDK2 NetworkPkg IP stack implementation. ∗∗∗ --------------------------------------------- https://kb.cert.org/vuls/id/132380 ∗∗∗ VU#302671: SMTP end-of-data uncertainty can be abused to spoof emails and bypass policies ∗∗∗ --------------------------------------------- https://kb.cert.org/vuls/id/302671 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ VMSA-2024-0001 - VMware Aria Automation (formerly vRealize Automation) update addresses a Missing Access Control vulnerability (CVE-2023-34063) ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2024-0001.html ∗∗∗ NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2023-6548 and CVE-2023-6549 ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX584986/netscaler-adc-and-netscaler-ga… ∗∗∗ Citrix Session Recording Security Bulletin for CVE-2023-6184 ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX583930/citrix-session-recording-secur… ∗∗∗ Citrix StoreFront Security Bulletin for CVE-2023-5914 ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX583759/citrix-storefront-security-bul… ∗∗∗ SFPMonitor.sys KOOB Write vulnerability ∗∗∗ --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-6340 ∗∗∗ SEW-EURODRIVE MOVITOOLS MotionStudio ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-016-01 ∗∗∗ Integration Objects OPC UA Server Toolkit ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-016-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.01.2024
by Daily end-of-shift report 15 Jan '24

15 Jan '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 12-01-2024 18:00 − Montag 15-01-2024 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ 2FA war wohl inaktiv: Aufarbeitung des Angriffs auf X-Konto der SEC gefordert ∗∗∗ --------------------------------------------- Die SEC hatte es wohl versäumt, die Zwei-Faktor-Authentifizierung ihres X-Accounts zu aktivieren. Einige US-Senatoren halten dies für "unentschuldbar". --------------------------------------------- https://www.golem.de/news/2fa-war-wohl-inaktiv-aufarbeitung-des-angriffs-au… ∗∗∗ Opera MyFlaw Bug Could Let Hackers Run ANY File on Your Mac or Windows ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed a security flaw in the Opera web browser for Microsoft Windows and Apple macOS that could be exploited to execute any file on the underlying operating system. The remote code execution vulnerability has been codenamed MyFlaw by the Guardio Labs research team owing to the fact that it takes advantage of a feature called My Flow [...] --------------------------------------------- https://thehackernews.com/2024/01/opera-myflaw-bug-could-let-hackers-run.ht… ∗∗∗ Cybersecurity Alert - Self-Service Password Reset ∗∗∗ --------------------------------------------- Effective controls are essential to authenticate users who access your information systems. As configured by some organizations, applications or features that allow users to reset passwords themselves, do not securely authenticate users. If your organization uses, or is considering using, these features (commonly referred to as self-service password reset or SSPR), please review the information below. --------------------------------------------- https://www.dfs.ny.gov/industry_guidance/industry_letters/il20240112_cyber_… ∗∗∗ Nvidia-Updates schließen kritische Sicherheitslücken in KI-Systemen ∗∗∗ --------------------------------------------- Nvidia hat aktualisierte Firmware für die KI-Systeme DGX A100 und H100 veröffentlicht. Sie dichtet kritische Sicherheitslecks ab. --------------------------------------------- https://www.heise.de/-9597460.html ∗∗∗ Vorsicht vor gefälschten FinanzOnline-E-Mails ∗∗∗ --------------------------------------------- „Bitte überprüfen Sie Ihre Angaben zur zusätzlichen Verpflichtung“ lautet der Betreff eines betrügerischen E-Mails angeblich von FinanzOnline. Im Mail wird behauptet, dass sich in Ihrem Briefkasten ein Dokument befindet. Dieses können Sie über einen Link aufrufen. Wenn Sie auf den Link klicken, landen Sie auf einer gefälschten FinanzOnline-Login-Seite. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-gefaelschten-finanzonli… ∗∗∗ Microsoft SharePoint Server: RCE-Schwachstelle CVE-2024-21318 patchen, und alte CVE-2023-29357 wird angegriffen ∗∗∗ --------------------------------------------- Noch ein Nachtrag vom Januar 2024-Patchday zu Microsoft SharePoint Server. Ich hatte in den Patchday-Artikeln die SharePoint Server RCE-Schwachstelle CVE-2024-21318 angesprochen. Diese wurde mit den Sicherheitsupdates vom 9. Januar 2023 geschlossen. Es gibt eine zweite, bereits im Juni 2023 geschlossene, Elevation of Privilege-Schwachstelle CVE-2023-29357, für die ein Exploit bekannt ist. Die US CISA hat eine Warnung veröffentlicht, weil inzwischen Angriffe auf die RCE-Schwachstelle beobachtet wurden. --------------------------------------------- https://www.borncity.com/blog/2024/01/13/microsoft-sharepoint-server-rce-sc… ∗∗∗ Bitdefender findet Schwachstellen in Bosch BCC100-Thermostaten ∗∗∗ --------------------------------------------- Kleiner Nachtrag von dieser Woche, denn der Sicherheitsanbieter Bitdefender hat mich darüber informiert, dass Sicherheitsforscher in seinen Labs Schwachstellen in Bosch BCC100-Thermostaten gefunden haben. Hacker können solche intelligenten Thermostate über diese Schwachstellen unter ihre Kontrolle bringen und sich einen Zugriff auf Smart-Home-Netzwerke verschaffen. --------------------------------------------- https://www.borncity.com/blog/2024/01/14/bitdefender-findet-schwachstellen-… ∗∗∗ Deobfuscating Android ARM64 strings with Ghidra: Emulating, Patching, and Automating ∗∗∗ --------------------------------------------- In a recent engagement I had to deal with some custom encrypted strings inside an Android ARM64 app. I had a lot of fun reversing the app and in the process I learned a few cool new techniques which are discussed in this writeup. This is mostly a beginner guide which explains step-by-step how you [...] --------------------------------------------- https://blog.nviso.eu/2024/01/15/deobfuscating-android-arm64-strings-with-g… ===================== = Vulnerabilities = ===================== ∗∗∗ OpenSSL Security Advisory - Excessive time spent checking invalid RSA public keys (CVE-2023-6237) ∗∗∗ --------------------------------------------- Impact summary: Applications that use the function EVP_PKEY_public_check() to check RSA public keys may experience long delays. Where the key that is being checked has been obtained from an untrusted source this may lead to a Denial of Service. --------------------------------------------- https://www.openssl.org/news/secadv/20240115.txt ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (bind, cups, curl, firefox, ipa, iperf3, java-1.8.0-openjdk, java-11-openjdk, kernel, libssh2, linux-firmware, open-vm-tools, openssh, postgresql, python, python3, squid, thunderbird, tigervnc, and xorg-x11-server), Fedora (chromium, python-flask-security-too, and tkimg), Gentoo (libgit2, Opera, QPDF, and zlib), Mageia (chromium-browser-stable, gnutls, openssh, packages, and vlc), Oracle (.NET 6.0, fence-agents, frr, ipa, kernel, nss, pixman, and tomcat), and SUSE (gstreamer-plugins-bad). --------------------------------------------- https://lwn.net/Articles/958315/ ∗∗∗ Mattermost security updates 9.2.4 / 9.1.5 / 8.1.8 (ESR) released ∗∗∗ --------------------------------------------- We’re informing you about a Mattermost security update, which addresses low- to medium-level severity vulnerabilities. We highly recommend that you apply the update. The security update is available for Mattermost dot releases 9.2.4, 9.1.5, and 8.1.8 (Extended Support Release) for both Team Edition and Enterprise Edition. --------------------------------------------- https://mattermost.com/blog/mattermost-security-updates-9-2-4-9-1-5-8-1-8-e… ∗∗∗ CVE-2024-0057 NET, .NET Framework, and Visual Studio Security Feature Bypass Vulnerability ∗∗∗ --------------------------------------------- Revised the Security Updates table as follows: Added PowerShell 7.2, PowerShell 7.3, and PowerShell 7.4 because these versions of PowerShell 7 are affected by this vulnerability. See [https://github.com/PowerShell/Announcements/issues/72](https://github.com/P… for more information. Corrected Download and Article links for .NET Framework 3.5 and 4.8.1 installed on Windows 10 version 22H2. --------------------------------------------- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-0057 ∗∗∗ ZDI-24-073: Paessler PRTG Network Monitor Cross-Site Scripting Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-24-073/ ∗∗∗ ZDI-24-072: Synology RT6600ax Qualcomm LDB Service Improper Input Validation Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-24-072/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ K000138219 : libssh2 vulnerability CVE-2020-22218 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000138219 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.01.2024
by Daily end-of-shift report 12 Jan '24

12 Jan '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 11-01-2024 18:00 − Freitag 12-01-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Sicherheitsrisiko: So einfach können Handy-Nutzer heimlich verfolgt werden ∗∗∗ --------------------------------------------- Ein niederländischer Radiosender bekam 80 Gigabyte an Standortdaten von der Berliner Plattform Datarade in die Hände und konnte so etwa Offiziere beschatten. --------------------------------------------- https://www.heise.de/-9596230.html ∗∗∗ Microsoft liefert Abhilfe zur Installation von Updates in WinRE-Partition ∗∗∗ --------------------------------------------- Am Januar-Patchday schlägt die Update-Intallation unter Windows 10 oft mit Fehler 0x80070643 fehl. Ein Microsoft-Skript soll helfen. --------------------------------------------- https://www.heise.de/-9595312.html ∗∗∗ Jetzt patchen! Kritische Sicherheitslücke in GitLab ermöglicht Accountklau ∗∗∗ --------------------------------------------- Der Fehler wird bereits aktiv von Kriminellen ausgenutzt, Administratoren sollten zügig handeln und ihre GitLab-Instanzen aktualisieren oder abschotten. --------------------------------------------- https://www.heise.de/-9595848.html ∗∗∗ Datenleck bei Halara: Persönliche Daten von 941.910 Kunden stehen wohl im Netz ∗∗∗ --------------------------------------------- Die Daten zahlreicher Halara-Kunden sind in einem Hackerforum aufgetaucht. Abgeflossen sein sollen sie über eine Schwachstelle in der Webseiten-API. --------------------------------------------- https://www.golem.de/news/bekleidungshersteller-halara-kundendaten-in-hacke… ∗∗∗ New Balada Injector campaign infects 6,700 WordPress sites ∗∗∗ --------------------------------------------- A new Balada Injector campaign launched in mid-December has infected over 6,700 WordPress websites using a vulnerable version of the Popup Builder campaign. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-balada-injector-campaign… ∗∗∗ Over 150k WordPress sites at takeover risk via vulnerable plugin ∗∗∗ --------------------------------------------- Two vulnerabilities impacting the POST SMTP Mailer WordPress plugin, an email delivery tool used by 300,000 websites, could help attackers take complete control of a site authentication. --------------------------------------------- https://www.bleepingcomputer.com/news/security/over-150k-wordpress-sites-at… ∗∗∗ One File, Two Payloads, (Fri, Jan 12th) ∗∗∗ --------------------------------------------- It has been a while since I discussed obfuscation techniques in malicious scripts. I found a VB script that pretends to be a PDF file. As usual, it was delivered through a phishing email with a zip archive. The filename is "rfw_po_docs_order_sheet_01_10_202400000000_pdf.vbs" (SHA256:6e6ecd38cc3c58c40daa4020b856550b1cbaf1dbc0fad517f7ca26d6e11a3d75[1]) --------------------------------------------- https://isc.sans.edu/diary/rss/30558 ∗∗∗ Cryptominers Targeting Misconfigured Apache Hadoop and Flink with Rootkit in New Attacks ∗∗∗ --------------------------------------------- Cybersecurity researchers have identified a new attack that exploits misconfigurations in Apache Hadoop and Flink to deploy cryptocurrency miners within targeted environments. "This attack is particularly intriguing due to the attackers use of packers and rootkits to conceal the malware," Aqua security researchers Nitzan Yaakov and Assaf Morag said in an analysis published earlier [...] --------------------------------------------- https://thehackernews.com/2024/01/cryptominers-targeting-misconfigured.html ∗∗∗ Nation-State Actors Weaponize Ivanti VPN Zero-Days, Deploying 5 Malware Families ∗∗∗ --------------------------------------------- As many as five different malware families were deployed by suspected nation-state actors as part of post-exploitation activities leveraging two zero-day vulnerabilities in Ivanti Connect Secure (ICS) VPN appliances since early December 2023. "These families allow the threat actors to circumvent authentication and provide backdoor access to these devices," Mandiant said [...] --------------------------------------------- https://thehackernews.com/2024/01/nation-state-actors-weaponize-ivanti.html ∗∗∗ Akira ransomware attackers are wiping NAS and tape backups ∗∗∗ --------------------------------------------- “The Akira ransomware malware, which was first detected in Finland in June 2023, has been particularly active at the end of the year,” the Finnish National Cybersecurity Center (NCSC-FI) has shared on Wednesday. NCSC-FI has received 12 reports of Akira ransomware hitting Finnish organizations in 2023, and three of the attacks happened during Christmas vacations. --------------------------------------------- https://www.helpnetsecurity.com/2024/01/12/finland-akira-ransomware/ ∗∗∗ Joomla! vulnerability is being actively exploited ∗∗∗ --------------------------------------------- A vulnerability in the popular Joomla! CMS has been added to CISAs known exploited vulnerabilities catalog. --------------------------------------------- https://www.malwarebytes.com/blog/news/2024/01/joomla-vulnerability-is-bein… ∗∗∗ An Introduction to AWS Security ∗∗∗ --------------------------------------------- Cloud providers are becoming a core part of IT infrastructure. Amazon Web Services (AWS), the worlds biggest cloud provider, is used by millions of organizations worldwide and is commonly used to run sensitive and mission-critical workloads. This makes it critical for IT and security professionals to understand the basics of AWS security and take measures to protect their data and workloads. --------------------------------------------- https://www.tripwire.com/state-of-security/introduction-aws-security ∗∗∗ Financial Fraud APK Campaign ∗∗∗ --------------------------------------------- Drawing attention to the ways threat actors steal PII for financial fraud, this article focuses on a malicious APK campaign aimed at Chinese users. --------------------------------------------- https://unit42.paloaltonetworks.com/malicious-apks-steal-pii-from-chinese-u… ∗∗∗ CVE-2023-36025 Exploited for Defense Evasion in Phemedrone Stealer Campaign ∗∗∗ --------------------------------------------- This blog delves into the Phemedrone Stealer campaigns exploitation of CVE-2023-36025, the Windows Defender SmartScreen Bypass vulnerability, for its defense evasion and investigates the malwares payload. --------------------------------------------- https://www.trendmicro.com/en_us/research/24/a/cve-2023-36025-exploited-for… ===================== = Vulnerabilities = ===================== ∗∗∗ Pufferüberlauf und andere Sicherheitslücken in IBM Business Automation Workflow ∗∗∗ --------------------------------------------- Angreifer können Code einschleusen, Komponenten zum Stillstand bringen und geheime Informationen abgreifen. IBM informiert Kunden über Gegenmaßnahmen. --------------------------------------------- https://www.heise.de/-9596204.html ∗∗∗ Splunk, cacti, checkmk: Sicherheitslücken in Monitoring-Software ∗∗∗ --------------------------------------------- In drei beliebten Monitoring-Produkten gibt es Sicherheitsprobleme. Admins sollten sich um Updates kümmern. --------------------------------------------- https://www.heise.de/-9595021.html ∗∗∗ Bluetooth-Lücke: Apple sichert Tastaturen mit neuer Firmware ab ∗∗∗ --------------------------------------------- Aufgrund eines Bugs war es möglich, Bluetooth-Datenverkehr mitzuzeichnen. Allerdings brauchte der Angreifer physischen Zugriff auf die Tastatur. --------------------------------------------- https://www.heise.de/-9595522.html ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (kernel, linux-5.10, php-phpseclib, php-phpseclib3, and phpseclib), Fedora (openssh and tinyxml), Gentoo (FreeRDP and Prometheus SNMP Exporter), Mageia (packages), Red Hat (openssl), SUSE (gstreamer-plugins-rs and python-django-grappelli), and Ubuntu (dotnet6, dotnet7, dotnet8, openssh, and xerces-c). --------------------------------------------- https://lwn.net/Articles/958124/ ∗∗∗ Security Bulletin for Trend Micro Apex Central ∗∗∗ --------------------------------------------- https://success.trendmicro.com/dcx/s/solution/000296153?language=en_US ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.01.2024
by Daily end-of-shift report 11 Jan '24

11 Jan '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 10-01-2024 18:00 − Donnerstag 11-01-2024 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Atomic Stealer rings in the new year with updated version ∗∗∗ --------------------------------------------- Mac users should be aware of an active distribution campaign via malicious ads delivering Atomic Stealer. The latest iteration of the malware is stealthy thanks to added encryption and obfuscation of its code. --------------------------------------------- https://www.malwarebytes.com/blog/threat-intelligence/2024/01/atomic-steale… ∗∗∗ SECGlitcher (Part 1) - Reproducible Voltage Glitching on STM32 Microcontrollers ∗∗∗ --------------------------------------------- Voltage glitching is a technique used in hardware security testing to try to bypass or modify the normal operation of a device by injecting a glitch. --------------------------------------------- https://sec-consult.com/blog/detail/secglitcher-part-1-reproducible-voltage… ∗∗∗ Achtung Nachahmer: Gefahren durch gefälschte Messaging-Apps und App-Mods ∗∗∗ --------------------------------------------- Klone und Mods von WhatsApp, Telegram und Signal sind nach wie vor ein beliebtes Mittel zur Verbreitung von Malware. Lassen Sie sich nicht für dumm verkaufen. --------------------------------------------- https://www.welivesecurity.com/de/mobile-sicherheit/achtung-nachahmer-gefah… ∗∗∗ Vorsicht vor Promi-Klonen auf Social Media: So täuschen Kriminelle treue Fans ∗∗∗ --------------------------------------------- Christina Stürmer, Hubert von Goisern oder Christopher Seiler: Das sind nur 3 von zahlreichen österreichischen Prominenten, die auf Facebook und Instagram vertreten sind -allerdings nicht nur mit einem einzigen Profil. Denn Kriminelle erstellen Fake-Profile, auf denen sie sich als diese Stars ausgeben, um den treuen Fans das Geld aus der Tasche zu ziehen. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-promi-klonen-auf-social… ∗∗∗ Medusa Ransomware Turning Your Files into Stone ∗∗∗ --------------------------------------------- Medusa ransomware gang has not only escalated activities but launched a leak site. We also analyze new TTPS encountered in an incident response case. --------------------------------------------- https://unit42.paloaltonetworks.com/medusa-ransomware-escalation-new-leak-s… ===================== = Vulnerabilities = ===================== ∗∗∗ Kein Patch verfügbar: Ivanti Connect Secure und Policy Secure sind angreifbar ∗∗∗ --------------------------------------------- In Ivanti Connect Secure und Policy Secure klaffen aktiv ausgenutzte Sicherheitslücken. Patches gibt es bisher nicht - nur einen Workaround. --------------------------------------------- https://www.golem.de/news/kein-patch-verfuegbar-ivanti-connect-secure-und-p… ∗∗∗ Zoho ManageEngine: Codeschmuggel in ADSelfService Plus möglich ∗∗∗ --------------------------------------------- In Zoho ManageEngine ADSelfService Plus klafft eine kritische Sicherheitslücke. Angreifer können dadurch Schadcode einschleusen. --------------------------------------------- https://www.heise.de/news/Zoho-ManageEngine-Codeschmuggel-in-ADSelfService-… ∗∗∗ Sicherheitspatch: API-Fehler in Cisco Unity Connection macht Angreifer zum Root ∗∗∗ --------------------------------------------- Verschiedene Netzwerkprodukte von Cisco sind verwundbar. Eine Lücke gilt als kritisch. --------------------------------------------- https://www.heise.de/news/Sicherheitspatch-API-Fehler-in-Cisco-Unity-Connec… ∗∗∗ BIOS-Sicherheitsupdates von Dell und Lenovo ∗∗∗ --------------------------------------------- Dell stellt aktualisierte BIOS-Versionen für einige Geräte bereit. AMI schließt mehrere Sicherheitslücken, Lenovo reicht diese durch. --------------------------------------------- https://www.heise.de/news/BIOS-Sicherheitsupdates-von-Dell-und-Lenovo-95940… ∗∗∗ Sicherheitspatch: IBM Security Verify für Root-Attacken anfällig ∗∗∗ --------------------------------------------- Die Entwickler haben in IBMs Zugriffsmanagementlösung Security Verify mehrere Sicherheitslücken geschlossen. --------------------------------------------- https://www.heise.de/news/Sicherheitspatch-IBM-Security-Verify-fuer-Root-At… ∗∗∗ Juniper Networks bessert zahlreiche Schwachstellen aus ∗∗∗ --------------------------------------------- Juniper Networks hat 27 Sicherheitsmitteilungen veröffentlicht. Sie betreffen Junos OS, Junos OS Evolved und diverse Hardware. --------------------------------------------- https://www.heise.de/news/Juniper-Networks-bessert-zahlreiche-Schwachstelle… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium), Fedora (chromium, python-paramiko, tigervnc, and xorg-x11-server), Oracle (ipa, libxml2, python-urllib3, python3, and squid), Red Hat (.NET 6.0, .NET 7.0, .NET 8.0, container-tools:4.0, fence-agents, frr, gnutls, idm:DL1, ipa, kernel, kernel-rt, libarchive, libxml2, nss, openssl, pixman, python-urllib3, python3, tigervnc, tomcat, and virt:rhel and virt-devel:rhel modules), SUSE (gstreamer-plugins-bad), and Ubuntu (firefox, Go, linux-aws, [...] --------------------------------------------- https://lwn.net/Articles/958029/ ∗∗∗ Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN ∗∗∗ --------------------------------------------- Volexity analyzed one of the collected memory samples and uncovered the exploit chain used by the attacker. Volexity discovered two different zero-day exploits which were being chained together to achieve unauthenticated remote code execution (RCE). --------------------------------------------- https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-da… ∗∗∗ Cisco TelePresence Management Suite Cross-Site Scripting Vulnerabilities ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Apache ActiveMQ OpenWire Protocol Class Type Manipulation Arbitrary Code Execution Vulnerability affects Atos Unify OpenScape UC and Atos Unify Common Management Platform ∗∗∗ --------------------------------------------- https://networks.unify.com/security/advisories/OBSO-2401-02.pdf ∗∗∗ ZDI Security Advisories ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/published/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Rapid Software LLC Rapid SCADA ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-011-03 ∗∗∗ Horner Automation Cscape ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-011-04 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.01.2024
by Daily end-of-shift report 10 Jan '24

10 Jan '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 09-01-2024 18:00 − Mittwoch 10-01-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Absenderdaten entschlüsselt: China hat wohl Apples Airdrop-Protokoll "geknackt" ∗∗∗ --------------------------------------------- Forensikern aus Peking ist es angeblich gelungen, Telefonnummern und E-Mail-Adressen von Airdrop-Absendern zu entschlüsseln. --------------------------------------------- https://www.golem.de/news/absenderdaten-entschluesselt-china-hat-wohl-apple… ∗∗∗ Jenkins Brute Force Scans, (Tue, Jan 9th) ∗∗∗ --------------------------------------------- Our honeypots saw a number of scans for "/j_acegi_security_check" the last two days. This URL has not been hit much lately, but was hit pretty hard last March. The URL is associated with Jenkins, and can be used to brute force passwords. --------------------------------------------- https://isc.sans.edu/diary/rss/30546 ∗∗∗ Vorgaben der CISA: Mehr Sicherheit für die Microsoft-Cloud ∗∗∗ --------------------------------------------- Die Security-Vorgaben der CISA für die Microsoft-Cloud sind fertig. Wir zeigen, was hinter den Empfehlungen steckt und wo sie sich von MS und CIS unterscheiden. --------------------------------------------- https://www.heise.de/-9591800.html ∗∗∗ Patchday Microsoft: Kerberos-Authentifizierung unter Windows verwundbar ∗∗∗ --------------------------------------------- Es sind wichtige Sicherheitsupdates für Azure, Office, Windows und Co. erschienen. Attacken können bevorstehen. Ein Bitlocker-Patch macht Probleme. --------------------------------------------- https://www.heise.de/-9592648.html ∗∗∗ Type Juggling Leads to Two Vulnerabilities in POST SMTP Mailer WordPress Plugin ∗∗∗ --------------------------------------------- On December 14th, 2023, during our Bug Bounty Program Holiday Bug Extravaganza, we received a submission for an Authorization Bypass vulnerability in POST SMTP Mailer, a WordPress plugin with over 300,000+ active installations. This vulnerability makes it possible for unauthenticated threat actors to reset the API key used to authenticate to the mailer and view [...] --------------------------------------------- https://www.wordfence.com/blog/2024/01/type-juggling-leads-to-two-vulnerabi… ∗∗∗ Siemens, Schneider Electric Release First ICS Patch Tuesday Advisories of 2024 ∗∗∗ --------------------------------------------- Industrial giants Siemens and Schneider Electric publish a total of 7 new security advisories addressing 22 vulnerabilities. --------------------------------------------- https://www.securityweek.com/siemens-schneider-electric-release-first-ics-p… ∗∗∗ Achtung: Vermehrt PayLife Phishing-Mails im Umlauf ∗∗∗ --------------------------------------------- Schützen Sie Ihre Kreditkartendaten und nehmen Sie sich vor Phishing-Mails im Namen von PayLife in Acht. Kriminelle behaupten in den E-Mails, dass Sie aufgrund der Verpflichtung zur Zwei-Faktor-Authentifizierung Schritte setzen und einem Link folgen müssen. Sie landen auf einer kaum als Fälschung erkennbaren Kopie der PayLife-Seite. Geben Sie dort keine Daten ein! --------------------------------------------- https://www.watchlist-internet.at/news/achtung-vermehrt-paylife-phishing-ma… ∗∗∗ ‘Yet another Mirai-based botnet’ is spreading an illicit cryptominer ∗∗∗ --------------------------------------------- A well-designed operation is using a version of the infamous Mirai malware to secretly distribute cryptocurrency mining software, researchers said Wednesday. Calling it NoaBot, researchers at Akamai said the campaign has been active for about a year, and it has various quirks that complicate analysis of the malware and point to highly-skilled threat actors. --------------------------------------------- https://therecord.media/mirai-based-botnet-spreading-akamai ∗∗∗ CISA Adds One Known Exploited Vulnerability to Catalog ∗∗∗ --------------------------------------------- CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2023-29357 Microsoft SharePoint Server Privilege Escalation Vulnerability These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/01/10/cisa-adds-one-known-expl… ∗∗∗ Apache Applications Targeted by Stealthy Attacker ∗∗∗ --------------------------------------------- Researchers at Aqua Nautilus have uncovered a new attack targeting Apache Hadoop and Flink applications. This attack is particularly intriguing due to the attackers use of packers and rootkits to conceal the malware. The simplicity with which these techniques are employed presents a significant challenge to traditional security defenses. --------------------------------------------- https://blog.aquasec.com/threat-alert-apache-applications-targeted-by-steal… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Security Advisories 2024-01-10 ∗∗∗ --------------------------------------------- Security Impact Rating: 1x Critical, 6x Medium --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs… ∗∗∗ Lenovo Security Advisories 2024-01-09 ∗∗∗ --------------------------------------------- - AMI MegaRAC Vulnerabilities - Lenovo XClarity Administrator (LXCA) Vulnerability - Lenovo Vantage Vulnerabilities - Lenovo Tablet Vulnerabilities - TianoCore EDK II BIOS Vulnerabilities --------------------------------------------- https://support.lenovo.com/at/en/product_security/home ∗∗∗ Patchday Adobe: Mehrere Schwachstellen in Substance 3D Stager geschlossen ∗∗∗ --------------------------------------------- Adobes Anwendung zum Erstellen von 3D-Szenen Substance 3D Stager ist angreifbar. Eine fehlerbereinigte Version steht zum Download bereit. --------------------------------------------- https://www.heise.de/-9592712.html ∗∗∗ Update für Google Chrome: Hochriskantes Sicherheitsleck abgedichtet ∗∗∗ --------------------------------------------- Google hat turnusgemäß den Webbrowser Chrome aktualisiert. Dabei haben die Entwickler eine als hohes Risiko eingestufte Sicherheitslücke gestopft. --------------------------------------------- https://www.heise.de/-9592658.html ∗∗∗ Update gegen Rechteausweitung in FortiOS und FortiProxy ∗∗∗ --------------------------------------------- Fortinet warnt vor einem Fehler in der Rechteverwaltung von FortiOS und FortiProxy in HA Clustern. Bösartige Akteure können ihre Rechte ausweiten. --------------------------------------------- https://www.heise.de/-9592816.html ∗∗∗ Webkonferenzen: Zoom-Sicherheitslücken ermöglichen Rechteausweitung ∗∗∗ --------------------------------------------- Zoom verteilt aktualisierte Videokonferenz-Software. Sie schließt eine Sicherheitslücke, durch die Angreifer ihre Rechte ausweiten können. --------------------------------------------- https://www.heise.de/-9593000.html ∗∗∗ 2022-01 Security Bulletin: Junos OS Evolved: Telnet service may be enabled when it is expected to be disabled. (CVE-2022-22164) ∗∗∗ --------------------------------------------- Modification History 2022-01-12: Initial Publication 2024-01-10: updated the JSA with information on an additional PR which fixed some releases which were not completely fixed originally --------------------------------------------- https://supportportal.juniper.net/s/article/2022-01-Security-Bulletin-Junos… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (libssh), Gentoo (FAAD2 and RedCloth), Red Hat (kpatch-patch and nss), SUSE (hawk2, LibreOffice, opera, and tar), and Ubuntu (glibc, golang-1.13, golang-1.16, linux-azure, linux-gkeop, monit, and postgresql-9.5). --------------------------------------------- https://lwn.net/Articles/957340/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ SVD-2024-0104: Splunk User Behavior Analytics (UBA) Third-Party Package Updates ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2024-0104 ∗∗∗ SVD-2024-0103: Splunk Enterprise Security (ES) Third-Party Package Updates - January 2024 ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2024-0103 ∗∗∗ SVD-2024-0102: Denial of Service in Splunk Enterprise Security of the Investigations manager through Investigation creation ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2024-0102 ∗∗∗ SVD-2024-0101: Denial of Service of an Investigation in Splunk Enterprise Security through Investigation attachments ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2024-0101 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.01.2024
by Daily end-of-shift report 09 Jan '24

09 Jan '24

===================== = End-of-Day report = ===================== Timeframe: Montag 08-01-2024 18:00 − Dienstag 09-01-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Alert: Water Curupira Hackers Actively Distributing PikaBot Loader Malware ∗∗∗ --------------------------------------------- A threat actor called Water Curupira has been observed actively distributing the PikaBot loader malware as part of spam campaigns in 2023. --------------------------------------------- https://thehackernews.com/2024/01/alert-water-curupira-hackers-actively.html ∗∗∗ Skrupel nur vorgeschoben? Ransomware-Banden attackieren Kliniken ∗∗∗ --------------------------------------------- Zwar zürnt der Lockbit-Betreiber öffentlich mit einem Handlanger, ist sich dennoch für Krankenhaus-Erpressung nicht zu schade. Andere bedrohen gar Patienten. --------------------------------------------- https://www.heise.de/news/Skrupel-nur-vorgeschoben-Ransomware-Banden-attack… ∗∗∗ Vorsicht vor Phishing-Mails im Namen der KingBill GmbH ∗∗∗ --------------------------------------------- In einem gefälschten E-Mail im Namen der „KingBill GmbH“ werden Sie gebeten, Ihre offenen Zahlungen an KingBill zu sperren. Angeblich werden ausstehende Rechnungen nun auf eine Nebenkontoverbindung verrechnet. Sie werden aufgefordert, umgehend auf das E-Mail zu antworten. Bei diesem E-Mail handelt es sich aber um Betrug, um Ihnen Geld zu stehlen. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-phishing-mails-im-namen… ∗∗∗ Roles allowing to abuse Entra ID federation for persistence and privilege escalation ∗∗∗ --------------------------------------------- Microsoft Entra ID (formerly known as Azure AD) allows delegation of authentication to another identity provider through the legitimate federation feature. However, attackers with elevated privileges can abuse this feature, leading to persistence and privilege escalation. --------------------------------------------- https://medium.com/tenable-techblog/roles-allowing-to-abuse-entra-id-federa… ∗∗∗ New decryptor for Babuk Tortilla ransomware variant released ∗∗∗ --------------------------------------------- Cisco Talos obtained executable code capable of decrypting files affected by the Babuk Tortilla ransomware variant, allowing Talos to extract and share the private decryption key used by the threat actor. --------------------------------------------- https://blog.talosintelligence.com/decryptor-babuk-tortilla/ ===================== = Vulnerabilities = ===================== ∗∗∗ SAP-Patchday: Teils kritische Lücken in Geschäftssoftware ∗∗∗ --------------------------------------------- Der Januar-Patchday von SAP behandelt teils kritische Sicherheitslücken. Zu insgesamt zehn Schwachstellen gibt es Sicherheitsnotizen. --------------------------------------------- https://www.heise.de/news/SAP-Patchday-Teils-kritische-Luecken-in-Geschaeft… ∗∗∗ Synology warnt vor Sicherheitslücke im DSM-Betriebssystem ∗∗∗ --------------------------------------------- Synology gibt eine Warnung vor einer Sicherheitslücke im DSM-Betriebssystem für NAS-Systeme heraus. Updates stehen länger bereit. --------------------------------------------- https://www.heise.de/news/Synology-warnt-vor-Sicherheitsluecke-im-DSM-Betri… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (squid), Fedora (podman), Mageia (dropbear), SUSE (eclipse-jgit, jsch, gcc13, helm3, opusfile, qt6-base, thunderbird, and wireshark), and Ubuntu (clamav, libclamunrar, and qemu). --------------------------------------------- https://lwn.net/Articles/957236/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ SSA-794653 V1.0: Multiple File Parsing Vulnerabilities in Teamcenter Visualization and JT2Go ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-794653.html ∗∗∗ SSA-786191 V1.0: Local Privilege Escalation Vulnerability in Spectrum Power 7 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-786191.html ∗∗∗ SSA-777015 V1.0: Multiple Vulnerabilities in SIMATIC CN 4100 before V2.7 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-777015.html ∗∗∗ SSA-702935 V1.0: Redfish Server Vulnerability in maxView Storage Manager ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-702935.html ∗∗∗ SSA-589891 V1.0: Multiple PAR File Parsing Vulnerabilities in Solid Edge ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-589891.html ∗∗∗ SSA-583634 V1.0: Command Injection Vulnerability in the CPCI85 Firmware of SICAM A8000 Devices ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-583634.html ∗∗∗ Open Port 8899 in BCC Thermostat Product ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-473852.html ∗∗∗ CVE-2023-48795 Impact of Terrapin SSH Attack (Severity: NONE) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2023-48795 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.01.2024
by Daily end-of-shift report 08 Jan '24

08 Jan '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 05-01-2024 18:00 − Montag 08-01-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Post-Quanten-Kryptografie: Verschlüsselungsverfahren Kyber birgt Schwachstellen ∗∗∗ --------------------------------------------- Durch die Messung der für bestimmte Divisionsoperationen benötigten Rechenzeit lassen sich wohl geheime Kyber-Schlüssel rekonstruieren. --------------------------------------------- https://www.golem.de/news/post-quanten-kryptografie-verschluesselungsverfah… ∗∗∗ Suspicious Prometei Botnet Activity, (Sun, Jan 7th) ∗∗∗ --------------------------------------------- On the 31 Dec 2023, after trying multiple username/password combination, actor using IP 194.30.53.68 successfully loging to the honeypot and uploaded eight files where 2 of them are protected with a 7zip password (updates1.7z & updates2.7z). Some of these files have been identified to be related to the Prometei trojan by Virustotal. --------------------------------------------- https://isc.sans.edu/diary/rss/30538 ∗∗∗ Bypass Cognito Account Enumeration Controls ∗∗∗ --------------------------------------------- Amazon Cognito is a popular “sign-in as a service” offering from AWS. It allows developers to push the responsibility of developing authentication, sign up, and secure credential storage to AWS so they can instead focus on building their app. [..] This bypass was originally reported via a GitHub issue in July 2020 and Cognito is still vulnerable as of early 2024. --------------------------------------------- https://hackingthe.cloud/aws/enumeration/bypass_cognito_user_enumeration_co… ∗∗∗ Jetzt patchen! Attacken auf Messaging-Plattform Apache RocketMQ ∗∗∗ --------------------------------------------- Sicherheitsforscher beobachten zurzeit Angriffsversuche auf die Messaging- und Streaming-Plattform Apache RocketMQ. Sicherheitsupdates sind bereits seit Mai 2023 verfügbar. --------------------------------------------- https://www.heise.de/-9590555 ∗∗∗ Sicherheitsupdates: Schadcode- und DoS-Attacken auf Qnap NAS möglich ∗∗∗ --------------------------------------------- Angreifer können Netzwerkspeicher von Qnap ins Visier nehmen. Sicherheitspatches schaffen Abhilfe. --------------------------------------------- https://www.heise.de/-9589870 ∗∗∗ Die OAuth-Hintertür: Google wiegelt ab ∗∗∗ --------------------------------------------- Der Suchmaschinenriese Google sieht keine Sicherheitslücke in der durch Kriminelle ausgenutzten Schnittstelle, sie funktioniere wie vorgesehen. --------------------------------------------- https://www.heise.de/-9589840 ∗∗∗ NIST: No Silver Bullet Against Adversarial Machine Learning Attacks ∗∗∗ --------------------------------------------- NIST has published a report on adversarial machine learning attacks and mitigations, and cautioned that there is no silver bullet for these types of threats. --------------------------------------------- https://www.securityweek.com/nist-no-silver-bullet-against-adversarial-mach… ∗∗∗ Werbung für verlorene Pakete der Post für € 1,95 ist Betrug ∗∗∗ --------------------------------------------- Auf Facebook und im Facebook Messenger kursiert eine Werbung, die verloren gegangene Pakete der Post um € 1,95 verspricht. Die Werbung vermittelt den Eindruck, dass Angebot käme von der Post selbst. In den Paketen befinden sich angeblich hochpreisige Elektronikprodukte wie Laptops, Spielkonsolen oder Smartwatches. Dabei handelt es sich aber um eine betrügerische Werbung, die nichts mit der Österreichischen Post zu tun hat! --------------------------------------------- https://www.watchlist-internet.at/news/werbung-fuer-verlorene-pakete-der-po… ===================== = Vulnerabilities = ===================== ∗∗∗ Multiple vulnerabilities in Lantronix EDS-MD IoT gateway for medical devices ∗∗∗ --------------------------------------------- Pentagrid identified several vulnerabilities in Lantronixs EDS-MD product during a penetration test. The EDS-MD is an IoT gateway for medical devices and equipment. The vulnerabilities include an authenticated command injection, cross-site request forgery, missing authentication for the AES-encrypted communication, cross-site scripting vulnerabilities, outdated software components, and more. --------------------------------------------- https://www.pentagrid.ch/en/blog/multiple-vulnerabilties-in-lantronix-eds-m… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (exim4), Fedora (chromium, perl-Spreadsheet-ParseExcel, python-aiohttp, python-pysqueezebox, and tinyxml), Gentoo (Apache Batik, Eclipse Mosquitto, firefox, R, Synapse, and util-linux), Mageia (libssh2 and putty), Red Hat (squid), SUSE (libxkbcommon), and Ubuntu (gnutls28). --------------------------------------------- https://lwn.net/Articles/957146/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Qt: Security advisory: Potential Integer Overflow in Qts HTTP2 implementation ∗∗∗ --------------------------------------------- https://www.qt.io/blog/security-advisory-potential-integer-overflow-in-qts-… ∗∗∗ BOSCH-SA-711465: Multiple vulnerabilities in Nexo cordless nutrunner ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-711465.html ∗∗∗ CISA Adds Six Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/01/08/cisa-adds-six-known-expl… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.01.2024
by Daily end-of-shift report 05 Jan '24

05 Jan '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 04-01-2024 18:00 − Freitag 05-01-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Kritische Schadcode-Lücke gefährdet Ivanti Endpoint Manager ∗∗∗ --------------------------------------------- Unter bestimmten Voraussetzungen können Angreifer Schadcode auf Ivanti-EPM-Servern ausführen. --------------------------------------------- https://www.heise.de/-9587991.html ∗∗∗ Ransomware: Nach der Erpressung folgt umgehend die nächste Erpressung ∗∗∗ --------------------------------------------- Online-Kriminelle werden immer dreister und schlachten Opfer von Erpressungstrojanern gleich mehrfach aus. --------------------------------------------- https://www.heise.de/-9588424.html ∗∗∗ Fitness-App „Mad Muscles“: Kostenfalle statt Unterstützung bei Neujahrsvorsätzen ∗∗∗ --------------------------------------------- Der unseriöse Anbieter „Mad Muscles“ schaltet derzeit massiv Werbung auf Facebook und Instagram. Die Botschaft? „Building muscle isnt as hard as it sounds!“ („Muskelaufbau ist nicht so schwer, wie es klingt!“) - gerade zum Jahreswechsel sind solche Botschaften beliebt, sollen die Angebote doch dabei helfen, Neujahrsvorsätze einzuhalten. Was die Werbung verschweigt: Die Betreiber:innen von madmuscles.com und der dazugehörigen „Mad Muscle App“ machen Informationen zum Unternehmen genauso wenig transparent wie die Gesamtkosten. Hinzu kommt: Kündigungen werden laut Erfahrungsberichten erschwert. --------------------------------------------- https://www.watchlist-internet.at/news/fitness-app-mad-muscles-kostenfalle-… ∗∗∗ The source code of Zeppelin Ransomware sold on a hacking forum ∗∗∗ --------------------------------------------- Researchers from cybersecurity firm KELA reported that a threat actor announced on a cybercrime forum the sale of the source code and a cracked version of the Zeppelin ransomware builder for $500. --------------------------------------------- https://securityaffairs.com/156974/cyber-crime/zeppelin-ransomware-source-c… ∗∗∗ New Bandook RAT Variant Resurfaces, Targeting Windows Machines ∗∗∗ --------------------------------------------- A new variant of remote access trojan called Bandook has been observed being propagated via phishing attacks with an aim to infiltrate Windows machines, underscoring the continuous evolution of the malware. Fortinet FortiGuard Labs, which identified the activity in October 2023, said the malware is distributed via a PDF file that embeds a link to a password-protected .7z archive.“ --------------------------------------------- https://thehackernews.com/2024/01/new-bandook-rat-variant-resurfaces.html ∗∗∗ SpectralBlur: New macOS Backdoor Threat from North Korean Hackers ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered a new Apple macOS backdoor called SpectralBlur that overlaps with a known malware family that has been attributed to North Korean threat actors. “SpectralBlur is a moderately capable backdoor that can upload/download files, run a shell, update its configuration, delete files, hibernate, or sleep, based on commands issued from the [...] --------------------------------------------- https://thehackernews.com/2024/01/spectralblur-new-macos-backdoor-threat.ht… ∗∗∗ Tackling Anti-Analysis Techniques of GuLoader and RedLine Stealer ∗∗∗ --------------------------------------------- Using extractors written in Python, we detail our system for extracting internal malware configurations from memory dumps. GuLoader and RedLine Stealer are our examples. --------------------------------------------- https://unit42.paloaltonetworks.com/malware-configuration-extraction-techni… ===================== = Vulnerabilities = ===================== ∗∗∗ Inductive Automation Trust Center Updates ∗∗∗ --------------------------------------------- Inductive Automation offers a special thanks to the following security researchers from Trend Micro Zero Day Initiative, Star Labs, Incite Team, and Claroty Research Team82 for their hard work in finding and responsibly disclosing security vulnerabilities described in this tech advisory. All reported issues have been resolved as of Ignition 8.1.35. Inductive Automation recommends upgrading Ignition to the current version to address known vulnerabilities. --------------------------------------------- https://security.inductiveautomation.com/?tcuUid=fc4c4515-046d-4365-b688-69… ∗∗∗ QNAP Security Advisories ∗∗∗ --------------------------------------------- - Vulnerability in QcalAgent - Multiple Vulnerabilities in QTS and QuTS hero - Multiple Vulnerabilities in QuMagie - Multiple Vulnerabilities in Video Station - Vulnerability in Netatalk --------------------------------------------- https://www.qnap.com/en-us/security-advisories ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (asterisk, chromium, exim4, netatalk, and tomcat9), Fedora (chromium), Gentoo (BlueZ, c-ares, CUPS filters, RDoc, and WebKitGTK+), Oracle (firefox, squid:4, thunderbird, and tigervnc), SUSE (python-aiohttp and python-paramiko), and Ubuntu (linux-intel-iotg). --------------------------------------------- https://lwn.net/Articles/957005/ ∗∗∗ Security Update for Ivanti EPM ∗∗∗ --------------------------------------------- [...] We are reporting this vulnerability as CVE-2023-39366. We have no indication that customers have been impacted by this vulnerability. This vulnerability impacts all supported versions of the product, and the issue has been resolved in Ivanti EPM 2022 Service Update 5. If exploited, an attacker with access to the internal network can leverage an unspecified SQL injection to execute arbitrary SQL queries and retrieve output without the need for authentication. --------------------------------------------- https://www.ivanti.com/blog/security-update-for-ivanti-epm ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.01.2024
by Daily end-of-shift report 04 Jan '24

04 Jan '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 03-01-2024 18:00 − Donnerstag 04-01-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Mandiant’s account on X hacked to push cryptocurrency scam ∗∗∗ --------------------------------------------- The Twitter account of American cybersecurity firm and Google subsidiary Mandiant was hijacked earlier today to impersonate the Phantom crypto wallet and share a cryptocurrency scam. --------------------------------------------- https://www.bleepingcomputer.com/news/security/mandiants-account-on-x-hacke… ∗∗∗ UAC-0050 Group Using New Phishing Tactics to Distribute Remcos RAT ∗∗∗ --------------------------------------------- The threat actor known as UAC-0050 is leveraging phishing attacks to distribute Remcos RAT using new strategies to evade detection from security software. [..] "Leveraging pipes within the Windows operating system provides a covert channel for data transfer, skillfully evading detection by Endpoint Detection and Response (EDR) and antivirus systems," the researchers said. --------------------------------------------- https://thehackernews.com/2024/01/uac-0050-group-using-new-phishing.html ∗∗∗ Three Ways To Supercharge Your Software Supply Chain Security ∗∗∗ --------------------------------------------- If you make software and ever hope to sell it to one or more federal agencies, you have to pay attention to this. Even if you never plan to sell to a government, understanding your Software Supply Chain and learning how to secure it will pay dividends in a stronger security footing and the benefits it provides. --------------------------------------------- https://thehackernews.com/2024/01/three-ways-to-supercharge-your-software.h… ∗∗∗ Internetstörungen in Spanien: Orange-Konto bei RIPE geknackt ∗∗∗ --------------------------------------------- Im spanischen Internet kam es zu Störungen. Das Konto des Anbieters Orange bei RIPE wurde geknackt, die Angreifer haben Routen umgelenkt. [..] Durch ein schwaches Passwort ("ripeadmin") und den Verzicht auf Zwei-Faktor-Authentifizierung hatte der Angreifer leichtes Spiel. [..] Eine Antwort auf eine Anfrage beim RIPE NCC zu weiteren betroffenen oder gefährdeten Accounts und zu einer möglichen Verpflichtung, RIPE Accounts künftig zwingend mit Zwei-Faktor-Authentifizierung zu schützen, steht noch aus. Orange Spanien ist mit einem blauen Auge davongekommen; offenbar ging es dem Angreifer nur darum, den Provider bloßzustellen. --------------------------------------------- https://www.heise.de/-9587184 ∗∗∗ Terrapin-Attacke: Millionen SSH-Server angreifbar, Risiko trotzdem überschaubar ∗∗∗ --------------------------------------------- Zwar ist mehr als die Hälfte aller im Internet erreichbaren SSH-Server betroffen, Admins können jedoch aufatmen: Ein erfolgreicher Angriff ist schwierig. --------------------------------------------- https://www.heise.de/-9587473 ∗∗∗ Beyond Protocols: How Team Camaraderie Fortifies Security ∗∗∗ --------------------------------------------- The most efficient and effective teams have healthy and constructive cultures that encourage team members to go above and beyond the call of duty. --------------------------------------------- https://www.securityweek.com/beyond-protocols-how-team-camaraderie-fortifie… ∗∗∗ „Sofortiges Handeln erforderlich“: Massenhaft Phishing-Mails im Namen von A1 im Umlauf ∗∗∗ --------------------------------------------- Zahlreiche Konsument:innen wenden sich aktuell mit gefälschten E-Mails im Namen von A1 an die Watchlist Internet. Im E-Mail wird behauptet, dass „ungewöhnliche Verbindungen“ festgestellt wurden und daher „Ihre sofortige Aufmerksamkeit“ notwendig ist, „um die Sicherheit Ihres Kontos zu gewährleisten“. Gleichzeitig wird mit der Sperre des Kontos gedroht. Wir können entwarnen: Es handelt sich um Betrug. --------------------------------------------- https://www.watchlist-internet.at/news/sofortiges-handeln-erforderlich-mass… ∗∗∗ CVE-2022-1471: SnakeYAML Deserialization Deep Dive ∗∗∗ --------------------------------------------- Get an overview of SnakeYAML deserialization vulnerabilities (CVE-2022-1471) - how it works, why it works, and what it affects. --------------------------------------------- https://www.greynoise.io/blog/cve-2022-1471-snakeyaml-deserialization-deep-… ===================== = Vulnerabilities = ===================== ∗∗∗ Update für Google Chrome schließt sechs Sicherheitslücken ∗∗∗ --------------------------------------------- Google hat aktualisierte Chrome-Versionen herausgegeben. Sie schließen sechs Sicherheitslücken, davon mehrere mit hohem Risiko. --------------------------------------------- https://www.heise.de/-9586697 ∗∗∗ Patchday Android: Angreifer können sich höhere Rechte erschleichen ∗∗∗ --------------------------------------------- Android-Geräte sind für Attacken anfällig. Google, Samsung & Co. stellen Sicherheitsupdates bereit. --------------------------------------------- https://www.heise.de/-9586713 ∗∗∗ Netzwerkanalysetool Wireshark gegen mögliche Attacken abgesichert ∗∗∗ --------------------------------------------- Die Wireshark-Entwickler haben in aktuellen Versionen mehrere Sicherheitslücken geschlossen. --------------------------------------------- https://www.heise.de/-9587170 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Oracle (firefox, gstreamer1-plugins-bad-free, thunderbird, tigervnc, and xorg-x11-server), Red Hat (squid:4), SUSE (exim, libcryptopp, and proftpd), and Ubuntu (openssh and sqlite3). --------------------------------------------- https://lwn.net/Articles/956855/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Mitsubishi Electric Factory Automation Products ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-004-02 ∗∗∗ Rockwell Automation FactoryTalk Activation ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-004-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.01.2024
by Daily end-of-shift report 03 Jan '24

03 Jan '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 02-01-2024 18:00 − Mittwoch 03-01-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Leaksmas: Auch Cyberkriminelle haben sich zu Weihnachten beschenkt ∗∗∗ --------------------------------------------- Rund um Weihnachten wurden im Darknet mehr als 50 Millionen neue Datensätze aus verschiedenen Quellen veröffentlicht. Der Zeitpunkt war kein Zufall. Cyberkriminelle haben die Weihnachtszeit offenbar genutzt, um sich gegenseitig mit umfangreichen und von verschiedenen Unternehmen und Behörden erbeuteten Datensätzen zu beschenken. --------------------------------------------- https://www.golem.de/news/leaksmas-auch-cyberkriminelle-haben-sich-zu-weihn… ∗∗∗ Google-Konten in Gefahr: Exploit erlaubt böswilligen Zugriff trotz Passwort-Reset ∗∗∗ --------------------------------------------- Durch eine Schwachstelle in einem OAuth-Endpunkt können sich Cyberkriminelle dauerhaft Zugriff auf das Google-Konto einer Zielperson verschaffen. [..] Eine offizielle Stellungnahme zum Missbrauch des Multilogin-Endpunkts gibt es seitens Google wohl noch nicht. Dass dem Unternehmen das Problem bekannt ist, ist angesichts der Abhilfemaßnahmen aber anzunehmen. --------------------------------------------- https://www.golem.de/news/google-konten-in-gefahr-exploit-erlaubt-boeswilli… ∗∗∗ Interesting large and small malspam attachments from 2023, (Wed, Jan 3rd) ∗∗∗ --------------------------------------------- At the end of a year, or at the beginning of a new one, I like to go over all malicious attachments that were caught in my e-mail trap over the last 12 months, since this can provide a good overview of long-term malspam trends and may sometimes lead to other interesting discoveries. --------------------------------------------- https://isc.sans.edu/diary/rss/30524 ∗∗∗ Don’t trust links with known domains: BMW affected by redirect vulnerability ∗∗∗ --------------------------------------------- Cybernews researchers have discovered two BMW subdomains that were vulnerable to SAP redirect vulnerability. They were used to access the internal workplace systems for BMW dealers and could have been useful to attackers for spear-phishing campaigns or malware distribution. [..] Cybernews researchers immediately disclosed the vulnerability to BMW, and it was promptly fixed. --------------------------------------------- https://securityaffairs.com/156843/reports/bmw-affected-by-redirect-vulnera… ∗∗∗ How to Stop a DDoS Attack in 5 Steps ∗∗∗ --------------------------------------------- In this post, we’ll cover some essential fundamentals on how to stop a DDoS attack and prevent them from happening in the future. --------------------------------------------- https://blog.sucuri.net/2024/01/how-to-stop-a-ddos-attack.html ∗∗∗ Nehmen Sie keine unerwarteten Nachnahme-Sendungen an! ∗∗∗ --------------------------------------------- Aktuell erreichen uns gehäuft Meldungen zu unerwarteten Paketzustellungen, welche bei der Annahme per Nachnahme zu bezahlen sind. Nach einer Übernahme stellt sich häufig heraus, dass der Inhalt wertlos ist, beziehungsweise die Ware nie bestellt wurde. Achtung: Nehmen Sie Nachnahmesendungen nur an, wenn Sie ein entsprechendes Paket erwarten und den Absender kennen. Eine Rückerstattung über die Post ist im Problemfall nämlich nicht mehr möglich! --------------------------------------------- https://www.watchlist-internet.at/news/nehmen-sie-keine-unerwarteten-nachna… ∗∗∗ Decoding ethical hacking: A comprehensive exploration of white hat practices ∗∗∗ --------------------------------------------- In summation, ethical hacking emerges as a linchpin in fortifying cybersecurity defenses. Adopting a proactive approach, ethical hackers play a pivotal role in identifying vulnerabilities, assessing risks, and ensuring that organizations exhibit resilience in the face of evolving cyber threats. --------------------------------------------- https://cybersecurity.att.com/blogs/security-essentials/decoding-ethical-ha… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (kernel), Fedora (slurm), Oracle (kernel and postgresql:15), Red Hat (firefox, gstreamer1-plugins-bad-free, thunderbird, tigervnc, and xorg-x11-server), SUSE (polkit, postfix, putty, w3m, and webkit2gtk3), and Ubuntu (nodejs). --------------------------------------------- https://lwn.net/Articles/956694/ ∗∗∗ WordPress MyCalendar Plugin — Unauthenticated SQL Injection(CVE-2023–6360) ∗∗∗ --------------------------------------------- WordPress Core is the most popular web Content Management System (CMS). This free and open-source CMS written in PHP allows developers to develop web applications quickly by allowing customization through plugins and themes. In this article, we will analyze an unauthenticated sql injection vulnerability found in the MyCalendar plugin. --------------------------------------------- https://medium.com/tenable-techblog/wordpress-mycalendar-plugin-unauthentic… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.01.2024
by Daily end-of-shift report 02 Jan '24

02 Jan '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 29-12-2023 18:00 − Dienstag 02-01-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ CERT-UA Uncovers New Malware Wave Distributing OCEANMAP, MASEPIE, STEELHOOK ∗∗∗ --------------------------------------------- The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of a new phishing campaign orchestrated by the Russia-linked APT28 group to deploy previously undocumented malware such as OCEANMAP, MASEPIE, and STEELHOOK to harvest sensitive information. --------------------------------------------- https://thehackernews.com/2023/12/cert-ua-uncovers-new-malware-wave.html ∗∗∗ Neue Lücke in altem E-Mail-Protokoll: SMTP smuggling ∗∗∗ --------------------------------------------- Sicherheitsforscher haben eine Schwäche im Simple Mail Transfer Protocol (SMTP) entdeckt. Sie hebt das Fälschen des Absenders auf ein neues Niveau. --------------------------------------------- https://www.heise.de/-9584467 ∗∗∗ Ransomware: Fehler in Black-Basta-Programmierung ermöglicht Entschlüsselungstool ∗∗∗ --------------------------------------------- Unter bestimmten Bedingungen kann das kostenlose Entschlüsselungstool Black Basta Buster Opfern des Erpressungstrojaners Black Basta helfen. --------------------------------------------- https://www.heise.de/-9584846 ∗∗∗ New DLL Search Order Hijacking Technique Targets WinSxS Folder ∗∗∗ --------------------------------------------- Attackers can abuse a new DLL search order hijacking technique to execute code in applications within the WinSxS folder. --------------------------------------------- https://www.securityweek.com/new-dll-search-order-hijacking-technique-targe… ∗∗∗ Domain (in)security: the state of DMARC ∗∗∗ --------------------------------------------- This blog discusses the state of DMARC, the role that DMARC plays in email authentication, and why it should be a key component of your email security solution. --------------------------------------------- https://www.bitsight.com/blog/domain-insecurity-state-dmarc ===================== = Vulnerabilities = ===================== ∗∗∗ Technical Advisory – Multiple Vulnerabilities in PandoraFMS Enterprise ∗∗∗ --------------------------------------------- In this post I describe the 18 vulnerabilities that I discovered in PandoraFMS Enterprise v7.0NG.767 available at https://pandorafms.com. PandoraFMS is an enterprise scale network monitoring and management application which provides systems administrators with a central ‘hub’ to monitor and manipulate the state of computers (agents) deployed across the network. --------------------------------------------- https://research.nccgroup.com/2024/01/02/technical-advisory-multiple-vulner… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ansible, asterisk, cjson, firefox-esr, kernel, libde265, libreoffice, libspreadsheet-parseexcel-perl, php-guzzlehttp-psr7, thunderbird, tinyxml, and xerces-c), Fedora (podman-tui, proftpd, python-asyncssh, squid, and xerces-c), Mageia (libssh and proftpd), and SUSE (deepin-compressor, gnutls, gstreamer, libreoffice, opera, proftpd, and python-pip). --------------------------------------------- https://lwn.net/Articles/956521/ ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Gentoo (Joblib), Red Hat (firefox and thunderbird), SUSE (gstreamer-plugins-bad, libssh2_org, and webkit2gtk3), and Ubuntu (firefox and thunderbird). --------------------------------------------- https://lwn.net/Articles/956568/ ∗∗∗ Multiple vulnerabilities in IBM Db2 may affect IBM Storage Protect Server. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7103673 ∗∗∗ Multiple vulnerabilities affect IBM Storage Scale Hadoop Connector ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7104389 ∗∗∗ IBM Maximo Application Suite uses axios-0.25.0.tgz which is vulnerable to CVE-2023-45857 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7104391 ∗∗∗ IBM Maximo Application Suite uses WebSphere Liberty which is vulnerable to CVE-2023-46158, CVE-2023-44483 and CVE-2023-44487 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7104390 ∗∗∗ Vulnerabilities in Apache Ant affect IBM Operations Analytics - Log Analysis (CVE-2020-11023, CVE-2020-23064, CVE-2020-11022) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7104401 ∗∗∗ Multiple vulnerabilities in Golang Go affect Cloud Pak System ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7037900 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.12.2023
by Daily end-of-shift report 29 Dec '23

29 Dec '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 28-12-2023 18:00 − Freitag 29-12-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Malware abuses Google OAuth endpoint to ‘revive’ cookies, hijack accounts ∗∗∗ --------------------------------------------- Multiple information-stealing malware families are abusing an undocumented Google OAuth endpoint named "MultiLogin" to restore expired authentication cookies and log into users accounts, even if an accounts password was reset. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malware-abuses-google-oauth-… ∗∗∗ Steam game mod breached to push password-stealing malware ∗∗∗ --------------------------------------------- Downfall, a fan expansion for the popular Slay the Spire indie strategy game, was breached on Christmas Day to push Epsilon information stealer malware using the Steam update system. --------------------------------------------- https://www.bleepingcomputer.com/news/security/steam-game-mod-breached-to-p… ∗∗∗ Security: Wie man mit Ransomware-Hackern verhandelt ∗∗∗ --------------------------------------------- Wer Opfer einer Ransomware-Attacke wird, kommt an Verhandlungen mit den Kriminellen manchmal nicht vorbei. Dabei gibt es einige Regeln zu beachten. Ein Bericht von Friedhelm Greis --------------------------------------------- https://www.golem.de/news/security-wie-man-mit-ransomware-hackern-verhandel… ∗∗∗ New Version of Meduza Stealer Released in Dark Web ∗∗∗ --------------------------------------------- On Christmas Eve, Resecurity’s HUNTER unit spotted the author of perspective password stealer Meduza has released a new version (2.2). One of the key significant improvements are support of more software clients [...] --------------------------------------------- https://securityaffairs.com/156598/malware/meduza-stealer-released-dark-web… ∗∗∗ Clash of Clans gamers at risk while using third-party app ∗∗∗ --------------------------------------------- An exposed database and secrets on a third-party app puts Clash of Clans players at risk of attacks from threat actors. The Cybernews research team has discovered that the Clash Base Designer Easy Copy app exposed its Firebase database and user-sensitive information. With 100,000 downloads on the Google Play store, [...] --------------------------------------------- https://securityaffairs.com/156617/security/clash-of-clans-gamers-at-risk.h… ∗∗∗ The Worst Hacks of 2023 ∗∗∗ --------------------------------------------- It was a year of devastating cyberattacks around the globe, from ransomware attacks on casinos to state-sponsored breaches of critical infrastructure. --------------------------------------------- https://www.wired.com/story/worst-hacks-2023/ ∗∗∗ From DarkGate to AsyncRAT: Malware Detected and Shared As Unit 42 Timely Threat Intelligence ∗∗∗ --------------------------------------------- >From October-December, the activities of DarkGate, Pikabot, IcedID and more were seen and shared with the broader community via social media [...] --------------------------------------------- https://unit42.paloaltonetworks.com/unit42-threat-intelligence-roundup/ ∗∗∗ Windows: CVE-2021-43890 ausnutzbar: App-Installer-Protokoll deaktiviert; Storm-1152 ausgeschaltet ∗∗∗ --------------------------------------------- Ich packe zum Jahresende noch einige "Gruselgeschichten" rund um das Thema "Sicherheit in Microsoft-Produkten" zusammen. So hat Microsoft den MSXI-App-Installer-Protokoll deaktiviert, weil dieses von Malware-Gruppen missbraucht wurde. Dann gab es die Schwachstelle CVE-2021-43890, die längst gefixt zu sein schien, jetzt [...] --------------------------------------------- https://www.borncity.com/blog/2023/12/29/microsoft-sicherheitssplitter-cve-… ∗∗∗ Velociraptor 0.7.1 Release: Sigma Support, ETW Multiplexing, Local Encrypted Storage and New VQL Capabilities Highlight the Last Release of 2023 ∗∗∗ --------------------------------------------- Rapid7 is excited to announce that version 0.7.1 of Velociraptor is live and available for download. There are several new features and capabilities that add to the power and efficiency of this open-source digital forensic and incident response (DFIR) platform. --------------------------------------------- https://www.rapid7.com/blog/post/2023/12/29/velociraptor-0-7-1-release-sigm… ===================== = Vulnerabilities = ===================== ∗∗∗ Apache OpenOffice 4.1.15 Release Notes ∗∗∗ --------------------------------------------- CVE-2012-5639: Loading internal / external resources without warning, CVE-2022-43680: "Use after free" fixed in libexpat, CVE-2023-1183: Arbitrary file write in Apache OpenOffice Base, CVE-2023-47804: Macro URL arbitrary script execution --------------------------------------------- https://cwiki.apache.org/confluence/display/OOOUSERS/AOO+4.1.15+Release+Not… ∗∗∗ CVE-2019-3773 Spring Web Services Vulnerability in NetApp Products ∗∗∗ --------------------------------------------- Multiple NetApp products incorporate Spring Web Services. Spring Web Services 2.4.3, 3.0.4, and older unsupported versions are susceptible to a vulnerability which when successfully exploited could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS). [...] CVE-2019-3773 9.8 (CRITICAL) --------------------------------------------- https://security.netapp.com/advisory/ntap-20231227-0011/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.12.2023
by Daily end-of-shift report 28 Dec '23

28 Dec '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 27-12-2023 18:00 − Donnerstag 28-12-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Lockbit ransomware disrupts emergency care at German hospitals ∗∗∗ --------------------------------------------- German hospital network Katholische Hospitalvereinigung Ostwestfalen (KHO) has confirmed that recent service disruptions were caused by a Lockbit ransomware attack where the threat actors gained access to IT systems and encrypted devices on the network. --------------------------------------------- https://www.bleepingcomputer.com/news/security/lockbit-ransomware-disrupts-… ∗∗∗ Unveiling the Mirai: Insights into Recent DShield Honeypot Activity [Guest Diary], (Wed, Dec 27th) ∗∗∗ --------------------------------------------- In this post, I dig into my instance of the DShield honeypot to see what attack vectors malicious actors are trying to exploit. What I found were several attempts to upload the Mirai family of malware. --------------------------------------------- https://isc.sans.edu/diary/rss/30514 ∗∗∗ Operation Triangulation: "Raffiniertester Exploit aller Zeiten" auf iPhones ∗∗∗ --------------------------------------------- Im Sommer wurde bekannt, dass iPhones der russischen Sicherheitsfirma Kaspersky per hoch entwickeltem Exploit übernommen wurden. Auf dem 37C3 gab es Details. --------------------------------------------- https://www.heise.de/-9583427 ∗∗∗ Neuer iPhone-Diebstahlschutz: "Wichtige Orte" als Sicherheitsloch ∗∗∗ --------------------------------------------- Apple will bald die Account-Ausplünderung nach iPhone-Diebstählen erschweren. Ein Sicherheitsfeature bietet allerdings eine Umgehungsmöglichkeit. --------------------------------------------- https://www.heise.de/-9582753 ∗∗∗ Jahresrückblick: Diese Themen beschäftigten uns 2023! ∗∗∗ --------------------------------------------- 2023 geht für die Watchlist Internet erfolgreich zu Ende: Mit rund 3,2 Millionen Besucher:innen konnten wir auch heuer wieder zahlreiche Menschen vor Internetbetrug warnen. Monatlich erreichten uns dabei rund 1.000 Meldungen, die wir 2023 in rund 200 Warnartikel und durch die Veröffentlichung von über 12.000 Domains auf unseren Warnlisten verarbeitet haben. Danke an unsere Leser:innen, die diesen Erfolg ermöglichen. --------------------------------------------- https://www.watchlist-internet.at/news/jahresrueckblick-diese-themen-bescha… ∗∗∗ How to report Gmail messages as spam to improve your life and make you a hero ∗∗∗ --------------------------------------------- The act of marking and reporting an email as spam in Gmail has an important side effect that makes it totally worth a few seconds of your day. --------------------------------------------- https://www.zdnet.com/article/how-to-report-gmail-messages-as-spam-to-impro… ∗∗∗ Trend Analysis on Kimsuky Group’s Attacks Using AppleSeed ∗∗∗ --------------------------------------------- While the Kimsuky group typically uses spear phishing attacks for initial access, most of their recent attacks involve the use of shortcut-type malware in LNK file format. Although LNK malware comprise a large part of recent attacks, cases using JavaScripts or malicious documents are continuing to be detected. --------------------------------------------- https://asec.ahnlab.com/en/60054/ ∗∗∗ Cyber Toufan goes Oprah mode, with free Linux system wipes of over 100 organisations ∗∗∗ --------------------------------------------- For the past 6 or so weeks, I’ve been tracking Cyber Toufan on Telegram. They appeared in November, and they’ve been very busy and very naughty boys. They actually set up their infrastructure around October, and started owning things apparently undetected. They’re not a lame DDoS pretend hacktivist group like NoName016 — instead, they claim to be Palestinian state cyber warriors. --------------------------------------------- https://doublepulsar.com/cyber-toufan-goes-oprah-mode-with-free-linux-syste… ===================== = Vulnerabilities = ===================== ∗∗∗ Juniper: 2023-12 Security Bulletin: JSA Series: Multiple vulnerabilities resolved ∗∗∗ --------------------------------------------- Multiple vulnerabilities have been resolved in Juniper Secure Analytics in 7.5.0 UP7 IF03. Severity Assessment (CVSS) Score 9.8 --------------------------------------------- https://supportportal.juniper.net/s/article/2023-12-Security-Bulletin-JSA-S… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (haproxy, libssh, and nodejs), Fedora (filezilla and minizip-ng), Gentoo (Git, libssh, and OpenSSH), and SUSE (gstreamer, postfix, webkit2gtk3, and zabbix). --------------------------------------------- https://lwn.net/Articles/956257/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.12.2023
by Daily end-of-shift report 27 Dec '23

27 Dec '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 22-12-2023 18:00 − Mittwoch 27-12-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Operation Triangulation: The last (hardware) mystery ∗∗∗ --------------------------------------------- Recent iPhone models have additional hardware-based security protection for sensitive regions of the kernel memory. We discovered that to bypass this hardware-based security protection, the attackers used another hardware feature of Apple-designed SoCs. --------------------------------------------- https://securelist.com/operation-triangulation-the-last-hardware-mystery/11… ∗∗∗ Stealth Backdoor “Android/Xamalicious” Actively Infecting Devices ∗∗∗ --------------------------------------------- McAfee Mobile Research Team identified an Android backdoor implemented with Xamarin, an open-source framework that allows building Android and iOS apps with .NET and C#. Dubbed Android/Xamalicious it tries to gain accessibility privileges with social engineering and then it communicates with the command-and-control server to evaluate whether or not to download a second-stage payload that’s dynamically injected as an assembly DLL at runtime level to take full control of the device and potentially perform fraudulent actions such as clicking on ads, installing apps among other actions financially motivated without user consent. --------------------------------------------- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/stealth-backdoor-andro… ∗∗∗ Gefährliche VPN-Extension für Chrome ist millionenfach installiert ∗∗∗ --------------------------------------------- Rund 1,5 Millionen Rechner sind mit Malware infiziert, die sich in den Browsern als VPN-Erweiterung einnistet. [..] Auf den Computern landet die Software über unrechtmäßig kopierte Spiele wie Grand Theft Auto, Assassins Creed und The Sims 4, die von Torrent-Seiten heruntergeladen wurden. --------------------------------------------- https://futurezone.at/digital-life/vpn-extension-chrome-gefaehrlich-million… ∗∗∗ Python Keylogger Using Mailtrap.io, (Sat, Dec 23rd) ∗∗∗ --------------------------------------------- I found another Python keylogger... This is pretty common because Python has plenty of modules to implement this technique in a few lines of code [..} But, in this case, the attacker used another popular online service: mailtrap.io. --------------------------------------------- https://isc.sans.edu/diary/rss/30512 ∗∗∗ New Guide: Broken Access Control ∗∗∗ --------------------------------------------- We are excited to announce the release of our new guide What is Broken Access Control. This handy resource helps you grasp the ins-and-outs of BACs, their potential risks and operation, enabling you to effectively secure your website against unauthorized access and breaches. --------------------------------------------- https://blog.sucuri.net/2023/12/new-guide-broken-access-control.html ∗∗∗ Rogue WordPress Plugin Exposes E-Commerce Sites to Credit Card Theft ∗∗∗ --------------------------------------------- Threat hunters have discovered a rogue WordPress plugin that's capable of creating bogus administrator users and injecting malicious JavaScript code to steal credit card information. The skimming activity is part of a Magecart campaign targeting e-commerce websites, according to Sucuri. --------------------------------------------- https://thehackernews.com/2023/12/rogue-wordpress-plugin-exposes-e.html ∗∗∗ Tesla: Forscher der TU Berlin verschaffen sich Zugriff auf Autopilot-Hardware ∗∗∗ --------------------------------------------- Mit Hilfe eines kurzen Spannungsabfalls konnten sich drei Doktoranden der TU Berlin Zugriff auf die Platine verschaffen, auf der Teslas Autopilot arbeitet. --------------------------------------------- https://www.heise.de/-9583095 ∗∗∗ Dual Privilege Escalation Chain: Exploiting Monitoring and Service Mesh Configurations and Privileges in GKE to Gain Unauthorized Access in Kubernetes ∗∗∗ --------------------------------------------- This article examines two specific issues in Google Kubernetes Engine (GKE). While each issue might not result in significant damage on its own, when combined they create an opportunity for an attacker who already has access to a Kubernetes cluster to escalate their privileges. This article serves as a crucial resource for Kubernetes users and administrators, offering insights on safeguarding their clusters from potential attacks. --------------------------------------------- https://unit42.paloaltonetworks.com/google-kubernetes-engine-privilege-esca… ∗∗∗ Analysis of Attacks That Install Scanners on Linux SSH Servers ∗∗∗ --------------------------------------------- AhnLab Security Emergency response Center (ASEC) analyzes attack campaigns against poorly managed Linux SSH servers and shares the results on the ASEC Blog. --------------------------------------------- https://asec.ahnlab.com/en/59972/ ===================== = Vulnerabilities = ===================== ∗∗∗ Critical Zero-Day in Apache OfBiz ERP System Exposes Businesses to Attack ∗∗∗ --------------------------------------------- A new zero-day security flaw has been discovered in the Apache OfBiz, an open-source Enterprise Resource Planning (ERP) system that could be exploited to bypass authentication protections. The vulnerability, tracked as CVE-2023-51467, resides in the login functionality and is the result of an incomplete patch for another critical vulnerability (CVE-2023-49070, CVSS score: 9.8) that was released earlier this month. --------------------------------------------- https://thehackernews.com/2023/12/critical-zero-day-in-apache-ofbiz-erp.html ∗∗∗ Kritische Sicherheitslücke in Perl-Bibliothek: Schwachstelle bereits ausgenutzt ∗∗∗ --------------------------------------------- In einer Perl-Bibliothek zum Parsen von Excel-Dateien haben Sicherheitsforscher eine kritische Schwachstelle entdeckt, die Angreifer bereits ausgenutzt haben. [..] Die MITRE hat der Schwachstelle den Eintrag CVE-2023-7101 vergeben. Der Proof of Concept ist von März 2023. Ein Sicherheitspatch ist derzeit noch nicht verfügbar. --------------------------------------------- https://www.heise.de/-9583179 ∗∗∗ Barracuda ESG-Schwachstelle CVE-2023-7102 (Dez. 2023) ∗∗∗ --------------------------------------------- Barracuda hat bei einer laufenden Untersuchung festgestellt, dass ein Bedrohungsakteur die Schwachstelle Schwachstelle CVE-2023-7102 in der Barracuda Email Security Gateway Appliance (ESG) ausnutzt. Die Verwendung einer Bibliothek eines Drittanbieters führte zu dieser Schwachstelle, die die Barracuda ESG Appliance von 5.1.3.001 bis 9.2.1.001 betraf. Barracuda hat zum 21. Dezember 2023 ein Sicherheitsupdate für alle aktiven ESGs bereitgestellt, um die ACE-Schwachstelle zu beheben. --------------------------------------------- https://www.borncity.com/blog/2023/12/27/barracuda-esg-schwachstelle-cve-20… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (curl, openssh, osslsigncode, and putty), Fedora (chromium, filezilla, libfilezilla, mingw-gstreamer1, mingw-gstreamer1-plugins-bad-free, mingw-gstreamer1-plugins-base, mingw-gstreamer1-plugins-good, opensc, thunderbird, unrealircd, and xorg-x11-server-Xwayland), Gentoo (Ceph, FFmpeg, Flatpak, Gitea, and SABnzbd), Mageia (chromium-browser-stable), Slackware (kernel and postfix), and SUSE (cppcheck, distribution, gstreamer-plugins-bad, jbigkit, and ppp). --------------------------------------------- https://lwn.net/Articles/956156/ ∗∗∗ Autodesk: Multiple Vulnerabilities in Autodesk InfoWorks software ∗∗∗ --------------------------------------------- https://www.autodesk.com/trust/security-advisories/adsk-sa-2023-0024 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.12.2023
by Daily end-of-shift report 22 Dec '23

22 Dec '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 21-12-2023 18:00 − Freitag 22-12-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Microsoft: Hackers target defense firms with new FalseFont malware ∗∗∗ --------------------------------------------- Microsoft says the APT33 Iranian cyber-espionage group is using recently discovered FalseFont backdoor malware to attack defense contractors worldwide. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-hackers-target-def… ∗∗∗ Europol warns 443 online shops infected with credit card stealers ∗∗∗ --------------------------------------------- Europol has notified over 400 websites that their online shops have been hacked with malicious scripts that steal debit and credit cards from customers making purchases. --------------------------------------------- https://www.bleepingcomputer.com/news/security/europol-warns-443-online-sho… ∗∗∗ Have your data and hide it too: An introduction to differential privacy ∗∗∗ --------------------------------------------- Providing software and web services that deliver value for users often requires measuring user behavior. In this blog we discuss emerging cryptographic and statistical techniques that enable collecting such measurements without violating user privacy --------------------------------------------- https://blog.cloudflare.com/have-your-data-and-hide-it-too-an-introduction-… ∗∗∗ Experts Detail Multi-Million Dollar Licensing Model of Predator Spyware ∗∗∗ --------------------------------------------- A new analysis of the sophisticated commercial spyware called Predator has revealed that its ability to persist between reboots is offered as an "add-on feature" and that it depends on the licensing options opted by a customer. --------------------------------------------- https://thehackernews.com/2023/12/multi-million-dollar-predator-spyware.html ∗∗∗ Decoy Microsoft Word Documents Used to Deliver Nim-Based Malware ∗∗∗ --------------------------------------------- A new phishing campaign is leveraging decoy Microsoft Word documents as bait to deliver a backdoor written in the Nim programming language. "Malware written in uncommon programming languages puts the security community at a disadvantage as researchers and reverse engineers unfamiliarity can hamper their investigation," [...] --------------------------------------------- https://thehackernews.com/2023/12/decoy-microsoft-word-documents-used-to.ht… ∗∗∗ Cyber sleuths reveal how they infiltrate the biggest ransomware gangs ∗∗∗ --------------------------------------------- How do you break into the bad guys ranks? Master the lingo and research, research, research --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2023/12/22/how_to_infil… ∗∗∗ Malicious GPT Can Phish Credentials, Exfiltrate Them to External Server: Researcher ∗∗∗ --------------------------------------------- A researcher has shown how malicious actors can create custom GPTs that can phish for credentials and exfiltrate them to external servers. --------------------------------------------- https://www.securityweek.com/malicious-gpt-can-phish-credentials-exfiltrate… ∗∗∗ CISA Releases Microsoft 365 Secure Configuration Baselines and SCuBAGear Tool ∗∗∗ --------------------------------------------- CISA has published the finalized Microsoft 365 Secure Configuration Baselines, designed to bolster the security and resilience of organizations’ Microsoft 365 (M365) cloud services. This guidance release is accompanied by the updated SCuBAGear tool that assesses organizations’ M365 cloud services per CISA’s recommended baselines. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/12/21/cisa-releases-microsoft-… ∗∗∗ Python Packages Leverage GitHub to Deploy Fileless Malware ∗∗∗ --------------------------------------------- In early December, a number of malicious Python packages captured our attention, not just because of their malicious nature, but for the cleverness of their deployment strategy. --------------------------------------------- https://checkmarx.com/blog/python-packages-leverage-github-to-deploy-filele… ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI Security Advisories ∗∗∗ --------------------------------------------- BlueZ, Kofax Power PDF --------------------------------------------- https://www.zerodayinitiative.com/advisories/published/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (bluez, chromium, gst-plugins-bad1.0, openssh, and thunderbird), Fedora (chromium, firefox, kernel, libssh, nss, opensc, and thunderbird), Gentoo (Arduino, Exiv2, LibRaw, libssh, NASM, and QtWebEngine), Mageia (gstreamer), and SUSE (gnutls, gstreamer-plugins-bad, libcryptopp, libqt5-qtbase, ppp, tinyxml, xorg-x11-server, and zbar). --------------------------------------------- https://lwn.net/Articles/956012/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.12.2023
by Daily end-of-shift report 21 Dec '23

21 Dec '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 20-12-2023 18:00 − Donnerstag 21-12-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ New phishing attack steals your Instagram backup codes to bypass 2FA ∗∗∗ --------------------------------------------- A new phishing campaign pretending to be a copyright infringement email attempts to steal the backup codes of Instagram users, allowing hackers to bypass the two-factor authentication configured on the account. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-phishing-attack-steals-y… ∗∗∗ Fake F5 BIG-IP zero-day warning emails push data wipers ∗∗∗ --------------------------------------------- The Israel National Cyber Directorate warns of phishing emails pretending to be F5 BIG-IP zero-day security updates that deploy Windows and Linux data wipers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fake-f5-big-ip-zero-day-warn… ∗∗∗ Android malware Chameleon disables Fingerprint Unlock to steal PINs ∗∗∗ --------------------------------------------- The Chameleon Android banking trojan has re-emerged with a new version that uses a tricky technique to take over devices — disable fingerprint and face unlock to steal device PINs. --------------------------------------------- https://www.bleepingcomputer.com/news/security/android-malware-chameleon-di… ∗∗∗ Windows CLFS and five exploits used by ransomware operators ∗∗∗ --------------------------------------------- We had never seen so many CLFS driver exploits being used in active attacks before, and then suddenly there are so many of them captured in just one year. Is there something wrong with the CLFS driver? Are all these vulnerabilities similar? These questions encouraged me to take a closer look at the CLFS driver and its vulnerabilities. --------------------------------------------- https://securelist.com/windows-clfs-exploits-ransomware/111560/ ∗∗∗ Increase in Exploit Attempts for Atlassian Confluence Server (CVE-2023-22518), (Wed, Dec 20th) ∗∗∗ --------------------------------------------- Attacks for the vulnerability started early in November, shortly after the vulnerability was announced. At the time, the attacks were more targeted to specific hosts. Now we are seeing more widespread scans typical for attackers trying to "clean up" instances earlier attacks may have missed. --------------------------------------------- https://isc.sans.edu/diary/rss/30502 ∗∗∗ Weaponizing DHCP DNS Spoofing — A Hands-On Guide ∗∗∗ --------------------------------------------- In this second blog post, we aim to elaborate on some of the technical details that are required to exploit this attack surface. We will detail the methods used to collect all the necessary information to conduct the attacks, describe some attack limitations, and explore how we can spoof multiple DNS records by abusing an interesting DHCP server behavior. --------------------------------------------- https://www.akamai.com/blog/security-research/weaponizing-dhcp-dns-spoofing… ∗∗∗ Kritische Lücken in Mobile-Device-Management-Lösung Ivanti Avalanche geschlossen ∗∗∗ --------------------------------------------- Angreifer können Ivanti Avalanche mit Schadcode attackieren. Eine reparierte Version steht zum Download bereit. --------------------------------------------- https://www.heise.de/-9580221 ∗∗∗ BSI veröffentlicht Studie zu Implementierungsangriffen auf QKD-Systeme ∗∗∗ --------------------------------------------- Das BSI hat eine wissenschaftliche Studie über Implementierungsangriffe auf Quantum Key Distribution (QKD)-Systeme veröffentlicht. --------------------------------------------- https://www.bsi.bund.de/DE/Service-Navi/Presse/Alle-Meldungen-News/Meldunge… ∗∗∗ Spoofing: Spätestens im Herbst 2024 soll mit dem Betrug Schluss sein ∗∗∗ --------------------------------------------- Alle österreichischen Telefonnummern erhalten ein "Mascherl", das sie als echt ausweist. Provider haben bis 1. September Zeit, die neue Verordnung umzusetzen. --------------------------------------------- https://www.derstandard.at/story/3000000200615/spoofing-spaetestens-im-herb… ∗∗∗ security.txt: A Simple File with Big Value ∗∗∗ --------------------------------------------- Our team at CISA often receives questions about why creation of a “security.txt” file was included as one of the priority Cybersecurity Performance Goals (CPGs). Why is it so important? Well, it’s such a simple concept, but it provides great value to all of those involved in vulnerability management and disclosure. --------------------------------------------- https://www.cisa.gov/news-events/news/securitytxt-simple-file-big-value ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI Security Advisories ∗∗∗ --------------------------------------------- Voltronic Power ViewPower, Hancom Office, Honeywell Saia PG5 Controls Suite --------------------------------------------- https://www.zerodayinitiative.com/advisories/published/ ∗∗∗ Google Chrome: Update schließt bereits angegriffene Zero-Day-Lücke ∗∗∗ --------------------------------------------- Googles Entwickler haben ein Update für Chrome veröffentlicht, das eine bereits angegriffene Sicherheitslücke abdichtet. --------------------------------------------- https://www.heise.de/-9580061 ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (December 11, 2023 to December 17, 2023) ∗∗∗ --------------------------------------------- Last week, there were 16 vulnerabilities disclosed in 16 WordPress Plugins and no WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 7 Vulnerability Researchers that contributed to WordPress Security last week. --------------------------------------------- https://www.wordfence.com/blog/2023/12/wordfence-intelligence-weekly-wordpr… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr), Fedora (kernel), Mageia (bluez), Oracle (fence-agents, gstreamer1-plugins-bad-free, opensc, openssl, postgresql:10, and postgresql:12), Red Hat (postgresql:15 and tigervnc), Slackware (proftpd), and SUSE (docker, rootlesskit, firefox, go1.20-openssl, go1.21-openssl, gstreamer-plugins-bad, libreoffice, libssh2_org, poppler, putty, rabbitmq-server, wireshark, xen, xorg-x11-server, and xwayland). --------------------------------------------- https://lwn.net/Articles/955914/ ∗∗∗ ESET Patches High-Severity Vulnerability in Secure Traffic Scanning Feature ∗∗∗ --------------------------------------------- ESET has patched CVE-2023-5594, a high-severity vulnerability that can cause a browser to trust websites that should not be trusted. --------------------------------------------- https://www.securityweek.com/eset-patches-high-severity-vulnerability-in-se… ∗∗∗ Drupal: Data Visualisation Framework - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-055 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2023-055 ∗∗∗ Foxit: Security Advisories for Foxit PDF Reader ∗∗∗ --------------------------------------------- https://www.foxit.com/support/security-bulletins.html ∗∗∗ NETGEAR: Security Advisory for Stored Cross Site Scripting on the NMS300, PSV-2023-0106 ∗∗∗ --------------------------------------------- https://kb.netgear.com/000065901/Security-Advisory-for-Stored-Cross-Site-Sc… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ CISA Adds Two Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/12/21/cisa-adds-two-known-expl… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.12.2023
by Daily end-of-shift report 20 Dec '23

20 Dec '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 19-12-2023 18:00 − Mittwoch 20-12-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Datenleckseite beschlagnahmt: Das FBI und die ALPHV-Hacker spielen Katz und Maus ∗∗∗ --------------------------------------------- Das FBI hat die Datenleckseite der Ransomwaregruppe ALPHV beschlagnahmt. Die Hacker haben jedoch auch noch Zugriff darauf. Sie drohen nun mit neuen Regeln. --------------------------------------------- https://www.golem.de/news/datenleckseite-beschlagnahmt-das-fbi-und-die-alph… ∗∗∗ Remote Encryption Attacks Surge: How One Vulnerable Device Can Spell Disaster ∗∗∗ --------------------------------------------- Ransomware groups are increasingly switching to remote encryption in their attacks, marking a new escalation in tactics adopted by financially motivated actors to ensure the success of their campaigns."Companies can have thousands of computers connected to their network, and with remote ransomware, all it takes is one underprotected device to compromise the entire network," [...] --------------------------------------------- https://thehackernews.com/2023/12/remote-encryption-attacks-surge-how-one.h… ∗∗∗ Threat Actors Exploit CVE-2017-11882 To Deliver Agent Tesla ∗∗∗ --------------------------------------------- First discovered in 2014, Agent Tesla is an advanced keylogger with features like clipboard logging, screen keylogging, screen capturing, and extracting stored passwords from different web browsers. Recently, Zscaler ThreatLabz detected a threat campaign where threat actors leverage CVE-2017-11882 XLAM to spread Agent Tesla to users on vulnerable versions of Microsoft Office. --------------------------------------------- https://www.zscaler.com/blogs/security-research/threat-actors-exploit-cve-2… ∗∗∗ New MetaStealer malvertising campaigns ∗∗∗ --------------------------------------------- In recent malvertising campaigns, threat actors dropped the MetaStealer information stealer, more or less coinciding with a new version release. --------------------------------------------- https://www.malwarebytes.com/blog/threat-intelligence/2023/12/new-metasteal… ∗∗∗ BSI und ANSSI veröffentlichen Publikation zu Remote Identity Proofing ∗∗∗ --------------------------------------------- Das BSI hat zusammen mit der französischen Behörde für IT-Sicherheit, ANSSI, eine gemeinsame Publikation veröffentlicht. Die diesjährige Veröffentlichung beschäftigt sich mit den Gefahren und möglichen Angriffsvektoren, die in den verschiedenen Phasen der videobasierten Identifikation entstehen. --------------------------------------------- https://www.bsi.bund.de/DE/Service-Navi/Presse/Alle-Meldungen-News/Meldunge… ∗∗∗ Why Is an Australian Footballer Collecting My Passwords? The Various Ways Malicious JavaScript Can Steal Your Secrets ∗∗∗ --------------------------------------------- Malicious JavaScript is used to steal PPI via survey sites, web chat APIs and more. We detail how JavaScript malware is implemented and evades detection. --------------------------------------------- https://unit42.paloaltonetworks.com/malicious-javascript-steals-sensitive-d… ∗∗∗ Behind the scenes: JaskaGO’s coordinated strike on macOS and Windows ∗∗∗ --------------------------------------------- In recent developments, a sophisticated malware stealer strain crafted in the Go programming language has been discovered by AT&T Alien Labs, posing a severe threat to both Windows and macOS operating systems. As of the time of publishing of this article, traditional antivirus solutions have low or even non-existent detection rates, making it a stealthy and formidable adversary. --------------------------------------------- https://cybersecurity.att.com/blogs/labs-research/behind-the-scenes-jaskago… ∗∗∗ Spike in Atlassian Exploitation Attempts: Patching is Crucial ∗∗∗ --------------------------------------------- In the blog we discuss the importance of securing your Atlassian products, provide valuable insights on various IP activities, and offer friendly advice on proactive measures to protect your organization. --------------------------------------------- https://www.greynoise.io/blog/spike-in-atlassian-exploitation-attempts-patc… ∗∗∗ Opening a Can of Whoop Ads: Detecting and Disrupting a Malvertising Campaign Distributing Backdoors ∗∗∗ --------------------------------------------- Earlier this year, Mandiant’s Managed Defense threat hunting team identified an UNC2975 malicious advertising (“malvertising”) campaign presented to users in sponsored search engine results and social media posts, consistent with activity reported in From DarkGate to DanaBot. This campaign dates back to at least June 19, 2023, and has abused search engine traffic and leveraged malicious advertisements to affect multiple organizations, which resulted in the delivery of the DANABOT and DARKGATE backdoors. --------------------------------------------- https://www.mandiant.com/resources/blog/detecting-disrupting-malvertising-b… ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-23-1810: QEMU NVMe Out-Of-Bounds Read Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows local attackers to disclose sensitive information on affected installations of QEMU. An attacker must first obtain the ability to execute high-privileged code on the target guest system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 6.0. --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-23-1810/ ∗∗∗ ZDI-23-1813: Inductive Automation Ignition ModuleInvoke Deserialization of Untrusted Data Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. Authentication is required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 8.8. --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-23-1813/ ∗∗∗ Sitefinity Security Advisory for Addressing Security Vulnerability CVE-2023-6784, December 2023 ∗∗∗ --------------------------------------------- The Progress Sitefinity team recently discovered a MEDIUM CVSS vulnerability in the Sitefinity application available under # CVE-2023-6784. A fix has been developed and tested – and is now available for download. Below you can find information about the discoveries and version-specific product updates for supported versions. --------------------------------------------- https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-A… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (ansible and ansible-core), Gentoo (Minecraft Server and thunderbird), Mageia (fusiondirectory), Red Hat (gstreamer1-plugins-bad-free, opensc, and openssl), Slackware (libssh and mozilla), SUSE (avahi, firefox, ghostscript, gstreamer-plugins-bad, mariadb, openssh, openssl-1_1-livepatches, python-aiohttp, python-cryptography, xorg-x11-server, and xwayland), and Ubuntu (libssh and openssh). --------------------------------------------- https://lwn.net/Articles/955786/ ∗∗∗ Apple Releases Security Updates for Multiple Products ∗∗∗ --------------------------------------------- Apple has released security updates to address vulnerabilities in Safari, iOS, iPadOS, and macOS Sonoma. A cyber threat actor could exploit one of these vulnerabilities to obtain sensitive information. CISA encourages users and administrators to review Apple security releases and apply necessary updates. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/12/20/apple-releases-security-… ∗∗∗ New Ivanti Avalanche Vulnerabilities ∗∗∗ --------------------------------------------- As part of our ongoing strengthening of the security of our products we have discovered twenty new vulnerabilities in the Ivanti Avalanche on-premise product. We are reporting these vulnerabilities as the CVE numbers listed below. These vulnerabilities impact all supported versions of the products – Avalanche versions 6.3.1 and above. Older versions/releases are also at risk. This release corrects multiple memory corruption vulnerabilities, covered in these security advisories: [...] --------------------------------------------- https://www.ivanti.com/blog/new-ivanti-avalanche-vulnerabilities ∗∗∗ Multiple vulnerabilites in D-Link G416 routers ∗∗∗ --------------------------------------------- https://supportannouncement.us.dlink.com/announcement/publication.aspx?name… ∗∗∗ K000137965 : Apache Tomcat vulnerability CVE-2023-45648 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000137965 ∗∗∗ K000137966 : Apache Tomcat vulnerability CVE-2023-42794 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000137966 ∗∗∗ IBM Security Guardium is affected by multiple vulnerabilities. [CVE-2022-42889, CVE-2023-35001, CVE-2023-32233] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7095693 ∗∗∗ IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7087688 ∗∗∗ IBM Maximo Application Suite - IoT Component uses Pygments-2.14.0-py3-none-any.whl which is vulnerable to CVE-2022-40896 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7099774 ∗∗∗ IBM Maximo Application Suite uses urllib3-1.26.16-py2.py3-none-any.whl which is vulnerable to CVE-2023-43804 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7099772 ∗∗∗ IBM Sterling B2B Integrator EBICs client affected by multiple issues due to Jettison ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7099862 ∗∗∗ IBM Security Guardium is affected by a guava-18.0.jar vulnerability (CVE-2023-2976) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7099896 ∗∗∗ Multiple vulnerabilities in IBM Java Runtime affect IBM Process Designer 8.5.7 shipped with IBM Business Automation Workflow ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7100525 ∗∗∗ IBM Security Guardium is affected by a multiple vulnerabilities (CVE-2023-39975, CVE-2023-34042) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7100884 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.12.2023
by Daily end-of-shift report 19 Dec '23

19 Dec '23

===================== = End-of-Day report = ===================== Timeframe: Montag 18-12-2023 18:00 − Dienstag 19-12-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Akute Welle an DDoS Angriffen auf staatsnahe und kritische Infrastruktur in Österreich ∗∗∗ --------------------------------------------- Seit Kurzem sehen sich österreichische staatliche/staatsnahe Organisationen sowie Unternehmen der kritischen Infrastruktur vermehrt mit DDoS Angriffen konfrontiert. Die genauen Hintergründe der Attacken sind uns zurzeit nicht bekannt, Hinweise für eine hacktivistische Motivation liegen jedoch vor. In Anbetracht der aktuellen Geschehnisse empfehlen wir Unternehmen und Organisationen, die eigenen Prozesse und technischen Maßnahmen nochmals auf ihre Wirksamkeit zu überprüfen, um im Fall eines Angriffes bestmöglich gewappnet zu sein. Dies gilt insbesondere, da eine Intensivierung der Angriffe nicht ausgeschlossen werden kann. --------------------------------------------- https://cert.at/de/aktuelles/2023/12/akute-welle-an-ddos-angriffen-auf-staa… ∗∗∗ Neue Angriffstechnik: Terrapin schwächt verschlüsselte SSH-Verbindungen ∗∗∗ --------------------------------------------- Ein Angriff kann wohl zur Verwendung weniger sicherer Authentifizierungsalgorithmen führen. Betroffen sind viele gängige SSH-Implementierungen. --------------------------------------------- https://www.golem.de/news/neue-angriffstechnik-terrapin-schwaecht-verschlue… ∗∗∗ FBI disrupts Blackcat ransomware operation, creates decryption tool ∗∗∗ --------------------------------------------- The Department of Justice announced today that the FBI successfully breached the ALPHV ransomware operations servers to monitor their activities and obtain decryption keys. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fbi-disrupts-blackcat-ransom… ∗∗∗ 8220 Gang Exploiting Oracle WebLogic Server Vulnerability to Spread Malware ∗∗∗ --------------------------------------------- The threat actors associated with the 8220 Gang have been observed exploiting a high-severity flaw in Oracle WebLogic Server to propagate their malware. The security shortcoming is CVE-2020-14883 (CVSS score: 7.2), a remote code execution bug that could be exploited by authenticated attackers to take over susceptible servers. --------------------------------------------- https://thehackernews.com/2023/12/8220-gang-exploiting-oracle-weblogic.html ∗∗∗ Hackers Abusing GitHub to Evade Detection and Control Compromised Hosts ∗∗∗ --------------------------------------------- Threat actors are increasingly making use of GitHub for malicious purposes through novel methods, including abusing secret Gists and issuing malicious commands via git commit messages. --------------------------------------------- https://thehackernews.com/2023/12/hackers-abusing-github-to-evade.html ∗∗∗ Mute the Sound: Chaining Vulnerabilities to Achieve RCE on Outlook: Pt 1 ∗∗∗ --------------------------------------------- In this post, we have detailed the research process that led to the discovery of the two bypasses, including their root-cause analysis. As we’ve shown, Windows path parsing code is complex and often can lead to vulnerabilities. [..] Windows machines with the October 2023 software update installed are protected from these vulnerabilities. Additionally, Outlook clients that use Exchange servers patched with March 2023 software update are protected against the abused feature. --------------------------------------------- https://www.akamai.com/blog/security-research/2023/dec/chaining-vulnerabili… ∗∗∗ Botnet: Qakbot wieder aktiv mit neuer Phishing-Kampagne ∗∗∗ --------------------------------------------- Im August haben internationale Strafverfolger das Quakbot-Botnetz außer Gefecht gesetzt. Jetzt hat Microsoft eine neue Phishing-Kampagne entdeckt. --------------------------------------------- https://www.heise.de/-9577963 ∗∗∗ Retro Gaming Vulnerability Research: Warcraft 2 ∗∗∗ --------------------------------------------- This blog post is part one in a short series on learning some basic game hacking techniques. [..] I leave it as an exercise to the reader to extend wc2shell further to add the first checksum byte and attempt to fuzz other traffic. --------------------------------------------- https://research.nccgroup.com/2023/12/19/retro-gaming-vulnerability-researc… ∗∗∗ Achtung Fake: „Ihr iCloud-Speicher ist voll. Erhalten Sie 50 GB KOSTENLOS !“ ∗∗∗ --------------------------------------------- Ihr iCloud-Speicher ist voll? Sie erhalten aber angeblich 50 GB kostenlos? Vorsicht, bei diesem E-Mail handelt es sich um Phishing. Tippen Sie nicht auf das Feld „Erhalten Sie 50 GB“. Sie würden auf einer gefälschten iCloud-Webseite landen, die Ihre Login-Daten stiehlt. --------------------------------------------- https://www.watchlist-internet.at/news/achtung-fake-ihr-icloud-speicher-ist… ∗∗∗ Apache ActiveMQ Vulnerability (CVE-2023-46604) Continuously Being Exploited in Attacks ∗∗∗ --------------------------------------------- This post will cover the recent additional attacks that installed Ladon, NetCat, AnyDesk, and z0Miner. --------------------------------------------- https://asec.ahnlab.com/en/59904/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (webkit2gtk), Fedora (rdiff-backup and xorg-x11-server-Xwayland), Mageia (cjose and ghostscript), Oracle (avahi), Red Hat (postgresql:10), and SUSE (avahi, freerdp, libsass, and ncurses). --------------------------------------------- https://lwn.net/Articles/955678/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ mozilla: Security Vulnerabilities fixed in Firefox 121 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2023-56/ ∗∗∗ mozilla: Security Vulnerabilities fixed in Thunderbird 115.6 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2023-55/ ∗∗∗ mozilla: Security Vulnerabilities fixed in Firefox ESR 115.6 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2023-54/ ∗∗∗ EFACEC UC 500E ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-353-03 ∗∗∗ Subnet Solutions Inc. PowerSYSTEM Center ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-353-01 ∗∗∗ Open Design Alliance Drawing SDK ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-353-04 ∗∗∗ EFACEC BCU 500 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-353-02 ∗∗∗ EuroTel ETL3100 Radio Transmitter ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-353-05 ∗∗∗ F5: K000137926 : Apache Tomcat vulnerability CVE-2023-46589 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000137926 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily