=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 28-11-2024 18:00 − Freitag 29-11-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ So schützen Sie sich in der Weihnachtszeit vor Fake-Shops! ∗∗∗
---------------------------------------------
Zur Weihnachtszeit möchte man seinen Liebsten gerne eine Freude bereiten. Bei den kalten Temperaturen bietet es sich an, bequem von zu Hause aus online einzukaufen. Damit die Weihnachtsfreude nicht durch eine Bestellung bei einem Fake-Shop getrübt wird, zeigen wir Ihnen die wichtigsten Punkte, an denen Sie betrügerische Online-Shops erkennen können.
---------------------------------------------
https://www.watchlist-internet.at/news/sicher-online-einkaufen-zu-weihnacht…
∗∗∗ Nach Nothalt: Microsoft verteilt korrigierte Exchange-Server-Updates ∗∗∗
---------------------------------------------
Das Exchange-Update zum November-Patchday war fehlerhaft, Microsoft zog die Notbremse. Jetzt stehen korrigierte Sicherheitsupdates bereit.
---------------------------------------------
https://heise.de/-10181645
∗∗∗ Hochriskante Sicherheitslücke in PostgreSQL: Gitlab patcht (noch) nicht ∗∗∗
---------------------------------------------
Postgres hat die Lücken bereits mit einem Update gefixt und empfiehlt, die Versionen 12.21, 13.17, 14.14, 15.9, 16.5 und 17.1 sofort einzuspielen. Wie bereits im März wiesen Leser uns darauf hin, dass GitLab nach wie vor an den alten, gefährdeten Versionen 14.11 und 16.4 festhält und die Updates verzögert.
---------------------------------------------
https://heise.de/-10181730
∗∗∗ QR-Codes an Parkautomaten – Polizei warnt vor Betrugsmasche ∗∗∗
---------------------------------------------
Derzeit tauchen bundesweit vermehrt manipulierte QR-Codes an Parkscheinautomaten auf. Dabei handelt es sich nach Angaben der Polizei um eine Betrugsmasche, bei der Kriminelle versuchen, über QR-Codes an sensible Daten zu gelangen – sogenanntes Quishing.
---------------------------------------------
https://www.heise.de/-10181611
∗∗∗ EU leitet Vertragsverletzungsverfahren gegen Deutschland wegen NIS2 ein ∗∗∗
---------------------------------------------
Gegen 24 Mitgliedstaaten inklusive Deutschland hat die Brüsseler Regierungsinstitution zugleich weitere Verletzungsverfahren gestartet, weil sie ihr keine nationalen Maßnahmen zur Umsetzung der Richtlinie über die Resilienz kritischer Einrichtungen mitgeteilt haben. Dabei handelt es sich quasi um die Analog-Variante der NIS2.
---------------------------------------------
https://heise.de/-10181402
∗∗∗ Ransomware Gangs Seek Pen Testers to Boost Quality ∗∗∗
---------------------------------------------
Qualified applicants must be able to test ransomware encryption and find bugs that might enable defenders to jailbreak the malware.
---------------------------------------------
https://www.darkreading.com/threat-intelligence/ransomware-gangs-seek-pen-t…
∗∗∗ IT threat evolution Q3 2024 ∗∗∗
---------------------------------------------
In this part of the malware report we discuss the most remarkable findings of Q3 2024, including APT and hacktivist attacks, ransomware, stealers, macOS malware and so on.
---------------------------------------------
https://securelist.com/malware-report-q3-2024/114678/
∗∗∗ Race Condition Attacks against LLMs ∗∗∗
---------------------------------------------
In modern LLM systems, there is a lot of code between what you type and what the LLM receives, and between what the LLM produces and what you see. All of that code is exploitable, and I expect many more vulnerabilities to be discovered in the coming year.
---------------------------------------------
https://www.schneier.com/blog/archives/2024/11/race-condition-attacks-again…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr, redis, twisted, and tzdata), Fedora (firefox, nss, pam, rust-rustls, rust-zlib-rs, thunderbird, tuned, and xen), and SUSE (cobbler, kernel, libjxl-devel, libuv, postgresql12, postgresql14, postgresql15, python-waitress, seamonkey, tomcat, and tomcat10).
---------------------------------------------
https://lwn.net/Articles/1000185/
∗∗∗ B&R: 2024-11-29: Cyber Security Advisory - B&R Authentication bypass flaw in several mapp components ∗∗∗
---------------------------------------------
https://www.br-automation.com/fileadmin/SA22P014-90c4aa35.pdf
∗∗∗ Windows Server 2012 Mark of the Web Vulnerability (0day) - and Free Micropatches for it ∗∗∗
---------------------------------------------
https://blog.0patch.com/2024/11/windows-server-2012-mark-of-web.html
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 27-11-2024 18:00 − Donnerstag 28-11-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Zello asks users to reset passwords after security incident ∗∗∗
---------------------------------------------
Zello is warning customers to reset their passwords if their account was created before November 2nd in what appears to be another security breach.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/zello-asks-users-to-reset-pa…
∗∗∗ Sneaky Skimmer Malware Targets Magento Sites Ahead of Black Friday ∗∗∗
---------------------------------------------
A stealthy JavaScript injection attack steals data from the checkout page of sites, either by creating a fake credit card form or extracting data directly from payment fields.
---------------------------------------------
https://www.darkreading.com/application-security/sneaky-skimmer-malware-mag…
∗∗∗ Microsoft-Sicherheitsfunktion "Administrator Protection" jetzt ausprobierbar ∗∗∗
---------------------------------------------
Microsoft will die Windows-Bedienung sicherer machen. "Administrator Protection" soll vor unbefugten Admin-Zugriffen schützen.
---------------------------------------------
https://www.heise.de/-10179558
∗∗∗ Vorsicht vor gefälschte Paketbenachrichtigungen ∗∗∗
---------------------------------------------
Sie erwarten ein Paket? Vorsicht ist geboten! Derzeit kursieren zahlreiche gefälschte Benachrichtigungen über den Lieferstatus von Bestellungen. Prüfen Sie daher Nachrichten von Paketdiensten genau, um nicht in eine Phishing- oder Abo-Falle zu tappen. Wir zeigen Ihnen, wie Sie gefälschte Nachrichten erkennen.
---------------------------------------------
https://www.watchlist-internet.at/news/falsche-paketbenachrichtigungen/
∗∗∗ Malicious NPM Package Exploits React Native Documentation Example ∗∗∗
---------------------------------------------
A recent discovery revealed how official documentation can become an unexpected attack vector for supply chain attacks. It happened when an npm package called “rtn-centered-text” exploited an example from React Native’s Fabric Native Components guide in an attempt to trick developers into downloading their package, putting systems at risk.
---------------------------------------------
https://checkmarx.com/blog/malicious-npm-package-exploits-react-native-docu…
∗∗∗ The Ultimate Handheld Hacking Device - My Experience with NetHunter ∗∗∗
---------------------------------------------
For those unfamiliar, Kali NetHunter is a version of Kali Linux that you can set up on your phone. There are several types of NetHunter setups, each determining the capabilities of your device.
---------------------------------------------
https://andy.codes/blog/security_articles/2024-11-27-the-ultimate-handheld-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Sicherheitslecks in Entwicklerwerkzeug Jenkins gestopft ∗∗∗
---------------------------------------------
In der Sicherheitsmitteilung listen die Jenkins-Entwickler drei verwundbare Add-ons auf. Am schwersten wiegt die Schwachstelle im Simple Queue Plug-in. Es versieht Namen von Views nicht mit Escape. Das mündet in einer Stored-Cross-Site-Scripting-Lücke, die Angreifer mit "View/Create"-Rechten missbrauchen können (CVE-2024-54003, CVSS 8.0, Risiko "hoch"). Den Fehler korrigieren die Plug-in-Version 1.4.5 sowie neuere.
---------------------------------------------
https://heise.de/-10180515
∗∗∗ Multiple Vulnerabilities in Fuji Electric Products ZDI-24-1614 - ZDI-24-1630 ∗∗∗
---------------------------------------------
Mitigation: Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the application.
---------------------------------------------
https://www.zerodayinitiative.com/advisories/published/
∗∗∗ Drupal: Tarte au Citron - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-064 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2024-064
∗∗∗ ZABBIX: SQL injection in user.get API (CVE-2024-42327) Critical ∗∗∗
---------------------------------------------
https://support.zabbix.com/browse/ZBX-25623
∗∗∗ NVIDIA Security Bulletin: NVIDIA UFM Enterprise, UFM Appliance, UFM CyberAI - November 2024 ∗∗∗
---------------------------------------------
https://nvidia.custhelp.com/app/answers/detail/a_id/5584
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 26-11-2024 18:05 − Mittwoch 27-11-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ RomCom exploits Firefox and Windows zero days in the wild ∗∗∗
---------------------------------------------
ESET Research details the analysis of a previously unknown vulnerability in Mozilla products exploited in the wild and another previously unknown Microsoft Windows vulnerability, combined in a zero-click exploit.
---------------------------------------------
https://www.welivesecurity.com/en/eset-research/romcom-exploits-firefox-and…
∗∗∗ Betrug auf Telegram und WhatsApp mit Fake Job angeboten ∗∗∗
---------------------------------------------
Unterhalb finden Sie unseren Bericht des Telegram Betrugs und wie wir es sogar geschafft haben die Betrüger auszutricksen. Außerdem geben wir Ticks und Tricks, was Sie machen können und wie Sie solch einen Betrug erkennen.
---------------------------------------------
https://www.zettasecure.com/post/betrug-auf-telegram-und-whatsapp-mit-fake-…
∗∗∗ Critical Flaw in ProjectSend Under Active Exploitation Against Public-Facing Servers ∗∗∗
---------------------------------------------
A critical security flaw impacting the ProjectSend open-source file-sharing application has likely come under active exploitation in the wild, according to findings from VulnCheck. The vulnerability, originally patched over a year-and-a-half ago as part of a commit pushed in May 2023 , was not officially made available until August 2024 with the release of version r1720.
---------------------------------------------
https://thehackernews.com/2024/11/critical-flaw-in-projectsend-under.html
∗∗∗ Gaming Engines: An Undetected Playground for Malware Loaders ∗∗∗
---------------------------------------------
Check Point Research discovered a new technique taking advantage of Godot Engine, a popular open-source game engine, to execute crafted GDScript, code which triggers malicious commands and delivers malware. The technique remains undetected by almost all antivirus engines in VirusTotal.
---------------------------------------------
https://research.checkpoint.com/2024/gaming-engines-an-undetected-playgroun…
∗∗∗ New NachoVPN attack uses rogue VPN servers to install malicious updates ∗∗∗
---------------------------------------------
A set of vulnerabilities dubbed "NachoVPN" allows rogue VPN servers to install malicious updates when unpatched Palo Alto and SonicWall SSL-VPN clients connect to them.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-nachovpn-attack-uses-rog…
∗∗∗ Rockstar 2FA Phishing-as-a-Service (PaaS): Noteworthy Email Campaigns ∗∗∗
---------------------------------------------
Welcome to the second part of our investigation into the Rockstar kit, please check out part one here.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/rockstar-2f…
∗∗∗ Researchers Discover "Bootkitty" – First UEFI Bootkit Targeting Linux Kernels ∗∗∗
---------------------------------------------
Cybersecurity researchers have shed light on what has been described as the first Unified Extensible Firmware Interface (UEFI) bootkit designed for Linux systems. Dubbed Bootkitty by its creators who go by the name BlackCat, the bootkit is assessed to be a proof-of-concept (PoC) and there is no evidence that it has been put to use in real-world attacks.
---------------------------------------------
https://thehackernews.com/2024/11/researchers-discover-bootkitty-first.html
∗∗∗ BEC-ware the Phish (part 3): Detect and Prevent Incidents in M365 ∗∗∗
---------------------------------------------
This blog discusses a few options in M365, such as guidance on configuring threat and alert policies and how to deal with these alerts downstream in the SIEM.
---------------------------------------------
https://www.pentestpartners.com/security-blog/bec-ware-the-phish-part-3-det…
∗∗∗ Modern solutions against cross-site attacks ∗∗∗
---------------------------------------------
This article is about cross-site leak attacks and what recent defenses have been introduced to counter them. I also want to finally answer the question why web security best practices is always opt-in and finally how YOU can get increased security controls.
---------------------------------------------
https://frederikbraun.de/modern-solutions-xsleaks.html
=====================
= Vulnerabilities =
=====================
∗∗∗ Palo Alto Globalprotect: Schadcode-Lücke durch unzureichende Zertifikatsprüfung ∗∗∗
---------------------------------------------
Die Entdecker der Sicherheitslücke von Amberwolf schreiben in ihrer detaillierten Analyse, dass die Globalprotect-VPN-Clients sowohl unter macOS als auch unter Windows anfällig für das Ausführen von Schadcode aus dem Netz und der Ausweitung der Rechte sind, und zwar durch den automatischen Update-Mechanismus (CVE-2024-5921, CVSS-B 7.2, Risiko "hoch"). Zwar erfordert der Update-Prozess, dass MSI-Dateien signiert sind, jedoch können Angreifer den PanGPS-Dienst zum Installieren eines bösartigen, dadurch vertrautem Root-Zertifikat missbrauchen.
---------------------------------------------
https://heise.de/-10178649
∗∗∗ Microsoft patcht teils kritische Lücken außer der Reihe ∗∗∗
---------------------------------------------
Microsoft hat in der Nacht zum Mittwoch vier Sicherheitsmitteilungen veröffentlicht. [..] Einige Updates müssen Nutzer installieren.
---------------------------------------------
https://www.heise.de/-10178400
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (mpg123 and php8.2), Fedora (libsndfile, mingw-glib2, mingw-libsoup, mingw-python3, and qbittorrent), Oracle (pam:1.5.1 and perl-App-cpanminus), Red Hat (firefox, thunderbird, and webkit2gtk3), Slackware (mozilla), SUSE (firefox, rclone, tomcat, tomcat10, and xen), and Ubuntu (gh, libsoup2.4, libsoup3, pygments, TinyGLTF, and twisted).
---------------------------------------------
https://lwn.net/Articles/999897/
∗∗∗ GitLab Patch Release: 17.6.1, 17.5.3, 17.4.5 ∗∗∗
---------------------------------------------
https://about.gitlab.com/releases/2024/11/26/patch-release-gitlab-17-6-1-re…
∗∗∗ HPE Insight Remote Support: Monitoring-Software ermöglicht Codeschmuggel ∗∗∗
---------------------------------------------
https://www.heise.de/-10178034
∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2024-0007 ∗∗∗
---------------------------------------------
https://webkitgtk.org/security/WSA-2024-0007.html
∗∗∗ Synology-SA-24:27 DSM ∗∗∗
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_24_27
∗∗∗ Synology-SA-24:26 BeeDrive for desktop ∗∗∗
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_24_26
∗∗∗ Omada Identity: Stored Cross-Site Scripting in Omada Identity ∗∗∗
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/stored-xss-in-omada-i…
∗∗∗ F5: K000148716: REXML vulnerability CVE-2024-41123 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000148716
∗∗∗ F5: K000148692: Qt vulnerability CVE-2023-34410 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000148692
∗∗∗ F5: K000148690: Qt vulnerability CVE-2023-32573 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000148690
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 25-11-2024 18:00 − Dienstag 26-11-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Hackers exploit critical bug in Array Networks SSL VPN products ∗∗∗
---------------------------------------------
Americas Cyber Defense Agency has received evidence of hackers actively exploiting a remote code execution vulnerability in SSL VPN products Array Networks AG and vxAG ArrayOS.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-exploit-critical-bug…
∗∗∗ Matrix Unleashes A New Widespread DDoS Campaign ∗∗∗
---------------------------------------------
Aqua Nautilus researchers uncovered a new and widespread Distributed Denial-of-Service (DDoS) campaign orchestrated by a threat actor named Matrix. Triggered by activities detected on our honeypots, this investigation dives deep into Matrix’s methods, targets, tools, and overall goals.
---------------------------------------------
https://blog.aquasec.com/matrix-unleashes-a-new-widespread-ddos-campaign
∗∗∗ Wake up and Smell the BitLocker Keys ∗∗∗
---------------------------------------------
>From this demonstration we can see that with a minimal set of tools and a small-time investment it is quite practical to access a drive encrypted with BitLocker. [..] This type of attack can be avoided by implementing a second factor for pre-boot authentication, either a user PIN and/or USB Startup Key.
---------------------------------------------
https://blog.nviso.eu/2024/11/26/wake-up-and-smell-the-bitlocker-keys/
∗∗∗ Detection Opportunities — EDR Silencer, EDRSandblast, Kill AV… ∗∗∗
---------------------------------------------
There are many ways to disable or modify security solutions which you can for. e.g test with at least 53 different Atomic Red Team as starting point, but today I would like to limit myself to a few tools that successful ransomware groups use within the top 20 ransomware groups for October 2024.
---------------------------------------------
https://detect.fyi/detection-opportunities-edr-silencer-edrsandblast-kill-a…
∗∗∗ Web-Security: Mit Content Security Policy gegen Cross-Site Scripting, Teil 2 ∗∗∗
---------------------------------------------
Erweiterte CSP-Direktiven helfen dabei, Anwendungen effizient gegen Cross-Site Scripting zu schützen.
---------------------------------------------
https://heise.de/-10175246
∗∗∗ Graykey: Entschlüsselungswerkzeug kann teilweise iOS 18 aufsperren ∗∗∗
---------------------------------------------
Im Zusammenhang mit Apples neuem Reboot-Schutz vor Entsperrung sind Informationen aufgetaucht, was Forensikunternehmen mit aktuellen iPhones tun können.
---------------------------------------------
https://heise.de/-10175639
=====================
= Vulnerabilities =
=====================
∗∗∗ Dell Wyse Management Suite: Angreifer können Sicherheitsmechanismen umgehen ∗∗∗
---------------------------------------------
Einer Warnmeldung zufolge sind unter anderem DoS-Attacken (CVE-2024-49595 "hoch") denkbar, außerdem können Angreifer nicht näher beschriebene Sicherheitsmechanismen umgehen (CVE-2024-49597 "hoch"). In beiden Fällen sind Attacken aus der Ferne möglich, Angreifer benötigen aber bereits hohe Nutzerrechte.
---------------------------------------------
https://www.heise.de/-10176009
∗∗∗ Trellix: Update dichtet Sicherheitslücken in Enterprise Security Manager ab ∗∗∗
---------------------------------------------
Auf konkrete Sicherheitslücken geht Trellix nicht weiter ein. Jedoch aktualisiert Trellix ESM 11.6.13 etwa Azul Java und geht damit mehrere nicht aufgelistete CVEs an. Ebenso bessert die mitgelieferte libcurl-Bibliothek zwei Sicherheitslücken aus (CVE-2023-38545, CVSS 9.8, Risiko "kritisch"; CVE-2023-38546, CVSS 3.7, niedrig). Auch im "Snow Service" lauerten zuvor zwei "Reverse Shell"-Schwachstellen (CVE-2024-1148, CVSS 9.8, kritisch; CVE-2024-11482 [noch nicht öffentlich]).
---------------------------------------------
https://www.heise.de/-10176250
∗∗∗ Wordpress-Plug-in Anti-Spam by Cleantalk gefährdet 200.000 Seiten ∗∗∗
---------------------------------------------
Nicht authentifizierte Angreifer können dadurch auf angreifbaren Wordpress-Instanzen beliebige Plug-ins installieren und aktivieren und somit am Ende beliebigen Code ausführen (CVE-2024-10542, CVSS 9.8, Risiko "kritisch").
---------------------------------------------
https://heise.de/-10175993
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (pypy3), Fedora (chromium, cobbler, and libsoup3), Oracle (kernel), SUSE (glib2, govulncheck-vulndb, javapackages-tools, xmlgraphics-batik, xmlgraphics- commons, xmlgraphics-fop, libblkid-devel, opentofu, php8, postgresql, postgresql16, postgresql17, thunderbird, traefik, and ucode-intel), and Ubuntu (needrestart and rapidjson).
---------------------------------------------
https://lwn.net/Articles/999744/
∗∗∗ WordPress Plugin "WP Admin UI Customize" vulnerable to cross-site scripting ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN87182660/
∗∗∗ VMware: VMSA-2024-0022: VMware Aria Operations updates address multiple vulnerabilities(CVE-2024-38830, CVE-2024-38831, CVE-2024-38832, CVE-2024-38833, CVE-2024-38834) ∗∗∗
---------------------------------------------
https://support.broadcom.com/web/ecx/support-content-notification/-/externa…
∗∗∗ Mozilla Security Advisories November 26, 2024 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/
∗∗∗ Splunk: SVD-2024-1102: Third-Party Package Updates in Splunk Machine Learning Toolkit - November 2024 ∗∗∗
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2024-1102
∗∗∗ Splunk: SVD-2024-1101: Third-Party Package Updates in Python for Scientific Computing - November 2024 ∗∗∗
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2024-1101
∗∗∗ Synology-SA-24:25 Surveillance Station ∗∗∗
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_24_25
∗∗∗ Synology-SA-24:15 BeeFiles ∗∗∗
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_24_15
∗∗∗ Hitachi Energy RTU500 Scripting Interface ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-331-05
∗∗∗ Hitachi Energy MicroSCADA Pro/X SYS600 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-331-04
∗∗∗ F5: K000148713: libssh2 vulnerabilities CVE-2019-3858 and CVE-2019-3862 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000148713
∗∗∗ PHP Patches Multiple Vulnerabilities Including CVE-2024-8932 ∗∗∗
---------------------------------------------
https://thecyberthrone.in/2024/11/26/php-patches-multiple-vulnerabilities-i…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 22-11-2024 18:00 − Montag 25-11-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ NAS nicht benutzbar: Qnap streicht fehlerhaftes Sicherheitsupdate ∗∗∗
---------------------------------------------
Besitzer von NAS-Geräten des Herstellers Qnap haben nach der Installation eines Patches Probleme sich anzumelden. Bislang hilft nur ein Downgrade. [..] Mittlerweile hat Qnap eine Stellungnahme zur Updateproblematik veröffentlicht. Demzufolge haben sie den Sicherheitspatch QTS 5.2.2.2950 build 20241114 nun repariert und wieder veröffentlicht.
---------------------------------------------
https://heise.de/-10146878
∗∗∗ Nearest Neighbor Attack: Angriff über WLAN des Nachbarn ∗∗∗
---------------------------------------------
Dass man über das Gast-WLAN des Ziels kritische Systeme erreichen konnte, lag daran, dass eines davon sowohl per drahtgebundenem Ethernet wie das Gast-WLAN erreichbar war. Damit fiel MFA weg, es handelte sich offenbar um eine Fehlkonfiguration.
---------------------------------------------
https://heise.de/-10129358
∗∗∗ Researchers Uncover Malware Using BYOVD to Bypass Antivirus Protections ∗∗∗
---------------------------------------------
Cybersecurity researchers have uncovered a new malicious campaign that leverages a technique called Bring Your Own Vulnerable Driver (BYOVD) to disarm security protections and ultimately gain access to the infected system. [..] The starting point of the attack is an executable file (kill-floor.exe) that drops the legitimate Avast Anti-Rootkit driver, which is subsequently registered as a service using Service Control (sc.exe) to perform its malicious actions.
---------------------------------------------
https://thehackernews.com/2024/11/researchers-uncover-malware-using-byovd.h…
∗∗∗ Microsoft testing Windows 11 support for third-party passkeys ∗∗∗
---------------------------------------------
Microsoft is now testing WebAuthn API updates that add support for support for using third-party passkey providers for Windows 11 passwordless authentication.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/microsoft-testing-windows-11…
∗∗∗ Decrypting a PDF With a User Password, (Sat, Nov 23rd) ∗∗∗
---------------------------------------------
In diary entry "Analyzing an Encrypted Phishing PDF", I decrypted a phishing PDF document. Because the PDF was encrypted for DRM (owner password), I didn't have to provide a password. What happens if you try this with a PDF encrypted for confidentiality (user password), where a password is needed to open the document?
---------------------------------------------
https://isc.sans.edu/diary/rss/31466
∗∗∗ Finding vulnerabilities in ClipSp, the driver at the core of Windows’ Client License Platform ∗∗∗
---------------------------------------------
ClipSP (clipsp.sys) is a Windows driver used to implement client licensing and system policies on Windows 10 and 11 systems. Cisco Talos researchers have discovered eight vulnerabilities related to clipsp.sys ranging from signature bypass to elevation of privileges and sandbox escape:TALOS-2024-1964 (CVE-2024-38184)TALOS-2024-1965 (CVE-2024-38185)
---------------------------------------------
https://blog.talosintelligence.com/finding-vulnerabilities-in-clipsp-the-dr…
∗∗∗ Dozens of Machines Infected: Year-Long NPM Supply Chain Attack Combines Crypto Mining and Data Theft ∗∗∗
---------------------------------------------
The package, @0xengine/xmlrpc, began its life as a “legitimate” XML-RPC implementation in October 2023, but strategically transformed into a malicious tool in later versions and has remained active through November of 2024. This discovery serves as a stark reminder that a package’s longevity and consistent maintenance history do not guarantee its safety.
---------------------------------------------
https://checkmarx.com/blog/npm-supply-chain-attack-combines-crypto-mining-a…
∗∗∗ Secure Coding: CWE-377 – TOCTOU-Race-Conditions in den Griff bekommen ∗∗∗
---------------------------------------------
TOCTOU-Schwachstellen zählen zu den schwerwiegendsten in der Common Weakness Enumeration CWE-377 beschriebenen. [..] Der Schlüssel zur Vermeidung dieser Schwachstellen liegt in der Beseitigung der Lücke zwischen dem Zeitpunkt der Überprüfung und dem Zeitpunkt der Nutzung, typischerweise durch den Einsatz atomarer Dateierstellungsmethoden – etwa die von sicheren APIs wie File.createTempFile() oder Files.createTempFile().
---------------------------------------------
https://heise.de/-10081613
∗∗∗ Phishing-Warnung: Kriminelle missbrauchen Black-Friday-Trubel ∗∗∗
---------------------------------------------
Im Phishingradar warnen die Verbraucherzentralen, dass seit Freitag betrügerische E-Mails im Umlauf sind, die zum Gegenstand haben, dass unbekannte Zugriffe auf das Konto zu einer vorübergehenden Sperrung des Kontos führe.
---------------------------------------------
https://heise.de/-10143500
∗∗∗ Advanced threat predictions for 2025 ∗∗∗
---------------------------------------------
Kasperskys Global Research and Analysis Team monitors over 900 APT (Advanced Persistent Threat) groups and operations. In this piece of KSB series, we review the advanced threat trends from the past year and offer insights into what we can expect in 2025.
---------------------------------------------
https://securelist.com/ksb-apt-predictions-2025/114582/
∗∗∗ Webinar: Internetkriminalität - Betrugsfallen & Fakes im Internet ∗∗∗
---------------------------------------------
Dieses Webinar informiert Sie über gängige Betrugsfallen im Internet (Abo-Fallen, Fake Shops, Kleinanzeigenbetrug, Scamming & Co.) und zeigt, wie Sie diese erkennen können. Nehmen Sie kostenlos teil: Montag, 9. Dezember 2024, 18:30 - 20:00 Uhr via zoom.
---------------------------------------------
https://www.watchlist-internet.at/news/webinar-internetkriminalitaet-betrug…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (ansible, chromium, ghostscript, glib2.0, intel-microcode, and kernel), Fedora (dotnet9.0, needrestart, php, and python3.6), Oracle (cups, kernel, osbuild-composer, podman, python3.12-urllib3, squid, and xerces-c), Red Hat (buildah, edk2, gnome-shell, haproxy, kernel, kernel-rt, libvpx, pam, python3.11-urllib3, python3.12-urllib3, qemu-kvm, rhc-worker-script, squid:4, and tigervnc), Slackware (php), SUSE (chromedriver, chromium, dcmtk, govulncheck-vulndb, iptraf-ng, and traefik2), and Ubuntu (linux-oracle and openjdk-23).
---------------------------------------------
https://lwn.net/Articles/999597/
∗∗∗ UmweltOffice: SQL Injection in Siempelkamp NIS UmweltOffice <7.4.3 (SYSS-2024-074) ∗∗∗
---------------------------------------------
https://www.syss.de/pentest-blog/sql-injection-in-siempelkamp-nis-umweltoff…
∗∗∗ F5: K000148495: libssh vulnerability CVE-2023-1667 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000148495
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 21-11-2024 18:00 − Freitag 22-11-2024 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Ransomgroup Helldown: Attacks on Zyxel Devices ∗∗∗
---------------------------------------------
SEC Consult has observed a rise of attacks on Zyxel firewalls over the past two months affecting Zyxel ATP firewall (version 5.38 and above - i.e. we have seen successful attacks also on fully patched Zyxel ATP version 5.39 firewalls). [..] We write this blogpost to highlight the need to remain vigilant and monitor activity on the Zyxel Firewalls, especially since there seems to be no official patch from the vendor as of the time of this blog post.
---------------------------------------------
https://sec-consult.com/blog/detail/ransomgroup-helldown-attacks-on-zyxel-d…
∗∗∗ Angriffe auf Citrix-Sicherheitslücke beobachtet ∗∗∗
---------------------------------------------
In der vergangenen Woche hat Citrix Sicherheitslücken im Session Recording geschlossen. Nun haben IT-Forscher Angriffe darauf beobachtet.
---------------------------------------------
https://www.heise.de/-10100614
∗∗∗ Fintech Giant Finastra Investigating Data Breach ∗∗∗
---------------------------------------------
Finastra, which provides software and services to 45 of the worlds top 50 banks, notified customers of the security incident after a cybercriminal began selling more than 400 gigabytes of data purportedly stolen from the company.
---------------------------------------------
https://it.slashdot.org/story/24/11/21/2043251/fintech-giant-finastra-inves…
∗∗∗ Heres what happens if you dont layer network security – or remove unused web shells ∗∗∗
---------------------------------------------
The US Cybersecurity and Infrastructure Agency often breaks into critical organizations' networks – with their permission, of course – to simulate real-world cyber attacks and thereby help improve their security. [..] In a Thursday blog post, the Agency (CISA) detailed the exercise and opined they "illuminate lessons learned for network defenders and software manufacturers about how to respond to and reduce risk." In other words: give it a read and learn from this critical infrastructure organization's mistakes – and the things it did well – to keep real criminals out of your IT environment.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2024/11/22/cisa_red_tea…
∗∗∗ Lateral Movement on macOS: Unique and Popular Techniques and In-the-Wild Examples ∗∗∗
---------------------------------------------
We uncover macOS lateral movement tactics, such as SSH key misuse and AppleScript exploitation. Strategies to counter this attack trend are also discussed.
---------------------------------------------
https://unit42.paloaltonetworks.com/unique-popular-techniques-lateral-movem…
∗∗∗ UK drinking water supplies disrupted by record number of undisclosed cyber incidents ∗∗∗
---------------------------------------------
A record number of cyber incidents impacted Britain’s critical drinking water supplies this year without being publicly disclosed, according to information obtained by Recorded Future News.
---------------------------------------------
https://therecord.media/uk-drinking-water-infrastructure-cyber-incident-rep…
∗∗∗ A Bag of RATs: VenomRAT vs. AsyncRAT ∗∗∗
---------------------------------------------
Remote access tools (RATs) have long been a favorite tool for cyber attackers, since they enable remote control over compromised systems and facilitate data theft, espionage, and continuous monitoring of victims. Among the well-known RATs are VenomRAT and AsyncRAT. [..] This comparison explores the core technical differences between VenomRAT and AsyncRAT by analyzing their architecture, capabilities, and tactics.
---------------------------------------------
https://www.rapid7.com/blog/post/2024/11/21/a-bag-of-rats-venomrat-vs-async…
∗∗∗ Looking at the Attack Surfaces of the Kenwood DMX958XR IVI ∗∗∗
---------------------------------------------
In our previous Kenwood DMX958XR blog post, we detailed the internals of the Kenwood in-vehicle infotainment (IVI) head unit and provided annotated pictures of each PCB. In this post, we aim to outline the attack surface of the DMX958XR in the hopes of providing inspiration for vulnerability research.
---------------------------------------------
https://www.thezdi.com/blog/2024/11/20/looking-at-the-attack-surfaces-of-th…
=====================
= Vulnerabilities =
=====================
∗∗∗ QNAP Security Advisories 2024-11-23 ∗∗∗
---------------------------------------------
QNAP released 8 security advisories: 5x important, 3x moderate
---------------------------------------------
https://www.qnap.com/en-us/security-advisories
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (postgresql-13, postgresql-15, and webkit2gtk), Fedora (libsndfile, microcode_ctl, and trafficserver), Mageia (kanboard, kernel, kmod-xtables-addons, kmod-virtualbox, and bluez, kernel-linus, opendmarc, and radare2), Oracle (.NET 9.0, bubblewrap and flatpak, buildah, expat, firefox, grafana, grafana-pcp, kernel, krb5, libsoup, libvpx, NetworkManager-libreswan, openexr, pcp, python3.11, python3.11-urllib3, python3.12, python3.9, squid, thunderbird, tigervnc, and webkit2gtk3), Red Hat (.NET 9.0, binutils, expat, grafana-pcp, kernel, libsoup, NetworkManager-libreswan, openexr, python3.11, python3.12, python39:3.9, squid, tigervnc, and webkit2gtk3), SUSE (chromedriver, cobbler, govulncheck-vulndb, and icinga2), and Ubuntu (linux-lowlatency, linux-lowlatency-hwe-6.8, python2.7, and zbar).
---------------------------------------------
https://lwn.net/Articles/999102/
∗∗∗ ZDI-24-1605: Adobe InDesign JP2 File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-24-1605/
∗∗∗ ZDI-24-1606: 7-Zip CopyCoder Infinite Loop Denial-of-Service Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-24-1606/
∗∗∗ ZDI-24-1613: Intel Driver & Support Assistant Log Folder Link Following Local Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-24-1613/
∗∗∗ SSA-354569 V1.0: Multiple Vulnerabilities in Palo Alto Networks Virtual NGFW on RUGGEDCOM APE1808 Devices ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-354569.html
∗∗∗ NVIDIA affected by a Critical vulnerability CVE-2024-0138 ∗∗∗
---------------------------------------------
https://thecyberthrone.in/2024/11/22/nvidia-affected-by-a-critical-vulnerab…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 20-11-2024 18:00 − Donnerstag 21-11-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Fortinet VPN design flaw hides successful brute-force attacks ∗∗∗
---------------------------------------------
A design flaw in the Fortinet VPN servers logging mechanism can be leveraged to conceal the successful verification of credentials during a brute-force attack without tipping off defenders of compromised logins.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fortinet-vpn-design-flaw-hid…
∗∗∗ Wegen Sicherheitslücke: D-Link drängt auf Entsorgung älterer Router ∗∗∗
---------------------------------------------
Mehrere D-Link-Router, von denen einige erst vor wenigen Monaten den EOL-Status erreicht haben, sind angreifbar. Patches gibt es nicht.
---------------------------------------------
https://www.golem.de/news/wegen-sicherheitsluecke-d-link-draengt-auf-entsor…
∗∗∗ Lumma Stealer on the Rise: How Telegram Channels Are Fueling Malware Proliferation ∗∗∗
---------------------------------------------
Authored by: M. Authored by: M, Mohanasundaram and Neil Tyagi In today’s rapidly evolving cyber landscape, malware threats ..
---------------------------------------------
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/lumma-stealer-on-the-r…
∗∗∗ Azure Key Vault Tradecraft with BARK ∗∗∗
---------------------------------------------
This post details the existing and new functions in BARK that support adversarial tradecraft research relevant to the Azure Key Vault service. The latter part of the post shows an example of how a red team operator may use these commands during the course of an assessment.
---------------------------------------------
https://posts.specterops.io/azure-key-vault-tradecraft-with-bark-24163abc8d…
∗∗∗ “Free Hugs” – What to be Wary of in Hugging Face – Part 2 ∗∗∗
---------------------------------------------
Enjoy Threat Modeling? Try Threats in Models! Previously… In part 1 of this 4-part blog, we discussed Hugging Face, the potentially dangerous trust relationship between Hugging Face users and the ReadMe file, exploiting users who ..
---------------------------------------------
https://checkmarx.com/blog/free-hugs-what-to-be-wary-of-in-hugging-face-par…
∗∗∗ New Report Reveals Hidden Risks: How Internet-Exposed Systems Threaten Critical Infrastructure ∗∗∗
---------------------------------------------
A new Censys report found 145,000 exposed ICSs and thousands of insecure human-machine interfaces (HMIs), providing attackers with an accessible path to disrupt critical operations. Real-world examples underscore the danger, with Iranian and Russian-backed hackers exploiting HMIs to manipulate water systems in Pennsylvania and Texas. GreyNoise research ..
---------------------------------------------
https://www.greynoise.io/blog/new-report-reveals-hidden-risks-how-internet-…
∗∗∗ Finding Bugs in Chrome with CodeQL ∗∗∗
---------------------------------------------
This blog post discusses how to use a static analysis tool called CodeQL to search for vulnerabilities in Chrome.
---------------------------------------------
https://bughunters.google.com/blog/5085111480877056/finding-bugs-in-chrome-…
∗∗∗ Spelunking in Comments and Documentation for Security Footguns ∗∗∗
---------------------------------------------
Join us as we explore seemingly safe but deceptively tricky ground in Elixir, Python, and the Golang standard library. We cover officially documented, or at least previously discussed, code functionality that could unexpectedly introduce vulnerabilities. Well-documented behavior is not always what it appears!
---------------------------------------------
https://blog.includesecurity.com/2024/11/spelunking-in-comments-and-documen…
∗∗∗ Azure Detection Engineering: Log idiosyncrasies you should know about ∗∗∗
---------------------------------------------
We share a few inconsistencies found in Azure logs which make detection engineering more challenging.
---------------------------------------------
https://tracebit.com/blog/azure-detection-engineering-log-idiosyncrasies-yo…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (kernel, NetworkManager-libreswan, and openssl), Fedora (chromium and llvm-test-suite), Mageia (thunderbird), and Ubuntu (linux-aws-6.8, linux-azure, linux-azure-6.8, linux-oracle-6.8,, linux-azure, and ruby2.7).
---------------------------------------------
https://lwn.net/Articles/998949/
∗∗∗ Progress Kemp LoadMaster OS Command Injection Vulnerability ∗∗∗
---------------------------------------------
FortiGuard network sensors detect attack attempts targeting the Progress Kemp LoadMaster. Successful exploitation of the CVE-2024-1212 vulnerability allows unauthenticated remote attackers to access the system through the management interface, potentially leading to data breaches, service disruptions, or further attacks
---------------------------------------------
https://fortiguard.fortinet.com/outbreak-alert/kemp-loadmaster-os-command-i…
∗∗∗ ZDI-24-1532: 7-Zip Zstandard Decompression Integer Underflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-24-1532/
∗∗∗ Drupal core - Moderately critical - Gadget chain - SA-CORE-2024-008 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-core-2024-008
∗∗∗ Drupal core - Moderately critical - Gadget chain - SA-CORE-2024-007 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-core-2024-007
∗∗∗ Drupal core - Critical - Cross Site Scripting - SA-CORE-2024-005 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-core-2024-005
∗∗∗ Drupal core - Moderately critical - Access bypass - SA-CORE-2024-004 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-core-2024-004
∗∗∗ Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2024-003 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-core-2024-003
∗∗∗ Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2024-003 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-core-2024-003
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 19-11-2024 18:00 − Mittwoch 20-11-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Bigger and badder: how DDoS attack sizes have evolved over the last decade ∗∗∗
---------------------------------------------
If we plot the metrics associated with large DDoS attacks observed in the last 10 years, does it show a straight, steady increase in an exponential curve that keeps becoming steeper, or is it closer to a linear growth? Our analysis found the growth is not linear but rather is exponential, with the slope varying depending on the metric (rps, pps or bps).
---------------------------------------------
https://blog.cloudflare.com/bigger-and-badder-how-ddos-attack-sizes-have-ev…
∗∗∗ Kein Angriff auf Idev-Portal: Destatis weist Schuld für Datenleck von sich ∗∗∗
---------------------------------------------
Das Statistische Bundesamt hat sein Idev-Portal untersucht. Von Hackern erbeutete Daten sollen bei den meldenden Unternehmen abgeflossen sein.
---------------------------------------------
https://www.golem.de/news/kein-cyberangriff-auf-meldesystem-destatis-weist-…
∗∗∗ Inside the Threat: Ein Blick hinter die Kulissen zur Abwehr einer aktiven Bedrohung ∗∗∗
---------------------------------------------
Früherkennung und proaktive Untersuchung können einen Ransomware-Angriff im Keim ersticken. Ein aktueller realer Fall, zeigt, wie es funktioniert.
---------------------------------------------
https://sec-consult.com/de/blog/detail/inside-the-threat-ein-blick-hinter-d…
∗∗∗ Decades-Old Security Vulnerabilities Found in Ubuntus Needrestart Package ∗∗∗
---------------------------------------------
Multiple decade-old security vulnerabilities have been disclosed in the needrestart package installed by default in Ubuntu Server (since version 21.04) that could allow a local attacker to gain root privileges without requiring user ..
---------------------------------------------
https://thehackernews.com/2024/11/decades-old-security-vulnerabilities.html
∗∗∗ Yubikey-Seitenkanal: Weitere Produkte für Cloning-Attacke anfällig ∗∗∗
---------------------------------------------
Die Seitenkanal-Lücke EUCLEAK wurde auch als "Yubikey-Cloning-Attacke" bekannt. Das BSI re-zertifiziert aktualisierte Produkte, die betroffen waren.
---------------------------------------------
https://www.heise.de/news/EUCLEAK-Weitere-Produkte-fuer-Cloning-Attacke-anf…
∗∗∗ Threat Assessment: Ignoble Scorpius, Distributors of BlackSuit Ransomware ∗∗∗
---------------------------------------------
Explore this assessment on cybercrime group Ignoble Scorpius, distributors of BlackSuit ransomware. Since May 2023, operations have increased —affecting critical sectors.
---------------------------------------------
https://unit42.paloaltonetworks.com/threat-assessment-blacksuit-ransomware-…
∗∗∗ Looking at the Internals of the Kenwood DMX958XR IVI ∗∗∗
---------------------------------------------
For the upcoming Pwn2Own Automotive contest, a total of four in-vehicle infotainment (IVI) head units have been selected as targets. One of these is the double DIN Kenwood DMX958XR. This unit offers a variety of ..
---------------------------------------------
https://www.thezdi.com/blog/2024/11/18/looking-at-the-internals-of-the-kenw…
∗∗∗ Critical Vulnerabilities in vCenter Server Exploited in the Wild ∗∗∗
---------------------------------------------
CVE CVE-2024-38813CVE-2024-38812 Affected Products VMware vCenter Server VMware Cloud Foundation Exploitation Broadcom has confirmed exploitation of these vulnerabilities[1]. The CVE has not been ..
---------------------------------------------
https://www.truesec.com/hub/blog/critical-vulnerabilities-in-vcenter-server…
∗∗∗ Malicious QR Codes: How big of a problem is it, really? ∗∗∗
---------------------------------------------
QR codes are disproportionately effective at bypassing most anti-spam filters. Talos discovered two effective methods for defanging malicious QR codes, a necessary step to make them safe for consumption.
---------------------------------------------
https://blog.talosintelligence.com/malicious_qr_codes/
∗∗∗ Hackers Exploit Misconfigured Jupyter Servers for Illegal Sports Streaming ∗∗∗
---------------------------------------------
Aqua Nautilus’ research reveals hackers are leveraging vulnerable and misconfigured Jupyter Notebook servers to steal live sports streams.
---------------------------------------------
https://hackread.com/hackers-exploit-misconfigured-jupyter-servers-sports-s…
∗∗∗ Pots and Pans, AKA an SSLVPN - Palo Alto PAN-OS CVE-2024-0012 and CVE-2024-9474 ∗∗∗
---------------------------------------------
It'll be no surprise that 2024, 2023, 2022, and every other year of humanities existence has been tough for SSLVPN appliances. Anyhow, there are new vulnerabilities (well, two of them) that are being exploited in the Palo Alto Networks ..
---------------------------------------------
https://labs.watchtowr.com/pots-and-pans-aka-an-sslvpn-palo-alto-pan-os-cve…
∗∗∗ Defending Your Directory: An Expert Guide to Mitigating Pass-the-Hash Attacks in Active Directory ∗∗∗
---------------------------------------------
In our latest technical blog series, our DFIR team are highlighting the most prominent Active Directory (AD) threats, describing the tell-tale signs that your AD might be at risk, and give experienced insight into the best prevention and mitigation strategies to shore up your AD security and bolster your digital identity protection.
---------------------------------------------
https://www.nccgroup.com/us/research-blog/defending-your-directory-an-exper…
∗∗∗ Let’s Encrypt: Ten Years ∗∗∗
---------------------------------------------
Vital personal and business information flows over the Internet more frequently than ever, and we don’t always know when it’s happening. It’s clear at this point that encrypting is something all of us should be doing. Then why don’t we use TLS (the successor to SSL) everywhere? Every browser in every device supports it. Every server in every data center supports it. Why don’t we just flip the switch?
---------------------------------------------
https://letsencrypt.org/2014/11/18/announcing-lets-encrypt/
∗∗∗ Achieving NIST CSF 2.0 Compliance: Best Practices ∗∗∗
---------------------------------------------
Cybersecurity is an ever-growing concern in today’s digital era. With the rise of cyberattacks and data breaches, organizations must adopt best practices to safeguard their sensitive information. One of the leading frameworks guiding organizations in securing their digital assets is the NIST CSF 2.0 by National Institute of Standards and ..
---------------------------------------------
https://fortbridge.co.uk/regulations/achieving-nist-csf-2-0-compliance-with…
=====================
= Vulnerabilities =
=====================
∗∗∗ DSA-5815-1 needrestart - security update ∗∗∗
---------------------------------------------
https://lists.debian.org/debian-security-announce/2024/msg00229.html
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 18-11-2024 18:00 − Dienstag 19-11-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Spotify abused to promote pirated software and game cheats ∗∗∗
---------------------------------------------
Spotify playlists and podcasts are being abused to push pirated software, game cheat codes, spam links, and "warez" sites. By injecting targeted keywords and links in playlist names and podcast descriptions, threat actors may ..
---------------------------------------------
https://www.bleepingcomputer.com/news/security/spotify-abused-to-promote-pi…
∗∗∗ New Helldown Ransomware Variant Expands Attacks to VMware and Linux Systems ∗∗∗
---------------------------------------------
Cybersecurity researchers have shed light on a Linux variant of a relatively new ransomware strain called Helldown, suggesting that the threat actors are broadening their attack focus."Helldown deploys Windows ransomware derived from the LockBit 3.0 code," Sekoia ..
---------------------------------------------
https://thehackernews.com/2024/11/new-helldown-ransomware-expands-attacks.h…
∗∗∗ Critical 9.8-rated VMware vCenter RCE bug exploited after patch fumble ∗∗∗
---------------------------------------------
If you didnt fix this a month ago, your to-do list probably needs a reshuffle Two VMware vCenter server bugs, including a critical heap-overflow vulnerability that leads to remote code execution (RCE), have been exploited in attacks after Broadcom’s first attempt to fix the flaws fell short.
---------------------------------------------
https://www.theregister.com/2024/11/18/vmware_vcenter_rce_exploited/
∗∗∗ Veritas Enterprise Vault: Kritische Codeschmuggel-Lücken in Archivsoftware ∗∗∗
---------------------------------------------
In Vertias Enterprise Vault können Angreifer kritische Lücke zum Einschleusen von Schadcode missbrauchen.
---------------------------------------------
https://www.heise.de/news/Veritas-Enterprise-Vault-Kritische-Codeschmuggel-…
∗∗∗ Kritische Palo-Alto-Lücke: Details und Patches sind da, CISA warnt vor Exploit ∗∗∗
---------------------------------------------
Fast drei Wochen nach ersten Exploit-Gerüchten hat der Hersteller nun endlich reagiert, trickst aber. Derweil warnt die US-Cyberbehörde vor Angriffen.
---------------------------------------------
https://www.heise.de/news/Kritische-Palo-Alto-Luecke-Patches-sind-da-CISA-w…
∗∗∗ FreeBSD Foundation releases Bhyve and Capsicum security audit ∗∗∗
---------------------------------------------
The FreeBSD Foundation has announced the release of a security audit report conducted by security firm Synacktiv. The audit uncovered a number of vulnerabilities: Most of these vulnerabilities have been addressed through official FreeBSD Project security advisories, which offer detailed information about each vulnerability, its impact, and the measures ..
---------------------------------------------
https://lwn.net/Articles/998615/
∗∗∗ FrostyGoop’s Zoom-In: A Closer Look into the Malware Artifacts, Behaviors and Network Communications ∗∗∗
---------------------------------------------
We analyze FrostyGoop malware, which targets OT systems. This article walks through newly discovered samples, indicators, and also examines configurations and network communications.
---------------------------------------------
https://unit42.paloaltonetworks.com/frostygoop-malware-analysis/
∗∗∗ The Importance of Establishing a Solid Third Party Risk Management Framework for Risk Mitigation ∗∗∗
---------------------------------------------
In the previous post, we introduced the concept of Third-Party Risk Management (TPRM) and its importance in today’s interconnected world. Now, let us have a look at the practical aspects of building a solid TPRM program and why it is important for your company. 1. Start with a Third-Party Inventory The first step in building ..
---------------------------------------------
https://blog.nviso.eu/2024/11/19/the-importance-of-establishing-a-solid-thi…
∗∗∗ Facebook Malvertising Campaign Spreads Malware via Fake Bitwarden ∗∗∗
---------------------------------------------
A Facebook malvertising campaign disguised as Bitwarden updates spreads malware, targeting business accounts. Users are tricked ..
---------------------------------------------
https://hackread.com/facebook-malvertising-malware-via-fake-bitwarden/
∗∗∗ Threat Actors Hijack Misconfigured Servers for Live Sports Streaming ∗∗∗
---------------------------------------------
To keep up with the ever-evolving world of cybersecurity, Aqua Nautilus researchers deploy honeypots that mimic real-world development environments. During a recent threat-hunting operation, they uncovered a surprising new ..
---------------------------------------------
https://blog.aquasec.com/threat-actors-hijack-misconfigured-servers-for-liv…
∗∗∗ Pots and Pans, AKA an SSLVPN - Palo Alto PAN-OS CVE-2024-0012 and CVE-2024-9474 ∗∗∗
---------------------------------------------
Note: Since this is breaking news and more details are being released, were updating this ..
---------------------------------------------
https://labs.watchtowr.com/pots-and-pans-aka-an-sslvpn-palo-alto-pan-os-cve…
∗∗∗ NVD Backlog Tops 20,000 CVEs Awaiting Analysis as NIST Prepares System Updates ∗∗∗
---------------------------------------------
CVEs awaiting analysis by the NVD have broken the 20,000 mark, after the security community noticed its enrichment activity slowed to nearly a halt again last week. NIST failed to meet its self-imposed deadline of ..
---------------------------------------------
https://socket.dev/blog/nvd-backlog-tops-20-000-cves
∗∗∗ Threat Actor Exposes Playbook for Exploiting npm to Build Blockchain-Powered Botnets ∗∗∗
---------------------------------------------
In October 2024, Socket discovered a widespread npm malware campaign using Ethereum smart contracts to evade detection and maintain control over infected systems. Building on our initial research and equipped with analyses of the ..
---------------------------------------------
https://socket.dev/blog/exploiting-npm-to-build-a-blockchain-powered-botnet
∗∗∗ Extending Burp Suite for fun and profit – The Montoya way – Part 7 ∗∗∗
---------------------------------------------
Last time we saw how to develop an extension that will add custom active and passive checks to the Burp Scanner. Today we will modify that extension to detect serialization issues using ..
---------------------------------------------
https://security.humanativaspa.it/extending-burp-suite-for-fun-and-profit-t…
∗∗∗ U.S. Extradites and Charges Alleged Phobos Ransomware Admin ∗∗∗
---------------------------------------------
The United States secured the extradition of a Russian national from South Korea who is allegedly the mastermind behind the notorious Phobos ransomware. Evgenii Ptitsyn, 42, is accused of administering the Phobos ..
---------------------------------------------
https://thecyberexpress.com/us-charges-alleged-phobos-ransomware-admin/
=====================
= Vulnerabilities =
=====================
∗∗∗ ZDI-24-1516: Trend Micro Deep Security Agent Manual Scan Command Injection Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Trend Micro Deep Security Agent. Authentication is required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.5. The following CVEs are assigned: CVE-2024-51503.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-24-1516/
∗∗∗ ZDI-24-1517: McAfee Total Protection Uncontrolled Search Path Element Local Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows local attackers to escalate privileges on affected installations of McAfee Total Protection. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 6.7. The following CVEs are assigned: CVE-2024-49592.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-24-1517/
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (.NET 9.0, bcc, bluez, bpftrace, bubblewrap, flatpak, buildah, cockpit, containernetworking-plugins, cups, cyrus-imapd, edk2, expat, firefox, fontforge, gnome-shell, gnome-shell-extensions, grafana, grafana-pcp, gtk3, httpd, iperf3, jose, krb5, libgcrypt, libsoup, libvirt, libvpx, lldpd, microcode_ctl, ..
---------------------------------------------
https://lwn.net/Articles/998755/
∗∗∗ Oracle Security Alert for CVE-2024-21287 - 18 November 2024 ∗∗∗
---------------------------------------------
https://www.oracle.com/security-alerts/alert-cve-2024-21287.html
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 15-11-2024 18:00 − Montag 18-11-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Honeypot: Forscher veralbert Scriptkiddies mit Fake-Ransomware ∗∗∗
---------------------------------------------
Ein Tool namens Jinn sollte Ransomware-Angriffe vereinfachen. Tatsächlich war das ein Honeypot, auf den so einige Akteure reingefallen sind.
---------------------------------------------
https://www.golem.de/news/honeypot-forscher-veralbert-scriptkiddies-mit-fak…
∗∗∗ Women In Russian-Speaking Cybercrime: Mythical Creatures or Significant Members of Underground? ∗∗∗
---------------------------------------------
A blog detailing in-depth research into women in Russian-speaking cybercrime.
---------------------------------------------
https://www.sans.org/blog/women-in-russian-speaking-cybercrime-mythical-cre…
∗∗∗ DORA-Kernthemen meistern: Ein Deep Dive in Incident Management ∗∗∗
---------------------------------------------
In diesem Blogbeitrag befassen wir uns mit den Anforderungen an DORA Incident Management.
---------------------------------------------
https://sec-consult.com/de/blog/detail/dora-kernthemen-meistern-ein-deep-di…
∗∗∗ Swiss cheesed off as postal service used to spread malware ∗∗∗
---------------------------------------------
QR codes arrive via an age-old delivery system Switzerlands National Cyber Security Centre (NCSC) has issued an alert about malware being spread via the countrys postal service.
---------------------------------------------
https://www.theregister.com/2024/11/16/swiss_malware_qr/
∗∗∗ WTF: Sicherheitsforscher finden beim Nachstellen einer Lücke drei neue ∗∗∗
---------------------------------------------
Als die Watchtowr Labs-Forscher die Lücke im FortiManager nachprüfen wollten, fanden sie weitere Fehler und unvollständige Fixes.
---------------------------------------------
https://www.heise.de/news/Sicherheitsforscher-finden-beim-Nachstellen-einer…
∗∗∗ T-Mobile von chinesischem Cyberangriff betroffen ∗∗∗
---------------------------------------------
Laut einem Bericht konnten die Hacker in mehrere Telekommunikationsunternehmen in den USA wie auch international eindringen
---------------------------------------------
https://www.derstandard.at/story/3000000245232/t-mobile-von-chinesischem-cy…
∗∗∗ Threat Brief: Operation Lunar Peek, Activity Related to CVE-2024-0012 ∗∗∗
---------------------------------------------
We detail the observed limited activity regarding authentication bypass vulnerability CVE-2024-0012 affecting specific versions of PAN-OS software, and include protections and mitigations.
---------------------------------------------
https://unit42.paloaltonetworks.com/cve-2024-0012-cve-2024-9474/
∗∗∗ Akute Welle an DDoS-Angriffen gegen österreichische Unternehmen und Organisationen ∗∗∗
---------------------------------------------
Seit heute Früh sind verschiedene österreichische Unternehmen und Organisationen aus unterschiedlichen Branchen und Sektoren mit DDoS-Angriffen konfrontiert. Die genauen Hintergründe der Attacke sind uns zurzeit nicht bekannt, Hinweise für eine hacktivistische Motivation liegen jedoch vor. In Anbetracht der aktuellen Geschehnisse ..
---------------------------------------------
https://www.cert.at/de/aktuelles/2024/11/ddos-angriffe-november-2024
∗∗∗ BrazenBamboo Weaponizes FortiClient Vulnerability to Steal VPN Credentials via DEEPDATA ∗∗∗
---------------------------------------------
KEY TAKEAWAYS Volexity discovered and reported a vulnerability in Fortinets Windows VPN client, FortiClient, where user credentials remain in process memory after a user authenticates to the VPN. This vulnerability was abused by BrazenBamboo in their DEEPDATA malware. BrazenBamboo is the threat actor behind development of the ..
---------------------------------------------
https://www.volexity.com/blog/2024/11/15/brazenbamboo-weaponizes-forticlien…
∗∗∗ Inside Water Barghest’s Rapid Exploit-to-Market Strategy for IoT Devices ∗∗∗
---------------------------------------------
In this blog entry, we discuss Water Barghests exploitation of IoT devices, transforming them into profitable assets through advanced automation and monetization techniques.
---------------------------------------------
https://www.trendmicro.com/en_us/research/24/k/water-barghest.html
∗∗∗ What To Use Instead of PGP ∗∗∗
---------------------------------------------
It’s been more than five years since The PGP Problem was published, and I still hear from people who believe that using PGP (whether GnuPG or another OpenPGP implementation) is a thing ..
---------------------------------------------
https://soatok.blog/2024/11/15/what-to-use-instead-of-pgp/
∗∗∗ TPM-Backed SSH Keys on Windows 11 ∗∗∗
---------------------------------------------
On my MacBook, I’ve been using using TPM/security key-based SSH keys for years since it’s where I do the most development and the software support is good. Secretive is a decent app I can vouch for. Before that, I was ..
---------------------------------------------
https://cedwards.xyz/tpm-backed-ssh-keys-on-windows-11/
∗∗∗ Reverse Engineering iOS 18 Inactivity Reboot ∗∗∗
---------------------------------------------
iOS 18 introduced a new inactivity reboot security feature. What does it protect from and how does it work? This blog post covers all the details down to a kernel extension and the Secure Enclave Processor.
---------------------------------------------
https://naehrdine.blogspot.com/2024/11/reverse-engineering-ios-18-inactivit…
∗∗∗ Malicious npm Package Exploits WhatsApp Authentication with Remote Kill Switch for File Destruction ∗∗∗
---------------------------------------------
A malicious npm package disguised as a WhatsApp client is exploiting authentication flows with a remote kill switch to exfiltrate data and destroy files.
---------------------------------------------
https://socket.dev/blog/malicious-npm-package-exploits-whatsapp-authenticat…
∗∗∗ Redis CVE-2024-31449: How to Reproduce and Mitigate the Vulnerability ∗∗∗
---------------------------------------------
On October 7, 2024, information about a serious vulnerability in Redis, identified as CVE-2024-31449, was published. This vulnerability allows an authenticated user to execute remote code using specially ..
---------------------------------------------
https://redrays.io/blog/redis-cve-2024-31449-how-to-reproduce-and-mitigate-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (binutils, libsoup, squid:4, tigervnc, and webkit2gtk3), Debian (icinga2, postgresql-13, postgresql-15, smarty3, symfony, thunderbird, and waitress), Fedora (dotnet9.0, ghostscript, microcode_ctl, php-bartlett-PHP-CompatInfo, python-waitress, and webkitgtk), Gentoo (Perl, Pillow, and X.Org X server, XWayland), ..
---------------------------------------------
https://lwn.net/Articles/998570/
∗∗∗ CVE-2024-0012 PAN-OS: Authentication Bypass in the Management Web Interface (PAN-SA-2024-0015) (Severity: CRITICAL) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2024-0012
∗∗∗ CVE-2024-9474 PAN-OS: Privilege Escalation (PE) Vulnerability in the Web Management Interface (Severity: MEDIUM) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2024-9474
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily