Daily November 2024

daily@lists.cert.at

1 participants
20 discussions

Tageszusammenfassung - 15.11.2024
by Daily end-of-shift report 15 Nov '24

15 Nov '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 14-11-2024 18:00 − Freitag 15-11-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Diese dummen Passwörter werden am häufigsten verwendet ∗∗∗ --------------------------------------------- Sind eure Accounts gut geschützt? Werft zur Sicherheit einen Blick auf diese Liste - hoffentlich fühlt ihr euch nicht ertappt. --------------------------------------------- https://futurezone.at/digital-life/dumme-passwoerter-oesterreich-internatio… ∗∗∗ Cyberangriff auf Destatis: Hacker erbeuten Firmendaten des Statistischen Bundesamtes ∗∗∗ --------------------------------------------- Der 3,8 GBytes große Datensatz bietet Zugriff auf von Unternehmen gemeldete Informationen. Das attackierte System wurde erst kürzlich modernisiert. --------------------------------------------- https://www.golem.de/news/cyberangriff-auf-destatis-hacker-erbeuten-firmend… ∗∗∗ MacOS 15.1: Apple patcht Drittanbieter-Firewalls kaputt ∗∗∗ --------------------------------------------- Wer unter MacOS 15.1 Drittanbieter-Firewalls wie Little Snitch verwendet, könnte auf Probleme stoßen. Filterregeln bleiben je nach Konfiguration wirkungslos. --------------------------------------------- https://www.golem.de/news/macos-15-1-apple-patcht-drittanbieter-firewalls-k… ∗∗∗ New Glove Stealer Malware Bypasses Google Chrome’s App-Bound to Steal Data ∗∗∗ --------------------------------------------- The New Glove Stealer malware has the ability to bypass Google Chrome’s Application-Bound (App-Bound) encryption to steal browser cookies. The threat actors’ attacks employed social engineering techniques akin to .. --------------------------------------------- https://heimdalsecurity.com/blog/glove-stealer-malware/ ∗∗∗ Gegen Enkeltrickbetrug: KI-Omi soll Kriminelle in endlose Gespräche verwickeln ∗∗∗ --------------------------------------------- Eine KI-generierte Omi soll für O2 Kriminelle beschäftigen, die echten Menschen per Telefon das Geld aus Tasche ziehen wollen. Dazu soll sie reden und reden. --------------------------------------------- https://www.heise.de/news/Gegen-Enkeltrickbetrug-KI-Omi-soll-Kriminelle-in-… ∗∗∗ Wordpress-Plug-in Really Simple Security gefährdet 4 Millionen Websites ∗∗∗ --------------------------------------------- Rund vier Millionen Wordpress-Seiten nutzen das Plug-in Really Simple Security. Angreifer aus dem Netz können sie kompromittieren. --------------------------------------------- https://www.heise.de/news/Wordpress-Plug-in-Really-Simple-Security-gefaehrd… ∗∗∗ An Interview With the Target & Home Depot Hacker ∗∗∗ --------------------------------------------- In December 2023, KrebsOnSecurity revealed the real-life identity of Rescator, the nickname used by a Russian cybercriminal who sold more than 100 million payment cards stolen from Target and Home Depot between 2013 and 2014. Moscow resident Mikhail Shefel, who confirmed using the Rescator identity in a recent interview, also admitted reaching out because he is broke and .. --------------------------------------------- https://krebsonsecurity.com/2024/11/an-interview-with-the-target-home-depot… ∗∗∗ Fake North Korean IT Worker Linked to BeaverTail Video Conference App Phishing Attack ∗∗∗ --------------------------------------------- North Korean IT worker cluster CL-STA-0237 instigated phishing attacks via video apps in Laos, exploiting U.S. IT firms and major tech identities. --------------------------------------------- https://unit42.paloaltonetworks.com/fake-north-korean-it-worker-activity-cl… ∗∗∗ Kritische Sicherheitslücke in Laravel Framework - Updates verfügbar ∗∗∗ --------------------------------------------- Im Laravel Framework wurde eine kritische Sicherheitslücke entdeckt. Die Schwachstelle ermöglicht es Angreifern, durch manipulierte URLs unbefugten Zugriff auf Anwendungen zu erlangen und Umgebungsvariablen zu manipulieren. --------------------------------------------- https://www.cert.at/de/warnungen/2024/11/kritische-sicherheitslucke-in-lara… ∗∗∗ Safeguarding Healthcare Organizations from IoMT Risks ∗∗∗ --------------------------------------------- The healthcare industry has undergone significant transformation with the emergence of the Internet of Medical Things (IoMT) devices. These devices ranging from wearable monitors to network imaging systems collect and process vast .. --------------------------------------------- https://levelblue.com/blogs/security-essentials/safeguarding-healthcare-org… ∗∗∗ Zero-day exploitation targeting Palo Alto Networks firewall management interfaces ∗∗∗ --------------------------------------------- Palo Alto Networks has indicated they are observing threat activity exploiting a zero-day unauthenticated remote command execution vulnerability in their firewall management interfaces. --------------------------------------------- https://www.rapid7.com/blog/post/2024/11/15/etr-zero-day-exploitation-targe… ∗∗∗ Microsoft Power Pages Misconfigurations Expose Millions of Records Globally ∗∗∗ --------------------------------------------- SaaS Security firm AppOmni has identified misconfigurations in Microsoft Power Pages that can lead to severe data breaches. --------------------------------------------- https://hackread.com/microsoft-power-pages-misconfigurations-data-leak/ ∗∗∗ Pirates in the Data Sea: AI Enhancing Your Adversarial Emulation ∗∗∗ --------------------------------------------- Written by: Matthijs Gielen, Jay ChristiansenBackgroundNew solutions, old problems. Artificial intelligence (AI) and large language models (LLMs) are here to signal a new day in the cybersecurity world, but what does that mean for us—the attackers and defenders—and our battle to improve security through all the noise?Data is everywhere. For most .. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/ai-enhancing-your-… ∗∗∗ Defending Your Directory: An Expert Guide to Fortifying Active Directory Against LDAP Injection Threats ∗∗∗ --------------------------------------------- In our latest technical blog series, our DFIR team are highlighting the most prominent Active Directory (AD) threats, describing the tell-tale signs that your AD might be at risk, and give experienced insight into the best prevention and mitigation strategies to shore up your AD security and bolster your digital identity protection. --------------------------------------------- https://www.nccgroup.com/us/research-blog/defending-your-directory-an-exper… ∗∗∗ Kubernetes Audit Log “Gotchas” ∗∗∗ --------------------------------------------- How to overcome challenges and security gaps when using K8s audit logs for forensics and attack detection. --------------------------------------------- https://www.wiz.io/blog/overcoming-kubernetes-audit-log-challenges ∗∗∗ Massive npm Malware Campaign Leverages Ethereum Smart Contracts To Evade Detection and Maintain Control ∗∗∗ --------------------------------------------- Supply chain attacks are evolving. The Socket research team has uncovered a massive malware campaign that uses Ethereum smart contracts to control its operations - making it nearly impossible to shut down through traditional means. Instead of using conventional command and control servers that can be blocked or taken offline, these attackers .. --------------------------------------------- https://socket.dev/blog/massive-npm-malware-campaign-leverages-ethereum-sma… ∗∗∗ PyPI Introduces Digital Attestations to Strengthen Python Package Security ∗∗∗ --------------------------------------------- The Python Package Index (PyPI) has announced support for digital attestations. This new feature allows package maintainers to publish signed digital attestations when uploading their projects, providing an additional layer of trust and verification for users.What Are Digital Attestations?Digital attestations are cryptographic statements or .. --------------------------------------------- https://socket.dev/blog/pypi-introduces-digital-attestations ∗∗∗ 60 Hours of Cyber Defense: Hong Kong’s Innovative Cybersecurity Drill Begins ∗∗∗ --------------------------------------------- Hong Kong has initiated its first-ever cybersecurity drill, set to run for a total of 60 hours. The Hong Kong cybersecurity drill commenced on Friday, with plans to establish it as an annual event moving forward. Innovation minister Sun Dong emphasized the importance of this initiative, stating that maintaining cybersecurity is essential for .. --------------------------------------------- https://thecyberexpress.com/hong-kong-cybersecurity-drill/ ===================== = Vulnerabilities = ===================== ∗∗∗ Critical Laravel Flaw (CVE-2024-52301) Exposes Millions of Web Applications to Attack ∗∗∗ --------------------------------------------- https://securityonline.info/critical-laravel-flaw-cve-2024-52301-exposes-mi… ∗∗∗ [webapps] SOPlanning 1.52.01 (Simple Online Planning Tool) - Remote Code Execution (RCE) (Authenticated) ∗∗∗ --------------------------------------------- https://www.exploit-db.com/exploits/52082 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.11.2024
by Daily end-of-shift report 14 Nov '24

14 Nov '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 13-11-2024 18:00 − Donnerstag 14-11-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Hop-Skip-FortiJump-FortiJump-Higher - Fortinet FortiManager CVE-2024-47575 ∗∗∗ --------------------------------------------- While the FortiJump patch does effectively neutralise the devastating RCE that is FortiJump, we’re still a little concerned about FortiManager’s overall code quality. We note that our som/export vulnerability, ‘FortiJump Higher’, is still functional, even in patched versions, allowing adversaries to elevate from one managed FortiGate appliance to the central FortiManager appliance. --------------------------------------------- https://labs.watchtowr.com/hop-skip-fortijump-fortijumphigher-cve-2024-2311… ∗∗∗ New PXA Stealer targets government and education sectors for sensitive information ∗∗∗ --------------------------------------------- Cisco Talos discovered a new information stealing campaign operated by a Vietnamese-speaking threat actor targeting government and education entities in Europe and Asia. --------------------------------------------- https://blog.talosintelligence.com/new-pxa-stealer/ ∗∗∗ Advertisers are pushing ad and pop-up blockers using old tricks ∗∗∗ --------------------------------------------- A malvertising campaign using an old school trick was found pushing to different ad blockers. [..] In the olden days, that something extra used to be video codecs or specific video players, but now we’ll be told we need a browser extension to “continue watching in safe mode.” [..] To us, this looks like a campaign executed by an affiliate, a company that promotes products or services from another company. If someone buys something through the affiliate’s efforts, the affiliate earns a commission. --------------------------------------------- https://www.malwarebytes.com/blog/news/2024/11/advertisers-are-pushing-ad-a… ∗∗∗ Сrimeware and financial cyberthreats in 2025 ∗∗∗ --------------------------------------------- Kasperskys GReAT looks back on the 2024 predictions about financial and crimeware threats, and explores potential cybercrime trends for 2025. --------------------------------------------- https://securelist.com/ksb-financial-and-crimeware-predictions-2025/114565/ ∗∗∗ Malware: Erkennung entgehen durch angeflanschtes ZIP ∗∗∗ --------------------------------------------- IT-Forscher haben Malware entdeckt, die der Erkennung durch Virenscanner durch Verkettung von ZIP-Dateien entgeht. --------------------------------------------- https://www.heise.de/-10034752 ∗∗∗ Gratis-Tool: Sicherheitsforscher knacken ShrinkLocker-Verschlüsselung ∗∗∗ --------------------------------------------- Der Erpressungstrojaner ShrinkLocker nutzt Microsofts Bitlocker, um Windows-Systeme zu verschlüsseln. Ein Entschlüsselungstool hilft. --------------------------------------------- https://www.heise.de/-10034933 ∗∗∗ PHP Reinfector and Backdoor Malware Target WordPress Sites ∗∗∗ --------------------------------------------- We recently observed a surge in WordPress websites being infected by a sophisticated PHP reinfector and backdoor malware. While we initially believed that the infection was linked to the wpcode plugin, we found that several sites without this plugin were compromised as well. Upon deeper investigation, we discovered that this malware not only reinfects website files but also embeds malicious code into other plugins and database tables wp_posts and wp_options. --------------------------------------------- https://blog.sucuri.net/2024/11/php-reinfector-and-backdoor-malware-target-… ∗∗∗ Malware Spotlight: A Deep-Dive Analysis of WezRat ∗∗∗ --------------------------------------------- Check Point Research (CPR) provides a comprehensive analysis of a custom modular infostealer, tracked as WezRat, after the FBI, the US Department of Treasury, and the Israeli National Cybersecurity Directorate (INCD) released a joint Cybersecurity Advisory and attributed the malware to the Iranian cyber group Emennet Pasargad. --------------------------------------------- https://research.checkpoint.com/2024/wezrat-malware-deep-dive/ ∗∗∗ Lazarus Group Targets macOS with RustyAttr Trojan in Fake Job PDFs ∗∗∗ --------------------------------------------- Group-IB has uncovered Lazarus group’s stealthy new trojan and technique of hiding malicious code in extended attributes on macOS. --------------------------------------------- https://hackread.com/lazarus-group-macos-rustyattr-trojan-fake-job-pdfs/ ===================== = Vulnerabilities = ===================== ∗∗∗ 4,000,000 WordPress Sites Using Really Simple Security Free and Pro Versions Affected by Critical Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- This is one of the more serious vulnerabilities that we have reported on in our 12 year history as a security provider for WordPress. This vulnerability affects Really Simple Security, formerly known as Really Simple SSL, installed on over 4 million websites, and allows an attacker to remotely gain full administrative access to a site running the plugin. CVE-2024-10924, CVSS Score: 9.8 (Critical) --------------------------------------------- https://www.wordfence.com/blog/2024/11/really-simple-security-vulnerability/ ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (llama-cpp, mingw-expat, python3.6, webkit2gtk4.0, and xorg-x11-server-Xwayland), Mageia (java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-21-openjdk & java-latest-openjdk and libarchive), Oracle (expat, gstreamer1-plugins-base, kernel, libsoup, podman, and tigervnc), SUSE (buildah, java-1_8_0-openjdk, and switchboard-plug-bluetooth), and Ubuntu (zlib). --------------------------------------------- https://lwn.net/Articles/998143/ ∗∗∗ CISA Releases Nineteen Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- Siemens, Rockwell, Hitachi, 2N, Elvaco, Baxter --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/11/14/cisa-releases-nineteen-i… ∗∗∗ GitLab Patch Release: 17.5.2, 17.4.4, 17.3.7 ∗∗∗ --------------------------------------------- These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. [..] An issue was discovered in GitLab CE/EE affecting all versions starting from 16.0 prior to 17.3.7, starting from 17.4 prior to 17.4.4, and starting from 17.5 prior to 17.5.2, which could have allowed unauthorized access to the Kubernetes agent in a cluster under specific configurations. CVE-2024-9693, CVE-2024-7404, CVE-2024-8648, CVE-2024-8180, CVE-2024-10240 --------------------------------------------- https://thecyberthrone.in/2024/11/14/gitlab-fixes-high-severity-vulnerabili… ∗∗∗ Drupal: POST File - Critical - Cross Site Scripting, Arbitrary PHP code execution - SA-CONTRIB-2024-060 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2024-060 ∗∗∗ Drupal: POST File - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2024-059 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2024-059 ∗∗∗ Fortinet: Lack of capacity to filter logs by administrator access ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-23-267 ∗∗∗ Palo Alto: CVE-2024-2551 PAN-OS: Firewall Denial of Service (DoS) Using a Specially Crafted Packet (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2024-2551 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.11.2024
by Daily end-of-shift report 13 Nov '24

13 Nov '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 12-11-2024 18:00 − Mittwoch 13-11-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Itsmydata: Hackerin veröffentlicht erneut Bonitätsdaten von Jens Spahn ∗∗∗ --------------------------------------------- Erst über Bonify, nun über Itsmydata: Lilith Wittmann hat sich mal wieder Bonitätsdaten von Jens Spahn beschafft. Immerhin hat sich sein Score verbessert. --------------------------------------------- https://www.golem.de/news/itsmydata-hackerin-veroeffentlicht-erneut-bonitae… ∗∗∗ Threats in space (or rather, on Earth): internet-exposed GNSS receivers ∗∗∗ --------------------------------------------- Internet-exposed GNSS receivers pose a significant threat to sensitive operations. Kaspersky shares statistics on internet-exposed receivers for July 2024 and advice on how to protect against GNSS attacks. --------------------------------------------- https://securelist.com/internet-exposed-gnss-receivers-in-2024/114548/ ∗∗∗ Chinas Volt Typhoon crew and its botnet surge back with a vengeance ∗∗∗ --------------------------------------------- Ohm, for flux sake Chinas Volt Typhoon crew and its botnet are back, compromising old Cisco routers once again to break into critical infrastructure networks and kick off cyberattacks, according to security researchers. --------------------------------------------- https://www.theregister.com/2024/11/13/china_volt_typhoon_back/ ∗∗∗ Stromanbieter Tibber gehackt, 50.000 deutsche Kunden betroffen ∗∗∗ --------------------------------------------- Tibber bestätigt, dass Hacker eingedrungen sind und Kundendaten an sich gebracht haben. Im Darknet werden diese nun verkauft. --------------------------------------------- https://www.heise.de/news/Stromanbieter-Tibber-gehackt-50-000-deutsche-Kund… ∗∗∗ Sicherheitsupdates: Zoom Room Client & Co. angreifbar ∗∗∗ --------------------------------------------- Die Entwickler rüsten verschiedene Zoom-Apps gegen mögliche Angriffe. Davon sind unter anderem macOS und Windows betroffen. --------------------------------------------- https://www.heise.de/news/Sicherheitsupdates-Zoom-Room-Client-Co-angreifbar… ∗∗∗ Global Companies Are Unknowingly Paying North Koreans: Here’s How to Catch Them ∗∗∗ --------------------------------------------- We discuss North Koreas use of IT workers to infiltrate companies, detailing detection strategies like IT asset management and IP analysis to counter this. --------------------------------------------- https://unit42.paloaltonetworks.com/north-korean-it-workers/ ∗∗∗ The November 2024 Security Update Review ∗∗∗ --------------------------------------------- It’s not quite the holiday season, despite what some early decorators will have you believe. It is the second Tuesday of the month, and that means Adobe and Microsoft have released their regularly scheduled updates. Take a break from your regular activities and join us as we review the details of their latest security alerts.If you’d rather watch the .. --------------------------------------------- https://www.thezdi.com/blog/2024/11/12/the-november-2024-security-update-re… ∗∗∗ How Italy became an unexpected spyware hub ∗∗∗ --------------------------------------------- Italy is home to six major spyware vendors and one supplier, with many smaller and harder-to-track enterprises emerging all the time, experts say. --------------------------------------------- https://therecord.media/how-italy-became-an-unexpected-spyware-hub ∗∗∗ Germany warns of potential cyber threats from Russia ahead of snap election ∗∗∗ --------------------------------------------- “We must be especially prepared against threats like hacker attacks, manipulation, and disinformation," German Interior Minister Nancy Faeser said. --------------------------------------------- https://therecord.media/germany-cyber-threats-russia-elections ∗∗∗ Silent Threat: Red Team Tool EDRSilencer Disrupting Endpoint Security Solutions ∗∗∗ --------------------------------------------- Trend Micros Threat Hunting Team has observed EDRSilencer, a red team tool that threat actors are attempting to abuse for its ability to block EDR traffic and conceal malicious activity. --------------------------------------------- https://www.trendmicro.com/en_us/research/24/j/edrsilencer-disrupting-endpo… ∗∗∗ Bitdefender Finds New ShrinkLocker Ransomware, Releases Its Decryptor Tool ∗∗∗ --------------------------------------------- Bitdefender has released a free decryptor for ShrinkLocker ransomware, which exploits Windows BitLocker to encrypt .. --------------------------------------------- https://hackread.com/bitdefender-shrinklocker-ransomware-decryptor-tool/ ∗∗∗ Emerging Threats: Cybersecurity Forecast 2025 ∗∗∗ --------------------------------------------- Every November, we start sharing forward-looking insights on threats and other cybersecurity topics to help organizations and defenders prepare for the year ahead. The Cybersecurity Forecast 2025 report, available today, plays a big role in helping us accomplish this mission.This year’s report draws on insights directly from Google .. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/cybersecurity-fore… ∗∗∗ Defending Your Directory: An Expert Guide to Fortifying Active Directory Certificate Services (ADCS) Against Exploitation ∗∗∗ --------------------------------------------- In our latest technical blog series, our DFIR team are highlighting the most prominent Active Directory (AD) threats, describing the tell-tale signs that your AD might be at risk, and give experienced insight into the best prevention and mitigation strategies to shore up your AD security and bolster your digital identity protection. --------------------------------------------- https://www.nccgroup.com/us/research-blog/defending-your-directory-an-exper… ∗∗∗ Making Sense of Kubernetes Initial Access Vectors Part 1 – Control Plane ∗∗∗ --------------------------------------------- Explore Kubernetes control plane access vectors, risks, and security strategies to prevent unauthorized access and protect your clusters from potential threats. --------------------------------------------- https://www.wiz.io/blog/making-sense-of-kubernetes-initial-access-vectors-p… ∗∗∗ Time Boxed Penetration Testing for Web Applications ∗∗∗ --------------------------------------------- This article defines time boxed penetration testing and explains how it’s approached from a methodological standpoint. By focusing on high-risk areas, client-specific priorities, and sampling, time boxed testing can deliver efficient assessments within a limited timeframe. --------------------------------------------- https://projectblack.io/blog/time-boxed-penetration-testing/ ∗∗∗ Killing Filecoin nodes ∗∗∗ --------------------------------------------- By Simone Monica In January, we identified and reported a vulnerability in the Lotus and Venus clients of the Filecoin network that allowed an attacker to remotely crash a node and trigger a denial of service. This issue is .. --------------------------------------------- https://blog.trailofbits.com/2024/11/13/killing-filecoin-nodes/ ∗∗∗ Fault Injection – Down the Rabbit Hole ∗∗∗ --------------------------------------------- This series of articles describes fault injection attack techniques in order to understand their real potential by testing their limits and applicability with limited hardware (available on the market at an acceptable cost). It explores possible ways of using an attack that, in my opinion, is greatly underestimated. --------------------------------------------- https://security.humanativaspa.it/fault-injection-down-the-rabbit-hole/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (expat), Fedora (chromium and golang-github-nvidia-container-toolkit), Mageia (curl, expat, mpg123, networkmanager-libreswan, openssl, php-tcpdf, qbittorrent, and x11-server, x11-server-xwayland, and tigervnc), Red Hat (kernel and libsoup), Slackware (mozilla), SUSE (firefox, kernel, python-PyPDF2, and xen), and Ubuntu (dotnet9, ghostscript, linux-aws, linux-oem-6.8, and pydantic). --------------------------------------------- https://lwn.net/Articles/998044/ ∗∗∗ ZDI-24-1472: Veeam Backup Enterprise Manager AuthorizeByVMwareSsoToken Improper Certificate Validation Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-1472/ ∗∗∗ ZDI-24-1486: (0Day) G DATA Total Security Incorrect Permission Assignment Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-1486/ ∗∗∗ Critical Security Vulnerabilities Discovered in MZ Automation’s MMS Client ∗∗∗ --------------------------------------------- https://encs.eu/news/critical-security-vulnerabilities-discovered-in-mz-aut… ∗∗∗ Online Installer DLL Hijacking ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-24-205 ∗∗∗ Fortinet Releases Security Updates for Multiple Products ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/11/12/fortinet-releases-securi… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.11.2024
by Daily end-of-shift report 12 Nov '24

12 Nov '24

===================== = End-of-Day report = ===================== Timeframe: Montag 11-11-2024 18:00 − Dienstag 12-11-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Daten von Amazon-Mitarbeiter wurden in einem Hackerforum veröffentlicht ∗∗∗ --------------------------------------------- Der Datensatz dürfte von einem Immobilienverwalter stammen und auf die kritische Lücke in der Software von Moveit zurückgehen --------------------------------------------- https://www.derstandard.at/story/3000000244555/daten-von-amazon-mitarbeiter… ∗∗∗ ModeLeak: Privilege Escalation to LLM Model Exfiltration in Vertex AI ∗∗∗ --------------------------------------------- New research reveals two vulnerabilities in Googles Vertex AI that may lead to privilege escalation or data theft through custom jobs or malicious models. --------------------------------------------- https://unit42.paloaltonetworks.com/privilege-escalation-llm-model-exfil-ve… ∗∗∗ 2023 Top Routinely Exploited Vulnerabilities ∗∗∗ --------------------------------------------- This advisory provides details, collected and compiled by the authoring agencies, on the Common Vulnerabilities and Exposures (CVEs) routinely and frequently exploited by malicious cyber actors in 2023 and their associated Common Weakness Enumerations (CWEs). Malicious cyber actors exploited more zero-day vulnerabilities to compromise .. --------------------------------------------- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-317a ∗∗∗ Building a Resilient Network Architecture: Key Trends for 2025 ∗∗∗ --------------------------------------------- As organizations continue to align their operational strategies with evolving digital ecosystems and technologies, the concept of network resilience has become a priority. A major mindset shift is that modern networks must be designed not just for speed and efficiency but also for flexibility, security, and the ability to hold out against .. --------------------------------------------- https://levelblue.com/blogs/security-essentials/building-a-resilient-networ… ∗∗∗ LodaRAT: Established malware, new victim patterns ∗∗∗ --------------------------------------------- Rapid7 has observed an ongoing malware campaign involving a new version of LodaRAT. This version possesses the ability to steal cookies and passwords from Microsoft Edge and Brave. --------------------------------------------- https://www.rapid7.com/blog/post/2024/11/12/lodarat-established-malware-new… ∗∗∗ ICS Security Is a Team Sport ∗∗∗ --------------------------------------------- Brandon Smith discusses some of the challenges an Automation Engineer face, Bitsights partnership with Schneider Electric, and what manufacturers in general are doing to tackle ICS security. --------------------------------------------- https://www.bitsight.com/blog/ics-security-team-sport ∗∗∗ Visionaries Have Democratised Remote Network Access - Citrix Virtual Apps and Desktops (CVE Unknown) ∗∗∗ --------------------------------------------- Well, we’re back again, with yet another fresh-off-the-press bug chain (and associated Interactive Artifact Generator). This time, it’s in Citrix’s “Virtual Apps and Desktops” offering. --------------------------------------------- https://labs.watchtowr.com/visionaries-at-citrix-have-democratised-remote-n… ∗∗∗ SAP Patchday: Acht neue Sicherheitslücken, davon eine hochriskant ∗∗∗ --------------------------------------------- Admins können etwas entspannter auf den aktuellen SAP-Patchday schauen: Von acht neuen Sicherheitslücken gilt lediglich eine als hohes Risiko. --------------------------------------------- https://heise.de/-10020168 ∗∗∗ Attack of the Evil Baristas ∗∗∗ --------------------------------------------- I use the term “hacklore” to refer to the urban legends surrounding cybersecurity. Hacklore is everywhere, and this holiday season, you’re bound to hear it nonstop: “The Russians will load your phone with malware if you scan QR codes!” or “Hackers will steal your banking details if you use a USB charger at the airport!” and so on. --------------------------------------------- https://medium.com/@boblord/attack-of-the-evil-baristas-b204436f0853 ∗∗∗ Reverse Engineering: Finding Exploits in Video Games ∗∗∗ --------------------------------------------- In this guide, I'll walk you through how I create tools to find exploits in video games for bug bounty programs. Specifically, I'll focus on my research into the game Sword of Convallaria. This exploration is purely for educational purposes. As such, I have removed some of the assets as an exercise for .. --------------------------------------------- https://shalzuth.com/Blog/FindingExploitsInGames ∗∗∗ Critical WPLMS WordPress Theme Vulnerability Puts Websites at Risk of RCE Attacks ∗∗∗ --------------------------------------------- A newly discovered vulnerability in the WPLMS WordPress theme threatens websites with potential Remote Code Execution (RCE) due to a critical path traversal flaw. CVE-2024-10470, a vulnerability in the WPLMS .. --------------------------------------------- https://thecyberexpress.com/critical-wplms-wordpress-theme-vulnerability/ ∗∗∗ Harnessing Chisel for Covert Operations: Unpacking a Multi-Stage PowerShell Campaign ∗∗∗ --------------------------------------------- The Cyble Research and Intelligence Lab (CRIL) has recently uncovered a sophisticated multi-stage infection chain, primarily driven by PowerShell scripts. This campaign, which targets organizations through a variety of .. --------------------------------------------- https://thecyberexpress.com/new-powershell-campaign/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (gstreamer1-plugins-base), Debian (chromium, ghostscript, libarchive, mpg123, ruby-saml, and symfony), Fedora (buildah and podman), Red Hat (buildah, containernetworking-plugins, podman, skopeo, and xorg-x11-server-Xwayland), Slackware (wget), SUSE (pcp), and Ubuntu (linux, linux-aws-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-kvm, .. --------------------------------------------- https://lwn.net/Articles/997903/ ∗∗∗ Citrix Releases Security Updates for NetScaler and Citrix Session Recording ∗∗∗ --------------------------------------------- Citrix released security updates to address multiple vulnerabilities in NetScaler ADC, NetScaler Gateway, and Citrix Session Recording. A cyber threat actor could exploit some of these vulnerabilities to take control .. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/11/12/citrix-releases-security… ∗∗∗ November Security Update ∗∗∗ --------------------------------------------- At Ivanti, our top priority is upholding our commitment to deliver and maintain secure products for our customers. Our vulnerability management program is designed to enable us to find, fix and disclose vulnerabilities in collaboration with the broader security ecosystem, and communicate responsibly and transparently with customers. Ivanti is .. --------------------------------------------- https://www.ivanti.com/blog/november-2024-security-update ∗∗∗ XSA-464 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-464.html ∗∗∗ XSA-463 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-463.html ∗∗∗ Mehrere Schwachstelen in Siemens Energy Omnivise T3000 ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/mehrere-schwachstelen… ∗∗∗ Zyxel security advisory for post-authentication command injection and buffer overflow vulnerabilities in GS1900 series switches ∗∗∗ --------------------------------------------- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.11.2024
by Daily end-of-shift report 11 Nov '24

11 Nov '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 08-11-2024 18:00 − Montag 11-11-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Palo Alto untersucht mögliche Sicherheitslücke in PAN-OS-Webinterface ∗∗∗ --------------------------------------------- Palo Alto untersucht eine angebliche Codeschmuggel-Lücke in der Verwaltungsoberfläche von PAN-OS. Ein Teil betroffener Kunden wird informiert. [..] Palo Alto empfiehlt Kunden dringend, sicherzustellen, dass der Zugang zur Verwaltungsoberfläche korrekt und im Einklang mit den empfohlenen Best-Practices-Richtlinien erfolgt. Dafür stellt das Unternehmen auch eine Anleitung bereit. --------------------------------------------- https://www.heise.de/-10013896.html ∗∗∗ Zugangsdaten aus 2023 für Zugriff ausgenutzt - "Helldown Leaks"-Ransomware kompromittiert Unternehmen über Zyxel-Firewalls ∗∗∗ --------------------------------------------- Seit etwa Anfang August 2024 werden international Unternehmen durch die Ransomware-Gruppe "Helldown Leaks" verschlüsselt. Als initialer Angriffsvektor können durchgängig Zyxel-Firewalls ausgemacht werden, selbst wenn diese auf dem letzten Software-Stand sind. --------------------------------------------- https://www.cert.at/de/aktuelles/2024/11/zugangsdaten-aus-2023-fur-zugriff-… ∗∗∗ Testing the Koord2ool ∗∗∗ --------------------------------------------- As part of the EU-funded project “AWAKE”, we built the Koord2ool, which is a tool that allowed us to track the state of an incident across our constituency over time. We implemented this application as an extension to LimeSurvey (an Open Source survey tool) which generates a dashboard to visualize the state of the answers over time. --------------------------------------------- https://www.cert.at/en/blog/2024/11/testing-the-koord2ool ∗∗∗ Cybercriminals Use Excel Exploit to Spread Fileless Remcos RAT Malware ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered a new phishing campaign that spreads a new fileless variant of known commercial malware called Remcos RAT. [..] The malicious Excel document is designed to exploit a known remote code execution flaw in Office (CVE-2017-0199, CVSS score: 7.8) to download an HTML Application (HTA) file ("cookienetbookinetcahce.hta") from a remote server ("192.3.220[.]22") and launch it using mshta.exe. --------------------------------------------- https://thehackernews.com/2024/11/cybercriminals-use-excel-exploit-to.html ∗∗∗ #StopRansomware: Black Basta ∗∗∗ --------------------------------------------- Updates to this advisory, originally published May 10, 2024 [..] The advisory was updated to reflect new TTPs employed by Black Basta affiliates, as well as provide current IOCs/remove outdated IOCs for effective threat hunting. --------------------------------------------- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a ∗∗∗ Cyberattack causes credit card readers to malfunction in Israel ∗∗∗ --------------------------------------------- As reported by the Jerusalem Post, the cause was a distributed denial-of-service attack (DDoS) that targeted the payment gateway company Hyp’s CreditGuard product. The attack disrupted communications between the card terminals and the wider payment system, but was not capable of stealing information or payments. --------------------------------------------- https://therecord.media/cyberattack-causes-credit-card-readers-in-israel-to… ∗∗∗ Malware Steals Account Credentials ∗∗∗ --------------------------------------------- It’s common for malware to target e-commerce sites, and these attackers are usually seeking to steal credit card details. In most cases, they will insert scripts that extract data from the checkout forms to siphon fields like the cardholder name, card number and expiration date. [..] However, every now and then we encounter a case where in addition to that they are also looking to steal details for accounts that customers have created on these sites along with admin account credentials. We’ll explore one such case. --------------------------------------------- https://blog.sucuri.net/2024/11/malware-steals-account-credentials.html ∗∗∗ Known Attacks On Elliptic Curve Cryptography ∗∗∗ --------------------------------------------- In recent years the Elliptic Curve Cryptography approach has become popular due to its high efficiency and strong security. The purpose of this article is to present this topic in a relatively clearer way than it exists today on the internet. --------------------------------------------- https://github.com/elikaski/ECC_Attacks ∗∗∗ Pishi: Coverage guided macOS KEXT fuzzing ∗∗∗ --------------------------------------------- In this blog post I will try to explain everything as clearly as possible so that even those who are not familiar with fuzzing can enjoy and understand it. I’ll break down the concepts, provide relatable examples, and resources, My goal is to make fuzzing approachable and interesting. --------------------------------------------- https://r00tkitsmm.github.io/fuzzing/2024/11/08/Pishi.html ===================== = Vulnerabilities = ===================== ∗∗∗ Veeam Backup Enterprise Manager: Unbefugte Zugriffe durch Angreifer möglich ∗∗∗ --------------------------------------------- Setzen Angreifer erfolgreich an der Schwachstelle (CVE-2024-40715 "hoch") an, können sie die Authentifizierung umgehen und Verbindungen als Man-in-the-Middle belauschen. Wie das im Detail ablaufen könnte, ist bislang nicht bekannt. [..] Ein Sicherheitspatch steht zum Download bereit. --------------------------------------------- https://www.heise.de/-10018234.html ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (podman), Debian (guix, libarchive, and nss), Fedora (expat, iaito, opendmarc, python-werkzeug, radare2, squid, and xorg-x11-server), Mageia (htmldoc, libheif, nspr, nss, firefox & rust, python-urllib3, python-werkzeug, quictls, ruby-webrick, and thunderbird), Oracle (firefox and NetworkManager-libreswan), SUSE (apache2, chromedriver, chromium, coredns, expat, govulncheck-vulndb, httpcomponents-client, java-17-openjdk, java-21-openjdk, libheif, python-wxPython, python311, python312, qbittorrent, ruby3.3-rubygem-actionmailer, ruby3.3-rubygem-actiontext, ruby3.3-rubygem-puma, ruby3.3-rubygem-rails, and virtualbox), and Ubuntu (openjdk-17, openjdk-21, openjdk-8, openjdk-lts, and qemu). --------------------------------------------- https://lwn.net/Articles/997774/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.11.2024
by Daily end-of-shift report 08 Nov '24

08 Nov '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 07-11-2024 18:00 − Freitag 08-11-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Google To Make MFA Mandatory for Google Cloud in 2025 ∗∗∗ --------------------------------------------- Google has recently announced that it plans to implement mandatory multi-factor authentication (MFA) on all Cloud accounts by the end of 2025. [..] The implementation will affect both admins and users with access to Google Cloud. General consumer Google accounts will not be affected. --------------------------------------------- https://heimdalsecurity.com/blog/google-cloud-mfa/ ∗∗∗ 2024 Credit Card Theft Season Arrives ∗∗∗ --------------------------------------------- In today’s post we’re going to perform a malware analysis of the most common MageCart injections identified so that eCommerce website owners can better understand the risks, and (hopefully) protect themselves, their websites, and their customers from attackers. --------------------------------------------- https://blog.sucuri.net/2024/11/2024-credit-card-theft-season-arrives.html ∗∗∗ ESET APT Activity Report Q2 2024–Q3 2024 ∗∗∗ --------------------------------------------- An overview of the activities of selected APT groups investigated and analyzed by ESET Research in Q2 2024 and Q3 2024 --------------------------------------------- https://www.welivesecurity.com/en/eset-research/eset-apt-activity-report-q2… ∗∗∗ Helldown Ransomware Group – A New Emerging Ransomware Threat ∗∗∗ --------------------------------------------- As of November 2024, the online resources available related to the Helldown ransomware group’s Tactics Techniques and Procedures (TTP’s) were effectively none-existent – this blogpost aims to address that and will be updated continuously as more investigations are completed. --------------------------------------------- https://www.truesec.com/hub/blog/helldown-ransomware-group ∗∗∗ TLPT & ME: Everything you need to know about Threat-Led Penetration Testing (TLPT) in a TIBER world. ∗∗∗ --------------------------------------------- While the TLPT RTS does come with some additional requirements or nuances compared to the TIBER framework, we can all be certain that adopting TIBER is indeed the way to fulfill DORA’s TLPT requirements. As mentioned in our initial post, we expect many more European countries to publish a TIBER implementation guide and/or a TIBER-EU 2.0 to be published for additional convergence. --------------------------------------------- https://blog.nviso.eu/2024/11/08/tlpt-me-everything-you-need-to-know-about-… ∗∗∗ Breaking Down Earth Estries Persistent TTPs in Prolonged Cyber Operations ∗∗∗ --------------------------------------------- Discover how Earth Estries employs a diverse set of tactics, techniques, and tools, including malware such as Zingdoor and Snappybee, for its campaigns. --------------------------------------------- https://www.trendmicro.com/en_us/research/24/k/breaking-down-earth-estries-… ∗∗∗ Defending Your Directory: An Expert Guide to Securing Active Directory Against DCSync Attacks ∗∗∗ --------------------------------------------- Last time we took a dive deep into Kerberoasting. Up next, let's unravel the sinister secrets of DCSync attacks - a stealthy technique that can bring your entire Active Directory to its knees. --------------------------------------------- https://www.nccgroup.com/us/research-blog/defending-your-directory-an-exper… ∗∗∗ Nameless and shameless: Ransomware Encryption via BitLocker ∗∗∗ --------------------------------------------- This post will delve into a recent incident response engagement handled by NCC Group’s Digital Forensics and Incident Response (DFIR) team, involving an unknown ransomware strain but known TTPs. --------------------------------------------- https://www.nccgroup.com/us/research-blog/nameless-and-shameless-ransomware… ∗∗∗ Unmasking Phishing: Strategies for identifying 0ktapus domains and beyond ∗∗∗ --------------------------------------------- Wiz Research looks at phishing tactics, along with how to trace and investigate these campaigns. --------------------------------------------- https://www.wiz.io/blog/unmasking-phishing-strategies-for-identifying-0ktap… ===================== = Vulnerabilities = ===================== ∗∗∗ Max-Critical Cisco Bug Enables Command-Injection Attacks ∗∗∗ --------------------------------------------- Though Cisco reports of no known malicious exploitation attempts, but thanks to a CVSS 10 out of 10 security vulnerability (CVE-2024-20418) three of its wireless access points are vulnerable to remote, unauthenticated cyberattacks. --------------------------------------------- https://www.darkreading.com/vulnerabilities-threats/cisco-bug-command-injec… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (edk2), Debian (webkit2gtk), Fedora (thunderbird), Oracle (bzip2, container-tools:ol8, edk2, go-toolset:ol8, libtiff, python-idna, python3.11, and python3.12), Slackware (expat), and SUSE (apache2, govulncheck-vulndb, grub2, java-1_8_0-openjdk, python3, python39, qemu, xorg-x11-server, and xwayland). --------------------------------------------- https://lwn.net/Articles/997480/ ∗∗∗ Delta Electronics DIAScreen ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-312-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.11.2024
by Daily end-of-shift report 07 Nov '24

07 Nov '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 06-11-2024 18:00 − Donnerstag 07-11-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Hackers increasingly use Winos4.0 post-exploitation kit in attacks ∗∗∗ --------------------------------------------- Hackers are increasingly targeting Windows users with the malicious Winos4.0 framework, distributed via seemingly benign game-related apps. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-increasingly-use-win… ∗∗∗ A look at the latest post-quantum signature standardization candidates ∗∗∗ --------------------------------------------- NIST has standardized four post-quantum signature schemes so far, and they’re not done yet: there are fourteen new candidates in the running for standardization. In this blog post we take .. --------------------------------------------- https://blog.cloudflare.com/another-look-at-pq-signatures ∗∗∗ The Power of Process in Creating a Successful Security Posture ∗∗∗ --------------------------------------------- Establishing realistic, practitioner-driven processes prevents employee burnout, standardizes experiences, and closes many of the gaps exposed by repeated one-offs. --------------------------------------------- https://www.darkreading.com/cybersecurity-operations/process-in-creating-su… ∗∗∗ Microsoft Windows Server 2025 Upgrade Triggers Licensing Conflicts and Operational Fallout ∗∗∗ --------------------------------------------- A recent Microsoft update has unexpectedly forced several organizations to upgrade from Windows Server 2022 to Windows Server 2025, resulting in unexpected licensing demands and operational setbacks. First reported on November 5, 2024, this incident has affected organizations .. --------------------------------------------- https://heimdalsecurity.com/blog/microsoft-windows-server-2025-upgrade/ ∗∗∗ Steam Account Checker Poisoned with Infostealer ∗∗∗ --------------------------------------------- I found an interesting script targeting Steam users. Steam[1] is a popular digital distribution platform for purchasing, downloading, and playing video games on personal computers. The script is called "steam-account-checker" .. --------------------------------------------- https://isc.sans.edu/forums/diary/Steam+Account+Checker+Poisoned+with+Infos… ∗∗∗ China-Aligned MirrorFace Hackers Target EU Diplomats with World Expo 2025 Bait ∗∗∗ --------------------------------------------- The China-aligned threat actor known as MirrorFace has been observed targeting a diplomatic organization in the European Union, marking the first time the hacking crew has targeted an organization in the region."During this attack, the threat .. --------------------------------------------- https://thehackernews.com/2024/11/china-aligned-mirrorface-hackers-target.h… ∗∗∗ North Korean Hackers Target Crypto Firms with Hidden Risk Malware on macOS ∗∗∗ --------------------------------------------- A threat actor with ties to the Democratic Peoples Republic of Korea (DPRK) has been observed targeting cryptocurrency-related businesses with a multi-stage malware capable of infecting Apple macOS devices.Cybersecurity company SentinelOne, .. --------------------------------------------- https://thehackernews.com/2024/11/north-korean-hackers-target-crypto.html ∗∗∗ Office unter Windows 11 24H2 mit installiertem Crowdstrike lahmgelegt ∗∗∗ --------------------------------------------- Wer Crowdstrike-Sicherheitssoftware einsetzt und auf Windows 11 24H2 aktualisiert hat, hatte womöglich mit nicht funktionierenden Apps zu kämpfen. --------------------------------------------- https://www.heise.de/news/Crowdstrike-legte-Office-unter-Windows-11-24H2-la… ∗∗∗ Large eBay malvertising campaign leads to scams ∗∗∗ --------------------------------------------- Consumers are being swamped by Google ads claiming to be eBays customer service. --------------------------------------------- https://www.malwarebytes.com/blog/scams/2024/11/large-ebay-malvertising-cam… ∗∗∗ Vorsicht vor gefälschten Willhaben-Mails ∗∗∗ --------------------------------------------- Kriminelle geben sich als Willhaben aus und versenden massenhaft gefälschte E-Mails. In den teilweise echt aussehenden E-Mails wird behauptet, dass Sie Ihre Identität bestätigen müssen oder eine Rückerstattung erhalten. Eine andere gefälschte E-Mail enthält im Anhang angeblich eine Rechnung. Wir raten zur Vorsicht! --------------------------------------------- https://www.watchlist-internet.at/news/willhaben-phishing/ ∗∗∗ Silent Skimmer Gets Loud (Again) ∗∗∗ --------------------------------------------- We discuss a new campaign from the cybercrime group behind Silent Skimmer, showcasing the exploit of ... --------------------------------------------- https://unit42.paloaltonetworks.com/silent-skimmer-latest-campaign/ ∗∗∗ Unwrapping the emerging Interlock ransomware attack ∗∗∗ --------------------------------------------- Cisco Talos Incident Response (Talos IR) recently observed an attacker conducting big-game .. --------------------------------------------- https://blog.talosintelligence.com/emerging-interlock-ransomware/ ∗∗∗ Androxgh0st Botnet Integrates Mozi, Expands Attacks on IoT Vulnerabilities ∗∗∗ --------------------------------------------- CloudSEK reports that the Androxgh0st botnet has integrated with the Mozi botnet and .. --------------------------------------------- https://hackread.com/androxgh0st-botnet-integrate-mozi-iot-vulnerabilities/ ∗∗∗ Malicious Python Package Typosquats Popular fabric SSH Library, Exfiltrates AWS Credentials ∗∗∗ --------------------------------------------- The Socket Research Team has discovered a malicious Python package, fabrice, that is typosquatting the popular fabric SSH automation library. The threat of malware delivered through typosquatted libraries remains a significant .. --------------------------------------------- https://socket.dev/blog/malicious-python-package-typosquats-fabric-ssh-libr… ===================== = Vulnerabilities = ===================== ∗∗∗ Zahlreiche Schwachstellen in HASOMED Elefant and Elefant Software Updater ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/zahlreiche-schwachste… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.11.2024
by Daily end-of-shift report 06 Nov '24

06 Nov '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 05-11-2024 18:00 − Mittwoch 06-11-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Germany drafts law to protect researchers who find security flaws ∗∗∗ --------------------------------------------- The Federal Ministry of Justice in Germany has drafted a law to provide legal protection to security researchers who discover and responsibly report security vulnerabilities to vendors. --------------------------------------------- https://www.bleepingcomputer.com/news/security/germany-drafts-law-to-protec… ∗∗∗ Attackers Breach IT-Based Networks Before Jumping to ICS/OT Systems ∗∗∗ --------------------------------------------- SANS recently published its 2024 State of ICS.OT Cybersecurity report, highlighting the skills of cyber professionals working in critical infrastructure, budget estimates, and emerging technologies. The report .. --------------------------------------------- https://www.darkreading.com/ics-ot-security/attackers-breach-network-provid… ∗∗∗ Verbraucherschützer warnen: Smarte Fritteusen lauschen und senden Daten nach China ∗∗∗ --------------------------------------------- Verbraucherschützer haben bei verschiedenen smarten Geräten Datenschutzprobleme aufgedeckt. Ganz vorne mit dabei: Heißluftfritteusen! --------------------------------------------- https://www.golem.de/news/verbraucherschuetzer-warnen-smarte-fritteusen-lau… ∗∗∗ New SteelFox Trojan mimics software activators, stealing sensitive data and mining cryptocurrency ∗∗∗ --------------------------------------------- Kaspersky experts have discovered a new SteelFox Trojan that mimics popular software like Foxit PDF Editor and JetBrains to spread a stealer-and-miner bundle. --------------------------------------------- https://securelist.com/steelfox-trojan-drops-stealer-and-miner/114414/ ∗∗∗ INTERPOL Disrupts Over 22,000 Malicious Servers in Global Crackdown on Cybercrime ∗∗∗ --------------------------------------------- INTERPOL on Tuesday said it took down more than 22,000 malicious servers linked to various cyber threats as part of a global operation.Dubbed Operation Synergia II, the coordinated effort ran from April 1 to .. --------------------------------------------- https://thehackernews.com/2024/11/interpols-operation-synergia-ii.html ∗∗∗ Angreifer nutzen emulierte Linux-Umgebung als Backdoor ∗∗∗ --------------------------------------------- IT-Sicherheitsforscher haben eine ungewöhnliche Angriffsart entdeckt: Die Täter haben eine emulierte Linux-Umgebung als Backdoor eingerichtet. --------------------------------------------- https://www.heise.de/news/CRON-TRAP-Emulierte-Linux-Umgebung-als-Backdoor-n… ∗∗∗ Canadian Man Arrested in Snowflake Data Extortions ∗∗∗ --------------------------------------------- A 26-year-old man in Ontario, Canada has been arrested for allegedly stealing data from and extorting more than 160 companies that used the cloud data service Snowflake. On October 30, Canadian authorities arrested Alexander Moucka, a.k.a. Connor Riley Moucka of Kitchener, Ontario, on a provisional arrest warrant from the United States. Bloomberg first .. --------------------------------------------- https://krebsonsecurity.com/2024/11/canadian-man-arrested-in-snowflake-data… ∗∗∗ You lost your iPhone, but it’s locked. That’s fine, right? ∗∗∗ --------------------------------------------- TL;DR Default iOS configuration leaves your locked device vulnerable Ensure your emergency contacts are set. Use ‘FindMy’ to track / wipe lost devices. Take regular backups. Consider turning off the .. --------------------------------------------- https://www.pentestpartners.com/security-blog/you-lost-your-iphone-but-its-… ∗∗∗ Tückische Zahlungsanweisung: Stammt diese Mail wirklich von Ihrem Chef? ∗∗∗ --------------------------------------------- Von der Buchhaltung im internationalen Großkonzern bis zur Verwaltung im Kleinbetrieb nebenan. In letzter Zeit erhalten immer mehr Mitarbeiter:innen betrügerische Mails im Namen der Geschäftsführung .. --------------------------------------------- https://www.watchlist-internet.at/news/tueckische-zahlungsanweisung-chef/ ∗∗∗ Guidance for brands to help advertising partners counter malvertising ∗∗∗ --------------------------------------------- Advice to make it harder for cyber criminals to deliver malicious advertising, and reduce the risk of cyber-facilitated fraud. --------------------------------------------- https://www.ncsc.gov.uk/guidance/guidance-brands-advertising-partners-count… ∗∗∗ With 2FA Enabled: NPM Package lottie-player Taken Over by Attackers ∗∗∗ --------------------------------------------- The popular NPM package @lottiefiles/lottie-player enables developers to seamlessly integrate Lottie animations into websites and applications. On October 30, the community reported existence of malicious code within versions 2.0.5, 2.0.6, and 2.0.7 of the npm package. The package maintainers replied and confirmed the attackers were able to .. --------------------------------------------- https://checkmarx.com/uncategorized/with-2fa-enabled-npm-package-lottie-pla… ∗∗∗ CopyRh(ight)adamantys Campaign: Rhadamantys Exploits Intellectual Property Infringement Baits ∗∗∗ --------------------------------------------- While we finalized this blog post, a technical analysis of this activity was published by fellow researchers from Cisco Talos. While it overlaps with our findings to some extent, our report provides additional extended information about the activity. Introduction Since July 2024, Check Point Research (CPR) has been tracking an extensive a.. --------------------------------------------- https://research.checkpoint.com/2024/massive-phishing-campaign-deploys-late… ∗∗∗ (In)tuned to Takeovers: Abusing Intune Permissions for Lateral Movement and Privilege Escalation in Entra ID Native Environments ∗∗∗ --------------------------------------------- The Mandiant Red Team recently supported a client to visualize the possible impact of a compromise by an advanced threat actor. During the assessment, Mandiant moved laterally from the customer’s on-premises environment to their Microsoft Entra ID .. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/abusing-intune-per… ∗∗∗ Threat Campaign Spreads Winos4.0 Through Game Application ∗∗∗ --------------------------------------------- FortiGuard Labs reveals a threat actor spreads Winos4.0, infiltrating gaming apps and targeting the education sector --------------------------------------------- https://www.fortinet.com/blog/threat-research/threat-campaign-spreads-winos… ∗∗∗ Defending Your Directory: An Expert Guide to Combating Kerberoasting in Active Directory ∗∗∗ --------------------------------------------- 16 hours or less, that’s all it takes for attackers to gain access to Microsoft Active Directory (AD) and unleash mayhem on your organization. If that attack happens on a Friday afternoon, they have all weekend to wreak havoc, escalating their privileges, deploying ransomware, exploiting your VPN, or exfiltrating your data. .. --------------------------------------------- https://www.nccgroup.com/us/research-blog/defending-your-directory-an-exper… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Nexus Dashboard Fabric Controller SQL Injection Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in a REST API endpoint and web-based management interface of Cisco Nexus Dashboard Fabric Controller (NDFC) could allow an authenticated, remote attacker with read-only privileges to execute arbitrary SQL commands on an affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit .. --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Unified Contact Center Management Portal Stored Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the web-based management interface of Cisco Unified Contact Center Management Portal (Unified CCMP) could allow an authenticated, remote attacker with low privileges to conduct a stored .. --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (libtiff), Debian (context, libheif, and thunderbird), Fedora (php-tcpdf, syncthing, and thunderbird), Gentoo (EditorConfig core C library, Flatpak, Neat VNC, and Ubiquiti UniFi), Oracle (bcc, bpftrace, grafana-pcp, haproxy, kernel, krb5, libtiff, python-gevent, python3.11-urllib3, python3.12-urllib3, and xmlrpc-c), .. --------------------------------------------- https://lwn.net/Articles/997182/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.11.2024
by Daily end-of-shift report 05 Nov '24

05 Nov '24

===================== = End-of-Day report = ===================== Timeframe: Montag 04-11-2024 18:00 − Dienstag 05-11-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Windows Server 2025 released—here are the new features ∗∗∗ --------------------------------------------- Microsoft has announced that Windows Server 2025, the latest version of its server operating system, is generally available starting Friday, November 1st. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/windows-server-2025-release… ∗∗∗ Nokia investigates breach after hacker claims to steal source code ∗∗∗ --------------------------------------------- Nokia is investigating whether a third-party vendor was breached after a hacker claimed to be selling the companys stolen source code. --------------------------------------------- https://www.bleepingcomputer.com/news/security/nokia-investigates-breach-af… ∗∗∗ Google fixes two Android zero-days used in targeted attacks ∗∗∗ --------------------------------------------- Google fixed two actively exploited Android zero-day flaws as part of its November security updates, addressing a total of 51 vulnerabilities. --------------------------------------------- https://www.bleepingcomputer.com/news/security/google-fixes-two-android-zer… ∗∗∗ Angriff auf Schneider Electric: Hungrige Hacker fordern Baguettes als Lösegeld ∗∗∗ --------------------------------------------- Die Angreifer behaupten, über 40 GBytes an Daten von Schneider Electric erbeutet zu haben. Ihre Forderung: 125.000 US-Dollar in Form von Baguettes. --------------------------------------------- https://www.golem.de/news/angriff-auf-schneider-electric-hungrige-hacker-fo… ∗∗∗ Olympia-Kassensysteme: Registrierkassen seit drei Jahren ohne Sicherheitsupdates ∗∗∗ --------------------------------------------- Registrierkassen der Marke Olympia laufen auf Android 11 und bergen Risiken für den Zahlungsverkehr. --------------------------------------------- https://www.golem.de/news/olympia-kassensysteme-registrierkassen-seit-drei-… ∗∗∗ Python RAT with a Nice Screensharing Feature ∗∗∗ --------------------------------------------- While hunting, I found another interesting Python RAT in the wild. This is not brand new because the script was released two years ago. The script I found is based on the same tool and still .. --------------------------------------------- https://isc.sans.edu/diary/Python+RAT+with+a+Nice+Screensharing+Feature/314… ∗∗∗ Maritime lawyers assemble! ∗∗∗ --------------------------------------------- Maritime cyber insurance has been playing catch-up with maritime cyber security for a while now. It was all pretty good until the availability of cheap VSAT meant that ships .. --------------------------------------------- https://www.pentestpartners.com/security-blog/maritime-lawyers-assemble/ ∗∗∗ In final check-in before Election Day, CISA cites low-level threats, and not much else ∗∗∗ --------------------------------------------- Incidents to date have included “low level” distributed denial-of-service activity, criminal destruction of ballot drop boxes and continued threats targeting election officials, CISA Director Jen Easterly .. --------------------------------------------- https://therecord.media/cisa-2024-presidential-election-threats ∗∗∗ Smart Cities gegen Cyberattacken resilient machen ∗∗∗ --------------------------------------------- Ob es uns gefällt oder nicht – Städte weltweit wandeln sich in sogenannte "Smart Cities". Die Protagonisten versprechen Innovation, Nachhaltigkeit und digitales Wachstum. Aber diese Infrastruktur bzw. die .. --------------------------------------------- https://www.borncity.com/blog/2024/11/05/smart-cities-gegen-cyberattacken-r… ∗∗∗ SOC Around the Clock: World Tour Survey Findings ∗∗∗ --------------------------------------------- Trend surveyed 750 cybersecurity professionals in 49 countries to learn more about the state of .. --------------------------------------------- https://www.trendmicro.com/en_us/research/24/k/world-tour-survey-results.ht… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (firefox, openexr, and thunderbird), Fedora (llama-cpp and python-quart), Oracle (firefox, openexr, thunderbird, and xorg-x11-server and xorg-x11-server-Xwayland), SUSE (chromium, govulncheck-vulndb, openssl-1_1, python311, and python312), and Ubuntu (linux-azure, linux-bluefield, linux-azure, linux-gcp, linux-ibm, openjpeg2, and ruby3.0, ruby3.2, ruby3.3). --------------------------------------------- https://lwn.net/Articles/997030/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.11.2024
by Daily end-of-shift report 04 Nov '24

04 Nov '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 31-10-2024 18:00 − Montag 04-11-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Thousands of hacked TP-Link routers used in years-long account takeover attacks ∗∗∗ --------------------------------------------- The botnet is being skillfully used to launch "highly evasive" password-spraying attacks. --------------------------------------------- https://arstechnica.com/information-technology/2024/11/microsoft-warns-of-8… ∗∗∗ DDoS site Dstat.cc seized and two suspects arrested in Germany ∗∗∗ --------------------------------------------- The Dstat.cc DDoS review platform has been seized by law enforcement, and two suspects have been arrested after the service helped fuel distributed denial-of-service attacks for years. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ddos-site-dstatcc-seized-and… ∗∗∗ Cisco says DevHub site leak won’t enable future breaches ∗∗∗ --------------------------------------------- Cisco says that non-public files recently downloaded by a threat actor from a misconfigured public-facing DevHub portal dont contain information that could be exploited in future breaches of the companys systems. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cisco-says-devhub-site-leak-… ∗∗∗ Ware nicht geliefert: Betrüger hacken Tausende Webshops und kassieren Millionen ∗∗∗ --------------------------------------------- Hacker haben seit 2019 im Rahmen einer Betrugskampagne unzählige Onlineshops infiltriert. Käufer bestimmter Produkte erhielten .. --------------------------------------------- https://www.golem.de/news/ware-nicht-geliefert-betrueger-hacken-tausende-we… ∗∗∗ From Naptime to Big Sleep: Using Large Language Models To Catch Vulnerabilities In Real-World Code ∗∗∗ --------------------------------------------- In our previous post, Project Naptime: Evaluating Offensive Security Capabilities of Large Language Models, we introduced our framework for large-language-model-assisted vulnerability research and demonstrated its potential by improving the state-of-the-art performance on Meta's CyberSecEval2 benchmarks. Since then, Naptime has evolved into Big Sleep, a collaboration between Google Project Zero and Google DeepMind. --------------------------------------------- https://googleprojectzero.blogspot.com/2024/10/from-naptime-to-big-sleep.ht… ∗∗∗ Inside Iran’s Cyber Playbook: AI, Fake Hosting, and Psychological Warfare ∗∗∗ --------------------------------------------- U.S. and Israeli cybersecurity agencies have published a new advisory attributing an Iranian cyber group to targeting the 2024 Summer Olympics and compromising a French commercial dynamic display provider to show messages denouncing Israels participation .. --------------------------------------------- https://thehackernews.com/2024/11/inside-irans-cyber-playbook-ai-fake.html ∗∗∗ Financial institutions told to get their house in order before the next CrowdStrike strikes ∗∗∗ --------------------------------------------- Calls for improvements will soon turn into demands when new rules come into force The UKs finance regulator is urging all institutions under its remit to better prepare for IT meltdowns like .. --------------------------------------------- https://www.theregister.com/2024/11/02/fca_it_resilience/ ∗∗∗ Booking.com Phishers May Leave You With Reservations ∗∗∗ --------------------------------------------- A number of cybercriminal innovations are making it easier for scammers to cash in on your upcoming travel plans. This story examines a recent spear-phishing campaign that ensued when a California hotel had its booking.com credentials stolen. Well .. --------------------------------------------- https://krebsonsecurity.com/2024/11/booking-com-phishers-may-leave-you-with… ∗∗∗ Kostenlose Webinare zum Schutz im Internet ∗∗∗ --------------------------------------------- Ab 2. Dezember finden in Kooperation mit der AK Oberösterreich und Saferinternet.at spannende Webinare zum sicheren und verantwortungsvollen Umgang mit Handy und Internet statt. Erweitern Sie Ihre digitalen Kompetenzen und .. --------------------------------------------- https://www.watchlist-internet.at/news/kostenlose-webinare-zum-schutz-im-in… ∗∗∗ TA Phone Home: EDR Evasion Testing Reveals Extortion Actors Toolkit ∗∗∗ --------------------------------------------- A threat actor attempted to use an AV/EDR bypass tool in an extortion attempt. Instead, the tool provided Unit 42 insight into the threat actor. --------------------------------------------- https://unit42.paloaltonetworks.com/edr-bypass-extortion-attempt-thwarted/ ∗∗∗ FBI wants more info on hackers behind Sophos exploitation after report on China’s intrusions ∗∗∗ --------------------------------------------- The FBI is asking the public for help in tracking down the people behind a series of intrusions into edge devices and networks. --------------------------------------------- https://therecord.media/fbi-hackers-china-wants-info ∗∗∗ Kimsuky Group’s Malware Disguised as Lecture Request Form (MSC, HWP) ∗∗∗ --------------------------------------------- Recently, malware disguised as a lecture request form targeting specific users was identified. The distributed files include Hangul Word Processor (HWP) documents and files in MSC format, which download additional malicious files. Decoy document files used to disguise as legitimate documents have been found to sometimes contain .. --------------------------------------------- https://asec.ahnlab.com/en/84181/ ∗∗∗ Supply Chain Attack Using Ethereum Smart Contracts to Distribute Multi-Platform Malware ∗∗∗ --------------------------------------------- age “jest-fet-mock,” which implements a different approach using Ethereum smart contracts for command-and-control operations. The package masquerades as a popular testing utility while distributing malware across Windows, Linux, and macOS platforms. This discovery represents a notable difference in supply chain attack methodologies, combining .. --------------------------------------------- https://checkmarx.com/blog/supply-chain-attack-using-ethereum-smart-contrac… ∗∗∗ Hackers Claim Access to Nokia Internal Data, Selling for $20,000 ∗∗∗ --------------------------------------------- Hackers claim to have breached Nokia through a third-party contractor, allegedly stealing SSH keys, source code, and internal --------------------------------------------- https://hackread.com/hackers-claim-access-nokia-internal-data-selling-20k/ ∗∗∗ Mallox Ransomware ∗∗∗ --------------------------------------------- FortiGuard Labs continue to see increase in Mallox ransomware related activities detecting Mallox ransomware on multiple hundred FortiGuard sensors. Ransomware infection may cause disruption, damage to daily operations, .. --------------------------------------------- https://fortiguard.fortinet.com/outbreak-alert/mallox-ransomware ∗∗∗ Missing Link: Wie ein Unternehmen bei einem Cyberangriff die Kontrolle verlor ∗∗∗ --------------------------------------------- Eigentlich fühlt sich der IT-Chef recht sicher. Bis Hacker mitten am Tag in die Firma marschieren – und unbehelligt wieder raus. Die Beute: volle Kontrolle. --------------------------------------------- https://heise.de/-9984869 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (firefox, grafana, kernel, and mod_http2), Debian (chromium, openssl, and thunderbird), Fedora (chromium, krb5, mysql8.0, polkit, python-single-version, and webkitgtk), Mageia (bind, buildah, podman, skopeo, kernel, kmod-xtables-addons. kmod-virtualbox, kernel-firmware & kernel-firmware-nonfree radeon-firmware, .. --------------------------------------------- https://lwn.net/Articles/996908/ ∗∗∗ WordPress Vulnerability & Patch Roundup October 2024 ∗∗∗ --------------------------------------------- https://blog.sucuri.net/2024/11/wordpress-vulnerability-patch-roundup-octob… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily November 2024