Daily December 2024

daily@lists.cert.at

1 participants
19 discussions

Tageszusammenfassung - 30.12.2024
by Daily end-of-shift report 30 Dec '24

30 Dec '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 27-12-2024 18:00 − Montag 30-12-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Customer data from 800,000 electric cars and owners exposed online ∗∗∗ --------------------------------------------- Volkswagens automotive software company, Cariad, exposed data collected from around 800,000 electric cars. The info could be linked to drivers names and reveal precise vehicle locations. --------------------------------------------- https://www.bleepingcomputer.com/news/security/customer-data-from-800-000-e… ∗∗∗ Malware botnets exploit outdated D-Link routers in recent attacks ∗∗∗ --------------------------------------------- Two botnets tracked as Ficora and Capsaicin have recorded increased activity in targeting D-Link routers that have reached end of life or are running outdated firmware versions. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malware-botnets-exploit-outd… ∗∗∗ Hackerangriff auf Flughäfen von Mailand ∗∗∗ --------------------------------------------- Eine prorussische Hackergruppe bekannte sich zu dem Cyberangriff. Der Flugbetrieb war nicht gefährdet. --------------------------------------------- https://futurezone.at/digital-life/hackerangriff-auf-flughaefen-von-mailand… ∗∗∗ Bundestagswahlen: Wahlsoftware immer noch unsicher ∗∗∗ --------------------------------------------- Seit Jahren fordert der CCC eine transparente Wahlsoftware. Wie sinnvoll das wäre, zeigt die Analyse eines weit verbreiteten Tools. Ein Bericht von Friedhelm Greis. --------------------------------------------- https://www.golem.de/news/bundestagswahlen-wahlsoftware-immer-noch-unsicher… ∗∗∗ Rundsteuerempfänger gehackt: Lässt sich über Funksignale ein Blackout herbeiführen? ∗∗∗ --------------------------------------------- Zwei Sicherheitsforscher haben die Protokolle für funkbasierte Rundsteuerempfänger entschlüsselt. Doch es ist strittig, in welchem Umfang sich manipulierte Signale missbrauchen lassen. Ein Bericht von Friedhelm Greis. --------------------------------------------- https://www.golem.de/news/rundsteuerempfaenger-gehackt-laesst-sich-ueber-fu… ∗∗∗ Prioritizing patching: A deep dive into frameworks and tools – Part 2: Alternative frameworks ∗∗∗ --------------------------------------------- In the second of a two-part series on tools and frameworks designed to help with remediation prioritization, we explore some alternatives to CVSS --------------------------------------------- https://news.sophos.com/en-us/2024/12/30/prioritizing-patching-a-deep-dive-… ∗∗∗ 16 Chrome Extensions Hacked, Exposing Over 600,000 Users to Data Theft ∗∗∗ --------------------------------------------- A new attack campaign has targeted known Chrome browser extensions, leading to at least 16 extensions being compromised and exposing over 600,000 users to data exposure and credential theft.The attack targeted publishers of browser extensions on the Chrome Web Store via a phishing campaign and used their access permissions to insert malicious code into legitimate extensions in order to steal --------------------------------------------- https://thehackernews.com/2024/12/16-chrome-extensions-hacked-exposing.html ∗∗∗ Its only a matter of time before LLMs jump start supply-chain attacks ∗∗∗ --------------------------------------------- The greatest concern is with spear phishing and social engineering Interview Now that criminals have realized theres no need to train their own LLMs for any nefarious purposes - its much cheaper and easier to steal credentials and then jailbreak existing ones - the threat of a large-scale supply chain attack using generative AI becomes more real. --------------------------------------------- https://www.theregister.com/2024/12/29/llm_supply_chain_attacks/ ∗∗∗ 38C3: Große Sicherheitsmängel in elektronischer Patientenakte 3.0 aufgedeckt ∗∗∗ --------------------------------------------- Gravierende Sicherheitslücken müssten bis zum Start der ePA 3.0 noch geschlossen werden. Das demonstrieren Martin Tschirsich und Bianca Kastl auf dem 38C3. --------------------------------------------- https://www.heise.de/news/38C3-Weitere-Sicherheitsmaengel-in-elektronischer… ∗∗∗ 38C3: BogusBazaar-Bande betreibt noch immer Tausende Fakeshops ∗∗∗ --------------------------------------------- Monate nach der Entdeckung operiert eine chinesische Cyberbande weiterhin unbehelligt, berichten Sicherheitsforscher. Schützenhilfe leisten auch US-Anbieter. --------------------------------------------- https://www.heise.de/news/38C3-BogusBazaar-Bande-betreibt-noch-immer-Tausen… ∗∗∗ 38C3: BitLocker-Verschlüsselung von Windows 11 umgangen, ohne PC zu öffnen. ∗∗∗ --------------------------------------------- Zwei Jahre nach der vermeintlichen Behebung einer Lücke kann diese weiterhin genutzt werden, um BitLocker-geschützte Festplatten von Windows 11 zu entschlüsseln --------------------------------------------- https://www.heise.de/news/38C3-BitLocker-Verschluesselung-von-Windows-11-um… ∗∗∗ On the sixth day of Christmas, an X account gave to me: a fake 7-Zip ACE ∗∗∗ --------------------------------------------- An account with the name @NSA_Employee39 claimed to have dropped a zero-day vulnerability for the popular file archive software 7-Zip. Nobody could get it to work. --------------------------------------------- https://therecord.media/fake-zero-day-7Zip ∗∗∗ Lets Encrypt to end OCSP support in 2025 ∗∗∗ --------------------------------------------- Well, the writing has been on the wall for some years now, arguably over a decade, but the time has finally come where the largest CA in the World is going to drop support for the Online Certificate Status Protocol.What is OCSP?The Online Certificate Status Protocol is a --------------------------------------------- https://scotthelme.ghost.io/lets-encrypt-to-end-ocsp-support-in-2025/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gst-plugins-good1.0 and opensc), Fedora (iwd and libell), and SUSE (chromium, govulncheck-vulndb, and poppler). --------------------------------------------- https://lwn.net/Articles/1003768/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.12.2024
by Daily end-of-shift report 27 Dec '24

27 Dec '24

===================== = End-of-Day report = ===================== Timeframe: Montag 23-12-2024 18:00 − Freitag 27-12-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Cybersecurity firms Chrome extension hijacked to steal users data ∗∗∗ --------------------------------------------- One attack was disclosed by Cyberhaven, a data loss prevention company that alerted its customers of a breach on December 24 after a successful phishing attack on an administrator account for the Google Chrome store. Among Cyberhaven's customers are Snowflake, Motorola, Canon, Reddit, AmeriHealth, Cooley, IVP, Navan, DBS, Upstart, and Kirkland & Ellis. [..] Cyberhaven's internal security team removed the malicious package within an hour since its detection, the company says in an email to its customers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cybersecurity-firms-chrome-e… ∗∗∗ Microsoft warnt: Bug könnte Security-Updates verhindern ∗∗∗ --------------------------------------------- Microsoft warnt Nutzer, die ihr System vor Kurzem via CD oder USB-Stick installiert haben. Konkret geht es um Installationsmedien, die das Sicherheitsupdate vom Oktober oder das vom November inkludiert haben. Hier kann es passieren, dass diese Systeme keine weiteren Updates mehr erhalten, wenn sie derzeit auf 24H2 sind. --------------------------------------------- https://futurezone.at/produkte/microsoft-warnung-bug-security-updates-windo… ∗∗∗ Datenschutzverletzung: Volkwagen-Bewegungsprofile von 800.000 E-Autos offengelegt ∗∗∗ --------------------------------------------- Persönliche Daten und Bewegungsprofile von rund 800.000 VW-E-Auto-Besitzern lagen monatelang öffentlich zugänglich in der Cloud. --------------------------------------------- https://www.golem.de/news/datenschutzverletzung-volkwagen-bewegungsprofile-… ∗∗∗ Threat landscape for industrial automation systems in Q3 2024 ∗∗∗ --------------------------------------------- The ICS CERT quarterly report covers threat landscape for industrial automation systems in Q3 2024. --------------------------------------------- https://securelist.com/ics-cert-q3-2024-report/115182/ ∗∗∗ More SSH Fun!, (Tue, Dec 24th) ∗∗∗ --------------------------------------------- A few days ago, I wrote a diary about a link file that abused the ssh.exe tool present in modern versions of Microsoft Windows. At the end, I mentioned that I will hunt for more SSH-related files/scripts. Guess what? I already found another one. --------------------------------------------- https://isc.sans.edu/diary/rss/31542 ∗∗∗ Jahresrückblick: Diese Themen beschäftigten uns 2024! ∗∗∗ --------------------------------------------- Wir sagen „DANKE“ und blicken noch einmal zurück auf die Entwicklungen und Geschehnisse des vergangenen Jahres. --------------------------------------------- https://www.watchlist-internet.at/news/jahresrueckblick-2024/ ∗∗∗ ASUS: "Weihnachtsüberraschung" mit christmas.exe schief gegangen ∗∗∗ --------------------------------------------- Anbieter ASUS wollte seine Benutzer überraschen und hat diesen eine besondere Weihnachtskarte mit dem Dateinamen christmas.exe zukommen lassen. Ist natürlich seit Jahren bekannt, dass man aus Sicherheitsgründen keine .exe-Grußkarte mit Weihnachtsgrüßen verschickt. --------------------------------------------- https://www.borncity.com/blog/2024/12/26/asus-weihnachtsueberraschung-mit-c… ∗∗∗ PMKID Attacks: Debunking the 802.11r Myth ∗∗∗ --------------------------------------------- This article addresses common misconceptions surrounding PMKID-based attacks while offering technical insights into their mechanics and effective countermeasures. The PMKID-based attack, first disclosed in 2018 by the Hashcat team, introduced a novel method of compromising WPA2-protected Wi-Fi networks. Unlike traditional techniques, this approach does not require capturing a full 4-way handshake, instead leveraging a design flaw in the Pairwise Master Key Identifier (PMKID). --------------------------------------------- https://www.nccgroup.com/us/research-blog/pmkid-attacks-debunking-the-80211… ∗∗∗ From Arbitrary File Write to RCE in Restricted Rails apps ∗∗∗ --------------------------------------------- Introduction Recently, we came across a situation where we needed to exploit an arbitrary file write vulnerability in a Rails application running in a restricted environment. The application was deployed via a Dockerfile that imposed...O post From Arbitrary File Write to RCE in Restricted Rails apps apareceu primeiro em Conviso AppSec. --------------------------------------------- https://blog.convisoappsec.com/en/from-arbitrary-file-write-to-rce-in-restr… ===================== = Vulnerabilities = ===================== ∗∗∗ Palo Alto: CVE-2024-3393 PAN-OS: Firewall Denial of Service (DoS) in DNS Security Using a Specially Crafted Packet (Severity: HIGH) ∗∗∗ --------------------------------------------- A Denial of Service vulnerability in the DNS Security feature of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to send a malicious packet through the data plane of the firewall that reboots the firewall. Repeated attempts to trigger this condition will cause the firewall to enter maintenance mode. --------------------------------------------- https://security.paloaltonetworks.com/CVE-2024-3393 ∗∗∗ Apache Tomcat Vulnerability CVE-2024-56337 Exposes Servers to RCE Attacks ∗∗∗ --------------------------------------------- The Apache Software Foundation (ASF) has released a security update to address an important vulnerability in its Tomcat server software that could result in remote code execution (RCE) under certain conditions. The vulnerability, tracked as CVE-2024-56337, has been described as an incomplete mitigation for CVE-2024-50379 (CVSS score: 9.8), another critical security flaw in the same product that was previously addressed on December 17, 2024. --------------------------------------------- https://thehackernews.com/2024/12/apache-tomcat-vulnerability-cve-2024.html ∗∗∗ Critical SQL Injection Vulnerability in Apache Traffic Control Rated 9.9 CVSS — Patch Now ∗∗∗ --------------------------------------------- The Apache Software Foundation (ASF) has shipped security updates to address a critical security flaw in Traffic Control that, if successfully exploited, could allow an attacker to execute arbitrary Structured Query Language (SQL) commands in the database. The SQL injection vulnerability, tracked as CVE-2024-45387, is rated 9.9 out of 10.0 on the CVSS scoring system. --------------------------------------------- https://thehackernews.com/2024/12/critical-sql-injection-vulnerability-in.h… ∗∗∗ Apache MINA CVE-2024-52046: CVSS 10.0 Flaw Enables RCE via Unsafe Serialization ∗∗∗ --------------------------------------------- The Apache Software Foundation (ASF) has released patches to address a maximum severity vulnerability in the MINA Java network application framework that could result in remote code execution under specific conditions. Tracked as CVE-2024-52046, the vulnerability carries a CVSS score of 10.0. --------------------------------------------- https://thehackernews.com/2024/12/apache-mina-cve-2024-52046-cvss-100.html ∗∗∗ Adobe warns of critical ColdFusion bug with PoC exploit code ∗∗∗ --------------------------------------------- Adobe has released out-of-band security updates to address a critical ColdFusion vulnerability with proof-of-concept exploit code. In an advisory released on Monday, the company says the flaw (tracked as CVE-2024-53961) is caused by a path traversal weakness that impacts Adobe ColdFusion versions 2023 and 2021 and can enable attackers to read arbitrary files on vulnerable servers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/adobe-warns-of-critical-cold… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (containernetworking-plugins, edk2:20240524, gstreamer1-plugins-base, gstreamer1-plugins-good, kernel, libsndfile:1.0.31, mpg123:1.32.9, pam, php:8.1, php:8.2, python3.11, python3.11-urllib3, python3.12, python3.9:3.9.21, skopeo, and unbound:1.16.2), Debian (intel-microcode), Fedora (python3-docs and python3.12), Mageia (emacs), Red Hat (podman), and SUSE (gdb, govulncheck-vulndb, libparaview5_12, mozjs115, mozjs78, and vhostmd). --------------------------------------------- https://lwn.net/Articles/1003381/ ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (sympa and tomcat), Red Hat (kernel), and SUSE (poppler). --------------------------------------------- https://lwn.net/Articles/1003462/ ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (fastnetmon, webkit2gtk, and xen), Fedora (sympa), Oracle (postgresql), and Red Hat (pcp, tigervnc, and xorg-x11-server and xorg-x11-server-Xwayland). --------------------------------------------- https://lwn.net/Articles/1003542/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (node-postcss), Fedora (age, dr_libs, incus, libxml2, moodle, and python-sql), and SUSE (poppler and python-grpcio). --------------------------------------------- https://lwn.net/Articles/1003601/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.12.2024
by Daily end-of-shift report 23 Dec '24

23 Dec '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 20-12-2024 18:00 − Montag 23-12-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Middle East Cyberwar Rages On, With No End in Sight ∗∗∗ --------------------------------------------- Since October 2023, cyberattacks among countries in the Middle East have persisted, fueled by the conflict between Israel and Hamas, reeling in others on a global scale. --------------------------------------------- https://www.darkreading.com/cyberattacks-data-breaches/middle-east-cyberwar… ∗∗∗ Cloud Atlas seen using a new tool in its attacks ∗∗∗ --------------------------------------------- We analyze the latest activity by the Cloud Atlas gang. The attacks employ the PowerShower, VBShower and VBCloud modules to download victims data with various PowerShell scripts. --------------------------------------------- https://securelist.com/cloud-atlas-attacks-with-new-backdoor-vbcloud/115103/ ∗∗∗ Modiloader From Obfuscated Batch File ∗∗∗ --------------------------------------------- My last investigation is a file called "Albertsons Payments.gz", received via email. The file looks like an archive but is identified as a picture by .. --------------------------------------------- https://isc.sans.edu/diary/Modiloader+From+Obfuscated+Batch+File/31540 ∗∗∗ Vulnerability & Patch Roundup - November 2024 ∗∗∗ --------------------------------------------- Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises. To help .. --------------------------------------------- https://blog.sucuri.net/2024/12/vulnerability-patch-roundup-november-2024.h… ∗∗∗ Rockstar2FA Collapse Fuels Expansion of FlowerStorm Phishing-as-a-Service ∗∗∗ --------------------------------------------- An interruption to the phishing-as-a-service (PhaaS) toolkit called Rockstar 2FA has led to a rapid uptick in activity from another nascent offering named FlowerStorm."It appears that the [Rockstar2FA] group running the service experienced at least a .. --------------------------------------------- https://thehackernews.com/2024/12/rockstar2fa-collapse-fuels-expansion-of.h… ∗∗∗ l+f: Sicherheitsforscher bestellt bei McDonalds für 1 Cent ∗∗∗ --------------------------------------------- Der McDonalds-Lieferservice in Indien war kaputt und Bestellungen waren umfangreich manipulierbar. --------------------------------------------- https://www.heise.de/news/l-f-Sicherheitsforscher-bestellt-bei-McDonald-s-f… ∗∗∗ Webbrowser: Chrome und Edge sollen mittels KI vor Spam-Seiten warnen ∗∗∗ --------------------------------------------- Um Nutzer vor betrügerischen Websites zu warnen, haben Chrome und Edge neuerdings einen KI-Schutz an Bord. Noch ist das Feature aber nicht standardmäßig aktiv. --------------------------------------------- https://www.heise.de/news/Webbrowser-Chrome-und-Edge-sollen-mittels-KI-vor-… ∗∗∗ Heels on fire. Hacking smart ski socks ∗∗∗ --------------------------------------------- TL;DR A silly-season BLE connectivity story Overheat people’s smart ski socks .. but only when in Bluetooth range AND when the owner’s phone is out of range of their feet! Having […]The post Heels on fire. Hacking smart ski socks first appeared on Pen Test Partners. --------------------------------------------- https://www.pentestpartners.com/security-blog/heels-on-fire-hacking-smart-s… ∗∗∗ Fast zwei Drittel aller gestohlenen Kryptogelder wanderten 2024 nach Nordkorea ∗∗∗ --------------------------------------------- Eine aktuelle Analyse zeigt, dass der Gesamtwert gestohlener Kryptowährungen heuer bisher um 21 Prozent auf 2,2 Milliarden Dollar gestiegen ist --------------------------------------------- https://www.derstandard.at/story/3000000250591/fast-zwei-drittel-aller-gest… ∗∗∗ NSO-Group für WhatsApp-Angriff mit Pegasus-Spyware schuldig gesprochen ∗∗∗ --------------------------------------------- Im Jahr 2019 wurden WhatsApp-Nutzer Opfer eines Angriffs durch Spyware, die über eine Schwachstelle auf Android und iOS-Geräte installiert werden konnte. WhatsApp verklagte die NSO Group, die den .. --------------------------------------------- https://www.borncity.com/blog/2024/12/22/nso-group-fuer-angriff-mit-pegasus… ∗∗∗ Jingle Shells: How Virtual Offices Enable a Facade of Legitimacy ∗∗∗ --------------------------------------------- Virtual offices have revolutionized the way businesses operate. They provide cost-effective flexibility by eliminating the .. --------------------------------------------- https://www.team-cymru.com/post/how-virtual-offices-enable-a-facade-of-legi… ∗∗∗ A Primer on JA4+: Empowering Threat Analysts with Better Traffic Analysis ∗∗∗ --------------------------------------------- What is JA4+ and Why Does It Matter? Introduction Threat analysts and researchers are continually seeking tools and methodologies to gain .. --------------------------------------------- https://www.team-cymru.com/post/a-primer-on-ja4-empowering-threat-analysts-… ∗∗∗ Supply Chain Attack Hits Rspack, Vant npm Packages with Monero Miner ∗∗∗ --------------------------------------------- Popular npm packages, Rspack and Vant, were recently compromised with malicious code. Learn about the attack, the impact, and how to protect your projects from similar threats. --------------------------------------------- https://hackread.com/supply-chain-attack-rspack-vant-npm-monero-miner/ ∗∗∗ Checking It Twice: Profiling Benign Internet Scanners — 2024 Edition ∗∗∗ --------------------------------------------- A comprehensive analysis of benign internet scanning activity from November 2024, examining how quickly and thoroughly various legitimate scanning services (like Shodan, Censys, and others) discover and probe new internet-facing assets. The study deployed 24 new sensors across 8 geographies and 5 autonomous systems, revealing that most scanners .. --------------------------------------------- https://www.greynoise.io/blog/checking-it-twice-profiling-benign-internet-s… ∗∗∗ Kritische Sicherheitslücken bedrohen Sophos-Firewalls ∗∗∗ --------------------------------------------- Es sind wichtige Sicherheitsupdates für Firewalls von Sophos erschienen. Mit den Standardeinstellungen installieren sie sich automatisch. --------------------------------------------- https://heise.de/-10218914 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gst-plugins-base1.0, libxstream-java, php-laravel-framework, python-urllib3, and sqlparse), Fedora (chromium, libcomps, libdnf, mingw-directxmath, mingw-gstreamer1, mingw-gstreamer1-plugins-bad-free, mingw-gstreamer1-plugins-base, mingw-gstreamer1-plugins-good, mingw-orc, ofono, prometheus-podman-exporter, .. --------------------------------------------- https://lwn.net/Articles/1003287/ ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2024-0008 ∗∗∗ --------------------------------------------- Date Reported: December 22, 2024 Advisory ID: WSA-2024-0008 CVE identifiers: CVE-2024-54479, CVE-2024-54502, CVE-2024-54505, CVE-2024-54508, CVE-2024-54534 Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. CVE-2024-54479 Versions affected: WebKitGTK and WPE WebKit before 2.46.5. Credit to Seunghyun Lee. Impact: Processing maliciously .. --------------------------------------------- https://webkitgtk.org/security/WSA-2024-0008.html ∗∗∗ TR-91 - Vulnerability identified as CVE-2024-0012, affecting Palo Alto Networks PAN-OS software ∗∗∗ --------------------------------------------- https://www.circl.lu/pub/tr-91 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.12.2024
by Daily end-of-shift report 20 Dec '24

20 Dec '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 19-12-2024 18:00 − Freitag 20-12-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ In eigener Sache: CERT.at sucht Junior IT-Security Analyst:in (m/w/d - Vollzeit - Wien) ∗∗∗ --------------------------------------------- Für unsere laufenden Routinetätigkeiten suchen wir derzeit eine:n Berufsein- oder -umsteiger:in mit Interesse an IT-Security. --------------------------------------------- https://www.cert.at/de/ueber-uns/jobs/ ∗∗∗ BadBox malware botnet infects 192,000 Android devices despite disruption ∗∗∗ --------------------------------------------- The BadBox Android malware botnet has grown to over 192,000 infected devices worldwide despite a recent sinkhole operation that attempted to disrupt the operation in Germany. --------------------------------------------- https://www.bleepingcomputer.com/news/security/badbox-malware-botnet-infect… ∗∗∗ The Windows Registry Adventure #5: The regf file format ∗∗∗ --------------------------------------------- This post aimed to systematically explore the inner workings of the regf format, focusing on the hard requirements enforced by Windows. Due to my role and interests, I looked at the format from a strictly security-oriented angle rather than digital forensics, which is the context in which registry hives are typically considered. --------------------------------------------- https://googleprojectzero.blogspot.com/2024/12/the-windows-registry-adventu… ∗∗∗ BellaCPP: Discovering a new BellaCiao variant written in C++ ∗∗∗ --------------------------------------------- While investigating an incident involving the BellaCiao .NET malware, Kaspersky researchers discovered a C++ version they dubbed "BellaCPP". --------------------------------------------- https://securelist.com/bellacpp-cpp-version-of-bellaciao/115087/ ∗∗∗ Auslaufmodell NTLM: Aus Windows 11 24H2 und Server 2025 teils entfernt ∗∗∗ --------------------------------------------- Weitgehend unbemerkt wurden in Windows 11 24H2 und Server 2025 zudem NTLMv1 entfernt. --------------------------------------------- https://heise.de/-10217239 ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-24-1718: (0Day) Arista NG Firewall custom_handler Directory Traversal Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Arista NG Firewall. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 8.1. The following CVEs are assigned: CVE-2024-12830. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-1718/ ∗∗∗ ZDI-24-1724: (0Day) Delta Electronics DRASimuCAD STP File Parsing Type Confusion Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Delta Electronics DRASimuCAD. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2024-12836. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-1724/ ∗∗∗ Sophos: Resolved Multiple Vulnerabilities in Sophos Firewall (CVE-2024-12727, CVE-2024-12728, CVE-2024-12729) ∗∗∗ --------------------------------------------- Sophos has resolved three independent security vulnerabilities in Sophos Firewall (2x Critical, 1x High). To confirm that the hotfix has been applied to your firewall, please refer to KBA-000010084. --------------------------------------------- https://www.sophos.com/en-us/security-advisories/sophos-sa-20241219-sfos-rce ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium and gunicorn), Fedora (jupyterlab), Oracle (bluez, containernetworking-plugins, edk2:20220126gitbb1bba3d77, edk2:20240524, gstreamer1-plugins-base, gstreamer1-plugins-good, kernel, libsndfile, libsndfile:1.0.31, mpg123, mpg123:1.32.9, pam, python3.11-urllib3, skopeo, tuned, and unbound:1.16.2), SUSE (avahi, docker, emacs, govulncheck-vulndb, haproxy, kernel, libmozjs-128-0, python-grpcio, python310-xhtml2pdf, sudo, and tailscale), and Ubuntu (dpdk, linux-hwe-5.15, and linux-iot). --------------------------------------------- https://lwn.net/Articles/1003019/ ∗∗∗ Autodesk: DWFX File Parsing Vulnerabilities in Autodesk Navisworks Desktop Software ∗∗∗ --------------------------------------------- https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0027 ∗∗∗ Tenable: [R1] Stand-alone Security Patch Available for Tenable Security Center versions 6.3.0, 6.4.0 and 6.4.5: SC-202412.1 ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2024-21 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.12.2024
by Daily end-of-shift report 19 Dec '24

19 Dec '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 18-12-2024 18:00 − Donnerstag 19-12-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Attackers exploiting a patched FortiClient EMS vulnerability in the wild ∗∗∗ --------------------------------------------- During a recent incident response, Kaspersky’s GERT team identified a set of TTPs and indicators linked to an attacker that infiltrated a company’s networks by targeting a Fortinet vulnerability for which a patch was already available. --------------------------------------------- https://securelist.com/patched-forticlient-ems-vulnerability-exploited-in-t… ∗∗∗ HubPhish Abuses HubSpot Tools to Target 20,000 European Users for Credential Theft ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed a new phishing campaign that has targeted European companies with an aim to harvest account credentials and take control of the victims Microsoft Azure cloud infrastructure. [..] Targets include at least 20,000 automotive, chemical, and industrial compound manufacturing users in Europe. [..] The attacks involve sending phishing emails with Docusign-themed lures that urge recipients to view a document, which then redirects users to malicious HubSpot Free Form Builder links, from where they are led to a fake Office 365 Outlook Web App login page in order to steal their credentials. --------------------------------------------- https://thehackernews.com/2024/12/hubphish-exploits-hubspot-tools-to.html ∗∗∗ Spyware distributed through Amazon Appstore ∗∗∗ --------------------------------------------- Recently, we uncovered a seemingly harmless app called “BMI CalculationVsn” on the Amazon App Store, which is secretly stealing the package name of installed apps and incoming SMS messages under the guise of a simple health tool. --------------------------------------------- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/spyware-distributed-th… ∗∗∗ Achtung: AG Reparaturservice ist Betrug ∗∗∗ --------------------------------------------- Geschirrspüler kaputt? Die Website ag-reparaturservice.at bietet angeblich Reparaturen verschiedenster Geräte an. Von Kühlschränken über Waschmaschinen bis hin zu Backöfen repariert das Unternehmen angeblich Haushaltsgeräte. Wir raten zur Vorsicht: Die Reparatur wird trotz Bezahlung nicht durchgeführt. Sie verlieren Ihr Geld. Wir zeigen Ihnen, wie Sie die Betrugsmasche erkennen! --------------------------------------------- https://www.watchlist-internet.at/news/ag-reparaturservice-ist-betrug/ ∗∗∗ CISA urges senior government officials to lock down mobile devices amid ongoing Salt Typhoon breach ∗∗∗ --------------------------------------------- A 5-page advisory provided troves of guidance for both Apple and Android users, urging all “highly targeted individuals” to rely on the “consistent use of end-to-end encryption.” --------------------------------------------- https://therecord.media/cisa-urges-senior-officials-to-lock-down-devices-sa… ∗∗∗ Hacker könnten über Schwachstellen in Solaranlagen das europäische Stromnetz knacken ∗∗∗ --------------------------------------------- Unschöne, aber keineswegs neue Erkenntnis. Deutschland ist zwar "stolz" ob der installierten Leistung an Solarkollektoren. Aber ein griechischer White Hat-Hacker hat gezeigt, wie er sich mittels Notebook und Internet in zahlreiche europäischen Solaranlagen hacken und diese – auch in Deutschland – einfach ausknipsen könnte. --------------------------------------------- https://www.borncity.com/blog/2024/12/19/hacker-koennten-ueber-schwachstell… ∗∗∗ Kritische LDAP-Schwachstelle in Windows (CVE-2024-49112) ∗∗∗ --------------------------------------------- Noch ein kleiner Nachtrag vom Dezember 2024-Patchday. Zum 10. Dezember 2024 hat Microsoft einen kritische Schwachstelle (CVE-2024-49112) im Lightweight Directory Access Protocol (LDAP) öffentlich gemacht. Diese ermöglicht Remote-Angriffe auf Windows-Clients und -Server, wurde aber gepatcht. [..] Hunter schreibt, dass jährlich 178.900 LDAP- und LDAPS-Dienste jährlich beim Scans über hunter.how gefunden würden. --------------------------------------------- https://www.borncity.com/blog/2024/12/19/kritische-ldap-schwachstelle-in-wi… ∗∗∗ Exploring vulnerable Windows drivers ∗∗∗ --------------------------------------------- This post is the result of research into the real-world application of the Bring Your Own Vulnerable Driver (BYOVD) technique along with Cisco Talos’ series of posts about malicious Windows drivers. --------------------------------------------- https://blog.talosintelligence.com/exploring-vulnerable-windows-drivers/ ∗∗∗ Betrugsmail: Cyberversicherung muss Schaden nicht ersetzen ∗∗∗ --------------------------------------------- Klassisches Mail-Spoofing kostete eine deutsche Firma 85.000 Euro. Ihre Cyberversicherung deckt den Schaden nicht, sagt das Landgericht Hagen. --------------------------------------------- https://heise.de/-10215212 ∗∗∗ Skuld Infostealer Returns to npm with Fake Windows Utilities and Malicious Solara Development Packages ∗∗∗ --------------------------------------------- Socket’s threat research team identified a malware campaign infiltrating the npm ecosystem, deploying the Skuld infostealer just weeks after a similar attack targeted Roblox developers. [..] Before their removal, these packages compromised hundreds of machines, demonstrating how even low-complexity attacks can rapidly gain traction. --------------------------------------------- https://socket.dev/blog/skuld-infostealer-returns-to-npm ===================== = Vulnerabilities = ===================== ∗∗∗ FortiWLM Unauthenticated limited file read vulnerability ∗∗∗ --------------------------------------------- A relative path traversal [CWE-23] in FortiWLM may allow a remote unauthenticated attacker to read sensitive files. Severity: Critical, CVE-2023-34990 --------------------------------------------- https://www.fortiguard.com/psirt/FG-IR-23-144 ∗∗∗ FortiManager OS command injection ∗∗∗ --------------------------------------------- An Improper Neutralization of Special Elements used in an OS Command (OS Command Injection) vulnerability [CWE-78] in FortiManager may allow an authenticated remote attacker to execute unauthorized code via FGFM crafted requests. Severity: High, CVE-2024-48889 --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-24-425 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (bluez, edk2:20220126gitbb1bba3d77, gstreamer1-plugins-base, gstreamer1-plugins-good, kernel, kernel-rt, mpg123, php:8.2, python3.11-urllib3, and tuned), Fedora (ColPack, glibc, golang-github-chainguard-dev-git-urls, golang-github-task, icecat, python-nbdime, python3.13, and python3.14), Mageia (kernel, kmod-xtables-addons, kmod-virtualbox, dwarves and kernel-linus), Red Hat (gstreamer1-plugins-base and gstreamer1-plugins-good), SUSE (curl, emacs, git-bug, glib2, helm, kernel, and traefik2), and Ubuntu (gst-plugins-base1.0, gst-plugins-good1.0, gstreamer1.0, libvpx, linux-gcp, phpunit, and yara). --------------------------------------------- https://lwn.net/Articles/1002903/ ∗∗∗ Delta Electronics DTM Soft ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-354-03 ∗∗∗ Hitachi Energy SDM600 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-354-02 ∗∗∗ Hitachi Energy RTU500 series CMU ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-354-01 ∗∗∗ Ossur Mobile Logic Application ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-354-01 ∗∗∗ Tibbo AggreGate Network Manager ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-354-05 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.12.2024
by Daily end-of-shift report 18 Dec '24

18 Dec '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 17-12-2024 18:00 − Mittwoch 18-12-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Critical security hole in Apache Struts under exploit ∗∗∗ --------------------------------------------- A critical security hole in Apache Struts 2 [..] CVE-2024-53677 [..] is currently being exploited using publicly available proof-of-concept (PoC) code. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2024/12/17/critical_rce… ∗∗∗ How to Lose a Fortune with Just One Bad Click ∗∗∗ --------------------------------------------- Adam Griffin is still in disbelief over how quickly he was robbed of nearly $500,000 in cryptocurrencies. A scammer called using a real Google phone number to warn his Gmail account was being hacked, sent email security alerts directly from google.com, and ultimately seized control over the account by convincing him to click "yes" to a Google prompt on his mobile device. --------------------------------------------- https://krebsonsecurity.com/2024/12/how-to-lose-a-fortune-with-just-one-bad… ∗∗∗ AI-generated malvertising “white pages” are fooling detection engines ∗∗∗ --------------------------------------------- In this blog post, we take a look at a couple of examples where threat actors are buying Google Search ads and using AI to create white pages. The content is unique and sometimes funny if you are a real human, but unfortunately a computer analyzing the code would likely give it a green check. --------------------------------------------- https://www.malwarebytes.com/blog/cybercrime/2024/12/ai-generated-malvertis… ∗∗∗ Spotify: Vorsicht vor betrügerischen Phishing-Mails ∗∗∗ --------------------------------------------- Derzeit häufen sich Meldungen über betrügerische E-Mails, die angeblich von Spotify stammen. Es sei ein Problem mit der Zahlungsabwicklung aufgetreten, sodass Spotify die Nutzungsgebühr nicht abbuchen konnte und daher den Account vorübergehend gesperrt hat. Um Spotify weiter nutzen zu können, werden Sie aufgefordert die Kontoinformationen zu aktualisieren. Es handelt sich jedoch um Phishing! --------------------------------------------- https://www.watchlist-internet.at/news/spotify-vorsicht-vor-betruegerischen… ∗∗∗ Detailing the Attack Surfaces of the Tesla Wall Connector EV Charger ∗∗∗ --------------------------------------------- Trend ZDI researchers have performed an analysis of the discrete hardware components found in the device. --------------------------------------------- https://www.thezdi.com/blog/2024/12/16/detailing-the-attack-surfaces-of-the… ∗∗∗ Phishing-Masche nimmt Nutzer von Google-Kalender ins Visier ∗∗∗ --------------------------------------------- Cyberkriminelle nutzen laut einer Analyse von Sicherheitsforschern offenbar verstärkt Google-Kalender-Invites, um Internetnutzer auf Phishingseiten zu locken. --------------------------------------------- https://heise.de/-10214705 ∗∗∗ [Guest Diary] A Deep Dive into TeamTNT and Spinning YARN, (Wed, Dec 18th) ∗∗∗ --------------------------------------------- TeamTNT is running a crypto mining campaign dubbed Spinning YARN. Spinning YARN focuses on exploiting Docker, Redis, YARN, and Confluence. On November 4th, 2024, my DShield sensor recorded suspicious activity targeting my web server. The attacker attempted to use a technique that tricks the server into running harmful commands. --------------------------------------------- https://isc.sans.edu/diary/rss/31530 ===================== = Vulnerabilities = ===================== ∗∗∗ BeyondTrust BT24-10: Command Injection Vulnerability / Severity: Critical ∗∗∗ --------------------------------------------- A critical vulnerability has been discovered in Privileged Remote Access (PRA) and Remote Support (RS) products which can allow an unauthenticated attacker to inject commands that are run as a site user. CVE(s): CVE-2024-12356 --------------------------------------------- https://www.beyondtrust.com/trust-center/security-advisories/bt24-10 ∗∗∗ Juniper: 2024-12 Reference Advisory: Session Smart Router: Mirai malware found on systems when the default password remains unchanged ∗∗∗ --------------------------------------------- On Wednesday, December 11, 2024, several customers reported suspicious behavior on their Session Smart Network (SSN) platforms. These systems have been infected with the Mirai malware and were subsequently used as a DDOS attack source to other devices accessible by their network. The impacted systems were all using default passwords. Any customer not following recommended best practices and still using default passwords can be considered compromised as the default SSR passwords have been added to the virus database. [..] This affects all versions of Session Smart Router (SSR) --------------------------------------------- https://supportportal.juniper.net/s/article/2024-12-Reference-Advisory-Sess… ∗∗∗ Foxit PDF Editor und Reader: Attacken über präparierte PDF-Dateien möglich ∗∗∗ --------------------------------------------- PDF-Anwendungen von Foxit sind unter macOS und Windows verwundbar. Sicherheitsupdates stehen bereit. [..] Die Einstufung des Bedrohungsgrads der Lücken (CVE-2024-49576, CVE-2024-47810) steht zurzeit noch aus. --------------------------------------------- https://heise.de/-10211267 ∗∗∗ Windows-Sicherheitslösung Trend Micro Apex One als Einfallstor für Angreifer ∗∗∗ --------------------------------------------- Angreifer können an mehreren Sicherheitslücken in Trend Micro Apex One ansetzen. Sicherheitsupdates sind verfügbar. [..] Die darin geschlossenen Sicherheitslücken (CVE-2024-52048, CVE-2024-52049, CVE-2024-52050, CVE-2024-55631, CVE-2024-55632, CVE-2024-55917) sind mit dem Bedrohungsgrad "hoch" eingestuft. --------------------------------------------- https://heise.de/-10213518 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (libsndfile, php:7.4, python3.11, python3.12, and python36:3.6), Debian (dpdk), Mageia (curl and socat), Oracle (firefox and tuned), Red Hat (bluez, containernetworking-plugins, edk2, edk2:20220126gitbb1bba3d77, edk2:20240524, expat, gstreamer1-plugins-base, gstreamer1-plugins-base and gstreamer1-plugins-good, gstreamer1-plugins-good, kernel, libsndfile, libsndfile:1.0.31, mpg123, mpg123:1.32.9, pam, python3.11-urllib3, skopeo, tuned, unbound, and unbound:1.16.2), SUSE (cloudflared, curl, docker, firefox, gstreamer-plugins-good, kernel, libmozjs-115-0, libmozjs-128-0, libmozjs-78-0, libsoup, ovmf, python-urllib3_1, subversion, thunderbird, and traefik), and Ubuntu (editorconfig-core, libspring-java, linux, linux-aws, linux-aws-6.8, linux-gcp, linux-gcp-6.8, linux-gke, linux-gkeop, linux-ibm, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-oem-6.8, linux-oracle, linux-oracle-6.8, linux-raspi, linux, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-ibm, linux-ibm-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, linux-raspi, linux, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, linux-kvm, linux-raspi, linux, linux-lowlatency, linux-oracle, linux-aws, linux-aws-5.15, linux-aws, linux-aws-5.4, linux-bluefield, linux-oracle, linux-oracle-5.4, and linux-oem-6.11). --------------------------------------------- https://lwn.net/Articles/1002703/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.12.2024
by Daily end-of-shift report 17 Dec '24

17 Dec '24

===================== = End-of-Day report = ===================== Timeframe: Montag 16-12-2024 18:00 − Dienstag 17-12-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Verbraucherzentrale warnt vor aktueller Paypal-Betrugsmasche ∗∗∗ --------------------------------------------- Die Verbraucherzentrale NRW warnt, dass Kriminelle "Bezahlen ohne Paypal-Konto" missbrauchen. Schutz davor ist kaum möglich. [..] Im Zentrum der Kritik steht eine Paypal-Bezahloption, die sich "Zahlen ohne Paypal-Konto" nennt und auch als "Gast-Konto" oder "Gastzahlung" bekannt ist. Damit können Käufer über das Lastschrift-Verfahren zahlen, ohne dass ein Paypal-Konto angelegt wird. Dafür ist eine IBAN anzugeben. --------------------------------------------- https://heise.de/-10202355 ∗∗∗ Malicious ads push Lumma infostealer via fake CAPTCHA pages ∗∗∗ --------------------------------------------- DeceptionAds can be seen as a newer and more dangerous variant of the "ClickFix" attacks, where victims are tricked into running malicious PowerShell commands on their machine, infecting themselves with malware. ClickFix actors have employed phishing emails, fake CAPTCHA pages on pirate software sites, malicious Facebook pages, and even GitHub issues redirecting users to dangerous landing pages. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malicious-ads-push-lumma-inf… ∗∗∗ Over 25,000 SonicWall VPN Firewalls exposed to critical flaws ∗∗∗ --------------------------------------------- Over 25,000 publicly accessible SonicWall SSLVPN devices are vulnerable to critical severity flaws, with 20,000 using a SonicOS/OSX firmware version that the vendor no longer supports. [..] Public exposure means that the firewall's management or SSL VPN interfaces are accessible from the internet, presenting an opportunity for attackers to probe for vulnerabilities, outdated/unpatched firmware, misconfigurations, and brute-force weak passwords. --------------------------------------------- https://www.bleepingcomputer.com/news/security/over-25-000-sonicwall-vpn-fi… ∗∗∗ Sicherheitsbehörde warnt: Kernel-Schwachstelle in Windows wird aktiv ausgenutzt ∗∗∗ --------------------------------------------- Konkret geht es um die Sicherheitslücke CVE-2024-35250. Diese ermöglicht es Angreifern, auf anfälligen Systemen ihre Rechte auszuweiten. Nach Angaben der US-Cybersicherheitsbehörde Cisa gibt es neuerdings Hinweise auf eine aktive Ausnutzung. [..] Patches gegen CVE-2024-35250 stehen schon seit Juni für alle anfälligen Betriebssysteme bereit und dürften daher auf den meisten Systemen längst eingespielt worden sein. --------------------------------------------- https://www.golem.de/news/sicherheitsbehoerde-warnt-kernel-schwachstelle-in… ∗∗∗ Python Delivering AnyDesk Client as RAT, (Tue, Dec 17th) ∗∗∗ --------------------------------------------- Yesterday, I found an interesting piece of Python script that will install AnyDesk on the victim’s computer. Even better, it reconfigures the tool if it is already installed. The script, called “an5.py” has a low VT score (6/63). Note that the script is compatible with Windows and Linux victims. --------------------------------------------- https://isc.sans.edu/diary/rss/31524 ∗∗∗ Technical Analysis of RiseLoader ∗∗∗ --------------------------------------------- In October 2024, Zscaler ThreatLabz came across malware samples that use a network communication protocol that is similar to RisePro. However, unlike RisePro which has primarily been used for information stealing, this new malware specializes in downloading and executing second-stage payloads. Due its distinctive focus and similarities with RisePro’s communication protocol, we named this new malware family RiseLoader. --------------------------------------------- https://www.zscaler.com/blogs/security-research/technical-analysis-riseload… ∗∗∗ Earth Koshchei Coopts Red Team Tools in Complex RDP Attacks ∗∗∗ --------------------------------------------- APT group Earth Koshchei, suspected to be sponsored by the SVR, executed a large-scale rogue RDP campaign using spear-phishing emails, red team tools, and sophisticated anonymization techniques to target high-profile sectors. --------------------------------------------- https://www.trendmicro.com/en_us/research/24/l/earth-koshchei.html ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gstreamer1.0), Fedora (jupyterlab and python-notebook), Oracle (gimp:2.8.22, gstreamer1-plugins-base, gstreamer1-plugins-good, kernel, php:8.2, postgresql, and python3.11), SUSE (aws-iam-authenticator, firefox, installation-images, kernel, libaom, libyuv, libsoup, libsoup2, python-aiohttp, socat, thunderbird, and vim), and Ubuntu (curl, Docker, imagemagick, and kernel). --------------------------------------------- https://lwn.net/Articles/1002496/ ∗∗∗ CrushFTP: Attacken auf Admins möglich ∗∗∗ --------------------------------------------- Angreifer können in Logs von CrushFTP Schadcode verstecken. Dagegen gerüstete Versionen sind verfügbar. --------------------------------------------- https://heise.de/-10202537 ∗∗∗ Xen Security Advisory CVE-2024-53241 / XSA-466 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-466.html ∗∗∗ Xen Security Advisory CVE-2024-53240 / XSA-465 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-465.html ∗∗∗ Rockwell Automation PowerMonitor 1000 Remote ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-352-03 ∗∗∗ Hitachi Energy TropOS Devices Series 1400/2400/6400 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-352-02 ∗∗∗ ThreatQuotient ThreatQ Platform ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-352-01 ∗∗∗ MISP v2.5.3 and v2.4.201 released with numerous enhancements, bug fixes, and security improvements to strengthen threat information sharing capabilities. ∗∗∗ --------------------------------------------- https://github.com/MISP/MISP/releases/tag/v2.5.3 ∗∗∗ BD Diagnostic Solutions Products ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-352-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.12.2024
by Daily end-of-shift report 17 Dec '24

17 Dec '24

1 0

Tageszusammenfassung - 16.12.2024
by Daily end-of-shift report 16 Dec '24

16 Dec '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 13-12-2024 18:00 − Montag 16-12-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Microsoft Update-Katalog: Kritische Lücke in Microsofts Webserver entdeckt ∗∗∗ --------------------------------------------- Angreifer konnten sich auf einem Webserver von Microsoft erweiterte Rechte verschaffen. Trotz versprochener Transparenz nennt der Konzern keine Details. --------------------------------------------- https://www.golem.de/news/microsoft-update-katalog-kritische-luecke-in-micr… ∗∗∗ Angriffe auf Citrix Netscaler Gateway: Hersteller gibt Hinweise zum Schutz ∗∗∗ --------------------------------------------- Seit Dezember 2024 gibt es ja massiven Angriffswellen Citrix Netscaler Gateways. [..] Nun hat Citrix reagiert, und gibt Tipps, wie sich Netscaler Gateways gegen die Angriffe … Weiterlesen →Quelle --------------------------------------------- https://www.borncity.com/blog/2024/12/15/angriffe-auf-citrix-netscaler-gate… ∗∗∗ 390,000 WordPress accounts stolen from hackers in supply chain attack ∗∗∗ --------------------------------------------- A threat actor tracked as MUT-1244 has stolen over 390,000 WordPress credentials in a large-scale, year-long campaign targeting other threat actors using a trojanized WordPress credentials checker. --------------------------------------------- https://www.bleepingcomputer.com/news/security/390-000-wordpress-accounts-s… ∗∗∗ The Simple Math Behind Public Key Cryptography ∗∗∗ --------------------------------------------- The security system that underlies the internet makes use of a curious fact: You can broadcast part of your encryption to make your information much more secure. --------------------------------------------- https://www.wired.com/story/how-public-key-cryptography-really-works-using-… ∗∗∗ NodeLoader Exposed: The Node.js Malware Evading Detection ∗∗∗ --------------------------------------------- Zscaler ThreatLabz discovered a malware campaign leveraging Node.js applications for Windows to distribute cryptocurrency miners and information stealers. We have named this malware family NodeLoader, since the attackers employ Node.js compiled executables to deliver second-stage payloads, including XMRig, Lumma, and Phemedrone Stealer. --------------------------------------------- https://www.zscaler.com/blogs/security-research/nodeloader-exposed-node-js-… ∗∗∗ Phishing-Nachricht „Ihr Konto wurde gesperrt“ im Namen von Meta ignorieren! ∗∗∗ --------------------------------------------- Sie erhalten eine Nachricht von Meta, in der Ihnen mitgeteilt wird, dass Ihr Facebook- oder Instagram-Konto demnächst gesperrt wird. Um dies zu verhindern, müssen Sie auf einen Link klicken und Ihr Konto verifizieren. Aber Vorsicht: Es handelt sich um eine Phishing-Nachricht von Kriminellen, die Ihre Daten stehlen wollen! --------------------------------------------- https://www.watchlist-internet.at/news/phishing-nachricht-im-namen-von-meta/ ∗∗∗ Crypted Hearts: Exposing the HeartCrypt Packer-as-a-Service Operation ∗∗∗ --------------------------------------------- Analysis of packer-as-a-service (PaaS) HeartCrypt reveals its use in over 2k malicious payloads across 45 malware families since its early 2024 appearance. --------------------------------------------- https://unit42.paloaltonetworks.com/packer-as-a-service-heartcrypt-malware/ ∗∗∗ CoinLurker: The Stealer Powering the Next Generation of Fake Updates ∗∗∗ --------------------------------------------- The evolution of fake update campaigns has advanced significantly with the emergence of CoinLurker, a sophisticated stealer designed to exfiltrate data while evading detection. Written in Go, CoinLurker employs cutting-edge obfuscation and anti-analysis techniques, making it a highly effective tool in modern cyberattacks. --------------------------------------------- https://blog.morphisec.com/coinlurker-the-stealer-powering-the-next-generat… ∗∗∗ Secure Coding: CWE 1123 – Sich selbst modifizierenden Code vermeiden ∗∗∗ --------------------------------------------- Die Common Weakness Enumeration CWE-1123 warnt vor dem übermäßigen Einsatz von sich selbst modifizierendem Code. Java-Entwickler sollten mit Bedacht agieren. --------------------------------------------- https://heise.de/-10194617 ∗∗∗ CISA and EPA Warn: Internet-Exposed HMIs Pose Serious Cybersecurity Risks to Water Systems ∗∗∗ --------------------------------------------- The Cybersecurity and Infrastructure Security Agency (CISA) and the Environmental Protection Agency (EPA) have jointly released a crucial fact sheet highlighting the cybersecurity risks posed by Internet-exposed Human Machine Interfaces (HMIs) in the Water and Wastewater Systems (WWS) sector. --------------------------------------------- https://thecyberexpress.com/exposed-human-machine-interfaces-in-wws/ ∗∗∗ The Qualcomm DSP Driver - Unexpectedly Excavating an Exploit ∗∗∗ --------------------------------------------- This blog post provides a technical analysis of exploit artifacts provided to us by Google's Threat Analysis Group (TAG) from Amnesty International. --------------------------------------------- https://googleprojectzero.blogspot.com/2024/12/qualcomm-dsp-driver-unexpect… ∗∗∗ Tech Guide: Detecting NoviSpy spyware with AndroidQF and the Mobile Verification Toolkit (MVT) ∗∗∗ --------------------------------------------- Amnesty Security Lab has published Indicators of Compromise (IOCs) for the NoviSpy spyware application. This tutorial explains how to use AndroidQF Android Quick Forensics (androidqf) and Mobile Verification Toolkit (MVT) to examine an Android device for traces of these indicators. --------------------------------------------- https://securitylab.amnesty.org/latest/2024/12/tech-guide-detecting-novispy… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gst-plugins-base1.0, gstreamer1.0, and libpgjava), Fedora (bpftool, chromium, golang-x-crypto, kernel, kernel-headers, linux-firmware, pytest, python3.10, subversion, and thunderbird), Gentoo (NVIDIA Drivers), Oracle (kernel, perl-App-cpanminus:1.7044, php:7.4, php:8.1, php:8.2, postgresql, python3.11, python3.12, python3.9:3.9.21, python36:3.6, ruby, and ruby:2.5), SUSE (docker-stable, firefox-esr, gstreamer, gstreamer-plugins-base, gstreamer-plugins-good, kernel, python-Django, python312, and socat), and Ubuntu (mpmath). --------------------------------------------- https://lwn.net/Articles/1002338/ ∗∗∗ Siemens: SSA-928984 V1.0: Heap-based Buffer Overflow Vulnerability in User Management Component (UMC) ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-928984.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.12.2024
by Daily end-of-shift report 13 Dec '24

13 Dec '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 12-12-2024 18:00 − Freitag 13-12-2024 18:05 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Social Engineering nach Mailbombing ∗∗∗ --------------------------------------------- Rapid7 hat vor Kurzem einen Blogbeitrag zur Vorgehensweise einer Ransomwaregruppe veröffentlicht, wir haben inzwischen von mehreren Firmen in Österreich gehört, die dieses Angriffsmuster selber beobachten mussten: Zuerst wird ein Mitarbeiter der Zielfirma mit E-Mail überschüttet: in vielen Fällen sind das legitime Newsletter, die aber in der Masse ein echtes Problem sind. Danach wird dieser Angestellte per Teams oder über andere Kanäle kontaktiert: Man sei der Helpdesk und will ihm bei der Bewältigung der Mail-Lawine helfen. --------------------------------------------- https://www.cert.at/de/aktuelles/2024/12/social-engineering-nach-mailbombing ∗∗∗ Vishing via Microsoft Teams Facilitates DarkGate Malware Intrusion ∗∗∗ --------------------------------------------- In this blog entry, we discuss a social engineering attack that tricked the victim into installing a remote access tool, triggering DarkGate malware activities and an attempted C&C connection. --------------------------------------------- https://www.trendmicro.com/en_us/research/24/l/darkgate-malware.html ∗∗∗ Germany sinkholes BadBox malware pre-loaded on Android devices ∗∗∗ --------------------------------------------- Germanys Federal Office for Information Security (BSI) has disrupted the BadBox malware operation pre-loaded in over 30,000 Android IoT devices sold in the country. [..] Germany's cybersecurity agency says it blocked communication between the BadBox malware devices and their command and control (C2) infrastructure by sinkholing DNS queries so that the malware communicates with police-controlled servers rather than the attacker's command and control servers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/germany-sinkholes-badbox-mal… ∗∗∗ Efforts to Secure US Telcos Beset by Salt Typhoon Might Fall Flat ∗∗∗ --------------------------------------------- The rules necessary to secure US communications have already been in place for 30 years, argues Sen. Wyden, the FCC just hasnt enforced them. Its unclear if they will help. --------------------------------------------- https://www.darkreading.com/vulnerabilities-threats/efforts-secure-us-telco… ∗∗∗ IoT Cloud Cracked by Open Sesame Over-the-Air Attack ∗∗∗ --------------------------------------------- Researchers demonstrate how to hack Ruijie Reyee access points without Wi-Fi credentials or even physical access to the device. --------------------------------------------- https://www.darkreading.com/ics-ot-security/iot-cloud-cracked-open-sesame-a… ∗∗∗ Windows Tooling Updates: OleView.NET ∗∗∗ --------------------------------------------- This is a short blog post about some recent improvements I've been making to the OleView.NET tool which has been released as part of version 1.16. The tool is designed to discover the attack surface of Windows COM and find security vulnerabilities such as privilege escalation and remote code execution. --------------------------------------------- https://googleprojectzero.blogspot.com/2024/12/windows-tooling-updates-olev… ∗∗∗ New Linux Rootkit PUMAKIT Uses Advanced Stealth Techniques to Evade Detection ∗∗∗ --------------------------------------------- Cybersecurity researchers have uncovered a new Linux rootkit called PUMAKIT that comes with capabilities to escalate privileges, hide files and directories, and conceal itself from system tools, while simultaneously evading detection. --------------------------------------------- https://thehackernews.com/2024/12/new-linux-rootkit-pumakit-uses-advanced.h… ∗∗∗ Attacking Entra Metaverse: Part 1 ∗∗∗ --------------------------------------------- This first blog post is a short one, and demonstrates how complete control of an Entra user is equal to compromise of the on-premises user. For the entire blog series the point I am trying to make is this: The Entra Tenant is the trust boundary --------------------------------------------- https://posts.specterops.io/attacking-entra-metaverse-part-1-c9cf8c4fb4ee?s… ===================== = Vulnerabilities = ===================== ∗∗∗ DevSecOps-Plattform Gitlab: Accountübernahme möglich ∗∗∗ --------------------------------------------- In einem Beitrag schreiben die Entwickler, dass auf Gitlab.com bereits die abgesicherten Ausgaben laufen. Für selbstverwaltete Gitlab-Installation sind nun die Ausgaben 17.4.6, 17.5.4 und 17.6.2 in der Community Edition und Enterprise Edition erschienen. [..] Insgesamt haben die Entwickler zwölf Sicherheitslücken geschlossen. Zwei davon sind mit dem Bedrohungsgrad "hoch" eingestuft (CVE-2024-11274, CVE-2024-8233). Im ersten Fall können Angreifer durch Manipulation von Kubernetes-Proxy-Responses Accounts übernehmen. --------------------------------------------- https://heise.de/-10198923 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, pgpool2, and smarty4), Fedora (chromium, linux-firmware, matrix-synapse, open62541, and thunderbird), Red Hat (kernel, kernel-rt, python3.11, python3.12, python3.9:3.9.18, python3.9:3.9.21, and ruby:2.5), SUSE (buildah, chromium, govulncheck-vulndb, java-1_8_0-ibm, libsvn_auth_gnome_keyring-1-0, python310-Django, qemu, and radare2), and Ubuntu (linux, linux-aws, linux-aws-6.8, linux-gcp, linux-gcp-6.8, linux-gke, linux-ibm, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-oem-6.8, linux-oracle, linux-oracle-6.8, linux-raspi, linux, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-raspi, linux-xilinx-zynqmp, linux-gkeop, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, php7.0, php7.2, python-asyncssh, and smarty3). --------------------------------------------- https://lwn.net/Articles/1002036/ ∗∗∗ Schneider Electric Security Advisories 10.12.2024 ∗∗∗ --------------------------------------------- https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.… ∗∗∗ Mozilla: Security Vulnerabilities fixed in Thunderbird 115.18 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2024-70/ ∗∗∗ F5: K000148969: Python vulnerability CVE-2024-7592 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000148969 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily December 2024