Daily December 2024

daily@lists.cert.at

1 participants
19 discussions

Tageszusammenfassung - 12.12.2024
by Daily end-of-shift report 12 Dec '24

12 Dec '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 11-12-2024 18:00 − Donnerstag 12-12-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Apache issues patches for critical Struts 2 RCE bug ∗∗∗ --------------------------------------------- More details released after devs allowed weeks to apply fixes. We now know the remote code execution vulnerability in Apache Struts 2 disclosed back in November carries a near-maximum severity rating following the publication of the CVE. [..] Considering remote attackers could exploit the vulnerability without requiring any privileges, combined with the high impact to system confidentiality, integrity, and availability, it's likely the Apache Foundation withheld the juiciest details to allow customers to upgrade to a safe version (Struts 6.4.0 or greater). --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2024/12/12/apache_strut… ∗∗∗ Cyber Resilience Act: Vernetzte Produkte müssen bald besser abgesichert sein ∗∗∗ --------------------------------------------- Die EU-Verordnung zur Cyber-Widerstandsfähigkeit ist in Kraft getreten. Hersteller vernetzter Produkte müssen künftig ein Mindestmaß an Cybersicherheit bieten. --------------------------------------------- https://heise.de/-10197273 ∗∗∗ Modular Java Backdoor Dropped in Cleo Exploitation Campaign ∗∗∗ --------------------------------------------- While investigating incidents related to Cleo software exploitation, Rapid7 Labs and MDR team discovered a novel, multi-stage attack that deploys an encoded Java Archive (JAR) payload. --------------------------------------------- https://www.rapid7.com/blog/post/2024/12/11/etr-modular-java-backdoor-dropp… ∗∗∗ The Bite from Inside: The Sophos Active Adversary Report ∗∗∗ --------------------------------------------- A sea change in available data fuels fresh insights from the first half of 2024. --------------------------------------------- https://news.sophos.com/en-us/2024/12/12/active-adversary-report-2024-12/ ∗∗∗ Vorsicht beim Online-Kauf von Weihnachtsbäumen: So erkennen Sie unseriöse Shops ∗∗∗ --------------------------------------------- Die Vorweihnachtszeit ist für viele mit Stress und hohen Ausgaben verbunden - da scheint ein günstiger und schnell aufgestellter Weihnachtsbaum verlockend. Besonders im Trend liegen faltbare Weihnachtsbäume, die in Rekordzeit aufgestellt sein sollen. Doch Vorsicht: Nicht alle Anbieter halten, was sie versprechen. Wir zeigen, woran man unseriöse Angebote erkennt. --------------------------------------------- https://www.watchlist-internet.at/news/unserioese-shops-beim-weihnachtsbaum… ∗∗∗ 300,000+ Prometheus Servers and Exporters Exposed to DoS Attacks ∗∗∗ --------------------------------------------- In this research we highlighted vulnerabilities and flaws in the Prometheus stack. We highlight the risks associated with exposing Prometheus servers and exporters to the internet without authentication, which expose sensitive information and can be exploited to launch DoS attacks or even execute arbitrary code through compromised exporters. --------------------------------------------- https://blog.aquasec.com/300000-prometheus-servers-and-exporters-exposed-to… ∗∗∗ Bis zum Burn-out: Open-Source-Entwickler von KI-Bug-Reports genervt ∗∗∗ --------------------------------------------- Sie kommen freundlich und wohl durchdacht daher: Doch bei genauerer Prüfung stellen Open-Source-Maintainer fest, dass immer mehr Bugreports KI-Unsinn sind. --------------------------------------------- https://heise.de/-10195951 ===================== = Vulnerabilities = ===================== ∗∗∗ Hunk Companion WordPress plugin exploited to install vulnerable plugins ∗∗∗ --------------------------------------------- The issue impacts all versions of Hunk Companion before the latest 1.9.0, released yesterday, which addressed the problem. While investigating a WordPress site infection, WPScan discovered active exploitation of CVE-2024-11972 to install a vulnerable version of WP Query Console. [..] By installing outdated plugins with known vulnerabilities with available exploits, the attackers can access a large pool of flaws that lead to remote code execution (RCE), SQL injection, cross-site scripting (XSS) flaws, or create backdoor admin accounts. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hunk-companion-wordpress-plu… ∗∗∗ Apple Updates Everything (iOS, iPadOS, macOS, watchOS, tvOS, visionOS), (Wed, Dec 11th) ∗∗∗ --------------------------------------------- Apple today released patches for all of its operating systems. The updates address 46 different vulnerabilities. Many of the vulnerabilities affect more than one operating system. None of the vulnerabilities are labeled as being already exploited. --------------------------------------------- https://isc.sans.edu/diary/rss/31514 ∗∗∗ Atlassian schützt Confluence & Co. vor möglichen DoS-Attacken ∗∗∗ --------------------------------------------- Angreifer können an zehn Sicherheitslücken in Atlassian Bamboo, Bitbucket und Confluence ansetzen und unter anderem Abstürze provozieren. --------------------------------------------- https://heise.de/-10196643 ∗∗∗ Sicherheitspatch: Angreifer können über TeamViewer-Lücke Windows-Dateien löschen ∗∗∗ --------------------------------------------- Basierend auf einer Warnmeldung ist die Komponente TeamViewer Patch & Asset Management angreifbar (CVE-2024-12363 "hoch"). Die Komponente ist aber standardmäßig nicht installiert. Sie ist optional im Kontext des Remote-Management-Features installierbar. [..] Die Entwickler versichern, dass sich das Sicherheitsupdate automatisch installiert. --------------------------------------------- https://heise.de/-10196765 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libsoup2.4, python-aiohttp, and upx-ucl), Fedora (iaito, python3.11, python3.9, and radare2), Red Hat (ruby, ruby:2.5, and ruby:3.1), Slackware (mozilla-thunderbird), SUSE (govulncheck-vulndb, nodejs18, nodejs20, and socat), and Ubuntu (ofono and python-tornado). --------------------------------------------- https://lwn.net/Articles/1001863/ ∗∗∗ Paloalto: PAN-SA-2024-0017 Chromium: Monthly Vulnerability Updates (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/PAN-SA-2024-0017 ∗∗∗ Tenable: [R1] Security Center Version 6.5.1 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2024-20 ∗∗∗ Drupal: Open Social - Moderately critical - Access bypass - SA-CONTRIB-2024-076 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2024-076 ∗∗∗ Drupal: Allow All File Extensions for file fields - Critical - Unsupported - SA-CONTRIB-2024-075 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2024-075 ∗∗∗ Drupal: Git Utilities for Drupal - Critical - Unsupported - SA-CONTRIB-2024-074 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2024-074 ∗∗∗ Drupal: Login Disable - Critical - Access bypass - SA-CONTRIB-2024-073 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2024-073 ∗∗∗ Drupal: Browser Back Button - Moderately critical - Cross site scripting - SA-CONTRIB-2024-072 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2024-072 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.12.2024
by Daily end-of-shift report 11 Dec '24

11 Dec '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 10-12-2024 18:00 − Mittwoch 11-12-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Global Ongoing Phishing Campaign Targets Employees Across 12 Industries ∗∗∗ --------------------------------------------- Cybersecurity researchers at Group-IB have exposed an ongoing phishing operation that has been targeting employees and associates from over 30 companies across 12 industries and 15 jurisdictions. [..] What makes this campaign dangerous is the use of advanced techniques designed to bypass Secure Email Gateways (SEGs) and evade detection. [..] This campaign is ongoing therefore, companies need to watch out for what comes to their inbox. --------------------------------------------- https://hackread.com/ongoing-phishing-campaign-targets-employees/ ∗∗∗ AMD’s trusted execution environment blown wide open by new BadRAM attack ∗∗∗ --------------------------------------------- On Tuesday, an international team of researchers unveiled BadRAM, a proof-of-concept attack that completely undermines security assurances that chipmaker AMD makes to users of one of its most expensive and well-fortified microprocessor product lines. Starting with the AMD Epyc 7003 processor, a feature known as SEV-SNP—short for Secure Encrypted Virtualization and Secure Nested Paging—has provided the cryptographic means for certifying that a VM hasn’t been compromised by any sort of backdoor installed by someone with access to the physical machine running it. --------------------------------------------- https://arstechnica.com/information-technology/2024/12/new-badram-attack-ne… ∗∗∗ Microsoft MFA AuthQuake Flaw Enabled Unlimited Brute-Force Attempts Without Alerts ∗∗∗ --------------------------------------------- Cybersecurity researchers have flagged a "critical" security vulnerability in Microsofts multi-factor authentication (MFA) implementation that allows an attacker to trivially sidestep the protection and gain unauthorized access to a victims account. [..] Following responsible disclosure, the issue – codenamed AuthQuake – was addressed by Microsoft in October 2024. --------------------------------------------- https://thehackernews.com/2024/12/microsoft-mfa-authquake-flaw-enabled.html ∗∗∗ Decrypting Full Disk Encryption with Dissect ∗∗∗ --------------------------------------------- Back in 2022 Fox-IT decided to open source its proprietary incident response tooling known as Dissect. [..] One of the most popular requests has been the capability to use Dissect in combination with common disk encryption methods like Microsoft’s BitLocker or its Linux equivalent LUKS. Internally at Fox-IT we were able to already use these capabilities. With the release of Dissect version 3.17 these capabilities are now also available to the community at large. --------------------------------------------- https://blog.fox-it.com/2024/12/11/decrypting-full-disk-encryption-with-dis… ∗∗∗ The Stealthy Stalker: Remcos RAT ∗∗∗ --------------------------------------------- As cyberattacks become more sophisticated, understanding the mechanisms behind RemcosRAT and adopting effective security measures are crucial to protecting your systems from this growing threat. This blog presents a technical analysis of two RemcosRAT variants. --------------------------------------------- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/the-stealthy-stalker-r… ∗∗∗ How easily access cards can be cloned and why your PACS might be vulnerable ∗∗∗ --------------------------------------------- PACS can be bad, but also good if you configure them right. These systems protect your building, and control access to your most sensitive systems. Give them some love. --------------------------------------------- https://www.pentestpartners.com/security-blog/how-easily-access-cards-can-b… ∗∗∗ Zeitplan veröffentlicht: Lets Encrypt schafft OCSP-Zertifikatsüberprüfung ab ∗∗∗ --------------------------------------------- Das Protokoll zur Echtzeit-Gültigkeitsprüfung hat Datenschutzprobleme. Die weltgrößte CA ersetzt es nun durch Zertifikats-Sperrlisten. --------------------------------------------- https://heise.de/-10195107 ===================== = Vulnerabilities = ===================== ∗∗∗ Ivanti: December Security Update ∗∗∗ --------------------------------------------- Today, fixes have been released for the Ivanti solutions detailed below. [..] Ivanti Cloud Service Application, Ivanti Desktop and Server Management (DSM), Ivanti Connect Secure and Policy Secure, Ivanti Sentry, Ivanti Patch SDK, Ivanti Application Control, Ivanti Automation, Ivanti Workspace Control, Ivanti Performance Manager, Ivanti Security Controls (iSec) [..] Ivanti Cloud Services Application (CSA) 10.0 (Critical): An authentication bypass in the admin web console of Ivanti CSA before 5.0.3 allows a remote unauthenticated attacker to gain administrative access. CVE-2024-11639 --------------------------------------------- https://www.ivanti.com/blog/december-security-update ∗∗∗ Microsoft Security Update Summary (10. Dezember 2024) ∗∗∗ --------------------------------------------- Am 10. Dezember 2024 hat Microsoft Sicherheitsupdates für Windows-Clients und -Server, für Office – sowie für weitere Produkte – veröffentlicht. Die Sicherheitsupdates beseitigen 70 Schwachstellen (CVEs), davon 16 kritische Sicherheitslücken, davon eine als 0-day klassifiziert (bereits ausgenutzt). --------------------------------------------- https://www.borncity.com/blog/2024/12/10/microsoft-security-update-summary-… ∗∗∗ Solarwinds Web Help Desk: Software-Update schließt kritische Lücken ∗∗∗ --------------------------------------------- In Solarwinds Web Help Desk haben die Entwickler teils kritische Sicherheitslücken korrigiert. IT-Verantwortliche sollten rasch aktualisieren. --------------------------------------------- https://heise.de/-10195207 ∗∗∗ Patchday: Adobe schließt mehr als 160 Sicherheitslücken in Acrobat & Co. ∗∗∗ --------------------------------------------- Insgesamt hat der Softwarehersteller mehr als 160 Schwachstellen mit Updates für die Produkte geschlossen. --------------------------------------------- https://www.heise.de/-10194979 ∗∗∗ Synology-SA-24:28 Media Server ∗∗∗ --------------------------------------------- A vulnerability allows remote attackers to read specific files. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_24_28 ∗∗∗ PDQ Deploy allows reuse of deleted credentials that can compromise a device and facilitate lateral movement ∗∗∗ --------------------------------------------- The CERT/CC is creating this Vulnerability Note to advise and make users of PDQ Deploy aware of potential avenues of attack through the deploy service. System administrators that are using PDQ Deploy should employ LAPS to mitigate this vulnerability. --------------------------------------------- https://kb.cert.org/vuls/id/164934 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (proftpd-dfsg and smarty3), Fedora (python3.14), Gentoo (Distrobox, eza, idna, libvirt, and OpenSC), Red Hat (container-tools:rhel8 and edk2), SUSE (avahi, curl, libsoup2, lxd, nodejs20, python-Django, python310-Django4, python312, squid, and webkit2gtk3), and Ubuntu (expat, intel-microcode, linux, linux-aws, linux-kvm, linux-lts-xenial, and shiro). --------------------------------------------- https://lwn.net/Articles/1001728/ ∗∗∗ Mozilla: Security Vulnerabilities fixed in Thunderbird 128.5.2 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2024-69/ ∗∗∗ F5: K000148931: Linux kernel vulnerability CVE-2024-26923 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000148931 ∗∗∗ Huawei: Security Advisory - Path Traversal Vulnerability in Huawei Home Music System ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2024/huawei-sa-ptvihhms-… ∗∗∗ Numerix: Reflected Cross-Site Scripting in Numerix License Server Administration System Login ∗∗∗ --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/reflected-cross-site-scr… ∗∗∗ Splunk: SVD-2024-1207: Third-Party Package Updates in Splunk Universal Forwarder - December 2024 ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2024-1207 ∗∗∗ Splunk: SVD-2024-1206: Third-Party Package Updates in Splunk Enterprise - December 2024 ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2024-1206 ∗∗∗ Splunk: SVD-2024-1205: Remote Code Execution through Deserialization of Untrusted Data in Splunk Secure Gateway app ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2024-1205 ∗∗∗ Splunk: SVD-2024-1204: Sensitive Information Disclosure through SPL commands ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2024-1204 ∗∗∗ Splunk: SVD-2024-1203: Information Disclosure due to Username Collision with a Role that has the same Name as the User ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2024-1203 ∗∗∗ Splunk: SVD-2024-1202: Risky command safeguards bypass in “/en-US/app/search/report“ endpoint through “s“ parameter ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2024-1202 ∗∗∗ Splunk: SVD-2024-1201: Information Disclosure in Mobile Alert Responses in Splunk Secure Gateway ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2024-1201 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.12.2024
by Daily end-of-shift report 10 Dec '24

10 Dec '24

===================== = End-of-Day report = ===================== Timeframe: Montag 09-12-2024 18:00 − Dienstag 10-12-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Brute-Force-Angriffe auf exponierte Systeme ∗∗∗ --------------------------------------------- Aktuell werden dem BSI verstärkt Brute-Force-Angriffe gegen Citrix Netscaler Gateways aus verschiedenen KRITIS-Sektoren sowie von internationalen Partnern gemeldet. [..] Die aktuellen Angriffe heben sich aktuell lediglich in ihrer berichteten Menge von üblichen Angriffen dieser Art heraus. [..] Als Ziel der Brute-Force-Angriffe werden in aktuellen Berichten zwar Citrix Gateways gemeldet. Jedoch ist diese Cyber-Sicherheitswarnung für alle exponierten Systeme, insbesondere VPN-Gateways, relevant. --------------------------------------------- https://www.bsi.bund.de/SharedDocs/Cybersicherheitswarnungen/DE/2024/2024-2… ∗∗∗ Stark gestiegenes Aufkommen an Microsoft Remote Desktop Protokoll (RDP) Scanning ∗∗∗ --------------------------------------------- Ein internationaler Partner (Shadowserver) verzeichnet seit Anfang Dezember ein weltweit sehr stark gestiegenes Aufkommen (x160) an RDP "Scanning" in Wellen [1]. Ob es nur um Ausforschen offener RDP-Ports geht oder bereits weitere Handlungen gesetzt werden, ist aktuell unbekannt. Der Fokus scheint nicht auf dem RDP Standard-Port 3389, sondern auf Port 1098 zu liegen. --------------------------------------------- https://www.cert.at/de/aktuelles/2024/12/stark-gestiegenes-aufkommen-an-mic… ∗∗∗ Microsoft ergreift Maßnahmen gegen NTLM-Relay-Angriffe ∗∗∗ --------------------------------------------- Ein Angriffsvektor zum Erlangen von Zugriff im Netz ist sogenanntes NTLM-Relaying. Das erschwert Microsoft nun mit neuen Maßnahmen. --------------------------------------------- https://heise.de/-10194220 ∗∗∗ Ultralytics PyPI Package Compromised Through GitHub Actions Cache Poisoning ∗∗∗ --------------------------------------------- Over the weekend, the popular Ultralytics PyPI package was compromised in a supply chain attack that was detected following reports of a discrepancy between the library’s code on GitHub and the code that was published to PyPI for v8.3.41. --------------------------------------------- https://socket.dev/blog/ultralytics-pypi-package-compromised-through-github… ∗∗∗ Malware trends: eBPF exploitation, malware configurations stored in unexpected places, and increased use of custom post-exploitation tools ∗∗∗ --------------------------------------------- An investigation into an information security incident has allowed virus analysts at Doctor Web to uncover an ongoing campaign that incorporates many modern trends employed by cybercriminals. A client approached Doctor Web after suspecting that their computer infrastructure had been compromised. While analyzing the client’s data, our virus analysts identified a number of similar cases, leading them to conclude that an active campaign was underway. --------------------------------------------- https://news.drweb.com/show/?i=14955&lng=en&c=9 ∗∗∗ When User Input Lines Are Blurred: Indirect Prompt Injection Attack Vulnerabilities in AI LLMs ∗∗∗ --------------------------------------------- Indirect prompt attacks are when an LLM takes input from external sources but where an attacker gets to smuggle payloads (additional prompts!) into these external/side sources. These malicious additional prompts modify the overall prompt, breaking out of the data context as they are treated as instructions (they are additional prompts, commands, if you will) and, in turn, influence the initial user prompt provided together with the system prompt and with that, the subsequent actions and output. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/when-user-i… ∗∗∗ Inside Zloader’s Latest Trick: DNS Tunneling ∗∗∗ --------------------------------------------- Zloader (a.k.a. Terdot, DELoader, or Silent Night) is a modular Trojan based on the leaked Zeus source code that emerged in 2015. The malware was originally designed to facilitate banking fraud via Automated Clearing House (ACH) and wire transfers. However, similar to other malware families like Qakbot and Trickbot, Zloader has been repurposed for initial access, providing an entry point into corporate environments for the deployment of ransomware. --------------------------------------------- https://www.zscaler.com/blogs/security-research/inside-zloader-s-latest-tri… ∗∗∗ Mit dem Bumble-Date ins Theater? Vorsicht vor Betrug! ∗∗∗ --------------------------------------------- Sie haben auf Bumble jemanden kennengelernt? Sie verstehen sich gut und wollen als erstes Date ins Theater gehen? Doch Ihr Ticket sollten Sie sich selbst auf einer unbekannten Plattform kaufen. Vorsicht, hinter dem vermeintlich perfekten Match stecken Kriminelle, die Sie in einen Fake-Shop locken. --------------------------------------------- https://www.watchlist-internet.at/news/mit-dem-bumble-date-ins-theater-vors… ∗∗∗ Studie gemeinsam mit dem BSI: IT-Sicherheit von smarten Heizkörperthermostaten ∗∗∗ --------------------------------------------- Certitude führte im Auftrag des Bundesministerium für Sicherheit in der Informationstechnik (BSI) die technische Sicherheitsprüfung von smarten Heizkörperthermostaten durch. Die aus diesem Projekt entstandene und heute veröffentlichte Studie zeigt auf, dass es insbesondere beim Umgang mit Schwachstellen Nachholbedarf gibt. --------------------------------------------- https://certitude.consulting/blog/de/bsi-studie-sicherheit-smarte-heizkorpe… ∗∗∗ Full-Face Masks to Frustrate Identification ∗∗∗ --------------------------------------------- It’s a video of someone trying on a variety of printed full-face masks. They won’t fool anyone for long, but will survive casual scrutiny. And they’re cheap and easy to swap. --------------------------------------------- https://www.schneier.com/blog/archives/2024/12/full-face-masks-to-frustrate… ===================== = Vulnerabilities = ===================== ∗∗∗ Transfer-Software von Cleo: Hinter Firewall bringen, Patch wirkungslos ∗∗∗ --------------------------------------------- Die Datenstransfer-Software von Cleo hatte eine Sicherheitslücke gestopft – jedoch unzureichend. Das Leck wird aktiv angegriffen. --------------------------------------------- https://heise.de/-10193961 ∗∗∗ Wordpress: WPForms-Plug-in reißt Sicherheitsleck in 6 Millionen Webseiten ∗∗∗ --------------------------------------------- Im Wordpress-Plug-in WPForms können Angreifer eine Lücke missbrauchen, um etwa Zahlungen rückabzuwickeln. Sechs Millionen Webseiten nutzen das Plug-in. --------------------------------------------- https://heise.de/-10193387 ∗∗∗ MC LR Router and GoCast unpatched vulnerabilities ∗∗∗ --------------------------------------------- Cisco Talos Vulnerability Research team recently discovered two vulnerabilities in MC Technologies LR Router and three vulnerabilities in the GoCast service. These vulnerabilities have not been patched at time of this posting. --------------------------------------------- https://blog.talosintelligence.com/mc-lr-router-and-gocast-zero-day-vulnera… ∗∗∗ SAP-Patchday: Updates schließen teils kritische Sicherheitslücken ∗∗∗ --------------------------------------------- Im Dezember informiert SAP über neun neu entdeckte Sicherheitslücken in diversen Produkten. Eine davon gilt als kritisches Risiko. --------------------------------------------- https://heise.de/-10193418 ∗∗∗ Sicherheitsschwachstelle in Logitech MX Keys for Business (SYSS-2024-084) ∗∗∗ --------------------------------------------- SySS GmbH is currently not aware of a security fix for the described issue. [..] Due to the keyboard not enforcing any sort of authentication during the pairings, MX Keys for Business is vulnerable to machine-in-the-middle (MitM) attacks. --------------------------------------------- https://www.syss.de/pentest-blog/sicherheitsschwachstelle-in-logitech-mx-ke… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (postgresql:15, postgresql:16, and ruby:3.1), Debian (jinja2), Fedora (python-multipart, python-python-multipart, python3.12, retsnoop, rust-rbspy, rust-rustls, and zabbix), Oracle (kernel, libsoup, postgresql:12, postgresql:13, postgresql:15, postgresql:16, redis:7, and ruby:3.1), SUSE (nodejs18, pam, qt6-webengine, and radare2), and Ubuntu (dogtag-pki, linux-intel-iotg, linux-intel-iotg-5.15, ofono, rabbitmq-server, and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/1001597/ ∗∗∗ MOBATIME Network Master Clock ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-345-01 ∗∗∗ Horner Automation Cscape ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-345-05 ∗∗∗ Rockwell Automation Arena ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-345-06 ∗∗∗ National Instruments LabVIEW ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-345-04 ∗∗∗ Milesight UG67 Outdoor LoRaWAN Gateway rt-sa-2024-001 - rt-sa-2024-005 ∗∗∗ --------------------------------------------- https://www.redteam-pentesting.de/en/advisories/ ∗∗∗ SSA-979056 V1.0: Out of Bounds Write Vulnerability in Parasolid ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-979056.html ∗∗∗ SSA-881356 V1.0: Multiple Memory Corruption Vulnerabilities in Simcenter Femap ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-881356.html ∗∗∗ SSA-800126 V1.0: Deserialization Vulnerability in Siemens Engineering Platforms before V20 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-800126.html ∗∗∗ SSA-730188 V1.0: Multiple File Parsing Vulnerabilities in Solid Edge V2024 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-730188.html ∗∗∗ SSA-701627 V1.0: XXE Injection Vulnerabilities in COMOS ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-701627.html ∗∗∗ SSA-645131 V1.0: Multiple WRL File Parsing Vulnerabilities in Teamcenter Visualization ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-645131.html ∗∗∗ SSA-620799 V1.0: Denial of Service Vulnerability During BLE Pairing in SENTRON Powercenter 1000/1100 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-620799.html ∗∗∗ SSA-392859 V1.0: Local Arbitrary Code Execution Vulnerability in Siemens Engineering Platforms before V20 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-392859.html ∗∗∗ SSA-384652 V1.0: Cross-Site Request Forgery (CSRF) Vulnerability in RUGGEDCOM ROX II ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-384652.html ∗∗∗ SSA-128393 V1.0: Firmware Decryption Vulnerability in SICAM A8000 CP-8031 and CP-8050 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-128393.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.12.2024
by Daily end-of-shift report 09 Dec '24

09 Dec '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 06-12-2024 18:00 − Montag 09-12-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Phish Supper: An Incident Responder’s Bread and Butter ∗∗∗ --------------------------------------------- This post will delve into a recent business email compromise engagement handled by NCC Group’s Digital Forensics and Incident Response (DFIR) team, which saw the compromise of 12 users’ Microsoft 365 accounts. --------------------------------------------- https://www.nccgroup.com/us/research-blog/phish-supper-an-incident-responde… ∗∗∗ Hackers Using Fake Video Conferencing Apps to Steal Web3 Professionals Data ∗∗∗ --------------------------------------------- "The threat actors behind the malware have set up fake companies using AI to make them increase legitimacy," Cado Security researcher Tara Gould said. "The company reaches out to targets to set up a video call, prompting the user to download the meeting application from the website, which is Realst infostealer." --------------------------------------------- https://thehackernews.com/2024/12/hackers-using-fake-video-conferencing.html ∗∗∗ Abusing Git branch names to compromise a PyPI package ∗∗∗ --------------------------------------------- A compromised release was uploaded to PyPI after a project automatically processed a pull request with a flawed script. [..] This problem has been known for several years, but this event may serve as a good reminder to be careful with automated access to important secrets. --------------------------------------------- https://lwn.net/Articles/1001215/ ∗∗∗ A vulnerability in the OpenWrt attended sysupgrade server ∗∗∗ --------------------------------------------- The OpenWrt project has issued anadvisory regarding a vulnerability found in its Attended SysupgradeServer that could allow compromised packages to be installed on a router byan attacker. No official OpenWrt images were affected, and the vulnerability is not known to be exploited, but users who have installedimages created with an instance of this server are recommended toreinstall. --------------------------------------------- https://lwn.net/Articles/1001441/ ∗∗∗ Secure Coding: CWE-1007 – die unsichtbare Gefahr durch visuell ähnliche Zeichen ∗∗∗ --------------------------------------------- Vorsätzliche Homoglyphen-Angriffe durch visuell ähnliche Zeichen können Anwender in die Irre leiten. Zum Schutz dagegen helfen verschiedene Best Practices. --------------------------------------------- https://heise.de/-10188217 ∗∗∗ Malicious Maven Package Impersonating XZ for Java Library Introduces Backdoor Allowing Remote Code Execution ∗∗∗ --------------------------------------------- Socket researchers have discovered a malicious Maven package io.github.xz-java:xz-java that impersonates the legitimate XZ for Java library org.tukaani:xz. This deceptive package creates a hidden backdoor that enables remote command execution, posing a threat to enterprise supply chains. --------------------------------------------- https://socket.dev/blog/malicious-maven-package-impersonating-xz-for-java-l… ∗∗∗ Exploit Code Released for Microsoft CVE-2024-38193 ∗∗∗ --------------------------------------------- A critical use-after-free vulnerability, tracked as CVE-2024-38193 with a CVSS score of 7.8, has been discovered in the afd.sys Windows driver that allows attackers to escalate privileges and execute arbitrary code. This vulnerability has been fixed during the August 2024 patch on Tuesday. [..] Security researcher Nephster has published a proof-of-concept (PoC) code for the CVE-2024-38193 vulnerability on GitHub, further escalating its potential threat. --------------------------------------------- https://thecyberthrone.in/2024/12/09/exploit-code-released-for-microsoft-cv… ===================== = Vulnerabilities = ===================== ∗∗∗ Qlik: High Security fixes for Qlik Sense Enterprise for Windows (CVEs-pending) ∗∗∗ --------------------------------------------- Security issues in Qlik Sense Enterprise for Windows have been identified, and patches have been made available. If the vulnerabilities are successfully exploited, these issues could lead to a compromise of the server running the Qlik Sense software, including remote code execution (RCE). --------------------------------------------- https://community.qlik.com/t5/Official-Support-Articles/High-Security-fixes… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (redis:7, ruby, ruby:2.5, and ruby:3.1), Debian (avahi, ceph, chromium, gsl, jinja2, php7.4, renderdoc, ruby-doorkeeper, and zabbix), Fedora (chromium, python3.11, and uv), Gentoo (Asterisk, Cacti, Chromium, Google Chrome, Microsoft Edge. Opera, Dnsmasq, firefox, HashiCorp Consul, icinga2, OATH Toolkit, OpenJDK, PostgreSQL, R, Salt, Spidermonkey, and thunderbird), Mageia (kubernetes), Red Hat (grafana, grafana-pcp, osbuild-composer, and postgresql), SUSE (ansible-core, firefox, glib2, java-1_8_0-ibm, kernel-firmware, nanopb, netty, python310-django-ckeditor, python310-jupyter-ydoc, radare2, skopeo, and webkit2gtk3), and Ubuntu (tinyproxy). --------------------------------------------- https://lwn.net/Articles/1001433/ ∗∗∗ ZDI-24-1646: Epic Games Launcher Incorrect Default Permissions Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-1646/ ∗∗∗ F5: K000148896: Intel SGX vulnerability CVE-2023-43753 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000148896 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.12.2024
by Daily end-of-shift report 06 Dec '24

06 Dec '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 05-12-2024 18:00 − Freitag 06-12-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Trojan-as-a-Service Hits Euro Banks, Crypto Exchanges ∗∗∗ --------------------------------------------- At least 17 affiliate groups have used the "DroidBot" Android banking Trojan against 77 financial services companies across Europe, with more to come, researchers warn. --------------------------------------------- https://www.darkreading.com/threat-intelligence/trojan-service-hits-euro-ba… ∗∗∗ Frequent freeloader part I: Secret Blizzard compromising Storm-0156 infrastructure for espionage ∗∗∗ --------------------------------------------- In this first of a two-part blog series, we discuss how Secret Blizzard has used the infrastructure of the Pakistan-based threat activity cluster we call Storm-0156 — which overlaps with the threat actor known as SideCopy, Transparent Tribe, and APT36 — to install backdoors and collect intelligence on targets of interest in South Asia. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2024/12/04/frequent-freeloade… ∗∗∗ Malicious Script Injection on WordPress Sites ∗∗∗ --------------------------------------------- Recently, our team discovered a JavaScript-based malware affecting WordPress sites, primarily targeting those using the Hello Elementor theme. This type of malware is commonly embedded within legitimate-looking website files to load scripts from an external source. The malware injects a malicious external script into the theme’s header.php file, leading to harmful consequences for site owners and visitors. --------------------------------------------- https://blog.sucuri.net/2024/12/malicious-script-injection-on-wordpress-sit… ∗∗∗ Hackers Leveraging Cloudflare Tunnels, DNS Fast-Flux to Hide GammaDrop Malware ∗∗∗ --------------------------------------------- The threat actor known as Gamaredon has been observed leveraging Cloudflare Tunnels as a tactic to conceal its staging infrastructure hosting a malware called GammaDrop.The activity is part of an ongoing spear-phishing campaign targeting Ukrainian entities since at least early 2024 thats designed to drop the Visual Basic Script malware, Recorded Futures Insikt Group said in a new analysis. --------------------------------------------- https://thehackernews.com/2024/12/hackers-leveraging-cloudflare-tunnels.html ∗∗∗ Researchers Uncover Flaws in Popular Open-Source Machine Learning Frameworks ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed multiple security flaws impacting open-source machine learning (ML) tools and frameworks such as MLflow, H2O, PyTorch, and MLeap that could pave the way for code execution. The vulnerabilities, discovered by JFrog, are part of a broader collection of 22 security shortcomings the supply chain security company first disclosed last month. --------------------------------------------- https://thehackernews.com/2024/12/researchers-uncover-flaws-in-popular.html ∗∗∗ Announcing the launch of Vanir: Open-source Security Patch Validation ∗∗∗ --------------------------------------------- Today, we are announcing the availability of Vanir, a new open-source security patch validation tool. Introduced at Android Bootcamp in April, Vanir gives Android platform developers the power to quickly and efficiently scan their custom platform code for missing security patches and identify applicable available patches. --------------------------------------------- http://security.googleblog.com/2024/12/announcing-launch-of-vanir-open-sour… ∗∗∗ Tagesgeldkonten: Vorsicht vor betrügerischen Angeboten im Namen von CHECK24 ∗∗∗ --------------------------------------------- In den letzten Tagen wurden vermehrt SMS versendet, in denen im Namen von CHECK24 mit verlockenden Tagesgeldkonten zu einem Zinssatz von bis zu 5,25% geworben wird. Möchte man das Angebot wahrnehmen, wird man auf eine täuschend echt aussehende Phishing-Seite weitergeleitet. Wird dort Geld eingezahlt, landet es auf den Konten von Kriminellen. --------------------------------------------- https://www.watchlist-internet.at/news/tagesgeldkonten-betruegerischen-ange… ∗∗∗ Windows 11 24H2 auf mehr Geräten verfügbar; TPM 2.0-Pflicht; Installation auf unsupported CPUs ∗∗∗ --------------------------------------------- Microsoft hat damit begonnen, dass im Oktober 2024 allgemein freigegebene Windows 11 24H2 (als Windows 11 2024 Update bezeichnet), auf mehr Geräte zu verteilen. Weiterhin hat Microsoft bekräftigt, dass TPM 2.0 für Windows 11 Pflicht ist. Andererseits gibt es Leute, die die Erfahrung machen, dass Windows 11 24H2 auf Hardware, die nicht kompatibel ist, ohne Tricks installiert werden kann. --------------------------------------------- https://www.borncity.com/blog/2024/12/06/windows-11-24h2-auf-mehr-geraeten-… ∗∗∗ Introducing Supply-Chain Firewall: Protecting Developers from Malicious Open Source Packages ∗∗∗ --------------------------------------------- Release of Supply-Chain Firewall, an open source tool for preventing the installation of malicious PyPI and npm packages. --------------------------------------------- https://securitylabs.datadoghq.com/articles/introducing-supply-chain-firewa… ∗∗∗ New Malware Campaign Exposes Gaps in Manufacturing Cybersecurity Defenses ∗∗∗ --------------------------------------------- In a recent analysis by Cyble Research and Intelligence Labs (CRIL), a multi-stage cyberattack campaign has been identified, targeting the manufacturing industry. The attack, which heavily relies on process injection techniques, aims to deliver dangerous payloads, including Lumma Stealer and Amadey Bot. --------------------------------------------- https://thecyberexpress.com/lumma-stealer-amadey-bot-target-manufacturing/ ===================== = Vulnerabilities = ===================== ∗∗∗ SonicWall SMA100 SSL-VPN Affected By Multiple Vulnerabilities ∗∗∗ --------------------------------------------- CVE: CVE-2024-38475, CVE-2024-40763, CVE-2024-45318, CVE-2024-45319, CVE-2024-53702, CVE-2024-53703 --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0018 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (firefox, postgresql, postgresql:12, postgresql:13, postgresql:15, postgresql:16, python3:3.6.8, and thunderbird), Debian (clamav), Fedora (pam), Red Hat (firefox, postgresql:13, postgresql:15, python-tornado, redis:7, ruby, ruby:2.5, and ruby:3.1), SUSE (avahi, docker-stable, java-1_8_0-openjdk, libmozjs-128-0, obs-scm-bridge, php8, and teleport), and Ubuntu (ghostscript, needrestart, and shiro). --------------------------------------------- https://lwn.net/Articles/1001164/ ∗∗∗ Windows: 0patch für 0-day URL File NTLM Hash Disclosure-Schwachstelle ∗∗∗ --------------------------------------------- ACROS Security ist auf eine bisher nicht per Update geschlossene Schwachstelle in Windows gestoßen, die per URL die Offenlegung von NTLM Hash-Werten ermöglicht. ACROS Security hat einen opatch Micropatch veröffentlicht, um diese Schwachstelle zu beseitigen. Bis zum Bereitstellen eines Updates durch Microsoft ist der opatch-Micropatch kostenlos verfügbar. --------------------------------------------- https://www.borncity.com/blog/2024/12/06/windows-0patch-fuer-0-day-url-file… ∗∗∗ Sicherheitsupdate: Backupsoftware Dell NetWorker kann Daten leaken ∗∗∗ --------------------------------------------- Dell hat wichtige Sicherheitspatches für seine Backup- und Recovery-Software NetWorker und das SDK BSAFE veröffentlicht. Noch sind aber nicht alle Updates da. --------------------------------------------- https://heise.de/-10190285 ∗∗∗ QNAP: Vulnerability in Qsync Central ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-24-48 ∗∗∗ QNAP: Multiple Vulnerabilities in QTS and QuTS hero (PWN2OWN 2024) ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-24-49 ∗∗∗QNAP: Vulnerability in License Center ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-24-50 ∗∗∗ Tenable: [R1] Security Center Version 6.5.0 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2024-19 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.12.2024
by Daily end-of-shift report 05 Dec '24

05 Dec '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 04-12-2024 18:00 − Donnerstag 05-12-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Kostenfalle Gesundheitstest: So schützen Sie sich vor Abzocke ∗∗∗ --------------------------------------------- Auf gesundheitskontrolle.com oder gesundheitsbewertung.com werden 2-minütige Gesundheitstests versprochen. Nach Beantwortung einiger Fragen erhalten Sie angeblich eine „maßgenschneiderte und individuelle Gesundheitsanalyse“ von Gesundheitsexperten. Wir raten zur Vorsicht: Wenige Tage später flattert eine Rechnung über 79 Euro ins Haus. --------------------------------------------- https://www.watchlist-internet.at/news/kostenfalle-gesundheitstest/ ∗∗∗ MOONSHINE Exploit Kit and DarkNimbus Backdoor Enabling Earth Minotaur’s Multi-Platform Attacks ∗∗∗ --------------------------------------------- Trend Micro’s monitoring of the MOONSHINE exploit kit revealed how it’s used by the threat actor Earth Minotaur to exploit Android messaging app vulnerabilities and install the DarkNimbus backdoor for surveillance. --------------------------------------------- https://www.trendmicro.com/en_us/research/24/l/earth-minotaur.html ∗∗∗ Telecom Giant BT Group Hit by Black Basta Ransomware ∗∗∗ --------------------------------------------- BT Group, a major telecommunications firm, has been hit by a ransomware attack from the Black Basta group. The attack targeted the companys Conferencing division, leading to server shutdowns and potential data theft. --------------------------------------------- https://hackread.com/telecom-giant-bt-group-black-basta-ransomware-attack/ ∗∗∗ Vorsicht vor Whatsapp-Phishing mit gespoofter Rufnummer ∗∗∗ --------------------------------------------- Cyber-Kriminelle nehmen deutschsprachige WhatsApp-Nutzer ins Visier und versuchen mit einem perfiden Trick und einem Chatbot deren Accounts zu kapern. --------------------------------------------- https://heise.de/-10188150 ∗∗∗ USA: Acht Telekommunikationsdienste von Cyberangriffen betroffen ∗∗∗ --------------------------------------------- Bereits im Wahlkampf wurde bekannt, dass Kriminelle an die Telefondaten hochrangiger US-Politiker gekommen sind. Doch der Angriff war umfangreicher als gedacht. --------------------------------------------- https://heise.de/-10188807 ∗∗∗ [Guest Diary] Business Email Compromise, (Thu, Dec 5th) ∗∗∗ --------------------------------------------- Business Email Compromise (BEC) is a lucrative attack, which FBI data shows 51 billion dollars in losses between 2013 to 2022 [2]. According to SentinelOne, nearly all cybersecurity attacks (98%) contain a social engineering component [3].The social engineering attacks include phishing, spear phishing, smishing, whaling , etc. --------------------------------------------- https://isc.sans.edu/diary/rss/31474 ===================== = Vulnerabilities = ===================== ∗∗∗ Critical Mitel MiCollab Flaw Exposes Systems to Unauthorized File and Admin Access ∗∗∗ --------------------------------------------- Cybersecurity researchers have released a proof-of-concept (PoC) exploit that strings together a now-patched critical security flaw impacting Mitel MiCollab with an arbitrary file read zero-day, granting an attacker the ability to access files from susceptible instances. [..] WatchTowr Labs' analysis further found that the authentication bypass could be chained with an as-yet-unpatched post-authentication arbitrary file read flaw to extract sensitive information. --------------------------------------------- https://thehackernews.com/2024/12/critical-mitel-micollab-flaw-exposes.html ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (thunderbird, tuned, and webkitgtk), Mageia (python-aiohttp and qemu), Oracle (container-tools:ol8, firefox, java-1.8.0-openjdk, java-11-openjdk, kernel, kernel:4.18.0, krb5, pam, postgresql:16, python-tornado, python3:3.6.8, thunderbird, tigervnc, tuned, and webkit2gtk3), Red Hat (bzip2, postgresql, postgresql:13, postgresql:15, postgresql:16, python-tornado, and ruby:3.1), Slackware (python3), SUSE (postgresql, postgresql16, postgresql17, postgresql13, postgresql14, postgresql15, python-python-multipart, and python3), and Ubuntu (python-django and recutils). --------------------------------------------- https://lwn.net/Articles/1000870/ ∗∗∗ Vier Lücken in HPE Aruba Networking ClearPass Policy Manager geschlossen ∗∗∗ --------------------------------------------- In aktuellen Versionen von HPE Aruba Networking ClearPass Policy Manager haben die Entwickler insgesamt vier Sicherheitslücken geschlossen. Im schlimmsten Fall können Angreifer eigenen Code ausführen und Systeme kompromittieren. --------------------------------------------- https://heise.de/-10188868 ∗∗∗ Drupal: Entity Form Steps - Moderately critical - Cross site scripting - SA-CONTRIB-2024-071 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2024-071 ∗∗∗ Drupal: Minify JS - Moderately critical - Cross site request forgery - SA-CONTRIB-2024-070 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2024-070 ∗∗∗ Drupal: Download All Files - Critical - Access bypass - SA-CONTRIB-2024-069 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2024-069 ∗∗∗ Drupal: Pages Restriction Access - Critical - Access bypass - SA-CONTRIB-2024-068 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2024-068 ∗∗∗ Drupal: OAuth & OpenID Connect Single Sign On – SSO (OAuth/OIDC Client) - Critical - Cross Site Scripting - SA-CONTRIB-2024-067 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2024-067 ∗∗∗ Drupal: Print Anything - Critical - Unsupported - SA-CONTRIB-2024-066 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2024-066 ∗∗∗ Drupal: Megamenu Framework - Critical - Unsupported - SA-CONTRIB-2024-065 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2024-065 ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (November 25, 2024 to December 1, 2024) ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2024/12/wordfence-intelligence-weekly-wordpr… ∗∗∗ AutomationDirect C-More EA9 Programming Software ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-340-01 ∗∗∗ Planet Technology Planet WGS-804HPT ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-340-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.12.2024
by Daily end-of-shift report 04 Dec '24

04 Dec '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 03-12-2024 18:00 − Mittwoch 04-12-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Supply Chain Attack Detected in Solanas web3.js Library ∗∗∗ --------------------------------------------- A supply chain attack has been detected in versions 1.95.6 and 1.95.7 of the popular @solana/web3.js library, which receives more than ~350,000 weekly downloads on npm. These compromised versions contain injected malicious code that is designed to steal private keys from unsuspecting developers and users, potentially enabling attackers to drain cryptocurrency wallets. [..] npm has moved swiftly to remove the affected versions. [..] Anza recommends developers who suspect they were compromised to rotate any suspect authority keys, including multisigs, program authorities, and server keypairs. --------------------------------------------- https://socket.dev/blog/supply-chain-attack-solana-web3-js-library ∗∗∗ Jetzt patchen! Exploit für kritische Lücke in Whatsup Gold in Umlauf ∗∗∗ --------------------------------------------- Eine "kritische" Sicherheitslücke ist seit September dieses Jahres bekannt. Seitdem gibt es auch ein Sicherheitsupdate. Weil mittlerweile Exploitcode für die Schwachstelle kursiert, könnten Attacken bevorstehen. --------------------------------------------- https://heise.de/-10187538 ∗∗∗ Cisco Urges Immediate Patch for Decade-Old WebVPN Vulnerability ∗∗∗ --------------------------------------------- Cisco recently updated an advisory about a security flaw in the WebVPN login page of their ASA software, which can allow an unauthenticated, remote attacker to execute a cross-site scripting (XSS) attack on anyone using WebVPN on the Cisco ASA. [..] The vulnerability itself isn’t new – Cisco originally issued a warning back in March 2014. However, the company’s recent update highlights a concerning development: attackers are actively trying to exploit this decade-old bug. --------------------------------------------- https://hackread.com/cisco-patch-decade-old-webvpn-vulnerability/ ∗∗∗ (QR) Coding My Way Out of Here: C2 in Browser Isolation Environments ∗∗∗ --------------------------------------------- In this blog post, Mandiant demonstrates a novel technique that can be used to circumvent all three current types of browser isolation (remote, on-premises, and local) for the purpose of controlling a malicious implant via C2. Mandiant shows how attackers can use machine-readable QR codes to send commands from an attacker-controlled server to a victim device. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/c2-browser-isolati… ∗∗∗ Wegem schwerem Cyberangriff auf US-Provider: FBI wirbt für Verschlüsselung ∗∗∗ --------------------------------------------- Angesichts eines verheerenden Cyberangriffs auf US-Provider haben die US-Bundespolizei FBI und die Cybersicherheitsbehörde CISA die Menschen in den Vereinigten Staaten aufgefordert, ihre Kommunikation möglichst zu verschlüsseln. --------------------------------------------- https://heise.de/-10187110 ∗∗∗ Black Basta Ransomware Campaign Drops Zbot, DarkGate, and Custom Malware ∗∗∗ --------------------------------------------- Beginning in early October, Rapid7 has observed a resurgence of activity related to the ongoing social engineering campaign being conducted by Black Basta ransomware operators. --------------------------------------------- https://www.rapid7.com/blog/post/2024/12/04/black-basta-ransomware-campaign… ∗∗∗ PROXY.AM Powered by Socks5Systemz Botnet ∗∗∗ --------------------------------------------- After a year long investigation, Bitsight TRACE follows up on Socks5Systemz research. --------------------------------------------- https://www.bitsight.com/blog/proxyam-powered-socks5systemz-botnet ∗∗∗ New era of slop security reports for open source ∗∗∗ --------------------------------------------- Recently I've noticed an uptick in extremely low-quality, spammy, and LLM-hallucinated security reports to open source projects. [..] Security reports that waste maintainers' time result in confusion, stress, frustration, and to top it off a sense of isolation due to the secretive nature of security reports. [..] If this is happening to a handful of projects that I have visibility for, then I suspect that this is happening on a large scale to open source projects. This is a very concerning trend. --------------------------------------------- https://sethmlarson.dev/slop-security-reports ===================== = Vulnerabilities = ===================== ∗∗∗ Identitätsmanagement: Sicherheitslücke mit Höchstwertung bedroht IdentityIQ ∗∗∗ --------------------------------------------- Bislang gibt es von SailPoint noch keine Warnung zur Sicherheitslücke. Alle Informationen zur "kritischen" Schwachstelle (CVE-2024-10905) basieren derzeit auf einem Eintrag in der National Vulnerability Database (NVD) des National Insitute of Standards and Technology (NIST). [..] Die Lücke soll in den Ausgaben 8.2p8, 8.3p5 und 8.4p2 geschlossen sein. --------------------------------------------- https://heise.de/-10187194 ∗∗∗ Cisco NX-OS Software Image Verification Bypass Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the bootloader of Cisco NX-OS Software could allow an unauthenticated attacker with physical access to an affected device, or an authenticated, local attacker with administrative credentials, to bypass NX-OS image signature verification. CVE-2024-20397 --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Red Hat (go-toolset:rhel8, grafana, kernel, kernel-rt, kernel:4.18.0, pam, pam:1.5.1, pcs, postgresql:12, postgresql:15, postgresql:16, python3:3.6.8, qemu-kvm, rhc, rhc-worker-playbook, and virt:rhel and virt-devel:rhel) and SUSE (ansible-10, ansible-core, avahi, bpftool, python, python3, python36, webkit2gtk3, and xen). --------------------------------------------- https://lwn.net/Articles/1000721/ ∗∗∗ Scan2Net: Mehrere kritische Schwachstellen in Image Access Scan2Net ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/mehrere-kritische-sch… ∗∗∗ PGST: Mehrere Schwachstellen in PGST-Alarmanlagen (SYSS-2024-070 bis -073) ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/mehrere-schwachstellen-in-pgst-alarmanlage… ∗∗∗ F5: K000148830: Linux kernel vulnerabilities CVE-2024-41090 and CVE-2024-41091 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000148830 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.12.2024
by Daily end-of-shift report 03 Dec '24

03 Dec '24

===================== = End-of-Day report = ===================== Timeframe: Montag 02-12-2024 18:00 − Dienstag 03-12-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Building Cyber Resilience Against Ransomware Attacks ∗∗∗ --------------------------------------------- This is the first blogpost in this series. Its aim is twofold: to enable organizations embarking on a journey to build resilience against ransomware to recognize common misconceptions hindering readiness efforts and offer a conceptual framework to guide effective resilience building. --------------------------------------------- https://blog.nviso.eu/2024/12/03/building-cyber-resilience-against-ransomwa… ∗∗∗ Unveiling RevC2 and Venom Loader ∗∗∗ --------------------------------------------- Venom Spider, also known as GOLDEN CHICKENS, is a threat actor known for offering Malware-as-a-Service (MaaS) tools like VenomLNK, TerraLoader, TerraStealer, and TerraCryptor. These tools have been utilized by other threat groups such as FIN6 and Cobalt in the past. Recently, Zscaler ThreatLabz uncovered two significant campaigns leveraging Venom Spider's MaaS tools between August and October 2024. During our investigation, we identified two new malware families, which we named RevC2 and Venom Loader, that were deployed using Venom Spider MaaS Tools. --------------------------------------------- https://www.zscaler.com/blogs/security-research/unveiling-revc2-and-venom-l… ∗∗∗ Gafgyt Malware Targeting Docker Remote API Servers ∗∗∗ --------------------------------------------- Our researchers identified threat actors exploiting misconfigured Docker servers to spread the Gafgyt malware. This threat traditionally targets IoT devices; this new tactic signals a change in its behavior. --------------------------------------------- https://www.trendmicro.com/en_us/research/24/l/gafgyt-malware-targeting-doc… ∗∗∗ Secure Coding: Sichere Fehlerbehandlung in Java – CWE-778-Risiken vermeiden ∗∗∗ --------------------------------------------- Mit sicheren Java-Design-Patterns wie dem Decorator und Proxy Pattern die Kontrolle über Fehlerberichte verbessern – zum Schutz gegen CWE-778-Schwachstellen. --------------------------------------------- https://heise.de/-10084007 ∗∗∗ On Almost Signing Android Builds ∗∗∗ --------------------------------------------- This blog post has two goals: to raise awareness about this issue, to introduce a script intended as a quick check to verify if an Android build was (incorrectly) signed with a known private key. When Android-based devices boot up, first the bootloader is verified to be running signed code, then the bootloader verifies the high-level operating system (HLOS). This blog post only covers the latter part. --------------------------------------------- https://www.nccgroup.com/us/research-blog/on-almost-signing-android-builds/ ∗∗∗ Extracting Files Embedded Inside Word Documents, (Tue, Dec 3rd) ∗∗∗ --------------------------------------------- I found a sample that is a Word document with an embedded executable. I'll explain how to extract the embedded executable with my tools. --------------------------------------------- https://isc.sans.edu/diary/rss/31486 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (container-tools:rhel8, kernel, kernel-rt:4.18.0, kernel:4.18.0, pam, pam:1.5.1, perl-App-cpanminus, perl-App-cpanminus:1.7044, python-tornado, tigervnc, tuned, and webkit2gtk3), Debian (needrestart and webkit2gtk), Mageia (firefox, glib2.0, krb5, and thunderbird), Red Hat (firefox, postgresql, postgresql:12, postgresql:13, postgresql:15, postgresql:16, and thunderbird), SUSE (editorconfig-core-c, kernel, php7, php8, python, python-tornado6, python3-virtualenv, python310, python39, thunderbird, wget, and wireshark), and Ubuntu (firefox and haproxy). --------------------------------------------- https://lwn.net/Articles/1000591/ ∗∗∗ Zyxel security advisory for buffer overflow and post-authentication command injection vulnerabilities in some 4G LTE/5G NR CPE, DSL/Ethernet CPE, fiber ONTs, and WiFi extenders ∗∗∗ --------------------------------------------- CVE-2024-8748 ... could allow an attacker to cause denial of service (DoS) conditions against the web management interface [..] CVE-2024-9197 ... could allow an authenticated attacker with administrator privileges to cause DoS conditions against the web management interface [..] CVE-2024-9200 ... could allow an authenticated attacker with administrator privileges to execute operating system (OS) commands on a vulnerable device. --------------------------------------------- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-… ∗∗∗ Patchday: Android 12, 13, 14 und 15 für Schadcode-Attacken anfällig ∗∗∗ --------------------------------------------- In einer Warnmeldung hebt Google eine Sicherheitslücke (CVE-2024-43767 "hoch") im System als besonders bedrohlich hervor: Angreifer können Schadcode ausführen. Dafür seien keine zusätzlichen Ausführungsrechte nötig. Wie so ein Angriff genau ablaufen könnte, bleibt aber unklar. --------------------------------------------- https://heise.de/-10185926 ∗∗∗ HPE: HPESBGN04760 rev.1 - HPE AutoPass License Server (APLS), Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbgn04760en_us&doc… ∗∗∗ Fuji Electric Monitouch V-SFT ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-338-05 ∗∗∗ Fuji Electric Tellus Lite V-Simulator ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-338-06 ∗∗∗ ICONICS and Mitsubishi Electric GENESIS64 Products ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-338-04 ∗∗∗ Open Automation Software ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-338-03 ∗∗∗ Ruijie Reyee OS ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-338-01 ∗∗∗ F5: K000148809: Qt vulnerabilities CVE-2023-38197, CVE-2023-37369, and CVE-2023-32763 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000148809 ∗∗∗ F5: K000148689: Qt vulnerability CVE-2023-32762 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000148689 ∗∗∗ Veeam: Veeam Service Provider Console Vulnerability (CVE-2024-42448 | CVE-2024-42449) ∗∗∗ --------------------------------------------- https://www.veeam.com/kb4679 ∗∗∗ Veeam: Vulnerabilities Resolved in Veeam Backup & Replication 12.3 ∗∗∗ --------------------------------------------- https://www.veeam.com/kb4693 ∗∗∗ ZDI-24-1640: XnSoft XnView Classic RWZ File Parsing Integer Underflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-1640/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.12.2024
by Daily end-of-shift report 02 Dec '24

02 Dec '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 29-11-2024 18:00 − Montag 02-12-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Phishing: Angreifer umgehen Virenscan mittels beschädigter Word-Dokumente ∗∗∗ --------------------------------------------- Sicherheitsforscher sind auf eine neue Methode gestoßen, wie Cyberkriminelle präparierte Dokumente am Virenschutz vorbeischieben. --------------------------------------------- https://www.heise.de/-10184679 ∗∗∗ "Juice-Jacking": Wie gefährlich ist das Laden vom Smartphone im öffentlichen Raum? ∗∗∗ --------------------------------------------- Immer wieder warnen Behörden vor Angriffen durch manipulierte Charger, beim Cert Austria sieht man darin aber eine vorwiegend theoretische Bedrohung. --------------------------------------------- https://www.derstandard.at/story/3000000246594/juice-jacking-wie-gefaehrlic… ∗∗∗ Helldown, DoxNet & Darkrace Ransomware ∗∗∗ --------------------------------------------- In the following article I list some unique detection opportunities for all three ransomware groups, which seem to have the same affiliates or use the same server with similar ransomware variants to deploy their malware. --------------------------------------------- https://detect.fyi/helldown-donex-darktrace-ransomware-fd8683b7d135?source=… ∗∗∗ Code found online exploits LogoFAIL to install Bootkitty Linux backdoor ∗∗∗ --------------------------------------------- Researchers have discovered malicious code circulating in the wild that hijacks the earliest stage boot process of Linux devices by exploiting a year-old firmware vulnerability when it remains unpatched on affected models. [..] The ultimate objective of the exploit, which Binarly disclosed Friday, is to install Bootkitty, a bootkit for Linux that was found and reported on Wednesday by researchers from security firm ESET. --------------------------------------------- https://arstechnica.com/security/2024/11/code-found-online-exploits-logofai… ∗∗∗ Copilot: Administratorwissen zum Schutz der Daten ∗∗∗ --------------------------------------------- Microsoft hat ja damit begonnen, seine AI-Lösung Copilot in Microsoft Office-Anwendungen mit "Auto-Opt-in" an Kunden mit entsprechender Lizenz auszurollen. Administratoren kommt eine besondere Verantwortung zu, was den Schutz von Daten im Unternehmen betrifft. Microsoft hat dazu kürzlich einen Beitrag mit entsprechenden Hinweisen veröffentlicht. --------------------------------------------- https://www.borncity.com/blog/2024/12/01/copilot-was-administratoren-zum-sc… ∗∗∗ Cyber Resilience Act: Mehr Sicherheit für das Internet der Dinge ∗∗∗ --------------------------------------------- Der Cyber Resilience Act der EU soll vernetzte Geräte besser vor Angriffen aus dem Netz schützen. Unternehmen müssen ihn bis 2027 umsetzen. --------------------------------------------- https://www.golem.de/news/cyber-resilience-act-mehr-sicherheit-fuer-das-int… ∗∗∗ Digitale Bedrohungen: EU-Rat billigt Cyberschutzschild und Frühwarnsystem ∗∗∗ --------------------------------------------- Die EU-Staaten werden ein Cybersicherheitswarnsystem einrichten, mit dem sie Gefahren aus dem Internet quasi in Echtzeit erkennen und abwehren können wollen. --------------------------------------------- https://heise.de/-10185408 ∗∗∗ German intelligence launches task force to combat foreign election interference ∗∗∗ --------------------------------------------- Germanys domestic intelligence service (BfV) has created a special task force to counter cyberattacks, espionage, sabotage and disinformation campaigns ahead of federal elections in February. --------------------------------------------- https://therecord.media/german-bfv-election-task-force-cyberattacks-disinfo… ∗∗∗ Tamanoir: A KeyLogger using eBPF ∗∗∗ --------------------------------------------- Tamanoir is developed for educational purposes only. --------------------------------------------- https://github.com/pythops/tamanoir ∗∗∗ Webinar: Smartphone, Tablet & Co sicher nutzen! ∗∗∗ --------------------------------------------- Wie kann ich meine persönlichen Daten am Smartphone, Tablet & Co. schützen? In diesem Webinar zeigen wir Ihnen die wichtigsten Sicherheitseinstellungen – von Berechtigungen über Datenschutz bis hin zu Nutzungszeiten. Machen Sie mit unseren ExpertInnen Ihre digitalen Geräte sicher: Montag, 16. Dezember 2024, 18:30 - 20:00 Uhr via zoom. --------------------------------------------- https://www.watchlist-internet.at/news/webinar-smartphone-tablet-co-sicher-… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (dnsmasq, editorconfig-core, lemonldap-ng, proftpd-dfsg, python3.9, simplesamlphp, tgt, and xfpt), Fedora (qbittorrent, webkitgtk, and wireshark), Mageia (libsoup3 & libsoup), Red Hat (buildah, grafana, grafana-pcp, and podman), SUSE (gimp, kernel, postgresql14, python, webkit2gtk3, xen, and zabbix), and Ubuntu (ansible and postgresql-12, postgresql-14, postgresql-16). --------------------------------------------- https://lwn.net/Articles/1000465/ ∗∗∗ Multiple vulnerabilities in UNIVERGE IX/IX-R/IX-V series routers ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN53958863/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily December 2024