Daily February 2024

daily@lists.cert.at

1 participants
21 discussions

Tageszusammenfassung - 29.02.2024
by Daily end-of-shift report 29 Feb '24

29 Feb '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 28-02-2024 18:00 − Donnerstag 29-02-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ LockBit ransomware returns to attacks with new encryptors, servers ∗∗∗ --------------------------------------------- The LockBit ransomware gang is once again conducting attacks, using updated encryptors with ransom notes linking to new servers after last weeks law enforcement disruption. --------------------------------------------- https://www.bleepingcomputer.com/news/security/lockbit-ransomware-returns-t… ∗∗∗ Neue Ransomwaregruppe: Angeblicher Cyberangriff auf Epic Games bleibt zweifelhaft ∗∗∗ --------------------------------------------- Die Hackergruppe Mogilevich bietet im Darknet Daten von Epic Games im Umfang von 189 GByte zum Verkauf an. Zweifel an dem Angebot sind jedoch angebracht. --------------------------------------------- https://www.golem.de/news/daten-stehen-zum-verkauf-neue-ransomwaregruppe-ha… ∗∗∗ GTPDOOR Linux Malware Targets Telecoms, Exploiting GPRS Roaming Networks ∗∗∗ --------------------------------------------- Threat hunters have discovered a new Linux malware called GTPDOOR that’s designed to be deployed in telecom networks that are adjacent to GPRS roaming exchanges (GRX). The malware is novel in the fact that it leverages the GPRS Tunnelling Protocol (GTP) for command-and-control (C2) communications. --------------------------------------------- https://thehackernews.com/2024/02/gtpdoor-linux-malware-targets-telecoms.ht… ∗∗∗ New Silver SAML Attack Evades Golden SAML Defenses in Identity Systems ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed a new attack technique called Silver SAML that can be successful even in cases where mitigations have been applied against Golden SAML attacks. --------------------------------------------- https://thehackernews.com/2024/02/new-silver-saml-attack-evades-golden.html ∗∗∗ #StopRansomware: Phobos Ransomware ∗∗∗ --------------------------------------------- This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. --------------------------------------------- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-060a ∗∗∗ ALPHV is singling out healthcare sector, say FBI and CISA ∗∗∗ --------------------------------------------- CISA, FBI and HHS are warning about the ALPHV/ Blackcat ransomware group targeting the healthcare industry. --------------------------------------------- https://www.malwarebytes.com/blog/news/2024/02/alphv-is-singling-out-health… ∗∗∗ GUloader Unmasked: Decrypting the Threat of Malicious SVG Files ∗∗∗ --------------------------------------------- This sophisticated malware loader has garnered attention for its stealthy techniques and ability to evade detection, posing a significant risk to organizations and individuals. --------------------------------------------- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/guloader-unmasked-decr… ∗∗∗ Amazon-Vishing: Vorsicht vor Fake-Amazon-Anrufen! ∗∗∗ --------------------------------------------- Am Telefon geben sich Kriminelle als Amazon-Mitarbeiter:innen aus. Unter verschiedenen Vorwänden bringen sie Sie dazu, TeamViewer oder AnyDesk zu installieren und räumen Ihr Konto leer! Sollten Sie so einen Anruf erhalten, legen Sie auf und blockieren Sie die Nummer. --------------------------------------------- https://www.watchlist-internet.at/news/amazon-vishing-vorsicht-vor-fake-ama… ∗∗∗ ADCS ESC14 Abuse Technique ∗∗∗ --------------------------------------------- In this blog post, we will explore the variations of abuse of explicit certificate mapping in AD, what the requirements are, and how you can protect your environment against it. --------------------------------------------- https://posts.specterops.io/adcs-esc14-abuse-technique-333a004dc2b9 ∗∗∗ The Art of Domain Deception: Bifrosts New Tactic to Deceive Users ∗∗∗ --------------------------------------------- The RAT Bifrost has a new Linux variant that leverages a deceptive domain in order to compromise systems. We analyze this expanded attack surface. --------------------------------------------- https://unit42.paloaltonetworks.com/new-linux-variant-bifrost-malware/ ∗∗∗ Vulnerabilities in business VPNs under the spotlight ∗∗∗ --------------------------------------------- As adversaries increasingly set their sights on vulnerable enterprise VPN software to infiltrate corporate networks, concerns mount about VPNs themselves being a source of cyber risk. --------------------------------------------- https://www.welivesecurity.com/en/business-security/vulnerabilities-busines… ∗∗∗ IT-Sicherheitsprodukte von Sophos verschlucken sich am Schaltjahr ∗∗∗ --------------------------------------------- Aufgrund eines Fehlers können Sophos Endpoint, Home und Server vor dem Besucht legitimer Websites warnen. Erste Lösungen sind bereits verfügbar. --------------------------------------------- https://heise.de/-9642801 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium), Fedora (moodle), Red Hat (kernel, kernel-rt, and postgresql:15), Slackware (wpa_supplicant), SUSE (Java and rear27a), and Ubuntu (libcpanel-json-xs-perl, libuv1, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.4, linux-lowlatency, linux-lowlatency-hwe-6.5, linux-oem-6.5, python-openstackclient, and unbound). --------------------------------------------- https://lwn.net/Articles/964039/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ 2024-01 Security Bulletin: JSA Series: Multiple vulnerabilities resolved in JSA Applications ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-01-Security-Bulletin-JSA-S… ∗∗∗ On Demand: JSA Series: Multiple vulnerabilities resolved in Juniper Secure Analytics in 7.5.0 UP7 IF05 ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/On-Demand-JSA-Series-Multiple-v… ∗∗∗ Delta Electronics CNCSoft-B ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-060-01 ∗∗∗ MicroDicom DICOM Viewer ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-060-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.02.2024
by Daily end-of-shift report 28 Feb '24

28 Feb '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 27-02-2024 18:00 − Mittwoch 28-02-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Ivanti: Enhanced External Integrity Checking Tool to Provide Additional Visibility and Protection for Customers Against Evolving Threat Actor Techniques in Relation to Previously Disclosed Vulnerabilities ∗∗∗ --------------------------------------------- As part of our exhaustive investigation into the recent attack against our customers, Ivanti and Mandiant released findings today regarding evolving threat actor tactics, techniques and procedures (TTPs). These findings were identified in the ongoing analysis of the previously disclosed vulnerabilities affecting Ivanti Connect Secure, Policy Secure and ZTA gateways, and include potential persistence techniques that we are monitoring, even though to date they have not been deployed successfully in the wild. --------------------------------------------- https://www.ivanti.com/blog/enhanced-external-integrity-checking-tool-to-pr… ∗∗∗ Savvy Seahorse gang uses DNS CNAME records to power investor scams ∗∗∗ --------------------------------------------- A threat actor named Savvy Seahorse is abusing CNAME DNS records Domain Name System to create a traffic distribution system that powers financial scam campaigns. --------------------------------------------- https://www.bleepingcomputer.com/news/security/savvy-seahorse-gang-uses-dns… ∗∗∗ Take Downs and the Rest of Us: Do they matter?, (Tue, Feb 27th) ∗∗∗ --------------------------------------------- Last week, the US Department of Justice published a press release entitled "Justice Department Conducts Court-Authorized Disruption of Botnet Controlled by the Russian Federations Main Intelligence Directorate of the General Staff (GRU)". The disruption targeted a botnet built using the "Moobot" malware. According to the press release, this particular botnet focused on routers made by Ubiquity, using well-known default credentials. Why do nation-state actors go after "simple" home devices? --------------------------------------------- https://isc.sans.edu/diary/rss/30694 ∗∗∗ European diplomats targeted by SPIKEDWINE with WINELOADER ∗∗∗ --------------------------------------------- Zscalers ThreatLabz discovered a suspicious PDF file uploaded to VirusTotal from Latvia on January 30th, 2024. This PDF file is masqueraded as an invitation letter from the Ambassador of India, inviting diplomats to a wine-tasting event in February 2024. The PDF also included a link to a fake questionnaire that redirects users to a malicious ZIP archive hosted on a compromised site, initiating the infection chain. --------------------------------------------- https://www.zscaler.com/blogs/security-research/european-diplomats-targeted… ∗∗∗ Hacker-Gruppe fordert Bitcoins: Erpresserische E-Mails enthalten Wohnadresse als Druckmittel ∗∗∗ --------------------------------------------- „Es freut uns sehr dir mitteilen zu können, das du keine Ahnung von Cyber Security Hast und wir dein Handy infizieren konnten“ beginnt ein E-Mail von einer angeblichen Hacker-Gruppe mit dem Namen „Russian Blakmail Army“. Angeblich wurden private Fotos und Inhalte von Ihnen gesammelt. Wenn Sie nicht wollen, dass diese veröffentlicht werden, sollten Sie 1000 Euro an eine Bitcoin-Wallet senden. Ignorieren Sie dieses E-Mail, es handelt sich um Fake. --------------------------------------------- https://www.watchlist-internet.at/news/hacker-gruppe-fordert-bitcoins-erpre… ∗∗∗ Navigating the Cloud: Exploring Lateral Movement Techniques ∗∗∗ --------------------------------------------- We illuminate lateral movement techniques observed in the wild within cloud environments, including Amazon Web Services (AWS), Google Cloud Platform (GCP) and Microsoft Azure. --------------------------------------------- https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/ ∗∗∗ Lazarus and the FudModule Rootkit: Beyond BYOVD with an Admin-to-Kernel Zero-Day ∗∗∗ --------------------------------------------- Avast discovered an in-the-wild admin-to-kernel exploit for a previously unknown zero-day vulnerability in the appid.sys AppLocker driver. Thanks to Avast’s prompt report, Microsoft addressed this vulnerability as CVE-2024-21338 in the February Patch Tuesday update. The exploitation activity was orchestrated by the notorious Lazarus Group, with the end goal of establishing a kernel read/write primitive. This primitive enabled Lazarus to perform direct kernel object manipulation in an updated version of their data-only FudModule rootkit, a previous version of which was analyzed by ESET and AhnLab. --------------------------------------------- https://decoded.avast.io/janvojtesek/lazarus-and-the-fudmodule-rootkit-beyo… ∗∗∗ Russian Cyber Actors Use Compromised Routers to Facilitate Cyber Operations ∗∗∗ --------------------------------------------- This advisory provides observed tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), and recommendations to mitigate the threat posed by APT28 threat actors related to compromised EdgeRouters. --------------------------------------------- https://www.ic3.gov/Media/News/2024/240227.pdf ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (knot-resolver and wpa), Fedora (chromium, kernel, thunderbird, and yarnpkg), Mageia (c-ares), Oracle (firefox, kernel, opensc, postgresql:13, postgresql:15, and thunderbird), Red Hat (edk2, gimp:2.8, and kernel), SUSE (bind, bluez, container-suseconnect, dnsdist, freerdp, gcc12, gcc7, glib2, gnutls, kernel, kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t, libqt5-qtbase, libqt5-qtsvg, nodejs18, nodejs20, openssl, openssl-1_0_0, poppler, python-crcmod, python-cryptography, python-cryptography- vectors, python-pip, python-requests, python3-requests, python311, python39, rabbitmq-c, samba, sccache, shim, SUSE Manager 4.2, SUSE Manager Server 4.2, the Linux-RT Kernel, and thunderbird), and Ubuntu (less, openssl, php7.0, php7.2, php7.4, and tiff). --------------------------------------------- https://lwn.net/Articles/963957/ ∗∗∗ TeamViewer Passwort-Schwachstelle CVE-2024-0819 ∗∗∗ --------------------------------------------- Der Client für Windows sollte dringend auf die Version 15.51.5 aktualisiert werden. Der Hersteller hat einen Sicherheitshinweis veröffentlicht, aus dem hervorgeht, dass ältere Software-Versionen nur einen unvollständigen Schutz der persönlichen Kennworteinstellungen bieten. --------------------------------------------- https://www.borncity.com/blog/2024/02/28/teamviewer-passwort-schwachstelle-… ∗∗∗ Cisco Security Advisories 2024-02-28 ∗∗∗ --------------------------------------------- Security Impact Rating: 2x High, 3x Medium --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Checkmk: Werk #16361: Privilege escalation in Windows agent ∗∗∗ --------------------------------------------- https://checkmk.com/werk/16361 ∗∗∗ ARISTA Security Advisory 0093 ∗∗∗ --------------------------------------------- https://www.arista.com/en/support/advisories-notices/security-advisory/1903… ∗∗∗ Wiesemann & Theis: Multiple products prone to unquoted search path ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2024-018/ ∗∗∗ F5: K000138731 : Linux vulnerability CVE-2023-3776 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000138731 ∗∗∗ Google Chrome: Sicherheitsupdate bessert vier Schwachstellen aus ∗∗∗ --------------------------------------------- https://heise.de/-9641080 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.02.2024
by Daily end-of-shift report 27 Feb '24

27 Feb '24

===================== = End-of-Day report = ===================== Timeframe: Montag 26-02-2024 18:00 − Dienstag 27-02-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Open-Source Xeno RAT Trojan Emerges as a Potent Threat on GitHub ∗∗∗ --------------------------------------------- An "intricately designed" remote access trojan (RAT) called Xeno RAT has been made available on GitHub, making it available to other actors at no extra cost. --------------------------------------------- https://thehackernews.com/2024/02/open-source-xeno-rat-trojan-emerges-as.ht… ∗∗∗ Achtung Betrug: Kriminelle locken mit gratis Spar-Geschenkkarten und Klimatickets ∗∗∗ --------------------------------------------- Aktuell kursieren gefälschte Gewinnspiele für kostenlose Spar-Geschenkkarten und Klimatickets. Die Angebote werden per E-Mail, in Sozialen Netzwerken oder per Direktnachricht auf Ihr Handy verbreitet. Die verlockenden Angebote dienen dazu, Ihnen persönliche Daten und Geld zu stehlen! --------------------------------------------- https://www.watchlist-internet.at/news/achtung-betrug-kriminelle-locken-mit… ∗∗∗ Booking.com refund request? It might be an Agent Tesla malware attack ∗∗∗ --------------------------------------------- Always be wary of opening unsolicited attachments - they might harbour malware. --------------------------------------------- https://grahamcluley.com/booking-com-refund-request-it-might-be-an-agent-te… ∗∗∗ Phishing Malware That Sends Stolen Information Using Telegram API ∗∗∗ --------------------------------------------- Recently, several phishing scripts using Telegram are being distributed indiscriminately through keywords such as remittance and receipts. --------------------------------------------- https://asec.ahnlab.com/en/62177/ ∗∗∗ Threat Actor Groups, Including Black Basta, are Exploiting Recent ScreenConnect Vulnerabilities ∗∗∗ --------------------------------------------- This blog entry gives a detailed analysis of these recent ScreenConnect vulnerabilities. We also discuss our discovery of threat actor groups, including Black Basta and Bl00dy Ransomware gangs, that are actively exploiting CVE-2024-1708 and CVE-2024-1709 based on our telemetry. --------------------------------------------- https://www.trendmicro.com/en_us/research/24/b/threat-actor-groups-includin… ∗∗∗ Hunting PrivateLoader: The malware behind InstallsKey PPI service ∗∗∗ --------------------------------------------- Read the latest Bitsight research on PrivateLoader including important updates recently, including a new string encryption algorithm, a new alternative communication protocol and more. --------------------------------------------- https://www.bitsight.com/blog/hunting-privateloader-malware-behind-installs… ∗∗∗ Februar-Sicherheitsupdates für Windows 11 können fehlschlagen ∗∗∗ --------------------------------------------- Microsoft arbeitet an der Lösung eines Problems, das die Installation der Februar-Sicherheitsupdates in Windows 11 verhindert. --------------------------------------------- https://heise.de/-9639866 ===================== = Vulnerabilities = ===================== ∗∗∗ WordPress LiteSpeed Plugin Vulnerability Puts 5 Million Sites at Risk ∗∗∗ --------------------------------------------- A security vulnerability has been disclosed in the LiteSpeed Cache plugin for WordPress that could enable unauthenticated users to escalate their privileges. --------------------------------------------- https://thehackernews.com/2024/02/wordpress-litespeed-plugin.html ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (engrampa and libgit2), Fedora (libxls, perl-Spreadsheet-ParseXLSX, and wpa_supplicant), Gentoo (PyYAML), Mageia (packages and thunderbird), Red Hat (firefox, kernel, linux-firmware, thunderbird, and unbound), Slackware (openjpeg), SUSE (golang-github-prometheus-prometheus, installation-images, kernel, python-azure-core, python-azure-storage-blob, salt and python-pyzmq, SUSE Manager 4.2.11, SUSE Manager 4.3, SUSE Manager Server 4.2, and wayland), [...] --------------------------------------------- https://lwn.net/Articles/963805/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ XSA-451 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-451.html ∗∗∗ Zyxel Patches Remote Code Execution Bug in Firewall Products ∗∗∗ --------------------------------------------- https://www.securityweek.com/zyxel-patches-remote-code-execution-bug-in-fir… ∗∗∗ Festo: Multiple vulnerabilities affect MES PC shipped with Windows 10 ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-065/ ∗∗∗ Nagios XI: Schwachstellen CVE-2024-24401 und CVE-2024-24402; PoC öffentlich ∗∗∗ --------------------------------------------- https://www.borncity.com/blog/2024/02/27/nagios-xi-schwachstellen-cve-2024-… ∗∗∗ Mitsubishi Electric Multiple Factory Automation Products ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-058-01 ∗∗∗ Santesoft Sante DICOM Viewer Pro ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-058-01 ∗∗∗ VMSA-2024-0005 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2024-0005.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.02.2024
by Daily end-of-shift report 26 Feb '24

26 Feb '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 23-02-2024 18:00 − Montag 26-02-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Hijacked subdomains of major brands used in massive spam campaign ∗∗∗ --------------------------------------------- A massive ad fraud campaign named "SubdoMailing" is using over 8,000 legitimate internet domains and 13,000 subdomains to send up to five million emails per day to generate revenue through scams and malvertising. [..] As these domains belong to trusted companies, they gain the benefit of being able to bypass spam filters and, in some cases, take advantage of configured SPF and DKIM email policies that tell secure email gateways that the emails are legitimate and not spam. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hijacked-subdomains-of-major… ∗∗∗ New IDAT Loader Attacks Using Steganography to Deploy Remcos RAT ∗∗∗ --------------------------------------------- Ukrainian entities based in Finland have been targeted as part of a malicious campaign distributing a commercial remote access trojan known as Remcos RAT using a malware loader called IDAT Loader. --------------------------------------------- https://thehackernews.com/2024/02/new-idat-loader-attacks-using.html ∗∗∗ Actively exploited open redirect in Google Web Light ∗∗∗ --------------------------------------------- An open redirect vulnerability exists in the remains of Google Web Light service, which is being actively exploited in multiple phishing campaigns. Google decided not to fix it, so it might be advisable to block access to the Web Light domain in corporate environments. --------------------------------------------- https://untrustednetwork.net/en/2024/02/26/google-open-redirect/ ∗∗∗ Webinar: Wie schütze ich mich vor Identitätsdiebstahl? ∗∗∗ --------------------------------------------- n diesem Webinar schauen wir uns aktuelle Betrugsmaschen an und besprechen Tools, mit denen man sicherer im Internet unterwegs ist. --------------------------------------------- https://www.watchlist-internet.at/news/webinar-wie-schuetze-ich-mich-vor-id… ∗∗∗ Mattermost: Support for Extended Support Release 8.1 is ending soon ∗∗∗ --------------------------------------------- As of May 15, 2024, Mattermost Extended Support Release (ESR) version 8.1 will no longer be supported. If any of your servers are not on ESR 9.5 or later, upgrading is recommended. --------------------------------------------- https://mattermost.com/blog/support-for-extended-support-release-8-1-is-end… ∗∗∗ SVR Cyber Actors Adapt Tactics for Initial Cloud Access ∗∗∗ --------------------------------------------- This advisory details recent tactics, techniques, and procedures (TTPs) of the group commonly known as APT29, also known as Midnight Blizzard, the Dukes, or Cozy Bear. --------------------------------------------- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-057a ∗∗∗ Analysis of Nood RAT Used in Attacks Against Linux (Gh0st RAT’s Variant) ∗∗∗ --------------------------------------------- AhnLab SEcurity intelligence Center (ASEC) recently discovered that Nood RAT is being used in malware attacks. Nood RAT is a variant of Gh0st RAT that works in Linux. Although the number of Gh0st RAT for Linux is fewer compared to Gh0st RAT for Windows, the cases of Gh0st RAT for Linux are continuously being collected. --------------------------------------------- https://asec.ahnlab.com/en/62144/ ∗∗∗ Ransomware Roundup – Abyss Locker ∗∗∗ --------------------------------------------- FortiGuard Labs highlights the Abyss Locker ransomware group that steals information from victims and encrypts files for financial gain. --------------------------------------------- https://www.fortinet.com/blog/threat-research/ransomware-roundup-abyss-lock… ∗∗∗ Ransomware: LockBit gibt Fehler zu, plant Angriffe auf staatliche Einrichtungen ∗∗∗ --------------------------------------------- Die Ransomware-Gruppe LockBit gesteht Fehler aus Faulheit ein, macht sich über das FBI lustig und will Angriffe auf staatliche Einrichtungen intensivieren. --------------------------------------------- https://heise.de/-9638063 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gnutls28, iwd, libjwt, and thunderbird), Fedora (chromium, expat, mingw-expat, mingw-openexr, mingw-python3, mingw-qt5-qt3d, mingw-qt5-qtactiveqt, mingw-qt5-qtbase, mingw-qt5-qtcharts, mingw-qt5-qtdeclarative, mingw-qt5-qtgraphicaleffects, mingw-qt5-qtimageformats, mingw-qt5-qtlocation, mingw-qt5-qtmultimedia, mingw-qt5-qtquickcontrols, mingw-qt5-qtquickcontrols2, mingw-qt5-qtscript, mingw-qt5-qtsensors, mingw-qt5-qtserialport, mingw-qt5-qtsvg, mingw-qt5-qttools, mingw-qt5-qttranslations, mingw-qt5-qtwebchannel, mingw-qt5-qtwebsockets, mingw-qt5-qtwinextras, mingw-qt5-qtxmlpatterns, and thunderbird), Gentoo (btrbk, Glances, and GNU Aspell), Mageia (clamav and xen, qemu and libvirt), Oracle (firefox and postgresql), Red Hat (firefox, opensc, postgresql:10, postgresql:12, postgresql:13, postgresql:15, thunderbird, and unbound), SUSE (firefox, java-1_8_0-ibm, libxml2, and thunderbird), and Ubuntu (binutils, linux, linux-aws, linux-gcp, linux-hwe-6.5, linux-laptop, linux-oracle, linux-raspi, linux-starfive, linux, linux-azure, linux-azure-5.15, linux-azure-fde, linux-gcp, linux-gcp-5.15, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, linux-raspi, linux-azure, linux-oem-6.1, and roundcube). --------------------------------------------- https://lwn.net/Articles/963725/ ∗∗∗ Critical Flaw in Popular ‘Ultimate Member’ WordPress Plugin ∗∗∗ --------------------------------------------- The vulnerability carries a CVSS severity score of 9.8/10 and affects web sites running the Ultimate Member WordPress membership plugin. --------------------------------------------- https://www.securityweek.com/critical-flaw-in-popular-ultimate-member-wordp… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Local Privilege Escalation via DLL Hijacking im Qognify VMS Client Viewer ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/local-privilege-escal… ∗∗∗ F5: K000138695 : OpenSSL vulnerability CVE-2024-0727 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000138695 ∗∗∗ F5: K000138682 : libssh vulnerability CVE-2023-2283 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000138682 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.02.2024
by Daily end-of-shift report 23 Feb '24

23 Feb '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 22-02-2024 18:00 − Freitag 23-02-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Web3 Crypto Malware: Angel Drainer – From Phishing Sites to Malicious Injections ∗∗∗ --------------------------------------------- In this post, we’ll describe how bad actors have started using crypto drainers to monetize traffic to compromised sites. Our analysis starts with a brief overview of the threat landscape and investigation of Wave 2 (the most massive infection campaign) before covering Angel Drainer scan statistics, predecessors, and most recent variants of website hacks that involve crypto drainers. --------------------------------------------- https://blog.sucuri.net/2024/02/web3-crypto-malware-angel-drainer.html ∗∗∗ Shortcuts-Lücke: Zero-Day-Exploit konnte Apples Systemsicherheit aushebeln ∗∗∗ --------------------------------------------- Apples TCC-Verfahren soll eigentlich verhindern, dass böswillige Apps ausgeführt werden. Mittels Shortcuts war das doch möglich. Die Lücke ist gestopft. --------------------------------------------- https://www.heise.de/-9636600 ∗∗∗ Intruders in the Library: Exploring DLL Hijacking ∗∗∗ --------------------------------------------- Dynamic-link library (DLL) hijacking remains a popular technique to run malware. We address its evolution using examples from the realm of cybercrime and more. --------------------------------------------- https://unit42.paloaltonetworks.com/dll-hijacking-techniques/ ∗∗∗ Everything you need to know about IP grabbers ∗∗∗ --------------------------------------------- You would never give your personal ID to random strangers, right? So why provide the ID of your computer? Unsuspecting users beware, IP grabbers do not ask for your permission. --------------------------------------------- https://www.welivesecurity.com/en/cybersecurity/everything-you-need-to-know… ∗∗∗ Weitere Informationen zu Angriffen gegen ConnectWise ScreenConnect ∗∗∗ --------------------------------------------- Sophos hat einen Überblick über Angriffe gegen ConnectWise ScreenConnect veröffentlicht. Demnach wurden bereits verschiedene Arten von Ransomware, verschiedene Information Stealer und auch unterschiedliche Remote-Access-Trojans (RATs) auf Basis der kürzlich von ConnectWise veröffentlichten Vulnerabilities in ScreenConnect deployt. Diese heterogene Bedrohungslage bedingt zur Abklärung einer bereits stattgefundenen Kompromittierung auch einen abstrahierten Blick auf etwaige eigene Installationen. Sophos beschreibt in den Kapiteln "Recommendations" und "Threat hunting information" Empfehlungen zur Vorgangsweise, selbst betriebene Instanzen auf Kompromittierungen zu untersuchen. Wir empfehlen weiterhin, etwaige eigene Installationen von ConnectWise ScreenConnect eine genaueren Untersuchung zuzuführen - auch wenn die vom Hersteller herausgegebenen Updates bereits eingespielt wurden. --------------------------------------------- https://cert.at/de/aktuelles/2024/2/weitere-informationen-zu-angriffen-gege… ∗∗∗ ProxyNotShell: Scan-Problematik der "false positives" bei Exchange (nmap, Greenbone) ∗∗∗ --------------------------------------------- Ende September 2022 scheuchte die als ProxyNotShell bekannt gewordene Schwachstelle in Microsoft Exchange Server Administratoren auf. Die Anfang August 2022 entdeckte Schwachstelle wurde als 0-day mit Exploits angegriffen und Microsoft brauchte mehrere Versuche, die Sicherheitslücke zu schließen. Inzwischen gibt es Scanner wie nmap oder Greenbone, um Exchange Server auf diese Schwachstelle zu prüfen. Allerdings liefern diese Scanner ggf. auch Fehlalarme. --------------------------------------------- https://www.borncity.com/blog/2024/02/23/proxynotshell-scan-problematik-der… ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitsupdate: Root-Lücke bedroht Servermonitoringtool Nagios XI ∗∗∗ --------------------------------------------- Admins sollten das Dienste-Monitoring mit Nagios XI aus Sicherheitsgründen zeitnah auf den aktuellen Stand bringen. --------------------------------------------- https://www.heise.de/-9636505 ∗∗∗ Sicherheitslücken: GitLab gegen mögliche Attacken abgesichert ∗∗∗ --------------------------------------------- Updates schließen mehrere Schwachstellen in GitLab. Eine Lücke bleibt aber offensichtlich erstmal bestehen. --------------------------------------------- https://www.heise.de/-9636995 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, imagemagick, and iwd), Fedora (chromium, firefox, and pdns-recursor), Mageia (nodejs and yarnpkg), Red Hat (firefox, postgresql, and postgresql:15), and SUSE (bind, mozilla-nss, openssh, php-composer2, python-pycryptodome, python-uamqp, python310, and tiff). --------------------------------------------- https://lwn.net/Articles/963352/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Sonicwall: SMA100 MFA Improper Access Control Vulnerability ∗∗∗ --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0001 ∗∗∗ F5: K000138693 : Linux kernel vulnerabilities CVE-2023-4206, CVE-2023-4207, and CVE-2023-4208 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000138693 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.02.2024
by Daily end-of-shift report 22 Feb '24

22 Feb '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 21-02-2024 18:00 − Donnerstag 22-02-2024 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ New SSH-Snake malware steals SSH keys to spread across the network ∗∗∗ --------------------------------------------- A threat actor is using an open-source network mapping tool named SSH-Snake to look for private keys undetected and move laterally on the victim infrastructure. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-ssh-snake-malware-steals… ∗∗∗ Google Play Store: Banking-Trojaner nimmt europäische Nutzer ins Visier ∗∗∗ --------------------------------------------- Im Google Play Store tauchen Varianten des Anatsa-Banking-Trojaners auf. Sie kommen auf über 100.000 Installationen. --------------------------------------------- https://www.heise.de/news/Google-Play-Store-Banking-Trojaner-nimmt-europaei… ∗∗∗ Why ransomware gangs love using RMM tools—and how to stop them ∗∗∗ --------------------------------------------- More and more ransomware gangs are using RMM tools in their attacks. --------------------------------------------- https://www.malwarebytes.com/blog/business/2024/02/why-ransomware-gangs-lov… ∗∗∗ Unmasking Lorenz Ransomware: A Dive into Recent Tactics, Techniques and Procedures ∗∗∗ --------------------------------------------- In the ever-evolving landscape of cyber threats, ransomware remains a persistent menace, with groups like Lorenz actively exploiting vulnerabilities in small to medium businesses globally. --------------------------------------------- https://research.nccgroup.com/2024/02/22/unmasking-lorenz-ransomware-a-dive… ∗∗∗ Angriffe gegen ConnectWise ScreenConnect ∗∗∗ --------------------------------------------- Die Remote Desktop und Access Software ConnectWise ScreenConnect ist aktuell Ziel von Cyberangriffen. Der Hersteller der Software hatte kürzlich ein Security Advisory bezüglich Authentication Bypass und Path Traversal Vulnerabilities veröffentlicht und dieses inzwischen um Hinweise auf bereits laufende Angriff und Indikatoren für eine bereits stattgefundene Kompromittierung erweitert. --------------------------------------------- https://cert.at/de/aktuelles/2024/2/angriffe-gegen-connectwise-screenconnect ∗∗∗ TinyTurla-NG in-depth tooling and command and control analysis ∗∗∗ --------------------------------------------- Cisco Talos, in cooperation with CERT.NGO, has discovered new malicious components used by the Turla APT. New findings from Talos illustrate the inner workings of the command and control (C2) scripts deployed on the compromised WordPress servers utilized in the compromise we previously disclosed. --------------------------------------------- https://blog.talosintelligence.com/tinyturla-ng-tooling-and-c2/ ∗∗∗ LockBit Attempts to Stay Afloat With a New Version ∗∗∗ --------------------------------------------- This research is the result of our collaboration with the National Crime Agency in the United Kingdom, who took action against LockBit as part of Operation Cronos, an international effort resulting in the undermining of its operations. --------------------------------------------- https://www.trendmicro.com/en_us/research/24/b/lockbit-attempts-to-stay-afl… ∗∗∗ Decrypted: HomuWitch Ransomware ∗∗∗ --------------------------------------------- HomuWitch is a ransomware strain that initially emerged in July 2023. Unlike the majority of current ransomware strains, HomuWitch targets end-users - individuals - rather than institutions and companies. --------------------------------------------- https://decoded.avast.io/threatresearch/decrypted-homuwitch-ransomware/ ∗∗∗ “To live is to fight, to fight is to live! - IBM ODM Remote Code Execution ∗∗∗ --------------------------------------------- In today’s match-up, we’re looking at various versions(both old and new!) of IBM’s “Operational Decision Manager” (ODM). --------------------------------------------- https://labs.watchtowr.com/double-k-o-rce-in-ibm-operation-decision-manager/ ===================== = Vulnerabilities = ===================== ∗∗∗ Codeschmuggel-Lücke in diversen HP Laser-Druckern ∗∗∗ --------------------------------------------- HP warnt mit gleich zwei Sicherheitsmeldungen vor Lücken in diversen Laserjet-Druckern. Firmwareupdates sollen sie schließen. --------------------------------------------- https://www.heise.de/news/Codeschmuggel-Luecke-in-diversen-HP-Laser-Drucker… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (python-pillow), Debian (firefox-esr and imagemagick), Fedora (kernel, mbedtls, rust-asyncgit, rust-bat, rust-cargo-c, rust-eza, rust-git-absorb, rust-git-delta, rust-git2, rust-gitui, rust-libgit2-sys, rust-lsd, rust-pore, rust-pretty-git-prompt, rust-shadow-rs, rust-silver, rust-tokei, and rust-vergen), Gentoo (LibreOffice), Red Hat (kpatch-patch), Slackware (mozilla), SUSE (docker, python-pycryptodome, python3, and qemu), [...] --------------------------------------------- https://lwn.net/Articles/963205/ ∗∗∗ Progress Kemp LoadMaster (Load-Balancer) Schwachstelle CVE-2024-1212 ∗∗∗ --------------------------------------------- Zum 8. Februar 2024 gab es den Hinweis für Administratoren, die den Load-Balancer LoadMaster von Progress Kemp verwenden, dessen Firmware zu aktualisieren. --------------------------------------------- https://www.borncity.com/blog/2024/02/22/progress-kemp-loadmaster-load-bala… ∗∗∗ 2024-02-22: Cyber Security Advisory - B&R Automation Studio & Technology Guarding products use insufficient communication encryption ∗∗∗ --------------------------------------------- https://www.br-automation.com/fileadmin/SA23P019_Automation_Studio_Upgrade_… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ WAGO: Multiple products affected by Terrapin ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2024-014/ ∗∗∗ [R1] Tenable Identity Exposure Secure Relay Version 3.59.4 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2024-03 ∗∗∗ [R1] Tenable Identity Exposure Version 3.59.4 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2024-04 ∗∗∗ Delta Electronics CNCSoft-B DOPSoft ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-053-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.02.2024
by Daily end-of-shift report 21 Feb '24

21 Feb '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 20-02-2024 18:00 − Mittwoch 21-02-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Open Source in Enterprise Environments - Where Are We Now and What Is Our Way Forward? ∗∗∗ --------------------------------------------- We have been used to hearing that free and open source software and enterprise environments in Big Business are fundamentally opposed and do not mix well. Is that actually the case, or should we rather explore how business and free software can both benefit going forward? --------------------------------------------- https://bsdly.blogspot.com/2022/09/open-source-in-enterprise-environments.h… ∗∗∗ VoltSchemer attacks use wireless chargers to inject voice commands, fry phones ∗∗∗ --------------------------------------------- A team of academic researchers show that a new set of attacks called VoltSchemer can inject voice commands to manipulate a smartphones voice assistant through the magnetic field emitted by an off-the-shelf wireless charger. --------------------------------------------- https://www.bleepingcomputer.com/news/security/voltschemer-attacks-use-wire… ∗∗∗ Security: Forscher erzeugen Fingerabdrücke aus Wischgeräuschen ∗∗∗ --------------------------------------------- Die Methode basiert auf einer Reihe komplexer Algorithmen, mit denen sich schließlich ein Master-Fingerabdruck erzeugen lässt. --------------------------------------------- https://www.golem.de/news/security-forscher-erzeugen-fingerabdruecke-aus-wi… ∗∗∗ Phishing pages hosted on archive.org, (Wed, Feb 21st) ∗∗∗ --------------------------------------------- The Internet Archive is a well-known and much-admired institution, devoted to creating a “digital library of Internet sites and other cultural artifacts in digital form”[1]. [...] Unfortunately, since it allows for uploading of files by users, it is also used by threat actors to host malicious content from time to time[2,3]. --------------------------------------------- https://isc.sans.edu/diary/rss/30676 ∗∗∗ Breakdown of Tycoon Phishing-as-a-Service System ∗∗∗ --------------------------------------------- Just weeks after Trustwave SpiderLabs reported on the Greatness phishing-as-a-service (PaaS) framework, SpiderLabs’ Email Security team is tracking another PaaS called Tycoon Group. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/breakdown-o… ∗∗∗ re: Zyxel VPN Series Pre-auth Remote Command Execution ∗∗∗ --------------------------------------------- An unauthenticated command injection exploit affecting Zyxel firewalls was published in late January without an associated CVE. The vulnerability turns out to be CVE-2023-33012. The associated disclosure did not mention any caveats to exploitation, but it turns out only an uncommon configuration is affected. --------------------------------------------- https://vulncheck.com/blog/zyxel-cve-2023-33012 ∗∗∗ Vibrator virus steals your personal information ∗∗∗ --------------------------------------------- One of our customers found their vibrator was buzzing with a hint of malware. --------------------------------------------- https://www.malwarebytes.com/blog/news/2024/02/vibrator-virus-steals-your-p… ∗∗∗ Redis Servers Targeted With New ‘Migo’ Malware ∗∗∗ --------------------------------------------- Attackers weaken Redis instances to deploy the new Migo malware and install a rootkit and cryptominers. --------------------------------------------- https://www.securityweek.com/redis-servers-targeted-with-new-migo-malware/ ∗∗∗ Fake-SMS zum Ablauf der Finanz-Online ID im Umlauf! ∗∗∗ --------------------------------------------- Kriminelle versenden aktuell massenhaft SMS im Namen des BMF zum angeblichen Ablauf der FinanzOnline ID, beziehungsweise ID Austria. Links in den Smishing-Nachrichten führen auf gefälschte Finanz-Online-Websites, auf denen persönliche Daten abgegriffen werden. Diese Daten können anschließend für personalisierte Folgebetrugsmaschen eingesetzt werden. Ignorieren Sie diese SMS-Nachrichten! --------------------------------------------- https://www.watchlist-internet.at/news/fake-sms-zum-ablauf-der-finanz-onlin… ∗∗∗ Detecting Malicious Actors By Observing Commands in Shell History ∗∗∗ --------------------------------------------- Among the myriad techniques and tools at the disposal of cybersecurity experts, one subtle yet powerful method often goes unnoticed: the analysis of shell history to detect malicious actors. --------------------------------------------- https://orca.security/resources/blog/understand-shell-commands-detect-malic… ∗∗∗ Practical Vulnerability Archaeology Starring Ivantis CVE-2021-44529 ∗∗∗ --------------------------------------------- In 2021, Ivanti patched a vulnerability that they called “code injection”. Rumors say it was a backdoor in an open source project. Let’s find out what actually happened! --------------------------------------------- https://www.greynoise.io/blog/practical-vulnerability-archaeology-starring-… ∗∗∗ CISA, EPA, and FBI Release Top Cyber Actions for Securing Water Systems ∗∗∗ --------------------------------------------- Today, CISA, the Environmental Protection Agency (EPA), and the Federal Bureau of Investigation (FBI) released the joint fact sheet Top Cyber Actions for Securing Water Systems. This fact sheet outlines the following practical actions Water and Wastewater Systems (WWS) Sector entities can take to better protect water systems from malicious cyber activity and provides actionable guidance [...] --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/02/21/cisa-epa-and-fbi-release… ∗∗∗ Lucifer DDoS botnet Malware is Targeting Apache Big-Data Stack ∗∗∗ --------------------------------------------- Aqua Nautilus has unveiled a new campaign targeting Apache big-data stack, specifically Apache Hadoop and Apache Druid. Upon investigation, it was discovered that the attacker exploits existing misconfigurations and vulnerabilities within our Apache cloud honeypots to execute the attacks. --------------------------------------------- https://blog.aquasec.com/lucifer-ddos-botnet-malware-is-targeting-apache-bi… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Unified Intelligence Center Insufficient Access Control Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the Live Data server of Cisco Unified Intelligence Center could allow an unauthenticated, local attacker to read and modify data in a repository that belongs to an internal service on an affected device. This vulnerability is due to insufficient access control implementations on cluster configuration CLI requests. An attacker could exploit this vulnerability by sending a cluster configuration CLI request to specific directories on an affected device. --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- In February 2024, the Cisco Product Security Incident Response Team (PSIRT) became aware of additional attempted exploitation of this vulnerability in the wild. Cisco continues to strongly recommend that customers upgrade to a fixed software release to remediate this vulnerability. --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ WS_FTP Server Service Pack (February 2024) ∗∗∗ --------------------------------------------- This article contains the details of the specific updates within the WS_FTP Server February 2024 Service Pack. The Service Pack contains a fix for the newly disclosed CVE described below. Progress highly recommends you apply this Service Pack for product updates and security improvements. For Service Pack content, please review the Service Pack Release Notes and this knowledgebase article carefully. --------------------------------------------- https://community.progress.com/s/article/WS-FTP-Server-Service-Pack-Februar… ∗∗∗ Broadcom schließt Sicherheitslücken in VMware Aria Operations und EAP-Plug-in ∗∗∗ --------------------------------------------- Broadcom verteilt Updates für VMware Aria Operations und das EAP Browser Plug-in. Sie bessern teils kritische Sicherheitslücken aus. --------------------------------------------- https://www.heise.de/-9634714.html ∗∗∗ Firefox und Thunderbird: Neue Versionen liefern Sicherheitsfixes ∗∗∗ --------------------------------------------- Neue Versionen von Firefox, Firefox ESR und Thunderbird stehen bereit. Sie dichten im Kern Sicherheitslücken ab. --------------------------------------------- https://www.heise.de/-9634418.html ∗∗∗ VMSA-2024-0003 ∗∗∗ --------------------------------------------- Addressing Arbitrary Authentication Relay and Session Hijack Vulnerabilities in Deprecated VMware Enhanced Authentication Plug-in (EAP) (CVE-2024-22245, CVE-2024-22250) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2024-0003.html ∗∗∗ VMSA-2024-0004 ∗∗∗ --------------------------------------------- VMware Aria Operations updates address local privilege escalation vulnerability. (CVE-2024-22235) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2024-0004.html ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (linux-firmware and python-reportlab), Debian (unbound), Fedora (freeglut and syncthing), Red Hat (edk2, go-toolset:rhel8, java-1.8.0-ibm, kernel, kernel-rt, mysql:8.0, oniguruma, and python-pillow), Slackware (libuv and mozilla), SUSE (abseil-cpp, grpc, opencensus-proto, protobuf, python- abseil, python-grpcio, re2, bind, dpdk, firefox, hdf5, libssh, libssh2_org, libxml2, mozilla-nss, openssl-1_1, openvswitch, postgresql12, postgresql13, postgresql14, postgresql15, postgresql16, python-aiohttp, python-time-machine, python-pycryptodomex, runc, and webkit2gtk3), and Ubuntu (kernel, libspf2, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, and linux, linux-aws, linux-kvm, linux-lts-xenial). --------------------------------------------- https://lwn.net/Articles/963035/ ∗∗∗ Chrome 122, Firefox 123 Patch High-Severity Vulnerabilities ∗∗∗ --------------------------------------------- Google and Mozilla resolve high-severity memory safety vulnerabilities with the latest Chrome and Firefox updates. --------------------------------------------- https://www.securityweek.com/chrome-122-firefox-123-patch-high-severity-vul… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ K000138649 : GnuTLS vulnerability CVE-2023-5981 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000138649 ∗∗∗ K000138650 : cURL vulnerability CVE-2023-46218 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000138650 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.02.2024
by Daily end-of-shift report 20 Feb '24

20 Feb '24

===================== = End-of-Day report = ===================== Timeframe: Montag 19-02-2024 18:00 − Dienstag 20-02-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Ransomware: Lockbit durch Ermittler zerschlagen - zwei Festnahmen ∗∗∗ --------------------------------------------- Operation Cronos: Je eine Verhaftung in Polen und der Ukraine, Ermittler haben Datenschatz sowie Zugriff auf Kryptogeld und Websites von Lockbit erbeutet. --------------------------------------------- https://www.heise.de/-9633327 ∗∗∗ Hackers exploit critical RCE flaw in Bricks WordPress site builder ∗∗∗ --------------------------------------------- Hackers are actively exploiting a critical remote code execution (RCE) flaw impacting the Brick Builder Theme to run malicious PHP code on vulnerable sites. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-exploit-critical-rce… ∗∗∗ Cactus ransomware claim to steal 1.5TB of Schneider Electric data ∗∗∗ --------------------------------------------- The Cactus ransomware gang claims they stole 1.5TB of data from Schneider Electric after breaching the companys network last month. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cactus-ransomware-claim-to-s… ∗∗∗ Over 28,500 Exchange servers vulnerable to actively exploited bug ∗∗∗ --------------------------------------------- Up to 97,000 Microsoft Exchange servers may be vulnerable to a critical severity privilege escalation flaw tracked as CVE-2024-21410 that hackers are actively exploiting. --------------------------------------------- https://www.bleepingcomputer.com/news/security/over-28-500-exchange-servers… ∗∗∗ Vorsicht vor falschen Microsoft-Sicherheitswarnungen beim Surfen im Internet ∗∗∗ --------------------------------------------- Beim Surfen im Internet taucht plötzlich eine Sicherheitswarnung von Microsoft auf. Darin heißt es, dass Ihr Gerät von einem Virus befallen sei und Sie die „Windowshilfe“ anrufen sollen. Rufen Sie diese Nummer keinesfalls an. Es handelt sich um ein betrügerisches Pop-Up-Fenster. Wenn Sie anrufen, stehlen Kriminelle Daten und Geld! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-falschen-microsoft-sich… ∗∗∗ Astaroth, Mekotio & Ousaban abusing Google Cloud Run in LATAM-focused malware campaigns ∗∗∗ --------------------------------------------- Google Cloud Run is currently being abused in high-volume malware distribution campaigns, spreading several banking trojans such as Astaroth (aka Guildma), Mekotio and Ousaban to targets across Latin America and Europe. The volume of emails associated with these campaigns has significantly increased since September 2023 and we continue to regularly observe new email distribution campaigns. --------------------------------------------- https://blog.talosintelligence.com/google-cloud-run-abuse/ ∗∗∗ A technical analysis of the BackMyData ransomware used to attack hospitals in Romania ∗∗∗ --------------------------------------------- Summary According to BleepingComputer, a ransomware attack that occurred starting 0n February 11 forced 100 hospitals across Romania to take their systems offline. BackMyData ransomware, which took credit for it, belongs to the Phobos family. --------------------------------------------- https://cybergeeks.tech/a-technical-analysis-of-the-backmydata-ransomware-u… ===================== = Vulnerabilities = ===================== ∗∗∗ Critical Flaws Found in ConnectWise ScreenConnect Software - Patch Now ∗∗∗ --------------------------------------------- ConnectWise has released software updates to address two security flaws in its ScreenConnect remote desktop and access software, including a critical bug that could enable remote code execution on affected systems. The vulnerabilities, which currently lack CVE identifiers, are listed below - Authentication bypass using an alternate path or channel (CVSS score: 10.0) - Improper limitation of a pathname to a restricted directory aka "path traversal" (CVSS score: 8.4) --------------------------------------------- https://thehackernews.com/2024/02/critical-flaws-found-in-connectwise.html ∗∗∗ Multiple Stored Cross-Site-Scripting Vulnerabilities in OpenOLAT (Frentix GmbH) ∗∗∗ Several stored XSS vulnerabilities were identified in the open source e-learning application OpenOLAT, as well as missing security measures in the standard configurations regarding content security policy (CSP). [..] The vendor provides a patch which should be installed immediately. --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/mutiple-stored-cross-sit… ∗∗∗ SQL Injection Vulnerability Patched in RSS Aggregator by Feedzy WordPress Plugin ∗∗∗ --------------------------------------------- On February 1st, 2024, during our second Bug Bounty Extravaganza, we received a submission for a SQL Injection vulnerability in RSS Aggregator by Feedzy, a WordPress plugin with more than 50,000+ active installations. The vulnerability enables threat actors with contributor-level permissions or higher to extract sensitive data from the database, such as password hashes. --------------------------------------------- https://www.wordfence.com/blog/2024/02/sql-injection-vulnerability-patched-… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (freeglut, hugin, libmodsecurity, qemu, rust-asyncgit, rust-bat, rust-cargo-c, rust-eza, rust-git-absorb, rust-git-delta, rust-git2, rust-gitui, rust-libgit2-sys, rust-lsd, rust-pore, rust-pretty-git-prompt, rust-shadow-rs, rust-silver, rust-tokei, and rust-vergen), Mageia (packages, radare2, ruby-rack, and wireshark), Oracle (.NET 8.0 and python-pillow), Red Hat (gimp:2.8, java-1.8.0-ibm, and kpatch-patch), SUSE (dpdk and opera), and Ubuntu (bind9, curl, linux-raspi, linux-raspi-5.4, node-ip, and tiff). --------------------------------------------- https://lwn.net/Articles/962881/ ∗∗∗ Zyxel security advisory for multiple vulnerabilities in firewalls and APs ∗∗∗ --------------------------------------------- Zyxel has released patches addressing multiple vulnerabilities in some firewall and access point (AP) versions. Users are advised to install the patches for optimal protection. CVEs: CVE-2023-6397, CVE-2023-6398, CVE-2023-6399, CVE-2023-6764 --------------------------------------------- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-… ∗∗∗ Joomla: [20240205] - Core - Inadequate content filtering within the filter code ∗∗∗ --------------------------------------------- https://developer.joomla.org:443/security-centre/929-20240205-core-inadequa… ∗∗∗ Joomla: [20240204] - Core - XSS in mail address outputs ∗∗∗ --------------------------------------------- https://developer.joomla.org:443/security-centre/928-20240204-core-xss-in-m… ∗∗∗ Joomla: [20240203] - Core - XSS in media selection fields ∗∗∗ --------------------------------------------- https://developer.joomla.org:443/security-centre/927-20240203-core-xss-in-m… ∗∗∗ Joomla: [20240202] - Core - Open redirect in installation application ∗∗∗ --------------------------------------------- https://developer.joomla.org:443/security-centre/926-20240202-core-open-red… ∗∗∗ Joomla: [20240201] - Core - Insufficient session expiration in MFA management views ∗∗∗ --------------------------------------------- https://developer.joomla.org:443/security-centre/925-20240201-core-insuffic… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Mozilla: Security Vulnerabilities fixed in Firefox 123 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2024-05/ ∗∗∗ MISP 2.4.185 released with sighting performance improvements, security and bugs fixes. ∗∗∗ --------------------------------------------- https://github.com/MISP/MISP/releases/tag/v2.4.185 ∗∗∗ Ethercat Zeek Plugin ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-051-02 ∗∗∗ Mitsubishi Electric Electrical Discharge Machines ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-051-03 ∗∗∗ Commend WS203VICM ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-051-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.02.2024
by Daily end-of-shift report 19 Feb '24

19 Feb '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 16-02-2024 18:00 − Montag 19-02-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Anatsa Android malware downloaded 150,000 times via Google Play ∗∗∗ --------------------------------------------- The Anatsa banking trojan has been targeting users in Europe by infecting Android devices through malware droppers hosted on Google Play. --------------------------------------------- https://www.bleepingcomputer.com/news/security/anatsa-android-malware-downl… ∗∗∗ Mirai-Mirai On The Wall... [Guest Diary], (Sun, Feb 18th) ∗∗∗ --------------------------------------------- This article is about one of the ways attackers on the open Internet are attempting to use the Mirai Botnet [1][2] malware to exploit vulnerabilities on exposed IoT devices. --------------------------------------------- https://isc.sans.edu/diary/rss/30658 ∗∗∗ Remote Access Trojan (RAT): Types, Mitigation & Removal ∗∗∗ --------------------------------------------- Remote Access Trojans (RATs) are a serious threat capable of giving attackers control over infected systems. This malware stealthily enters systems (often disguised as legitimate software or by exploiting a vulnerability in the system) and opens backdoors for attackers to perform a wide range of malicious activities on the victim’s computer. This blog post is designed to educate readers on RATs - how they work, the risks they pose, and how to protect against them. --------------------------------------------- https://blog.sucuri.net/2024/02/remote-access-trojan-rat-types-mitigation-r… ∗∗∗ The scary DNS “KeyTrap” bug explained in plain words ∗∗∗ --------------------------------------------- If you were following the IT media last week, you’d have been forgiven for awaiting the imminent implosion of the internet, with DNS itself in desperate danger. [...] Obviously, the next step is for the community to update the DNSSEC specifications, and thereby to protect proactively against this sort of extreme denial-of-service attack by building in new precautions for everyone to follow. --------------------------------------------- https://pducklin.com/2024/02/18/the-scary-dns-keytrap-bug-explained-in-plai… ∗∗∗ KI: OpenAI und Microsoft schließen Konten staatlicher Bedrohungsakteure ∗∗∗ --------------------------------------------- Microsoft und OpenAI haben Konten mutmaßlicher staatlicher Bedrohungsakteure geschlossen, die ChatGPT für kriminelle Zwecke nutzten. --------------------------------------------- https://www.heise.de/-9631899.html ∗∗∗ Mastodon: Spamwelle zeigt Schwächen auf und weckt Sorge vor schlimmerer Methode ∗∗∗ --------------------------------------------- Seit Tagen klagen einige User auf Mastodon über eine Spamwelle. Der liegen automatisierte Angriffe auf unzureichend geschützte Teile des Fediverse zugrunde. --------------------------------------------- https://www.heise.de/-9632055.html ∗∗∗ CVE Prioritizer: Open-source tool to prioritize vulnerability patching ∗∗∗ --------------------------------------------- CVE Prioritizer is an open-source tool designed to assist in prioritizing the patching of vulnerabilities. It integrates data from CVSS, EPSS, and CISA’s KEV catalog to offer insights into the probability of exploitation and the potential effects of vulnerabilities on your systems. --------------------------------------------- https://www.helpnetsecurity.com/2024/02/19/cve-prioritizer-open-source-vuln… ∗∗∗ Why keeping track of user accounts is important ∗∗∗ --------------------------------------------- CISA has issued an advisory after the discovery of documents containing information about a state government organization’s network environment on a dark web brokerage site. --------------------------------------------- https://www.malwarebytes.com/blog/news/2024/02/why-keeping-track-of-user-ac… ∗∗∗ Gefälschtes Flixbus-Angebot: „Verlorenes Gepäck für 2 Euro“ ∗∗∗ --------------------------------------------- Auf Facebook und Instagram kursiert eine gefälschte Flixbus-Werbung. In der Anzeige steht, dass Flixbus angeblich verlorenes Gepäck um 2 Euro verkauft. Geködert werden Sie mit dem Versprechen, dass sich in den Koffern oft Handys, Laptops oder Schmuck befinden. Es handelt sich aber um eine Abo-Falle. --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschtes-flixbus-angebot-verlore… ∗∗∗ The Most Dangerous Entra Role You’ve (Probably) Never Heard Of ∗∗∗ --------------------------------------------- Entra ID has a built-in role called “Partner Tier2 Support” that enables escalation to Global Admin, but [...] --------------------------------------------- https://posts.specterops.io/the-most-dangerous-entra-role-youve-probably-ne… ===================== = Vulnerabilities = ===================== ∗∗∗ CVE-2024-23724: Ghost CMS Stored XSS Leading to Owner Takeover ∗∗∗ --------------------------------------------- During research on the Ghost CMS application, the Rhino research team identified a Stored Cross-Site Scripting (XSS) vulnerability which can be triggered by a malicious profile image. [...] The vendor does not view this as a valid vector so will not be releasing an official patch, but it’s important to us at Rhino to not release unpatched vulnerabilities. While this is a unique case, we’ve decided to make the patch ourselves [...] --------------------------------------------- https://rhinosecuritylabs.com/research/cve-2024-23724-ghost-cms-stored-xss/ ∗∗∗ Solarwinds: Codeschmuggel möglich, Updates verfügbar ∗∗∗ --------------------------------------------- Solarwinds schließt Sicherheitslücken in Access Rights Manager und Platform (Orion). Angreifer können Schadcode einschleusen. --------------------------------------------- https://www.heise.de/-9632541.html ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (engrampa, openvswitch, pdns-recursor, and runc), Fedora (caddy, expat, freerdp, libgit2, libgit2_1.6, mbedtls, python-cryptography, qt5-qtbase, and sudo), Gentoo (Apache Log4j, Chromium, Google Chrome, Microsoft Edge, CUPS, e2fsprogs, Exim, firefox, Glade, GNU Tar, intel-microcode, libcaca, QtNetwork, QtWebEngine, Samba, Seamonkey, TACACS+, Thunar, and thunderbird), Mageia (dnsmasq, unbound, and vim), Oracle (container-tools:4.0, container-tools:ol8, dotnet6.0, dotnet7.0, kernel, nss, openssh, and sudo), Red Hat (python-pillow), and SUSE (bitcoin, dpdk, libssh, openvswitch, postgresql12, and postgresql13). --------------------------------------------- https://lwn.net/Articles/962753/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ ADS-TEC Industrial IT: Docker vulnerability affects multiple products ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2024-016/ ∗∗∗ K000138640 : Perl vulnerability CVE-2023-47038 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000138640 ∗∗∗ K000138641 : cURL vulnerability CVE-2023-46219 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000138641 ∗∗∗ K000138643 : OpenSSH vulnerability CVE-2023-51767 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000138643 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.02.2024
by Daily end-of-shift report 16 Feb '24

16 Feb '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 15-02-2024 18:00 − Freitag 16-02-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ RansomHouse gang automates VMware ESXi attacks with new MrAgent tool ∗∗∗ --------------------------------------------- The RansomHouse ransomware operation has created a new tool named MrAgent that automates the deployment of its data encrypter across multiple VMware ESXi hypervisors. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ransomhouse-gang-automates-v… ∗∗∗ Berliner Kritis-Lieferant: PSI Software nimmt Systeme nach Cyberangriff offline ∗∗∗ --------------------------------------------- Der Softwarekonzern beliefert unter anderem Betreiber von Energienetzen und Verkehrsinfrastrukturen sowie Kunden aus den Bereichen Industrie und Logistik. --------------------------------------------- https://www.golem.de/news/berliner-kritis-lieferant-psi-software-nimmt-syst… ∗∗∗ Phishing und Spoofing: BSI gibt Hinweise zur E-Mail-Authentifizierung ∗∗∗ --------------------------------------------- Gewappnet mit Standards wie SPF, DKIM und DMARC könnten Anbieter selbst neue Angriffe wie SMTP-Smuggling erschweren, heißt es in einer Technischen Richtlinie. --------------------------------------------- https://www.heise.de/-9631309 ∗∗∗ F5 behebt 20 Sicherheitslücken in Big-IP-Loadbalancer, WAF und nginx ∗∗∗ --------------------------------------------- Unter anderem konnten Angreifer eigenen Code in den Loadbalancer einschmuggeln, nginx hingegen verschluckte sich an HTTP3/QUIC-Anfragen. --------------------------------------------- https://www.heise.de/-9629983 ∗∗∗ Falsche DHL-Boten fordern am Telefon SMS-Code für vermeintliche Paketzustellung ∗∗∗ --------------------------------------------- Kriminelle ergaunern SMS-Codes für Paket-Zustellungen. Dabei geben sich die Täter gegenüber potenziellen Opfern als angebliche DHL-Mitarbeiter aus. --------------------------------------------- https://www.heise.de/-9630541 ∗∗∗ Alpha Ransomware Emerges From NetWalker Ashes ∗∗∗ --------------------------------------------- Alpha, a new ransomware that first appeared in February 2023 and stepped up its operations in recent weeks, has strong similarities to the long-defunct NetWalker ransomware, which disappeared in January 2021 following an international law enforcement operation. --------------------------------------------- https://symantec-enterprise-blogs.security.com/threat-intelligence/alpha-ne… ===================== = Vulnerabilities = ===================== ∗∗∗ CISA Warning: Akira Ransomware Exploiting Cisco ASA/FTD Vulnerability ∗∗∗ --------------------------------------------- The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a now-patched security flaw impacting Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software to its Known Exploited Vulnerabilities (KEV) catalog, following reports that its being likely exploited in Akira ransomware attacks. --------------------------------------------- https://thehackernews.com/2024/02/cisa-warning-akira-ransomware.html ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Mageia (bind), Red Hat (.NET 8.0 and kpatch-patch), SUSE (golang-github-prometheus-alertmanager, java-1_8_0-openj9, kernel, libaom, openssl-3, postgresql15, salt, SUSE Manager Client Tools, SUSE Manager Server 4.3, and webkit2gtk3), and Ubuntu (shadow). --------------------------------------------- https://lwn.net/Articles/962506/ ∗∗∗ Eight Vulnerabilities Disclosed in the AI Development Supply Chain ∗∗∗ --------------------------------------------- Details of eight vulnerabilities found in the open source supply chain used to develop in-house AI and ML models have been disclosed. All have CVE numbers, one has critical severity, and seven have high severity. [..] They are: CVE-2023-6975: arbitrary file write in MLFLow, CVSS 9.8, CVE-2023-6753: arbitrary file write on Windows in MLFlow, CVSS 9.6, CVE-2023-6730: RCE in Hugging Face Transformers via RagRetriever.from_pretrained(), CVSS 9.0, CVE-2023-6940: server side template injection bypass in MLFlow, CVSS 9.0, CVE-2023-6976: arbitrary file upload patch bypass in MLFlow, CVSS 8.8, CVE-2023-31036: RCE via arbitrary file overwrite in Triton Inference Server, CVSS 7.5, CVE-2023-6909: local file inclusion in MLFlow, CVSS 7.5, CVE-2024-0964: LFI in Gradio, CVSS 7.5 --------------------------------------------- https://www.securityweek.com/eight-vulnerabilities-disclosed-in-the-ai-deve… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily February 2024