Daily March 2024

daily@lists.cert.at

1 participants
21 discussions

Tageszusammenfassung - 15.03.2024
by Daily end-of-shift report 15 Mar '24

15 Mar '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 14-03-2024 18:00 − Freitag 15-03-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ SIM swappers hijacking phone numbers in eSIM attacks ∗∗∗ --------------------------------------------- SIM swappers have adapted their attacks to steal a targets phone number by porting it into a new eSIM card, a digital SIM stored in a rewritable chip present on many recent smartphone models. --------------------------------------------- https://www.bleepingcomputer.com/news/security/sim-swappers-hijacking-phone… ∗∗∗ StopCrypt: Most widely distributed ransomware now evades detection ∗∗∗ --------------------------------------------- A new variant of StopCrypt ransomware (aka STOP) was spotted in the wild, employing a multi-stage execution process that involves shellcodes to evade security tools. --------------------------------------------- https://www.bleepingcomputer.com/news/security/stopcrypt-most-widely-distri… ∗∗∗ 5Ghoul Revisited: Three Months Later, (Fri, Mar 15th) ∗∗∗ --------------------------------------------- About three months ago, I wrote about the implications and impacts of 5Ghoul in a previous diary. The 5Ghoul family of vulnerabilities could cause User Equipment (UEs) to be continuously exploited (e.g. dropping/freezing connections, which would require manual rebooting or downgrading a 5G connection to 4G) once they are connected to the malicious 5Ghoul gNodeB (gNB, or known as the base station in traditional cellular networks). Given the potential complexities in the realm of 5G mobile network modems used in a multitude of devices (such as mobile devices and 5G-enabled environments such as Industrial Internet-of-Things and IP cameras), I chose to give the situation a bit more time before revisiting the 5Ghoul vulnerability. --------------------------------------------- https://isc.sans.edu/diary/rss/30746 ∗∗∗ Third-Party ChatGPT Plugins Could Lead to Account Takeovers ∗∗∗ --------------------------------------------- Cybersecurity researchers have found that third-party plugins available for OpenAI ChatGPT could act as a new attack surface for threat actors looking to gain unauthorized access to sensitive data. According to new research published by Salt Labs, security flaws found directly in ChatGPT and within the ecosystem could allow attackers to install malicious plugins without users' consent and hijack accounts on third-party websites like GitHub. --------------------------------------------- https://thehackernews.com/2024/03/third-party-chatgpt-plugins-could-lead.ht… ∗∗∗ Vorsicht vor Abo-Falle auf produktretter.at! ∗∗∗ --------------------------------------------- Einmal registrieren und schon erhalten Sie hochwertige und voll funktionsfähige Produkte, die andere retourniert haben. Es fallen lediglich Versandkosten von maximal 2,99 Euro an. Klingt zu schön, um wahr zu sein? Ist es auch. Denn Seiten wie produktretter.at, produkttest-anmeldung.com oder retourenheld.io locken in eine Abo-Falle. Die versprochenen Produkte kommen nie an. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-abo-falle-auf-produktre… ∗∗∗ Inside the Rabbit Hole: BunnyLoader 3.0 Unveiled ∗∗∗ --------------------------------------------- We analyze recent samples of BunnyLoader 3.0 to illuminate this malware’s evolved and upscaled capabilities, including its new downloadable module system. --------------------------------------------- https://unit42.paloaltonetworks.com/analysis-of-bunnyloader-malware/ ∗∗∗ How to share sensitive files securely online ∗∗∗ --------------------------------------------- Here are a few tips for secure file transfers and what else to consider when sharing sensitive documents so that your data remains safe. --------------------------------------------- https://www.welivesecurity.com/en/how-to/share-sensitive-files-securely-onl… ∗∗∗ The LockBit story: Why the ransomware affiliate model can turn takedowns into disruptions ∗∗∗ --------------------------------------------- Talos explores the recent law enforcement takedown of LockBit, a prolific ransomware group that claimed to resume their operations 7 days later. --------------------------------------------- https://blog.talosintelligence.com/ransomware-affiliate-model/ ∗∗∗ Zwei Backdoors in Ivanti-Appliances analysiert ∗∗∗ --------------------------------------------- Anfang 2024 wurden die Pulse Secure Appliances von Ivanti durch die damals gemeldeten Schwachstellen CVE-2023-46805 und CVE-2024-21887 weiträumig ausgenutzt. Zwei Exemplare dieser Backdoors haben Sicherheitsforscher jetzt ausführlich beschrieben. --------------------------------------------- https://heise.de/-9656137 ∗∗∗ Sicherheitsforscher genervt: Lücken-Datenbank NVD seit Wochen unvollständig ∗∗∗ --------------------------------------------- Die von der US-Regierung betriebene Datenbank reichert im CVE-System gemeldete Sicherheitslücken mit wichtigen Metadaten an. Das blieb seit Februar aus. [..] Von über 2.200 seit 15. Februar veröffentlichten Sicherheitslücken mit CVE-ID sind lediglich 59 mit Metadaten versehen, 2.152 liegen brach. [..] Darüber, wie sie die Tausenden offenen Sicherheitslücken abarbeiten will und vor allem, wann sie ihre Arbeit wieder aufnimmt, schweigt sich die NVD derzeit aus. --------------------------------------------- https://heise.de/-9656574 ===================== = Vulnerabilities = ===================== ∗∗∗ Juniper: On Demand: JSA Series: Multiple vulnerabilities resolved in Juniper Secure Analytics in 7.5.0 UP7 IF06 ∗∗∗ --------------------------------------------- Multiple vulnerabilities have been resolved in 7.5.0 UP7 IF06. Severity Critical --------------------------------------------- https://supportportal.juniper.net/s/article/On-Demand-JSA-Series-Multiple-v… ∗∗∗ Micropatches Released for Microsoft Outlook "MonikerLink" Remote Code Execution Vulnerability (CVE-2024-21413) ∗∗∗ --------------------------------------------- In February 2024, still-Supported Microsoft Outlook versions got an official patch for CVE-2024-21413, a vulnerability that allowed an attacker to execute arbitrary code on users computer when the user opened a malicious hyperlink in attackers email. The micropatch was written for the following security-adopted versions of Office with all available updates installed: Microsoft Office 2013, Microsoft Office 2010 --------------------------------------------- https://blog.0patch.com/2024/03/micropatches-released-for-microsoft.html ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (composer and node-xml2js), Fedora (baresip), Mageia (fonttools, libgit2, mplayer, open-vm-tools, and packages), Red Hat (dnsmasq, gimp:2.8, and kernel-rt), and SUSE (389-ds, gdb, kernel, python-Django, python3, python36-pip, spectre-meltdown-checker, sudo, and thunderbird). --------------------------------------------- https://lwn.net/Articles/965576/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ CVE-2024-2247: JFrog Artifactory Cross-Site Scripting ∗∗∗ --------------------------------------------- https://jfrog.com/help/r/jfrog-release-information/cve-2024-2247-jfrog-arti… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.03.2024
by Daily end-of-shift report 14 Mar '24

14 Mar '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 13-03-2024 18:00 − Donnerstag 14-03-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ PixPirate Android malware uses new tactic to hide on phones ∗∗∗ --------------------------------------------- The latest version of the PixPirate banking trojan for Android employs a previously unseen method to hide from the victim while remaining active on the infected device even if its dropper app has been removed. --------------------------------------------- https://www.bleepingcomputer.com/news/security/pixpirate-android-malware-us… ∗∗∗ Increase in the number of phishing messages pointing to IPFS and to R2 buckets, (Thu, Mar 14th) ∗∗∗ --------------------------------------------- Interesting trends do emerge from time to time. One such recent trend seems to be connected with an increased use of IPFS and R2 buckets to host phishing pages. --------------------------------------------- https://isc.sans.edu/diary/rss/30744 ∗∗∗ Breaking Down APT29’s Latest Tactics and How to Defend Against Them ∗∗∗ --------------------------------------------- Recently, the US National Security Agency (NSA) joined United Kingdom’s National Cyber Security Center (NCSC) in releasing an advisory detailing the recent TTPs (or tactics, techniques, and procedures) of the group known as APT29 (or, in other taxonomies of threat actors, Midnight Blizzard, the Dukes, and Cozy Bear). --------------------------------------------- https://orca.security/resources/blog/how-to-defend-against-apt29-cozy-bear-… ===================== = Vulnerabilities = ===================== ∗∗∗ A patched Windows attack surface is still exploitable ∗∗∗ --------------------------------------------- In this report, we highlight the key points about a class of recently-patched elevation-of-privilege vulnerabilities affecting Microsoft Windows, and then focus on how to check if any of them have been exploited or if there have been any attempts to exploit them. --------------------------------------------- https://securelist.com/windows-vulnerabilities/112232/ ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium and openvswitch), Fedora (chromium, python-multipart, thunderbird, and xen), Mageia (java-17-openjdk and screen), Red Hat (.NET 7.0, .NET 8.0, kernel-rt, kpatch-patch, postgresql:13, and postgresql:15), Slackware (expat), SUSE (glibc, python-Django, python-Django1, sudo, and vim), and Ubuntu (expat, linux-ibm, linux-ibm-5.4, linux-oracle, linux-oracle-5.4, linux-lowlatency, linux-raspi, python-cryptography, texlive-bin, and xorg-server). --------------------------------------------- https://lwn.net/Articles/965470/ ∗∗∗ Kubernetes Vulnerability Allows Remote Code Execution on Windows Endpoints ∗∗∗ --------------------------------------------- A high-severity Kubernetes vulnerability tracked as CVE-2023-5528 can be exploited to execute arbitrary code on Windows endpoints. --------------------------------------------- https://www.securityweek.com/kubernetes-vulnerability-allows-remote-code-ex… ∗∗∗ Cisco schließt hochriskante Lücken in IOS XR ∗∗∗ --------------------------------------------- Cisco warnt vor SIcherheitslücken mit teils hohem Risiko im Router-Betriebssystem IOS XR. Updates stehen bereit. --------------------------------------------- https://heise.de/-9654542 ∗∗∗ Schnell upgraden: Problematische Sicherheitslücke in Apples GarageBand ∗∗∗ --------------------------------------------- Neue Funktionen liefert GarageBand 10.4.11 laut Apple nicht. Dafür steckt ein wichtiger Sicherheitsfix drin. Nutzer sollten die macOS-App schnell aktualisieren. --------------------------------------------- https://heise.de/-9654638 ∗∗∗ HP: Viele Laptops und PCs von Codeschmuggel-Lücke betroffen ∗∗∗ --------------------------------------------- Eine BIOS-Sicherheitsfunktion von HP-Laptops und -PCs kann von Angreifern umgangen werden. BIOS-Updates stehen bereit oder werden grad entwickelt. --------------------------------------------- https://heise.de/-9654678 ∗∗∗ VU#488902: CPU hardware utilizing speculative execution may be vulnerable to speculative race conditions ∗∗∗ --------------------------------------------- https://kb.cert.org/vuls/id/488902 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Softing edgeConnector ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-074-13 ∗∗∗ Mitsubishi Electric MELSEC-Q/L Series ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-074-14 ∗∗∗ Delta Electronics DIAEnergie ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-074-12 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.03.2024
by Daily end-of-shift report 13 Mar '24

13 Mar '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 12-03-2024 18:00 − Mittwoch 13-03-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ RisePro stealer targets Github users in “gitgub” campaign ∗∗∗ --------------------------------------------- We identified at least 13 such repositories belonging to a RisePro stealer campaign that was named “gitgub” by the threat actors. The repositories look similar, featuring a README.md file with the promise of free cracked software. [..] RisePro resurfaces with new string encryption and a bloated MSI installer that crashes reversing tools like IDA. The "gitgub" campaign already sent more than 700 archives of stolen data to Telegram. --------------------------------------------- https://www.gdatasoftware.com/blog/2024/03/37885-risepro-stealer-campaign-g… ∗∗∗ Using ChatGPT to Deobfuscate Malicious Scripts, (Wed, Mar 13th) ∗∗∗ --------------------------------------------- Today, most of the malicious scripts in the wild are heavily obfuscated. [...] There was a huge amount of obfuscated strings (443 in total). Let's try tro process them with ChatGPT [..] The request took a few seconds to get some feedback but results were perfect (I only submitted a small part of the script). --------------------------------------------- https://isc.sans.edu/diary/rss/30740 ∗∗∗ FakeBat delivered via several active malvertising campaigns ∗∗∗ --------------------------------------------- A number of software brands are being impersonated with malicious ads and fake sites to distribute malware. --------------------------------------------- https://www.malwarebytes.com/blog/threat-intelligence/2024/03/fakebat-deliv… ∗∗∗ Geldwäsche statt Babysitting: Vorsicht vor diesem Jobbetrug! ∗∗∗ --------------------------------------------- Kriminelle suchen über Babysitter-Börsen angeblich eine Betreuung für ihr Kind oder ihre Kinder. Das vermeintliche Elternteil behauptet, derzeit noch im Ausland zu leben und erst zu einem späteren Zeitpunkt nach Österreich zu ziehen. Damit sich die Kinder gleich von Anfang an wohl fühlen, sollen die neuen Babysitter:innen bereits im Vorfeld Spielzeug einkaufen. --------------------------------------------- https://www.watchlist-internet.at/news/geldwaesche-statt-babysitting-vorsic… ∗∗∗ JetBrains vulnerability exploitation highlights debate over silent patching ∗∗∗ --------------------------------------------- Czech software giant JetBrains harshly criticized security company Rapid7 this week following a dispute over two recently-discovered vulnerabilities. In a blog post published Monday, JetBrains attributed the compromise of several customers’ servers to Rapid7’s decision to release detailed information on the vulnerabilities. --------------------------------------------- https://therecord.media/jetbrains-rapid7-silent-patching-dispute ∗∗∗ Unpacking Flutter hives ∗∗∗ --------------------------------------------- The goal of this blogpost is to obtain the content of an encrypted Hive without having access to the source code. --------------------------------------------- https://blog.nviso.eu/2024/03/13/unpacking-flutter-hives/ ∗∗∗ Threat actors leverage document publishing sites for ongoing credential and session token theft ∗∗∗ --------------------------------------------- Talos IR has responded to several recent incidents in which threat actors used legitimate digital document publishing sites such as Publuu and Marq to host phishing documents as part of ongoing credential and session harvesting attacks. Threat actors have used a similar tactic of deploying phishing lures on well-known cloud storage and contract management sites such as Google Drive, OneDrive, SharePoint, DocuSign and Oneflow. --------------------------------------------- https://blog.talosintelligence.com/threat-actors-leveraging-document-publis… ∗∗∗ CVE-2024-21412: DarkGate Operators Exploit Microsoft Windows SmartScreen Bypass in Zero-Day Campaign ∗∗∗ --------------------------------------------- The Zero Day Initiative (ZDI) recently uncovered a DarkGate campaign in mid-January 2024, which exploited CVE-2024-21412 through the use of fake software installers. During this campaign, users were lured using PDFs that contained Google DoubleClick Digital Marketing (DDM) open redirects that led unsuspecting victims to compromised sites hosting the Microsoft Windows SmartScreen bypass CVE-2024-21412 that led to malicious Microsoft (.MSI) installers. [..] This campaign was part of the larger Water Hydra APT zero-day analysis. --------------------------------------------- https://www.trendmicro.com/en_us/research/24/c/cve-2024-21412--darkgate-ope… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Security Advisories 2024-03-13 ∗∗∗ --------------------------------------------- Security Impact Rating: 3x High, 4x Medium --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs… ∗∗∗ Palo Alto Security Advisories 2024-03-13 ∗∗∗ --------------------------------------------- Security Impact Rating: 3x Medium --------------------------------------------- https://security.paloaltonetworks.com/ ∗∗∗ Critical Vulnerability Remains Unpatched in Two Permanently Closed MiniOrange WordPress Plugins – $1,250 Bounty Awarded ∗∗∗ --------------------------------------------- Both miniOrange’s Malware Scanner and Web Application Firewall plugins contain a critical privilege escalation vulnerability, and both have been permanently closed. So we urge all users to delete these plugins from their websites immediately! [..] This vulnerability makes it possible for an unauthenticated attacker to grant themselves administrative privileges by updating the user password. --------------------------------------------- https://www.wordfence.com/blog/2024/03/critical-vulnerability-remains-unpat… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (edk2, freeipa, kernel, and liblas), Oracle (kernel), Red Hat (docker, edk2, kernel, kernel-rt, and kpatch-patch), SUSE (axis, fontforge, gnutls, java-1_8_0-openjdk, kernel, python3, sudo, and zabbix), and Ubuntu (dotnet7, dotnet8, libgoogle-gson-java, openssl, and ovn). --------------------------------------------- https://lwn.net/Articles/965278/ ∗∗∗ März-Patchday: Microsoft stopft zwei kritische Löcher in Hyper-V ∗∗∗ --------------------------------------------- Insgesamt bringt der März-Patchday Fixes für 61 Sicherheitslücken. --------------------------------------------- https://www.zdnet.de/88414822/maerz-patchday-microsoft-stopft-zwei-kritisch… ∗∗∗ Adobe Releases Security Updates for Multiple Products ∗∗∗ --------------------------------------------- Adobe Experience Manager, Adobe Premiere Pro, Adobe ColdFusion, Adobe Bridge, Adobe Lightroom, Adobe Animate --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/03/12/adobe-releases-security-… ∗∗∗ AMD und Intel schließen CPU-Sicherheitslücken in Core- und Ryzen-CPUs ∗∗∗ --------------------------------------------- Zum Patch-Tuesday räumen AMD und Intel weitere Sicherheitslücken in ihren Prozessoren ein. Es geht unter anderem um Race Conditions. --------------------------------------------- https://heise.de/-9653846 ∗∗∗ Fortinet-Patchday: Updates gegen kritische Schwachstellen ∗∗∗ --------------------------------------------- Fortinet hat zum März-Patchday Sicherheitslücken in FortiOS, FortiProxy, FortiClientEMS und im FortiManager geschlossen. --------------------------------------------- https://heise.de/-9653730 ∗∗∗ Citrix Hypervisor Security Update for CVE-2023-39368 and CVE-2023-38575 ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX616982/citrix-hypervisor-security-upd… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Lenovo Security Advisories 2024-03-12 ∗∗∗ --------------------------------------------- https://support.lenovo.com/at/de/product_security/home ∗∗∗ Xen Security Advisory CVE-2024-2193 / XSA-453 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-453.html ∗∗∗ Xen Security Advisory CVE-2023-28746 / XSA-452 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-452.html ∗∗∗ Wago: Multiple vulnerabilities in web-based management of multiple products ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-039/ ∗∗∗ Bosch: BVMS affected by Autodesk Design Review Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-246962-bt.html ∗∗∗ Bosch: RPS and RPS-LITE operator and communication process vulnerabilities. ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-099637-bt.html ∗∗∗ Canon: CPE2024-002 – Vulnerability Mitigation/Remediation for Small Office Multifunction Printers and Laser Printers – 14 March 2024 ∗∗∗ --------------------------------------------- https://www.canon-europe.com/support/product-security-latest-news/ ∗∗∗ SonicWall: SonicWall Email Security Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) Vulnerability ∗∗∗ --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0006 ∗∗∗ SonicWall: SonicOS SSLVPN Portal Stored Cross-site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0005 ∗∗∗ SonicWall: Integer-Based Buffer Overflow Vulnerability In SonicOS via IPSec ∗∗∗ --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0004 ∗∗∗ Google Chrome: Drei Sicherheitslöcher gestopft ∗∗∗ --------------------------------------------- https://heise.de/-9653082 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.03.2024
by Daily end-of-shift report 12 Mar '24

12 Mar '24

===================== = End-of-Day report = ===================== Timeframe: Montag 11-03-2024 18:00 − Dienstag 12-03-2024 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Inception Attack: Neue Angriffstechnik ermöglicht Manipulation von VR-Inhalten ∗∗∗ --------------------------------------------- Angreifer können nicht nur sensible Informationen abgreifen, sondern auch dem VR-Nutzer angezeigte Inhalte verändern, ohne dass dieser etwas merkt. --------------------------------------------- https://www.golem.de/news/inception-attack-neue-angriffstechnik-ermoeglicht… ∗∗∗ Verträge und Abos kündigen: Vorsicht vor kostenpflichtigen Angeboten ∗∗∗ --------------------------------------------- Sie möchten Ihren Vertrag kündigen, wissen aber nicht wie? Oft sind die Informationen zur Kündigung und Kontaktadressen des jeweiligen Unternehmens auch unauffindbar. Aus gutem Grund suchen Konsument:innen daher nach Diensten, die den Kündigungsprozess übernehmen. Oft sind diese Dienste kostenpflichtig oder selbst eine Abofalle. --------------------------------------------- https://www.watchlist-internet.at/news/vertraege-und-abos-kuendigen-vorsich… ∗∗∗ Ransomware: Attacks Continue to Rise as Operators Adapt to Disruption ∗∗∗ --------------------------------------------- Available evidence suggests vulnerability exploitation has replaced botnets as a prime infection vector. --------------------------------------------- https://symantec-enterprise-blogs.security.com/threat-intelligence/ransomwa… ∗∗∗ CISA Publishes SCuBA Hybrid Identity Solutions Guidance ∗∗∗ --------------------------------------------- CISA has published Secure Cloud Business Applications (SCuBA) Hybrid Identity Solutions Guidance (HISG) to help users better understand identity management capabilities and securely integrate their traditional on-premises enterprise networks with cloud-based solutions. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/03/12/cisa-publishes-scuba-hyb… ∗∗∗ VCURMS: A Simple and Functional Weapon ∗∗∗ --------------------------------------------- ForitGuard Labs uncovers a rat VCURMS weapon and STRRAT in a phishing campaign --------------------------------------------- https://feeds.fortinet.com/~/873512375/0/fortinet/blogs~VCURMS-A-Simple-and… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (qemu), Mageia (libtiff and thunderbird), Red Hat (kernel, kpatch-patch, postgresql, and rhc-worker-script), SUSE (compat-openssl098, openssl, openssl1, python-Django, python-Django1, and wpa_supplicant), and Ubuntu (accountsservice, libxml2, linux-bluefield, linux-raspi-5.4, linux-xilinx-zynqmp, linux-oem-6.1, openvswitch, postgresql-9.5, and ruby-rack). --------------------------------------------- https://lwn.net/Articles/965113/ ∗∗∗ SAP schließt zehn Sicherheitslücken am März-Patchday ∗∗∗ --------------------------------------------- SAP hat zehn neue Sicherheitsmitteilungen zum März-Patchday veröffentlicht. Zwei der geschlossenen Lücken gelten als kritisch. --------------------------------------------- https://heise.de/-9652057 ∗∗∗ Synology dichtet Sicherheitslecks in SRM ab ∗∗∗ --------------------------------------------- Im Synology Router Manager (SRM) klaffen Sicherheitslecks, durch die Angreifer etwa Scripte einschleusen können. Ein Update steht bereit. --------------------------------------------- https://heise.de/-9652225 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Fortiguard Security Advisories ∗∗∗ --------------------------------------------- https://www.fortiguard.com/psirt ∗∗∗ SSA-918992 V1.0: Unused HTTP Service on SENTRON 3KC ATC6 Ethernet Module ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-918992.html ∗∗∗ SSA-832273 V1.0: Multiple Vulnerabilities in Fortigate NGFW on RUGGEDCOM APE1808 devices ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-832273.html ∗∗∗ SSA-792319 V1.0: Missing Read Out Protection in SENTRON 7KM PAC3x20 Devices ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-792319.html ∗∗∗ SSA-770721 V1.0: Multiple Vulnerabilities in SIMATIC RF160B before V2.2 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-770721.html ∗∗∗ SSA-653855 V1.0: Information Disclosure vulnerability in SINEMA Remote Connect Client before V3.1 SP1 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-653855.html ∗∗∗ SSA-576771 V1.0: Multiple Vulnerabilities in SINEMA Remote Connect Server before V3.2 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-576771.html ∗∗∗ SSA-382651 V1.0: File Parsing Vulnerability in Solid Edge before V223.0.11 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-382651.html ∗∗∗ SSA-366067 V1.0: Multiple Vulnerabilities in Fortigate NGFW before V7.4.1 on RUGGEDCOM APE1808 devices ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-366067.html ∗∗∗ SSA-353002 V1.0: Multiple Vulnerabilities in SCALANCE XB-200 / XC-200 / XP-200 / XF-200BA / XR-300WG Family ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-353002.html ∗∗∗ SSA-225840 V1.0: Vulnerabilities in the Network Communication Stack in Sinteso EN and Cerberus PRO EN Fire Protection Systems ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-225840.html ∗∗∗ SSA-145196 V1.0: Authorization Bypass Vulnerability in Siveillance Control ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-145196.html ∗∗∗ PHOENIX CONTACT: Multiple vulnerabilities in CHARX SEC charge controllers ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2024-011/ ∗∗∗ Citrix SDWAN Security Bulletin for CVE-2024-2049 ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX617071/citrix-sdwan-security-bulletin… ∗∗∗ Stack-based Overflow Vulnerability in the TrueViewTM Desktop Software ∗∗∗ --------------------------------------------- https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0005 ∗∗∗ Missing PSK secret for IKEv2 connection can cause libreswan to restart ∗∗∗ --------------------------------------------- https://libreswan.org/security/CVE-2024-2357/CVE-2024-2357.txt ∗∗∗ Schneider Electric EcoStruxure Power Design ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-072-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.03.2024
by Daily end-of-shift report 11 Mar '24

11 Mar '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 08-03-2024 18:00 − Montag 11-03-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Fake Leather wallet app on Apple App Store is a crypto drainer ∗∗∗ --------------------------------------------- The developers of the Leather cryptocurrency wallet are warning of a fake app on the Apple App Store, with users reporting it is a wallet drainer that stole their digital assets. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fake-leather-wallet-app-on-a… ∗∗∗ What happens when you accidentally leak your AWS API keys? [Guest Diary], (Sun, Mar 10th) ∗∗∗ --------------------------------------------- As a college freshman taking my first computer science class, I wanted to create a personal project that would test my abilities and maybe have some sort of return. I saw a video online of someone who created a python script that emailed colleges asking for free swag to be shipped to him. I liked the idea and adapted it. --------------------------------------------- https://isc.sans.edu/diary/rss/30730 ∗∗∗ Check your email security, and protect your customers ∗∗∗ --------------------------------------------- Free online tool from the NCSC prevents cyber criminals using your email to conduct cyber attacks. --------------------------------------------- https://www.ncsc.gov.uk/blog-post/cyes-protect-customers ∗∗∗ Leicht verdientes Geld auf Instagram? Vorsicht vor dieser Betrugsmasche ∗∗∗ --------------------------------------------- Sie erhalten eine Nachricht auf Instagram – angeblich von einer Künstlerin bzw. einem Künstler. Die Person behauptet, dass sie eines Ihrer Bilder auf Instagram als Vorlage für ein Gemälde nutzen möchte. Sie bekommen dafür angeblich 500 Euro. Gehen Sie nicht auf dieses Angebot ein, Sie werden betrogen! --------------------------------------------- https://www.watchlist-internet.at/news/leicht-verdientes-geld-auf-instagram… ∗∗∗ Misconfiguration Manager: Overlooked and Overprivileged ∗∗∗ --------------------------------------------- Misconfiguration Manager is a central knowledge base for all known Microsoft Configuration Manager tradecraft and associated defensive and hardening guidance. We’re also presenting this material at SO-CON 2024 on March 11, 2024. We’ll update this post with a link to the recording when it becomes available. --------------------------------------------- https://posts.specterops.io/misconfiguration-manager-overlooked-and-overpri… ∗∗∗ Ransomware tracker: The latest figures [March 2024] ∗∗∗ --------------------------------------------- Note: this Ransomware Tracker is updated on the second Sunday of each month to stay current. --------------------------------------------- https://therecord.media/ransomware-tracker-the-latest-figures ∗∗∗ Kritische Schwachstelle (CVE-2024-1403) in Progress OpenEdge Authentication Gateway/AdminServer – PoC öffentlich ∗∗∗ --------------------------------------------- Es gibt eine kritische Schwachstelle (CVE-2024-1403) in diesem Produkt (CVSS 10.0), die die Umgehung der Authentifizierung ermöglicht. Nun ist ein Exploit zur Ausnutzung dieser Schwachstelle bekannt geworden. --------------------------------------------- https://www.borncity.com/blog/2024/03/11/kritische-schwachstelle-cve-2024-1… ===================== = Vulnerabilities = ===================== ∗∗∗ Unauthenticated Stored XSS Vulnerability Patched in Ultimate Member WordPress Plugin ∗∗∗ --------------------------------------------- The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the several parameters in all versions up to, and including, 2.8.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. --------------------------------------------- https://www.wordfence.com/blog/2024/03/unauthenticated-stored-xss-vulnerabi… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libuv1, nss, squid, tar, tiff, and wordpress), Fedora (chromium, exercism, grub2, qpdf, and wpa_supplicant), Oracle (edk2 and opencryptoki), and SUSE (cpio, openssl-1_0_0, openssl-1_1, openssl-3, sudo, tomcat, and xen). --------------------------------------------- https://lwn.net/Articles/965032/ ∗∗∗ ArubaOS: Sicherheitslücken erlauben Befehlsschmuggel ∗∗∗ --------------------------------------------- HPE Aruba warnt vor zum Teil hochriskanten Sicherheitslücken im Betriebssystem ArubaOS für Switches aus dem Hause. Mehrere gelten als hohes Risiko und erlauben das Einschmuggeln von Befehlen. --------------------------------------------- https://heise.de/-9650985 ∗∗∗ Qnap hat teils kritische Lücken in seinen Betriebssystemen geschlossen ∗∗∗ --------------------------------------------- Qnap hat Warnungen vor Sicherheitslücken in QTS, QuTS Hero und QuTScloud veröffentlicht. Aktualisierte Firmware dichtet sie ab. --------------------------------------------- https://heise.de/-9650933 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.03.2024
by Daily end-of-shift report 08 Mar '24

08 Mar '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 07-03-2024 18:00 − Freitag 08-03-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Update on Microsoft Actions Following Attack by Nation State Actor Midnight Blizzard ∗∗∗ --------------------------------------------- This blog provides an update on the nation-state attack that was detected by the Microsoft Security Team on January 12, 2024. As we shared, on January 19, the security team detected this attack on our corporate email systems and immediately activated our response process. --------------------------------------------- https://msrc.microsoft.com/blog/2024/03/update-on-microsoft-actions-followi… ∗∗∗ New Malware Campaign Found Exploiting Stored XSS in Popup Builder < 4.2.3 ∗∗∗ --------------------------------------------- In the past three weeks, we’ve started seeing an uptick in attacks from a new malware campaign targeting this same Popup Builder vulnerability. According to PublicWWW, over 3,300 websites have already been infected by this new campaign. Our own SiteCheck remote malware scanner has detected this malware on over 1,170 sites. --------------------------------------------- https://blog.sucuri.net/2024/03/new-malware-campaign-found-exploiting-store… ∗∗∗ Google-Präsenz verbessern? Vorsicht vor Abzocker-Unternehmen! ∗∗∗ --------------------------------------------- Unternehmen wenden sich derzeit an uns und berichten von unseriösen Anbietern, die sich als Kooperationspartner von Google ausgeben. Das Angebot: Sie helfen dabei, den Unternehmensauftritt bei Google zu verbessern, ein angebotenes Beratungsgespräch soll nach dem Gespräch bezahlt werden und koste einmalig bis zu 80 Euro. Doch weit gefehlt: Erfahrungsberichten zufolge tappt man hier in eine Abo-Falle, die nur schwer zu kündigen ist. --------------------------------------------- https://www.watchlist-internet.at/news/abzocke-google-praesenz/ ∗∗∗ Online scam taxonomy: the many ways to trick us ∗∗∗ --------------------------------------------- Because there are so many different types of online scams, we have compiled a list of scam taxonomy, shortly explaining what these scams mean. It’s important to stay vigilant against these threats, so it’s easier to avoid them. --------------------------------------------- https://blog.f-secure.com/online-scam-taxonomy/ ∗∗∗ Magnet Goblin Targets Publicly Facing Servers Using 1-Day Vulnerabilities ∗∗∗ --------------------------------------------- Magnet Goblin is a financially motivated threat actor that quickly adopts and leverages 1-day vulnerabilities in public-facing services as an initial infection vector. At least in one case of Ivanti Connect Secure VPN (CVE-2024-21887), the exploit entered the group’s arsenal as fast as within 1 day after a POC for it was published. Campaigns that we were able to attribute to this actor targeted Ivanti, Magento, Qlink Sense and possibly Apache ActiveMQ. --------------------------------------------- https://research.checkpoint.com/2024/magnet-goblin-targets-publicly-facing-… ∗∗∗ Cisco: Angreifer können sich zum Root-Nutzer unter Linux machen ∗∗∗ --------------------------------------------- Cisco AppDynamics, Duo Authentication, Secure Client, Secure Client for Linux und Wireless Access Points der Small-Business-Reihe sind angreifbar. Sicherheitspatches stehen zum Download bereit. --------------------------------------------- https://heise.de/-9649863 ∗∗∗ Angeblicher Tesla-Hack mit Flipper Zero entpuppt sich als Sturm im Wasserglas ∗∗∗ --------------------------------------------- Mittels eines gefälschten Gast-WLANs im Tesla-Design könnten Angreifer an Superchargern oder in Service-Centern Zugänge abgreifen, warnen die Experten. --------------------------------------------- https://heise.de/-9650018 ===================== = Vulnerabilities = ===================== ∗∗∗ pgAdmin (<=8.3) Path Traversal in Session Handling Leads to Unsafe Deserialization and Remote Code Execution (RCE) ∗∗∗ --------------------------------------------- “pgAdmin is the most popular and feature rich Open Source administration and development platform for PostgreSQL, the most advanced Open Source database in the world. [..] If the server is running on Windows, an unauthenticated attacker can load and deserialize remote pickle objects and gain code execution. If the server is running on POSIX/Linux, an authenticated attacker can upload pickle objects, deserialize them and gain code execution. --------------------------------------------- https://www.shielder.com/advisories/pgadmin-path-traversal_leads_to_unsafe_… ∗∗∗ QNAP Security Advisories 2024-03-09 ∗∗∗ --------------------------------------------- Security Impact Rating: 1x Critical, 4x Medium --------------------------------------------- https://www.qnap.com/en-us/security-advisories ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (fontforge), Fedora (chromium, iwd, libell, and thunderbird), Oracle (buildah, kernel, skopeo, and tomcat), Red Hat (opencryptoki), Slackware (ghostscript), SUSE (go1.21, go1.22, google-oauth-java-client, jetty-minimal, openssl-1_0_0, python310, sudo, wpa_supplicant, and xmlgraphics-batik), and Ubuntu (libhtmlcleaner-java, linux, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-lowlatency-hwe-5.15, linux-nvidia, linux-azure, linux-azure-6.5, linux-hwe-6.5, mqtt-client, ncurses, and puma). --------------------------------------------- https://lwn.net/Articles/964832/ ∗∗∗ macOS 14.4 und mehr: Apple patcht schwere Sicherheitslücken ∗∗∗ --------------------------------------------- Apples Update-Reigen geht weiter: Nach iOS und iPadOS hat der Hersteller in der Nacht auf Freitag neue Versionen und Patches veröffentlicht, die für macOS, watchOS, tvOS und visionOS veröffentlicht. Neben kleineren Funktionserweiterungen und Bugfixes sollen die Aktualisierungen auch zwei gravierende Zero-Day-Schwachstellen im Kernel ausräumen, die nach Informationen von Apple wohl bereits aktiv für Angriffe ausgenutzt wurden. --------------------------------------------- https://heise.de/-9649559 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.03.2024
by Daily end-of-shift report 07 Mar '24

07 Mar '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 06-03-2024 18:00 − Donnerstag 07-03-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Hacked WordPress sites use visitors browsers to hack other sites ∗∗∗ --------------------------------------------- Hackers are conducting widescale attacks on WordPress sites to inject scripts that force visitors browsers to bruteforce passwords for other sites. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hacked-wordpress-sites-use-v… ∗∗∗ New Python-Based Snake Info Stealer Spreading Through Facebook Messages ∗∗∗ --------------------------------------------- Facebook messages are being used by threat actors to a Python-based information stealer dubbed Snake that’s designed to capture credentials and other sensitive data. --------------------------------------------- https://thehackernews.com/2024/03/new-python-based-snake-info-stealer.html ∗∗∗ Code injection on Android without ptrace ∗∗∗ --------------------------------------------- I came up with the idea to port linux_injector. The project has a simple premise: injecting code into a process without using ptrace. --------------------------------------------- https://erfur.github.io/blog/dev/code-injection-without-ptrace ∗∗∗ CVE-2023-36049: Microsoft .NET CRLF Injection Arbitrary File Write/Deletion Vulnerability ∗∗∗ --------------------------------------------- Successful exploitation of this vulnerability would allow a remote attacker to write or delete files in the context of the FTP server. The following is a portion of their write-up covering CVE-2023-36049, with a few minimal modifications. --------------------------------------------- https://www.thezdi.com/blog/2024/3/6/cve-2023-36049-microsoft-net-crlf-inje… ∗∗∗ Delving into Dalvik: A Look Into DEX Files ∗∗∗ --------------------------------------------- Through a case study of the banking trojan sample, this blog post aims to give an insight into the Dalvik Executable file format, how it is constructed, and how it can be altered to make analysis easier. --------------------------------------------- https://www.mandiant.com/resources/blog/dalvik-look-into-dex-files ∗∗∗ Staatstrojaner: Infrastruktur der Spyware Predator erneut abgeschaltet ∗∗∗ --------------------------------------------- Die Betreiber der Plattform hinter Predator haben offenbar Server vom Netz genommen, die sie zum Ausliefern und Steuern der Überwachungssoftware verwendeten. --------------------------------------------- https://heise.de/-9648238 ===================== = Vulnerabilities = ===================== ∗∗∗ CVE-2024-1403: Progress OpenEdge Authentication Bypass Deep-Dive ∗∗∗ --------------------------------------------- On February 27, 2024, Progress released a security advisory for OpenEdge, their application development and deployment platform suite. The advisory details that there exists an authentication bypass vulnerability which effects certain components of the OpenEdge platform. --------------------------------------------- https://www.horizon3.ai/attack-research/cve-2024-1403-progress-openedge-aut… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium and yard), Fedora (cpp-jwt, golang-github-tdewolff-argp, golang-github-tdewolff-minify, golang-github-tdewolff-parse, and suricata), Mageia (wpa_supplicant), Oracle (curl, edk2, golang, haproxy, keylime, mysql, openssh, and rear), Red Hat (kernel and postgresql:12), SUSE (containerd, giflib, go1.21, gstreamer-plugins-bad, java-1_8_0-openjdk, python3, python311, python39, sudo, and vim), and Ubuntu (frr, linux, linux-gcp, linux-gcp-5.4, [...] --------------------------------------------- https://lwn.net/Articles/964725/ ∗∗∗ VMware schließt Schlupflöcher für Ausbruch aus virtueller Maschine ∗∗∗ --------------------------------------------- Angreifer können Systeme mit VMware ESXi, Fusion und Workstation attackieren. Sicherheitsupdates stehen zum Download. --------------------------------------------- https://heise.de/-9648396 ∗∗∗ VU#949046: Sceiner firmware locks and associated devices are vulnerable to encryption downgrade and arbitrary file upload attacks ∗∗∗ --------------------------------------------- https://kb.cert.org/vuls/id/949046 ∗∗∗ Registration role - Critical - Access bypass - SA-CONTRIB-2024-015 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2024-015 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Local Privilege Escalation via writable files in CheckMK Agent ∗∗∗ --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/local-privilege-escalati… ∗∗∗ Mattermost security updates 9.5.2 (ESR) / 9.4.4 / 9.3.3 / 8.1.11 (ESR) released ∗∗∗ --------------------------------------------- https://mattermost.com/blog/mattermost-security-updates-9-5-2-esr-9-4-4-9-3… ∗∗∗ Apple Releases Security Updates for iOS and iPadOS ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/03/07/apple-releases-security-… ∗∗∗ Chirp Systems Chirp Access ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-067-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.03.2024
by Daily end-of-shift report 06 Mar '24

06 Mar '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 05-03-2024 18:00 − Mittwoch 06-03-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Why Your Firewall Will Kill You, (Tue, Mar 5th) ∗∗∗ --------------------------------------------- The last few years have been great for attackers exploiting basic web application vulnerabilities. Usually, home and small business products from companies like Linksys, D-Link, and Ubiquity are known to be favorite targets. But over the last couple of years, enterprise products from companies like Ivanti, Fortigate, Sonicwall, and Citrix (among others) have become easy to exploit targets. The high value of the networks protected by these "solutions" has made them favorites for ransomware attackers. --------------------------------------------- https://isc.sans.edu/diary/rss/30714 ∗∗∗ Scanning and abusing the QUIC protocol, (Wed, Mar 6th) ∗∗∗ --------------------------------------------- The QUIC protocol has slowly (pun intended) crawled into our browsers and many other protocols. Last week, at BSides Zagreb I presented some research I did about applications using (and abusing) this protocol, so it made sense to put this into one diary. --------------------------------------------- https://isc.sans.edu/diary/rss/30720 ∗∗∗ Living off the land with native SSH and split tunnelling ∗∗∗ --------------------------------------------- Lately I was involved in an assumed compromise project where stealth and simplicity was required, reducing the opportunity to use a sophisticated C2 infrastructure. We did note that the built-in Windows SSH client could make this simpler for us. [..] Windows native SSH can be a convenient attack path IF an organisation doesn’t have the ability to block and monitor the forwarded internal traffic. [..] The obvious route is to restrict access to the SSH command for all users who don’t have a business need, or to uninstall it from your default Windows build and use something like PuTTY instead. --------------------------------------------- https://www.pentestpartners.com/security-blog/living-off-the-land-with-nati… ∗∗∗ Schneeballsystem-Alarm bei DCPTG.com! ∗∗∗ --------------------------------------------- An die Watchlist Internet wird aktuell vermehrt ein Schneeball- bzw. Pyramidensystem mit dem Namen dcptg.com gemeldet. Versprochen werden Erfahrungsberichten nach völlig unrealistische und risikofreie Gewinnmöglichkeiten von 2 bis 5 Prozent des eingesetzten Kapitals pro Tag. Außerdem müssen laufend weitere Menschen angeworben werden, um langfristig an dem System teilnehmen zu können. Vorsicht: DCPTG.com ist betrügerisch! --------------------------------------------- https://www.watchlist-internet.at/news/schneeballsystem-alarm-bei-dctpgcom/ ∗∗∗ Fake-Gewinnspiel im Namen vom Tiergarten Schönbrunn ∗∗∗ --------------------------------------------- Über ein Fake-Profil des Tiergartens Schönbrunn wird derzeit ein betrügerisches Gewinnspiel auf Facebook verbreitet. Die Facebook-Seite „Tiergarten Wien“ verlost angeblich 4 Eintrittskarten. Sie müssen lediglich die Versandgebühren für die Karten bezahlen. Vorsicht: Sie tappen in eine Abo-Falle und geben Ihre persönlichen Daten an Kriminelle weiter. --------------------------------------------- https://www.watchlist-internet.at/news/fake-gewinnspiel-im-namen-vom-tierga… ∗∗∗ Whoops! ACEMAGIC ships mini PCs with free bonus pre-installed malware ∗∗∗ --------------------------------------------- Chinese mini PC manufacturer ACEMAGIC has made life a bit more interesting for its customers, by admitting that it has also been throwing in free malware with its products. --------------------------------------------- https://grahamcluley.com/whoops-acemagic-ships-mini-pcs-with-free-bonus-pre… ∗∗∗ Data Exfiltration: Increasing Number of Tools Leveraged by Ransomware Attackers ∗∗∗ --------------------------------------------- Ransomware actors are deploying a growing array of data-exfiltration tools in their attacks and, over the past three months alone, Symantec has found attackers using at least dozen different tools capable of data exfiltration. While some exfiltration tools are malware, the vast majority are dual-use – legitimate software used by the attackers for malicious purposes. --------------------------------------------- https://symantec-enterprise-blogs.security.com/threat-intelligence/ransomwa… ∗∗∗ Badgerboard: A PLC backplane network visibility module ∗∗∗ --------------------------------------------- Analysis of the traffic between networked devices has always been of interest since devices could even communicate with one another. As the complexity of networks grew, the more useful dedicated traffic analysis tools became. Major advancements have been made over the years with tools like Snort or Wireshark, but these tools are only useful when accurate information is provided to them. By only sending a subset of the information being passed across a network to monitoring tools, analysts will be provided with an incomplete picture of the state of their network. --------------------------------------------- https://blog.talosintelligence.com/badgerboard-research/ ∗∗∗ Coper / Octo - A Conductor for Mobile Mayhem… With Eight Limbs? ∗∗∗ --------------------------------------------- In this blog post, we will detail our analysis and understanding of the Coper/Octo Android malware, examining the malware’s continued development, as well as providing insights into attack patterns, infrastructure utilization and management, and hunting tips. --------------------------------------------- https://www.team-cymru.com/post/coper-octo-a-conductor-for-mobile-mayhem-wi… ∗∗∗ New Linux Malware Alert: ‘Spinning YARN’ Hits Docker, Other Key Apps ∗∗∗ --------------------------------------------- According to Cado Security’s research research shared with Hackread.com ahead of publication on Wednesday, Spinning Yarn is a malicious campaign that exploits weaknesses in popular Linux software used by businesses across various sectors. --------------------------------------------- https://www.hackread.com/new-linux-malware-alert-spinning-yarn-docker-apps/ ∗∗∗ Fritz.box: Domain aus dem Verkehr gezogen ∗∗∗ --------------------------------------------- Unbekannte sicherten sich im Januar die Domain fritz.box. Doch die Verwirrung hielt nicht lange an. Jetzt wurde die Adresse aus dem Verkehr gezogen. --------------------------------------------- https://heise.de/-9647776 ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Security Advisories 2024-02-28 ∗∗∗ --------------------------------------------- Security Impact Rating: 2x High, 5x Medium --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs… ∗∗∗ VMSA-2024-0006 ∗∗∗ --------------------------------------------- VMware ESXi, Workstation, and Fusion contain a use-after-free vulnerability in the XHCI USB controller. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.3 for Workstation/Fusion and in the Important severity range with a maximum CVSSv3 base score of 8.4 for ESXi. [..] A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host. On ESXi, the exploitation is contained within the VMX sandbox whereas, on Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed. --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2024-0006.html ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libapache2-mod-auth-openidc, libuv1, php-phpseclib, and phpseclib), Red Hat (buildah, cups, curl, device-mapper-multipath, emacs, fence-agents, frr, fwupd, gmp, gnutls, golang, haproxy, keylime, libfastjson, libmicrohttpd, linux-firmware, mysql, openssh, rear, skopeo, sqlite, squid, systemd, and tomcat), Slackware (mozilla), SUSE (kernel-firmware-nvidia-gspx-G06, nvidia-open- driver-G06-signed, postgresql-jdbc, python, python-cryptography, rubygem-rack, wpa_supplicant, and xmlgraphics-batik), and Ubuntu (c-ares, firefox, libde265, libgit2, and ruby-image-processing). --------------------------------------------- https://lwn.net/Articles/964559/ ∗∗∗ CISA Adds Two Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CVE-2024-23225 / CVE-2024-23296 Apple iOS and iPadOS Memory Corruption Vulnerability --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/03/06/cisa-adds-two-known-expl… ∗∗∗ Foxit: Sicherheitsupdates in Foxit PDF Reader 2024.1 und Foxit PDF Editor 2024.1 verfügbar ∗∗∗ --------------------------------------------- https://www.foxit.com/de/support/security-bulletins.html ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Bosch: Git for Windows Multiple Security Vulnerabilities in Bosch DIVAR IP all-in-one Devices ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-637386-bt.html ∗∗∗ Bosch: Multiple OpenSSL vulnerabilities in BVMS ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-090577-bt.html ∗∗∗ F5: K000138827 : OpenSSH vulnerability CVE-2023-51385 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000138827 ∗∗∗ iOS 17.4 und iOS 16.7.6: Wichtige sicherheitskritische Bugfixes ∗∗∗ --------------------------------------------- https://heise.de/-9647164 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.03.2024
by Daily end-of-shift report 05 Mar '24

05 Mar '24

===================== = End-of-Day report = ===================== Timeframe: Montag 04-03-2024 18:00 − Dienstag 05-03-2024 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ ScreenConnect flaws exploited to drop new ToddleShark malware ∗∗∗ --------------------------------------------- The North Korean APT hacking group Kimsuky is exploiting ScreenConnect flaws, particularly CVE-2024-1708 and CVE-2024-1709, to infect targets with a new malware variant dubbed ToddleShark. --------------------------------------------- https://www.bleepingcomputer.com/news/security/screenconnect-flaws-exploite… ∗∗∗ Network tunneling with… QEMU? ∗∗∗ --------------------------------------------- While investigating an incident, we detected uncommon malicious activity inside one of the systems. We ran an analysis on the artifacts, only to find that the adversary had deployed and launched the QEMU hardware emulator. --------------------------------------------- https://securelist.com/network-tunneling-with-qemu/111803/ ∗∗∗ Warning: Thread Hijacking Attack Targets IT Networks, Stealing NTLM Hashes ∗∗∗ --------------------------------------------- The threat actor known as TA577 has been observed using ZIP archive attachments in phishing emails with an aim to steal NT LAN Manager (NTLM) hashes. --------------------------------------------- https://thehackernews.com/2024/03/warning-thread-hijacking-attack-targets.h… ∗∗∗ Pegasus spyware creator ordered to reveal code used to spy on WhatsApp users ∗∗∗ --------------------------------------------- Meta has won a court case against spyware vendor NSO Group to reveal the Pegasus spyware code that allows spying on WhatsApp users. --------------------------------------------- https://www.malwarebytes.com/blog/news/2024/03/pegasus-spyware-creator-orde… ∗∗∗ AnyDesk: Zugriffsversuche aus Spanien; Unsignierter Client verteilt ∗∗∗ --------------------------------------------- Das Drama bei AnyDesk geht anscheinend weiter, obwohl ich die Hoffnung hatte, das Thema langsam abschließen zu können... --------------------------------------------- https://www.borncity.com/blog/2024/03/05/anydesk-zugriffsversuche-aus-spani… ∗∗∗ WogRAT Malware Exploits aNotepad (Windows, Linux) ∗∗∗ --------------------------------------------- AhnLab Security intelligence Center (ASEC) has recently discovered the distribution of backdoor malware via aNotepad, a free online notepad platform. --------------------------------------------- https://asec.ahnlab.com/en/62446/ ∗∗∗ GhostSec’s joint ransomware operation and evolution of their arsenal ∗∗∗ --------------------------------------------- Cisco Talos observed a surge in GhostSec, a hacking group’s malicious activities since this past year. GhostSec has evolved with a new GhostLocker 2.0 ransomware, a Golang variant of the GhostLocker ransomware. --------------------------------------------- https://blog.talosintelligence.com/ghostsec-ghostlocker2-ransomware/ ∗∗∗ Ransomware: ALPHV/Blackcat betrügt offensichtlich Partner und zieht sich zurück ∗∗∗ --------------------------------------------- Die Fakten legen nahe, dass ALPHV/Blackcat einen Cybercrime-Partner um 22 Millionen US-Dollar betrogen und sich nun zurückgezogen hat. --------------------------------------------- https://heise.de/-9646707 ===================== = Vulnerabilities = ===================== ∗∗∗ Exploit available for new critical TeamCity auth bypass bug, patch now ∗∗∗ --------------------------------------------- A critical vulnerability (CVE-2024-27198) in the TeamCity On-Premises CI/CD solution from JetBrains can let a remote unauthenticated attacker take control of the server with administrative permissions. --------------------------------------------- https://www.bleepingcomputer.com/news/security/exploit-available-for-new-cr… ∗∗∗ Multiple vulnerabilities in RT-Thread RTOS ∗∗∗ --------------------------------------------- I reviewed RT-Thread’s source code hosted on GitHub and identified multiple security vulnerabilities that may cause memory corruption and security feature bypass. Their impacts range from denial of service to potential arbitrary code execution. --------------------------------------------- https://security.humanativaspa.it/multiple-vulnerabilities-in-rt-thread-rto… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (yard), Oracle (buildah and kernel), Red Hat (389-ds:1.4, edk2, frr, gnutls, haproxy, libfastjson, libX11, postgresql:12, sqlite, squid, squid:4, tcpdump, and tomcat), SUSE (apache2-mod_auth_openidc and glibc), and Ubuntu (linux-gke, python-cryptography, and python-django). --------------------------------------------- https://lwn.net/Articles/964450/ ∗∗∗ Zeek Security Tool Vulnerabilities Allow ICS Network Hacking ∗∗∗ --------------------------------------------- Vulnerabilities in a plugin for the Zeek network security monitoring tool can be exploited in attacks aimed at ICS environments. --------------------------------------------- https://www.securityweek.com/zeek-security-tool-vulnerabilities-allow-ics-n… ∗∗∗ VU#782720: TCG TPM2.0 implementations vulnerable to memory corruption ∗∗∗ --------------------------------------------- https://kb.cert.org/vuls/id/782720 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Security Vulnerabilities fixed in Thunderbird 115.8.1 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2024-11/ ∗∗∗ Nice Linear eMerge E3-Series ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-065-01 ∗∗∗ Santesoft Sante FFT Imaging ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-065-01 ∗∗∗ K000138814 : OpenLDAP vulnerability CVE-2023-2953 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000138814 ∗∗∗ Patchday: Kritische Schadcode-Lücken bedrohen Android 12, 13 und 14 ∗∗∗ --------------------------------------------- https://heise.de/-9646073 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.03.2024
by Daily end-of-shift report 04 Mar '24

04 Mar '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 01-03-2024 18:00 − Montag 04-03-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Gemini, ChatGPT und LLaVA: Neuer Wurm verbreitet sich in KI-Ökosystemen selbst ∗∗∗ --------------------------------------------- Forscher haben einen KI-Wurm entwickelt. Dieser kann nicht nur sensible Daten abgreifen, sondern sich auch selbst in einem GenAI-Ökosystem ausbreiten. --------------------------------------------- https://www.golem.de/news/gemini-chatgpt-und-llava-neuer-wurm-verbreitet-si… ∗∗∗ Hunting For Integer Overflows In Web Servers ∗∗∗ --------------------------------------------- In order to overflow something (e.g. an integer overflow) we clearly need some way to be able to do that (think pouring water from a kettle into a cup), and that’s the source (us using the kettle) to overflow the cup. Cup of tea aside, what things can be accessed remotely and take user input (those sources)? Web servers! This blog post title does not lie! --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/hunting-for… ∗∗∗ New Wave of SocGholish Infections Impersonates WordPress Plugins ∗∗∗ --------------------------------------------- SocGholish malware, otherwise known as “fake browser updates”, is one of the most common types of malware infections that we see on hacked websites. This long-standing malware campaign leverages a JavaScript malware framework that has been in use since at least 2017. The malware attempts to trick unsuspecting users into downloading what is actually a Remote Access Trojan (RAT) onto their computers, which is often the first stage in a ransomware infection. Late last week our incident response team identified a fresh wave of SocGholish (fake browser update) infections targeting WordPress websites. --------------------------------------------- https://blog.sucuri.net/2024/03/new-wave-of-socgholish-infections-impersona… ∗∗∗ Rise in Deceptive PDF: The Gateway to Malicious Payloads ∗∗∗ --------------------------------------------- McAfee Labs has recently observed a significant surge in the distribution of prominent malware through PDF files. Malware is not solely sourced from dubious websites or downloads; certain instances of malware may reside within apparently harmless emails, particularly within the PDF file attachments accompanying them. The subsequent trend observed in the past three months through McAfee telemetry pertains to the prevalence of malware distributed through non-portable executable (non-PE) vectors. --------------------------------------------- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/rise-in-deceptive-pdf-… ∗∗∗ Remote Stuxnet-Style Attack Possible With Web-Based PLC Malware: Researchers ∗∗∗ --------------------------------------------- A team of researchers has developed malware designed to target modern programmable logic controllers (PLCs) in an effort to demonstrate that remote Stuxnet-style attacks can be launched against such industrial control systems (ICS). --------------------------------------------- https://www.securityweek.com/remote-stuxnet-style-attack-possible-with-web-… ∗∗∗ Vorsicht vor falschen Paketbenachrichtigungen ∗∗∗ --------------------------------------------- Sie erwarten ein Paket? Prüfen Sie Benachrichtigungen über den Sendungsstatus sehr genau! Derzeit sind gefälschte Paketbenachrichtigungen im Namen aller gängigen Zustelldiensten im Umlauf. Klicken Sie niemals voreilig auf Links in E-Mails und SMS und geben Sie keine Kreditkartendaten preis! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-falschen-paketbenachric… ∗∗∗ Threat Brief: WordPress Exploit Leads to Godzilla Web Shell, Discovery & New CVE ∗∗∗ --------------------------------------------- Below is a recent Threat Brief that we shared with our customers. Each year, we produce over 50 detailed Threat Briefs, which follow a format similar to the below. Typically, these reports include specific dates and times to provide comprehensive insights; however, please note that such information has been redacted in this public version. IOCs are available to customers within Event 27236 (uuid – fe12e833-6f0c-45c9-97d6-83337ea6c5d3). --------------------------------------------- https://thedfirreport.com/2024/03/04/threat-brief-wordpress-exploit-leads-t… ∗∗∗ Microsoft schließt ausgenutzte Windows 0-day Schwachstelle CVE-2024-21338 sechs Monate nach Meldung ∗∗∗ --------------------------------------------- Im Februar 2024 hat Microsoft die Schwachstelle CVE-2024-21338 im Kernel von Windows 10/11 und diversen Windows Server-Versionen geschlossen. Super! Der Fehler an der Geschichte: Die Schwachstelle wurde von AVAST im August 2023 gemeldet, und die Schwachstelle wurde zu dieser Zeit als 0-day ausgenutzt. --------------------------------------------- https://www.borncity.com/blog/2024/03/03/microsoft-schliet-ausgenutzte-wind… ∗∗∗ Multistage RA World Ransomware Uses Anti-AV Tactics, Exploits GPO ∗∗∗ --------------------------------------------- The RA World (previously the RA Group) ransomware has managed to successfully breach organizations around the world since its first appearance in April 2023. Although the threat actor casts a wide net with its attacks, many of its targets were in the US, with a smaller number of attacks occurring in countries such as Germany, India, and Taiwan. When it comes to industries, the group focuses its efforts on businesses in the healthcare and financial sectors. --------------------------------------------- https://www.trendmicro.com/en_us/research/24/c/multistage-ra-world-ransomwa… ∗∗∗ GitHub als Malware-Schleuder ∗∗∗ --------------------------------------------- Eine Sicherheitsfirma berichtet über eine neue Masche, wie Schadcode im großen Stil verteilt wird: über kompromittierte Klon-Repositories auf GitHub. --------------------------------------------- https://heise.de/-9644525 ===================== = Vulnerabilities = ===================== ∗∗∗ Critical vulnerabilities in TeamCity JetBrains fixed, release of technical details imminent, patch quickly! (CVE-2024-27198, CVE-2024-27199) ∗∗∗ --------------------------------------------- JetBrains has fixed two critical security vulnerabilities (CVE-2024-27198, CVE-2024-27199) affecting TeamCity On-Premises and is urging customers to patch them immediately. --------------------------------------------- https://www.helpnetsecurity.com/2024/03/04/cve-2024-27198-cve-2024-27199/ ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr and thunderbird), Fedora (dotnet6.0, dotnet8.0, and mod_auth_openidc), Gentoo (Blender, Tox, and UltraJSON), Oracle (kernel), Red Hat (edk2), SUSE (sendmail and zabbix), and Ubuntu (nodejs and thunderbird). --------------------------------------------- https://lwn.net/Articles/964376/ ∗∗∗ Hikvision Patches High-Severity Vulnerability in Security Management System ∗∗∗ --------------------------------------------- Chinese video surveillance equipment manufacturer Hikvision has announced patches for two vulnerabilities in its security management system HikCentral Professional. The most important of these flaws is CVE-2024-25063, a high-severity bug that could lead to unauthorized access to certain URLs. --------------------------------------------- https://www.securityweek.com/hikvision-patches-high-severity-vulnerability-… ∗∗∗ Aruba: Codeschmuggel durch Sicherheitslücken im Clearpass Manager möglich ∗∗∗ --------------------------------------------- Im Aruba Clearpass Manager von HPE klaffen teils kritische Sicherheitslücken. Updates zum Schließen stehen bereit. [..] Eine Lücke betrifft den mitgelieferten Apache Struts-Server und erlaubt das Einschleusen von Befehlen (CVE-2023-50164, CVSS 9.8, Risiko "kritisch"). --------------------------------------------- https://heise.de/-9644607 ∗∗∗ Solarwinds: Schadcode-Lücke in Security Event Manager ∗∗∗ --------------------------------------------- Sicherheitslücken in Solarwinds Secure Event Manager können Angreifer zum Einschleusen von Schadcode missbrauchen. Updates stopfen die Lecks. --------------------------------------------- https://heise.de/-9644643 ∗∗∗ Angreifer können Systeme mit Dell-Software kompromittieren ∗∗∗ --------------------------------------------- Es sind wichtige Sicherheitspatches für Dell Data Protection Advisor, iDRAC8 und Secure Connect Gateway erschienen. --------------------------------------------- https://heise.de/-9644978 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ F5: K000138726 : Linux kernel vulnerability CVE-2023-3611 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000138726 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily March 2024