Daily April 2024

daily@lists.cert.at

1 participants
21 discussions

Tageszusammenfassung - 16.04.2024
by Daily end-of-shift report 16 Apr '24

16 Apr '24

===================== = End-of-Day report = ===================== Timeframe: Montag 15-04-2024 18:00 − Dienstag 16-04-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Palo Alto - Putting The Protecc In GlobalProtect (CVE-2024-3400) ∗∗∗ --------------------------------------------- At watchTowr, we no longer publish Proof of Concepts. Why prove something is vulnerable when we can just believe its so? Iinstead, weve decided to do something better - thats right! Were proud to release another detection artefact generator tool, this time in the form of an HTTP request: --------------------------------------------- https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-c… ∗∗∗ Quick Palo Alto Networks Global Protect Vulnerablity Update (CVE-2024-3400), (Mon, Apr 15th) ∗∗∗ --------------------------------------------- One of our readers, Mark, observed attacks attempting to exploit the vulnerability from two IP addresses: 173.255.223.159: An Akamai/Linode IP address. We do not have any reports from this IP address. Shodan suggests that the system may have recently hosted a WordPress site. 146.70.192.174: A system in Singapore that has been actively scanning various ports in March and April. --------------------------------------------- https://isc.sans.edu/diary/rss/30838 ∗∗∗ New SteganoAmor attacks use steganography to target 320 orgs globally ∗∗∗ --------------------------------------------- A new campaign conducted by the TA558 hacking group is concealing malicious code inside images using steganography to deliver various malware tools onto targeted systems. [..] The attacks begin with malicious emails containing seemingly innocuous document attachments (Excel and Word files) that exploit the CVE-2017-11882 flaw, a commonly targeted Microsoft Office Equation Editor vulnerability fixed in 2017. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-steganoamor-attacks-use-… ∗∗∗ AWS, Google, and Azure CLI Tools Could Leak Credentials in Build Logs ∗∗∗ --------------------------------------------- New cybersecurity research has found that command-line interface (CLI) tools from Amazon Web Services (AWS) and Google Cloud can expose sensitive credentials in build logs, posing significant risks to organizations. The vulnerability has been codenamed LeakyCLI by cloud security firm Orca. [..] Unlike Microsoft, however, both Amazon and Google consider this to be expected behavior, requiring that organizations take steps to avoid storing secrets in environment variables and instead use a dedicated secrets store service like AWS Secrets Manager or Google Cloud Secret Manager. --------------------------------------------- https://thehackernews.com/2024/04/aws-google-and-azure-cli-tools-could.html ∗∗∗ Vorsicht vor falschen Bankanrufen ∗∗∗ --------------------------------------------- Sie erhalten einen Anruf – angeblich von einer Bank. Die Person am Telefon behauptet, Sie hätten einen Kreditantrag eingereicht. Wenn Sie widersprechen, erklärt die Person am Telefon, dass dann wohl Kriminelle in Ihrem Namen den Kreditantrag gestellt hätten. Legen Sie auf! Es handelt sich um eine Betrugsmasche! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-falschen-bankanrufen/ ∗∗∗ Large-scale brute-force activity targeting VPNs, SSH services with commonly used login credentials ∗∗∗ --------------------------------------------- Cisco Talos is actively monitoring a global increase in brute-force attacks against a variety of targets, including Virtual Private Network (VPN) services, web application authentication interfaces and SSH services since at least March 18, 2024. [..] We are including the usernames and passwords used in these attacks in the IOCs for awareness. IP addresses and credentials associated with these attacks can be found in our GitHub repository here. --------------------------------------------- https://blog.talosintelligence.com/large-scale-brute-force-activity-targeti… ∗∗∗ Zugriffsmanagement: Kritische Admin-Lücke in Delinea Secret Server geschlossen ∗∗∗ --------------------------------------------- Die Privileged-Access-Management-Lösung (PAM) Secret Server von Delinea ist verwundbar. Ein Sicherheitsupdate ist verfügbar. --------------------------------------------- https://heise.de/-9686457 ===================== = Vulnerabilities = ===================== ∗∗∗ Schwere Sicherheitslücke in PuTTY - CVE-2024-31497 ∗∗∗ --------------------------------------------- Sicherheitsforscher:innen haben in PuTTY, einer verbreiteten quelloffenen Software zur Herstellung von Verbindungen über Secure Shell (SSH), eine schwere Sicherheitslücke gefunden. Die Ausnutzung von CVE-2024-31497 erlaubt es Angreifer:innen unter bestimmten Umständen, den privaten Schlüssel eines kryptographischen Schlüsselpaares wiederherzustellen. --------------------------------------------- https://cert.at/de/aktuelles/2024/4/schwere-sicherheitslucke-in-putty-cve-2… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (php7.4 and php8.2), Fedora (c-ares), Mageia (python-pillow and upx), Oracle (bind and dhcp, bind9.16, httpd:2.4/mod_http2, kernel, rear, and unbound), SUSE (eclipse, maven-surefire, tycho, emacs, kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t, nodejs16, nodejs18, nodejs20, texlive, vim, webkit2gtk3, and xen), and Ubuntu (gnutls28, klibc, libvirt, nodejs, and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/970036/ ∗∗∗ Proscend Communications M330-W and M330-W5 vulnerable to OS command injection ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN23835228/ ∗∗∗ B&R: 2024-04-15: Cyber Security Advisory - Impact of LogoFail vulnerability on B&R Industrial PCs and HMI products ∗∗∗ --------------------------------------------- https://www.br-automation.com/fileadmin/SA24P002_xPCs_vulnerable_to_LogoFai… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Mozilla: Security Vulnerabilities fixed in Firefox ESR 115.10 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2024-19/ ∗∗∗ Mozilla: Security Vulnerabilities fixed in Firefox 125 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2024-18/ ∗∗∗ Libreswan: IKEv1 default AH/ESP responder can crash and restart ∗∗∗ --------------------------------------------- https://libreswan.org/security/CVE-2024-3652/CVE-2024-3652.txt ∗∗∗ Measuresoft ScadaPro ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-107-01 ∗∗∗ Electrolink FM/DAB/TV Transmitter ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-107-02 ∗∗∗ Rockwell Automation ControlLogix and GuardLogix ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-107-03 ∗∗∗ RoboDK RoboDK ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-107-04 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.04.2024
by Daily end-of-shift report 15 Apr '24

15 Apr '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 12-04-2024 18:00 − Montag 15-04-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400) ∗∗∗ --------------------------------------------- On April 10, 2024, Volexity identified zero-day exploitation of a vulnerability found within the GlobalProtect feature of Palo Alto Networks PAN-OS at one of its network security monitoring (NSM) customers. During its investigation, Volexity observed that UTA0218 attempted to install a custom Python backdoor, which Volexity calls UPSTYLE, on the firewall. The UPSTYLE backdoor allows the attacker to execute additional commands on the device via specially crafted network requests. Details on this backdoor are included further on in this report. --------------------------------------------- https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthent… ∗∗∗ Cisco Duo warns third-party data breach exposed SMS MFA logs ∗∗∗ --------------------------------------------- Cisco Duos security team warns that hackers stole some customers VoIP and SMS logs for multi-factor authentication (MFA) messages in a cyberattack on their telephony provider. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cisco-duo-warns-third-party-… ∗∗∗ Angriff via WebGPU: Sensible Nutzerdaten lassen sich per Javascript auslesen ∗∗∗ --------------------------------------------- Einem Forscherteam der TU Graz ist es gelungen, durch drei verschiedene Seitenkanalangriffe über die in modernen Webbrowsern integrierte Grafikschnittstelle WebGPU sicherheitsrelevante Nutzerdaten wie Tastatureingaben oder Verschlüsselungsschlüssel auszuspähen. Durch die Forschungsarbeit will das Team vor allem auf die Risiken aufmerksam machen, die mit der Implementierung von WebGPU einhergehen können. --------------------------------------------- https://www.golem.de/news/angriff-via-webgpu-sensible-nutzerdaten-lassen-si… ∗∗∗ Using the LockBit builder to generate targeted ransomware ∗∗∗ --------------------------------------------- Kaspersky researchers revisit the leaked LockBit 3.0 builder and share insights into a real-life incident involving a custom targeted ransomware variant created with this builder. --------------------------------------------- https://securelist.com/lockbit-3-0-based-custom-targeted-ransomware/112375/ ∗∗∗ Delinea Secret Server customers should apply latest patches ∗∗∗ --------------------------------------------- Customers of Delinea's Secret Server are being urged to upgrade their installations "immediately" after a researcher claimed a critical vulnerability could allow attackers to gain admin-level access. [..] Delinea sent us a statement post publication: "We confirm there was a vulnerability in Secret Server. Delinea Platform and Secret Server Cloud have been patched and are no longer vulnerable. We have provided a remediation guide for our on-premise customers to fix the vulnerability. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2024/04/15/delinea_secr… ∗∗∗ Unpacking the Blackjack Groups Fuxnet Malware ∗∗∗ --------------------------------------------- Blackjack claims its initial compromise of Moscollector began in June 2023, and since then the group said it has worked slowly in an attempt to cripple the industrial sensors and monitoring infrastructure managed by the company. [..] Screenshots released by the attackers indicate that the impacted sensors are manufactured by a company named AO SBK, a Russian company that manufactures a variety of sensor types, ranging from gas measurement sensors to environmental monitoring equipment. --------------------------------------------- https://claroty.com/team82/research/unpacking-the-blackjack-groups-fuxnet-m… ∗∗∗ Falsche Google-Anrufe zu Ihrem Google-Business-Eintrag ∗∗∗ --------------------------------------------- Vorsicht, wenn Anrufer:innen vorgeben, von Google zu sein. Vermehrt geben sich Kriminelle als Google aus und behaupten, dass die Testphase Ihres Google-Business-Profils abgelaufen und der Eintrag nun kostenpflichtig sei. Legen Sie gleich auf! --------------------------------------------- https://www.watchlist-internet.at/news/falsche-google-anrufe-zu-ihrem-googl… ∗∗∗ “Totally Unexpected” Package Malware Using Modified Notepad++ Plug-in (WikiLoader) ∗∗∗ --------------------------------------------- AhnLab SEcurity intelligence Center (ASEC) has recently identified the distribution of a modified version of “mimeTools.dll”, a default Notepad++ plug-in. The malicious mimeTools.dll file in question was included in the package installation file of a certain version of the Notepad++ package and disguised as a legitimate package file. --------------------------------------------- https://asec.ahnlab.com/en/64106/ ∗∗∗ Lancom-Setup-Assistent leert Root-Passwort ∗∗∗ --------------------------------------------- Wer Lancom-Router mit dem Windows-Setup-Assistenten konfiguriert, läuft Gefahr, das Root-Passwort durch ein leeres zu ersetzen. --------------------------------------------- https://heise.de/-9682694 ===================== = Vulnerabilities = ===================== ∗∗∗ Palo Alto Networks Releases Urgent Fixes for Exploited PAN-OS Vulnerability ∗∗∗ --------------------------------------------- Palo Alto Networks has released hotfixes to address a maximum-severity security flaw impacting PAN-OS software that has come under active exploitation in the wild. --------------------------------------------- https://thehackernews.com/2024/04/palo-alto-networks-releases-urgent.html ∗∗∗ Sicherheitsupdates: Schwachstellen in PHP gefährden Websites ∗∗∗ --------------------------------------------- Die PHP-Entwickler haben mehrere Schwachstellen geschlossen. Eine Sicherheitslücke gilt als kritisch. --------------------------------------------- https://heise.de/-9684558 ∗∗∗ Telegram Desktop: Tippfehler im Quellcode mündet in RCE-Schwachstelle ∗∗∗ --------------------------------------------- Ein Tippfehler im Code der Windows-App von Telegram ermöglicht die Ausführung von Schadcode auf fremden Systemen. Es reicht ein Klick auf ein vermeintliches Video. [..] Der Tippfehler im Telegram-Quellcode bezieht sich aber nicht auf .exe, sondern auf die Dateiendung .pyzw, die ausführbaren Python-Zip-Archiven zugeordnet wird. Diese war im Code noch bis zum 11. April als .pywz hinterlegt, so dass die oben genannte Sicherheitswarnung bei einem Klick auf eine .pyzw-Datei gar nicht erst erschien. [..] Zwar hat Telegram den Fehler im Quellcode inzwischen behoben, ein entsprechendes Update für die Windows-App wurde bisher aber offenbar nicht verteilt. --------------------------------------------- https://www.golem.de/news/telegram-desktop-tippfehler-im-quellcode-muendet-… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (bind, bind and dhcp, bind9.16, gnutls, httpd:2.4/mod_http2, squid:4, and unbound), Debian (kernel, trafficserver, and xorg-server), Fedora (chromium, kernel, libopenmpt, and rust-h2), Mageia (apache-mod_jk, golang, indent, openssl, perl-HTTP-Body, php, rear, ruby-rack, squid, varnish, and xfig), Oracle (bind, squid, unbound, and X.Org server), Red Hat (bind and dhcp and unbound), Slackware (less and php), SUSE (gnutls, python-Pillow, webkit2gtk3, xen, xorg-x11-server, and xwayland), and Ubuntu (yard). --------------------------------------------- https://lwn.net/Articles/969873/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Xen: XSA-456 ∗∗∗ --------------------------------------------- https://xenbits.xenproject.org/people/gdunlap/xsa-draft/advisory-456.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.04.2024
by Daily end-of-shift report 12 Apr '24

12 Apr '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 11-04-2024 18:00 − Freitag 12-04-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Anweisung von oben: US-Behörden müssen nach Cyberangriff auf Microsoft aufräumen ∗∗∗ --------------------------------------------- Die Angreifer haben offenbar auch E-Mails abgegriffen, die zwischen Microsoft und US-Behörden ausgetauscht wurden. Letztere müssen nun handeln. --------------------------------------------- https://www.golem.de/news/anweisung-von-oben-us-behoerden-muessen-nach-cybe… ∗∗∗ Sicherheit: Apple warnt iPhone-Nutzer großflächig vor Spyware-Attacke ∗∗∗ --------------------------------------------- Apple hat iPhone-Besitzer in 92 Ländern vor Auftrags-Spyware-Angriffen gewarnt. Betroffene sollten die Warnung ernst nehmen und sich Hilfe suchen. --------------------------------------------- https://www.golem.de/news/sicherheit-apple-warnt-iphone-nutzer-grossflaechi… ∗∗∗ XZ backdoor story – Initial analysis ∗∗∗ --------------------------------------------- Kaspersky analysis of the backdoor recently found in XZ, which is used in many popular Linux distributions and in OpenSSH server process. --------------------------------------------- https://securelist.com/xz-backdoor-story-part-1/112354/ ∗∗∗ Sneaky Credit Card Skimmer Disguised as Harmless Facebook Tracker ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered a credit card skimmer thats concealed within a fake Meta Pixel tracker script in an attempt to evade detection. --------------------------------------------- https://thehackernews.com/2024/04/sneaky-credit-card-skimmer-disguised-as.h… ∗∗∗ Betrügerische Casino-Apps werden massiv über Facebook und Instagram beworben! ∗∗∗ --------------------------------------------- Mit zahlreichen Werbeanzeigen versuchen Kriminelle, ihre Opfer zum Download verschiedener Casino-Apps zu bewegen. Meist werden unglaubliche Gewinne versprochen, dazu kommen Freispiele und Boni von mehreren tausend Euro. In manchen Werbeanzeigen werden sogar Deepfake-Videos eingesetzt. --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-casino-apps-werden-ma… ∗∗∗ IBM QRadar - When The Attacker Controls Your Security Stack (CVE-2022-26377) ∗∗∗ --------------------------------------------- Today, in this iteration of 'watchTowr Labs takes aim at yet another piece of software' we wonder why the industry panics about backdoors in libraries that have taken 2 years to be unsuccessfully introduced - while security vendors like IBM can't even update libraries used in their flagship security products that subsequently allow for trivial exploitation. [..] For those unfamiliar with defensive security products, QRadar is the mastermind application that can sit on-premise or in the cloud via IBM's SaaS offering. Quite simply, it's IBM's Security Information and Event Management (SIEM) product - and is the heart of many enterprise's security software stack. --------------------------------------------- https://labs.watchtowr.com/ibm-qradar-when-the-attacker-controls-your-secur… ∗∗∗ Krypto-Scams: Coinbase warnt EU-Kunden vor iPhone-Sideloading ∗∗∗ --------------------------------------------- Die Kryptobörse weist europäische Kunden an, die App nur aus Apples App Store zu beziehen. Auch dort wurden zuletzt aber Fake-Wallets gesichtet. --------------------------------------------- https://heise.de/-9683728 ∗∗∗ Intellexa: Spyware des Predator-Herstellers kommt über Online-Werbung ∗∗∗ --------------------------------------------- Der Malware-Dealer Intellexa stellt Spähsoftware vor, die Handys rein über Werbebanner infiziert. [..] Die neue Malware heißt Aladdin und installiert sich ohne Klick des Opfers (Zero-Click-Exploits). [..] Das Gesamtpaket kostet vier Millionen Euro, inklusive einjähriger Garantie und 24-Stunden-Support. Telefonnummern aus den USA, Griechenland und Israel sollen nicht angegriffen werden dürfen, was offenbar auf verhängte Sanktionen zurückgeht. --------------------------------------------- https://heise.de/-9682500 ∗∗∗ Sicherheitslücken: Angreifer können Juniper-Netzwerkgeräte lahmlegen ∗∗∗ --------------------------------------------- Wichtige Patches schließen mehrere Schwachstellen in Junos OS, die Firewalls, Router und Switches verwundbar machen. --------------------------------------------- https://heise.de/-9682955 ===================== = Vulnerabilities = ===================== ∗∗∗ Kritische Sicherheitslücke in Palo Alto PAN-OS (Global Protect) ∗∗∗ --------------------------------------------- n Palo Altos PAN-OS GlobalProtect-Funktion wurde eine kritische Sicherheitslücke identifiziert, welche das Einschleusen von Kommandos erlaubt. Zur Ausnutzung der Schwachstelle muss ein Gateway konfiguriert, und die sogenannte "Device Telemetry" aktiviert sein (zweiteres ist den betroffenen Versionen standardmäßig gegeben). Da noch keine Updates verfügbar sind, kann die Schwachstelle lediglich durch Konfigurationsänderungen mitigiert werden - beachten Sie den Abschnitt "Abhilfe". [..] CVE-2024-3400 --------------------------------------------- https://cert.at/de/warnungen/2024/4/palo-alto-cve-2024-3400 ∗∗∗ CISA Adds One Known Exploited Vulnerability to Catalog ∗∗∗ --------------------------------------------- CVE-2024-3400 Palo Alto Networks PAN-OS Command Injection Vulnerability --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/04/12/cisa-adds-one-known-expl… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium), Fedora (rust, trafficserver, and upx), Mageia (postgresql-jdbc and x11-server, x11-server-xwayland, tigervnc), Red Hat (bind, bind9.16, gnutls, httpd:2.4, squid, unbound, and xorg-x11-server), SUSE (perl-Net-CIDR-Lite), and Ubuntu (apache2, maven-shared-utils, and nss). --------------------------------------------- https://lwn.net/Articles/969590/ ∗∗∗ Linux-Kernel: Neuer Exploit verschafft Root-Rechte ∗∗∗ --------------------------------------------- Ob die Lücke in den jüngsten Kernelversionen behoben ist, ist selbst Sicherheitsexperten unklar. Auch um die Urheberschaft gibt es Streit. --------------------------------------------- https://heise.de/-9682586 ∗∗∗ B&R: 2024-04-10: Cyber Security Advisory - B&R APROL Several vulnerabilities in the Docker Engine ∗∗∗ --------------------------------------------- https://www.br-automation.com/fileadmin/SA24P006_Several_vulnerabilities_in… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.04.2024
by Daily end-of-shift report 11 Apr '24

11 Apr '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 10-04-2024 18:00 − Donnerstag 11-04-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ New Spectre v2 attack impacts Linux systems on Intel CPUs ∗∗∗ --------------------------------------------- Researchers have demonstrated the "first native Spectre v2 exploit" for a new speculative execution side-channel flaw that impacts Linux systems running on many modern Intel processors. [..] The hardware vendor has indicated that future processors will include mitigations for BHI and potentially other speculative execution vulnerabilities. For a complete list of impacted Intel processors to the various speculative execution side-channel flaws, check this page updated by the vendor. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-spectre-v2-attack-impact… ∗∗∗ CISA says Sisense hack impacts critical infrastructure orgs ∗∗∗ --------------------------------------------- The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is investigating the recent breach of data analytics company Sisense, an incident that also impacted critical infrastructure organizations. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cisa-says-sisense-hack-impac… ∗∗∗ DragonForce Ransomware - What You Need To Know ∗∗∗ --------------------------------------------- A relatively new strain of ransomware called DragonForce has making the headlines after a series of high-profile attacks. Like many other ransomware groups, DragonForce attempts to extort money from its victims in two ways - locking companies out of their computers and data through encryption, and exfiltrating data from compromised systems with the threat of releasing it to others via the dark web. So far, so normal. How did DragonForce come to prominence? --------------------------------------------- https://www.tripwire.com/state-of-security/dragonforce-ransomware-what-you-… ∗∗∗ CISA Releases Malware Next-Gen Analysis System for Public Use ∗∗∗ --------------------------------------------- CISAs Malware Next-Gen system is now available for any organization to submit malware samples and other suspicious artifacts for analysis. --------------------------------------------- https://www.securityweek.com/cisa-releases-malware-next-gen-analysis-system… ∗∗∗ Metasploit Meterpreter Installed via Redis Server ∗∗∗ --------------------------------------------- Redis is an abbreviation of Remote Dictionary Server, which is an open-source in-memory data structure storage that is also used as a database. It is presumed that the threat actors abused inappropriate settings or ran commands through vulnerability attacks. --------------------------------------------- https://asec.ahnlab.com/en/64034/ ∗∗∗ Control Web Panel - Fingerprinting Open-Source Software using a Consolidation Algorithm approach ∗∗∗ --------------------------------------------- This blog post details one of these very unique cases: `CVE-2022-44877`, an unauthenticated Command Injection issue, flagged by CISA as a Known Exploited Vulnerability (CISA KEV), affecting Control Web Panel, an open-source control panel for servers and VPS management. Initially, the team could not find a way to straightforwardly fingerprint the software’s version, nor another way to detect it without intrusive exploitation - thus we used a novelty technique: an algorithm that retrieves the web application’s static web content files and consolidates them to pin-point the software’s version. --------------------------------------------- https://www.bitsight.com/blog/control-web-panel-fingerprinting-open-source-… ===================== = Vulnerabilities = ===================== ∗∗∗ Node.js Security Advisories Apr 10, 2024 ∗∗∗ --------------------------------------------- Node v21.7.3 (Current), Node v20.12.2 (LTS), Node v18.20.2 (LTS): CVE-2024-27980 - Command injection via args parameter of child_process.spawn without shell option enabled on Windows. --------------------------------------------- https://nodejs.org/en/blog/release/ ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (kernel, less, libreoffice, nodejs:18, nodejs:20, rear, thunderbird, and varnish), Debian (pillow), Fedora (dotnet7.0), SUSE (sngrep, texlive-specs-k, tomcat, tomcat10, and xorg-x11-server), and Ubuntu (nss, squid, and util-linux). --------------------------------------------- https://lwn.net/Articles/969468/ ∗∗∗ Citrix: XenServer and Citrix Hypervisor Security Update for CVE-2023-46842, CVE-2024-2201 and CVE-2024-31142 ∗∗∗ --------------------------------------------- Two issues have been identified that affect XenServer and Citrix Hypervisor; each issue may allow malicious unprivileged code in a guest VM to infer the contents of memory belonging to its own or other VMs on the same host. --------------------------------------------- https://support.citrix.com/article/CTX633151/xenserver-and-citrix-hyperviso… ∗∗∗ Google Chrome: Sandbox-Ausbruch durch bestimmte Gesten möglich ∗∗∗ --------------------------------------------- Mit etwas Verspätung haben Googles Entwickler das wöchentliche Update für den Chrome-Webbrowser veröffentlicht. Insgesamt drei Sicherheitslücken stopfen die Programmierer darin. Alle tragen die Risikoeinstufung "hoch". --------------------------------------------- https://heise.de/-9681413 ∗∗∗ WLAN-Access-Points von TP-Link 15 Minuten nach Reboot attackierbar ∗∗∗ --------------------------------------------- Angreifer können die WLAN-Access-Points von TP-Link AC1350 Wireless und N300 Wireless N Ceiling Mount attackieren und unter anderem auf Werksweinstellungen zurücksetzen. [..] Sicherheitsupdates sind verfügbar. --------------------------------------------- https://heise.de/-9681863 ∗∗∗ Palo Alto Security Advisories ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Juniper Security Advisories ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/global-search/%40uri?language=en_US#sor… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.04.2024
by Daily end-of-shift report 10 Apr '24

10 Apr '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 09-04-2024 18:00 − Mittwoch 10-04-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Verzögerte Aussendung der CERT.at-Tagesberichte ∗∗∗ --------------------------------------------- Aufgrund einer Fehlkonfiguration unserer Firewall kam es gestern, am 09.04.2024, zu einer teilweise verzögerten Aussendung unserer Tagesberichte. Wir bitten um Entschuldigung für entstandene Unannehmlichkeiten. --------------------------------------------- https://cert.at/de/aktuelles/2024/4/verzogerte-aussendung-der-certat-tagesb… ∗∗∗ VU#123335: Multiple Programming Languages Fail to Escape Arguments Properly in Microsoft Windows ∗∗∗ --------------------------------------------- Various programming languages lack proper validation mechanisms for commands and in some cases also fail to escape arguments correctly when invoking commands within a Microsoft Windows environment. The command injection vulnerability in these programming languages, when running on Windows, allows attackers to execute arbitrary code disguised as arguments to the command. --------------------------------------------- https://kb.cert.org/vuls/id/123335 ∗∗∗ Wie sich NIS 2 auf Mitarbeiter in Unternehmen auswirken wird ∗∗∗ --------------------------------------------- ÖGB Datenschutzexperte Sebastian Klocker im Interview über Schulungsmaßnahmen, Zutrittskontrollen und Überwachung. --------------------------------------------- https://futurezone.at/netzpolitik/nis-2-cybersicherheit-richtlinie-eu-geset… ∗∗∗ Datenpanne bei Microsoft: Passwörter und Quellcode lagen wohl offen im Netz ∗∗∗ --------------------------------------------- Microsoft hatte offenbar einen Azure-Storage-Server falsch konfiguriert. Angeblich sind allerhand sensible Daten des Konzerns für jedermann abrufbar gewesen. --------------------------------------------- https://www.golem.de/news/datenpanne-bei-microsoft-passwoerter-und-quellcod… ∗∗∗ Raspberry Robin Returns: New Malware Campaign Spreading Through WSF Files ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered a new Raspberry Robin campaign wave that propagates the malware through malicious Windows Script Files (WSFs) since March 2024. --------------------------------------------- https://thehackernews.com/2024/04/raspberry-robin-returns-new-malware.html ∗∗∗ Active Nitrogen campaign delivered via malicious ads for PuTTY, FileZilla ∗∗∗ --------------------------------------------- Threat actors once again target system administrators via their favorite tools. Learn more about their TTPs and use the IOCs provide to investigate. --------------------------------------------- https://www.malwarebytes.com/blog/threat-intelligence/2024/04/active-nitrog… ∗∗∗ Muddled Libra’s Evolution to the Cloud ∗∗∗ --------------------------------------------- Muddled Libra now actively targets CSP environments and SaaS applications. Using the MITRE ATT&CK framework, we outline observed TTPs from incident response. --------------------------------------------- https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/ ∗∗∗ Datendiebstahl unter macOS: Zwei neue Kampagnen aufgedeckt ∗∗∗ --------------------------------------------- Den Cyberkriminellen geht es um vertrauliche Nutzerdaten wie Passwörter. Unter anderem kommen gefälschte Werbeanzeigen zum Einsatz, um einen Infostealer einzuschleusen. --------------------------------------------- https://www.zdnet.de/88415282/datendiebstahl-unter-macos-zwei-neue-kampagne… ∗∗∗ New Technique to Trick Developers Detected in an Open Source Supply Chain Attack ∗∗∗ --------------------------------------------- In a recent attack campaign, cybercriminals were discovered cleverly manipulating GitHub’s search functionality, and using meticulously crafted repositories to distribute malware. --------------------------------------------- https://checkmarx.com/blog/new-technique-to-trick-developers-detected-in-an… ===================== = Vulnerabilities = ===================== ∗∗∗ Critical BatBadBut Rust Vulnerability Exposes Windows Systems to Attacks ∗∗∗ --------------------------------------------- A critical security flaw in the Rust standard library could be exploited to target Windows users and stage command injection attacks. --------------------------------------------- https://thehackernews.com/2024/04/critical-batbadbut-rust-vulnerability.html ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gtkwave), Fedora (dotnet7.0, dotnet8.0, and python-pillow), Mageia (apache, gstreamer1.0, libreoffice, perl-Data-UUID, and xen), Oracle (kernel, kernel-container, and varnish), Red Hat (edk2, kernel, rear, and unbound), SUSE (apache2-mod_jk, gnutls, less, and xfig), and Ubuntu (bind9, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, [...] --------------------------------------------- https://lwn.net/Articles/969314/ ∗∗∗ Patchday: Angreifer umgehen erneut Sicherheitsfunktion und attackieren Windows ∗∗∗ --------------------------------------------- Microsoft hat wichtige Sicherheitsupdates für unter anderem Bitlocker, Office und Windows Defender veröffentlicht. Zwei Lücken nutzen Angreifer bereits aus. --------------------------------------------- https://heise.de/-9679989 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ XSA-455 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-455.html ∗∗∗ Pepperl+Fuchs: ICE2- * and ICE3- * are affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2024-017/ ∗∗∗ PC System Recovery Bootloader Vulnerabilities ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500613-PC-SYSTEM-RECOVERY-BOOT… ∗∗∗ AMI MegaRAC Vulnerability ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500612-AMI-MEGARAC-VULNERABILI… ∗∗∗ System Management Module (SMM v1 and v2) and Fan Power Controller (FPC) Vulnerabilities ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/SYSTEM-MANAGEMENT-MODULE-SMM-V1-… ∗∗∗ AMD Radeon Vulnerabilities ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500615 ∗∗∗ Adobe Releases Security Updates for Multiple Products ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/04/09/adobe-releases-security-… ∗∗∗ Sunhillo SureLine Command Injection Attack ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/outbreak-alert/sunhillo-sureline-attack -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.04.2024
by Daily end-of-shift report 09 Apr '24

09 Apr '24

===================== = End-of-Day report = ===================== Timeframe: Montag 08-04-2024 18:00 − Dienstag 09-04-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ New SharePoint flaws help hackers evade detection when stealing files ∗∗∗ --------------------------------------------- Researchers have discovered two techniques that could enable attackers to bypass audit logs or generate less severe entries when downloading files from SharePoint. [..] Varonis disclosed these bugs in November 2023, and Microsoft added the flaws to a patch backlog for future fixing. However, the issues were rated as moderate severity, so they won't receive immediate fixes. Therefore, SharePoint admins should be aware of these risks and learn to identify and mitigate them until patches become available. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-sharepoint-flaws-help-ha… ∗∗∗ Researchers Discover LG Smart TV Vulnerabilities Allowing Root Access ∗∗∗ --------------------------------------------- Multiple security vulnerabilities have been disclosed in LG webOS running on its smart televisions that could be exploited to bypass authorization and gain root access on the devices. [..] The issues were fixed by LG as part of updates released on March 22, 2024. [..] "Although the vulnerable service is intended for LAN access only, Shodan, the search engine for Internet-connected devices, identified over 91,000 devices that expose this service to the Internet," Bitdefender said. --------------------------------------------- https://thehackernews.com/2024/04/researchers-discover-lg-smart-tv.html ∗∗∗ Vorsicht vor falschen Nachrichten vom Finanzamt ∗∗∗ --------------------------------------------- Sie erwarten eine Nachricht vom Finanzamt? Wir raten zur Vorsicht: Derzeit sind zahlreiche gefälschte SMS- und E-Mail-Benachrichtigungen von FinanzOnline bzw. vom Finanzamt im Umlauf. Klicken Sie nicht voreilig auf Links und fragen Sie im Zweifelsfall bei der jeweiligen Behörde nach! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-falschen-nachrichten-vo… ∗∗∗ It Was Not Me! Malware-Initiated Vulnerability Scanning Is on the Rise ∗∗∗ --------------------------------------------- We describe the characteristics of malware-initiated scanning attacks. These attacks differ from direct scanning and are increasing according to our data. --------------------------------------------- https://unit42.paloaltonetworks.com/malware-initiated-scanning-attacks/ ∗∗∗ Notepad++: Entwickler warnt vor Parasiten-Webseite und bittet um Mithilfe ∗∗∗ --------------------------------------------- Die unautorisierte Webseite bezeichnet sich als "Fan-Projekt", der Notepad++-Entwickler fürchtet jedoch schädliche Auswirkungen. Die Community soll helfen. --------------------------------------------- https://heise.de/-9678725 ===================== = Vulnerabilities = ===================== ∗∗∗ Fortinet Security Advisories 2024-04-09 ∗∗∗ --------------------------------------------- Fortinet has released 12 security advisories: FortiOS, FortiManager, FortiClientLinux, FortiClientMac, FortiProxy, FortiMai, FortiSandbox, FortiNAC-F (1x critical, 4x high, 7x medium) --------------------------------------------- https://www.fortiguard.com/psirt?product=FortiOS-6K7K%2CFortiOS&product=For… ∗∗∗ Fortinet: SMTP Smuggling ∗∗∗ --------------------------------------------- FortiMail may be susceptible to smuggling attacks if some measures are not put in place. We therefore recommend to adhere to the following indications in order to mitigate the potential risk associated to the smuggling attacks [..] --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-24-009 ∗∗∗ OpenSSL 3.3 Series Release Notes ∗∗∗ --------------------------------------------- Fixed unbounded memory growth with session handling in TLSv1.3 ([CVE-2024-2511]) --------------------------------------------- https://www.openssl.org/news/openssl-3.3-notes.html ∗∗∗ Technical Advisory – Ollama DNS Rebinding Attack (CVE-2024-28224) ∗∗∗ --------------------------------------------- Ollama is an open-source system for running and managing large language models (LLMs). [..] Ollama fixed this issue in release v0.1.29. --------------------------------------------- https://research.nccgroup.com/2024/04/08/technical-advisory-ollama-dns-rebi… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (expat), Oracle (less and nodejs:20), Slackware (libarchive), SUSE (kubernetes1.23, nghttp2, qt6-base, and util-linux), and Ubuntu (python-django). --------------------------------------------- https://lwn.net/Articles/969141/ ∗∗∗ ICS Patch Tuesday: Siemens Addresses Palo Alto Networks Product Vulnerabilities ∗∗∗ --------------------------------------------- Siemens and Schneider Electric release their ICS Patch Tuesday advisories for April 2024, informing customers about dozens of vulnerabilities. --------------------------------------------- https://www.securityweek.com/ics-patch-tuesday-siemens-addresses-palo-alto-… ∗∗∗ SSA-885980 V1.0: Multiple Vulnerabilities in Scalance W1750D ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-885980.html ∗∗∗ SSA-822518 V1.0: Multiple Vulnerabilities in Palo Alto Networks Virtual NGFW before V11.0.1 on RUGGEDCOM APE1808 devices ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-822518.html ∗∗∗ SSA-730482 V1.0: Denial of Service Vulnerability in SIMATIC WinCC ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-730482.html ∗∗∗ SSA-556635 V1.0: Multiple Vulnerabilities in Telecontrol Server Basic before V3.1.2.0 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-556635.html ∗∗∗ SSA-455250 V1.0: Multiple Vulnerabilities in Palo Alto Networks Virtual NGFW on RUGGEDCOM APE1808 devices ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-455250.html ∗∗∗ SSA-265688 V1.0: Vulnerabilities in the additional GNU/Linux subsystem of the SIMATIC S7-1500 TM MFP V1.1 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-265688.html ∗∗∗ SSA-222019 V1.0: X_T File Parsing Vulnerabilities in Parasolid ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-222019.html ∗∗∗ SSA-128433 V1.0: Multiple Vulnerabilities in SINEC NMS before V2.0 SP2 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-128433.html ∗∗∗ Xen: XSA-454 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-454.html ∗∗∗ Welotec: Two vulnerabilities in TK500v1 router series ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2024-009/ ∗∗∗ SUBNET PowerSYSTEM Server and Substation Server ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-100-01 ∗∗∗ Multiple vulnerabilities in WordPress Plugin "Ninja Forms" ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN50361500/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ SAP-Patchday: Zehn Sicherheitsmitteilungen im April ∗∗∗ --------------------------------------------- https://heise.de/-9678796 ∗∗∗ HP Poly CCX IP-Telefone erlauben unbefugten Zugriff ∗∗∗ --------------------------------------------- https://heise.de/-9679027 ∗∗∗ Robot Operating System: Zahlreiche Schwachstellen gefunden und geschlossen ∗∗∗ --------------------------------------------- https://heise.de/-9679260 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.04.2024
by Daily end-of-shift report 08 Apr '24

08 Apr '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 05-04-2024 18:00 − Montag 08-04-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Jetzt patchen! Rund 16.500 VPN-Instanzen von Ivanti potenziell angreifbar ∗∗∗ --------------------------------------------- Scans zeigen, dass weltweit tausende VPN-Instanzen von Ivanti des Typs Connect Secure und Policy Secure Gateway verwundbar sind. [..] Eigenen Angaben zufolge sind Sicherheitsforscher von Shadowserver weltweit auf rund 16.500 VPN-Instanzen gestoßen, die mit hoher Wahrscheinlichkeit für Attacken empfänglich sind (CVE-2024-21894 „hoch“, CVE-2024-22053 „hoch“). Sind Angriffe erfolgreich, kann Schadcode auf Appliances gelangen. Im Anschluss gelten Systeme in der Regel als vollständig kompromittiert. --------------------------------------------- https://heise.de/-9677551 ∗∗∗ Over 92,000 exposed D-Link NAS devices have a backdoor account ∗∗∗ --------------------------------------------- A threat researcher has disclosed a new arbitrary command injection and hardcoded backdoor flaw in multiple end-of-life D-Link Network Attached Storage (NAS) device models. --------------------------------------------- https://www.bleepingcomputer.com/news/security/over-92-000-exposed-d-link-n… ∗∗∗ Fake Facebook MidJourney AI page promoted malware to 1.2 million people ∗∗∗ --------------------------------------------- Hackers are using Facebook advertisements and hijacked pages to promote fake Artificial Intelligence services, such as MidJourney, OpenAIs SORA and ChatGPT-5, and DALL-E, to infect unsuspecting users with password-stealing malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fake-facebook-midjourney-ai-… ∗∗∗ Tastatursteuerung: Amazon untersucht Sicherheitslücke in Fire-TV-Funktion ∗∗∗ --------------------------------------------- Amazon hat eine Komfort-Funktion für Fire-TV-Geräte aufgrund möglicher Sicherheitsbedenken von Green Line Analytics vorübergehend zurückgezogen. --------------------------------------------- https://www.golem.de/news/tastatursteuerung-amazon-untersucht-sicherheitslu… ∗∗∗ Hackers Exploit Magento Bug to Steal Payment Data from E-commerce Websites ∗∗∗ --------------------------------------------- Threat actors have been found exploiting a critical flaw in Magento to inject a persistent backdoor into e-commerce websites. The attack leverages CVE-2024-20720 (CVSS score: 9.1), which has been described by Adobe as a case of "improper neutralization of special elements" that could pave the way for arbitrary code execution. It was addressed by the company as part of security updates released on February 13, 2024. --------------------------------------------- https://thehackernews.com/2024/04/hackers-exploit-magento-bug-to-steal.html ∗∗∗ Automating Pikabot’s String Deobfuscation ∗∗∗ --------------------------------------------- Pikabot is a malware loader that originally emerged in early 2023 with one of the prominent features being the code obfuscation that it leverages to evade detection and thwart technical analysis. Pikabot employed the obfuscation method to encrypt binary strings, including the address of the command-and-control (C2) servers. In this article, we briefly describe the obfuscation method used by Pikabot and we present an IDA plugin (with source code) that we developed to assist in our binary analysis. --------------------------------------------- https://www.zscaler.com/blogs/security-research/automating-pikabot-s-string… ∗∗∗ Confidential VMs Hacked via New Ahoi Attacks ∗∗∗ --------------------------------------------- New Ahoi attacks Heckler and WeSee target AMD SEV-SNP and Intel TDX with malicious interrupts to hack confidential VMs. --------------------------------------------- https://www.securityweek.com/confidential-vms-hacked-via-new-ahoi-attacks/ ∗∗∗ Vorsicht vor kostenlosen Diensten zur Anpassung und Veränderung von Dateien ∗∗∗ --------------------------------------------- Sie möchten Dateien konvertieren, verkleinern oder Dokumente zusammenfügen? Im Internet gibt es dafür zahlreiche vermeintlich kostenlose Dienste. Wir raten davon ab, denn hinter vielen Angeboten steckt eine Abofalle. Zudem ist oft unklar, was mit Ihren Dokumenten geschieht. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-kostenlosen-diensten-zu… ∗∗∗ IBIS-Hotel: Check-In-Terminal gibt Zugangsdaten fremder Zimmer aus ∗∗∗ --------------------------------------------- Nächster Sicherheitsunfall bei Hotels: Bei den Check-In-Terminals der IBIS-Hotels war es durch Eingabe einer speziellen nicht alphanumerischen Buchungsnummer möglich, die Tastencodes von fast die Hälfte der Zimmer abzurufen. Dritte hätten in die Zimmer eindringen und Wertsachen stehlen können. --------------------------------------------- https://www.borncity.com/blog/2024/04/06/ibis-hotel-check-in-terminal-gibt-… ∗∗∗ ScrubCrypt Deploys VenomRAT with an Arsenal of Plugins ∗∗∗ --------------------------------------------- FortiGuard Labs uncovered a threat actor using ScrubCrypt to spread VenomRAT along with multiple RATs. --------------------------------------------- https://feeds.fortinet.com/~/875486669/0/fortinet/blogs~ScrubCrypt-Deploys-… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (jetty9, libcaca, libgd2, tomcat9, and util-linux), Fedora (chromium, micropython, and upx), Mageia (chromium-browser-stable, dav1d, libreswan, libvirt, nodejs, texlive-20220321, and util-linux), Red Hat (less, nodejs:20, and varnish), Slackware (tigervnc), and SUSE (buildah, c-ares, cdi-apiserver-container, cdi-cloner-container, cdi- controller-container, cdi-importer-container, cdi-operator-container, cdi- uploadproxy-container, cdi-uploadserver-container, cont, curl, expat, go1.21, go1.22, guava, helm, indent, krb5, kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t, libcares2, libvirt, ncurses, nghttp2, podman, postfix, python-Django, python-Pillow, python310, qemu, rubygem-rack, thunderbird, ucode-intel, and xen). --------------------------------------------- https://lwn.net/Articles/968999/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.04.2024
by Daily end-of-shift report 05 Apr '24

05 Apr '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 04-04-2024 18:00 − Freitag 05-04-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Fake AI law firms are sending fake DMCA threats to generate fake SEO gains ∗∗∗ --------------------------------------------- If you run a personal or hobby website, getting a copyright notice from a law firm about an image on your site can trigger some fast-acting panic. Ernie Smith, the prolific, ever-curious writer behind the newsletter Tedium, received a "DMCA Copyright Infringement Notice" in late March from "Commonwealth Legal," representing the "Intellectual Property division" of Tech4Gods. --------------------------------------------- https://arstechnica.com/?p=2014933 ∗∗∗ Continuation Flood: DoS-Angriffstechnik legt HTTP/2-Server ohne Botnetz lahm ∗∗∗ --------------------------------------------- Für einen erfolgreichen Angriff ist in einigen Fällen nur eine einzige TCP-Verbindung erforderlich. Es kommt zu einer Überlastung von Systemressourcen. --------------------------------------------- https://www.golem.de/news/continuation-flood-dos-angriffstechnik-legt-http-… ∗∗∗ AI-as-a-Service Providers Vulnerable to PrivEsc and Cross-Tenant Attacks ∗∗∗ --------------------------------------------- New research has found that artificial intelligence (AI)-as-a-service providers such as Hugging Face are susceptible to two critical risks that could allow threat actors to escalate privileges, gain cross-tenant access to other customers models, and even take over the continuous integration and continuous deployment (CI/CD) pipelines. [..] To mitigate the issue, it's recommended to enable IMDSv2 with Hop Limit so as to prevent pods from accessing the Instance Metadata Service (IMDS) and obtaining the role of a Node within the cluster. --------------------------------------------- https://thehackernews.com/2024/04/ai-as-service-providers-vulnerable-to.html ∗∗∗ Bing ad for NordVPN leads to SecTopRAT ∗∗∗ --------------------------------------------- Threat actors are luring victims to a fake NordVPN website that installs a Remote Access Trojan. --------------------------------------------- https://www.malwarebytes.com/blog/threat-intelligence/2024/04/bing-ad-for-n… ∗∗∗ Neue Dreiecksbetrugsmasche: Kriminelle bestellen in Ihrem Namen ∗∗∗ --------------------------------------------- Sie kaufen online ein, bezahlen und erhalten die gewünschte Ware. Doch nach einigen Wochen erreicht Sie plötzlich eine Mahnung, ein Inkassoschreiben oder sogar eine Betrugsanzeige. Der Grund: Eine nicht bezahlte Rechnung von einem Onlineshop, bei dem Sie gar nichts bestellt haben. In diesem Fall wurden Sie und der Onlineshop betrogen. Wir zeigen Ihnen wie diese neue Masche funktioniert und wie Sie sich schützen können. --------------------------------------------- https://www.watchlist-internet.at/news/neue-dreiecksbetrugsmasche-kriminell… ∗∗∗ The Illusion of Privacy: Geolocation Risks in Modern Dating Apps ∗∗∗ --------------------------------------------- Key takeaways Introduction Dating apps traditionally utilize location data, offering the opportunity to connect with people nearby, and enhancing the chances of real-life meetings. Some apps can also display the distance of the user to other users. This feature is quite useful for coordinating meetups, indicating whether a potential match is just a short distance away or a kilometer apart. However, openly sharing your distance with other users can create serious security issues. The risks become apparent when you consider the potential misuse by a curious individual armed with advanced knowledge of techniques like trilateration. --------------------------------------------- https://research.checkpoint.com/2024/the-illusion-of-privacy-geolocation-ri… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (cockpit), Mageia (python-pygments), Red Hat (nodejs), Slackware (httpd and nghttp2), SUSE (avahi, gradle, gradle-bootstrap, and squid), and Ubuntu (xorg-server, xwayland). --------------------------------------------- https://lwn.net/Articles/968561/ ∗∗∗ Lexmark: Hochriskante Lücken erlauben Codeschmuggel auf Drucker ∗∗∗ --------------------------------------------- Lexmark warnt vor Sicherheitslücken in diversen Drucker-Firmwares. Angreifer können Schadcode einschleusen. Updates sind verfügbar. --------------------------------------------- https://heise.de/-9675861 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.04.2024
by Daily end-of-shift report 04 Apr '24

04 Apr '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 03-04-2024 18:00 − Donnerstag 04-04-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ SurveyLama data breach exposes info of 4.4 million users ∗∗∗ --------------------------------------------- In early February, HIBP's creator, Troy Hunt, received information about a data breach impacting the service, which involved various data types, including: Dates of birth. Email addresses. IP addresses, Full Names, Passwords, Phone numbers, Physical addresses [..] The data set contains information about 4,426,879 accounts and was added to HIBP yesterday, so impacted users should have already received an email notification. --------------------------------------------- https://www.bleepingcomputer.com/news/security/surveylama-data-breach-expos… ∗∗∗ New HTTP/2 DoS attack can crash web servers with a single connection ∗∗∗ --------------------------------------------- Newly discovered HTTP/2 protocol vulnerabilities called "CONTINUATION Flood" can lead to denial of service (DoS) attacks, crashing web servers with a single TCP connection in some implementations. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-http-2-dos-attack-can-cr… ∗∗∗ Angriff mit neuer Ransomware: SEXi-Hacker verschlüsseln ESXi-Server ∗∗∗ --------------------------------------------- Die neue SEXi-Ransomware ist kürzlich in einem Rechenzentrum von Powerhost zum Einsatz gekommen. Betroffene Kundensysteme sind wohl teilweise nicht wiederherstellbar. [..] Bei der Bezeichnung scheint es sich um ein Wortspiel zu handeln, denn die Angreifer haben es damit offenkundig auf VMware ESXi-Server abgesehen. --------------------------------------------- https://www.golem.de/news/angriff-mit-neuer-ransomware-sexi-hacker-verschlu… ∗∗∗ Windows NTLM Credentials-Schwachstelle CVE-2024-21320: Fix durch 0patch ∗∗∗ --------------------------------------------- In Windows gibt es eine Schwachstelle (CVE-2024-21320), die NTLM-Anmeldeinformationen über Windows-Themen offen legt. Microsoft hat zwar im Januar 2024 die Schwachstelle CVE-2024-21320 mit einem Patch versehen. Dieser Patch stellt eine Richtlinie bereit, um das Abrufen der NTLM-Anmeldeinformationen zu verhindern, wenn Theme-Dateien auf Netzlaufwerken liegen. ACROS Security hat nun einen Micropatch für den 0patch-Agenten veröffentlicht, der die Schwachstelle generell (ohne Registrierungseingriff) schließt. --------------------------------------------- https://www.borncity.com/blog/2024/04/04/windows-ntlm-credentials-schwachst… ∗∗∗ Latrodectus: This Spider Bytes Like Ice ∗∗∗ --------------------------------------------- We share Proofpoint’s assessment that Latrodectus will become increasingly used by financially motivated threat actors across the criminal landscape, particularly those who previously distributed IcedID.. This research highlights the value of collaborative work between commercial threat intelligence companies, piecing together distinct viewpoints to provide a more complete picture of malicious activities. --------------------------------------------- https://www.team-cymru.com/post/latrodectus-this-spider-bytes-like-ice ∗∗∗ Byakugan – The Malware Behind a Phishing Attack ∗∗∗ --------------------------------------------- FortiGuard Labs has uncovered the Byakugan malware behind a recent malware campaign distributed by malicious PDF files [..] In January 2024, FortiGuard Labs collected a PDF file written in Portuguese that distributes a multi-functional malware known as Byakugan. While investigating this campaign, a report about it was published. Therefore, this report will only provide a brief analysis of the overlap between that attack and this and focus primarily on the details of the infostealer. --------------------------------------------- https://www.fortinet.com/blog/threat-research/byakugan-malware-behind-a-phi… ∗∗∗ Politische Parteien vor der EU-Wahl häufiger Ziel von Cyberangriffen ∗∗∗ --------------------------------------------- Cyberangreifer konzentrieren sich derzeit offenbar stark auf politische Akteure und Parteien. Gefahr bestehe besonders durch sogenannte Hack-and-Leak-Angriffe. --------------------------------------------- https://heise.de/-9674511 ===================== = Vulnerabilities = ===================== ∗∗∗ Ivanti fixes VPN gateway vulnerability allowing RCE, DoS attacks ∗∗∗ --------------------------------------------- IT security software company Ivanti has released patches to fix multiple security vulnerabilities impacting its Connect Secure and Policy Secure gateways. Unauthenticated attackers can exploit one of them, a high-severity flaw tracked as CVE-2024-21894, to gain remote code execution and trigger denial of service states on unpatched appliances in low-complexity attacks that don't require user interaction. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ivanti-fixes-vpn-gateway-vul… ∗∗∗ Cisco Security Advisories 2024-04-03 ∗∗∗ --------------------------------------------- Security Impact Rating: 1x High, 11x Medium --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs… ∗∗∗ CISA Adds Two Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CVE-2024-29745 Android Pixel Information Disclosure Vulnerability, CVE-2024-29748 Android Pixel Privilege Escalation Vulnerability --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/04/04/cisa-adds-two-known-expl… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Hitachi Energy Asset Suite 9 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-095-01 ∗∗∗ Schweitzer Engineering Laboratories SEL ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-095-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.04.2024
by Daily end-of-shift report 03 Apr '24

03 Apr '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 02-04-2024 18:00 − Mittwoch 03-04-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ NIS2-Begutachtungsverfahren gestartet ∗∗∗ --------------------------------------------- Die Regierung hat am 3. April 2024 das Cybersicherheitsgesetz zur europäischen NIS2-Verordnung in Begutachtung geschickt. --------------------------------------------- https://www.bmi.gv.at/news.aspx?id=7567384169746C75366D413D ∗∗∗ Kritik nach Cyberangriff: Microsoft hat seine Kronjuwelen nicht im Griff ∗∗∗ --------------------------------------------- Ein im Sommer 2023 festgestellter Cyberangriff auf Microsofts Server hatte für einige Kunden verheerende Folgen. Eine US-Kommission erhebt nun schwere Vorwürfe gegen den Konzern. --------------------------------------------- https://www.golem.de/news/us-kommission-aeussert-kritik-hackerangriff-auf-m… ∗∗∗ The Mystery of ‘Jia Tan,’ the XZ Backdoor Mastermind ∗∗∗ --------------------------------------------- As scrutiny around Jia Tan has mounted since the revelation of the XZ Utils backdoor last Friday, researchers have noted that the persona has remarkably good operational security. [..] The Jia Tan persona has vanished since the backdoor was discovered [..] In fact, the only real footprints Jia Tan appears to have left behind were their contributions to the open source development community, where they were a prolific contributor: Disturbingly, Jia Tan’s first code change was to the “libarchive” compression library, another very widely used open source component. [..] In total, Jia Tan made 6,000 code changes to at least seven projects between 2021 and February 2024 [..] Security researchers agree, at least, that it’s unlikely that Jia Tan is a real person, or even one person working alone. Instead, it seems clear that the persona was the online embodiment of a new tactic from a new, well-organized organization—a tactic that nearly worked. --------------------------------------------- https://www.wired.com/story/jia-tan-xz-backdoor/ ∗∗∗ XZ Utils Backdoor Attack Brings Another Similar Incident to Light ∗∗∗ --------------------------------------------- In a post on Mastodon, Hans-Christoph Steiner, a maintainer of F-Droid, recalled a similar story from 2020, when an individual attempted to get F-Droid developers to add what later was determined to be a SQL injection vulnerability. That attempt was unsuccessful, but has some similarities to the XZ incident. --------------------------------------------- https://www.securityweek.com/xz-utils-backdoor-attack-brings-another-simila… ∗∗∗ Distinctive Campaign Evolution of Pikabot Malware ∗∗∗ --------------------------------------------- PikaBot is a malicious backdoor that has been active since early 2023. Its modular design is comprised of a loader and a core component. [..] During February 2024, McAfee Labs observed a significant change in the campaigns that distribute Pikabot. --------------------------------------------- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/distinctive-campaign-e… ∗∗∗ Hohe Handyrechnung durch ungewolltes Abo? ∗∗∗ --------------------------------------------- Per E-Mail oder SMS werden Sie plötzlich von Ihrem Mobilfunkanbieter darüber informiert, dass Sie ein Abo abgeschlossen haben. Sie sind sich aber sicher, dass Sie keinem Vertrag zugestimmt haben und wissen auch nicht, wie es dazu gekommen ist? Wir zeigen Ihnen, was Sie gegen unseriöse Abbuchungen von Ihrer Handyrechnung tun können und wie Sie sich vor Abofallen schützen. --------------------------------------------- https://www.watchlist-internet.at/news/hohe-handyrechnung-durch-ungewolltes… ∗∗∗ Another Path to Exploiting CVE-2024-1212 in Progress Kemp LoadMaster ∗∗∗ --------------------------------------------- Rhino Labs discovered a pre-authentication command injection vulnerability in the Progress Kemp LoadMaster. [..] This was a really cool find by Rhino Labs. Here I add one additional exploitation path and some additional ways to test for this vulnerability. --------------------------------------------- https://medium.com/tenable-techblog/another-path-to-exploiting-cve-2024-121… ∗∗∗ Unveiling the Fallout: Operation Cronos Impact on LockBit Following Landmark Disruption ∗∗∗ --------------------------------------------- Our new article provides key highlights and takeaways from Operation Cronos disruption of LockBits operations, as well as telemetry details on how LockBit actors operated post-disruption. --------------------------------------------- https://www.trendmicro.com/en_us/research/24/d/operation-cronos-aftermath.h… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (py7zr), Fedora (biosig4c++ and podman), Oracle (kernel, kernel-container, and ruby:3.1), Red Hat (.NET 7.0, bind9.16, curl, expat, grafana, grafana-pcp, kernel, kernel-rt, kpatch-patch, less, opencryptoki, and postgresql-jdbc), and Ubuntu (cacti). --------------------------------------------- https://lwn.net/Articles/968218/ ∗∗∗ Critical Vulnerability Found in LayerSlider Plugin Installed on a Million WordPress Sites ∗∗∗ --------------------------------------------- A critical SQL injection vulnerability in the LayerSlider WordPress plugin allows attackers to extract sensitive information. --------------------------------------------- https://www.securityweek.com/critical-vulnerability-found-in-layerslider-pl… ∗∗∗ CVE-2024-0394: Rapid7 Minerva Armor Privilege Escalation (FIXED) ∗∗∗ --------------------------------------------- Rapid7 is disclosing CVE-2024-0394, a privilege escalation vulnerability in Rapid7 Minerva’s Armor product family. The root cause of this vulnerability is Minerva’s implementation of OpenSSL’s OPENSSLDIR parameter, which was set to a path accessible to low-privileged users. --------------------------------------------- https://www.rapid7.com/blog/post/2024/04/03/cve-2024-0394-rapid7-minerva-ar… ∗∗∗ Patchday Android: Angreifer können sich höhere Rechte verschaffen ∗∗∗ --------------------------------------------- Neben Google haben auch Samsung und weitere Hersteller wichtige Sicherheitsupdates für Androidgeräte veröffentlicht. --------------------------------------------- https://heise.de/-9673480 ∗∗∗ Codeschmuggellücke in VMware SD-WAN Edge und Orchestrator ∗∗∗ --------------------------------------------- Drei Sicherheitslücken in VMwares SD-WAN Edge und Orchestrator ermöglichen Angreifern unter anderem, Schadcode einzuschleusen. --------------------------------------------- https://heise.de/-9673416 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Mozilla: Security Vulnerabilities fixed in Firefox for iOS 124 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2024-17/ ∗∗∗ Unify: Credentials disclosure vulnerability in Unify OpenScape Desk Phones CP ∗∗∗ --------------------------------------------- https://networks.unify.com/security/advisories/OBSO-2404-01.pdf -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily April 2024