Daily June 2024

daily@lists.cert.at

1 participants
20 discussions

Tageszusammenfassung - 28.06.2024
by Daily end-of-shift report 28 Jun '24

28 Jun '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 27-06-2024 18:00 − Freitag 28-06-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ New Unfurling Hemlock threat actor floods systems with malware ∗∗∗ --------------------------------------------- A threat actor tracked as Unfurling Hemlock has been infecting target systems with up to ten pieces of malware at the same time in campaigns that distribute hundreds of thousands of malicious files .. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-unfurling-hemlock-threat… ∗∗∗ BlackSuit ransomware gang claims attack on KADOKAWA corporation ∗∗∗ --------------------------------------------- The BlackSuit ransomware gang claimed a recent cyberattack on KADOKAWA corporation and is now threatening to publish stolen data if a ransom is not paid. --------------------------------------------- https://www.bleepingcomputer.com/news/security/blacksuit-ransomware-gang-cl… ∗∗∗ Teamviewer gehackt: Cyberangriff trifft populäre Fernwartungssoftware ∗∗∗ --------------------------------------------- Teamviewer hat bestätigt, dass es einen Sicherheitsvorfall gegeben hat. Erste Hinweise deuten darauf hin, dass die Hackergruppe Midnight Blizzard dahinterstecken könnte. --------------------------------------------- https://www.golem.de/news/teamviewer-gehackt-cyberangriff-trifft-populaere-… ∗∗∗ Support of SSL 2.0 on web servers in 2024 ∗∗∗ --------------------------------------------- We last discussed SSLv2 support on internet-exposed web servers about a year ago, when we discovered that there were still about 450 thousand web servers that supported this protocol left on the internet. We also found that a significant portion of these servers was located in Kazakhstan, Tunisia .. --------------------------------------------- https://isc.sans.edu/diary/Support+of+SSL+20+on+web+servers+in+2024/31044 ∗∗∗ Microsoft Informs Customers that Russian Hackers Spied on Emails ∗∗∗ --------------------------------------------- Russian hackers who broke into Microsofts systems and spied on staff inboxes earlier this year also stole emails from its customers, the tech giant said on Thursday, around six months after it first disclosed the intrusion. Reuters: The disclosure underscores the breadth of the breach as Microsoft faces increasing regulatory scrutiny .. --------------------------------------------- https://yro.slashdot.org/story/24/06/28/1319219/microsoft-informs-customers… ∗∗∗ Google cuts ties with Entrust in Chrome over trust issues ∗∗∗ --------------------------------------------- Move comes weeks after Mozilla blasted certificate authority for failings Google is severing its trust in Entrust after what it describes as a protracted period of failures around compliance and general improvements. --------------------------------------------- https://www.theregister.com/2024/06/28/google_axes_entrust_over_six/ ∗∗∗ An Inside Look at The Malware and Techniques Used in the WordPress.org Supply Chain Attack ∗∗∗ --------------------------------------------- On Monday June 24th, 2024 the Wordfence Threat Intelligence team was made aware of the presence of malware in the Social Warfare repository plugin .. --------------------------------------------- https://www.wordfence.com/blog/2024/06/an-inside-look-at-the-malware-and-te… ∗∗∗ Akute Welle an DDoS-Angriffen gegen österreichische Unternehmen und Organisationen ∗∗∗ --------------------------------------------- Seit heute Morgen sind verschiedene österreichische Unternehmen und Organisationen aus unterschiedlichen Branchen und Sektoren mit DDoS-Angriffen konfrontiert. Die genauen Hintergründe der Attacke .. --------------------------------------------- https://www.cert.at/de/aktuelles/2024/6/akute-welle-an-ddos-angriffen-gegen… ∗∗∗ SVR Cyber Actors Adapt Tactics for Initial Cloud Access ∗∗∗ --------------------------------------------- This advisory details recent tactics, techniques, and procedures (TTPs) of the group commonly known as APT29, also known as Midnight Blizzard, the Dukes, or Cozy Bear.The UK National Cyber Security Centre (NCSC) and international partners assess that APT29 is a cyber espionage group, almost certainly part of the SVR, an .. --------------------------------------------- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-057a ∗∗∗ Supply Chain Compromise Leads to Trojanized Installers for Notezilla, RecentX, Copywhiz ∗∗∗ --------------------------------------------- On Tuesday, June 18th, 2024, Rapid7 initiated an investigation into suspicious activity in a customer environment. Our investigation identified that the suspicious behavior was emanating from the installation of .. --------------------------------------------- https://www.rapid7.com/blog/post/2024/06/27/supply-chain-compromise-leads-t… ∗∗∗ Juniper: Kritische Lücke erlaubt Angreifern Übernahme von Session Smart Router ∗∗∗ --------------------------------------------- Juniper Networks liefert außerplanmäßige Updates gegen eine kritische Sicherheitslücke in Session Smart Router, -Conductor und WAN Assurance Router. --------------------------------------------- https://heise.de/-9781931 ===================== = Vulnerabilities = ===================== ∗∗∗ GitLab Releases Patch for Critical CI/CD Pipeline Vulnerability and 13 Others ∗∗∗ --------------------------------------------- https://thehackernews.com/2024/06/gitlab-releases-patch-for-critical-cicd.h… ∗∗∗ 2024-06: Out-Of-Cycle Security Bulletin: Session Smart Router(SSR): On redundant router deployments API authentication can be bypassed (CVE-2024-2973) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-06-Out-Of-Cycle-Security-B… ∗∗∗ OMSA-2024-0001 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/OMSA-2024-0001.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.06.2024
by Daily end-of-shift report 27 Jun '24

27 Jun '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 26-06-2024 18:00 − Donnerstag 27-06-2024 18:00 Handler: Alexander Riepl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Exploit for critical Fortra FileCatalyst Workflow SQLi flaw released ∗∗∗ --------------------------------------------- The Fortra FileCatalyst Workflow is vulnerable to an SQL injection vulnerability that could allow remote unauthenticated attackers to create rogue admin users and manipulate data on the application database. --------------------------------------------- https://www.bleepingcomputer.com/news/security/exploit-for-critical-fortra-… ∗∗∗ Sicherheitslücke: Ungeschützte API liefert sensible Daten deutscher Häftlinge ∗∗∗ --------------------------------------------- Welcher Häftling wann mit seinem Anwalt oder Therapeuten telefoniert hat, ist aufgrund der Sicherheitslücke für jedermann einsehbar gewesen. --------------------------------------------- https://www.golem.de/news/sicherheitsluecke-ungeschuetzte-api-liefert-sensi… ∗∗∗ What Setting Live Traps for Cybercriminals Taught Me About Security [Guest Diary], (Wed, Jun 26th) ∗∗∗ --------------------------------------------- For anyone who doesn’t know what a honeypot is, it is a server created specifically for the purpose of gathering information about unauthorized users that connect to it. A honeypot is usually vulnerable by design and often designed to be enticing to trap unsuspecting criminals into spending more time with it. I named my honeypot “Winnie.” --------------------------------------------- https://isc.sans.edu/diary/rss/31038 ∗∗∗ Rust-Based P2PInfect Botnet Evolves with Miner and Ransomware Payloads ∗∗∗ --------------------------------------------- The peer-to-peer malware botnet known as P2PInfect has been found targeting misconfigured Redis servers with ransomware and cryptocurrency miners. --------------------------------------------- https://thehackernews.com/2024/06/rust-based-p2pinfect-botnet-evolves.html ∗∗∗ Warnung vor Fake Finanzamt-SMS ∗∗∗ --------------------------------------------- Es häufen sich Berichte über eine erneute Smishing-Welle, bei der Kriminelle versuchen, ahnungslose Bürger:innen mit gefälschten SMS-Nachrichten im Namen des Finanzamtes hereinzulegen. --------------------------------------------- https://www.watchlist-internet.at/news/warnung-finanzamt-sms/ ∗∗∗ Rabbit R1: Verrissenes KI-Gadget erweist sich auch als Sicherheitsalbtraum ∗∗∗ --------------------------------------------- Hacker demonstrieren, dass sie auf jede an R1-Geräte geschickte Antwort zugreifen können. Zudem lassen sich die Geräte auf diesem Weg beschädigen und Antworten manipulieren. --------------------------------------------- https://www.derstandard.at/story/3000000226115/rabbit-r1-verrissenes-ki-gad… ∗∗∗ Snowflake isn’t an outlier, it’s the canary in the coal mine ∗∗∗ --------------------------------------------- Headlines continue to roll in about the many implications and follow-on attacks originating from leaked and/or stolen credentials for the Snowflake cloud data platform. --------------------------------------------- https://blog.talosintelligence.com/infostealer-landscape-facilitates-breach… ∗∗∗ MerkSpy: Exploiting CVE-2021-40444 to Infiltrate Systems ∗∗∗ --------------------------------------------- FortiGuard Labs uncovers MerkSpy, a new spyware exploiting CVE-2021-40444 to steal keystrokes and sensitive data. --------------------------------------------- https://www.fortinet.com/blog/threat-research/merkspy-exploiting-cve-2021-4… ∗∗∗ The Growing Threat of Malware Concealed Behind Cloud Services ∗∗∗ --------------------------------------------- Cybersecurity threats are increasingly leveraging cloud services to store, distribute, and establish command and control (C2) servers. --------------------------------------------- https://www.fortinet.com/blog/threat-research/growing-threat-of-malware-con… ===================== = Vulnerabilities = ===================== ∗∗∗ Over 110,000 Websites Affected by Hijacked Polyfill Supply Chain Attack ∗∗∗ --------------------------------------------- Google has taken steps to block ads for e-commerce sites that use the Polyfill.io service after a Chinese company acquired the domain and modified the JavaScript library ("polyfill.js") to redirect users to malicious and scam sites. --------------------------------------------- https://thehackernews.com/2024/06/over-110000-websites-affected-by.html ∗∗∗ Prompt Injection Flaw in Vanna AI Exposes Databases to RCE Attacks ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed a high-severity security flaw in the Vanna.AI library that could be exploited to achieve remote code execution vulnerability via prompt injection techniques. --------------------------------------------- https://thehackernews.com/2024/06/prompt-injection-flaw-in-vanna-ai.html ∗∗∗ GitLab Security Updates Patch 14 Vulnerabilities ∗∗∗ --------------------------------------------- GitLab CE and EE updates resolve 14 vulnerabilities, including a critical- and three high-severity bugs. --------------------------------------------- https://www.securityweek.com/gitlab-security-updates-patch-14-vulnerabiliti… ∗∗∗ Multiple vulnerabilities in TP-Link Omada system could lead to root access ∗∗∗ --------------------------------------------- Affected devices could include wireless access points, routers, switches and VPNs. --------------------------------------------- https://blog.talosintelligence.com/multiple-vulnerabilities-in-tp-link-omad… ∗∗∗ TELSAT marKoni FM Transmitter ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-179-01 ∗∗∗ Johnson Controls Illustra Essentials Gen 4 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-179-04 ∗∗∗ Johnson Controls Illustra Essentials Gen 4 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-179-07 ∗∗∗ SDG Technologies PnPSCADA ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-179-02 ∗∗∗ Johnson Controls Illustra Essentials Gen 4 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-179-05 ∗∗∗ Yokogawa FAST/TOOLS and CI Server ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-179-03 ∗∗∗ Johnson Controls Illustra Essentials Gen 4 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-179-06 ∗∗∗ Local Privilege Escalation über MSI Installer in SoftMaker Office / FreeOffice ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/local-privilege-escal… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.06.2024
by Daily end-of-shift report 26 Jun '24

26 Jun '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 25-06-2024 18:00 − Mittwoch 26-06-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ New Medusa Android Trojan Targets Banking Users Across 7 Countries ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered an updated version of an Android banking trojan called Medusa that has been used to target users in Canada, France, Italy, Spain, Turkey, the U.K., and the U.S. --------------------------------------------- https://thehackernews.com/2024/06/new-medusa-android-trojan-targets.html ∗∗∗ New Credit Card Skimmer Targets WordPress, Magento, and OpenCart Sites ∗∗∗ --------------------------------------------- Multiple content management system (CMS) platforms like WordPress, Magento, and OpenCart have been targeted by a new credit card web skimmer called Caesar Cipher Skimmer. --------------------------------------------- https://thehackernews.com/2024/06/new-credit-card-skimmer-targets.html ∗∗∗ Vorsicht vor Jobbetrug auf dm-supermall.com ∗∗∗ --------------------------------------------- Vorsicht, wenn Sie für Ihren neuen Job, bei dm-supermall.com einkaufen müssen. Diese Plattform ist Teil einer Betrugsmasche. Der neue Job, bei dem Sie Online-Shops oder Dienstleistungen testen, ist betrügerisch. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-jobbetrug-auf-dm-superm… ∗∗∗ Attackers Exploiting Public Cobalt Strike Profiles ∗∗∗ --------------------------------------------- Unit 42 researchers examine how attackers use publicly available Malleable C2 profiles, examining their structure to reveal evasive techniques. --------------------------------------------- https://unit42.paloaltonetworks.com/attackers-exploit-public-cobalt-strike-… ∗∗∗ Buying a VPN? Here’s what to know and look for ∗∗∗ --------------------------------------------- VPNs are not all created equal – make sure to choose the right provider that will help keep your data safe from prying eyes. --------------------------------------------- https://www.welivesecurity.com/en/privacy/buying-vpn-what-know-look-for/ ===================== = Vulnerabilities = ===================== ∗∗∗ Snowblind malware abuses Android security feature to bypass security ∗∗∗ --------------------------------------------- A novel Android attack vector from a piece of malware tracked as Snowblind is abusing a security feature to bypass existing anti-tampering protections in apps that handle sensitive user data. --------------------------------------------- https://www.bleepingcomputer.com/news/security/snowblind-malware-abuses-and… ∗∗∗ A Novel DoS Vulnerability affecting WebRTC Media Servers ∗∗∗ --------------------------------------------- A critical denial-of-service (DoS) vulnerability has been identified in media servers that process WebRTC’s DTLS-SRTP, specifically in their handling of ClientHello messages. --------------------------------------------- https://www.rtcsec.com/article/novel-dos-vulnerability-affecting-webrtc-med… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (git, python3.11, and python3.9), Debian (chromium, emacs, git, linux-5.10, and org-mode), Fedora (libopenmpt, nginx-mod-modsecurity, and thunderbird), Mageia (emacs, python-ansible-core, and python-authlib), Oracle (git, python3.11, and python3.9), Red Hat (kernel, kernel-rt, and samba), and Ubuntu (ansible, cups, google-guest-agent, google-osconfig-agent, libheif, openvpn, roundcube, and salt). --------------------------------------------- https://lwn.net/Articles/979740/ ∗∗∗ Supply-Chain-Angriff gegen polyfill.js ∗∗∗ --------------------------------------------- Die populäre Javascript-Bibliothek polyfill.js, welche von Entwickler:innen verwendet wird, um alte Browserversionen zu unterstützen, wurde Opfer eines Supply-Chain-Angriffes beziehungsweise für einen solchen missbraucht. --------------------------------------------- https://www.cert.at/de/aktuelles/2024/6/supply-chain-angriff-gegen-polyfill… ∗∗∗ Jetzt patchen! Progress-MOVEit-Sicherheitslücken werden bereits angegriffen ∗∗∗ --------------------------------------------- Progress hat zwei kritische Lücken in MOVEit Gateway und Transfer gestopft. Eine davon missbrauchen Cyberkriminelle bereits. --------------------------------------------- https://heise.de/-9778266 ∗∗∗ Sicherheitslücke: Apple stoppt Bluetooth-Übernahme von AirPods und Beats-Geräten ∗∗∗ --------------------------------------------- Apple hat eine neue Firmware für verschiedene Kopfhörermodelle veröffentlicht, die eine problematische Lücke schließt. Das Update ist allerdings nicht einfach. --------------------------------------------- https://heise.de/-9778924 ∗∗∗ ZDI-24-882: VMware vCenter Server Appliance License Server Uncontrolled Memory Allocation Denial-of-Service Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-882/ ∗∗∗ Multiple Vulnerabilities in Siemens Power Automation Products (CP-8000/CP-8021/CP8-022/CP-8031/CP-8050/SICORE) ∗∗∗ --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.06.2024
by Daily end-of-shift report 25 Jun '24

25 Jun '24

===================== = End-of-Day report = ===================== Timeframe: Montag 24-06-2024 18:00 − Dienstag 25-06-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ NISG 2024 im Innenausschuss ∗∗∗ --------------------------------------------- Ich wurde eingeladen, am 19. Juni im Innenausschuss des Parlaments als Experte in einem Hearing zum NISG 2024 aufzutreten. Das war keine Vorladung zu einem Untersuchungsausschuss, die man kaum ausschlagen kann, sondern ein wirklich freiwilliger Termin. Ich war schon öfters beruflich im Parlament, aber bisher immer auf Einladung der Parlamentsdirektion: das hier war der erste Termin mit Mandataren. Die Illusion, mit diesem Auftritt irgendwas bewirken zu können, hatte ich nie. [..] In diesem Blogpost will ich kurz erklären, was ich kommunizieren wollte. --------------------------------------------- https://www.cert.at/de/blog/2024/6/nisg-2024-im-innenausschuss ∗∗∗ New attack uses MSC files and Windows XSS flaw to breach networks ∗∗∗ --------------------------------------------- A novel command execution technique dubbed GrimResource uses specially crafted MSC (Microsoft Saved Console) and an unpatched Windows XSS flaw to perform code execution via the Microsoft Management Console. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-grimresource-attack-uses… ∗∗∗ Kurioser Fehlalarm: Microsoft Defender stuft harmlose Textdatei als Trojaner ein ∗∗∗ --------------------------------------------- Der Microsoft Defender erkannte demnach eine einfache Textdatei mit dem Inhalt "This content is no longer available." (auf Deutsch: "Dieser Inhalt ist nicht mehr verfügbar.") als Trojaner – genauer gesagt als Trojan:Win32/Casdet!rfn. [..] wurde der Fehlalarm angeblich dadurch ausgelöst, dass jemand eine Textdatei mit dem bereits genannten Inhalt in die Malwaredatenbank von Microsoft aufgenommen hat. Inzwischen scheint der Konzern das Problem aber behoben zu haben ... --------------------------------------------- https://www.golem.de/news/kurioser-fehlalarm-microsoft-defender-stuft-harml… ∗∗∗ Atlas Oil: The Consequences of a Ransomware Attack ∗∗∗ --------------------------------------------- Overview Atlas Oil, a major player in the oil and fuel distribution industry, fell victim to a ransomware attack orchestrated by the Black Basta group. This attack not only compromised sensitive company data but also exposed a variety of documents that could potentially harm the company’s operations and reputation. Overall, Black Basta claims to have exfiltrated approximately 730 GB of data. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/atlas-oil-t… ∗∗∗ New Cyberthreat Boolka Deploying BMANAGER Trojan via SQLi Attacks ∗∗∗ --------------------------------------------- A previously undocumented threat actor dubbed Boolka has been observed compromising websites with malicious scripts to deliver a modular trojan codenamed BMANAGER. --------------------------------------------- https://thehackernews.com/2024/06/new-cyberthreat-boolka-deploying.html ∗∗∗ Recent Zyxel NAS Vulnerability Exploited by Botnet ∗∗∗ --------------------------------------------- A Mirai-like botnet has started exploiting a critical-severity vulnerability in discontinued Zyxel NAS products. Tracked as CVE-2024-29973, the issue is described as a code injection flaw that can be exploited remotely without authentication. It was introduced last year, when Zyxel patched CVE-2023-27992, a similar code injection bug. --------------------------------------------- https://www.securityweek.com/recent-zyxel-nas-vulnerability-exploited-by-bo… ∗∗∗ Falscher Ryanair-Support auf X ∗∗∗ --------------------------------------------- Wenn Sie Probleme mit Ihrem Ryanair-Flug haben, gibt es verschiedene Möglichkeiten, den Kundenservice zu erreichen. Eine Möglichkeit ist X (früher Twitter). Achten Sie bei der Kontaktaufnahme über X jedoch darauf, dass Sie eine Anfrage an das richtige Profil senden. Immer häufiger geben sich Kriminelle mit gefälschten Profilen als Ryanair Support aus, um Geld und Daten zu stehlen. --------------------------------------------- https://www.watchlist-internet.at/news/falscher-ryanair-support-auf-x/ ∗∗∗ Betrügerische Finanz-Online-SMS ∗∗∗ --------------------------------------------- Derzeit versenden Kriminelle wieder vermehrt gefälschte Nachrichten im Namen des Finanzamtes. Darin wird behauptet, dass Ihre Registrierung für die Finanz-Online ID abläuft und Sie Ihre Daten über einen Link erneuern sollen. Klicken Sie nicht auf den Link, Kriminelle stehlen Ihre persönlichen Daten! --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-finanz-online-sms/ ∗∗∗ Auth. Bypass In (Un)Limited Scenarios - Progress MOVEit Transfer (CVE-2024-5806) ∗∗∗ --------------------------------------------- Many sysadmins may remember last year’s CVE-2023-34362, a cataclysmic vulnerability in Progress MOVEit Transfer that sent ripples through the industry, claiming such high-profile victims as the BBC and FBI. [..] Today (25th June 2024), Progress un-embargoed an authentication bypass vulnerability in Progress MOVEit Transfer. --------------------------------------------- https://labs.watchtowr.com/auth-bypass-in-un-limited-scenarios-progress-mov… ∗∗∗ Grazer Lauschangriff braucht bloß TCP/IP - weder Malware noch Sicherheitslücke ∗∗∗ --------------------------------------------- Der SnailLoad genannte Lauschangriff gründet darauf, dass Downloads verschiedener Dateien Schwankungen der Paketlaufzeiten aufweisen (Round Trip Times, RTTs), und dass diese Schwankungen individuell sind, sofern dieselbe Datei vom selben Server auf demselben Netzwerkweg geladen wird. [..] Damit lässt sich ermitteln, welches Video oder welche Webseite ein User abruft. [..] Die Angriffe lassen sich von beliebigen Positionen im Internet führen, von denen aus sich IP-Pakete an das Opfer schicken lassen. --------------------------------------------- https://heise.de/-9775311 ∗∗∗ Wordpress: Fünf Plug-ins mit Malware unterwandert ∗∗∗ --------------------------------------------- In fünf Wordpress-Plug-ins haben IT-Sicherheitsforscher dieselbe eingeschleuste Malware entdeckt. --------------------------------------------- https://heise.de/-9777207 ===================== = Vulnerabilities = ===================== ∗∗∗ WordPress 6.5.5 Security Release – What You Need to Know ∗∗∗ --------------------------------------------- WordPress Core 6.5.5 was released yesterday, on June 24, 2023. Contained within this release are three security fixes addressing two Cross-Site Scripting (XSS) vulnerabilities and one Windows-specific Directory Traversal vulnerability. Despite these vulnerabilities being medium-severity, the worst of them (specifically, the XSS vulnerabilities) can allow for site takeover by an authenticated, contributor-level user if successfully exploited. --------------------------------------------- https://www.wordfence.com/blog/2024/06/wordpress-6-5-5-security-release-wha… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (python3.11), Debian (composer), Fedora (thunderbird), Mageia (chromium-browser-stable, python-aiohttp, python-gunicorn, python-werkzeug, and virtualbox), Oracle (libreswan and python3.11), Red Hat (git, kpatch-patch, python3.11, python3.9, and thunderbird), and SUSE (avahi, ghostscript, grafana and mybatis, hdf5, kernel, openssl-1_1-livepatches, python-docker, and wget). --------------------------------------------- https://lwn.net/Articles/979606/ ∗∗∗ Cloud Software Group Security Advisory for CVE-2024-3661 ∗∗∗ --------------------------------------------- This vulnerability may allow an attacker on the same local network as the victim to read, disrupt, or modify network traffic expected to be protected by the VPN. [..] CTX677069 NewCloud Software Group Security Advisory for CVE-2024-3661 [..] Applicable Products : NetScaler, NetScaler Gateway --------------------------------------------- https://support.citrix.com/article/CTX677069/cloud-software-group-security-… ∗∗∗ ABB: 2024-06-25: Cyber Security Advisory -ABB PCM600 Installer Vulnerability ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=2NGA002251&Language… ∗∗∗ ABB Ability System 800xA ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-177-01 ∗∗∗ PTC Creo Elements/Direct License Server ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-177-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.06.2024
by Daily end-of-shift report 24 Jun '24

24 Jun '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 21-06-2024 18:00 − Montag 24-06-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Ratel RAT targets outdated Android phones in ransomware attacks ∗∗∗ --------------------------------------------- An open-source Android malware named Ratel RAT is widely deployed by multiple cybercriminals to attack outdated devices, some aiming to lock them down with a ransomware module that demands payment on Telegram. [..] As for the targets, Check Point mentions successful targeting of high-profile organizations, including in government and the military sector, with most victims being from the United States, China, and Indonesia. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ratel-rat-targets-outdated-a… ∗∗∗ Supply Chain Attack on WordPress.org Plugins Leads to 5 Maliciously Compromised WordPress Plugins ∗∗∗ --------------------------------------------- On Monday June 24th, 2024 the Wordfence Threat Intelligence team became aware of a plugin, Social Warfare, that was injected with malicious code on June 22, 2024 based on a forum post by the WordPress.org Plugin Review team. [..] We then reached out to the WordPress plugins team to alert them about the four additional plugins but have not yet received a response, though it appears the plugins have been delisted. [..] At this stage, we know that the injected malware attempts to create a new administrative user account and then sends those details back to the attacker-controlled server. --------------------------------------------- https://www.wordfence.com/blog/2024/06/supply-chain-attack-on-wordpress-org… ∗∗∗ Facebook PrestaShop module exploited to steal credit cards ∗∗∗ --------------------------------------------- Hackers are exploiting a flaw in a premium Facebook module for PrestaShop named pkfacebook to deploy a card skimmer on vulnerable e-commerce sites and steal peoples payment credit card details. [..] Analysts at TouchWeb discovered the flaw on March 30, 2024, but Promokit.eu said the flaw was fixed "a long time ago," without providing any proof. --------------------------------------------- https://www.bleepingcomputer.com/news/security/facebook-prestashop-module-e… ∗∗∗ XZ backdoor: Hook analysis ∗∗∗ --------------------------------------------- In our first article on the XZ backdoor, we analyzed its code from initial infection to the function hooking it performs. As we mentioned then, its initial goal was to successfully hook one of the functions related to RSA key manipulation. In this article, we will focus on the backdoor’s behavior inside OpenSSH, specifically OpenSSH portable version 9.7p1 – the most recent version at this time. --------------------------------------------- https://securelist.com/xz-backdoor-part-3-hooking-ssh/113007/ ∗∗∗ Sysinternals Process Monitor Version 4 Released, (Sat, Jun 22nd) ∗∗∗ --------------------------------------------- These releases bring improvements to performance and the user interface. --------------------------------------------- https://isc.sans.edu/diary/rss/31026 ∗∗∗ Critical RCE Vulnerability Discovered in Ollama AI Infrastructure Tool ∗∗∗ --------------------------------------------- Cybersecurity researchers have detailed a now-patch security flaw affecting the Ollama open-source artificial intelligence (AI) infrastructure platform that could be exploited to achieve remote code execution. Tracked as CVE-2024-37032, the vulnerability has been codenamed Probllama by cloud security firm Wiz. --------------------------------------------- https://thehackernews.com/2024/06/critical-rce-vulnerability-discovered.html ∗∗∗ Deye Wechselrichter: Cloud Account zeigt fremde Anlagen-/Kundendaten an ∗∗∗ --------------------------------------------- In deutschen Objekten dürften einige Balkonkraftwerke und auch fest installierte Solaranlagen arbeiten, bei denen Wechselrichter des chinesischen Herstellers Deye verwendet werden. [..] Ein Leser hat mich bereits im Mai 2024 mit einem anderen Problem konfrontiert. Er konnte die Anlagendaten einer ihm komplett unbekannten Person einsehen. [..] Der Leser hat die deutsche Dependance kontaktiert [..] Die Reaktion hat den Leser erstaunt, denn als er den Hersteller auf den Bug hinwies, habe dieser das bezweifelt. [..] Generöser Weise bot Deye dem Betroffenen an, zu helfen, die zweite Anlage aus dem Benutzerkonto auszutragen. --------------------------------------------- https://www.borncity.com/blog/2024/06/24/deye-wechselrichter-cloud-account-… ∗∗∗ Horror auf dem Vision Pro: Exploit schleust Spinnen und Fledermäuse in den Raum ∗∗∗ --------------------------------------------- Damit der Angriff gelingt, muss der Vision-Pro-Nutzer lediglich eine präparierte Webseite aufrufen. Der Raum füllt sich daraufhin mit gruseligen Tierchen, inklusive Sound. --------------------------------------------- https://www.golem.de/news/horror-auf-der-vision-pro-exploit-schleust-spinne… ===================== = Vulnerabilities = ===================== ∗∗∗ Multiple Vulnerabilities allowing complete bypass in Faronics WINSelect (Standard + Enterprise) ∗∗∗ --------------------------------------------- The product WINSelect from Faronics is used to restrict the possible actions of users on a system and can even be used to implement a Kiosk mode. Due to hardcoded credentials and an unfitting application architecture an attacker could decrypt the configuration file and retrieve the password which is used to configure the software. Thus, an attacker could completely disable the software. [..] The vendor provides a patched version 8.30.xx.903 since May 2024 [..] Since the hardcoded password for the encryption is not fixed, we ask if this will be addressed as well. Vendor responds that this will be addressed in a future release. --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (ipa and libreswan), Debian (netty), Fedora (python-PyMySQL, tomcat, and webkitgtk), Gentoo (Flatpak, GLib, JHead, LZ4, and RDoc), Mageia (thunderbird), Oracle (nghttp2 and thunderbird), Red Hat (dnsmasq, libreswan, pki-core, and python3.11), Slackware (emacs), SUSE (gnome-settings-daemon, libarchive, qpdf, vte, and wget), and Ubuntu (libhibernate3-java). --------------------------------------------- https://lwn.net/Articles/979520/ ∗∗∗ CosmicSting: Schwachstelle CVE-2024-34102 gefährdet Adobe Commerce- und Magento-Shops ∗∗∗ --------------------------------------------- Seit Mitte des Monats ist bekannt, dass in Adobe Commerce- und Magento-Online-Shops die Schwachstelle CVE-2024-34102 existiert. Zusammen mit einer Linux-Schwachstelle lassen sich Tausende Shops durch Angreifer übernehmen. Es gibt seit einigen Tagen einen Fix, aber ein Großteil der Online-Shops läuft noch mit ungepatchten Versionen. --------------------------------------------- https://www.borncity.com/blog/2024/06/24/cosmicsting-schwachstelle-cve-2024… ∗∗∗ Vulnerability Summary for the Week of June 17, 2024 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/bulletins/sb24-176 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.06.2024
by Daily end-of-shift report 21 Jun '24

21 Jun '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 20-06-2024 18:00 − Freitag 21-06-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Linux version of RansomHub ransomware targets VMware ESXi VMs ∗∗∗ --------------------------------------------- The RansomHub ransomware operation is using a Linux encryptor designed specifically to encrypt VMware ESXi environments in corporate attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/linux-version-of-ransomhub-r… ∗∗∗ Qilin: We knew our Synnovis attack would cause a healthcare crisis at London hospitals ∗∗∗ --------------------------------------------- The ransomware gang responsible for a healthcare crisis at London hospitals says it has no regrets about its cyberattack, which was entirely deliberate, it told The Register in an interview. --------------------------------------------- https://www.theregister.com/2024/06/20/qilin_our_plan_was_to/ ∗∗∗ LLMNR – das oft vergessene Einfallstor ins Netzwerk ∗∗∗ --------------------------------------------- LLMNR dient zur Namensauflösung in lokalen Netzwerken, wenn kein Domain Name System (DNS) vorhanden ist – was heutzutage so gut wie nie vorkommt. Da LLMNR keine Sicherheitsmechanismen enthält, lässt es sich sehr leicht für Angriffe missbrauchen. --------------------------------------------- https://www.syss.de/pentest-blog/llmnr-das-oft-vergessene-einfallstor-ins-n… ∗∗∗ Meine Gesundheitsdaten wurden gestohlen. Was nun? ∗∗∗ --------------------------------------------- Gesundheitsdaten bleiben weiterhin ein begehrtes Ziel für Hacker. Gelangen sie – warum auch immer – in fremde Hände, sollten Sie diese Schritte befolgen, um den Schaden zu minimieren. --------------------------------------------- https://www.welivesecurity.com/de/privatsphare/meine-gesundheitsdaten-wurde… ∗∗∗ SneakyChef espionage group targets government agencies with SugarGh0st and more infection techniques ∗∗∗ --------------------------------------------- Cisco Talos recently discovered an ongoing campaign from SneakyChef, a newly discovered threat actor using SugarGh0st malware, as early as August 2023. --------------------------------------------- https://blog.talosintelligence.com/sneakychef-sugarghost-rat/ ∗∗∗ Worldwide 2023 Email Phishing Statistics and Examples ∗∗∗ --------------------------------------------- Explore the need for going beyond built-in Microsoft 365 and Google Workspace™ security based on email threats detected in 2023. --------------------------------------------- https://www.trendmicro.com/en_us/ciso/23/e/worldwide-email-phishing-stats-e… ∗∗∗ CISA Releases Guidance on Single Sign-On (SSO) Adoption for Small and Medium-Sized Businesses: (SMBs) ∗∗∗ --------------------------------------------- Today, CISA released Barriers to Single Sign-On (SSO) Adoption for Small and Medium-Sized Businesses: Identifying Challenges and Opportunities, a detailed report exploring challenges to SSO adoption by small and medium-sized businesses (SMBs). --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/06/20/cisa-releases-guidance-s… ∗∗∗ Cybercrime: Datenlecks bei Apple und T-Mobile, Gerüchte über Jira-Exploit ∗∗∗ --------------------------------------------- Ein bekannter Cyberkrimineller versucht interne Daten aus Apples und T-Mobiles Beständen sowie Schadcode für Jira zu Geld zu machen. Ein Unternehmen dementiert. --------------------------------------------- https://heise.de/-9771149 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (ghostscript and thunderbird), Debian (chromium, composer, libndp, and sendmail), Fedora (composer), Mageia (flatpak and python-scikit-learn), Red Hat (curl, ghostscript, and thunderbird), SUSE (hdf5 and opencc), and Ubuntu (gdb and php7.4, php8.1, php8.2, php8.3). --------------------------------------------- https://lwn.net/Articles/979153/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (firefox, ghostscript, idm:DL1, and thunderbird), Debian (php8.2 and putty), Mageia (chromium-browser-stable), Oracle (ghostscript and thunderbird), Red Hat (thunderbird), and SUSE (containerd, kernel, php-composer2, podofo, python-cryptography, and rmt-server). --------------------------------------------- https://lwn.net/Articles/979257/ ∗∗∗ 2024-06-21: Cyber Security Advisory -System 800xA SECURITY Advisory - ABB 800xA Base 6.0.x, 6.1.x CSLib communication DoS vulnerability ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=7PAA013309&Language… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.06.2024
by Daily end-of-shift report 20 Jun '24

20 Jun '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 19-06-2024 18:00 − Donnerstag 20-06-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ SolarWinds Serv-U path-traversal flaw actively exploited in attacks ∗∗∗ --------------------------------------------- Threat actors are actively exploiting a SolarWinds Serv-U path-traversal vulnerability, leveraging publicly available proof-of-concept (PoC) exploits. [..] The vulnerability, CVE-2024-28995, is a high-severity directory traversal flaw, allowing unauthenticated attackers to read arbitrary files from the filesystem by crafting specific HTTP GET requests. [..] SolarWinds released the 15.4.2 Hotfix 2, version 15.4.2.157, on June 5, 2024, to address this vulnerability by introducing improved validation mechanisms. --------------------------------------------- https://www.bleepingcomputer.com/news/security/solarwinds-serv-u-path-trave… ∗∗∗ No Excuses, Free Tools to Help Secure Authentication in Ubuntu Linux [Guest Diary], (Thu, Jun 20th) ∗∗∗ --------------------------------------------- Being in the IT and cybersecurity world it seems the costs of controls keeps going up and up. With all the new flashy tools coming out daily it’s easy to forget that there are tons of free tools that can be just as effective at stopping attacks. --------------------------------------------- https://isc.sans.edu/diary/rss/31024 ∗∗∗ Researchers Uncover UEFI Vulnerability Affecting Multiple Intel CPUs ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed details of a now-patched security flaw in Phoenix SecureCore UEFI firmware that affects multiple families of Intel Core desktop and mobile processors. Tracked as CVE-2024-0762 (CVSS score: 7.5), the "UEFIcanhazbufferoverflow" vulnerability has been described as a case of a buffer overflow stemming from the use of an unsafe variable in the Trusted Platform Module (TPM) configuration that could result in the execution of malicious code. --------------------------------------------- https://thehackernews.com/2024/06/researchers-uncover-uefi-vulnerability.ht… ∗∗∗ Fickle Stealer Distributed via Multiple Attack Chain ∗∗∗ --------------------------------------------- This article summarizes the details of this campaign, roughly dividing the attack chain into three stages: Delivery, Preparatory Work, and Packer and Stealer Payload. --------------------------------------------- https://feeds.fortinet.com/~/899735243/0/fortinet/blogs~Fickle-Stealer-Dist… ∗∗∗ A Traveler’s Guide to Cybersecurity ∗∗∗ --------------------------------------------- In this Q&A with Jonas Walker, a Security Strategist with Fortinet’s FortiGuard Labs, he offers his insight into how to stay safe and avoid attacks from threat actors while traveling in today’s cyber world. --------------------------------------------- https://feeds.fortinet.com/~/701705230/0/fortinet/blogs~A-Traveler%e2%80%99… ∗∗∗ BSI warnt vor angreifbaren Codeschmuggel-Lecks in tausenden Exchange-Servern ∗∗∗ --------------------------------------------- Das BSI schreibt, dass mehr als 18.000 Exchange-Server einen offenen Outlook-Web-Access anbieten und für eine oder sogar mehrere Codeschmuggel-Lücken anfällig seien. --------------------------------------------- https://heise.de/-9770441 ===================== = Vulnerabilities = ===================== ∗∗∗ D-Link: Versteckte Backdoor in 16 Routermodellen entdeckt ∗∗∗ --------------------------------------------- Angreifer können aus der Ferne den Telnet-Dienst betroffener D-Link-Router aktivieren. Auch die Admin-Zugangsdaten sind offenbar in der Firmware hinterlegt. --------------------------------------------- https://www.golem.de/news/d-link-versteckte-backdoor-in-16-routermodellen-e… ∗∗∗ Sicherheitslücken: Attacken auf Atlassian Confluence & Co. möglich ∗∗∗ --------------------------------------------- Sicherheitslücken bedrohen mehrere Anwendungen von Atlassian. Angreifer können Abstürze auslösen oder unbefugt Daten einsehen. [..] Wie aus einer Warnmeldung hervorgeht, haben die Entwickler insgesamt neun Schwachstellen geschlossen, die alle mit dem Bedrohungsgrad "hoch" eingestuft sind. --------------------------------------------- https://heise.de/-9770453 ∗∗∗ Arbitrary File Upload in edu-sharing (metaVentis GmbH) ∗∗∗ --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/arbitrary-file-upload-in… ∗∗∗ Sonicwall: Heap-based buffer overflow vulnerability in SonicOS SSL-VPN ∗∗∗ --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0009 ∗∗∗ Sonicwall: Stack-based buffer overflow vulnerability in SonicOS HTTP server ∗∗∗ --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0008 ∗∗∗ CAREL Boss-Mini ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-172-02 ∗∗∗ Westermo L210-F2G ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-172-03 ∗∗∗ Yokogawa CENTUM ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-172-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.06.2024
by Daily end-of-shift report 19 Jun '24

19 Jun '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 18-06-2024 18:00 − Mittwoch 19-06-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ ONNX phishing service targets Microsoft 365 accounts at financial firms ∗∗∗ --------------------------------------------- A new phishing-as-a-service (PhaaS) platform called ONNX Store is targeting Microsoft 365 accounts for employees at financial firms using QR codes in PDF attachments. --------------------------------------------- https://www.bleepingcomputer.com/news/security/onnx-phishing-service-target… ∗∗∗ Re-moo-te Code Execution in Mailcow: Always Sanitize Error Messages ∗∗∗ --------------------------------------------- Mailcow is an easy-to-use email solution that can be set up in minutes. [..] In this blog post, we will cover the code intricacies that led to the vulnerabilities. We will first go over the details of the XSS vulnerability and then explore the Path Traversal flaw. We will also cover how the mailcow maintainers have tackled these issues and give advice on how to avoid such vulnerabilities in your code. [..] They have been fixed in mailcow 2024-04 and seem to have existed for at least three years. --------------------------------------------- https://www.sonarsource.com/blog/remote-code-execution-in-mailcow-always-sa… ∗∗∗ Sicherheitslücke: Phisher können E-Mails im Namen von Microsoft verschicken ∗∗∗ --------------------------------------------- Durch die Schwachstelle lassen sich E-Mails beispielsweise mit security(a)microsoft.com als Absender übermitteln. [..] Wie aus einem Bericht von Techcrunch hervorgeht, funktioniert das Spoofing nur beim Mail-Versand an Outlook-Konten, womit jedoch weltweit mehrere Hundert Millionen Nutzer betroffen sind. [..] Technische Details nannte der Forscher aus Sicherheitsgründen bisher nicht. [..] Wann das Spoofing-Problem behoben sein wird, bleibt jedoch weiterhin offen. --------------------------------------------- https://www.golem.de/news/sicherheitsluecke-phisher-koennen-e-mails-im-name… ∗∗∗ Vorsicht vor gefälschten BAWAG-Nachrichten ∗∗∗ --------------------------------------------- Kriminelle versenden derzeit betrügerische SMS-Nachrichten im Namen der BAWAG. Darin wird behauptet, dass eine IP-Adresse aus Schweden Ihre App aktiviert hat. Wenn dies nicht Sie waren, werden Sie aufgefordert, auf einen Link zu klicken. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-gefaelschten-bawag-nach… ∗∗∗ IT-Sicherheitsforscher warnen vor neuer Angriffstechnik über die Zwischenablage ∗∗∗ --------------------------------------------- ClearFake ist ein bösartiges JavaScript-Framework, das auf kompromittierten Websites eingesetzt wird, um mittels Drive-by-Download-Technik weitere Malware zu verbreiten. Dabei erhalten die Opfer eine Fehlermeldung, die vorgibt, von einer vertrauenswürdigen Quelle wie dem Betriebssystem zu stammen. Sie suggeriert ein Problem und liefert gleichzeitig eine Lösung in Form eines PowerShell-Befehls, den das Opfer nur noch kopieren und ausführen muss. --------------------------------------------- https://heise.de/-9768750 ∗∗∗ 20 Prozent der Microsoft SQL Server läuft trotz End of Life ∗∗∗ --------------------------------------------- Ein Fünftel der SQL-Server-Instanzen läuft mit veralteten Versionen. Ab nächsten Monat könnten es mit SQL Server 2014 sogar ein Drittel werden. --------------------------------------------- https://heise.de/-9769490 ===================== = Vulnerabilities = ===================== ∗∗∗ Juniper: On Demand: JSA Series: Multiple vulnerabilities resolved in Juniper Secure Analytics in 7.5.0 UP8 IF03 ∗∗∗ --------------------------------------------- Multiple vulnerabilities have been resolved in 7.5.0 UP8 IF03. These issues affect Juniper Networks Juniper Secure Analytics: Severity Critical --------------------------------------------- https://supportportal.juniper.net/s/article/On-Demand-JSA-Series-Multiple-v… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (container-tools, firefox, and flatpak), Debian (composer, roundcube, and thunderbird), Fedora (kitty and webkitgtk), Oracle (container-tools and flatpak), Red Hat (flatpak and java-1.8.0-ibm), SUSE (gdcm, gdk-pixbuf, libarchive, libzypp, zypper, ntfs-3g_ntfsprogs, openssl-1_1, openssl-3, podman, python-Werkzeug, and thunderbird), and Ubuntu (git, linux-hwe-6.5, mariadb, mariadb-10.6, and thunderbird). --------------------------------------------- https://lwn.net/Articles/978907/ ∗∗∗ Paradox IP150 Internet Module Cross-Site Request Forgery ∗∗∗ --------------------------------------------- The Paradox IP150 Internet Module in version 1.40.00 is vulnerable to Cross-Site Request Forgery (CSRF) attacks due to a lack of countermeasures and the use of the HTTP method `GET` to introduce changes in the system. [..] We are not aware of a vendor fix yet. --------------------------------------------- https://github.com/sbaresearch/advisories/commit/9b61d7e591aa320b9ecedd6701… ∗∗∗ Multiple vulnerabilities in Ricoh Streamline NX PC Client ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN00442488/ ∗∗∗ Multiple vulnerabilities in ID Link Manager and FUJITSU Software TIME CREATOR ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN65171386/ ∗∗∗ Huawei: Security Advisory - Path Traversal Vulnerability in Huawei Home Music System ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2024/huawei-sa-ptvihhms-… ∗∗∗ Huawei: Security Advisory - Connection Hijacking Vulnerability in Some Huawei Home Routers ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2024/huawei-sa-chvishhr-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.06.2024
by Daily end-of-shift report 18 Jun '24

18 Jun '24

===================== = End-of-Day report = ===================== Timeframe: Montag 17-06-2024 18:02 − Dienstag 18-06-2024 18:02 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Hackers use F5 BIG-IP malware to stealthily steal data for years ∗∗∗ --------------------------------------------- A group of suspected Chinese cyberespionage actors named Velvet Ant are deploying custom malware on F5 BIG-IP appliances to gain a persistent connection to the internal network and steal data. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-use-f5-big-ip-malwar… ∗∗∗ Analysis of user password strength ∗∗∗ --------------------------------------------- Kaspersky experts conducted a study of password resistance to attacks that use brute force and smart guessing techniques. --------------------------------------------- https://securelist.com/passworde-brute-force-time/112984/ ∗∗∗ New Malware Targets Exposed Docker APIs for Cryptocurrency Mining ∗∗∗ --------------------------------------------- Cybersecurity researchers have uncovered a new malware campaign that targets publicly exposed Docket API endpoints with the aim of delivering cryptocurrency miners and other payloads. --------------------------------------------- https://thehackernews.com/2024/06/new-malware-targets-exposed-docker-apis.h… ∗∗∗ From Clipboard to Compromise: A PowerShell Self-Pwn ∗∗∗ --------------------------------------------- Proofpoint has observed an increase in a technique leveraging unique social engineering that directs users to copy and paste malicious PowerShell scripts to infect their computers with malware. --------------------------------------------- https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powe… ∗∗∗ Exfiltrate sensitive user data from apps on Android 12 and 13 using CVE-2024-0044 vulnerability ∗∗∗ --------------------------------------------- With physical access to Android device with enabled ADB debugging running Android 12 or 13 before receiving March 2024 security patch, it is possible to access internal data of any user installed app by misusing CVE-2024-0044 vulnerability. --------------------------------------------- https://www.mobile-hacker.com/2024/06/17/exfiltrate-sensitive-user-data-fro… ∗∗∗ Achtung Fake: doouglasparfum.com ∗∗∗ --------------------------------------------- In professionell wirkenden Online-Shops von Douglas werden aktuell Markenparfüms um mehr als 50 Prozent billiger angeboten. Sogar die Internetadressen doouglasparfum.com oder dougllas.com erscheinen zunächst plausibel. Wer in diesen Fake-Shops einkauft verliert aber Geld und erhält keine Ware. --------------------------------------------- https://www.watchlist-internet.at/news/achtung-fake-doouglasparfumcom/ ∗∗∗ Attack Paths Into VMs in the Cloud ∗∗∗ --------------------------------------------- Virtual machines (VMs) are a significant attack target. Focusing on three major CSPs, this research summarizes the conditions for possible VM attack paths. --------------------------------------------- https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/ ∗∗∗ Private Microsoft Outlook-Mailkonten sollen besser abgesichert werden ∗∗∗ --------------------------------------------- Microsoft hat vor einigen Tagen eine Ankündigung gemacht, dass man "Outlook für private Nutzer" in Zukunft besser absichern will. --------------------------------------------- https://www.borncity.com/blog/2024/06/18/private-microsoft-outlook-mailkont… ∗∗∗ How are attackers trying to bypass MFA? ∗∗∗ --------------------------------------------- Exploring trends on how attackers are trying to manipulate and bypass MFA, as well as when/how attackers will try their push-spray MFA attacks --------------------------------------------- https://blog.talosintelligence.com/how-are-attackers-trying-to-bypass-mfa/ ∗∗∗ Malvertising Campaign Leads to Execution of Oyster Backdoor ∗∗∗ --------------------------------------------- Rapid7 has observed a recent malvertising campaign that lures users into downloading malicious installers for popular software such as Google Chrome and Microsoft Teams. --------------------------------------------- https://www.rapid7.com/blog/post/2024/06/17/malvertising-campaign-leads-to-… ∗∗∗ Cloaked and Covert: Uncovering UNC3886 Espionage Operations ∗∗∗ --------------------------------------------- Following the discovery of malware residing within ESXi hypervisors in September 2022, Mandiant began investigating numerous intrusions conducted by UNC3886, a suspected China-nexus cyber espionage actor that has targeted prominent strategic organizations on a global scale. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886… ∗∗∗ CISA and Partners Release Guidance for Modern Approaches to Network Access Security ∗∗∗ --------------------------------------------- Today, CISA, in partnership with the Federal Bureau of Investigation (FBI), released guidance, Modern Approaches to Network Access Security. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/06/18/cisa-and-partners-releas… ∗∗∗ New Diamorphine rootkit variant seen undetected in the wild ∗∗∗ --------------------------------------------- Diamorphine is a well-known Linux kernel rootkit that supports different Linux kernel versions (2.6.x, 3.x, 4.x, 5.x and 6.x) and processor architectures (x86, x86_64 and ARM64). Briefly stated, when loaded, the module becomes invisible and hides all the files and folders starting with the magic prefix chosen by the attacker at compilation time. --------------------------------------------- https://decoded.avast.io/davidalvarez/new-diamorphine-rootkit-variant-seen-… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (php7.3), Fedora (galera, ghostscript, and mariadb), Mageia (cups, iperf, and libndp), Oracle (firefox and flatpak), Red Hat (container-tools:rhel8, Firefox, firefox, and flatpak), SUSE (booth, bouncycastle, firefox, ghostscript, less, libaom, openssl-1_1, openssl-3, podman, python-Authlib, python-requests, python-Werkzeug, webkit2gtk3, and xdg-desktop-portal), and Ubuntu (ghostscript, ruby-rack, ruby2.7, ruby3.0, ruby3.1, ruby3.2, and sssd). --------------------------------------------- https://lwn.net/Articles/978804/ ∗∗∗ Sicherheitsupdates: Root-Lücke bedroht VMware vCenter Server ∗∗∗ --------------------------------------------- Unter anderem zwei kritische Schwachstelle bedrohen vCenter Server und Cloud Foundation von VMware. --------------------------------------------- https://heise.de/-9767493 ∗∗∗ Python-based exploit in Autodesk Maya software ∗∗∗ --------------------------------------------- https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0011 ∗∗∗ Kritische Schwachstelle CVE-2024-38428 in wget ∗∗∗ --------------------------------------------- https://www.borncity.com/blog/2024/06/18/kritische-schwachstelle-cve-2024-3… ∗∗∗ RAD Data Communications SecFlow-2 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-170-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.06.2024
by Daily end-of-shift report 17 Jun '24

17 Jun '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 14-06-2024 18:00 − Montag 17-06-2024 18:02 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ New Linux malware is controlled through emojis sent from Discord ∗∗∗ --------------------------------------------- The malware is similar to many other backdoors/botnets used in different attacks, allowing threat actors to execute commands, take screenshots, steal files, deploy additional payloads, and search for files. However, its use of Discord and emojis as a command and control (C2) platform makes the malware stand out from others and could allow it to bypass security software that looks for text-based commands. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-linux-malware-is-control… ∗∗∗ New ARM TIKTAG attack impacts Google Chrome, Linux systems ∗∗∗ --------------------------------------------- A new speculative execution attack named "TIKTAG" targets ARMs Memory Tagging Extension (MTE) to leak data with over a 95% chance of success, allowing hackers to bypass the security feature. [..] Leaking those tags does not directly expose sensitive data such as passwords, encryption keys, or personal information. However, it can theoretically allow attackers to undermine the protections provided by MTE, rendering the security system ineffective against stealthy memory corruption attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-arm-tiktag-attack-impact… ∗∗∗ Ransomware Roundup – Shinra and Limpopo Ransomware ∗∗∗ --------------------------------------------- he Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants. --------------------------------------------- https://www.fortinet.com/blog/threat-research/ransomware-roundup-shinra-and… ∗∗∗ Ivanti Endpoint Manager: Exploit für kritische Lücke aufgetaucht ∗∗∗ --------------------------------------------- Ende Mai wurden teils kritische Sicherheitslücken in Ivantis Endpoint Manager (EPM) bekannt. Inzwischen haben IT-Sicherheitsforscher einen Proof-of-Concept-Exploit für eine davon veröffentlicht. --------------------------------------------- https://heise.de/-9765685 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (389-ds-base, buildah, c-ares, cockpit, containernetworking-plugins, fence-agents, gdk-pixbuf2, gvisor-tap-vsock, libreoffice, podman, python-idna, rpm-ostree, and ruby), Debian (atril, chromium, ffmpeg, libndp, libvpx, nano, plasma-workspace, pymongo, roundcube, sendmail, and thunderbird), Fedora (booth and thunderbird), Mageia (aom, atril, libvpx, nano, nss, firefox, and vte), Red Hat (linux-firmware), SUSE (bind, booth, mariadb, openssl-1_1, php7, php8, and webkit2gtk3), and Ubuntu (linux-azure, linux-azure-fde, linux-azure, linux-gke, and linux-nvidia-6.5). --------------------------------------------- https://lwn.net/Articles/978709/ ∗∗∗ Sicherheitsupdates: Angreifer können Asus-Router kompromittieren ∗∗∗ --------------------------------------------- Mehrere WLAN-Router von Asus sind verwundbar und Angreifer können auf sie zugreifen. Updates lösen mehrere Sicherheitsprobleme. [..] Wie aus dem Sicherheitsbereich der Asus-Website hervorgeht, sind von der „kritischen“ Schwachstelle (CVE-2024-3080) die WLAN-Router-Modelle RT-AC68U, RTAC86U, RT-AX57, RT-AX58U, RT-AX88U, XT8_V2 und XT8 betroffen. --------------------------------------------- https://heise.de/-9765067 ∗∗∗ Nextcloud: Angreifer können Zwei-Faktor-Authentifizierung umgehen ∗∗∗ --------------------------------------------- Die Clouddienst-Software Nextcloud ist verwundbar. In aktuellen Versionen haben die Entwickler mehrere Sicherheitslücken geschlossen. [..] Am gefährlichsten gelten zwei Lücken in Nextcloud und Nextcloud Enterprise. An diesen Stellen können Angreifer die Rechte von Freigaben ausweiten (CVE-2024-37882 "hoch") oder die Zwei-Faktor-Authentifizierung umgehen (CVE-2024-37313 "hoch"). Wie solche Attacken ablaufen könnten, führen die Entwickler derzeit nicht aus. --------------------------------------------- https://heise.de/-9766062 ∗∗∗ Vulnerability Summary for the Week of June 10, 2024 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/bulletins/sb24-169 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily June 2024