Daily July 2024

daily@lists.cert.at

1 participants
23 discussions

Tageszusammenfassung - 03.07.2024
by Daily end-of-shift report 03 Jul '24

03 Jul '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 02-07-2024 18:00 − Mittwoch 03-07-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ Europol takes down 593 Cobalt Strike servers used by cybercriminals ∗∗∗ --------------------------------------------- Europol coordinated a joint law enforcement action known as Operation Morpheus, which led to the takedown of almost 600 Cobalt Strike servers used by cybercriminals to infiltrate victims networks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/europol-takes-down-593-cobal… ∗∗∗ Cyberangriff: Hacker erbeuten Daten von TÜV Rheinland ∗∗∗ --------------------------------------------- Einer Ransomwarebande ist es gelungen, in ein Schulungsnetzwerk des TÜV Rheinland einzudringen. Dabei sind womöglich Zugangsdaten abgeflossen. --------------------------------------------- https://www.golem.de/news/cyberangriff-hacker-erbeuten-daten-von-tuev-rhein… ∗∗∗ South Korean ERP Vendors Server Hacked to Spread Xctdoor Malware ∗∗∗ --------------------------------------------- An unnamed South Korean enterprise resource planning (ERP) vendors product update server has been found to be compromised to deliver a Go-based backdoor dubbed Xctdoor.The AhnLab Security Intelligence Center (ASEC), which identified .. --------------------------------------------- https://thehackernews.com/2024/07/south-korean-erp-vendors-server-hacked.ht… ∗∗∗ Hijacked: How hacked YouTube channels spread scams and malware ∗∗∗ --------------------------------------------- Here's how cybercriminals go after YouTube channels and use them as conduits for fraud – and what you should watch out for when watching videos on the platform. --------------------------------------------- https://www.welivesecurity.com/en/scams/hijacked-hacked-youtube-channels-sc… ∗∗∗ LockBit claims cyberattack on Croatia’s largest hospital ∗∗∗ --------------------------------------------- The LockBit ransomware gang has claimed responsibility for a cyberattack on Croatia’s largest hospital, which forced it to shut down IT systems for a day. The group claims to have gained access to patient and employee information, medical records, organ and donor data and contracts signed with external companies. --------------------------------------------- https://therecord.media/lockbit-claims-cyberattack-croatia-hospital ∗∗∗ Wurde der Blog von Qualys gehackt? (2. Juli 2024) ∗∗∗ --------------------------------------------- Kurze Information zu Qualys, ein Technologieunternehmen mit Dienstleistungsangeboten im Bereich Cloud-Sicherheit und Compliance. Es steht die Frage im Raum, ob die mit ihrem Blog womöglich gehackt wurden. --------------------------------------------- https://www.borncity.com/blog/2024/07/03/wurde-der-blog-von-qualys-gehackt-… ∗∗∗ Cisco NX-OS: Update gegen seit April angegriffene Sicherheitslücke ∗∗∗ --------------------------------------------- Im Cisco NX-OS mehrerer Nexus- und MDS-Switches wird eine Sicherheitslücke bereits seit April angegriffen. Jetzt stellt Cisco ein Update bereit. --------------------------------------------- https://heise.de/-9787532 ===================== = Vulnerabilities = ===================== ∗∗∗ Vulnerabilities in PanelView Plus devices could lead to remote code execution ∗∗∗ --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2024/07/02/vulnerabilities-in… ∗∗∗ Unpatched RCE Vulnerabilities in Gogs: Argument Injection in the Built-In SSH Server ∗∗∗ --------------------------------------------- https://www.sonarsource.com/blog/securing-developer-tools-unpatched-code-vu… ∗∗∗ Remote Unauthenticated Code Execution Vulnerability in OpenSSH Server (regreSSHion): July 2024 ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ [R1] Tenable Identity Exposure Version 3.59.5 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2024-11 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.07.2024
by Daily end-of-shift report 02 Jul '24

02 Jul '24

===================== = End-of-Day report = ===================== Timeframe: Montag 01-07-2024 18:00 − Dienstag 02-07-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Latest Intel CPUs impacted by new Indirector side-channel attack ∗∗∗ --------------------------------------------- Modern Intel processors, including chips from the Raptor Lake and the Alder Lake generations are susceptible to a new type of a high-precision Branch Target Injection (BTI) attack dubbed Indirector, which could be used to steal sensitive information from the CPU. --------------------------------------------- https://www.bleepingcomputer.com/news/security/latest-intel-cpus-impacted-b… ∗∗∗ Zahlungsaufforderung von Tecom für Erotikdienstleistungen ignorieren ∗∗∗ --------------------------------------------- In letzter Zeit werden uns vermehrt SMS-Nachrichten von Tecom gemeldet. Darin werden 90 Euro für Erotikdienstleistungen gefordert. Der Betrag soll auf ein tschechisches Konto überwiesen oder in bar per Einschreiben bezahlt werden. Bezahlen Sie nicht, es handelt sich um Betrug! --------------------------------------------- https://www.watchlist-internet.at/news/zahlungsaufforderung-von-tecom-fuer-… ∗∗∗ Getting Unauthenticated Remote Code Execution on the Logsign Unified SecOps Platform ∗∗∗ --------------------------------------------- This blog looks at two separate vulnerabilities that can be combined to achieve remote, unauthenticated code execution on the web server via HTTP requests. [..] Logsign patched these and other vulnerabilities with version 6.4.8. --------------------------------------------- https://www.thezdi.com/blog/2024/7/1/getting-unauthenticated-remote-code-ex… ∗∗∗ The End of Passwords? Embrace the Future with Passkeys. ∗∗∗ --------------------------------------------- Passkeys will become the new norm in a few years. Users will realize that passkeys simplify their lives, and companies and users alike will appreciate the reduced risk of breaches from phishing or brute-force attacks. However, building user trust in passkeys remains a challenge, like the adoption of password managers. --------------------------------------------- https://blog.nviso.eu/2024/07/02/the-end-of-passwords-embrace-the-future-wi… ∗∗∗ Modern Cryptographic Attacks: A Guide for the Perplexed ∗∗∗ --------------------------------------------- In this write-up, we lay out in simple terms: “Classic Flavor” modern cryptanalysis (e.g. meet-in-the-middle attacks, Birthday Attack on CBC) [..] Side Channel Attacks (e.g. Timing Attacks, an honorable mention for SPECTRE) [..] Attacks on RSA (e.g. Bleichenbacher’s attack, related message attacks, Coppersmith’s method) --------------------------------------------- https://research.checkpoint.com/2024/modern-cryptographic-attacks-a-guide-f… ∗∗∗ CocoaPods: Anfällig für Supply-Chain-Angriffe in "zahllosen" Mac- und iOS-Apps ∗∗∗ --------------------------------------------- Der Dependency-Manager auf Open-Source-Basis steckt in Millionen von Swift- und Objective-C-Programmen. [..] Eva Security fand heraus, dass CocoaPods bereits im Jahr 2014 alle Pods auf einen neuen "Trunk Server" auf GitHub migriert hat. Dabei wurden die Autoren jeder Bibliothek einfach zurückgesetzt. CocoaPods forderte die Entwickler dann auf, ihre jeweilige Bibliothek zu "claimen". Allerdings taten dies nicht alle. --------------------------------------------- https://heise.de/-9786099 ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco NX-OS Software CLI Command Injection Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the CLI of Cisco NX-OS Software could allow an authenticated, local attacker to execute arbitrary commands as root on the underlying operating system of an affected device. [..} To successfully exploit this vulnerability on a Cisco NX-OS device, an attacker must have Administrator credentials. [..] In April 2024, the Cisco Product Security Incident Response Team (PSIRT) became aware of attempted exploitation of this vulnerability in the wild. [..] CVE-2024-20399 --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (httpd:2.4/httpd), Arch Linux (openssh), Fedora (cups, emacs, and python-urllib3), Gentoo (OpenSSH), Mageia (ffmpeg, gdb, openssl, python-idna, and python-imageio), Red Hat (golang and kernel), SUSE (booth, libreoffice, openssl-1_1-livepatches, podman, python-arcomplete, python-Fabric, python-PyGithub, python- antlr4-python3-runtime, python-avro, python-chardet, python-distro, python- docker, python-fakeredis, python-fixedint, pyth, python-Js2Py, python310, python39, and squid), and Ubuntu (cups and netplan.io). --------------------------------------------- https://lwn.net/Articles/980393/ ∗∗∗ QNAP: Vulnerability in OpenSSH ∗∗∗ --------------------------------------------- A remote code execution (RCE) vulnerability in OpenSSH has been reported to affect QTS 5.2.0 Release Candidate and QuTS hero h5.2. [..] QNAP is actively investigating this issue and working on a solution. We will fix the issue in the official releases of QTS 5.2.0 and QuTS hero h5.2.0. --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-24-31 ∗∗∗ Juniper: Notfall-Update für Junos OS auf SRX-Baureihe ∗∗∗ --------------------------------------------- Juniper Networks schließt eine als hochriskant eingestufte DoS-Lücke im Juniper OS der SRX-Geräte mit einem Update außer der Reihe. [..] Nachdem bereits am Freitag Notfall-Updates von Juniper Networks für Session Smart Router nötig waren, legt das Unternehmen nun mit einem Update außer der Reihe für das Junos OS auf Geräten der SRX-Baureihe nach. Sie dichten eine Denial-of-Service-Sicherheitslücke ab. [..] CVE-2024-21586 --------------------------------------------- https://heise.de/-9785970 ∗∗∗ Android: Google schließt teils kritische Lücken am Juli-Patchday ∗∗∗ --------------------------------------------- Google hat Updates für Android 12, 12L, 13 und 14 im Rahmen des Juli-Patchdays veröffentlicht. Sie schließen Rechteausweitungs-Lücken. [..] Wie immer müssen sich Smartphone-Besitzer etwas gedulden, bis die Android-Aktualisierungen sich als Firmware-Updates für ihr eingesetztes Gerät materialisieren. Selbst für Googles hauseigene Pixel-Smartphones steht das Juli-Update zum Meldungszeitpunkt noch aus. --------------------------------------------- https://heise.de/-9786995 ∗∗∗ Splunk Security Advisories 2024-07-01 ∗∗∗ --------------------------------------------- https://advisory.splunk.com/advisories ∗∗∗ ICONICS and Mitsubishi Electric Products ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-184-03 ∗∗∗ Johnson Controls Kantech Door Controllers ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-184-01 ∗∗∗ mySCADA myPRO ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-184-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.07.2024
by Daily end-of-shift report 01 Jul '24

01 Jul '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 28-06-2024 18:00 − Montag 01-07-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Roles in Cybersecurity: CSIRTs / LE / others ∗∗∗ --------------------------------------------- Back in January 2024, I was asked by the Belgian EU Presidency to moderate a panel during their high-level conference on cyber security in Brussels. The topic was the relationship between cyber security and law enforcement: how do CSIRTs and the police / public prosecutors cooperate, what works here and where are the fault lines in this collaboration. As the moderator, I wasn’t in the position to really present my own view on some of the issues, so I’m using this blogpost to document my thinking regarding the CSIRT/LE division of labour. From that starting point, this text kind of turned into a rant on what’s wrong with IT Security. --------------------------------------------- https://www.cert.at/en/blog/2024/7/csirt-le-military ∗∗∗ NIS2 - Implementing Acts ∗∗∗ --------------------------------------------- Es liegen endlich Entwürfe für die Implementing Acts zur NIS 2 Richtline vor, die Umsetzungsdetails regeln werden. Genauer gesagt: es geht um Kriterien, wann ein Vorfall meldepflichtig wird und Maßnahmen zum Risikomanagement. Seitens der EU gibt es ein öffentliches Konsultationsverfahren dazu, das bis zum 25. Juli offen ist. Die Entwürfe sind auch über diese Webseite abrufbar. --------------------------------------------- https://www.cert.at/de/blog/2024/6/nis2-implementing-acts ∗∗∗ Vorsicht vor gefälschten Gewinnspielen zur UEFA EURO 2024 ∗∗∗ --------------------------------------------- Kriminelle verbreiten per E-Mail gefälschte Gewinnspiele zur UEFA EURO 2024. In der E-Mail heißt es, dass man eine UEFA EURO 2024 Mystery Box gewinnen kann, wenn man auf den Link klickt und an einer kurzen Umfrage teilnimmt. Vorsicht: Kriminelle stehlen Ihre Daten und Sie tappen in eine Abo-Falle! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-gefaelschten-gewinnspie… ∗∗∗ Hackers exploit critical D-Link DIR-859 router flaw to steal passwords ∗∗∗ --------------------------------------------- Hackers are exploiting a critical vulnerability that affects all D-Link DIR-859 WiFi routers to collect account information from the device, including passwords. The security issue was disclosed in January and is currently tracked as CVE-2024-0769 (9.8 severity score) - a path traversal flaw that leads to information disclosure. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-exploit-critical-d-l… ∗∗∗ Dev rejects CVE severity, makes his GitHub repo read-only ∗∗∗ --------------------------------------------- The popular open source project, ip had its GitHub repository archived, or made "read-only" by its developer as a result of a dubious CVE report filed for his project. Unfortunately, open-source developers have recently been met with an uptick in debatable or outright bogus CVEs filed for their projects. --------------------------------------------- https://www.bleepingcomputer.com/news/security/dev-rejects-cve-severity-mak… ∗∗∗ Fake IT support sites push malicious PowerShell scripts as Windows fixes ∗∗∗ --------------------------------------------- Fake IT support sites promote malicious PowerShell "fixes" for common Windows errors, like the 0x80070643 error, to infect devices with information-stealing malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fake-it-support-sites-push-m… ∗∗∗ Router makers support portal responds with MetaMask phishing ∗∗∗ --------------------------------------------- BleepingComputer has verified that the helpdesk portal of a router manufacturer is currently sending MetaMask phishing emails in response to newly filed support tickets, in what appears to be a compromise. --------------------------------------------- https://www.bleepingcomputer.com/news/security/router-makers-support-portal… ∗∗∗ Kimsuky Using TRANSLATEXT Chrome Extension to Steal Sensitive Data ∗∗∗ --------------------------------------------- [..] threat actor known as Kimsuky has been linked to the use of a new malicious Google Chrome extension thats designed to steal sensitive information as part of an ongoing intelligence collection effort. --------------------------------------------- https://thehackernews.com/2024/06/kimsuky-using-translatext-chrome.html ∗∗∗ CapraRAT Spyware Disguised as Popular Apps Threatens Android Users ∗∗∗ --------------------------------------------- The threat actor known as Transparent Tribe has continued to unleash malware-laced Android apps as part of a social engineering campaign to target individuals of interest. [..] The list of new malicious APK files identified by SentinelOne is as follows - Crazy Game, Sexy Videos, TikToks, Weapons --------------------------------------------- https://thehackernews.com/2024/07/caprarat-spyware-disguised-as-popular.html ∗∗∗ Unveiling Qilin/Agenda Ransomware - A Deep Dive into Modern Cyber Threats ∗∗∗ --------------------------------------------- Agenda ransomware, also known as 'Qilin,' first emerged in July 2022. Written in Golang, Agenda supports multiple encryption modes, all controlled by its operators. The Agenda ransomware actors use double extortion tactics, demanding payment for both a decryptor and the non-release of stolen data. This ransomware primarily targets large enterprises and high-value organizations, focusing particularly on the healthcare and education sectors in Africa and Asia. --------------------------------------------- https://sec-consult.com/blog/detail/unveiling-qilin-agenda-ransomware-a-dee… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (dcmtk, edk2, emacs, glibc, gunicorn, libmojolicious-perl, openssh, org-mode, pdns-recursor, tryton-client, and tryton-server), Fedora (freeipa, kitty, libreswan, mingw-gstreamer1, mingw-gstreamer1-plugins-bad-free, mingw-gstreamer1-plugins-base, mingw-gstreamer1-plugins-good, mingw-poppler, and mingw-python-urllib3), Gentoo (cpio, cryptography, GNU Emacs, Org Mode, GStreamer, GStreamer Plugins, Liferea, Pixman, SDL_ttf, SSSD, and Zsh), Oracle (pki-core), Red Hat (httpd:2.4, libreswan, and pki-core), SUSE (glib2 and kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t), and Ubuntu (espeak-ng, libcdio, and openssh). --------------------------------------------- https://lwn.net/Articles/980252/ ∗∗∗ regreSSHion: Remote Unauthenticated Code Execution Vulnerability (CVE-2024-6387) in OpenSSH server ∗∗∗ --------------------------------------------- Eine kritische Schwachstelle (CVE-2024-6387) wurde im OpenSSH Server (sshd) auf glibc-basierten Linux-Systemen getestet. Diese Sicherheitslücke ermöglicht es einem nicht authentifizierten Angreifer potentiell, über eine Race-Condition im Signalhandler beliebigen Code als root auf dem betroffenen System auszuführen. OpenBSD-basierte Systeme sind nicht betroffen. Obwohl die Schwachstelle als Remote Code Execution (RCE) eingestuft wird, ist ihre Ausnutzung äußerst komplex. [..] Betroffen sind OpenSSH-Versionen früher als 4.4p1, es sei denn, sie wurden gegen die Schwachstellen CVE-2006-5051 und CVE-2008-4109 gepatcht, sowie OpenSSH-Versionen von 8.5p1 bis einschließlich 9.8p1. --------------------------------------------- https://www.cert.at/de/aktuelles/2024/7/regresshion-remote-unauthenticated-… ∗∗∗ IP-Telefonie: Avaya IP Office stopft kritische Sicherheitslecks ∗∗∗ --------------------------------------------- Updates für Avaya IP Office dichten Sicherheitslecks in der Software ab. Angreifer können dadurch Schadcode einschleusen. --------------------------------------------- https://heise.de/-9784229 ∗∗∗ ABB: 2024-07-01: Cyber Security Advisory -ASPECT system operating with default credentials while exposed to the Internet ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=9AKK108469A6101&Lan… ∗∗∗ Kubernetes: Invalid entry in vulnerability feed ∗∗∗ --------------------------------------------- https://github.com/kubernetes/website/issues/47003 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily July 2024