January 2025 - Daily

Tageszusammenfassung - 31.01.2025
by Daily end-of-shift report 31 Jan '25

31 Jan '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 30-01-2025 18:00 − Freitag 31-01-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Windows Exploitation Tricks: Trapping Virtual Memory Access (2025 Update) ∗∗∗ --------------------------------------------- Back in 2021 I wrote a blog post about various ways you can build a virtual memory access trap primitive on Windows. The goal was to cause a reader or writer of a virtual memory address to halt for a significant (e.g. 1 or more seconds) amount of time, generally for the purpose of exploiting TOCTOU memory access .. --------------------------------------------- https://googleprojectzero.blogspot.com/2025/01/windows-exploitation-tricks-… ∗∗∗ Infrastructure Laundering: Blending in with the Cloud ∗∗∗ --------------------------------------------- In an effort to blend in and make their malicious traffic tougher to block, hosting firms catering to cybercriminals in China and Russia increasingly are funneling their operations through major U.S. cloud providers. Research published this week on one such outfit -- a sprawling network tied to Chinese organized crime gangs and aptly named "Funnull" -- highlights a persistent whac-a-mole problem facing cloud services. --------------------------------------------- https://krebsonsecurity.com/2025/01/infrastructure-laundering-blending-in-w… ∗∗∗ Operation "Talent" nimmt weltgrößte Plattformen für Cyberkriminalität vom Netz ∗∗∗ --------------------------------------------- Bei einer internationalen Aktion wurden die Cracking-Foren nulled.to und cracked.io vom Netz genommen --------------------------------------------- https://www.derstandard.at/story/3000000255412/operation-talent-nimmt-weltg… ∗∗∗ Recent Jailbreaks Demonstrate Emerging Threat to DeepSeek ∗∗∗ --------------------------------------------- Evaluation of three jailbreaking techniques on DeepSeek shows risks of generating prohibited content. --------------------------------------------- https://unit42.paloaltonetworks.com/jailbreaking-deepseek-three-techniques/ ∗∗∗ On hackers, hackers, and hilarious misunderstandings ∗∗∗ --------------------------------------------- "Hacker", as we in the bizz know well, carries different meanings for different people, and this can cause hilarious misunderstandings. Yesterday, the Polish TV network TVN aired the second part of an ongoing documentary about issues in NEWAG trains that were analyzed by Dragon Sector. Near the end, the documentary featured a recording .. --------------------------------------------- https://gynvael.coldwind.pl/?id=799 ∗∗∗ Cyberangriffe auf SimpleHelp RMM beobachtet ∗∗∗ --------------------------------------------- In SimepleHelp RMM missbrauchen Angreifer Sicherheitslücken, um Netzwerke zu kompromittieren. Updates stehen bereit. --------------------------------------------- https://heise.de/-10265414 ∗∗∗ The Slow Death of OCSP ∗∗∗ --------------------------------------------- Everybody is talking about OCSP now because, just last month, at the end of 2024, Let’s Encrypt announced it was going to stop supporting online certificate revocation checking. Beginning in early May 2025, there will no longer be any OCSP revocation information in Let’s Encrypt’s certificates. Once all its earlier certificates expire, Let’s Encrypt will shut down its OCSP servers. --------------------------------------------- https://www.feistyduck.com/newsletter/issue_121_the_slow_death_of_ocsp ∗∗∗ PyPI’s New Archival Feature Closes a Major Security Gap ∗∗∗ --------------------------------------------- A major security improvement has landed on PyPI: maintainers can now archive projects, making it clear when a package is no longer actively maintained. This long-awaited feature, developed by Trail of Bits and funded by Alpha-Omega, helps developers make informed decisions about dependencies while protecting the Python ecosystem from risks associated .. --------------------------------------------- https://socket.dev/blog/pypi-adds-support-for-archiving-projects ∗∗∗ VMware Aria Vulnerabilities Addressed ∗∗∗ --------------------------------------------- VMware Security Advisory VMSA-2025-0003 addresses multiple vulnerabilities identified in VMware Aria Operations for Logs and VMware Aria Operations. These vulnerabilities, if exploited, could allow attackers to .. --------------------------------------------- https://thecyberthrone.in/2025/01/31/vmware-aria-vulnerabilities-addressed/ ∗∗∗ DeepSeek’s Popularity Sparks Surge in Crypto Phishing and Malware Campaigns ∗∗∗ --------------------------------------------- The rapid rise of DeepSeek, a Chinese artificial intelligence company known for its open-source large language models (LLMs), has sparked not only excitement but also a significant increase in cyber threats. As of January 2025, the company launched its first free chatbot app, “DeepSeek – AI Assistant,” which quickly became the most downloaded .. --------------------------------------------- https://thecyberexpress.com/deepseeks-surge-sparks-malware-campaigns/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (libsoup), Debian (debian-security-support and redis), Fedora (expat, java-21-openjdk, lemonldap-ng, and phpMyAdmin), Mageia (chromium-browser-stable and git-lfs), Oracle (bzip2, git-lfs, libsoup, mariadb:10.11, mariadb:10.5, python-jinja2, redis, and unbound), Red Hat (git-lfs, libsoup, python-jinja2, .. --------------------------------------------- https://lwn.net/Articles/1007252/ ∗∗∗ VU#733789: ChatGPT-4o contains security bypass vulnerability through time and search functions called "Time Bandit" ∗∗∗ --------------------------------------------- https://kb.cert.org/vuls/id/733789 ∗∗∗ ZDI-25-060: Google Chrome AI Manager Use-After-Free Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-060/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.01.2025
by Daily end-of-shift report 30 Jan '25

30 Jan '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 29-01-2025 18:00 − Donnerstag 30-01-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ No need to RSVP: a closer look at the Tria stealer campaign ∗∗∗ --------------------------------------------- Kaspersky GReAT experts discovered a new campaign targeting Android devices in Malaysia and Brunei with the Tria stealer to collect data from apps like WhatsApp and Gmail. --------------------------------------------- https://securelist.com/tria-stealer-collects-sms-data-from-android-devices/… ∗∗∗ Exposed DeepSeek Database Revealed Chat Prompts and Internal Data ∗∗∗ --------------------------------------------- China-based DeepSeek has exploded in popularity, drawing greater scrutiny. Case in point: Security researchers found more than 1 million records, including user data and API keys, in an open database. --------------------------------------------- https://www.wired.com/story/exposed-deepseek-database-revealed-chat-prompts… ∗∗∗ Europol warnt vor gefälschten Medikamenten in Online-Angeboten ∗∗∗ --------------------------------------------- Europol hat 2024 Medikamente im Wert von rund 11,1 Millionen Euro beschlagnahmt. Sie waren gefälscht und für den Online-Handel vorgesehen. --------------------------------------------- https://www.heise.de/news/Europol-warnt-vor-gefaelschten-Medikamenten-in-On… ∗∗∗ Warten auf Patch: Das Admin-Interface Voyager für Laravel-Apps ist verwundbar ∗∗∗ --------------------------------------------- Sicherheitsforscher warnen vor möglichen Attacken auf Voyager. Bislang haben sich die Entwickler zu den Sicherheitslücken nicht geäußert. --------------------------------------------- https://www.heise.de/news/Warten-auf-Patch-Das-Admin-Interface-Voyager-fuer… ∗∗∗ Linux-related discussion as a cybersecurity threat ∗∗∗ --------------------------------------------- Starting on January 19, 2025 Facebooks internal policy makers decided that Linux is malware and labeled groups associated with Linux as being "cybersecurity threats". Any posts mentioning DistroWatch and multiple groups associated with Linux and Linux discussions have either been shut down or had many of their posts removed. Weve been hearing all week .. --------------------------------------------- https://lwn.net/Articles/1006328/ ∗∗∗ Betrugswelle auf Facebook: Gefälschte Lagerabverkäufe von Hofer und Zara ∗∗∗ --------------------------------------------- Aktuell kursieren auf Facebook Postings, die angeblich von bekannten Marken stammen und mit einem Lagerabverkauf werben. Nutzer:innen wird suggeriert, dass Unternehmen wie Hofer oder Zara kostenlose Kaffeemaschinen oder Geschenkboxen zu Sonderpreisen verschenken. Doch Vorsicht: Es handelt sich um gefälschte Angebote von Kriminellen, die es nur auf Kreditkartendaten abgesehen haben. --------------------------------------------- https://www.watchlist-internet.at/news/betrugswelle-auf-facebook-gefaelscht… ∗∗∗ Risikobild 2025 ∗∗∗ --------------------------------------------- Das österreichische Verteidigungsministerium präsentierte am 27. Jänner das "Risikobild 2025". Wie nicht anders zu erwarten war, dominieren geopolitische Herausforderungen die Risikolandschaft. Der Ukraine-Krieg, die Spannungen zwischen China und den USA sowie der Nahe Osten sind auch die ersten Themen, die mir einfallen würden, wenn mich .. --------------------------------------------- https://www.cert.at/de/blog/2025/1/risikobild-2025 ∗∗∗ Talos IR trends Q4 2024: Web shell usage and exploitation of public-facing applications spike ∗∗∗ --------------------------------------------- This new report from Cisco Talos Incident Response explores how threat actors increasingly deployed web shells against vulnerable web applications, and exploited vulnerable or unpatched public-facing applications to gain initial access. --------------------------------------------- https://blog.talosintelligence.com/talos-ir-trends-q4-2024/ ∗∗∗ FBI Seizes Leading Hacking Forums Cracked.io and Nulled.to ∗∗∗ --------------------------------------------- Nulled.to, Cracked.to and Cracked.io, major hacking forums, appear seized by the FBI as DNS records point to FBI. --------------------------------------------- https://hackread.com/fbi-seizes-hacking-forums-cracked-to-nulled-to/ ∗∗∗ Common OAuth Vulnerabilities ∗∗∗ --------------------------------------------- OAuth2’s popularity makes it a prime target for attackers. While it simplifies user login, its complexity can lead to misconfigurations that create security holes. Some of the more intricate vulnerabilities keep reappearing because the protocol’s inner workings are not always well-understood. In an effort to change that, we have decided to .. --------------------------------------------- https://blog.doyensec.com/2025/01/30/oauth-common-vulnerabilities.html ===================== = Vulnerabilities = ===================== ∗∗∗ Google Tag - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-012 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2025-012 ∗∗∗ Google Tag - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-011 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2025-011 ∗∗∗ Drupal Admin LTE theme - Critical - Unsupported - SA-CONTRIB-2025-010 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2025-010 ∗∗∗ Authenticator Login - Critical - Access bypass - SA-CONTRIB-2025-009 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2025-009 ∗∗∗ Matomo Analytics - Moderately critical - Cross site request forgery - SA-CONTRIB-2025-008 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2025-008 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.01.2025
by Daily end-of-shift report 29 Jan '25

29 Jan '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 28-01-2025 18:00 − Mittwoch 29-01-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Threat predictions for industrial enterprises 2025 ∗∗∗ --------------------------------------------- Kaspersky ICS CERT analyzes industrial threat trends and makes forecasts on how the industrial threat landscape will look in 2025. --------------------------------------------- https://securelist.com/industrial-threat-predictions-2025/115327/ ∗∗∗ ExxonMobil Lobbyist Caught Hacking Climate Activists ∗∗∗ --------------------------------------------- The Department of Justice is investigating a lobbying firm representing ExxonMobil for hacking the phones of climate activists:The hacking was allegedly commissioned by a Washington, D.C., lobbying firm, according to a lawyer representing the U.S. government. The firm, in turn, was allegedly working on behalf of one of the world’s largest oil and gas .. --------------------------------------------- https://www.schneier.com/blog/archives/2025/01/exxonmobil-lobbyist-caught-h… ∗∗∗ Industrielle Kontrollsysteme: Attacken auf kritische Infrastrukturen möglich ∗∗∗ --------------------------------------------- Es sind wichtige Sicherheitsupdates für industriellen Steuerungssysteme von unter anderem Rockwell und Schneider erschienen. --------------------------------------------- https://www.heise.de/news/Industrielle-Kontrollsysteme-Attacken-auf-kritisc… ∗∗∗ Zwei Sidechannel-Attacken auf Apples M-Prozessoren ∗∗∗ --------------------------------------------- Die schwerwiegenden Sicherheitslücken lassen sich für Angriffe auf Webbrowser aus der Ferne nutzen. Betroffen sind viele Mobil- und Desktop-Geräte von Apple. --------------------------------------------- https://www.heise.de/news/Zwei-Sidechannel-Attacken-auf-Apples-M-Prozessore… ∗∗∗ How we estimate the risk from prompt injection attacks on AI systems ∗∗∗ --------------------------------------------- Modern AI systems, like Gemini, are more capable than ever, helping retrieve data and perform actions on behalf of users. However, data from external sources present new security challenges if untrusted sources are available to execute instructions on AI systems. Attackers can take advantage of this by hiding malicious instructions in data .. --------------------------------------------- http://security.googleblog.com/2025/01/how-we-estimate-risk-from-prompt.html ∗∗∗ Backups & DRP in the ransomware era ∗∗∗ --------------------------------------------- In today’s digital landscape, the threat of ransomware has forced organizations to reevaluate their disaster recovery plans. Traditional approaches to data protection were focused primarily on high availability and are no longer sufficient. As cyber threats evolve, so must our strategies for safeguarding critical information. This blog post explores the .. --------------------------------------------- https://blog.nviso.eu/2025/01/29/backups-drp-in-the-ransomware-era/ ∗∗∗ Hackers Actively Exploiting Fortinet Firewalls: Real-Time Insights from GreyNoise ∗∗∗ --------------------------------------------- This blog details how attackers are actively exploiting Fortinet FortiGate firewalls vulnerable to CVE-2022-40684, with real-time insights from GreyNoise to help defenders understand and respond to these threats. --------------------------------------------- https://www.greynoise.io/blog/hackers-actively-exploiting-fortinet-firewall… ∗∗∗ Active Exploitation of Zero-day Zyxel CPE Vulnerability (CVE-2024-40891) ∗∗∗ --------------------------------------------- CVE-2024-40891: Zyxel CPE Zero-day Exploitation. Hackers are actively exploiting a telnet-based command injection vulnerability in Zyxel CPE devices, impacting 1,500+ exposed systems. No patch is available yet. --------------------------------------------- https://www.greynoise.io/blog/active-exploitation-of-zero-day-zyxel-cpe-vul… ∗∗∗ Adversarial Misuse of Generative AI ∗∗∗ --------------------------------------------- Rapid advancements in artificial intelligence (AI) are unlocking new possibilities for the way we work and accelerating innovation in science, technology, and beyond. In cybersecurity, AI is poised to transform digital defense, empowering defenders and enhancing our collective security. Large language models (LLMs) open new possibilities for .. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/adversarial-misuse… ∗∗∗ CVE-2024-46507: Yeti Platform Server-Side Template Injection (SSTI) ∗∗∗ --------------------------------------------- Yeti is a Forensic Intelligence platform and pipeline for DFIR teams. It allows threat intelligence and DFIR teams to catalog, search, and link pieces of intelligence such as IP addresses, TTPs, and threat actors. With 10,000 .. --------------------------------------------- https://rhinosecuritylabs.com/research/cve-2024-46507-yeti-server-side-temp… ∗∗∗ CISA Brings KEV Data to GitHub ∗∗∗ --------------------------------------------- The Cybersecurity and Infrastructure Security Agency (CISA) just made a major move to improve access and usability for its Known Exploited Vulnerabilities (KEV) catalog. Announced by Tod Beardsley on LinkedIn, CISA has launched a new kev-data repository on GitHub, allowing developers, researchers, and cybersecurity enthusiasts to access KEV data in .. --------------------------------------------- https://socket.dev/blog/cisa-brings-kev-data-to-github ∗∗∗ CVE-2024-49138 Windows CLFS heap-based buffer overflow analysis – Part 2 ∗∗∗ --------------------------------------------- In the previous article, we discussed a vulnerability in the LoadContainerQ() function inside clfs.sys. The root cause of the vulnerability was LoadContainerQ() using a CLFS_CONTAINER_CONTEXT.pContainer without checking if FlushImage() invalidated the General Metadata Block. --------------------------------------------- https://security.humanativaspa.it/cve-2024-49138-windows-clfs-heap-based-bu… ∗∗∗ CVE-2024-49138 Windows CLFS heap-based buffer overflow analysis – Part 1 ∗∗∗ --------------------------------------------- CVE-2024-49138 is a Windows vulnerability detected by CrowdStrike as exploited in the wild. Microsoft patched the vulnerability on December 10th, 2024 with KB5048685 (for Windows 11 .. --------------------------------------------- https://security.humanativaspa.it/cve-2024-49138-windows-clfs-heap-based-bu… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (bzip2, gimp:2.8, keepalived, mariadb:10.11, mariadb:10.5, python-jinja2, and redis), Debian (iperf3, libtar, and pdns-recursor), Fedora (abseil-cpp, dotnet8.0, dotnet9.0, golang, libsoup3, and vaultwarden), Oracle (gimp:2.8, iperf3, keepalived, kernel, redis:7, and unbound), Red Hat (libsoup), SUSE (amazon-ssm-agent, .. --------------------------------------------- https://lwn.net/Articles/1006677/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.01.2025
by Daily end-of-shift report 28 Jan '25

28 Jan '25

===================== = End-of-Day report = ===================== Timeframe: Montag 27-01-2025 18:00 − Dienstag 28-01-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ EU sanctions Russian GRU hackers for cyberattacks against Estonia ∗∗∗ --------------------------------------------- The European Union sanctioned three hackers, part of Unit 29155 of Russias military intelligence service (GRU), for their involvement in cyberattacks targeting Estonias government agencies in 2020. --------------------------------------------- https://www.bleepingcomputer.com/news/security/eu-sanctions-russian-gru-hac… ∗∗∗ Israel: Hacker kapern Notfallsirenen und spielen arabische Musik ∗∗∗ --------------------------------------------- In mehreren israelischen Einrichtungen ist kürzlich unerwartet arabische Musik aus den Notfallsirenen ertönt. Eine Hackergruppe hat sich schuldig bekannt. --------------------------------------------- https://www.golem.de/news/israel-hacker-kapern-notfallsirenen-und-spielen-a… ∗∗∗ Beyond the hype: The business reality of AI for cybersecurity ∗∗∗ --------------------------------------------- Real-world insights from 400 IT leaders, plus practical guidance to enhance business outcomes --------------------------------------------- https://news.sophos.com/en-us/2025/01/28/beyond-the-hype-the-business-reali… ∗∗∗ Update: Cybercriminals still not fully on board the AI train (yet) ∗∗∗ --------------------------------------------- A year after our initial research on threat actors’ attitudes to generative AI, we revisit some underground forums and find that many cybercriminals are still skeptical – although there has been a slight shift. --------------------------------------------- https://news.sophos.com/en-us/2025/01/28/update-cybercriminals-still-not-fu… ∗∗∗ Top-Rated Chinese AI App DeepSeek Limits Registrations Amid Cyberattacks ∗∗∗ --------------------------------------------- DeepSeek, the Chinese AI startup that has captured much of the artificial intelligence (AI) buzz in recent days, said its restricting registrations on the service, citing malicious attacks."Due to large-scale malicious attacks on DeepSeeks services, .. --------------------------------------------- https://thehackernews.com/2025/01/top-rated-chinese-ai-app-deepseek.html ∗∗∗ Apple plugs security hole in its iThings thats already been exploited in iOS ∗∗∗ --------------------------------------------- Cupertino kicks off the year with a zero-day Apple has plugged a security hole in the software at the heart of its iPhones, iPads, Vision Pro goggles, Apple TVs and macOS Sequoia Macs, warning some miscreants have already exploited the bug. --------------------------------------------- https://www.theregister.com/2025/01/28/apple_cve_2025_24085/ ∗∗∗ Security pros more confident about fending off ransomware, despite being battered by attacks ∗∗∗ --------------------------------------------- Data leak, shmata leak. It will all work out, right? IT and security pros say they are more confident in their ability to manage ransomware attacks after nearly nine in ten (88 percent) were forced to contain efforts by criminals to breach their defenses in the past year. --------------------------------------------- https://www.theregister.com/2025/01/28/research_security_pros_gain_ransomwa… ∗∗∗ Auf Facebook konnte man E-Mail-Adressen, Telefonnummern, Einmalpasswörter, etc. von Fremden einsehen. ∗∗∗ --------------------------------------------- For an unknown period until the end of January 2024, Facebook appears to have suffered a data leak that has exposed users’ email addresses, phone numbers and other identifying information. [..] The issue was reported to Facebook via its bug bounty programme. While the demonstrated method stopped working two weeks after submission, the .. --------------------------------------------- https://social.leckse.net/@leckse/statuses/01JJPE94S1NQM62VY60S767S1H ∗∗∗ Sonicwall: Tausende Geräte für trivial angreifbare SSL-VPN-Lücke anfällig ∗∗∗ --------------------------------------------- Seit Anfang Januar gibt es einen Patch zum Schließen einer SSL-VPN-Lücke in Sonicwalls. Dennoch sind mehr als 5000 Geräte noch angreifbar. --------------------------------------------- https://www.heise.de/news/Leicht-angreifbare-Sonicwall-Luecke-Tausende-Gera… ∗∗∗ Teamviewer: Rechteausweitung durch Sicherheitslücke möglich ∗∗∗ --------------------------------------------- Teamviewer warnt vor einer Schwachstelle in den Windows-Versionen der Fernwartungssoftware, die Angreifern die Rechteausweitung ermöglicht. --------------------------------------------- https://www.heise.de/news/Teamviewer-Rechteausweitung-durch-Sicherheitsluec… ∗∗∗ A Tumultuous Week for Federal Cybersecurity Efforts ∗∗∗ --------------------------------------------- President Trump last week issued a flurry of executive orders that upended a number of government initiatives focused on improving the nations cybersecurity posture. The president fired all advisors from the Department of Homeland Securitys Cyber Safety Review Board, called for the creation of a strategic cryptocurrency reserve, and voided .. --------------------------------------------- https://krebsonsecurity.com/2025/01/a-tumultuous-week-for-federal-cybersecu… ∗∗∗ How Garmin watches reveal your personal data, and what you can do ∗∗∗ --------------------------------------------- TL;DR A walk-through of obtaining sensitive data from a Garmin watch using forensic techniques How digital forensics on a Garmin watch helped solve a double murder case A .. --------------------------------------------- https://www.pentestpartners.com/security-blog/how-garmin-watches-reveal-you… ∗∗∗ New TorNet backdoor seen in widespread campaign ∗∗∗ --------------------------------------------- Cisco Talos discovered an ongoing malicious campaign operated by a financially motivated threat actor targeting users, predominantly in Poland and Germany. --------------------------------------------- https://blog.talosintelligence.com/new-tornet-backdoor-campaign/ ∗∗∗ ScatterBrain: Unmasking the Shadow of PoisonPlugs Obfuscator ∗∗∗ --------------------------------------------- Since 2022, Google Threat Intelligence Group (GTIG) has been tracking multiple cyber espionage operations conducted by China-nexus actors utilizing POISONPLUG.SHADOW. These operations employ a custom obfuscating compiler that we refer to as "ScatterBrain," facilitating attacks against various entities across Europe and the Asia Pacific (APAC) region. ScatterBrain appears .. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/scatterbrain-unmas… ∗∗∗ Stating the Obvious: Vulns On the Rise in 2025 ∗∗∗ --------------------------------------------- Join Ben Edwards, as he takes a brief look back at one of the stories that was most interesting to him as a security data nerd from 2024. --------------------------------------------- https://www.bitsight.com/blog/2025-predictions-for-cve-vulnerabilities ∗∗∗ Get FortiRekt, I Am The Super_Admin Now - Fortinet FortiOS Authentication Bypass CVE-2024-55591 ∗∗∗ --------------------------------------------- Welcome to Monday, and what an excitingly fresh start to the week were all having. Grab your coffee, grab your vodka - were diving into a currently exploited-in-the-wild critical Authentication Bypass affecting .. --------------------------------------------- https://labs.watchtowr.com/get-fortirekt-i-am-the-super_admin-now-fortios-a… ∗∗∗ Clone2Leak: Your Git Credentials Belong To Us ∗∗∗ --------------------------------------------- In October 2024, I was hunting bugs for the GitHub Bug Bounty program. After investigating GitHub Enterprise Server for a while, I felt bored and decided to try to find bugs on GitHub Desktop instead. --------------------------------------------- https://flatt.tech/research/posts/clone2leak-your-git-credentials-belong-to… ∗∗∗ Best practices for key derivation ∗∗∗ --------------------------------------------- By Marc Ilunga Key derivation is essential in many cryptographic applications, including key exchange, key management, secure communications, and building robust cryptographic primitives. But it’s also easy to get wrong: although .. --------------------------------------------- https://blog.trailofbits.com/2025/01/28/best-practices-for-key-derivation/ ===================== = Vulnerabilities = ===================== ∗∗∗ Vulnerability in ClamAV Discovered by OSS-Fuzz ∗∗∗ --------------------------------------------- A security vulnerability has been identified in ClamAV, stemming from a potential buffer overflow read issue in .. --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-25-04 ∗∗∗ WordPress Plugin "Simple Image Sizes" vulnerable to cross-site scripting ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN88046370/ ∗∗∗ TYPO3-EXT-SA-2025-001: Account Takeover in extension "OpenID Connect Authentication" (oidc) ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-ext-sa-2025-001 ∗∗∗ Rockwell Automation FactoryTalk ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-028-03 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.01.2025
by Daily end-of-shift report 27 Jan '25

27 Jan '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 24-01-2025 18:00 − Montag 27-01-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Eine verpasste Chance: Schwaches Passwort-Hashing in VxWorks ∗∗∗ --------------------------------------------- Die Sicherheit von eingebetteten Systemen, die Echtzeitbetriebssysteme (RTOS) wie Wind River VxWorks verwenden, ist in risikoreichen Bereichen wie OT, .. --------------------------------------------- https://sec-consult.com/de/blog/detail/eine-verpasste-chance-schwaches-pass… ∗∗∗ Cracking the Giant: How ODAT Challenges Oracle, the King of Databases ∗∗∗ --------------------------------------------- In the past decade, Oracle Database (Oracle DB) has reigned supreme in the competitive arena of database engine popularity ranking as shown in Figure 1 and Figure 2. This pervasiveness has led Oracle Database to be trusted by Fortune 500 companies (e.g. Netflix, LinkedIn, eBay, etc.) to house, process, and safeguard their critical data. Its .. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cracking-th… ∗∗∗ GitHub Desktop Vulnerability Risks Credential Leaks via Malicious Remote URLs ∗∗∗ --------------------------------------------- Multiple security vulnerabilities have been disclosed in GitHub Desktop as well as other Git-related projects that, if successfully exploited, could permit an attacker to gain unauthorized access to a users Git credentials."Git implements a protocol called Git Credential Protocol to retrieve credentials from the .. --------------------------------------------- https://thehackernews.com/2025/01/github-desktop-vulnerability-risks.html ∗∗∗ Scammers Are Creating Fake News Videos to Blackmail Victims ∗∗∗ --------------------------------------------- “Yahoo Boy” scammers are impersonating CNN and other news organizations to create videos that pressure victims into making blackmail payments. --------------------------------------------- https://www.wired.com/story/scammers-are-creating-fake-news-videos-to-black… ∗∗∗ Technical Analysis of Xloader Versions 6 and 7 | Part 1 ∗∗∗ --------------------------------------------- Xloader is a malware family that is the successor to Formbook with information stealing capabilities targeting web browsers, email clients, and File Transfer Protocol (FTP) applications. The malware is also able to deploy second-stage payloads to an infected system. The author of Xloader regularly adds new functionality to target more .. --------------------------------------------- https://www.zscaler.com/blogs/security-research/technical-analysis-xloader-… ∗∗∗ Nach Sicherheitslücke bei D-Trust: CCC spricht von "Cyber-Augenwischerei" ∗∗∗ --------------------------------------------- Der Chaos Computer Club fordert vom Vertrauensdiensteanbieter D-Trust Verantwortung zu tragen und die Abschaffung des Hackerparagraphen. --------------------------------------------- https://www.heise.de/news/Nach-Sicherheitsluecke-bei-D-Trust-CCC-spricht-vo… ∗∗∗ Palo-Alto: Sicherheitslücken in Firmware und Bootloadern von Firewalls ∗∗∗ --------------------------------------------- Die Firmware und Bootloader von einigen Palo-Alto-Firewalls weisen Sicherheitslecks auf, die Angreifern das Einnisten nach Angriffen ermöglichen. --------------------------------------------- https://www.heise.de/news/Palo-Alto-Sicherheitsluecken-in-Firmware-und-Boot… ∗∗∗ Hacked buses blare out patriotic pro-European anthems in Tbilisi, attack government ∗∗∗ --------------------------------------------- Residents of Tbilisi, the capital city of Georgia, experienced an unexpected and unusual start to their Friday morning commute. As they boarded their public transport buses, they were greeted by a barrage of sound emanating .. --------------------------------------------- https://www.bitdefender.com/en-us/blog/hotforsecurity/hacked-buses-blare-ou… ∗∗∗ The 2024 Ransomware Landscape: Looking back on another painful year ∗∗∗ --------------------------------------------- In this post, we’ll examine the latest data points, discuss notable groups, and estimate the potential impact on victims — helping security teams plan their defenses for the months ahead. --------------------------------------------- https://www.rapid7.com/blog/post/2025/01/27/the-2024-ransomware-landscape-l… ∗∗∗ Brave Desktop Browser Vulnerability Lets Malicious Sites Appear Trusted ∗∗∗ --------------------------------------------- A critical vulnerability in Brave Browser allows malicious websites to appear as trusted sources during file uploads/downloads. --------------------------------------------- https://hackread.com/brave-desktop-browser-vulnerability-malicious-sites-tr… ∗∗∗ Datadog threat roundup: top insights for Q4 2024 ∗∗∗ --------------------------------------------- Threat insights from Datadog Security Labs for Q4 2024. --------------------------------------------- https://securitylabs.datadoghq.com/articles/2024-q4-threat-roundup/ ∗∗∗ Exploit Me, Baby, One More Time: Command Injection in Kubernetes Log Query ∗∗∗ --------------------------------------------- Kubernetes and containers in general have become a predominant force in the security world - and, as such, they’ve been a point of interest for researchers worldwide (including us). Our research journey initially led .. --------------------------------------------- https://www.akamai.com/blog/security-research/2024-january-kubernetes-log-q… ∗∗∗ Node.js EOL Versions CVE Dubbed the "Worst CVE of the Year" by Security Experts ∗∗∗ --------------------------------------------- On January 22, 2025, CVE-2025-23088 was published by HackerOne to inform users about the risks of continuing to use End-of-Life (EOL) versions of Node.js. This CVE has quickly sparked debate in the security community, with some experts labeling it the “worst CVE of the year” – not for its severity, but for the controversy surrounding .. --------------------------------------------- https://socket.dev/blog/node-js-eol-versions-cve-dubbed-the-worst-cve-of-th… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (git-lfs, java-17-openjdk, java-21-openjdk, kernel, and python-jinja2), Debian (git and git-lfs), Fedora (buildah, chromium, containers-common, freeipa, glibc, golang, mediawiki, pam-u2f, podman, and rsync), Mageia (glibc, iperf, openssl, phpmyadmin, and poppler), Oracle (firefox, git-lfs, grafana, .. --------------------------------------------- https://lwn.net/Articles/1006261/ ∗∗∗ Wind River Software VxWorks RTOS Weak Password Hashing Algorithms ∗∗∗ --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/wind-river-software-vxwo… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.01.2025
by Daily end-of-shift report 24 Jan '25

24 Jan '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 23-01-2025 18:00 − Freitag 24-01-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Hacker infects 18,000 "script kiddies" with fake malware builder ∗∗∗ --------------------------------------------- A threat actor targeted low-skilled hackers, known as "script kiddies," with a fake malware builder that secretly infected them with a backdoor to steal data and take over computers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hacker-infects-18-000-script… ∗∗∗ Malware Redirects WordPress Traffic to Harmful Sites ∗∗∗ --------------------------------------------- Recently, a customer approached us after noticing their website was redirecting visitors to a suspicious URL. They suspected their site had been compromised and sought assistance in identifying and resolving the issue. This .. --------------------------------------------- https://blog.sucuri.net/2025/01/malware-redirects-wordpress-traffic-to-harm… ∗∗∗ North Korean dev who renamed himself Bane accused of IT worker fraud scheme ∗∗∗ --------------------------------------------- 5 indicted as FBI warns North Korea dials up aggression, plus Russian devs allegedly get in on the act The US is indicting yet another five suspects it believes were involved in North Koreas long-running, fraudulent remote IT worker scheme – including one who changed their last name to "Bane" and scored a gig at a tech biz in San Francisco. --------------------------------------------- https://www.theregister.com/2025/01/24/north_korean_devs_and_their/ ∗∗∗ Dont want your Kubernetes Windows nodes hijacked? Patch this hole now ∗∗∗ --------------------------------------------- SYSTEM-level command injection via API parameter *chefs kiss* A now-fixed command-injection bug in Kubernetes can be exploited by a remote attacker to gain code execution with SYSTEM privileges on all Windows endpoints in a cluster, and thus fully take over those systems, according to Akamai researcher Tomer Peled. --------------------------------------------- https://www.theregister.com/2025/01/24/kubernetes_windows_nodes_bug/ ∗∗∗ Subaru Security Flaws Exposed Its System for Tracking Millions of Cars ∗∗∗ --------------------------------------------- Now-fixed web bugs allowed hackers to remotely unlock and start any of millions of Subarus. More disturbingly, they could also access at least a year of cars’ location histories—and Subaru employees still can. --------------------------------------------- https://www.wired.com/story/subaru-location-tracking-vulnerabilities/ ∗∗∗ Mehrere Staaten desinfizieren Botnetz, Deutschland nicht ∗∗∗ --------------------------------------------- Während Behörden in Frankreich und den USA die Schadsoftware Plug-X auf betroffenen Computern abschalten, wird in Deutschland über Infektionen nur informiert. --------------------------------------------- https://www.heise.de/news/Botnetz-Plug-X-Reinemachen-geht-nicht-10252309.ht… ∗∗∗ Jetzt patchen: Cross-Site-Scripting und Denial of Service in GitLab möglich ∗∗∗ --------------------------------------------- GitLab warnt vor drei Schwachstellen, von denen eine den Bedrohungsgrad "hoch" trägt. Patches stehen für die jüngeren Versionen bereit. --------------------------------------------- https://www.heise.de/news/Jetzt-patchen-Cross-Site-Scripting-und-Denial-of-… ∗∗∗ Malvertising: Mac-Homebrew-User im Visier ∗∗∗ --------------------------------------------- Kriminelle haben bösartige Werbeanzeigen auf Google geschaltet, die anstatt auf die Homebrew-Webseite auf eine echt wirkende Malware-Seite leitet. --------------------------------------------- https://www.heise.de/news/Malvertising-Mac-Homebrew-User-im-Visier-10255909… ∗∗∗ Cyber security guidance for small fleet operators ∗∗∗ --------------------------------------------- Introduction Cyber threats aren’t just a problem for large shipping organizations, small maritime fleet operators are also at risk. Anything from phishing emails to ransomware attacks, these threats can disrupt .. --------------------------------------------- https://www.pentestpartners.com/security-blog/cyber-security-guidance-for-s… ∗∗∗ Private Keys in the Fortigate Leak ∗∗∗ --------------------------------------------- A few days ago, a download link for a leak of configuration files for Fortigate/Fortinet devices was posted on an Internet forum. It appears that the data was collected in 2022 due to a security vulnerability known as CVE-2022-40684. According to a blog post by Fortinet in 2022, they were already aware of active exploitation of the issue back then. It was first .. --------------------------------------------- https://blog.hboeck.de:443/archives/908-Private-Keys-in-the-Fortigate-Leak.… ∗∗∗ Exchange Server 2016 / 2019 erreichen im Oktober 2025 ihr EOL ∗∗∗ --------------------------------------------- Kleiner Nachtrag von dieser Woche zu einem Thema, welches eigentlich alle Exchange-Administratoren auf dem Radar haben sollten und auch dürften. Im Oktober 2025 fallen sowohl Microsoft Exchange Server 2016 als auch Microsoft Exchange .. --------------------------------------------- https://www.borncity.com/blog/2025/01/24/exchange-server-2016-2019-erreiche… ∗∗∗ Seasoning email threats with hidden text salting ∗∗∗ --------------------------------------------- Hidden text salting is a simple yet effective technique for bypassing email parsers, confusing spam filters, and evading detection engines that rely on keywords. Cisco Talos has observed an increase in the number of email threats leveraging hidden text salting. --------------------------------------------- https://blog.talosintelligence.com/seasoning-email-threats-with-hidden-text… ∗∗∗ SUSCTL (CVE-2024-54507) A particularly sus sysctl in the XNU Kernel ∗∗∗ --------------------------------------------- Every time Apple releases a new version of XNU, I run a custom suite of tests under an address sanitizer to see if I can spot any regressions, or even possibly new bugs. When I was messing around with macOS 15.0, I was shocked to see a very simple command was causing the sanitizer to report an invalid load. --------------------------------------------- https://jprx.io/cve-2024-54507/ ∗∗∗ The J-Magic Show: Magic Packets and Where to find them ∗∗∗ --------------------------------------------- The Black Lotus Labs team at Lumen Technologies has been tracking the use of a backdoor attack tailored for use against enterprise-grade Juniper routers. This backdoor is opened by a passive agent that continuously monitors for a “magic packet,” sent by .. --------------------------------------------- https://blog.lumen.com/the-j-magic-show-magic-packets-and-where-to-find-the… ∗∗∗ cURL Project and Go Security Teams Reject CVSS as Broken ∗∗∗ --------------------------------------------- The CVSS (Common Vulnerability Scoring System) is facing significant pushback as both the cURL project and Go security teams are publicly distance themselves from the framework. While CVSS is designed to assign a severity score to vulnerabilities, its one-size-fits-all approach often produces misleading results, particularly for projects like cURL, which .. --------------------------------------------- https://socket.dev/blog/curl-project-and-go-security-teams-reject-cvss-as-b… ∗∗∗ FalconFeedsio X Account Hacked, Promoting Fraudulent Crypto Scams ∗∗∗ --------------------------------------------- FalconFeedsios official X (formerly Twitter) account has been compromised, leading to the promotion of fraudulent cryptocurrency posts and scams. This hacking of FalconFeed has shocked the cybersecurity community as the platform was renowned for dark web news alerts. With this hacking of FalconFeed x account, many users and cybersecurity experts are advising .. --------------------------------------------- https://thecyberexpress.com/hacking-of-falconfeed/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium and python-django), Fedora (git-lfs and pam-u2f), Mageia (golang), Red Hat (java-11-openjdk with Extended Lifecycle Support, java-17-openjdk, and java-21-openjdk), SUSE (cheat, dante, docker-stable, grafana, and kernel), and Ubuntu (cacti, cyrus-imapd, HTMLDOC, and PCL). --------------------------------------------- https://lwn.net/Articles/1006103/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.01.2025
by Daily end-of-shift report 23 Jan '25

23 Jan '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 22-01-2025 18:00 − Donnerstag 23-01-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Zendesk’s Subdomain Registration Abused in Phishing Scams ∗∗∗ --------------------------------------------- Leveraging Zendesk’s communication features, they can send phishing emails disguised as legitimate customer support messages. These emails often include malicious links or attachments to lure victims into clicking. --------------------------------------------- https://hackread.com/zendesk-subdomain-registration-abused-phishing-scams/ ∗∗∗ Heimserver-Betriebssystem: Updates beheben Sicherheitslücken in Unraid ∗∗∗ --------------------------------------------- Angreifer könnten die Lücken ausnutzen, um dem UnRAID-Admin eigenen Javascript-Code oder bösartige Plug-ins unterzuschieben. [..] Alle Sicherheitslücken sind in der Anfang Januar veröffentlichten neuesten Major-Version 7.0.0 und in einem Bugfix-Release für die Vorgängerversion behoben. --------------------------------------------- https://heise.de/-10253366 ∗∗∗ Researchers say new attack could take down the European power grid ∗∗∗ --------------------------------------------- Late last month, researchers revealed a finding that’s likely to shock some people and confirm the low expectations of others: Renewable energy facilities throughout Central Europe use unencrypted radio signals to receive commands to feed or ditch power into or from the grid that serves some 450 million people throughout the continent. --------------------------------------------- https://arstechnica.com/security/2025/01/could-hackers-use-new-attack-to-ta… ∗∗∗ Telegram captcha tricks you into running malicious PowerShell scripts ∗∗∗ --------------------------------------------- Threat actors on X are exploiting the news around Ross Ulbricht to direct unsuspecting users to a Telegram channel that tricks them into executing PowerShell code that infects them with malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/telegram-captcha-tricks-you-… ∗∗∗ Beware: Fake CAPTCHA Campaign Spreads Lumma Stealer in Multi-Industry Attacks ∗∗∗ --------------------------------------------- The attack chain begins when a victim visits a compromised website, which directs them to a bogus CAPTCHA page that specifically instructs the site visitor to copy and paste a command into the Run prompt in Windows that uses the native mshta.exe binary to download and execute an HTA file from a remote server. [..] The HTA file, in turn, executes a PowerShell command to launch a next-stage payload, a PowerShell script that unpacks a second PowerShell script responsible for decoding and loading the Lumma payload, but not before taking steps to bypass the Windows Antimalware Scan Interface (AMSI) in an effort to evade detection. --------------------------------------------- https://thehackernews.com/2025/01/beware-fake-captcha-campaign-spreads.html ∗∗∗ Palo Alto Firewalls Found Vulnerable to Secure Boot Bypass and Firmware Exploits ∗∗∗ --------------------------------------------- An exhaustive evaluation of three firewall models from Palo Alto Networks has uncovered a host of known security flaws impacting the devices firmware as well as misconfigured security features. --------------------------------------------- https://thehackernews.com/2025/01/palo-alto-firewalls-found-vulnerable-to.h… ∗∗∗ Supply chain attack hits Chrome extensions, could expose millions ∗∗∗ --------------------------------------------- Cybersecurity outfit Sekoia is warning Chrome users of a supply chain attack targeting browser extension developers that has potentially impacted hundreds of thousands of individuals already. [..] A number of the potentially affected extensions (according to Booz Allen Hamilton's report) appear to have been pulled from the Chrome Web Store at the time of writing. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/01/22/supply_chain… ∗∗∗ Threat Actors Chained Vulnerabilities in Ivanti Cloud Service Applications ∗∗∗ --------------------------------------------- The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) are releasing this joint Cybersecurity Advisory in response to exploitation in September 2024 of vulnerabilities in Ivanti Cloud Service Appliances (CSA): CVE-2024-8963, an administrative bypass vulnerability; CVE-2024-9379, a SQL injection vulnerability; and CVE-2024-8190 and CVE-2024-9380, remote code execution vulnerabilities. --------------------------------------------- https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-022a ∗∗∗ Denuvo Analysis ∗∗∗ --------------------------------------------- Denuvo is an anti-tamper and digital rights management system (DRM). It is primarily used to protect digital media such as video games from piracy and reverse engineering efforts. Unlike traditional DRM systems, Denuvo employs a wide range of unique techniques and checks to confirm the integrity of both the game’s code and licensed user. --------------------------------------------- https://connorjaydunn.github.io/blog/posts/denuvo-analysis/ ===================== = Vulnerabilities = ===================== ∗∗∗ Kritische Sicherheitslücke in SonicWall SMA1000 - aktiv ausgenutzt - Update verfügbar ∗∗∗ --------------------------------------------- In SonicWall SMA1000 Appliance Management Console (AMC) und Central Management Console (CMC) wurde eine kritische Sicherheitslücke entdeckt, die bereits aktiv von Angreifern ausgenutzt wird. Die Schwachstelle ermöglicht die Ausführung von beliebigem Code ohne vorherige Authentifizierung. CVE-Nummer(n): CVE-2025-23006 --------------------------------------------- https://www.cert.at/de/warnungen/2025/1/sonicwall-amc-cmc-rce ∗∗∗ Critical zero-days impact premium WordPress real estate plugins ∗∗∗ --------------------------------------------- The RealHome theme and the Easy Real Estate plugins for WordPress are vulnerable to two critical severity flaws that allow unauthenticated users to gain administrative privileges. [..] Also, Patchstack says the vendor released three versions since September, but no security fixes to address the critical issues were introduced. Hence, the issues remain unfixed and exploitable. --------------------------------------------- https://www.bleepingcomputer.com/news/security/critical-zero-days-impact-pr… ∗∗∗ Schwachstellen in Jenkins-Plug-ins gefährden Entwicklungsumgebungen ∗∗∗ --------------------------------------------- Unter bestimmten Bedingungen können Angreifer Softwareentwicklungsserver mit Jenkins-Plug-ins attackieren. Darunter fallen etwa die Plug-ins Azure Service Fabric und Zoom. --------------------------------------------- https://heise.de/-10254105 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (redis:6), Debian (frr and git-lfs), Fedora (SDL2_sound and webkit2gtk4.0), Gentoo (firefox, GPL Ghostscript, libgsf, libuv, PHP, Qt, QtWebEngine, and Yubico pam-u2f), Mageia (chromium-browser-stable), SUSE (helmfile, nvidia-modprobe, qt6-webengine, ruby3.4-rubygem-actioncable-8.0-8.0.1-1.1, ruby3.4-rubygem-actionpack-8.0-8.0.1-1.1, ruby3.4-rubygem-actiontext-8.0-8.0.1-1.1, ruby3.4-rubygem-actionview-8.0-8.0.1-1.1, ruby3.4-rubygem-activejob-8.0-8.0.1-1.1, ruby3.4-rubygem-activerecord-8.0-8.0.1-1.1, ruby3.4-rubygem-activestorage-8.0-8.0.1-1.1, ruby3.4-rubygem-rails-8.0-8.0.1-1.1, and ruby3.4-rubygem-railties-8.0-8.0.1-1.1), and Ubuntu (bluez, openjpeg2, and python-django). --------------------------------------------- https://lwn.net/Articles/1005946/ ∗∗∗ Drupal: Ignition Error Pages - Critical - Cross Site Scripting - SA-CONTRIB-2025-007 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2025-007 ∗∗∗ Drupal: Material Admin - Critical - Unsupported - SA-CONTRIB-2025-006 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2025-006 ∗∗∗ Drupal: Flattern – Multipurpose Bootstrap Business Profile - Critical - Unsupported - SA-CONTRIB-2025-005 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2025-005 ∗∗∗ Drupal: AI (Artificial Intelligence) - Moderately critical - Access bypass, Information Disclosure - SA-CONTRIB-2025-004 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2025-004 ∗∗∗ QNAP: Multiple Vulnerabilities in Rsync ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-25-02 ∗∗∗ Hitachi Energy RTU500 Series Product ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-023-02 ∗∗∗ mySCADA myPRO Manager ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-023-01 ∗∗∗ HMS Networks Ewon Flexy 202 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-023-06 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.01.2025
by Daily end-of-shift report 22 Jan '25

22 Jan '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 21-01-2025 18:00 − Mittwoch 22-01-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Großflächige Brute-Force-Angriffe auf M365 – vorsichtshalber Log-ins checken ∗∗∗ --------------------------------------------- In den vergangenen Wochen gab es großflächige Angriffe auf Zugangsdaten zur Microsoft-Cloud. IT-Admins sollten prüfen, ob diese eventuell erfolgreich waren. --------------------------------------------- https://heise.de/-10252167 ∗∗∗ Patch procrastination leaves 50,000 Fortinet firewalls vulnerable to zero-day ∗∗∗ --------------------------------------------- Data from the Shadowserver Foundation shows 48,457 Fortinet boxes are still publicly exposed and haven't had the patch for CVE-2024-55591 applied, despite stark warnings issued over the past seven days. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/01/21/fortinet_fir… ∗∗∗ Hackers Exploit Zero-Day in cnPilot Routers to Deploy AIRASHI DDoS Botnet ∗∗∗ --------------------------------------------- Threat actors are exploiting an unspecified zero-day vulnerability in Cambium Networks cnPilot routers to deploy a variant of the AISURU botnet called AIRASHI to carry out distributed denial-of-service (DDoS) attacks. According to QiAnXin XLab, the attacks have leveraged the security flaw since June 2024. --------------------------------------------- https://thehackernews.com/2025/01/hackers-exploit-zero-day-in-cnpilot.html ∗∗∗ Fake Homebrew Google ads target Mac users with malware ∗∗∗ --------------------------------------------- Hackers are once again abusing Google ads to spread malware, using a fake Homebrew website to infect Macs and Linux devices with an infostealer that steals credentials, browser data, and cryptocurrency wallets. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fake-homebrew-google-ads-tar… ∗∗∗ IPany VPN breached in supply-chain attack to push custom malware ∗∗∗ --------------------------------------------- South Korean VPN provider IPany was breached in a supply chain attack by the "PlushDaemon" China-aligned hacking group, who compromised the companys VPN installer to deploy the custom SlowStepper malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ipany-vpn-breached-in-supply… ∗∗∗ Unique 0-click deanonymization attack targeting Signal, Discord and hundreds of platforms ∗∗∗ --------------------------------------------- 3 months ago, I discovered a unique 0-click deanonymization attack that allows an attacker to grab the location of any target within a 250 mile radius. [..] A few months ago, I had a lightbulb moment: if Cloudflare stores cached data so close to users, could this be exploited for deanonymization attacks on sites we don't control? [..] Cloudflare's final statement about this says they do not consider the deanonymization attack to be a vulnerability in their own systems and it is up to their consumers to disable caching for resources they wish to protect. --------------------------------------------- https://gist.github.com/hackermondev/45a3cdfa52246f1d1201c1e8cdef6117 ∗∗∗ Turning Data into Decisions: How CVE Management Is Changing ∗∗∗ --------------------------------------------- Every day, hundreds of new Common Vulnerabilities and Exposures (CVEs) are published, many of which target critical systems that keep businesses and governments operational. For cybersecurity professionals, simply knowing that a vulnerability exists is not enough. What’s needed is context—a deeper understanding of the CVE data, its potential impact, and how to prioritize its remediation. Enter Vulnrichment, an initiative launched by the Cybersecurity and Infrastructure Security Agency (CISA) on May 10, 2024. --------------------------------------------- https://thecyberexpress.com/cve-data-vulnrichment-program/ ∗∗∗ Geolocation and Starlink, (Tue, Jan 21st) ∗∗∗ --------------------------------------------- The IP address of a satellite user identifies the ground station location, not the user's location. Starlink, on the other hand, uses satellites in low earth orbit. The network can forward traffic among satellites, but typically, the satellite will attempt to pass the traffic to the closest base station in view. Due to the low orbit, each satellite only "sees" a relatively small area, and the ground station is usually within a couple hundred miles of the user. --------------------------------------------- https://isc.sans.edu/diary/rss/31612 ∗∗∗ Mirai Botnet Launches Record 5.6 Tbps DDoS Attack with 13,000+ IoT Device ∗∗∗ --------------------------------------------- Web infrastructure and security company Cloudflare on Tuesday said it detected and blocked a 5.6 Terabit per second (Tbps) distributed denial-of-service (DDoS) attack, the largest ever attack to be reported to date. The UDP protocol-based attack took place on October 29, 2024, targeting one of its customers, an unnamed internet service provider (ISP) from Eastern Asia. --------------------------------------------- https://thehackernews.com/2025/01/mirai-botnet-launches-record-56-tbps.html ∗∗∗ Understanding Microsofts CVSS v3.1 Ratings and Severity Scores ∗∗∗ --------------------------------------------- Recently, I looked at Microsoft’s assigned CVSS v3.1 scores for Patch Tuesday vulnerabilities alongside the Microsoft assigned severity ratings. I wanted to revisit these numbers and see just how closely CVSS aligns with Microsoft’s opinion of severity. --------------------------------------------- https://www.tripwire.com/state-of-security/understanding-microsofts-cvss-v3… ∗∗∗ Vorsicht, wenn Online-Shops per WhatsApp zur Zahlung auffordern ∗∗∗ --------------------------------------------- Der Fake-Shop bikeunivers.de bietet Markenfahrräder zu günstigen Preisen an. Bezahlt werden kann nur per Banküberweisung. Wer nicht bezahlt, erhält eine Zahlungsaufforderung per E-Mail und WhatsApp. Ignorieren Sie diese, denn Sie erhalten trotz Zahlung keine Ware! --------------------------------------------- https://www.watchlist-internet.at/news/fake-shop-whatsapp/ ∗∗∗ Vorsicht vor gefälschten Telegram-SMS ∗∗∗ --------------------------------------------- Derzeit kursieren gefälschte SMS, angeblich von Telegram. Die Nachricht besagt, dass Ihr Konto eingeschränkt sei und Sie es freischalten müssen. Klicken Sie auf keinen Fall auf den Link! Kriminelle stehlen Ihre Daten und versuchen sich auf einem fremden Gerät mit Ihrer Telefonnummer einzuloggen! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-gefaelschten-telegram-s… ∗∗∗ Redline, Vidar and Raccoon Malware Stole 1 Billion Passwords in 2024 ∗∗∗ --------------------------------------------- Specops 2025 Breached Password Report reveals over 1 billion passwords stolen by malware in the past year, exposing weak practices, malware trends, and security gaps. --------------------------------------------- https://hackread.com/redline-vidar-raccoon-malware-stole-1-billion-password… ===================== = Vulnerabilities = ===================== ∗∗∗ Oracle Critical Patch Update Advisory - January 2025 ∗∗∗ --------------------------------------------- This Critical Patch Update contains 318 new security patches across the product families listed below. --------------------------------------------- https://www.oracle.com/security-alerts/cpujan2025.html ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (snapcast), Fedora (python-jinja2), Mageia (rsync), SUSE (cdi-apiserver-container, cdi-cloner-container, cdi- controller-container, cdi-importer-container, cdi-operator-container, cdi- uploadproxy-container, cdi-uploadserver-container, cont, gh, kernel, kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t, nvidia-open-driver-G06-signed, and pam_u2f), and Ubuntu (linux-oem-6.11 and vim). --------------------------------------------- https://lwn.net/Articles/1005798/ ∗∗∗ Technical Advisory: Cross-Site Scripting in Umbraco Rich Text Display ∗∗∗ --------------------------------------------- Due to a lack of input sanitization on the server side, Umbraco CMS 14.3.1 or below is vulnerable to stored cross-site scripting (XSS) attacks through the rendering logic for rich text contents. [..] Umbraco has accepted this behavior as the majority of its customer base is unaffected. [..] Identify a C/C++ HTML sanitization framework best suited for the organization if using RTE is mandatory. Seek alternative components in Umbraco for content rendering otherwise. --------------------------------------------- https://www.nccgroup.com/us/research-blog/technical-advisory-cross-site-scr… ∗∗∗ PHP: PMASA-2025-3 ∗∗∗ --------------------------------------------- https://www.phpmyadmin.net/security/PMASA-2025-3/ ∗∗∗ PHP: PMASA-2025-2 ∗∗∗ --------------------------------------------- https://www.phpmyadmin.net/security/PMASA-2025-2/ ∗∗∗ PHP: PMASA-2025-1 ∗∗∗ --------------------------------------------- https://www.phpmyadmin.net/security/PMASA-2025-1/ ∗∗∗ ABB: 2025-01-21: Cyber Security Advisory - Drive Composer Path Traversal Vulnerability ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=9AKK108470A5466&Lan… ∗∗∗ Cisco BroadWorks SIP Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Meeting Management REST API Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco ClamAV OLE2 File Format Decryption Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.01.2025
by Daily end-of-shift report 21 Jan '25

21 Jan '25

===================== = End-of-Day report = ===================== Timeframe: Montag 20-01-2025 18:00 − Dienstag 21-01-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Sophos MDR tracks two ransomware campaigns using “email bombing,” Microsoft Teams “vishing” ∗∗∗ --------------------------------------------- Sophos MDR identifies a new threat cluster riffing on the playbook of Storm-1811, and amped-up activity from the original connected to Black Basta ransomware. --------------------------------------------- https://news.sophos.com/en-us/2025/01/21/sophos-mdr-tracks-two-ransomware-c… ∗∗∗ 7-Zip: Lücke erlaubt Umgehung von Mark-of-the-Web ∗∗∗ --------------------------------------------- In 7-Zip ermöglicht eine Sicherheitslücke, den Mark-of-the-Web-Schutzmechanismus auszuhebeln und so Code auszuführen. [..] Die Sicherheitslücke schließt 7-Zip Version 24.09 oder neuer, die auf der Download-Seite von 7-Zip bereits seit Ende November vergangenen Jahres zum Herunterladen bereitsteht. [..] 7-Zip-Nutzer müssen selbst aktiv werden, um sich zu schützen und das verfügbare Update installieren. --------------------------------------------- https://heise.de/-10250351 ∗∗∗ 13,000 MikroTik Routers Hijacked by Botnet for Malspam and Cyberattacks ∗∗∗ --------------------------------------------- A global network of about 13,000 hijacked Mikrotik routers has been employed as a botnet to propagate malware via spam campaigns, the latest addition to a list of botnets powered by MikroTik devices. The activity "take[s] advantage of misconfigured DNS records to pass email protection techniques," Infoblox security researcher David Brunsdon said in a technical report published last week. --------------------------------------------- https://thehackernews.com/2025/01/13000-mikrotik-routers-hijacked-by.html ∗∗∗ Exchange 2016 und 2019 erreichen Support-Ende – in 9 Monaten ∗∗∗ --------------------------------------------- Microsoft erinnert an das dräuende Support-Ende der Exchange-Server 2016 und 2019. --------------------------------------------- https://www.heise.de/-10249853 ∗∗∗ Medusa Ransomware: What You Need To Know ∗∗∗ --------------------------------------------- What is the Medusa ransomware? Medusa is a ransomware-as-a-service (RaaS) platform that first came to prominence in 2023. The ransomware impacts organisations running Windows, predominantly exploiting vulnerable and unpatched systems and hijacking accounts through initial access brokers. --------------------------------------------- https://www.tripwire.com/state-of-security/medusa-ransomware-what-you-need-… ∗∗∗ How to secure body-worn cameras and protect footage from cyber threats ∗∗∗ --------------------------------------------- Body-worn cameras are used by police [..] Cameras are taken into the field but footage could be presented as evidence [..] Cryptographic approaches are needed to ensure the confidentiality and integrity of captured video and audio. --------------------------------------------- https://www.pentestpartners.com/security-blog/how-to-secure-body-worn-camer… ∗∗∗ Offene Rechnung für „Gelbe Seiten Online“-Eintrag nicht bezahlen ∗∗∗ --------------------------------------------- In den letzten Tagen haben zahlreiche Unternehmen eine E-Mail von gsol-dach.com erhalten. Darin werden sie aufgefordert, eine Rechnung für einen angeblichen Premium-Firmenbucheintrag zu bezahlen. Achtung: Diese Rechnungen sind Betrug! --------------------------------------------- https://www.watchlist-internet.at/news/rechnung-fuer-gelbe-seiten-online-ei… ∗∗∗ Hackers impersonate Ukraine’s CERT to trick people into allowing computer access ∗∗∗ --------------------------------------------- CERT-UA is warning Ukrainians not to accept requests for help via AnyDesk software unless they are sure the source is legitimate. --------------------------------------------- https://therecord.media/fake-ukraine-cert-anydesk-requests-hackers ∗∗∗ Reverse Engineering Bambu Connect ∗∗∗ --------------------------------------------- The purpose of this guide is to demonstrate the trivial process of extracting the "private keys" used for communicating with Bambu devices to examine, and challenge, the technical basis for Bambu Lab's security justification of Bambu Connect. --------------------------------------------- https://wiki.rossmanngroup.com/wiki/Reverse_Engineering_Bambu_Connect ∗∗∗ Vulnerability Archeology: Stealing Passwords with IBM i Access Client Solutions ∗∗∗ --------------------------------------------- Two weeks ago IBM published a support article about a compatibility issue affecting IBM i Access Client Solutions (ACS) when running on Windows 11 24H2. [..] Debugging the entry point in cwbnetnt.dll also confirms that password information is no longer passed to the Network Provider!. This change was documented by Microsoft here in March 2024, we believe IBM should’ve referenced this document in their memo. This is an important change from Microsoft - let’s hope not many applications rely on this backdoor and their insecure artifacts get cleaned up properly! --------------------------------------------- https://blog.silentsignal.eu/2025/01/21/ibm-acs-password-dump/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (grafana), Debian (libebml, poco, redis, sympa, tiff, and ucf), Fedora (rsync), Mageia (dcmtk, git, proftpd, and raptor2), Red Hat (grafana, iperf3, kernel, microcode_ctl, and redis), SUSE (chromium, dhcp, git, libqt5-qtwebkit, and pam_u2f), and Ubuntu (python3.10, python3.8 and python3.12). --------------------------------------------- https://lwn.net/Articles/1005708/ ∗∗∗ Webbrowser: Lücke in Brave ermöglicht gefälschte Anzeige der Download-Quelle ∗∗∗ --------------------------------------------- Im Webbrowser Brave können Angreifer eine Sicherheitslücke missbrauchen, die zur falschen Anzeige einer Download-Quelle führt. [..] Die Sicherheitslücke schließt Brave mit der Version 1.74.48, die in der Mitte vergangener Woche veröffentlicht wurde. --------------------------------------------- https://heise.de/-10250205 ∗∗∗ Traffic Alert and Collision Avoidance System (TCAS) II ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-021-01 ∗∗∗ ZF Roll Stability Support Plus (RSSPlus) ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-021-03 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.01.2025
by Daily end-of-shift report 20 Jan '25

20 Jan '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 17-01-2025 18:00 − Montag 20-01-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Malicious PyPi package steals Discord auth tokens from devs ∗∗∗ --------------------------------------------- A malicious package named pycord-self on the Python package index (PyPI) targets Discord developers to steal authentication tokens and plant a backdoor for remote control over the system. [..] The package mimics the highly popular 'discord.py-self,' which has nearly 28 million downloads, and even offers the functionality of the legitimate project. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malicious-pypi-package-steal… ∗∗∗ Forscher deckt auf: ChatGPT lässt sich für DDoS-Angriffe missbrauchen ∗∗∗ --------------------------------------------- Eine ChatGPT-API scheint bereitwillig eine lange Liste von Links zur gleichen Webseite anzunehmen - und diese anschließend ungebremst abzufragen. [..] Ausführen lässt sich der DDoS-Angriff laut Flesch durch eine HTTP-Anfrage an eine ChatGPT-API, konkret durch einen POST-Request an die URL "https://chatgpt.com/backend-api/attributions". Die API erwarte eine Liste von Hyperlinks, schreibt der Forscher. Jedoch werde nicht geprüft, ob ein Hyperlink zur gleichen Ressource mehrfach genannt wird. --------------------------------------------- https://www.golem.de/news/forscher-deckt-auf-chatgpt-laesst-sich-fuer-ddos-… ∗∗∗ Partial ZIP File Downloads, (Mon, Jan 20th) ∗∗∗ --------------------------------------------- Say you want a file that is inside a huge online ZIP file (several gigabytes large). Downloading the complete ZIP file would take too long. --------------------------------------------- https://isc.sans.edu/diary/rss/31608 ∗∗∗ Private Keys in the Fortigate Leak ∗∗∗ --------------------------------------------- A few days ago, a download link for a leak of configuration files for Fortigate/Fortinet devices was posted on an Internet forum. [..] It was first reported by heise, a post by Kevin Beaumont contains further info. What has not been widely recognized is that this leak also contains TLS and SSH private keys. --------------------------------------------- https://blog.hboeck.de:443/archives/908-Private-Keys-in-the-Fortigate-Leak.… ∗∗∗ Looking at the Attack Surfaces of the Pioneer DMH-WT7600NEX IVI ∗∗∗ --------------------------------------------- For the upcoming Pwn2Own Automotive contest, a total of four in-vehicle infotainment (IVI) head units have been selected as targets. [..] This blog post aims to detail some of the attack surfaces of the DMH-WT7600NEX unit as well as provide information on how to extract the software running on this unit for further vulnerability research. --------------------------------------------- https://www.thezdi.com/blog/2025/1/16/looking-at-the-attack-surfaces-of-the… ∗∗∗ Die meisten Cyberkriminellen hacken nicht, sondern loggen sich ein ∗∗∗ --------------------------------------------- Bei 57 Prozent der erfolgreichen Cyberangriffe ist kein großer Hack über Sicherheitslücken erforderlich. Die Cyberkriminellen nutzten einfach ein kompromittiertes Nutzerkonto, um Zugang auf die Systeme zu erhalten, so die Analyse von Varonis zu solchen Vorfällen --------------------------------------------- https://www.borncity.com/blog/2025/01/19/die-meisten-cyberkriminellen-hacke… ∗∗∗ Hackers Claim Breach of Hewlett Packard Enterprise, Lists Data for Sale ∗∗∗ --------------------------------------------- Hacker IntelBroker claims to have breached Hewlett Packard Enterprise (HPE), exposing sensitive data like source code, certificates, and PII, now available for sale online. --------------------------------------------- https://hackread.com/hackers-claim-hewlett-packard-data-breach-sale/ ∗∗∗ Secure Coding: Apache Maven gegen Cache-Poisoning-Attacken rüsten ∗∗∗ --------------------------------------------- Dependency-Management-Systeme wie Maven sind immer wieder Ziel von Cache-Poisoning-Angriffen, gegen die nur konsequent umgesetzte Sicherheitspraktiken helfen. --------------------------------------------- https://heise.de/-10244779 ∗∗∗ Hilton, Hyatt, Marriott: 437.000 Datensätze aus Verwaltungsplattform bei HIBP ∗∗∗ --------------------------------------------- Kriminelle haben Daten bei der Verwaltungsplattform Otelier geklaut. Rund 437.000 Datensätze etwa von Hilton, Hyatt oder Marriott sind nun bei HIBP. --------------------------------------------- https://heise.de/-10248339 ∗∗∗ Investigating an "evil" RJ45 dongle ∗∗∗ --------------------------------------------- Earlier this week, a young entrepreneur caused stir on social media by suggesting that an Ethernet-to-USB they purchased from China was preloaded with malware that “evaded virtual machines”, “captured keystrokes”, and “used Russian-language elements”. [..] To get to that point, we didn’t need a hardware lab; a bit of patience and Google-fu was enough. --------------------------------------------- https://lcamtuf.substack.com/p/investigating-an-evil-rj45-dongle ===================== = Vulnerabilities = ===================== ∗∗∗ VU#199397: Insecure Implementation of Tunneling Protocols (GRE/IPIP/4in6/6in4) ∗∗∗ --------------------------------------------- Researchers at the DistriNet-KU Leuven research group have discovered millions of vulnerable Internet systems that accept unauthenticated IPIP, GRE, 4in6, or 6in4 traffic. This can be considered a generalization of the vulnerability in VU#636397 : IP-in-IP protocol routes arbitrary traffic by default (CVE-2020-10136). The exposed systems can be abused as one-way proxies, enable an adversary to spoof the source address of packets (CWE-290 Authentication Bypass by Spoofing), or permit access to an organization's private network. --------------------------------------------- https://kb.cert.org/vuls/id/199397 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (.NET 8.0, .NET 9.0, ipa, and NetworkManager), Debian (389-ds-base, busybox, libreoffice, rsync, ruby2.7, tomcat10, and tryton-server), Fedora (chromium and stb), Mageia (openafs and vim), Oracle (.NET 8.0 and .NET 9.0), SUSE (amazon-ssm-agent, chromedriver, git, golang-github-prometheus-prometheus, govulncheck-vulndb, grafana, hplip, pam_u2f, perl-Compress-Raw-Zlib, perl-IO-Compress, redis, redis7, rsync, and velociraptor), and Ubuntu (libpodofo and linux-xilinx-zynqmp). --------------------------------------------- https://lwn.net/Articles/1005638/ ∗∗∗ Nvidia: Datenabfluss durch Sicherheitsleck in Grafiktreiber möglich ∗∗∗ --------------------------------------------- Nvidia hat Sicherheitslücken in seinen Grafikkartentreibern entdeckt. Angreifer können dadurch Informationen abgreifen. Updates stehen bereit. --------------------------------------------- https://heise.de/-10248258 ∗∗∗ Sicherheitspatch: Unbefugte Zugriffe auf bestimmte Switches von Moxa möglich ∗∗∗ --------------------------------------------- Angreifer können bei Moxa-Switches der EDS-508A-Serie die Authentifizierung umgehen. Die Sicherheitslücke gilt als kritisch. Um Angriffe vorzubeugen, sollten Netzwerkadmins die Firmware ihrer Ethernet-Switches der Serie EDS-508A von Moxa auf den aktuellen Stand bringen. --------------------------------------------- https://heise.de/-10249285 ∗∗∗ Yubico Warns of 2FA Security Flaw in pam-u2f for Linux and macOS Users ∗∗∗ --------------------------------------------- https://thecyberexpress.com/yubico-2fa-bypass-vulnerability-advisory/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.01.2025
by Daily end-of-shift report 17 Jan '25

17 Jan '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 16-01-2025 18:00 − Freitag 17-01-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ D-Trust: Cyberangriff trifft Trustcenter der Bundesdruckerei ∗∗∗ --------------------------------------------- Aus einem Antragsportal der D-Trust GmbH sind potenziell personenbezogene Daten abgeflossen. Wer hinter dem Angriff steckt, ist noch unklar. --------------------------------------------- https://www.golem.de/news/d-trust-cyberangriff-trifft-trustcenter-der-bunde… ∗∗∗ Mercedes-Benz Head Unit security research report ∗∗∗ --------------------------------------------- Kaspersky experts analyzed the Mercedes-Benz head unit, its IPC protocols and firmware, and found new vulnerabilities via physical access. --------------------------------------------- https://securelist.com/mercedes-benz-head-unit-security-research/115218/ ∗∗∗ New Star Blizzard spear-phishing campaign targets WhatsApp accounts ∗∗∗ --------------------------------------------- In mid-November 2024, Microsoft Threat Intelligence observed the Russian threat actor we track as Star Blizzard sending their typical targets spear-phishing messages, this time offering the supposed opportunity to join a WhatsApp group. This is the first time we have identified a shift in Star Blizzard’s longstanding tactics, techniques, .. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2025/01/16/new-star-blizzard-… ∗∗∗ Gootloader inside out ∗∗∗ --------------------------------------------- Open-source intelligence reveals the server-side code of this pernicious SEO-driven malware - without needing a lawyer afterward --------------------------------------------- https://news.sophos.com/en-us/2025/01/16/gootloader-inside-out/ ∗∗∗ U.S. Sanctions North Korean IT Worker Network Supporting WMD Programs ∗∗∗ --------------------------------------------- The U.S. Treasury Departments Office of Foreign Assets Control (OFAC) sanctioned two individuals and four entities for their alleged involvement in illicit revenue generation schemes for the Democratic Peoples Republic of Korea (DPRK) by dispatching .. --------------------------------------------- https://thehackernews.com/2025/01/us-sanctions-north-korean-it-worker.html ∗∗∗ Hackers Likely Stole FBI Call Logs From AT&T That Could Compromise Informants ∗∗∗ --------------------------------------------- A breach of AT&T that exposed “nearly all” of the company’s customers may have included records related to confidential FBI sources, potentially explaining the bureau’s new embrace of end-to-end encryption. --------------------------------------------- https://www.wired.com/story/hackers-likely-stole-fbi-call-logs-from-att-tha… ∗∗∗ Biden ordnet für US-Behörden Verschlüsselung von E-Mail, DNS und BGP an ∗∗∗ --------------------------------------------- Ende-zu-Ende-Verschlüsselung, bessere Software und Abwehr, Post-Quanten, Aufsicht über Lieferanten, Passkeys, Erforschung von KI – Biden verordnet gute Medizin. --------------------------------------------- https://www.heise.de/news/Biden-ordnet-Verschluesselung-von-E-Mail-DNS-und-… ∗∗∗ Daten von rund 250.000 MSI-Kunden bei Have I Been Pwned ∗∗∗ --------------------------------------------- Bei einem Cybervorfall bei MSI sind 2024 offenbar zahlreiche Kundendatensätze kopiert worden. Rund 250.000 Stück hat HIBP nun aufgenommen. --------------------------------------------- https://www.heise.de/news/Daten-von-rund-250-000-MSI-Kunden-bei-Have-I-Been… ∗∗∗ Vertrauensdiensteanbieter D-Trust informiert über Datenschutzvorfall ∗∗∗ --------------------------------------------- Bei D-Trust kam es zu einem Datenschutzvorfall. Betroffen ist das Antragsportal für Signatur- und Siegelkarten. Die Ermittlungen laufen. --------------------------------------------- https://www.heise.de/news/Vertrauensdiensteanbieter-D-Trust-informiert-uebe… ∗∗∗ Chinese Innovations Spawn Wave of Toll Phishing Via SMS ∗∗∗ --------------------------------------------- Residents across the United States are being inundated with text messages purporting to come from toll road operators like E-ZPass, warning that recipients face fines if a delinquent toll fee remains unpaid. Researchers say the surge in SMS spam coincides with new features added to a popular commercial phishing kit sold in China that makes it simple to .. --------------------------------------------- https://krebsonsecurity.com/2025/01/chinese-innovations-spawn-wave-of-toll-… ∗∗∗ OSV-SCALIBR: A library for Software Composition Analysis ∗∗∗ --------------------------------------------- In December 2022, we announced OSV-Scanner, a tool to enable developers to easily scan for vulnerabilities in their open source dependencies. Together with the open source community, we’ve continued to build this tool, adding remediation features, as well .. --------------------------------------------- http://security.googleblog.com/2025/01/osv-scalibr-library-for-software.html ∗∗∗ PayPal ruft an? Vorsicht Betrug! ∗∗∗ --------------------------------------------- Aktuell erhält die Watchlist Internet zahlreiche Meldungen zu Anrufen durch angebliche PayPal-Mitarbeiter:innen. Heben Sie ab, berichtet man Ihnen von angeblichen Abbuchungen von Ihrem PayPal-Konto und fordert Ihre Mithilfe zum Blockieren der Abbuchungen. Tatsächlich greift man dabei aber auf Ihre Systeme zu und stiehlt Ihnen Ihr Geld. Ein Schaden entsteht erst durch das Telefonat! --------------------------------------------- https://www.watchlist-internet.at/news/paypal-ruft-an/ ∗∗∗ Let’s talk about AI and end-to-end encryption ∗∗∗ --------------------------------------------- Recently, I came across a fantastic new paper by a group of NYU and Cornell researchers entitled “How to think about end-to-end encryption and AI.” I’m extremely grateful to see this paper, because while I don’t agree with every one of it’s .. --------------------------------------------- https://blog.cryptographyengineering.com/2025/01/17/lets-talk-about-ai-and-… ∗∗∗ Threat Brief: CVE-2025-0282 and CVE-2025-0283 ∗∗∗ --------------------------------------------- CVE-2025-0282 and CVE-2025-0283 affect multiple Ivanti products. This threat brief covers attack scope, including details from an incident response case. --------------------------------------------- https://unit42.paloaltonetworks.com/threat-brief-ivanti-cve-2025-0282-cve-2… ∗∗∗ New WDAC Exploit Technique: Leveraging Policies to Disable EDRs and Evade Detection ∗∗∗ --------------------------------------------- The file “SiPolicy.p7b” contains policies that Windows OS and Windows Defender (AV) will listen to and your antivirus will apply the policies that this .. --------------------------------------------- https://www.truesec.com/hub/blog/new-wdac-exploit-technique-leveraging-poli… ∗∗∗ IoT Botnet Linked to Large-scale DDoS Attacks Since the End of 2024 ∗∗∗ --------------------------------------------- Since the end of 2024, we have been continuously monitoring large-scale DDoS attacks orchestrated by an IoT botnet exploiting vulnerable IoT devices such as wireless routers and IP cameras. --------------------------------------------- https://www.trendmicro.com/en_us/research/25/a/iot-botnet-linked-to-ddos-at… ∗∗∗ Announcing Six Day and IP Address Certificate Options in 2025 ∗∗∗ --------------------------------------------- This year we will continue to pursue our commitment to improving the security of the Web PKI by introducing the option to get certificates with six-day lifetimes (“short-lived certificates”). We will also add support for IP addresses in addition to domain names .. --------------------------------------------- https://letsencrypt.org/2025/01/16/6-day-and-ip-certs/ ∗∗∗ A Response to Recent Claims About Sessions Security Architecture ∗∗∗ --------------------------------------------- We were recently made aware of a blog published by a security researcher which makes a number of claims about Session and supposed flaws in Session’s design and implementation. We, as well as other Session contributors, have now had time to read through the blog and investigate the claims and wanted to give a detailed response on each point raised by the author. --------------------------------------------- https://getsession.org/blog/a-response-to-recent-claims-about-sessions-secu… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (rsync and tomcat9), Fedora (chromium, mingw-python-jinja2, redict, and valkey), Gentoo (GIMP and pip), Oracle (.NET, fence-agents, ipa, kernel, python-virtualenv, raptor2, and rsync), Red Hat (.NET 8.0 and .NET 9.0), SUSE (apache2-mod_jk, git, git-lfs, kernel, python-Django, thunderbird, and xen), and Ubuntu (audacity, bcel, dotnet8, dotnet9, gimp-dds, harfbuzz, libxml2, poppler, rsync, and tqdm). --------------------------------------------- https://lwn.net/Articles/1005433/ ∗∗∗ Aviatrix Controllers OS Command Injection Vulnerability ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/threat-signal-report/5982 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.01.2025
by Daily end-of-shift report 16 Jan '25

16 Jan '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 15-01-2025 18:00 − Donnerstag 16-01-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ MFA Failures - The Worst is Yet to Come ∗∗∗ --------------------------------------------- This article delves into the rising tide of MFA failures, the alarming role of generative AI in amplifying these attacks, the growing user discontent weakening our defenses, and the glaring vulnerabilities being frequently exploited. The storm is building, and the worst is yet to come. --------------------------------------------- https://www.bleepingcomputer.com/news/security/mfa-failures-the-worst-is-ye… ∗∗∗ An honest mistake - and a cautionary tale ∗∗∗ --------------------------------------------- We all make mistakes. That is only natural. However, there are cases in which these mistakes can have unexpected consequences. A Twitter user recently found this out the hard way. The ingredients: a cheap USB-C adapter with a network connection, an internet connection and a sandbox. --------------------------------------------- https://www.gdatasoftware.com/blog/2025/01/38129-usb-network-adapter-malware ∗∗∗ Windows 10 und 11: Microsoft verwirrt Nutzer mit Bitlocker-Bug ∗∗∗ --------------------------------------------- Auf einigen Windows-Geräten mit aktivierter Bitlocker-Verschlüsselung erscheint eine unerwartete Meldung. Microsoft untersucht das Problem. --------------------------------------------- https://www.golem.de/news/windows-10-und-11-microsoft-verwirrt-nutzer-mit-b… ∗∗∗ Tiktok, Xiaomi, Aliexpress: Beschwerden wegen Datentransfers nach China eingereicht ∗∗∗ --------------------------------------------- China ist als autoritärer Überwachungsstaat nach Einschätzung von Datenschützern kein zulässiger Standort für europäische Nutzerdaten. --------------------------------------------- https://www.golem.de/news/tiktok-xiaomi-aliexpress-beschwerden-wegen-datent… ∗∗∗ Bidens Cyber Ambassador Urges Trump Not to Cede Ground to Russia and China in Global Tech Fight ∗∗∗ --------------------------------------------- Nathaniel Fick, the ambassador for cyberspace and digital policy, has led US tech diplomacy amid a rising tide of pressure from authoritarian regimes. Will the Trump administration undo that work? --------------------------------------------- https://www.wired.com/story/nathaniel-fick-us-cyber-ambassador-exit-intervi… ∗∗∗ IT-Sicherheit: EU-Kommission will Gesundheitsbranche unterstützen ∗∗∗ --------------------------------------------- Verstärkte Prävention und rasche Reaktion auf Attacken stehen im Zentrum eines EU-Plans für IT-Sicherheit von Krankenhäusern und Gesundheitsdienstleistern. --------------------------------------------- https://www.heise.de/news/IT-Attacken-So-will-die-EU-Kommission-den-Gesundh… ∗∗∗ Es kann Schadcode auf HPE Aruba Networking AOS Controllers und Gateways gelangen ∗∗∗ --------------------------------------------- Netzwerktechnik von HPE Aruba ist verwundbar. Aktuelle Updates schließen insgesamt zwei Sicherheitslücken. --------------------------------------------- https://www.heise.de/news/Es-kann-Schadcode-auf-HPE-Aruba-Networking-AOS-Co… ∗∗∗ Achtung vor go.hopeforlifefund.com: Spendenaufruf für Nikolas ist Fake! ∗∗∗ --------------------------------------------- Kinder, die an Krebs erkranken, stehen vor großen Herausforderungen und ihre Familien sind oft mit enormen finanziellen Belastungen konfrontiert. Spendenaktionen können hier ein Lichtblick sein. Doch leider gibt es auch Kriminelle, die das Mitgefühl der Menschen schamlos ausnutzen – wie im Fall der betrügerischen Spendenplattform go.hopeforlifefund.com, die angeblich für den krebskranken Jungen Nikolas Spenden sammelt. --------------------------------------------- https://www.watchlist-internet.at/news/spendenaufruf-fuer-krebskranken-niko… ∗∗∗ FTC cracks down on GoDaddy for cybersecurity failings ∗∗∗ --------------------------------------------- GoDaddy’s failure to use industry standard measures led to what the Federal Trade Commission called “several major security breaches” between 2019 and 2022. --------------------------------------------- https://therecord.media/ftc-godaddy-cyber-failings-fine ∗∗∗ Detecting Teams Chat Phishing Attacks (Black Basta) ∗∗∗ --------------------------------------------- For quite a while now, there has been a new ongoing threat campaign where the adversaries first bomb a user’s mailbox with spam emails and then pose as Help Desk or IT Support on Microsoft Teams to trick their potential victims into providing .. --------------------------------------------- https://blog.nviso.eu/2025/01/16/detecting-teams-chat-phishing-attacks-blac… ∗∗∗ 2022 zero day was used to raid Fortigate firewall configs. Somebody just released them. ∗∗∗ --------------------------------------------- Back in 2022, Fortinet warned that somebody had a zero day vulnerability and was using it to exploit Fortigate firewalls https://www.fortinet.com/blog/psirt-blogs/update-regarding-cve-2022-40684 .. --------------------------------------------- https://doublepulsar.com/2022-zero-day-was-used-to-raid-fortigate-firewall-… ∗∗∗ Black Basta-Style Cyberattack Hits Inboxes with 1,165 Emails in 90 Minutes ∗∗∗ --------------------------------------------- A recent cyberattack, mimicking the tactics of the notorious Black Basta ransomware group, targeted one of SlashNext’s clients.… --------------------------------------------- https://hackread.com/black-basta-cyberattack-hits-inboxes-with-1165-emails/ ∗∗∗ Proxying PyRIT for fun and profit ∗∗∗ --------------------------------------------- If you are in the AI security field, you are probably facing the problem of testing Large Language Models (LLMs) at scale and questioning the optimal balance between automatic testing and manual testing .. --------------------------------------------- https://www.nccgroup.com/us/research-blog/proxying-pyrit-for-fun-and-profit/ ∗∗∗ Dont Use Session (Signal Fork) ∗∗∗ --------------------------------------------- The main reason I said to avoid Session, all those months ago, was simply due to their decision to remove forward secrecy (which is an important security property of cryptographic protocols they inherited for free when they forked libsignal). --------------------------------------------- https://soatok.blog/2025/01/14/dont-use-session-signal-fork/ ∗∗∗ UK Officials Consider Banning Ransomware Payments from Public Entities ∗∗∗ --------------------------------------------- The UK government is poised to take a decisive step in the fight against ransomware by banning public sector entities from paying ransoms. This collection of proposals, part of a broader effort to protect critical national infrastructure, aims to disrupt the business model of cybercriminals and shield essential services like the NHS, schools, and local .. --------------------------------------------- https://socket.dev/blog/uk-officials-consider-banning-ransomware-payments-f… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (fence-agents, raptor2, and rsync), Debian (chromium), Fedora (rsync and seamonkey), Mageia (openjpeg2), Red Hat (tuned), Slackware (git), SUSE (dcmtk, dnsmasq, govulncheck-vulndb, libQtWebKit4, libraptor-devel, opera, python311-Pillow, python311-translate-toolkit, rsync, and SDL2_sound-devel), and Ubuntu (linux-raspi-5.4, neomutt, and python2.7). --------------------------------------------- https://lwn.net/Articles/1005292/ ∗∗∗ CVE-2024-9042 ∗∗∗ --------------------------------------------- Command Injection affecting Windows nodes via nodes/*/logs/query API --------------------------------------------- https://github.com/kubernetes/kubernetes/issues/129654 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.01.2025
by Daily end-of-shift report 15 Jan '25

15 Jan '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 14-01-2025 18:00 − Mittwoch 15-01-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ WP3.XYZ malware attacks add rogue admins to 5,000+ WordPress sites ∗∗∗ --------------------------------------------- A new malware campaign has compromised more than 5,000 WordPress sites to create admin accounts, install a malicious plugin, and steal data. --------------------------------------------- https://www.bleepingcomputer.com/news/security/wp3xyz-malware-attacks-add-r… ∗∗∗ Undercover Operations: Scraping the Cybercrime Underground ∗∗∗ --------------------------------------------- A blog about web scraping methods, use cases, challenges, and how to overcome them. --------------------------------------------- https://www.sans.org/blog/undercover-operations-scraping-the-cybercrime-und… ∗∗∗ Cyber-Bedrohungen für die öffentliche Ladeinfrastruktur: Risiken und Schutzmaßnahmen durch Penetrationstests ∗∗∗ --------------------------------------------- Angriffe auf die öffentliche Ladeinfrastruktur für Elektrofahrzeuge nehmen zu und gefährden den Ruf und die Sicherheit der .. --------------------------------------------- https://sec-consult.com/de/blog/detail/cyber-bedrohungen-fuer-die-oeffentli… ∗∗∗ Phishing False Alarm ∗∗∗ --------------------------------------------- A very security-conscious company was hit with a (presumed) massive state-actor phishing attack with gift cards, and everyone rallied to combat it—until it turned out it was company management sending the gift cards. --------------------------------------------- https://www.schneier.com/blog/archives/2025/01/phishing-false-alarm.html ∗∗∗ Miscreants mass exploited Fortinet firewalls, highly probable zero-day used ∗∗∗ --------------------------------------------- Ransomware not off the table, Arctic Wolf threat hunter tells El Reg Updated Miscreants running a "mass exploitation campaign" against Fortinet firewalls, which peaked in December, may be using an unpatched zero-day vulnerability to compromise the equipment, according to security researchers who say theyve observed the .. --------------------------------------------- https://www.theregister.com/2025/01/14/miscreants_mass_exploited_fortinet_f… ∗∗∗ Patchday Fortinet: Hintertür ermöglicht unbefugte Zugriffe auf FortiSwitch ∗∗∗ --------------------------------------------- Der Anbieter von IT-Securitylösungen Fortinet hat zahlreiche Sicherheitsupdates für seine Produkte veröffentlicht. Das sollten Netzwerkadmins im Blick haben. --------------------------------------------- https://www.heise.de/news/Patchday-Fortinet-Hintertuer-ermoeglicht-unbefugt… ∗∗∗ Cybergang Cl0p: Angeblich Daten durch Cleo-Sicherheitslücke abgezogen ∗∗∗ --------------------------------------------- Die kriminelle Bande Cl0p hat angeblich bei vielen Unternehmen Daten durch eine Sicherheitslücke in der Transfersoftware Cleo gestohlen. --------------------------------------------- https://www.heise.de/news/Cybergang-Cl0p-Angeblich-Daten-durch-Cleo-Sicherh… ∗∗∗ Security flaws found in tiny phones promoted to children ∗∗∗ --------------------------------------------- TL;DR Three mini smartphones promoted to children were analysed These types of phones are heavily promoted on TikTok All had outdated operating systems All could be rooted without wiping the .. --------------------------------------------- https://www.pentestpartners.com/security-blog/security-flaws-found-in-tiny-… ∗∗∗ Security flaws found in tiny phones promoted to children ∗∗∗ --------------------------------------------- TL;DR Three mini smartphones promoted to children were analysed Those devices are heavily promoted on TikTok All had outdated operating systems All could be rooted without wiping the phone, allowing .. --------------------------------------------- https://www.pentestpartners.com/security-blog/security-flaws-found-in-tiny-… ∗∗∗ Adobe Releases Security Updates for Multiple Products ∗∗∗ --------------------------------------------- Adobe released security updates to address vulnerabilities in multiple Adobe software products including Adobe Photoshop, Animate, and Illustrator for iPad. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the following .. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/01/14/adobe-releases-security-… ∗∗∗ TAG Bulletin: Q3 2024 ∗∗∗ --------------------------------------------- This bulletin includes coordinated influence operation campaigns terminated on our platforms in Q3 2024. --------------------------------------------- https://blog.google/threat-analysis-group/tag-bulletin-q3-2024/ ∗∗∗ Patchday: Windows 10/11 Updates (14. Januar 2025) ∗∗∗ --------------------------------------------- Am 14. Januar 2024 (zweiter Dienstag im Monat, Patchday bei Microsoft) hat Microsoft auch kumulative Updates für die noch unterstützten Versionen der Client-Betriebssysteme Windows 10 und Windows 11 veröffentlicht. Hier einige .. --------------------------------------------- https://www.borncity.com/blog/2025/01/15/patchday-windows-10-11-updates-14-… ∗∗∗ Passkeys: the promise of a simpler and safer alternative to passwords ∗∗∗ --------------------------------------------- The merits of choosing passkeys over passwords to help keep your online accounts more secure, and explaining how the technology promises to do this --------------------------------------------- https://www.ncsc.gov.uk/blog-post/passkeys-promise-simpler-alternative-pass… ∗∗∗ Your Single-Page Applications Are Vulnerable: Heres How to Fix Them ∗∗∗ --------------------------------------------- Due to their client-side nature, single-page applications (SPAs) will typically have multiple access control vulnerabilitiesBy implementing a robust access control policy on supporting APIs, the risks associated with client-side rendering can be largely mitigatedUsing server-side .. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/single-page-applic… ∗∗∗ Tracking cloud-fluent threat actors - Part two: Behavioral cloud IOCs ∗∗∗ --------------------------------------------- Discover how behavioral cloud IOCs can expose malicious activity as we break down real-world examples to reveal actionable detection techniques. --------------------------------------------- https://www.wiz.io/blog/detecting-behavioral-cloud-indicators-of-compromise… ∗∗∗ The Risks of Misguided Research in Supply Chain Security ∗∗∗ --------------------------------------------- On January 8, 2025, it came to light that Snyk, a well-known security tool—frequently used to protect against supply chain attacks—was implicated in a troubling event. Several malicious packages targeting the popular AI coding platform Cursor were deployed to the public npm registry. These packages, named “cursor-retrieval,” “cursor-always-local,” .. --------------------------------------------- https://socket.dev/blog/the-risks-of-misguided-research-in-supply-chain-sec… ∗∗∗ Penetration Testing for ISO/IEC 27001: A Detailed Guide to Compliance ∗∗∗ --------------------------------------------- In an era where data breaches and cyber threats dominate headlines, safeguarding sensitive information has become a critical priority for organizations worldwide. ISO/IEC 27001, the internationally recognized standard for Information Security Management Systems (ISMS), offers a robust framework to protect valuable information assets. By .. --------------------------------------------- https://fortbridge.co.uk/regulations/penetration-testing-for-iso-iec-27001-… ===================== = Vulnerabilities = ===================== ∗∗∗ Six vulnerabilities discovered in rsync ∗∗∗ --------------------------------------------- Nick Tait announced on the oss-security mailing list that rsync, the widely used file transfer program, had a number of serious vulnerabilities.Users can mitigate all six vulnerabilities by upgrading to version 3.4.0, which was released on January 14. While all users should upgrade, servers that use rsyncd are especially impacted:In the most severe CVE, an attacker .. --------------------------------------------- https://lwn.net/Articles/1005129/ ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (rsync), Debian (rsync), Fedora (perl-Net-OAuth and redis), Red Hat (ipa, raptor2, rsync, and tuned), Slackware (rsync), SUSE (apache2-mod_jk, git, kernel, rclone, rsync, and webkit2gtk3), and Ubuntu (git, linux-azure-5.4, pdns, pdns-recursor, python-django, rlottie, and rsync). --------------------------------------------- https://lwn.net/Articles/1005163/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.01.2025
by Daily end-of-shift report 14 Jan '25

14 Jan '25

===================== = End-of-Day report = ===================== Timeframe: Montag 13-01-2025 18:00 − Dienstag 14-01-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Abgehörte Kryptohandys: BGH erlaubt Verwertung - Berliner Landgericht lehnt ab ∗∗∗ --------------------------------------------- Die Justiz ringt seit Jahren um die Verwertung von Daten abgehörter Kryptohandys. Nun gab es in wenigen Wochen gegensätzliche Urteile. --------------------------------------------- https://www.golem.de/news/abgehoerte-kryptohandys-bgh-erlaubt-verwertung-be… ∗∗∗ Analyzing CVE-2024-44243, a macOS System Integrity Protection bypass through kernel extensions ∗∗∗ --------------------------------------------- Microsoft discovered a macOS vulnerability allowing attackers to bypass System Integrity Protection (SIP) by loading third party kernel extensions, which could lead to serious consequences, such as allowing attackers to install rootkits, create persistent malware, bypass Transparency, Consent, and Control (TCC), and expand the attack surface to perform other .. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2025/01/13/analyzing-cve-2024… ∗∗∗ The Database Slayer: Deep Dive and Simulation of the Xbash Malware ∗∗∗ --------------------------------------------- In the world of malware, common ransomware schemes aim to take the data within databases (considered the "gold" in the vault of any organization) and hold them hostage, promising data recovery upon ransom payment. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-databas… ∗∗∗ Snyk appears to deploy malicious packages targeting Cursor for unknown reason ∗∗∗ --------------------------------------------- Packages removed, vendor said to have apologized to AI code editor as onlookers say it could have been a test Developer security company Snyk is at the center of allegations concerning the possible targeting or testing of Cursor, an AI code editor company, using "malicious" packages uploaded to NPM. --------------------------------------------- https://www.theregister.com/2025/01/14/snyk_npm_deployment_removed/ ∗∗∗ SAP-Patchday: Updates schließen 14 teils kritische Schwachstellen ∗∗∗ --------------------------------------------- Im Januar bedenkt SAP Produkte mit 14 Sicherheitsmitteilungen und zugehörigen Updates. Zwei davon gelten als kritisch. --------------------------------------------- https://www.heise.de/news/SAP-Patchday-Hersteller-stopft-teils-kritische-SI… ∗∗∗ Telefónica: Infostealer-Kampagne legt interne Jira-Issues offen ∗∗∗ --------------------------------------------- Der Telekommunikationsanbieter Telefónica wurde Opfer eines Cyberangriffs. Kriminelle erbeuteten offenbar Zugriff auf große Mengen interner Daten. --------------------------------------------- https://www.heise.de/news/Telefonica-Infostealer-Kampagne-legt-interne-Jira… ∗∗∗ Achtung Fake: vailllant.at und vaillantproservice.at ∗∗∗ --------------------------------------------- Kriminelle missbrauchen das für Heiztechnik bekannte Unternehmen Vaillant für eine Betrugsmasche. Auf gefälschten Webseiten geben sich die Kriminellen als 24-Stunden-Notdienst für Österreich bzw. Wien/Niederösterreich aus. Ruft man den betrügerischen Notdienst an, kommen unseriöser Handwerker:innen, die den Schaden nicht fachgerecht beheben, sondern eine horrende Summe in Rechnung stellen! --------------------------------------------- https://www.watchlist-internet.at/news/achtung-fake-vailllantat-und-vaillan… ∗∗∗ One Step Ahead in Cyber Hide-and-Seek: Automating Malicious Infrastructure Discovery With Graph Neural Networks ∗∗∗ --------------------------------------------- Graph neural networks aid in analyzing domains linked to known attack indicators, effectively uncovering new malicious domains and cybercrime campaigns. --------------------------------------------- https://unit42.paloaltonetworks.com/graph-neural-networks/ ∗∗∗ Ransomware: Threat Level Remains High in Third Quarter ∗∗∗ --------------------------------------------- Recently established RansomHub group overtakes LockBit to become most prolific ransomware operation. --------------------------------------------- https://www.security.com/threat-intelligence/ransomware-threat-level-remain… ∗∗∗ CISA Releases the JCDC AI Cybersecurity Collaboration Playbook and Fact Sheet ∗∗∗ --------------------------------------------- Today, CISA released the JCDC AI Cybersecurity Collaboration Playbook and Fact Sheet to foster operational collaboration among government, industry, and international partners and strengthen artificial intelligence (AI) cybersecurity. The playbook provides voluntary information-sharing processes that, if adopted, can help protect organizations from emerging .. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/01/14/cisa-releases-jcdc-ai-cy… ∗∗∗ Major location data broker reports hack to Norwegian authorities ∗∗∗ --------------------------------------------- The location data broker Gravy Analytics confirmed to Norwegian authorities that it was breached by a hacker — potentially exposing a trove of sensitive information. --------------------------------------------- https://therecord.media/location-data-broker-gravy-breach ∗∗∗ NPM command confusion ∗∗∗ --------------------------------------------- Intro Managing dependencies in JavaScript projects can quickly become a complex undertaking. Tasks include keeping track of versions, ensuring compatibility, and handling updates . npm provides a robust solution to these problems, through a centralized system for managing project dependencies. Primarily accessed through its command-line interface (CLI), npm .. --------------------------------------------- https://checkmarx.com/blog/npm-command-confusion/ ∗∗∗ Malicious Kong Ingress Controller Image Found on DockerHub ∗∗∗ --------------------------------------------- A critical security breach in the software supply chain has been detected. An attacker accessed Kong’s DockerHub account --------------------------------------------- https://hackread.com/malicious-kong-ingress-controller-image-dockerhub/ ∗∗∗ Hackers Using Fake YouTube Links to Steal Login Credentials ∗∗∗ --------------------------------------------- Cybercriminals exploit fake YouTube links to redirect users to phishing pages, stealing login credentials via URI .. --------------------------------------------- https://hackread.com/hackers-fake-youtube-links-steal-login-credentials/ ∗∗∗ Kill Switch Hidden in npm Packages Typosquatting Chalk and Chokidar ∗∗∗ --------------------------------------------- In Hindi, chokidar (चौकीदार) means “gatekeeper” or “watchman”—a perfect descriptor for chokidar one of Node.js most trusted file-watching libraries with around 56 million weekly downloads. Meanwhile, chalk serves as a cornerstone for terminal string styling in JavaScript, drawing over 265 million downloads weekly. Unfortunately, our Socket threat .. --------------------------------------------- https://socket.dev/blog/kill-switch-hidden-in-npm-packages-typo-squatting-c… ===================== = Vulnerabilities = ===================== ∗∗∗ Zyxel security advisory for improper privilege management vulnerability in APs and security router devices ∗∗∗ --------------------------------------------- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-… ∗∗∗ January Security Update ∗∗∗ --------------------------------------------- https://www.ivanti.com/blog/january-security-update -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.01.2025
by Daily end-of-shift report 13 Jan '25

13 Jan '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 10-01-2025 18:00 − Montag 13-01-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Ongoing attacks on Ivanti VPNs install a ton of sneaky, well-written malware ∗∗∗ --------------------------------------------- In-the-wild attacks tamper with built-in security tool providing infection warnings. --------------------------------------------- https://arstechnica.com/security/2025/01/ivanti-vpn-users-are-getting-hacke… ∗∗∗ Phishing texts trick Apple iMessage users into disabling protection ∗∗∗ --------------------------------------------- Cybercriminals are exploiting a trick to turn off Apple iMessages built-in phishing protection for a text and trick users into re-enabling disabled phishing links. --------------------------------------------- https://www.bleepingcomputer.com/news/security/phishing-texts-trick-apple-i… ∗∗∗ Ransomware abuses Amazon AWS feature to encrypt S3 buckets ∗∗∗ --------------------------------------------- A new ransomware campaign encrypts Amazon S3 buckets using AWSs Server-Side Encryption with Customer Provided Keys (SSE-C) known only to the threat actor, demanding ransoms to receive the decryption key. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ransomware-abuses-amazon-aws… ∗∗∗ Anwendung blockiert: MacOS stuft Docker Desktop als Malware ein ∗∗∗ --------------------------------------------- Einige Dateien von Docker Desktop für MacOS wurden falsch signiert, so dass Nutzer eine Malware-Warnung erhalten. Eine echte Gefahr besteht nicht. --------------------------------------------- https://www.golem.de/news/anwendung-blockiert-docker-desktop-unter-macos-al… ∗∗∗ New LLM Jailbreak Uses Models Evaluation Skills Against Them ∗∗∗ --------------------------------------------- SC Media reports on a new jailbreak method for large language models (LLMs) that "takes advantage of models ability to identify and score harmful content in order to trick the models into generating content related to malware, illegal activity, harassment and more. "The Bad Likert Judge multi-step jailbreak technique was developed and tested by .. --------------------------------------------- https://it.slashdot.org/story/25/01/12/2010218/new-llm-jailbreak-uses-model… ∗∗∗ Nominet probes network intrusion linked to Ivanti zero-day exploit ∗∗∗ --------------------------------------------- Unauthorized activity detected, but no backdoors found UK domain registry Nominet is investigating a potential intrusion into its network related to the latest Ivanti zero-day exploits. --------------------------------------------- https://www.theregister.com/2025/01/13/nominet_ivanti_zero_day/ ∗∗∗ Paypal-Phishing: Angebliche monatliche Finanzberichte ködern Opfer ∗∗∗ --------------------------------------------- Derzeit schaffen es Phishing-Mails an Spam-Filtern vorbeizukommen, die einen monatlichen Finanzbericht für Paypal versprechen. --------------------------------------------- https://www.heise.de/news/Paypal-Phishing-Angebliche-monatliche-Finanzberic… ∗∗∗ Log Source Management App für IBM QRadar SIEM ist auf vielen Wegen angreifbar ∗∗∗ --------------------------------------------- Weil mehrere Komponenten verwundbar sind, können Angreifer Systeme mit Log Source Management App für IBM QRadar SIEM attackieren. --------------------------------------------- https://www.heise.de/news/Log-Source-Management-App-fuer-IBM-QRadar-SIEM-is… ∗∗∗ Tackling AI threats. Advanced DFIR methods and tools for deepfake detection ∗∗∗ --------------------------------------------- TL; DR AI-generated documents, videos and more pose significant challenges for DFIR DFIR teams can harness innovative detection strategies and tooling Digital fingerprinting and watermarking, AI-powered and behavioural analyses .. --------------------------------------------- https://www.pentestpartners.com/security-blog/tackling-ai-threats-advanced-… ∗∗∗ Rufnummernmissbrauch dank Verordnung drastisch zurückgegangen ∗∗∗ --------------------------------------------- Die "Anti-Spoofing-Verordnung" der RTR greift seit September, seitdem gibt es nur noch wenige Vorfälle von Betrug mittels gekaperter Rufnummern --------------------------------------------- https://www.derstandard.at/story/3000000252624/rufnummernmissbrauch-dank-ve… ∗∗∗ Muddling Meerkat Linked to Domain Spoofing in Global Spam Scams ∗∗∗ --------------------------------------------- Infoblox cybersecurity researchers investigating the mysterious activities of Muddling Meerkat unexpectedly uncovered widespread use of domain spoofing in malicious spam campaigns. --------------------------------------------- https://hackread.com/muddling-meerkat-domain-spoofing-spam-scams/ ∗∗∗ Fake CrowdStrike Recruiters Distribute Malware Via Phishing Emails ∗∗∗ --------------------------------------------- SUMMARY Cybercriminals are deploying a tricky new phishing campaign impersonating the cybersecurity firm CrowdStrike‘s .. --------------------------------------------- https://hackread.com/fake-crowdstrike-recruiters-malware-phishing-emails/ ∗∗∗ 3 Russians Indicted for Operating Blender.io and Sinbad.io Crypto Mixers ∗∗∗ --------------------------------------------- SUMMARY Three Russian nationals have been indicted for their alleged roles in running cryptocurrency mixing services Blender.io and… --------------------------------------------- https://hackread.com/3-russian-operating-blender-io-sinbad-io-crypto-mixers/ ∗∗∗ Exploitation Walkthrough and Techniques - Ivanti Connect Secure RCE (CVE-2025-0282) ∗∗∗ --------------------------------------------- As we saw in our previous blogpost, we fully analyzed Ivanti’s most recent unauthenticated Remote Code Execution vulnerability in their Connect Secure (VPN) appliance. Specifically, we analyzed CVE-2025-0282.Today, we’re .. --------------------------------------------- https://labs.watchtowr.com/exploitation-walkthrough-and-techniques-ivanti-c… ∗∗∗ Deep Dive Into a Linux Rootkit Malware ∗∗∗ --------------------------------------------- This is a follow-up analysis to a previous blog about a zero day exploit where the FortiGuard Incident Response (FGIR) team examined how remote attackers exploited multiple vulnerabilities in an appliance to gain control of a customer’s system. --------------------------------------------- https://feeds.fortinet.com/~/910912481/0/fortinet/blogs~Deep-Dive-Into-a-Li… ∗∗∗ Wiz Research Identifies Exploitation in the Wild of Aviatrix Controller RCE (CVE-2024-50603) ∗∗∗ --------------------------------------------- The Wiz Incident Response team is currently responding to multiple incidents involving CVE-2024-50603, an Aviatrix Controller unauthenticated RCE vulnerability, that can lead to privileges escalation in the AWS control plane. Organizations should patch urgently. --------------------------------------------- https://www.wiz.io/blog/wiz-research-identifies-exploitation-in-the-wild-of… ∗∗∗ Analysis of Counter-Ransomware Activities in 2024 ∗∗∗ --------------------------------------------- The scourge of ransomware continues primarily because ofthree main reasons: Ransomware-as-a-Service (RaaS), cryptocurrency, and safe havens.RaaS platforms enable aspiring cybercriminals to join a gang and begin launching attacks with a support system that help extract ransom payments from their victims.Cryptocurrency enables cybercriminals to receive funds .. --------------------------------------------- https://blog.bushidotoken.net/2025/01/analysis-of-counter-ransomware.html ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (dpdk, firefox, iperf3, thunderbird, and webkit2gtk3), Debian (firefox-esr, gnuchess, node-mocha, openafs, python-django, and thunderbird), Fedora (libxmp, python-jinja2, suricata, thunderbird, and xen), Mageia (avahi, libjxl, opencontainers-runc, radare2, rizin, and tinyproxy), Oracle (cups, dpdk, firefox, iperf3, .. --------------------------------------------- https://lwn.net/Articles/1004962/ ∗∗∗ MISP 2.4.203 and 2.5.5 released including new features, improvements and many security improvements. ∗∗∗ --------------------------------------------- We are thrilled to announce the release of MISP v2.4.203 and MISP v2.5.5, bringing a range of new features, improvements, and fixes to enhance the platforms performance, usability, and security. These updates reflect our ongoing commitment to providing a robust and reliable open-source .. --------------------------------------------- https://github.com/MISP/MISP/releases/tag/v2.4.203 ∗∗∗ Security Vulnerabilities fixed in Firefox for iOS 134 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-06/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.01.2025
by Daily end-of-shift report 10 Jan '25

10 Jan '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 09-01-2025 18:00 − Freitag 10-01-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Ongoing attacks on Ivanti VPNs install a ton of sneaky, well-written malware ∗∗∗ --------------------------------------------- In-the-wild attacks tamper with built-in security tool to suppress infection warnings. --------------------------------------------- https://arstechnica.com/security/2025/01/ivanti-vpn-users-are-getting-hacke… ∗∗∗ Stealthy Credit Card Skimmer Targets WordPress Checkout Pages via Database Injection ∗∗∗ --------------------------------------------- Recently, we released an article where a credit card skimmer was targeting checkout pages on a Magento site. Now we’ve come across sophisticated credit card skimmer malware while investigating a compromised WordPress .. --------------------------------------------- https://blog.sucuri.net/2025/01/stealthy-credit-card-skimmer-targets-wordpr… ∗∗∗ Sicherheitsupdates: Angreifer können Netzwerkgeräte mit Junos OS crashen lassen ∗∗∗ --------------------------------------------- Netzwerkgeräte wie Switches von Juniper sind verwundbar. Ansatzpunkte sind mehrere Schwachstellen im Betriebssystem Junos OS. --------------------------------------------- https://www.heise.de/news/Sicherheitsupdates-Angreifer-koennen-Netzwerkgera… ∗∗∗ Meet FunkSec: A New, Surprising Ransomware Group, Powered by AI ∗∗∗ --------------------------------------------- Executive Summary: The FunkSec ransomware group emerged in late 2024 and published over 85 victims in December, surpassing every other ransomware group that month FunkSec operators appear to use AI-assisted malware development, which can enable even inexperienced actors to quickly produce and refine advanced tools The group’s activities straddle the line .. --------------------------------------------- https://blog.checkpoint.com/research/meet-funksec-a-new-surprising-ransomwa… ∗∗∗ Do we still have to keep doing it like this? ∗∗∗ --------------------------------------------- Hazel gets inspired by watching Wendy Nather’s recent keynote, and explores ways to challenge security assumptions. --------------------------------------------- https://blog.talosintelligence.com/do-we-still-have-to-keep-doing-it-like-t… ∗∗∗ How Cracks and Installers Bring Malware to Your Device ∗∗∗ --------------------------------------------- Our research shows how attackers use platforms like YouTube to spread fake installers via trusted hosting services, employing encryption to evade detection and steal sensitive browser data. --------------------------------------------- https://www.trendmicro.com/en_us/research/25/a/how-cracks-and-installers-br… ∗∗∗ Banshee Stealer Hits macOS Users via Fake GitHub Repositories ∗∗∗ --------------------------------------------- Cybersecurity researchers at Check Point detected a new version of Banshee Stealer in late September 2024, distributed .. --------------------------------------------- https://hackread.com/banshee-stealer-hits-macos-fake-github-repositories/ ∗∗∗ Do Secure-By-Design Pledges Come With Stickers? - Ivanti Connect Secure RCE (CVE-2025-0282) ∗∗∗ --------------------------------------------- Did you have a good break? Have you had a chance to breathe? Wake up. It’s 2025, and the chaos continues. Haha, see what we did? We wrote the exact same thing in 2024 because 2024 was exactly .. --------------------------------------------- https://labs.watchtowr.com/do-secure-by-design-pledges-come-with-stickers-i… ∗∗∗ How to secure your GitHub Actions workflows with CodeQL ∗∗∗ --------------------------------------------- In the last few months, we secured 75+ GitHub Actions workflows in open source projects, disclosing 90+ different vulnerabilities. Out of this research we produced new support for workflows in CodeQL, empowering .. --------------------------------------------- https://github.blog/security/application-security/how-to-secure-your-github… ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-25-010: Redis Stack Lua Use-After-Free Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Redis Stack. Authentication is required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.2. The following CVEs are assigned: CVE-2024-46981. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-010/ ∗∗∗ ZDI-25-009: Redis Stack RedisBloom Integer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Redis Stack. Authentication is required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 8.8. The following CVEs are assigned: CVE-2024-55656. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-009/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.01.2025
by Daily end-of-shift report 09 Jan '25

09 Jan '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 08-01-2025 18:00 − Donnerstag 09-01-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Here’s how hucksters are manipulating Google to promote shady Chrome extensions ∗∗∗ --------------------------------------------- How do you stash 18,000 keywords into a description? Turns out its easy. --------------------------------------------- https://arstechnica.com/security/2025/01/googles-chrome-web-store-has-a-ser… ∗∗∗ Unpatched critical flaws impact Fancy Product Designer WordPress plugin ∗∗∗ --------------------------------------------- Premium WordPress plugin Fancy Product Designer from Radykal is vulnerable to two critical severity flaws that remain unfixed in the current latest version. --------------------------------------------- https://www.bleepingcomputer.com/news/security/unpatched-critical-flaws-imp… ∗∗∗ Beyond Meh-trics: Examining How CTI Programs Demonstrate Value Using Metrics ∗∗∗ --------------------------------------------- A blog about developing cyber threat intelligence (CTI) metrics. --------------------------------------------- https://www.sans.org/blog/beyond-meh-trics-examining-how-cti-programs-demon… ∗∗∗ The State of Magecart: A Persistent Threat to E-Commerce Security ∗∗∗ --------------------------------------------- Trustwave SpiderLabs first blogged about Magecart back in 2019; fast forward five years and it is still here going strong. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-state-o… ∗∗∗ Mitel 0-day, 5-year-old Oracle RCE bug under active exploit ∗∗∗ --------------------------------------------- 3 CVEs added to CISAs catalog Cybercriminals are actively exploiting two vulnerabilities in Mitel MiCollab, including a zero-day flaw – and a critical remote code execution vulnerability in Oracle WebLogic Server that has been abused for at least five years. --------------------------------------------- https://www.theregister.com/2025/01/08/mitel_0_day_oracle_rce_under_exploit/ ∗∗∗ Japanese police claim China ran five-year cyberattack campaign targeting local orgs ∗∗∗ --------------------------------------------- ‘MirrorFace’ group found ways to run malware in the Windows sandbox, which is worrying Japan’s National Police Agency and Center of Incident Readiness and Strategy for Cybersecurity have confirmed third party reports of attacks on local orgs by publishing details of a years-long series of attacks attributed to a China-backed source. --------------------------------------------- https://www.theregister.com/2025/01/09/japan_mirrorface_china_attack/ ∗∗∗ Angestellte klickten dreimal so oft auf Phishing-Links ‒ häufig in Suchmaschinen ∗∗∗ --------------------------------------------- Mitarbeiter klicken trotz Schulungen auf Phishing-Links. Laut einer Studie sind sie bei E-Mails sich der Angriffe eher bewusst, bei der Suche im Netz weniger. --------------------------------------------- https://www.heise.de/news/E-Mails-sind-out-Phishing-verstaerkt-ueber-Suchma… ∗∗∗ New Research: Enhancing Botnet Detection with AI using LLMs and Similarity Search ∗∗∗ --------------------------------------------- As botnets continue to evolve, so do the techniques required to detect them. --------------------------------------------- https://www.rapid7.com/blog/post/2025/01/08/new-research-enhancing-botnet-d… ∗∗∗ Banshee: The Stealer That “Stole Code” From MacOS XProtect ∗∗∗ --------------------------------------------- As of 2024, approximately 100.4 million people worldwide use macOS, accounting for 15.1% of the global PC market. Of the millions of macOS users, many falsely assume that their systems are inherently secure from malware. This perception stems from macOS’s Unix-based architecture and historically lower market share, .. --------------------------------------------- https://research.checkpoint.com/2025/banshee-macos-stealer-that-stole-code-… ∗∗∗ Ivanti Connect Secure VPN Targeted in New Zero-Day Exploitation ∗∗∗ --------------------------------------------- On Wednesday, Jan. 8, 2025, Ivanti disclosed two vulnerabilities, CVE-2025-0282 and CVE-2025-0283, impacting Ivanti Connect Secure (“ICS”) VPN appliances. Mandiant has identified zero-day exploitation of CVE-2025-0282 in the wild beginning mid-December 2024. CVE-2025-0282 is an unauthenticated stack-based buffer overflow. Successful exploitation could result in unauthenticated remote code execution, leading to potential downstream compromise of a victim network. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/ivanti-connect-sec… ∗∗∗ Angeblich Datenleck bei Datensammler Gravy Analytics ∗∗∗ --------------------------------------------- Im Darknet behaupten Kriminelle, Daten vom Positionsdatensammler Gravy Analytics erbeutet zu haben. Sorge um die Privatsphäre macht sich breit. --------------------------------------------- https://heise.de/-10233802 ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-25-008: Trend Micro Deep Security Agent Incorrect Permissions Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-008/ ∗∗∗ ZDI-25-007: Trend Micro Apex One widget getWidgetPoolManager Local File Inclusion Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-007/ ∗∗∗ ZDI-25-006: Trend Micro Apex One LogServer Link Following Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-006/ ∗∗∗ ZDI-25-005: Trend Micro Apex One LogServer Link Following Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-005/ ∗∗∗ ZDI-25-004: Trend Micro Apex One Origin Validation Error Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-004/ ∗∗∗ ZDI-25-003: Trend Micro Apex One Security Agent Link Following Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-003/ ∗∗∗ ZDI-25-002: Trend Micro Apex One LogServer Link Following Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-002/ ∗∗∗ ZDI-25-001: Trend Micro Apex One Damage Cleanup Engine Link Following Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-001/ ∗∗∗ 2025-01 Security Bulletin: Junos Space: Multiple vulnerabilities resolved in 24.1R2 release ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2025-01-Security-Bulletin-Junos… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.01.2025
by Daily end-of-shift report 08 Jan '25

08 Jan '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 07-01-2025 18:00 − Mittwoch 08-01-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ How initial access brokers (IABs) sell your users’ credentials ∗∗∗ --------------------------------------------- Initial Access Brokers (IABs) are specialized cybercriminals that break into corporate networks and sell stolen access to other attackers. Learn from Specops Software about how IABs operate and how businesses can protect themselves. --------------------------------------------- https://www.bleepingcomputer.com/news/security/how-initial-access-brokers-i… ∗∗∗ Wegen Sicherheitslücken: Ärzteschaft empfiehlt Widerspruch zu ePA für alle ∗∗∗ --------------------------------------------- Kurz vor dem Start der ePA für alle ist die Verunsicherung groß. Die Ärzte sehen noch "große Einfallstore" für Hacker. --------------------------------------------- https://www.golem.de/news/wegen-sicherheitsluecken-aerzteschaft-empfiehlt-w… ∗∗∗ FCC Launches Cyber Trust Mark for IoT Devices to Certify Security Compliance ∗∗∗ --------------------------------------------- The U.S. government on Tuesday announced the launch of the U.S. Cyber Trust Mark, a new cybersecurity safety label for Internet-of-Things (IoT) consumer devices."IoT products can be susceptible to a range of security vulnerabilities," the U.S. Federal .. --------------------------------------------- https://thehackernews.com/2025/01/fcc-launches-cyber-trust-mark-for-iot.html ∗∗∗ Mirai Botnet Variant Exploits Four-Faith Router Vulnerability for DDoS Attacks ∗∗∗ --------------------------------------------- A Mirai botnet variant has been found exploiting a newly disclosed security flaw impacting Four-Faith industrial routers since early November 2024 with the goal of conducting distributed denial-of-service (DDoS) attacks.The botnet maintains .. --------------------------------------------- https://thehackernews.com/2025/01/mirai-botnet-variant-exploits-four.html ∗∗∗ Researchers Expose NonEuclid RAT Using UAC Bypass and AMSI Evasion Techniques ∗∗∗ --------------------------------------------- Cybersecurity researchers have shed light on a new remote access trojan called NonEuclid that allows bad actors to remotely control compromised Windows systems."The NonEuclid remote access trojan (RAT), developed in C#, is a highly sophisticated .. --------------------------------------------- https://thehackernews.com/2025/01/researchers-expose-noneuclid-rat-using.ht… ∗∗∗ US-Sicherheitsbehörde warnt vor Attacken auf MiCollab und WebLogic Server ∗∗∗ --------------------------------------------- Admins sollten ihre Systeme mit Mitel- und Oracle-Software gegen derzeit laufende Angriffe rüsten. --------------------------------------------- https://www.heise.de/news/US-Sicherheitsbehoerde-warnt-vor-Attacken-auf-MiC… ∗∗∗ Forscher: KI sorgt für effektiveres Phishing ∗∗∗ --------------------------------------------- Wie wirksam ist per LLM automatisch erzeugtes Phishing? Es ist gleichauf mit menschlich erzeugtem Spear-Phishing, sagen Forscher. --------------------------------------------- https://www.heise.de/news/Forscher-KI-sorgt-fuer-effektiveres-Phishing-1023… ∗∗∗ A Day in the Life of a Prolific Voice Phishing Crew ∗∗∗ --------------------------------------------- Besieged by scammers seeking to phish user accounts over the telephone, Apple and Google frequently caution that they will never reach out unbidden to users this way. However, new details about the internal operations of a prolific voice phishing gang show the group routinely abuses legitimate services at Apple and Google to force a variety of outbound .. --------------------------------------------- https://krebsonsecurity.com/2025/01/a-day-in-the-life-of-a-prolific-voice-p… ∗∗∗ Vorsicht vor versteckten Kosten auf finelo.com und coursiv.io ∗∗∗ --------------------------------------------- Die Aussicht auf finanziellen Aufstieg lockt viele Menschen auf Plattformen wie finelo.com und coursive.io, die von der IT-Firma zimran.io betrieben werden. Beide Plattformen werben mit großen Versprechungen: Während finelo.com den Nutzer:innen beibringen möchte, clever zu investieren, zielt coursiv.io darauf ab, berufliche Fähigkeiten mithilfe künstlicher .. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-versteckten-kosten-auf-… ∗∗∗ Drupal 7 End of Life - PSA-2025-01-06 ∗∗∗ --------------------------------------------- Drupal core version 7 has reached end of life, and is no longer community supported on Drupal.org. This means that new releases of Drupal 7 core and contributed projects will no longer happen on Drupal.org and community support is no longer provided. What this means for you:Any vulnerabilities that impact Drupal 7 may be released and .. --------------------------------------------- https://www.drupal.org/psa-2025-01-06 ∗∗∗ Russian internet provider confirms its network was ‘destroyed’ following attack claimed by Ukrainian hackers ∗∗∗ --------------------------------------------- In a statement on the Russian social media platform VKontakte, the St. Petersburg-based company said the “planned” attack “destroyed” its infrastructure overnight. Nodex added that it was working to restore systems from backups but could not provide a timeline for when operations would fully resume. --------------------------------------------- https://therecord.media/russian-internet-provider-says-network-destroyed-cy… ∗∗∗ Scammers Impersonate Authorities to Swipe OTPs with Remote Access Apps ∗∗∗ --------------------------------------------- SUMMARY Cybersecurity researchers at Group-IB have discovered a sophisticated refund scam where scammers are using remote access tools. --------------------------------------------- https://hackread.com/scammers-impersonate-swipe-otps-remote-access-apps/ ∗∗∗ Backdooring Your Backdoors - Another $20 Domain, More Governments ∗∗∗ --------------------------------------------- After the excitement of our .MOBI research, we were left twiddling our thumbs. As you may recall, in 2024, we demonstrated the impact of an unregistered domain when we subverted the TLS/SSL CA process for verifying domain ownership to give ourselves .. --------------------------------------------- https://labs.watchtowr.com/more-governments-backdoors-in-your-backdoors/ ∗∗∗ Solving NIST Password Complexities: Guidance From a GRC Perspective ∗∗∗ --------------------------------------------- Not another password change! Isn’t one (1) extra-long password enough? As a former Incident Response, Identity and Access Control, and Education and Awareness guru, I can attest .. --------------------------------------------- https://trustedsec.com/blog/solving-nist-password-complexities-guidance-fro… ∗∗∗ How We Cracked a 512-Bit DKIM Key for Less Than $8 in the Cloud ∗∗∗ --------------------------------------------- In our study on the SPF, DKIM, and DMARC records of the top 1M websites, we were surprised to uncover more than 1,700 public DKIM keys that were shorter than 1,024 bits in length. This finding was unexpected, as RSA keys shorter than 1,024 bits are considered insecure, and their use in DKIM has been deprecated since the introduction of RFC 8301 in 2018. --------------------------------------------- https://dmarcchecker.app/articles/crack-512-bit-dkim-rsa-key ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Common Services Platform Collector Cross-Site Scripting Vulnerabilities ∗∗∗ --------------------------------------------- Multiple vulnerabilities in the web-based management interface of Cisco Common Services Platform Collector (CSPC) could allow an authenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface.These vulnerabilities are due to insufficient validation of user-supplied input by the web-based management interface .. --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Crosswork Network Controller Stored Cross-Site Scripting Vulnerabilities ∗∗∗ --------------------------------------------- Multiple vulnerabilities in the web-based management interface of Cisco Crosswork Network Controller could allow an authenticated, remote attacker to conduct cross-site scripting (XSS) attacks against users of the interface of an affected system. These vulnerabilities exist because the web-based management interface does not properly validate user-supplied .. --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (firefox, mupdf, and php-tcpdf), SUSE (etcd, file-roller, gtk3, kernel, python-django-ckeditor, rubygem-json-jwt, and tomcat10), and Ubuntu (ffmpeg, HTMLDOC, linux-aws, linux-raspi, linux-gke, linux-hwe-6.8, linux-lowlatency, linux-lowlatency-hwe-6.8, and tinyproxy). --------------------------------------------- https://lwn.net/Articles/1004428/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.01.2025
by Daily end-of-shift report 07 Jan '25

07 Jan '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 03-01-2025 18:00 − Dienstag 07-01-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Windows 10 users urged to upgrade to avoid "security fiasco" ∗∗∗ --------------------------------------------- Cybersecurity firm ESET is urging Windows 10 users to upgrade to Windows 11 or Linux to avoid a "security fiasco" as the 10-year-old operating system nears the end of support in October 2025. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/windows-10-users-urged-to-u… ∗∗∗ Cryptocurrency wallet drainers stole $494 million in 2024 ∗∗∗ --------------------------------------------- Scammers stole $494 million worth of cryptocurrency in wallet drainer attacks last year that targeted more than 300,000 wallet addresses. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cryptocurrency-wallet-draine… ∗∗∗ Chinese hackers also breached Charter and Windstream networks ∗∗∗ --------------------------------------------- More U.S. companies have been added to the list of telecommunications firms hacked in a wave of breaches by a Chinese state-backed threat group tracked as Salt Typhoon. --------------------------------------------- https://www.bleepingcomputer.com/news/security/charter-and-windstream-among… ∗∗∗ Trotz starker Kritik: Umstrittene UN-Cybercrime-Konvention verabschiedet ∗∗∗ --------------------------------------------- Netzaktivisten haben vergeblich vor der Verabschiedung der Konvention gewarnt. Es droht der Zugriff auf digitale Beweismittel durch autoritäre Staaten. --------------------------------------------- https://www.golem.de/news/trotz-starker-kritik-umstrittene-un-cybercrime-ko… ∗∗∗ After Chinas Salt Typhoon, the reconstruction starts now ∗∗∗ --------------------------------------------- If 40 years of faulty building gets blown down, don’t rebuild with the rubble Opinion When a typhoon devastates a land, it takes a while to understand the scale of the destruction. Disaster relief kicks in, communications rebuilt, and news flows out. Salt Typhoon is .. --------------------------------------------- https://www.theregister.com/2025/01/06/opinion_column_cybersec/ ∗∗∗ MediaTek rings in the new year with a parade of chipset vulns ∗∗∗ --------------------------------------------- Manufacturers should have had ample time to apply the fixes MediaTek kicked off the first full working week of the new year by disclosing a bevy of security vulnerabilities, including a critical remote code execution bug affecting 51 chipsets. --------------------------------------------- https://www.theregister.com/2025/01/06/mediatek_chipset_vulnerabilities/ ∗∗∗ Patchday: Wichtige Sicherheitsupdates schützen Android-Geräte ∗∗∗ --------------------------------------------- Google und weitere Hersteller von Android-Geräte haben mehrere kritische Lücken in verschiedenen Android-Versionen geschlossen. --------------------------------------------- https://www.heise.de/news/Patchday-Schadcode-Luecken-bedrohen-Android-12-13… ∗∗∗ Schwerwiegende Sicherheitslücken in Sonicwall SSL-VPN - aktiv ausgenutzt ∗∗∗ --------------------------------------------- Der Hersteller Sonicwall hat seine Kunden darüber informiert, dass einige Geräte von Sicherheitslücken betroffen sind. Besonders hervorzuheben ist dabei eine bereits angegriffenen Lücke bei denen Angreifer:innen die Authentifizierung .. --------------------------------------------- https://www.cert.at/de/warnungen/2025/1/schwewiegende-sicherheitslucken-in-… ∗∗∗ UN aviation agency actively investigating cybercriminal’s claimed data breach ∗∗∗ --------------------------------------------- The International Civil Aviation Organization (ICAO) said it was responding to claims of a data breach “allegedly linked to a threat actor known for targeting international organizations.” --------------------------------------------- https://therecord.media/united-nations-icao-investigating-data-breach ∗∗∗ Critical Next.js Authorization Bypass Vulnerability ∗∗∗ --------------------------------------------- This specifically affects pages directly under the application’s root directory. Example:[Not affected] hxxps[://]example[.]com[Affected] hxxps[://]example[.]com/foo[Not affected] hxxps[://]example[.]com/foo/bar Successful exploitation of this vulnerability, allows a remote unauthenticated .. --------------------------------------------- https://www.truesec.com/hub/blog/critical-next-js-authorization-bypass-vuln… ∗∗∗ Achtung: Angeblich geleakter GTA San Andreas Source-Code mit Schadsoftware ∗∗∗ --------------------------------------------- Aktuell wird angeblich der Quellcode des Rockstar Games Spiels GTA San Andreas im Internet zum Download angeboten. Erste Hinweise scheinen seit gestern im Internet aufgetaucht zu sein (siehe z.B. den Artikel Rockstar reportedly faces another .. --------------------------------------------- https://www.borncity.com/blog/2025/01/06/achtung-angeblich-geleakter-gta-sa… ∗∗∗ New PhishWP Plugin on Russian Forum Turns Sites into Phishing Pages ∗∗∗ --------------------------------------------- SlashNext has discovered a malicious WordPress plugin, PhishWP, which creates convincing fake payment pages to steal your credit card information, 3DS codes, and personal data. --------------------------------------------- https://hackread.com/phishwp-plugin-russian-hacker-forum-phishing-sites/ ∗∗∗ U.S. Sanctions Chinese Cybersecurity Firm Over Cyberattacks ∗∗∗ --------------------------------------------- US sanctions Beijing-based Integrity Technology Group for aiding “Flax Typhoon” hackers in cyberattacks on American infrastructure, freezing assets… --------------------------------------------- https://hackread.com/us-sanctions-chinese-cybersecurity-firm-cyberattacks/ ∗∗∗ CVE-2024-4577: Windows Encoding Gone Wrong ∗∗∗ --------------------------------------------- CVE-2024-4577 is a critical vulnerability in Windows-based PHP installations, affecting CGI configurations, that allow remote code execution. --------------------------------------------- https://www.bitsight.com/blog/cve-2024-4577-windows-encoding-gone-wrong ∗∗∗ Weaponizing OAST: How Malicious Packages Exploit npm, PyPI, and RubyGems for Data Exfiltration and Recon ∗∗∗ --------------------------------------------- Socket researchers uncover how threat actors weaponize Out-of-Band Application Security Testing (OAST) techniques across the npm, PyPI, and RubyGems ecosystems to exfiltrate sensitive data and remotely probe developer environments.Over the last year, Socket’s threat research team has continually observed and identified malicious JavaScript, Python, and Ruby packages .. --------------------------------------------- https://socket.dev/blog/weaponizing-oast-how-malicious-packages-exploit-npm… ===================== = Vulnerabilities = ===================== ∗∗∗ [20250103] - Core - Read ACL violation in multiple core views ∗∗∗ --------------------------------------------- Project: Joomla! SubProject: CMS Impact: Low Severity: Moderate Probability: Low Versions: 3.9.0-3.10.19-elts, 4.0.0-4.4.9, 5.0.0-5.2.2 Exploit type: ACL Violation Reported Date: 2024-08-26 Fixed Date: 2025-01-07 CVE Number: CVE-2024-40749 Description Improper Access Controls allows access to protected views. Affected Installs Joomla! CMS versions 3.9.0-3.10.19-elts, 4.0.0-4.4.9, 5.0.0-5.2.2 Solution Upgrade to version 3.10.20-elts, 4.4.10 or 5.2.3 Contact The JSST at the Joomla! Security --------------------------------------------- https://developer.joomla.org:443/security-centre/956-20250103-core-read-acl… ∗∗∗ [20250102] - Core - XSS vector in the id attribute of menu lists ∗∗∗ --------------------------------------------- Project: Joomla! SubProject: CMS Impact: Low Severity: Moderate Probability: Low Versions: 3.0.0-3.10.19-elts, 4.0.0-4.4.9, 5.0.0-5.2.2 Exploit type: XSS Reported Date: 2024-09-19 Fixed Date: 2025-01-07 CVE Number: CVE-2024-40748 Description Lack of output escaping in the id attribute of menu lists. Affected Installs Joomla! CMS versions 3.0.0-3.10.19-elts, 4.0.0-4.4.9, 5.0.0-5.2.2 Solution Upgrade to version 3.10.20-elts, 4.4.10 or 5.2.3 Contact The JSST at the Joomla! Security Centre. --------------------------------------------- https://developer.joomla.org:443/security-centre/955-20250102-core-xss-vect… ∗∗∗ [20250101] - Core - XSS vectors in module chromes ∗∗∗ --------------------------------------------- Project: Joomla! SubProject: CMS Impact: Low Severity: Moderate Probability: Low Versions: 4.0.0-4.4.9, 5.0.0-5.2.2 Exploit type: XSS Reported Date: 2024-08-29 Fixed Date: 2025-01-07 CVE Number: CVE-2024-40747 Description Various module chromes didnt properly process inputs, leading to XSS vectors. Affected Installs Joomla! CMS versions 4.0.0-4.4.9, 5.0.0-5.2.2 Solution Upgrade to version 4.4.10 or 5.2.3 Contact The JSST at the Joomla! Security Centre. Reported By: Catalin Iovita --------------------------------------------- https://developer.joomla.org:443/security-centre/954-20250101-core-xss-vect… ∗∗∗ Security Vulnerabilities fixed in Firefox ESR 115.19 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-03/ ∗∗∗ Security Vulnerabilities fixed in Firefox ESR 128.6 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-02/ ∗∗∗ Security Vulnerabilities fixed in Firefox 134 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-01/ ∗∗∗ Upcoming CVE for End-of-Life Node.js Versions ∗∗∗ --------------------------------------------- https://nodejs.org/en/blog/vulnerability/upcoming-cve-for-eol-versions -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.01.2025
by Daily end-of-shift report 03 Jan '25

03 Jan '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 02-01-2025 18:00 − Freitag 03-01-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ SwaetRAT Delivery Through Python ∗∗∗ --------------------------------------------- We entered a new year, but attack scenarios have not changed (yet). I found a Python script with an interesting behavior[1] and a low Virustotal score (7/61). It targets Microsoft Windows hosts because it starts by loading all .. --------------------------------------------- https://isc.sans.edu/forums/diary/SwaetRAT+Delivery+Through+Python/31554/ ∗∗∗ 3,1 Millionen bösartige Fake-Sterne auf GitHub entdeckt – Tendenz steigend ∗∗∗ --------------------------------------------- In einer umfassenden Studie ist ein US-Forschungsteam auf Millionen Fake-Sterne bei GitHub gestoßen und warnt vor einem rasant steigenden Trend. --------------------------------------------- https://www.heise.de/news/3-1-Millionen-boesartige-Fake-Sterne-auf-GitHub-e… ∗∗∗ Configurations Mega Blog: Why Configurations Are the Wrong Thing to Get Wrong ∗∗∗ --------------------------------------------- So many times, we look beyond the mark. With our feeds constantly inundated with headline-grabbing news about AI-generated threats, nation states upping their cybercrime game, and sophisticated new forms of malware, we can be tempted to think that the bulk of cyberwarfare is going on "up there" somewhere. In reality, most breaches still originate .. --------------------------------------------- https://www.tripwire.com/state-of-security/configurations-mega-blog-why-con… ∗∗∗ 10 Non-tech things you wish you had done after being breached ∗∗∗ --------------------------------------------- TL;DR Non-tech aspects to breach follow-up are often overlooked but essential NDAs, supply chain, and third party contracts and obligations should be reviewed Reviewing communication protocols and employee .. --------------------------------------------- https://www.pentestpartners.com/security-blog/10-non-tech-things-you-wish-y… ∗∗∗ Von Social Media bis App: So sind Sie Kriminellen einen Schritt voraus ∗∗∗ --------------------------------------------- Internetbetrug wird immer raffinierter und kann jeden Menschen treffen. Deshalb ist es wichtig, auf dem Laufenden zu bleiben und die aktuellen Betrugsmaschen zu kennen. Vom klassischen Newsletter über .. --------------------------------------------- https://www.watchlist-internet.at/news/unsere-kanaele/ ∗∗∗ NPM Package Disguised as an Ethereum Tool Deploys Quasar RAT ∗∗∗ --------------------------------------------- Researchers discovered a malicious package on the npm package registry that resembles a library for Ethereum smart contract vulnerabilities but actually drops an open-source remote access trojan called Quasar .. --------------------------------------------- https://hackread.com/npm-package-disguised-ethereum-tool-quasar-rat/ ∗∗∗ Schädliche Versionen von zahlreichen Chrome-Erweiterungen in Umlauf ∗∗∗ --------------------------------------------- Über die Weihnachtstage verschafften sich die Täter Zugriff auf diverse Chrome-Extensions – in einigen Fällen sogar schon deutlich früher. --------------------------------------------- https://heise.de/-10224745 ∗∗∗ Breaking the Chain: Wiz Uncovers a Signature Verification Bypass in Nuclei, the Popular Vulnerability Scanner (CVE-2024-43405) ∗∗∗ --------------------------------------------- Wiz’s engineering team discovered a high-severity signature verification bypass in Nuclei, one of the most popular open-source security tools, which could potentially lead to arbitrary code execution. --------------------------------------------- https://www.wiz.io/blog/nuclei-signature-verification-bypass ∗∗∗ Malicious npm Campaign Targets Ethereum Developers with Fake Hardhat Packages ∗∗∗ --------------------------------------------- Hardhat, maintained by the Nomic Foundation, is a vital tool for Ethereum developers. As a versatile development environment for Ethereum, it streamlines the creation, testing, and deployment of smart contracts and dApps. Its flexible plugin architecture allows developers to customize workflows with tools and extensions, optimizing productivity and supporting .. --------------------------------------------- https://socket.dev/blog/malicious-npm-campaign-targets-ethereum-developers ===================== = Vulnerabilities = ===================== ∗∗∗ iTerm2 3.5.11 released with a critical security fix ∗∗∗ --------------------------------------------- https://iterm2.com/downloads/stable/iTerm2-3_5_11.changelog -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.01.2025
by Daily end-of-shift report 02 Jan '25

02 Jan '25

===================== = End-of-Day report = ===================== Timeframe: Montag 30-12-2024 18:00 − Donnerstag 02-01-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Cyberangriff: Hacker wollen Daten von IT-Dienstleister Atos erbeutet haben ∗∗∗ --------------------------------------------- Die Angreifer behaupten, im Besitz einer Firmendatenbank von Atos zu sein. Der IT-Dienstleister findet bisher keine Beweise für einen Angriff. --------------------------------------------- https://www.golem.de/news/cyberangriff-hacker-wollen-daten-von-it-dienstlei… ∗∗∗ Supportende naht: Forscher warnt vor Security-Fiasko durch Windows 10 ∗∗∗ --------------------------------------------- Rund zwei Drittel aller Windows-PCs in Deutschland arbeiten noch mit Windows 10. Es besteht dringender Handlungsbedarf - nicht erst im Oktober dieses Jahres. --------------------------------------------- https://www.golem.de/news/supportende-naht-forscher-warnt-vor-security-fias… ∗∗∗ Chinas cyber intrusions took a sinister turn in 2024 ∗∗∗ --------------------------------------------- >From targeted espionage to pre-positioning - not that they are mutually exclusive The Chinese governments intrusions into Americas telecommunications and other critical infrastructure networks this year appears to signal a shift from cyberspying as usual to prepping for destructive attacks. --------------------------------------------- https://www.theregister.com/2024/12/31/china_cyber_intrusions_2024/ ∗∗∗ US Treasury Department outs the blast radius of BeyondTrusts key leak ∗∗∗ --------------------------------------------- Data pilfered as miscreants roamed affected workstations The US Department of the Treasury has admitted that miscreants were in its systems, accessing documents in what has been called a "major incident." --------------------------------------------- https://www.theregister.com/2024/12/31/us_treasury_department_hacked/ ∗∗∗ "Die perfekte Phishing-Mail": Mit KI-Textgeneratoren gegen Führungskräfte ∗∗∗ --------------------------------------------- KI-Technik ermöglicht es Kriminellen, hochpersonalisierte Phishing-Mails an Führungskräfte zu schicken, warnt ein Versicherer. Trainingsmaterial gibt es online. --------------------------------------------- https://www.heise.de/news/Die-perfekte-Phishing-Mail-Mit-KI-Textgeneratoren… ∗∗∗ U.S. Army Soldier Arrested in AT&T, Verizon Extortions ∗∗∗ --------------------------------------------- Federal authorities have arrested and indicted a 20-year-old U.S. Army soldier on suspicion of being Kiberphant0m, a cybercriminal who has been selling and leaking sensitive customer call records stolen earlier this year from AT&T and .. --------------------------------------------- https://krebsonsecurity.com/2024/12/u-s-army-soldier-arrested-in-att-verizo… ∗∗∗ Vorsicht vor betrügerischen E-Mails zur Rückerstattung von ORF-Gebühren ∗∗∗ --------------------------------------------- Derzeit finden zahlreiche Personen ein E-Mail in ihrem Postfach, in dem behauptet wird, dass sie Anspruch auf eine Rückerstattung von ORF-Gebühren in Höhe von 34,40 Euro haben. Achtung: Es handelt sich dabei um einen Phishing-Versuch, der darauf abzielt, Kontodaten zu stehlen. --------------------------------------------- https://www.watchlist-internet.at/news/betruegerisches-orf-rueckerstattung-… ∗∗∗ Bad Likert Judge: A Novel Multi-Turn Technique to Jailbreak LLMs by Misusing Their Evaluation Capability ∗∗∗ --------------------------------------------- The jailbreak technique "Bad Likert Judge" manipulates LLMs to generate harmful content using Likert scales, exposing safety gaps in LLM guardrails. --------------------------------------------- https://unit42.paloaltonetworks.com/multi-turn-technique-jailbreaks-llms/ ∗∗∗ DORA Regulation (Digital Operational Resilience Act): A Threat Intelligence Perspective ∗∗∗ --------------------------------------------- The Digital Operational Resilience Act (DORA) is coming in 2025. --------------------------------------------- https://www.team-cymru.com/post/dora-regulation-digital-operational-resilie… ∗∗∗ Passkey technology is elegant, but it’s most definitely not usable security ∗∗∗ --------------------------------------------- It's that time again, when families and friends gather and implore the more technically inclined among them to troubleshoot problems they're having behind the device screens all around them. One of the most vexing .. --------------------------------------------- https://arstechnica.com/security/2024/12/passkey-technology-is-elegant-but-… ∗∗∗ I’m Lovin’ It: Exploiting McDonald’s APIs to hijack deliveries and order food for a penny ∗∗∗ --------------------------------------------- API flaws in the McDonald’s McDelivery system in India, one of the world’s most popular food delivery apps, enabled a variety of fun exploits .. --------------------------------------------- https://eaton-works.com/2024/12/19/mcdelivery-india-hack/ ∗∗∗ Déjà vu: Ghostly CVEs in my terminal title ∗∗∗ --------------------------------------------- As I've spoken and written about all modern terminals are actually "emulating" something dating from the .. --------------------------------------------- https://dgl.cx/2024/12/ghostty-terminal-title ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-24-1737: Foxit PDF Reader AcroForm Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-1737/ ∗∗∗ ZDI-24-1736: (0Day) Paessler PRTG Network Monitor SNMP Cross-Site Scripting Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-1736/ ∗∗∗ ZDI-24-1739: Foxit PDF Reader Link Following Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-1739/ ∗∗∗ ZDI-24-1738: Foxit PDF Reader AcroForm Memory Corruption Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-1738/ ∗∗∗ PAN-OS Firewall Denial of Service (DoS) Vulnerability ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/threat-signal-report/5610 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily January 2025