=====================
= End-of-Day report =
=====================
Timeframe: Friday 28-03-2025 18:00 − Monday 31-03-2025 18:00
Handler: Felician Fuchs
Co-Handler: Alexander Riepl
=====================
= News =
=====================
∗∗∗ New Crocodilus malware steals Android users’ crypto wallet keys ∗∗∗
---------------------------------------------
A newly discovered Android malware dubbed Crocodilus tricks users into providing the seed phrase for the cryptocurrency wallet using a warning to back up the key to avoid losing access.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-crocodilus-malware-steal…
∗∗∗ Smoked out - Emmenhtal spreads SmokeLoader malware ∗∗∗
---------------------------------------------
We observed a malicious campaign targeting First Ukrainian International Bank (pumb[.]ua) and noticed the usage of a stealthy malware loader known as Emmenhtal [..] also referred to by Google as Peaklight.
---------------------------------------------
https://feeds.feedblitz.com/~/915916022/0/gdatasecurityblog-en~Smoked-out-E…
∗∗∗ Hidden Malware Strikes Again: Mu-Plugins Under Attack ∗∗∗
---------------------------------------------
Recently, we’ve uncovered multiple cases where threat actors are leveraging the mu-plugins directory to hide malicious code. This approach represents a concerning trend, as mu-plugins (Must-Use plugins) are not listed in the standard WordPress plugin interface, making them less noticeable and easier for users to overlook during routine security checks.
---------------------------------------------
https://blog.sucuri.net/2025/03/hidden-malware-strikes-again-mu-plugins-und…
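The mu-plugins item above explains why files in that directory escape routine checks: WordPress loads them automatically and never lists them in the plugin screen. As an added example (not code from Sucuri or from the article), the following Python script inventories wp-content/mu-plugins including subdirectories, records a SHA-256 per file so two runs can be diffed, and flags PHP files that show decode-then-eval constructs for manual review. The sample site tree, the heuristic pattern list and the placeholder base64 string are all constructed for the demonstration.

```python
"""Inventory a WordPress site's mu-plugins directory (constructed example).

mu-plugins are loaded automatically and never appear in the normal plugin
list, so a routine review should enumerate the directory explicitly and
record what is there.  This is an added illustration, not Sucuri's tooling;
the heuristic patterns and the sample site tree below are constructed.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed heuristics: constructs that legitimate mu-plugins rarely need
# but that obfuscated PHP droppers commonly rely on.  A hit means "open this
# file and read it", not "this file is malicious".
SUSPICIOUS_PATTERNS = {
    "eval": re.compile(r"\beval\s*\("),
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    "decoder": re.compile(r"\b(gzinflate|str_rot13|hex2bin)\s*\("),
    "remote_fetch": re.compile(r"\b(file_get_contents|curl_exec)\s*\(\s*['\"]https?://"),
}

PHP_SUFFIXES = {".php", ".phtml", ".inc"}


def sha256_of(path: Path) -> str:
    """Hash the file so the inventory can be diffed against an earlier run."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def inventory_mu_plugins(wp_root: str) -> list[dict]:
    """Return one record per file under wp-content/mu-plugins.

    Subdirectories are walked too: WordPress only auto-loads top-level PHP
    files, but a small top-level loader can include anything below it, so
    the whole tree belongs in the inventory.
    """
    mu_dir = Path(wp_root) / "wp-content" / "mu-plugins"
    records: list[dict] = []
    if not mu_dir.is_dir():
        return records  # nothing installed; still worth noting in a report
    for path in sorted(p for p in mu_dir.rglob("*") if p.is_file()):
        flags: list[str] = []
        if path.suffix.lower() in PHP_SUFFIXES:
            text = path.read_text(encoding="utf-8", errors="replace")
            flags = [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(text)]
        records.append({
            "file": path.relative_to(mu_dir).as_posix(),
            "sha256": sha256_of(path),
            "flags": flags,
        })
    return records


def needs_review(records: list[dict]) -> list[dict]:
    """Filter the inventory down to the files a reviewer should open."""
    return [r for r in records if r["flags"]]


def build_sample_site() -> str:
    """Constructed sample tree: one ordinary mu-plugin and one hidden loader
    in a subdirectory using the classic decode-then-eval shape.  The encoded
    string is a placeholder that decodes to the text 'constructed-placeholder'."""
    root = tempfile.mkdtemp(prefix="wp-mu-demo-")
    mu_dir = Path(root) / "wp-content" / "mu-plugins"
    (mu_dir / "cache").mkdir(parents=True)
    (mu_dir / "site-tweaks.php").write_text(
        "<?php\n/* Plugin Name: Site tweaks */\n"
        "add_filter('show_admin_bar', '__return_false');\n"
    )
    (mu_dir / "cache" / "index.php").write_text(
        "<?php\n$c = base64_decode('Y29uc3RydWN0ZWQtcGxhY2Vob2xkZXI=');\neval($c);\n"
    )
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for rec in inventory_mu_plugins(site):
        marker = "REVIEW" if rec["flags"] else "ok    "
        print(f"{marker} {rec['sha256'][:12]} {rec['file']} {','.join(rec['flags'])}")
```

Run against a real site by passing the WordPress root instead of the constructed tree; keeping the JSON-like records from each run lets a change in hash or the appearance of a new file trigger a review even when no heuristic fires.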
∗∗∗ BlackLock Ransomware Exposed After Researchers Exploit Leak Site Vulnerability ∗∗∗
---------------------------------------------
In what's an instance of hacking the hackers, threat hunters have managed to infiltrate the online infrastructure associated with a ransomware group called BlackLock, uncovering crucial information about their modus operandi in the process.
---------------------------------------------
https://thehackernews.com/2025/03/blacklock-ransomware-exposed-after.html
∗∗∗ BSI study: Numerous vulnerabilities in hospital information systems ∗∗∗
---------------------------------------------
On behalf of the BSI, IT security researchers put IT systems for hospitals through their paces and found gaps, for example in encryption and certificates.
---------------------------------------------
https://www.heise.de/news/BSI-Studie-Zahlreiche-Schwachstellen-in-Krankenha…
∗∗∗ Backdoor in the Backplane. Doing IPMI security better ∗∗∗
---------------------------------------------
IPMI remains a powerful but dangerously overlooked protocol in many enterprise environments. Whilst its ability to manage systems out of band is invaluable, there are significant security trade-offs – especially when outdated firmware, default credentials, and exposed interfaces are in play. As demonstrated, IPMI can lead to, or aid in, a malicious actor compromising the full domain with little more than network access.
---------------------------------------------
https://www.pentestpartners.com/security-blog/backdoor-in-the-backplane-doi…
∗∗∗ Preparing for the EU Radio Equipment Directive security requirements ∗∗∗
---------------------------------------------
UK & EU IoT manufacturers have more security regulation coming. [..] From 1st August 2025, mandatory cybersecurity requirements come into effect under the EU’s Radio Equipment Directive (2014/53/EU), or RED.
---------------------------------------------
https://www.pentestpartners.com/security-blog/preparing-for-the-eu-radio-eq…
∗∗∗ Oracle Health hacked, US patient data leaked ∗∗∗
---------------------------------------------
According to reports, cybercriminals broke into the servers of the US tech company Cerner Oracle Health after 22 January 2025. It is suspected that patient data of US citizens was exfiltrated. The FBI is investigating the incident, which raises questions about security at Oracle, as it is the second security incident to become known within a few days.
---------------------------------------------
https://www.borncity.com/blog/2025/03/30/oracle-health-gehackt-us-patienten…
∗∗∗ SVG Phishing Malware Being Distributed with Analysis Obstruction Feature ∗∗∗
---------------------------------------------
AhnLab SEcurity intelligence Center (ASEC) recently identified a phishing malware being distributed in Scalable Vector Graphics (SVG) format.
---------------------------------------------
https://asec.ahnlab.com/en/87078/
∗∗∗ Oracle attempt to hide serious cybersecurity incident from customers in Oracle SaaS service ∗∗∗
---------------------------------------------
Being a provider of cloud SaaS (Software-as-a-service) solutions requires certain cybersecurity responsibilities — including being transparent and open. The moment where this is tested at Oracle has arrived, as they have a serious cybersecurity incident playing out in a service they manage for customers.
---------------------------------------------
https://doublepulsar.com/oracle-attempt-to-hide-serious-cybersecurity-incid…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (amd64-microcode, flatpak, intel-microcode, libdata-entropy-perl, librabbitmq, and vim), Fedora (augeas, containerd, crosswords-puzzle-sets-xword-dl, libssh2, libxml2, nodejs-nodemon, and webkitgtk), Red Hat (libreoffice and python-jinja2), SUSE (389-ds, apparmor, corosync, docker, docker-stable, erlang26, exim, ffmpeg-4, govulncheck-vulndb, istioctl, matrix-synapse, mercurial, openvpn, python3, rke2, and skopeo), and Ubuntu (ansible, linux, linux-hwe-5.4, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-ibm, linux-kvm, linux-oracle, linux-oracle-5.4, linux-xilinx-zynqmp, linux-azure-fips, linux-gcp-fips, linux-fips, linux-fips, linux-aws-fips, linux-azure-fips, linux-gcp-fips, linux-nvidia-tegra, linux-nvidia-tegra-igx, linux-realtime, linux-intel-iot-realtime, linux-xilinx-zynqmp, opensc, and ruby-doorkeeper).
---------------------------------------------
https://lwn.net/Articles/1015968/
∗∗∗ IBM InfoSphere Information Server: Unauthorized access possible ∗∗∗
---------------------------------------------
The data integration platform IBM InfoSphere Information Server is vulnerable. The developers have closed several security vulnerabilities.
---------------------------------------------
https://www.heise.de/news/IBM-InfoSphere-Information-Server-Unbefugte-Zugri…
∗∗∗ ZendTo NDay Vulnerability Hunting - Unauthenticated RCE in v5.24-3 <= v6.10-4 ∗∗∗
---------------------------------------------
Discovering NDay flaws in ZendTo filesharing software highlighted an interesting fact: without the issuance of CVEs, vulnerabilities can easily go unpatched.
---------------------------------------------
https://projectblack.io/blog/zendto-nday-vulnerabilities/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 27-03-2025 18:00 − Friday 28-03-2025 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Phishing-as-a-service operation uses DNS-over-HTTPS for evasion ∗∗∗
---------------------------------------------
A newly discovered phishing-as-a-service (PhaaS) operation that researchers call Morphing Meerkat has been using the DNS over HTTPS (DoH) protocol to evade detection.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/phishing-as-a-service-operat…
∗∗∗ Emergency update: Critical sandbox vulnerability discovered in Firefox and Tor Browser ∗∗∗
---------------------------------------------
Not only Chrome users should update their browser these days. An actively exploited security vulnerability also affects the Windows version of Firefox.
---------------------------------------------
https://www.golem.de/news/notfallupdate-kritische-sandbox-luecke-in-firefox…
∗∗∗ Stealing user credentials with evilginx ∗∗∗
---------------------------------------------
A malevolent mutation of the widely used nginx web server facilitates Adversary-in-the-Middle action, but there's hope.
---------------------------------------------
https://news.sophos.com/en-us/2025/03/28/stealing-user-credentials-with-evi…
∗∗∗ Quick Guide to Magento Security Patches ∗∗∗
---------------------------------------------
Magento remains a popular ecommerce platform in 2025 and its security patches play a vital role in addressing vulnerabilities that could otherwise be exploited by attackers. These patches help prevent issues like data breaches, website defacement, or unauthorized access, ensuring the safety of customer data and store operations. Given the platform’s ..
---------------------------------------------
https://blog.sucuri.net/2025/03/quick-guide-to-magento-security-patches.html
∗∗∗ China’s FamousSparrow flies back into action, breaches US org after years off the radar ∗∗∗
---------------------------------------------
Crew also cooked up two fresh SparrowDoor backdoor variants, says ESET. The China-aligned FamousSparrow crew has resurfaced after a long period of presumed inactivity, compromising a US financial-sector trade group and a Mexican research institute. The gang also likely targeted a governmental institution in Honduras, along with other yet-to-be-identified victims.
---------------------------------------------
https://www.theregister.com/2025/03/27/china_famoussparrow_back/
∗∗∗ Storage appliances: Dell closes countless security vulnerabilities in Unity series ∗∗∗
---------------------------------------------
Among other things, Dell's developers have closed a 19-year-old vulnerability in various Unity models.
---------------------------------------------
https://www.heise.de/news/Storage-Appliances-Dell-schliesst-unzaehlige-Sich…
∗∗∗ New security requirements adopted by HTTPS certificate industry ∗∗∗
---------------------------------------------
The Chrome Root Program launched in 2022 as part of Google’s ongoing commitment to upholding secure and reliable network connections in Chrome. We previously described how the Chrome Root Program keeps users safe, and described how the program is focused on promoting technologies and practices that strengthen the underlying ..
---------------------------------------------
http://security.googleblog.com/2025/03/new-security-requirements-adopted-by…
∗∗∗ Money Laundering 101, and why Joe is worried ∗∗∗
---------------------------------------------
In this blog post, Joe covers the very basics of money laundering, how it facilitates ransomware cartels, and what the regulatory future holds for cybercrime.
---------------------------------------------
https://blog.talosintelligence.com/money-laundering-101-and-why-joe-is-worr…
∗∗∗ Gamaredon campaign abuses LNK files to distribute Remcos backdoor ∗∗∗
---------------------------------------------
Cisco Talos is actively tracking an ongoing campaign, active since at least November 2024, that targets users in Ukraine with malicious LNK files which run a PowerShell downloader.
---------------------------------------------
https://blog.talosintelligence.com/gamaredon-campaign-distribute-remcos/
∗∗∗ Obfuscation 101: Unmasking the Tricks Behind Malicious Code ∗∗∗
---------------------------------------------
“The malicious package was right in front of our eyes, but we didn't see it until it was too late.” Attackers frequently rely on obfuscation—the technique of deliberately making source code confusing and unreadable—to sneak malicious payloads past security defenses and code reviewers alike. Understanding these obfuscation techniques across ..
---------------------------------------------
https://socket.dev/blog/obfuscation-101-the-tricks-behind-malicious-code
∗∗∗ NVD Concedes Inability to Keep Pace with Surging CVE Disclosures in 2025 ∗∗∗
---------------------------------------------
The National Vulnerability Database (NVD) issued a new status update on March 19, attempting to clarify the current state of its vulnerability processing pipeline. The agency says it has resumed processing new CVEs at the same rate it maintained before last year’s slowdown, but with vulnerability volumes surging, that’s no longer enough. We are currently ..
---------------------------------------------
https://socket.dev/blog/nvd-backlog-crisis-deepens-amid-surging-cve-disclos…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (mercurial and opensaml), Fedora (augeas, mingw-libxslt, and nodejs-nodemon), Mageia (chromium-browser-stable), Red Hat (grafana, kernel, kernel-rt, opentelemetry-collector, and podman), SUSE (apache-commons-vfs2, python3, and python36), and Ubuntu (ghostscript, linux, linux-aws, linux-azure, linux-gcp, linux-gke, linux-gkeop, linux-ibm, linux-intel-iotg, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, ..
---------------------------------------------
https://lwn.net/Articles/1015718/
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 26-03-2025 18:00 − Thursday 27-03-2025 18:00
Handler: Felician Fuchs
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Dozens of solar inverter flaws could be exploited to attack power grids ∗∗∗
---------------------------------------------
Dozens of vulnerabilities in products from three leading makers of solar inverters, Sungrow, Growatt, and SMA, could be exploited to control devices or execute code remotely on the vendors' cloud platforms.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/dozens-of-solar-inverter-fla…
∗∗∗ Cybercrime tool Atlantis AIO is said to optimize automated password attacks ∗∗∗
---------------------------------------------
Behind it are organized professional criminals who advertise their tools on the darknet with ads and support. This is also the case with the Atlantis AIO tool recently discovered by security researchers.
---------------------------------------------
https://www.heise.de/news/Cybercrime-Tool-Atlantis-AIO-soll-automatisierte-…
∗∗∗ Subscription cancelled? Beware: Phishing attempt using Disney+! ∗∗∗
---------------------------------------------
Using an e-mail purportedly from Disney+, criminals try to lure their victims to a fake login page, where they ask for the subscription credentials and credit card details. Here we show you how to easily recognize the phishing attempt.
---------------------------------------------
https://www.watchlist-internet.at/news/phishing-versuch-disney/
=====================
= Vulnerabilities =
=====================
∗∗∗ Backup solution SnapCenter: Attackers can take over systems as admin ∗∗∗
---------------------------------------------
The backup software SnapCenter is vulnerable, and attackers can gain admin rights by successfully exploiting a "critical" security vulnerability. In a post on the vulnerability (CVE-2025-26512), the developers state that versions 6.0.1P1 and 6.1P1 have been fixed. All previous releases are attackable.
---------------------------------------------
https://www.heise.de/news/Backuploesung-SnapCenter-Angreifer-koennen-als-Ad…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (exim), Debian (exim4, ghostscript, and libcap2), Red Hat (container-tools:rhel8), SUSE (apache-commons-vfs2, argocd-cli, azure-cli-core, buildah, chromedriver, docker-stable, ed25519-java, kernel, kubernetes1.29-apiserver, kubernetes1.30-apiserver, kubernetes1.32-apiserver, libmbedcrypto7, microcode_ctl, php7, podman, proftpd, tomcat10, and webkit2gtk3), and Ubuntu (containerd, exim4, mariadb, opensaml, and org-mode).
---------------------------------------------
https://lwn.net/Articles/1015589/
∗∗∗ Security Vulnerability fixed in Firefox 136.0.4, Firefox ESR 128.8.1, Firefox ESR 115.21.1 ∗∗∗
---------------------------------------------
Following the sandbox escape in CVE-2025-2783, various Firefox developers identified a similar pattern in our IPC code. Attackers were able to confuse the parent process into leaking handles to unprivileged child processes leading to a sandbox escape. The original vulnerability was being exploited in the wild. This only affects Firefox on Windows. Other operating systems are unaffected.
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2025-19/
∗∗∗ Splunk: Some high-risk security leaks in several products ∗∗∗
---------------------------------------------
Splunk has reported a number of security vulnerabilities in several products. Updated software packages are available for download, with which admins can plug these security leaks.
---------------------------------------------
https://heise.de/-10330630
∗∗∗ DSA-5888-1 ghostscript - security update ∗∗∗
---------------------------------------------
https://lists.debian.org/debian-security-announce/2025/msg00050.html
∗∗∗ ABB: Cyber Security Advisory - ABB Low Voltage DC Drives and Power Controllers CODESYS RTS Vulnerabilities ∗∗∗
---------------------------------------------
https://search.abb.com/library/Download.aspx?DocumentID=9AKK108470A9494&Lan…
∗∗∗ ABB: Cyber Security Advisory - ABB ACS880 +N8010 Drives CODESYS RTS Vulnerabilities ∗∗∗
---------------------------------------------
https://search.abb.com/library/Download.aspx?DocumentID=9AKK108470A9491&Lan…
∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (March 17, 2025 to March 23, 2025) ∗∗∗
---------------------------------------------
https://www.wordfence.com/blog/2025/03/wordfence-intelligence-weekly-wordpr…
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 25-03-2025 18:00 − Wednesday 26-03-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ New npm attack poisons local packages with backdoors ∗∗∗
---------------------------------------------
Two malicious packages were discovered on npm (Node package manager) that covertly patch legitimate, locally installed packages to inject a persistent reverse shell backdoor. This way, even if the victim removes the malicious packages, the backdoor remains on their system.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-npm-attack-poisons-local…
∗∗∗ NCSC taps influencers to make 2FA go viral ∗∗∗
---------------------------------------------
The world's biggest brands have benefited from influencer marketing for years – now the UK's National Cyber Security Centre (NCSC) has hopped on the bandwagon to preach two-factor authentication (2FA) to the masses.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2025/03/26/ncsc_influen…
∗∗∗ CoffeeLoader: A Brew of Stealthy Techniques ∗∗∗
---------------------------------------------
Zscaler ThreatLabz has identified a new sophisticated malware family that we named CoffeeLoader, which originated around September 2024. The purpose of the malware is to download and execute second-stage payloads while evading detection by endpoint-based security products. The malware uses numerous techniques to bypass security solutions, including a specialized packer that utilizes the GPU, call stack spoofing, sleep obfuscation, and the use of Windows fibers.
---------------------------------------------
https://www.zscaler.com/blogs/security-research/coffeeloader-brew-stealthy-…
∗∗∗ Have I Been Pwned: Project operator Troy Hunt pwned ∗∗∗
---------------------------------------------
Troy Hunt, operator of the Have-I-Been-Pwned (HIBP) service, fell victim to a phishing attack and was thus himself "pwned". As a result, 16,627 e-mail addresses from the mailing list for the newsletter of Troy's personal blog ended up in unauthorized hands. In a blog post, Hunt explains how the incident could happen.
---------------------------------------------
https://heise.de/-10328970
=====================
= Vulnerabilities =
=====================
∗∗∗ Critical security vulnerabilities in Kubernetes Ingress NGINX Controller - Updates available ∗∗∗
---------------------------------------------
Several critical security vulnerabilities have been discovered in the Kubernetes Ingress NGINX Controller, a core component of Kubernetes. Among other things, they allow unauthenticated remote code execution (RCE) and unauthorized access to secrets.
---------------------------------------------
https://www.cert.at/de/warnungen/2025/3/kubernetes-ingress-nginx-controller…
∗∗∗ Patch urgently: Dangerous zero-day vulnerability in Chrome exploited for espionage ∗∗∗
---------------------------------------------
After Google closed a critical security vulnerability in its Chrome web browser only last week, the company is now following up again. With an update released on Tuesday, Google fixes a vulnerability that is already being actively exploited in targeted espionage attacks. [..] The exploitation of the Chrome vulnerability registered as CVE-2025-2783 was discovered in mid-March by security researchers from Kaspersky. [..] According to the information available, the vulnerability can be exploited through specially crafted websites that the respective target merely needs to visit. [..] The security researchers intend to publish a report with further technical details at a later date.
---------------------------------------------
https://www.golem.de/news/dringend-patchen-gefaehrliche-zero-day-luecke-in-…
∗∗∗ VMware Tools allow privilege escalation in VMs ∗∗∗
---------------------------------------------
In Broadcom's security advisory, the authors explain that an authentication bypass is possible due to insufficient access controls (CVE-2025-22230, CVSS 7.8, risk "high"). Malicious actors with non-administrative rights in a Windows guest system can thereby perform operations that require higher access privileges.
---------------------------------------------
https://www.heise.de/-10328819
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (nginx and ruby-rack), Fedora (expat and libxslt), Mageia (bluez, dcmtk, ffmpeg, and radare2), Red Hat (container-tools:rhel8, gvisor-tap-vsock, kernel, kernel-rt, libreoffice, and podman), SUSE (buildah, forgejo, gitleaks, google-guest-agent, google-osconfig-agent, govulncheck-vulndb, grafana, helm, libxslt, php8, python-gunicorn, and python-Jinja2), and Ubuntu (freerdp2 and varnish).
---------------------------------------------
https://lwn.net/Articles/1015464/
∗∗∗ MISP v2.4.206 and v2.5.8 Released - new workflow modules, improved graph object relationship management and many other improvements ∗∗∗
---------------------------------------------
[security] Fixed stored XSS in event reports (mermaid rendering function).
---------------------------------------------
https://github.com/MISP/MISP/releases/tag/v2.5.8
∗∗∗ ZDI-25-181: (0Day) Arista NG Firewall User-Agent Cross-Site Scripting Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Arista NG Firewall. Minimal user interaction is required to exploit this vulnerability. CVE-2025-2767
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-181/
∗∗∗ Huawei: Security Advisory - Authentication Bypass Vulnerability in Huawei PC Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2025/huawei-sa-20250325-…
∗∗∗ ZDI-25-180: (0Day) 70mai A510 Use of Default Password Authentication Bypass Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-180/
∗∗∗ ZDI-25-178: (0Day) CarlinKit CPC200-CCPA update.cgi Improper Verification of Cryptographic Signature Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-178/
∗∗∗ Inaba Denki Sangyo CHOCO TEI WATCHER mini ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-084-04
=====================
= End-of-Day report =
=====================
Timeframe: Monday 24-03-2025 18:00 − Tuesday 25-03-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ Browser-in-the-Browser attacks target CS2 players Steam accounts ∗∗∗
---------------------------------------------
A new phishing campaign targets Counter-Strike 2 players utilizing Browser-in-the-Browser (BitB) attacks that display a realistic window that mimics Steam's login page.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/browser-in-the-browser-attac…
∗∗∗ Open-sourcing OpenPubkey SSH (OPKSSH): integrating single sign-on with SSH ∗∗∗
---------------------------------------------
OPKSSH (OpenPubkey SSH) is now open-sourced as part of the OpenPubkey project.
---------------------------------------------
https://blog.cloudflare.com/open-sourcing-openpubkey-ssh-opkssh-integrating…
∗∗∗ Zero Day: Russian company pays millions for Telegram vulnerabilities ∗∗∗
---------------------------------------------
The steadily growing user base also makes the platform increasingly attractive for cyberattacks. For this reason, the Russian vulnerability broker Operation Zero now offers up to four million US dollars for unpatched security vulnerabilities in Telegram.
---------------------------------------------
https://www.golem.de/news/zero-day-russische-firma-zahlt-millionen-fuer-tel…
∗∗∗ Warning: Phishing e-mails in the name of the Wiener Tourismusverband! ∗∗∗
---------------------------------------------
E-mails are currently circulating in the name of the accounting department, asking recipients to send invoices directly by e-mail due to technical problems. Caution: These e-mails do not come from employees of the Wiener Tourismusverband but from criminals!
---------------------------------------------
https://www.watchlist-internet.at/news/achtung-phishing-mails-im-namen-des-…
∗∗∗ Oracle allegedly hacked: User data for sale on the darknet ∗∗∗
---------------------------------------------
Security researchers from CloudSEK report that sensitive data of around 140,000 Oracle customers is for sale on the darknet. This information is said to originate from a cyberattack. According to the hardware and software manufacturer, there has been no IT security incident.
---------------------------------------------
https://heise.de/-10327980
∗∗∗ US agency stops funding for Let's Encrypt and Tor ‒ Open Tech Fund fights back ∗∗∗
---------------------------------------------
Following a decree by US President Trump, the Open Technology Fund no longer receives funding. The organization is therefore now going to court.
---------------------------------------------
https://heise.de/-10328226
∗∗∗ Fake Hiring Challenge for Developers Steals Sensitive Data ∗∗∗
---------------------------------------------
Cyble threat intelligence researchers have uncovered a GitHub repository masquerading as a hiring coding challenge that tricks developers into downloading a backdoor to steal sensitive data. [..] There is evidence that the campaign may be expanding beyond a fake hiring challenge for developers, as Cyble Research and Intelligence Labs (CRIL) researchers also found invoice-themed lures.
---------------------------------------------
https://thecyberexpress.com/fake-hiring-challenge-targets-developers/
=====================
= Vulnerabilities =
=====================
∗∗∗ Notable vulnerabilities in Next.js (CVE-2025-29927) and CrushFTP ∗∗∗
---------------------------------------------
On Friday, March 21, 2025, file transfer software maker CrushFTP disclosed a new vulnerability to customers via email. While the email [...] indicates only CrushFTP v11 is affected by the still-CVE-less (as of March 25) unauthenticated port access vulnerability, the extremely sparse vendor advisory indicates that both CrushFTP v10 and v11 are affected. According to the vendor, the issue is not exploitable if customers have the DMZ function of CrushFTP in place.
---------------------------------------------
https://www.rapid7.com/blog/post/2025/03/25/etr-notable-vulnerabilities-in-…
∗∗∗ RCE Vulnerabilities in k8s Ingress NGINX (9.8 CVE for ingress-nginx) ∗∗∗
---------------------------------------------
Wiz Research discovered CVE-2025-1097, CVE-2025-1098, CVE-2025-24514 and CVE-2025-1974, a series of unauthenticated Remote Code Execution vulnerabilities in Ingress NGINX Controller for Kubernetes dubbed #IngressNightmare. Exploitation of these vulnerabilities leads to unauthorized access to all secrets stored across all namespaces in the Kubernetes cluster by attackers, which can result in cluster takeover.
---------------------------------------------
https://www.wiz.io/blog/ingress-nginx-kubernetes-vulnerabilities
∗∗∗ Kubernetes: CVE-2025-1974 ∗∗∗
---------------------------------------------
https://github.com/kubernetes/kubernetes/issues/131009
∗∗∗ Kubernetes: CVE-2025-1098 ∗∗∗
---------------------------------------------
https://github.com/kubernetes/kubernetes/issues/131008
∗∗∗ Kubernetes: CVE-2025-1097 ∗∗∗
---------------------------------------------
https://github.com/kubernetes/kubernetes/issues/131007
∗∗∗ Kubernetes: CVE-2025-24514 ∗∗∗
---------------------------------------------
https://github.com/kubernetes/kubernetes/issues/131006
∗∗∗ Kubernetes: CVE-2025-24513 ∗∗∗
---------------------------------------------
https://github.com/kubernetes/kubernetes/issues/131005
∗∗∗ Micropatches released for SCF File NTLM Hash Disclosure Vulnerability (0day) - and Free Micropatches for it ∗∗∗
---------------------------------------------
https://blog.0patch.com/2025/03/scf-file-ntlm-hash-disclosure.html
∗∗∗ Rockwell Automation 440G TLS-Z ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-084-03
∗∗∗ Rockwell Automation Verve Asset Manager ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-084-02
∗∗∗ ABB RMC-100 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-084-01
∗∗∗ Inaba Denki Sangyo CHOCO TEI WATCHER Mini ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-084-04
=====================
= End-of-Day report =
=====================
Timeframe: Friday 21-03-2025 18:00 − Monday 24-03-2025 18:00
Handler: Felician Fuchs
Co-Handler: Alexander Riepl
=====================
= News =
=====================
∗∗∗ FBI warnings are true—fake file converters do push malware ∗∗∗
---------------------------------------------
The FBI is warning that fake online document converters are being used to steal people's information and, in worst-case scenarios, lead to ransomware attacks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fbi-warnings-are-true-fake-f…
∗∗∗ Cloudflare now blocks all unencrypted traffic to its API endpoints ∗∗∗
---------------------------------------------
Cloudflare announced that it closed all HTTP connections and it is now accepting only secure, HTTPS connections for api.cloudflare.com.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cloudflare-now-blocks-all-un…
∗∗∗ Trusted Signing: Hackers sign Windows malware via Microsoft platform ∗∗∗
---------------------------------------------
Researchers have discovered malware that was signed via Microsoft's new Trusted Signing platform. This makes it easier to infect Windows systems.
---------------------------------------------
https://www.golem.de/news/trusted-signing-microsoft-dienst-zum-signieren-vo…
∗∗∗ Coinbase Initially Targeted in GitHub Actions Supply Chain Attack; 218 Repositories CI/CD Secrets Exposed ∗∗∗
---------------------------------------------
The supply chain attack involving the GitHub Action "tj-actions/changed-files" started as a highly targeted attack against one of Coinbase's open-source projects, before evolving into something more widespread in scope. "The payload was focused on ..
---------------------------------------------
https://thehackernews.com/2025/03/github-supply-chain-breach-coinbase.html
∗∗∗ Critical Next.js Vulnerability Allows Attackers to Bypass Middleware Authorization Checks ∗∗∗
---------------------------------------------
A critical security flaw has been disclosed in the Next.js React framework that could be potentially exploited to bypass authorization checks under certain conditions. The vulnerability, tracked as CVE-2025-29927, carries a CVSS score of 9.1 ..
---------------------------------------------
https://thehackernews.com/2025/03/critical-nextjs-vulnerability-allows.html
∗∗∗ Oracle Cloud says it's not true someone broke into its login servers and stole data ∗∗∗
---------------------------------------------
Despite evidence to the contrary, as allegedly pilfered info goes on sale, Oracle has flatly denied claims by a miscreant that its public cloud offering has been compromised and information stolen.
---------------------------------------------
https://www.theregister.com/2025/03/23/oracle_cloud_customers_keys_credenti…
∗∗∗ Verfassungsschutz: German NGOs targeted by Russian cyberattacks ∗∗∗
---------------------------------------------
The Federal Office for the Protection of the Constitution (Bundesamt für Verfassungsschutz) has alerted several civil-society organisations that they are increasingly in the focus of Russian cyberattacks.
---------------------------------------------
https://www.heise.de/news/Verfassungsschutz-warnt-NGOs-vor-zunehmenden-russ…
∗∗∗ Google Maps: Fake locksmiths and similar businesses spy on users ∗∗∗
---------------------------------------------
Google Maps is suing fake businesses on its platform that harvested and sold user data.
---------------------------------------------
https://heise.de/-10325360
∗∗∗ How to find Next.js on your network ∗∗∗
---------------------------------------------
On March 22nd, 2025, Next.js disclosed an authentication bypass vulnerability in the middleware layer. Exploitation is trivial and can be achieved by sending an extra HTTP header. For specifics, please see ..
---------------------------------------------
https://www.runzero.com/blog/next-js/
∗∗∗ Next.js Patches Critical Middleware Vulnerability (CVE-2025-29927) ∗∗∗
---------------------------------------------
This weekend, the Next.js team released emergency patches addressing a critical vulnerability (CVE-2025-29927) that allowed attackers to bypass middleware-based security checks, including authentication and ..
---------------------------------------------
https://socket.dev/blog/next-js-patches-critical-middleware-vulnerability
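The two Next.js entries above (runzero's "extra HTTP header" remark and the socket.dev patch summary) describe a middleware-layer authorization bypass without giving the mechanics. The following is an added example, not Next.js or Vercel code, that models the failure and the two mitigations a practitioner would apply: drop framework-internal headers at the edge, and enforce authorization in the route handler rather than in middleware alone. The header name x-middleware-subrequest is the one named in the Next.js advisory for CVE-2025-29927 and is not stated on this page; the middleware-skip logic is a deliberate simplification, and the users, tokens and routes are constructed for the demo.

```javascript
// Added example (not Next.js or Vercel code): a minimal model of
// middleware-based authorization, showing (a) how a client-supplied
// "internal" header can cause the middleware to be skipped and (b) the two
// mitigations: strip such headers at the edge, and re-check authorization in
// the route handler. The header name x-middleware-subrequest comes from the
// Next.js advisory for CVE-2025-29927 (not from this page); the skip logic is
// simplified, and users, tokens and routes are constructed for the demo.

const INTERNAL_ONLY_HEADERS = new Set(["x-middleware-subrequest"]);
const VALID_TOKENS = new Set(["tok-alice"]); // constructed credential store

function normalize(req) {
  // Header names are case-insensitive; compare them in lower case.
  const headers = {};
  for (const [k, v] of Object.entries(req.headers || {})) headers[k.toLowerCase()] = v;
  return { path: req.path, headers };
}

function stripInternalHeaders(req) {
  // Edge mitigation: requests arriving from outside must never carry headers
  // the framework reserves for its own internal sub-requests.
  const headers = {};
  for (const [k, v] of Object.entries(req.headers)) {
    if (!INTERNAL_ONLY_HEADERS.has(k)) headers[k] = v;
  }
  return { path: req.path, headers };
}

function isAuthenticated(req) {
  const auth = req.headers["authorization"] || "";
  return auth.startsWith("Bearer ") && VALID_TOKENS.has(auth.slice("Bearer ".length));
}

function middleware(req) {
  // Simplified model of the flaw: the runner treats a request carrying the
  // internal header as a sub-request and skips the middleware entirely.
  if ("x-middleware-subrequest" in req.headers) return { action: "next" };
  if (req.path.startsWith("/admin") && !isAuthenticated(req)) {
    return { action: "respond", status: 401 };
  }
  return { action: "next" };
}

function adminHandler(req, recheck) {
  // Defense in depth: the handler enforces authorization itself instead of
  // assuming the middleware ran.
  if (recheck && !isAuthenticated(req)) return { status: 401 };
  return { status: 200, body: "admin panel" };
}

// hardened=false reproduces the vulnerable pipeline; hardened=true applies
// both mitigations.
function serve(rawReq, { hardened }) {
  let req = normalize(rawReq);
  if (hardened) req = stripInternalHeaders(req);
  const mw = middleware(req);
  if (mw.action === "respond") return { status: mw.status };
  if (req.path.startsWith("/admin")) return adminHandler(req, hardened);
  return { status: 404 };
}

// Constructed requests: an unauthenticated caller adding the internal header
// (the value is a placeholder), and a legitimately authenticated admin.
const BYPASS_ATTEMPT = { path: "/admin", headers: { "X-Middleware-Subrequest": "x" } };
const LEGIT_ADMIN = { path: "/admin", headers: { Authorization: "Bearer tok-alice" } };

console.log("vulnerable:", serve(BYPASS_ATTEMPT, { hardened: false }).status); // 200
console.log("hardened:  ", serve(BYPASS_ATTEMPT, { hardened: true }).status);  // 401
console.log("legit:     ", serve(LEGIT_ADMIN, { hardened: true }).status);     // 200
```

Stripping the header at a reverse proxy is the stop-gap for deployments that cannot patch immediately; the durable fix is the vendor patch plus handler-level authorization, since any future middleware-skip condition would otherwise have the same effect.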
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 20-03-2025 18:00 − Friday 21-03-2025 18:00
Handler: Felician Fuchs
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Attackers are exploiting the backdoor in Cisco Smart Licensing Utility ∗∗∗
---------------------------------------------
As security researchers report, attackers are currently starting to exploit two vulnerabilities in Cisco Smart Licensing Utility, gaining access with admin rights. Security patches have been available for some time. [..] The "critical" vulnerabilities (CVE-2024-20439, CVE-2024-20440) have been known since early September 2024.
---------------------------------------------
https://heise.de/-10323893
∗∗∗ VSCode extensions found downloading early-stage ransomware ∗∗∗
---------------------------------------------
Two malicious VSCode Marketplace extensions were found deploying in-development ransomware from a remote server, exposing critical gaps in Microsoft's review process.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/vscode-extensions-found-down…
∗∗∗ Medusa Ransomware Uses Malicious Driver to Disable Anti-Malware with Stolen Certificates ∗∗∗
---------------------------------------------
The threat actors behind the Medusa ransomware-as-a-service (RaaS) operation have been observed using a malicious driver dubbed ABYSSWORKER as part of a bring your own vulnerable driver (BYOVD) attack designed to disable anti-malware tools.
---------------------------------------------
https://thehackernews.com/2025/03/medusa-ransomware-uses-malicious-driver.h…
∗∗∗ How to Avoid US-Based Digital Services—and Why You Might Want To ∗∗∗
---------------------------------------------
Amid growing concerns over Big Tech firms aligning with Trump administration policies, people are starting to move their digital lives to services based overseas. Here's what you need to know.
---------------------------------------------
https://www.wired.com/story/trump-era-digital-expat/
∗∗∗ Fake shops such as eu.stanlaystore.com lure with cheap Stanley Cups ∗∗∗
---------------------------------------------
Stanley Cups are currently among the most popular insulated tumblers on the market. Unfortunately, criminals are also exploiting the high demand and offering the trendy cups in fake shops, for example the website eu.stanlaystore.com, which lures with unbeatably low prices.
---------------------------------------------
https://www.watchlist-internet.at/news/fake-shops-wie-eustanlaystorecom-loc…
∗∗∗ Phishing alert: how the new debit card scam works ∗∗∗
---------------------------------------------
Criminals are currently sending increasing numbers of fake emails in the name of Erste Bank. They claim that your debit card is outdated and that you must apply for a new card. With this scam, criminals are trying to get hold of your debit card together with its PIN!
---------------------------------------------
https://www.watchlist-internet.at/news/achtung-phishing-so-funktioniert-der…
∗∗∗ GitHub Actions Supply Chain Attack: A Targeted Attack on Coinbase Expanded to the Widespread tj-actions/changed-files Incident: Threat Assessment (Updated 3/21) ∗∗∗
---------------------------------------------
Updated March 20: The recent compromise of the GitHub action tj-actions/changed-files and additional actions within the reviewdog organization has captured the attention of the GitHub community, marking another major software supply chain attack. Our team conducted an in-depth investigation into this incident and uncovered many more details about how the attack occurred and its timeline. [..] Our team also discovered that the initial attack targeted Coinbase. The payload was focused on exploiting the public CI/CD flow of one of their open source projects – agentkit, probably with the purpose of leveraging it for further compromises. However, the attacker was not able to use Coinbase secrets or publish packages.
---------------------------------------------
https://unit42.paloaltonetworks.com/github-actions-supply-chain-attack/
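Both the Hacker News summary and the Unit42 assessment above concern the same tj-actions/changed-files compromise, in which existing version tags were repointed at a malicious commit, so any workflow referencing the action by tag pulled the backdoor while SHA-pinned references did not. The following added example, not Unit42's or GitHub's tooling, audits workflow YAML for third-party actions that are not pinned to a full commit SHA. The workflow text and the 40-hex SHA in it are constructed for the demo.

```javascript
// Added example (not Unit42's or GitHub's tooling): audit GitHub Actions
// workflows for third-party actions referenced by a mutable tag or branch
// instead of a full commit SHA. In the tj-actions/changed-files incident the
// attacker moved existing version tags to a malicious commit, so "@v45"-style
// references resolved to the backdoor while SHA-pinned references did not.
// The workflow text below (including the SHA) is constructed for the demo.

const SAMPLE_WORKFLOW = `name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4 (constructed SHA)
      - uses: ./.github/actions/local-thing
      - run: npm test
`;

const USES_LINE = /^\s*-?\s*uses:\s*([^\s#]+)/;
const FULL_SHA = /^[0-9a-f]{40}$/;

// Returns one finding per third-party action that is not SHA-pinned:
// { line, ref, reason }.
function auditActionRefs(workflowText) {
  const findings = [];
  workflowText.split("\n").forEach((line, idx) => {
    const m = USES_LINE.exec(line);
    if (!m) return;
    const ref = m[1];
    // Local composite actions and docker:// images are out of scope here.
    if (ref.startsWith("./") || ref.startsWith("docker://")) return;
    const at = ref.lastIndexOf("@");
    if (at === -1) {
      findings.push({ line: idx + 1, ref, reason: "no ref" });
      return;
    }
    const version = ref.slice(at + 1);
    if (!FULL_SHA.test(version)) {
      findings.push({ line: idx + 1, ref, reason: "mutable ref" });
    }
  });
  return findings;
}

for (const f of auditActionRefs(SAMPLE_WORKFLOW)) {
  console.log(`line ${f.line}: ${f.ref} (${f.reason})`);
}
```

To run it over a repository, read each file under .github/workflows/ and pass its contents to auditActionRefs. Pinning by SHA only covers the action you reference directly; a pinned composite action can still pull its own dependencies by tag, so the audit is a necessary check, not a sufficient one.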
∗∗∗ Major web services go dark in Russia amid reported Cloudflare block ∗∗∗
---------------------------------------------
Website outages were observed across Russia this week, with regulators attributing them to issues with foreign servers. Observers said the problems might be tied to Russian government moves to block Cloudflare services.
---------------------------------------------
https://therecord.media/russia-websites-dark-reported-cloudflare-block
=====================
= Vulnerabilities =
=====================
∗∗∗ Vulnerability in NAKIVO Backup & Replication ∗∗∗
---------------------------------------------
A vulnerability has been discovered in NAKIVO Backup & Replication 10.11.3.86570 and earlier. [..] We have already removed the affected versions from App Center and requested NAKIVO to provide a fixed version as soon as possible.
---------------------------------------------
https://www.qnap.com/en-us/security-advisory/QSA-25-08
∗∗∗ Siemens: SSA-656895 V1.2 (Last Update: 2025-03-20): Open Redirect Vulnerability in Teamcenter ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-656895.html
∗∗∗ [R1] Nessus Agent Version 10.8.3 Fixes One Vulnerability ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2025-02
∗∗∗ F5: K000150484: Apache Tomcat vulnerability CVE-2025-24813 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000150484
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 19-03-2025 18:00 − Thursday 20-03-2025 18:00
Handler: Felician Fuchs
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ HellCat hackers go on a worldwide Jira hacking spree ∗∗∗
---------------------------------------------
Swiss global solutions provider Ascom has confirmed a cyberattack on its IT infrastructure as a hacker group known as Hellcat targets Jira servers worldwide using compromised credentials.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hellcat-hackers-go-on-a-worl…
∗∗∗ Six Governments Likely Use Israeli Paragon Spyware to Hack IM Apps and Harvest Data ∗∗∗
---------------------------------------------
The governments of Australia, Canada, Cyprus, Denmark, Israel, and Singapore are likely customers of spyware developed by Israeli company Paragon Solutions, according to a new report from The Citizen Lab. [..] In these attacks, targets were added to a WhatsApp group, and then sent a PDF document, which is subsequently parsed automatically to trigger the now-patched zero-day vulnerability and load the Graphite spyware.
---------------------------------------------
https://thehackernews.com/2025/03/six-governments-likely-use-israeli.html
∗∗∗ Phishing attempts in the name of Oberbank: "Please update your personal information" ∗∗∗
---------------------------------------------
With fake SMS messages, criminals are currently stepping up efforts to lead victims to fake Oberbank customer portals. The target of the phishing attack is sensitive banking data. Here you can learn how the scam works and how to recognise the fake. We also explain what you can do if you have already sent your personal information to the fraudsters.
---------------------------------------------
https://www.watchlist-internet.at/news/persoenlichen-informationen-phishing…
∗∗∗ Press release: fake shops, product piracy and more as a threat to Austrian online retail ∗∗∗
---------------------------------------------
Fake shops, brand counterfeiting, product piracy or intellectual property violations: the threats in e-commerce are diverse and can not only cause financial losses for Austrian businesses through fraudulent competition, but also undermine customers' trust in online retail as a whole.
---------------------------------------------
https://www.watchlist-internet.at/news/presseaussendung-bedrohungen-fuer-de…
∗∗∗ UK sets timeline for country’s transition to quantum-resistant encryption ∗∗∗
---------------------------------------------
The U.K. National Cyber Security Centre issued new guidance to help organizations transition to cryptographic algorithms and protocols that can protect data threatened by quantum computing.
---------------------------------------------
https://therecord.media/uk-ncsc-quantum-resistant-algorithms-transition
=====================
= Vulnerabilities =
=====================
∗∗∗ WordPress security plugin WP Ghost vulnerable to remote code execution bug ∗∗∗
---------------------------------------------
Popular WordPress security plugin WP Ghost is vulnerable to a critical severity flaw that could allow unauthenticated attackers to remotely execute code and hijack servers. [..] The flaw, tracked as CVE-2025-26909, impacts all versions of WP Ghost up to 5.4.01 and stems from insufficient input validation in the 'showFile()' function. Exploiting the flaw could allow attackers to include arbitrary files via manipulated URL paths.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/wordpress-security-plugin-wp…
∗∗∗ Google warns: critical security vulnerability in Chrome endangers users ∗∗∗
---------------------------------------------
Google has released important security updates for its Chrome web browser. [..] For security reasons, Google is for now withholding details on the vulnerability registered as CVE-2025-2476 in its release announcement.
---------------------------------------------
https://www.golem.de/news/google-warnt-kritische-sicherheitsluecke-in-chrom…
∗∗∗ Veeam Backup & Replication RCE vulnerability CVE-2025-23120 ∗∗∗
---------------------------------------------
Users of Veeam Backup & Replication must act. On 19 March 2025 the vendor Veeam disclosed a remote code execution (RCE) vulnerability, CVE-2025-23120, in several versions of the product. Security updates are available to close this vulnerability.
---------------------------------------------
https://www.borncity.com/blog/2025/03/19/veeam-backup-replication-rce-schwa…
∗∗∗ ZDI-25-175: (0Day) Luxion KeyShot USDC File Parsing Use-After-Free Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-175/
∗∗∗ ZDI-25-174: (0Day) Luxion KeyShot DAE File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-174/
∗∗∗ Serious security vulnerabilities threaten IBM AIX server operating system ∗∗∗
---------------------------------------------
https://www.heise.de/news/Schwerwiegende-Sicherheitsluecken-bedrohen-Server…
∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2025-0002 ∗∗∗
---------------------------------------------
https://webkitgtk.org/security/WSA-2025-0002.html
∗∗∗ SMA Sunny Portal ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-079-04
∗∗∗ Santesoft Sante DICOM Viewer Pro ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-079-01
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 18-03-2025 18:00 − Wednesday 19-03-2025 18:00
Handler: Alexander Riepl
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ Malicious Android Vapor apps on Google Play installed 60 million times ∗∗∗
---------------------------------------------
Over 300 malicious Android applications, downloaded 60 million times from Google Play, acted as adware or attempted to steal credentials and credit card information.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/malicious-android-vapor-apps…
∗∗∗ Why it's time for phishing prevention to move beyond email ∗∗∗
---------------------------------------------
While phishing has evolved, email security hasn't kept up. Attackers now bypass MFA & detection tools with advanced phishing kits, making credential theft harder to prevent. Learn how Push Security's browser-based security stops attacks as they happen.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/why-its-time-for-phishing-pr…
∗∗∗ iOS users at risk: phishing flaw in Passwords app only patched after months ∗∗∗
---------------------------------------------
Apple's Passwords app handled redirects for password changes over unencrypted HTTP. Attackers could have redirected users to phishing sites.
---------------------------------------------
https://www.golem.de/news/unsicheres-http-ios-nutzer-durch-phishing-luecke-…
∗∗∗ Malware incoming: unpatched Windows flaw has been exploited for 8 years ∗∗∗
---------------------------------------------
Hackers have been exploiting the vulnerability since at least 2017. No patch is in sight so far. Targets in Germany have already been attacked as well.
---------------------------------------------
https://www.golem.de/news/malware-im-anmarsch-ungepatchte-windows-luecke-wi…
∗∗∗ Arcane stealer: We want all your data ∗∗∗
---------------------------------------------
The new Arcane stealer spreads via YouTube and Discord, collecting data from many applications, including VPN and gaming clients, network utilities, messaging apps, and browsers.
---------------------------------------------
https://securelist.com/arcane-stealer/115919/
∗∗∗ Announcing OSV-Scanner V2: Vulnerability scanner and remediation tool for open source ∗∗∗
---------------------------------------------
Today, we're thrilled to announce the launch of OSV-Scanner V2.0.0, following the announcement of the beta version. This V2 release builds upon the foundation we laid with OSV-SCALIBR and adds significant new capabilities ..
---------------------------------------------
https://security.googleblog.com/2025/03/announcing-osv-scanner-v2-vulnerabi…
∗∗∗ Buying browser extensions for fun and profit ∗∗∗
---------------------------------------------
Your browser extensions could be secretly sold to malicious actors without your knowledge. What starts as helpful tools created by passionate developers can transform into dangerous spyware when sold to the highest bidder. As these extensions grow to hundreds of thousands of users, their creators—overwhelmed by maintenance and lacking ..
---------------------------------------------
https://secureannex.com/blog/buying-browser-extensions/
∗∗∗ Which passwords are attackers using against RDP ports right now? ∗∗∗
---------------------------------------------
The Specops research team has been analyzing 15 million passwords being used to attack RDP ports, in live attacks happening against networks right now. Our team have found the ten most common passwords attackers are using and analyzed their wordlists for the most common complexity rules and password lengths. We shared the results of a ..
---------------------------------------------
https://specopssoft.com/blog/passwords-used-in-attacking-rdp-ports/
∗∗∗ AMOS and Lumma stealers actively spread to Reddit users ∗∗∗
---------------------------------------------
Reddit users from trading and crypto subreddits are being lured into installing malware disguised as premium cracked software.
---------------------------------------------
https://www.malwarebytes.com/blog/scams/2025/03/amos-and-lumma-stealers-act…
∗∗∗ Website kidnapping: how to protect your website from hacking attacks! ∗∗∗
---------------------------------------------
Austrian companies are increasingly targeted by criminals who covertly manipulate their websites in order to redirect customers to fake shops or other illegal content. Small and medium-sized enterprises (SMEs) are particularly at risk, as they often lack adequate IT security measures.
---------------------------------------------
https://www.watchlist-internet.at/news/website-kidnapping-so-schuetzen-sie-…
∗∗∗ Russia is deliberately poisoning AI chatbots such as ChatGPT with propaganda ∗∗∗
---------------------------------------------
Around 3.6 million articles from the Russian Pravda network are said to have found their way into the training material of Western AI systems. This is how fake news is spread via AI.
---------------------------------------------
https://www.derstandard.at/story/3000000261876/russland-vergiftet-ki-chatbo…
∗∗∗ The Citizen Lab’s director dissects spyware and the ‘proliferating’ market for it ∗∗∗
---------------------------------------------
In an interview with Recorded Future News, Deibert explained the technical aspects of the Citizen Lab’s methods and how spyware companies continue to evolve to evade detection.
---------------------------------------------
https://therecord.media/ron-deibert-citizen-lab-spyware-interview
=====================
= Vulnerabilities =
=====================
∗∗∗ ZDI-25-149: Adobe Acrobat Reader DC AcroForm Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Adobe Acrobat Reader DC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2025-271561.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-149/
∗∗∗ ZDI-25-151: Progress Software Kemp LoadMaster mangle Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Progress Software Kemp LoadMaster. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 9.8. The following CVEs are assigned: CVE-2025-1758.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-151/
∗∗∗ ZDI-25-150: Microsoft Windows MSC File Insufficient UI Warning Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.0. The following CVEs are assigned: CVE-2025-26633.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-150/
∗∗∗ ZDI-25-172: Apple macOS MOV File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Apple macOS. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 8.8. The following CVEs are assigned: CVE-2025-24124.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-172/
∗∗∗ Multiple Vulnerabilities in Autodesk AutoCAD and certain AutoCAD-based Products ∗∗∗
---------------------------------------------
Autodesk AutoCAD and certain AutoCAD-based products are affected by multiple vulnerabilities. Exploitation of these vulnerabilities can lead to code execution. Exploitation of these vulnerabilities requires user interaction.
---------------------------------------------
https://www.autodesk.com/trust/security-advisories/adsk-sa-2025-0001
=====================
= End-of-Day report =
=====================
Timeframe: Monday 17-03-2025 18:00 − Tuesday 18-03-2025 18:00
Handler: Alexander Riepl
Co-Handler: Felician Fuchs
=====================
= News =
=====================
∗∗∗ Critical AMI MegaRAC bug can let attackers hijack, brick servers ∗∗∗
---------------------------------------------
A new critical severity vulnerability found in American Megatrends International's MegaRAC Baseboard Management Controller (BMC) software can let attackers hijack and potentially brick vulnerable servers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/critical-ami-megarac-bug-can…
∗∗∗ StilachiRAT analysis: From system reconnaissance to cryptocurrency theft ∗∗∗
---------------------------------------------
Microsoft Incident Response uncovered a novel remote access trojan (RAT) named StilachiRAT, which demonstrates sophisticated techniques to evade detection, persist in the target environment, and exfiltrate sensitive data. This blog primarily focuses on analysis of the WWStartupCtrl64.dll module that contains the RAT capabilities and summarizes ..
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2025/03/17/stilachirat-analys…
∗∗∗ New ‘Rules File Backdoor’ Attack Lets Hackers Inject Malicious Code via AI Code Editors ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed details of a new supply chain attack vector dubbed Rules File Backdoor that affects artificial intelligence (AI)-powered code editors like GitHub Copilot and Cursor, causing them to inject malicious ..
---------------------------------------------
https://thehackernews.com/2025/03/new-rules-file-backdoor-attack-lets.html
∗∗∗ British backdoors: after Apple, Google also suspected ∗∗∗
---------------------------------------------
British surveillance authorities are demanding worldwide access to Apple backups. Apple is not allowed to confirm this, and is apparently not an isolated case.
---------------------------------------------
https://www.heise.de/news/Auch-Google-kann-britischen-Ueberwachungsbefehl-n…
∗∗∗ FBI warning: fraudulent online file converters smuggle trojans into documents ∗∗∗
---------------------------------------------
Anyone using free online services to convert, for example, text files can catch malware. The FBI has issued a warning to that effect.
---------------------------------------------
https://www.heise.de/news/Malwareverteiler-FBI-warnt-vor-betruegerischen-On…
∗∗∗ Bogus ‘DeepSeek’ AI Installers Are Infecting Devices with Malware, Research Finds ∗∗∗
---------------------------------------------
In a digital landscape hungry for the next big thing in Artificial Intelligence, a new contender called DeepSeek recently burst ..
---------------------------------------------
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/bogus-deepseek-ai-inst…
∗∗∗ Fraudulent prize draw: subscription trap instead of a cheap Thermomix! ∗∗∗
---------------------------------------------
Ms. S. has long wanted a Thermomix, but the high price of the kitchen appliance has put her off so far. So she is all the more delighted when she sees online that she can get the Thermomix for just two euros after taking part in a survey. But beware: instead of a cheap Thermomix, an expensive subscription trap awaits her!
---------------------------------------------
https://www.watchlist-internet.at/news/betruegerisches-gewinnspiel-abofalle…
∗∗∗ Google parent Alphabet offers 30 billion dollars for cybersecurity startup Wiz ∗∗∗
---------------------------------------------
It would be Alphabet's largest transaction. An offer of 23 billion dollars was rejected last year.
---------------------------------------------
https://www.derstandard.at/story/3000000261775/wsj-alphabet-bietet-f252r-cy…
∗∗∗ Crypto exchange OKX shuts down tool used by North Korean hackers to launder stolen funds ∗∗∗
---------------------------------------------
OKX said it detected a coordinated effort by one of North Korea’s most prolific hacking outfits to misuse its decentralized finance (DeFi) services.
---------------------------------------------
https://therecord.media/crypto-okx-shuts-down-exchange
∗∗∗ Password reuse is rampant: nearly half of observed user logins are compromised ∗∗∗
---------------------------------------------
Accessing private content online, whether it's checking email or streaming your favorite show, almost always starts with a “login” step. Beneath this everyday task lies a widespread human mistake we still have not resolved: password reuse. Many users recycle passwords across multiple services, creating a ripple effect of risk when their credentials are leaked.
---------------------------------------------
https://blog.cloudflare.com/password-reuse-rampant-half-user-logins-comprom…
∗∗∗ Offline PKI using 3 YubiKeys and an ARM single board computer ∗∗∗
---------------------------------------------
An offline PKI enhances security by physically isolating the certificate authority from network threats. A YubiKey is a low-cost solution to store a root certificate. You also need an air-gapped environment to operate the root CA.
---------------------------------------------
https://vincent.bernat.ch/en/blog/2025-offline-pki-yubikeys
∗∗∗ Security Risks of Setting Access Control Allow Origin: * ∗∗∗
---------------------------------------------
Wildcard CORS: convenient or careless? What are the ACTUAL scenarios that could lead to a loose CORS policy being exploited?
---------------------------------------------
https://projectblack.io/blog/security-risks-of-setting-access-control-allow…
=====================
= Vulnerabilities =
=====================
∗∗∗ TYPO3-EXT-SA-2025-003: Multiple vulnerabilities in extension “[clickstorm] SEO” (cs_seo) ∗∗∗
---------------------------------------------
https://typo3.org/security/advisory/typo3-ext-sa-2025-003
∗∗∗ TYPO3-EXT-SA-2025-002: Cross-Site Scripting in extension “Additional TCA” (additional_tca) ∗∗∗
---------------------------------------------
https://typo3.org/security/advisory/typo3-ext-sa-2025-002
∗∗∗ Varnish Enterprise vulnerability in MSE4 when handling range requests ∗∗∗
---------------------------------------------
https://docs.varnish-software.com/security/VEV00001/
∗∗∗ HTTP/1 client-side desync vulnerability ∗∗∗
---------------------------------------------
https://docs.varnish-software.com/security/VSV00015/
∗∗∗ Schneider Electric EcoStruxure Power Automation System ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-25-077-03
=====================
= End-of-Day report =
=====================
Timeframe: Friday 14-03-2025 18:00 − Monday 17-03-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Coinbase phishing email tricks users with fake wallet migration ∗∗∗
---------------------------------------------
A large-scale Coinbase phishing attack poses as a mandatory wallet migration, tricking recipients into setting up a new wallet with a pre-generated recovery phrase controlled by attackers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/coinbase-phishing-email-tric…
∗∗∗ Malicious Adobe, DocuSign OAuth apps target Microsoft 365 accounts ∗∗∗
---------------------------------------------
Cybercriminals are promoting malicious Microsoft OAuth apps that masquerade as Adobe and DocuSign apps to deliver malware and steal Microsoft 365 accounts credentials.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/malicious-adobe-docusign-oau…
∗∗∗ Mirai Bot now incorporating (malformed?) DrayTek Vigor Router Exploits, (Sun, Mar 16th) ∗∗∗
---------------------------------------------
Last October, Forescout published a report disclosing several vulnerabilities in DrayTek routers. According to Forescout, about 700,000 devices were exposed to these vulnerabilities ..
---------------------------------------------
https://isc.sans.edu/diary/Mirai+Bot+now+incroporating+malformed+DrayTek+Vi…
∗∗∗ Credit Card Skimmer and Backdoor on WordPress E-commerce Site ∗∗∗
---------------------------------------------
The battle against e-commerce malware continues to intensify, with attackers deploying increasingly sophisticated tactics. In a recent case at Sucuri, a customer reported suspicious files and unexpected behavior on their WordPress site. Upon deeper analysis, we discovered a complicated infection involving multiple components: a credit card skimmer, a ..
---------------------------------------------
https://blog.sucuri.net/2025/03/credit-card-skimmer-and-backdoor-on-wordpre…
∗∗∗ Malicious PyPI Packages Stole Cloud Tokens—Over 14,100 Downloads Before Removal ∗∗∗
---------------------------------------------
Cybersecurity researchers have warned of a malicious campaign targeting users of the Python Package Index (PyPI) repository with bogus libraries masquerading as "time" related utilities, but harboring hidden functionality to steal sensitive data such as ..
---------------------------------------------
https://thehackernews.com/2025/03/malicious-pypi-packages-stole-cloud.html
∗∗∗ Microsoft wouldn't look at a bug report without a video. Researcher maliciously complied ∗∗∗
---------------------------------------------
Maddening techno loop, Zoolander reference, and 14 minutes of time wasted. A vulnerability analyst and prominent member of the infosec industry has blasted Microsoft for refusing to look at a bug report unless he submitted a video alongside a written explanation.
---------------------------------------------
https://www.theregister.com/2025/03/17/microsoft_bug_report_troll/
∗∗∗ Fake security warning: scammers attempt to hijack GitHub accounts ∗∗∗
---------------------------------------------
Security researchers report attack attempts against around 12,000 GitHub repositories. The attackers aim to gain full control of the accounts.
---------------------------------------------
https://www.heise.de/news/Fake-Sicherheitswarnung-Betrueger-versuchen-Githu…
∗∗∗ ClickFix: How to Infect Your PC in Three Easy Steps ∗∗∗
---------------------------------------------
A clever malware deployment scheme first spotted in targeted attacks last year has now gone mainstream. In this scam, dubbed "ClickFix," the visitor to a hacked or malicious website is asked to distinguish ..
---------------------------------------------
https://krebsonsecurity.com/2025/03/clickfix-how-to-infect-your-pc-in-three…
∗∗∗ RCS: Apple and Google agree on end-to-end encrypted communication ∗∗∗
---------------------------------------------
A new version of the SMS successor supports secure encryption; the two industry giants intend to adopt it on Android and iPhone.
---------------------------------------------
https://www.derstandard.at/story/3000000261679/rcs-apple-und-google-einigen…
∗∗∗ Telegram CEO confirms leaving France amid criminal probe ∗∗∗
---------------------------------------------
The Russian-born founder and owner of the messaging app Telegram said he returned to Dubai after spending several months in France due to a criminal investigation related to activity on the app.
---------------------------------------------
https://therecord.media/telegram-pavel-durov-leaves-france-amid-probe
∗∗∗ Mora_001 ransomware gang exploiting Fortinet bug spotlighted by CISA in January ∗∗∗
---------------------------------------------
Two vulnerabilities impacting Fortinet products are being exploited by a new ransomware operation with ties to the LockBit ransomware group.
---------------------------------------------
https://therecord.media/mora001-ransomware-gang-exploiting-vulnerability-lo…
∗∗∗ Scammers Pose as Cl0p Ransomware to Send Fake Extortion Letters ∗∗∗
---------------------------------------------
Scammers are sending fake extortion and ransom demands while posing as ransomware gangs, including the notorious Cl0p ransomware.
---------------------------------------------
https://hackread.com/scammers-pose-cl0p-ransomware-fake-extortion-letters/
∗∗∗ BitM Up! Session Stealing in Seconds Using the Browser-in-the-Middle Technique ∗∗∗
---------------------------------------------
The Rise of Browser in the Middle (BitM): BitM attacks offer a streamlined approach, allowing attackers to quickly compromise sessions across various web applications. MFA Remains Crucial, But Not Invulnerable: ..
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/session-stealing-b…
∗∗∗ Supply Chain Security Risk: GitHub Action tj-actions/changed-files Compromised ∗∗∗
---------------------------------------------
On March 14th, 2025, security researchers discovered a critical software supply chain vulnerability in the widely-used GitHub Action tj-actions/changed-files (CVE-2025-30066). This vulnerability allows remote attackers ..
---------------------------------------------
https://blog.aquasec.com/supply-chain-security-threat-github-action-tj-acti…
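Added example (not code from the Aqua post): the check a practitioner wants after an Action compromise is whether their own workflows reference third-party Actions by a mutable tag or branch instead of a full commit SHA. A tag or branch is a pointer that whoever controls the Action's repository can move; a 40-character commit id is content-addressed and cannot be repointed. The scanner below walks `uses:` lines in workflow text; the sample workflow, the SHA in it and the some-org/lint-action reference are constructed for the demonstration.

```python
"""Flag GitHub Actions `uses:` references that are not pinned to a commit SHA.

Added example, not the referenced post's code. The sample workflow and the
commit id in it are constructed, not real.
"""
import re
from typing import List, NamedTuple

# `- uses: owner/repo@ref`, `uses: ./local`, `uses: docker://image`, quoted or not
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?(?P<ref>[^"\'\s#]+)')
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


class Finding(NamedTuple):
    line: int
    ref: str
    reason: str


def find_unpinned(workflow_text: str) -> List[Finding]:
    """Return every `uses:` reference whose target can be changed by its upstream."""
    findings: List[Finding] = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        if ref.startswith("./"):
            continue  # local action, versioned with the repository itself
        if ref.startswith("docker://"):
            if "@sha256:" not in ref:
                findings.append(Finding(n, ref, "container image not pinned by digest"))
            continue
        _action, sep, version = ref.partition("@")
        if not sep:
            findings.append(Finding(n, ref, "no ref given (resolves to the default branch)"))
        elif SHA_RE.match(version):
            continue  # immutable commit id
        elif version in ("main", "master"):
            findings.append(Finding(n, ref, f"pinned to moving branch {version!r}"))
        else:
            findings.append(Finding(n, ref, f"pinned to tag {version!r}, which upstream can move"))
    return findings


# Constructed sample; the checkout SHA below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4 (placeholder SHA)
      - uses: tj-actions/changed-files@v45
      - uses: some-org/lint-action@main
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - name: run
        run: echo ok
"""


if __name__ == "__main__":
    for f in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {f.line}: {f.ref}: {f.reason}")
```

Run it over `.github/workflows/*.yml`; keep a trailing `# vX.Y.Z` comment next to each SHA so humans and update bots can still see which release it corresponds to. Pinning is only a mitigation: a SHA recorded after a repository is compromised pins the malicious commit, so verify what you pin.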
∗∗∗ Bypassing Authentication Like It’s The ‘90s - Pre-Auth RCE Chain(s) in Kentico Xperience CMS ∗∗∗
---------------------------------------------
I recently joined watchTowr, and it is, therefore, time - time for my first watchTowr Labs blogpost, previously teased in a tweet of a pre-auth RCE chain affecting some ‘unknown software’. Joining the team, I wanted to maintain the trail of destruction left by the watchTowr Labs team, ..
---------------------------------------------
https://labs.watchtowr.com/bypassing-authentication-like-its-the-90s-pre-au…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (opensaml and php8.2), Fedora (chromium, ctk, dcmtk, expat, ffmpeg, firefox, fscrypt, gdcm, InsightToolkit, kitty, libssh2, libxml2, linux-firmware, man2html, nextcloud, OpenImageIO, php, podman-tui, python-django, python-django5, python-gunicorn, python-jinja2, python-spotipy, python3.6, qt6-qtwebengine, thunderbird, tigervnc, vim, vyper, xen, xorg-x11-server, and xorg-x11-server-Xwayland), Mageia (freetype2, ghostscript, and man2html), ..
---------------------------------------------
https://lwn.net/Articles/1014437/
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 13-03-2025 18:00 − Freitag 14-03-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ New SuperBlack ransomware exploits Fortinet auth bypass flaws ∗∗∗
---------------------------------------------
A new ransomware operator named Mora_001 is exploiting two Fortinet vulnerabilities to gain unauthorized access to firewall appliances and deploy a custom ransomware strain dubbed SuperBlack.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-superblack-ransomware-ex…
∗∗∗ Ransomware gang creates tool to automate VPN brute-force attacks ∗∗∗
---------------------------------------------
The Black Basta ransomware operation created an automated brute-forcing framework dubbed BRUTED to breach edge networking devices like firewalls and VPNs.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/black-basta-ransomware-creat…
∗∗∗ Jailbreaking is (mostly) simpler than you think ∗∗∗
---------------------------------------------
Today, we are sharing insights on a simple, optimization-free jailbreak method called Context Compliance Attack (CCA), that has proven effective against most leading AI systems. We are disseminating this research to promote awareness and encourage system designers to implement appropriate safeguards.
---------------------------------------------
https://msrc.microsoft.com/blog/2025/03/jailbreaking-is-mostly-simpler-than…
∗∗∗ CISA: We didn't fire red teams, we just unhired a bunch of them ∗∗∗
---------------------------------------------
Agency tries to save face as it also pulls essential funding for election security initiatives. Uncle Sam's cybersecurity agency is trying to save face by seeking to clear up what it's calling "inaccurate reporting" after a former senior pen-tester claimed the organization axed two red teams.
---------------------------------------------
https://www.theregister.com/2025/03/13/cisa_red_team_layoffs/
∗∗∗ A New Era of Attacks on Encryption Is Starting to Heat Up ∗∗∗
---------------------------------------------
The UK, France, Sweden, and EU have made fresh attacks on end-to-end encryption. Some of the attacks are more “crude” than those in recent years, experts say.
---------------------------------------------
https://www.wired.com/story/a-new-era-of-attacks-on-encryption-is-starting-…
∗∗∗ Remote access: Ivanti Secure Access Client as an entry point for attackers ∗∗∗
---------------------------------------------
A security update closes a vulnerability in Ivanti Secure Access Client on Windows.
---------------------------------------------
https://www.heise.de/news/Fernzugriff-Ivanti-Secure-Access-Client-als-Einfa…
∗∗∗ Off the Beaten Path: Recent Unusual Malware ∗∗∗
---------------------------------------------
Three unusual malware samples analyzed here include an IIS backdoor developed in a rare language, a bootkit and a Windows implant of a post-exploit framework.
---------------------------------------------
https://unit42.paloaltonetworks.com/unusual-malware/
∗∗∗ Ransomware attack takes down health system network in Micronesia ∗∗∗
---------------------------------------------
One of the four states that make up the Pacific nation of Micronesia is battling against ransomware hackers who have forced all of the computers used by its government health agency offline.
---------------------------------------------
https://therecord.media/ransomware-attack-micronesia-health-system
∗∗∗ Europe's telecoms sector under increased threat from cyber spies, warns Denmark ∗∗∗
---------------------------------------------
State-sponsored cyber espionage is a bigger threat than ever to Europe's telecommunications networks, according to a new assessment from Denmark's government.
---------------------------------------------
https://therecord.media/europe-increased-cyber-espionage-telecoms-denmark-r…
∗∗∗ Alleged Russian LockBit developer extradited from Israel, appears in New Jersey court ∗∗∗
---------------------------------------------
Rostislav Panev, who was arrested in Israel in August 2024 on U.S. charges related to dozens of LockBit ransomware attacks, has been extradited and appeared in a New Jersey federal court, authorities said.
---------------------------------------------
https://therecord.media/lockbit-alleged-russian-developer-extradited-us-isr…
∗∗∗ SocGholish’s Intrusion Techniques Facilitate Distribution of RansomHub Ransomware ∗∗∗
---------------------------------------------
Trend Research analyzed SocGholish’s MaaS framework and its role in deploying RansomHub ransomware through compromised websites, using highly obfuscated JavaScript loaders to evade detection and execute various malicious tasks.
---------------------------------------------
https://www.trendmicro.com/en_us/research/25/c/socgholishs-intrusion-techni…
∗∗∗ Recursion kills: The story behind CVE-2024-8176 / Expat 2.7.0 released, includes security fixes ∗∗∗
---------------------------------------------
Expat 2.7.0 has been released earlier today. I will make this a more detailed post than usual because in many ways there is more to tell about this release than the average libexpat release: there is a story this time
---------------------------------------------
https://blog.hartwork.org/posts/expat-2-7-0-released/
∗∗∗ Memory Corruption in Delphi ∗∗∗
---------------------------------------------
Our team at Include Security is often asked to examine applications coded in languages that are usually considered “unsafe”, such as C and C++, due to their lack of memory safety functionality. Critical aspects of reviewing such code include identifying where bounds-checking, input validation, and pointer handling/dereferencing are ..
---------------------------------------------
https://blog.includesecurity.com/2025/03/memory-corruption-in-delphi/
∗∗∗ My Scammer Girlfriend: Baiting A Romance Fraudster ∗∗∗
---------------------------------------------
At the beginning of the year, a spate of very similar mails appeared in my spam-box. Although originating from different addresses (and sent to different recipients), they all appeared to be the opener for the same romance scam campaign.
---------------------------------------------
https://www.bentasker.co.uk/posts/blog/security/seducing-a-romance-scammer.…
=====================
= Vulnerabilities =
=====================
∗∗∗ ZDI-25-135: Adobe Acrobat Reader DC AcroForm Use of Uninitialized Variable Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Adobe Acrobat Reader DC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2025-27162.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-135/
∗∗∗ ZDI-25-134: Adobe Acrobat Reader DC Doc Object Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Adobe Acrobat Reader DC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2025-24431.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-134/
∗∗∗ ZDI-25-133: Adobe Acrobat Reader DC Annotation Use-After-Free Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Adobe Acrobat Reader DC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2025-27174.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-133/
∗∗∗ ZDI-25-132: Adobe Acrobat Reader DC Annotation Use-After-Free Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Adobe Acrobat Reader DC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2025-27159.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-132/
∗∗∗ ZDI-25-131: Adobe Acrobat Reader DC Annotation Use-After-Free Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Adobe Acrobat Reader DC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2025-27160.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-131/
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 12-03-2025 18:00 − Donnerstag 13-03-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ No Project Is an Island: Why You Need SBOMs and Dependency Management ∗∗∗
---------------------------------------------
The system you develop and maintain does not exist in isolation. Providing SBOMs for our work is our way to show we care. Software is a relatively recent phenomenon. For a long time, you could credibly say most of its existence, software was poorly understood by society and industry at large. There was ..
---------------------------------------------
https://bsdly.blogspot.com/2025/03/no-project-is-island-why-you-need-sboms.…
∗∗∗ Facebook discloses FreeType 2 flaw exploited in attacks ∗∗∗
---------------------------------------------
Facebook is warning that a FreeType vulnerability in all versions up to 2.13 can lead to arbitrary code execution, with reports that the flaw has been exploited in attacks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/facebook-discloses-freetype-…
∗∗∗ Airline ticket wholesaler: cyberattack paralyses Aerticket's booking system ∗∗∗
---------------------------------------------
After a hacker attack, Aerticket's booking system is unusable for now. A quick restoration is not to be expected.
---------------------------------------------
https://www.golem.de/news/flugticketgrosshaendler-cyberangriff-legt-buchung…
∗∗∗ Head Mare and Twelve join forces to attack Russian entities ∗∗∗
---------------------------------------------
We analyze the activities of the Head Mare hacktivist group, which has been attacking Russian companies jointly with Twelve.
---------------------------------------------
https://securelist.com/head-mare-twelve-collaboration/115887/
∗∗∗ Phishing campaign impersonates Booking.com, delivers a suite of credential-stealing malware ∗∗∗
---------------------------------------------
Starting in December 2024, leading up to some of the busiest travel days, Microsoft Threat Intelligence identified a phishing campaign that impersonates online travel agency Booking.com and targets organizations in the hospitality industry. The campaign uses a social engineering technique called ClickFix to deliver multiple credential-stealing malware ..
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2025/03/13/phishing-campaign-…
∗∗∗ Medusa ransomware affiliate tried triple extortion scam – up from the usual double demand ∗∗∗
---------------------------------------------
Feds warn gang still rampant and now cracked 300+ victims around the world. A crook who distributes the Medusa ransomware tried to make a victim cough up three payments instead of the usual two, according to a government advisory on how to defend against the malware and the gangs who wield it.
---------------------------------------------
https://www.theregister.com/2025/03/13/medusa_ransomware_infects_300_critic…
∗∗∗ DeepSeek can be gently persuaded to spit out malware code ∗∗∗
---------------------------------------------
It might need polishing, but a useful find for any budding cybercrooks out there. DeepSeek's flagship R1 model is capable of generating a working keylogger and basic ransomware code, just as long as a techie is on hand to tinker with it a little.
---------------------------------------------
https://www.theregister.com/2025/03/13/deepseek_malware_code/
∗∗∗ Security vulnerabilities: GitLab developers advise prompt update ∗∗∗
---------------------------------------------
Important security updates have been released for the software development platform GitLab.
---------------------------------------------
https://www.heise.de/news/Sicherheitsluecken-Gitlab-Entwickler-raten-zu-zue…
∗∗∗ Security updates: root vulnerability threatens Cisco ASR routers ∗∗∗
---------------------------------------------
Network equipment maker Cisco has closed several vulnerabilities through which attackers can attack, among other products, ASR routers.
---------------------------------------------
https://www.heise.de/news/Sicherheitsupdates-Root-Sicherheitsluecke-bedroht…
∗∗∗ Malicious-code vulnerabilities threaten FortiOS, FortiSandbox & Co. ∗∗∗
---------------------------------------------
Several Fortinet products are attackable. Security patches provide a remedy.
---------------------------------------------
https://www.heise.de/news/Schadcode-Sicherheitsluecken-bedrohen-FortiOS-For…
∗∗∗ Investigating Scam Crypto Investment Platforms Using Pyramid Schemes to Defraud Victims ∗∗∗
---------------------------------------------
We identified a campaign spreading thousands of scam crypto investment platforms through websites and mobile apps, possibly through a standardized toolkit.
---------------------------------------------
https://unit42.paloaltonetworks.com/fraud-crypto-platforms-campaign/
∗∗∗ #StopRansomware: Medusa Ransomware ∗∗∗
---------------------------------------------
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint advisory to disseminate known Medusa ransomware TTPs and IOCs, identified through FBI investigations as recently as February 2025.
---------------------------------------------
https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-071a
∗∗∗ Signal no longer cooperating with Ukraine on Russian cyberthreats, official says ∗∗∗
---------------------------------------------
The encrypted messaging app Signal has stopped responding to requests from Ukrainian law enforcement regarding Russian cyberthreats, a Ukrainian official claimed, warning that the shift is aiding Moscow’s intelligence efforts.
---------------------------------------------
https://therecord.media/signal-no-longer-cooperating-with-ukraine
∗∗∗ Abusing with style: Leveraging cascading style sheets for evasion and tracking ∗∗∗
---------------------------------------------
Cascading Style Sheets (CSS) are ever present in modern day web browsing; however, that is far from their only use. This blog will detail the ways adversaries use CSS in email campaigns for evasion and tracking.
---------------------------------------------
https://blog.talosintelligence.com/css-abuse-for-evasion-and-tracking/
∗∗∗ Statement on CISA's Red Team ∗∗∗
---------------------------------------------
CISA’s Red Team is among the best in the world and remains laser focused on helping our federal and critical infrastructure partners identify and mitigate their most significant vulnerabilities and weaknesses. This has not changed.
---------------------------------------------
https://www.cisa.gov/news-events/news/statement-cisas-red-team
∗∗∗ PCI DSS FAQ SAQ WTF BBQ... ∗∗∗
---------------------------------------------
I was trying to come up with a sensible title for this blog post, but I feel this one mirrors the thoughts and feelings of many of us about recent events in the PCI DSS compliance space! There have been some significant changes in ..
---------------------------------------------
https://scotthelme.ghost.io/pci-dss-faq-saq-wtf-bbq/
∗∗∗ Sign in as anyone: Bypassing SAML SSO authentication with parser differentials ∗∗∗
---------------------------------------------
Critical authentication bypass vulnerabilities (CVE-2025-25291 + CVE-2025-25292) were discovered in ruby-saml up to version 1.17.0. In this blog post, we'll shed light on how these vulnerabilities that rely on a parser differential were uncovered.
---------------------------------------------
https://github.blog/security/sign-in-as-anyone-bypassing-saml-sso-authentic…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium), Fedora (ffmpeg, qt6-qtwebengine, tigervnc, and xorg-x11-server-Xwayland), Red Hat (fence-agents and libxml2), SUSE (amazon-ssm-agent, ark, chromium, fake-gcs-server, gerbera, google-guest-agent, google-osconfig-agent, grafana, kernel, libtinyxml2-10, podman, python311, python312, restic, ruby3.4-rubygem-rack, and thunderbird), and Ubuntu (jinja2, linux-azure, linux-azure-4.15, linux-lts-xenial, linux-nvidia, linux-nvidia-6.8, ..
---------------------------------------------
https://lwn.net/Articles/1014042/
∗∗∗ ZDI-25-129: PDF-XChange Editor RTF File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2025-2231.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-129/
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 11-03-2025 18:00 − Mittwoch 12-03-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ iPhone users attacked: actively exploited WebKit vulnerability endangers Apple devices ∗∗∗
---------------------------------------------
Attackers can use the vulnerability to break out of WebKit's web content sandbox. Apple is distributing emergency updates for iOS, macOS and Safari.
---------------------------------------------
https://www.golem.de/news/iphone-nutzer-attackiert-aktiv-ausgenutzte-webkit…
∗∗∗ Scans for VMWare Hybrid Cloud Extension (HCX) API (Log4j - not brute forcing), (Wed, Mar 12th) ∗∗∗
---------------------------------------------
Today, I noticed increased scans for the VMWare Hybrid Cloud Extension (HCX) "sessions" endpoint. These endpoints are sometimes associated with exploit attempts for various VMWare ..
---------------------------------------------
https://isc.sans.edu/diary/Scans+for+VMWare+Hybrid+Cloud+Extension+HCX+API+…
∗∗∗ Inconsistent cybersecurity standards: municipalities without a clear strategy ∗∗∗
---------------------------------------------
There are currently still many deficiencies in the IT security of municipalities. A study sheds light on the shortcomings and possible measures.
---------------------------------------------
https://www.heise.de/news/Uneinheitliche-Cybersicherheitsstandards-Kommunen…
∗∗∗ Microsoft Patch Tuesday: 5 critical Windows vulnerabilities, 6 others already exploited ∗∗∗
---------------------------------------------
For the March 2025 Patch Tuesday, Microsoft releases fixes for a total of 57 CVE entries. They affect Windows, Office, Visual Studio, Azure and more.
---------------------------------------------
https://www.heise.de/news/Microsoft-Patchday-5-kritische-Windows-Luecken-6-…
∗∗∗ Take control of Cache-Control and local caching ∗∗∗
---------------------------------------------
TL;DR: Caching speeds up website content delivery. What caching directives are and how to use them. The no-cache directive does not prevent caching. The no-store directive prevents caching ..
---------------------------------------------
https://www.pentestpartners.com/security-blog/take-control-of-cache-control…
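Added example (not code from the Pen Test Partners post): a parser for the Cache-Control header and a function that answers the question the post raises, namely whether a response carrying sensitive data can land in the browser's local cache. The semantics are those of RFC 9111: no-store forbids storing anywhere; no-cache allows storing but requires revalidation before reuse; private only restricts shared caches; without explicit freshness a cache may compute heuristic freshness from Last-Modified. The header sets used in the demonstration are constructed.

```python
"""Parse Cache-Control and judge local-cache exposure of a response.

Added example, not the referenced post's code. Sample headers are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional


def parse_cache_control(value: str) -> Dict[str, Optional[str]]:
    """Split 'a, b=1, c="x, y"' into {'a': None, 'b': '1', 'c': 'x, y'}.

    Directive names are case-insensitive; commas inside quoted arguments
    (e.g. no-cache="Set-Cookie, Foo") do not split directives.
    """
    parts, token, quoted = [], "", False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            parts.append(token)
            token = ""
            continue
        token += ch
    parts.append(token)

    out: Dict[str, Optional[str]] = {}
    for part in parts:
        part = part.strip()
        if not part:
            continue
        name, sep, arg = part.partition("=")
        out[name.strip().lower()] = arg.strip().strip('"') if sep else None
    return out


@dataclass(frozen=True)
class LocalCacheExposure:
    stored: bool                         # may the browser write the body to its cache?
    reusable_without_revalidation: bool  # can it be served again without asking the origin?
    shared_cache_may_store: bool         # may a proxy/CDN keep a copy?
    note: str


def local_cache_exposure(headers: Dict[str, str]) -> LocalCacheExposure:
    """Decide what a conforming cache may do with this response."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    shared_ok = "private" not in cc and "no-store" not in cc

    if "no-store" in cc:
        return LocalCacheExposure(False, False, False, "no-store: not written to any cache")
    if "no-cache" in cc:
        # Stored on disk, but every reuse must be revalidated with the origin.
        return LocalCacheExposure(True, False, shared_ok, "no-cache: stored, revalidated before each reuse")
    if "max-age" in cc and (cc["max-age"] or "").isdigit():
        age = int(cc["max-age"])
        return LocalCacheExposure(True, age > 0, shared_ok, f"max-age={age}: stored, fresh for {age}s")
    if "expires" in h:
        return LocalCacheExposure(True, True, shared_ok, "Expires given: stored and reusable until that date")
    if "last-modified" in h:
        return LocalCacheExposure(True, True, shared_ok, "no freshness info: heuristic freshness from Last-Modified")
    return LocalCacheExposure(True, False, shared_ok, "no freshness info and no validator: stored but normally refetched")


def harden_for_sensitive(headers: Dict[str, str]) -> Dict[str, str]:
    """Return a copy with the directive that actually prevents local storage."""
    out = {k: v for k, v in headers.items() if k.lower() not in ("cache-control", "expires", "pragma")}
    out["Cache-Control"] = "no-store"
    return out


if __name__ == "__main__":
    # Constructed responses: the first looks "uncached" but is still written to disk.
    samples = {
        "no-cache only": {"Cache-Control": "no-cache, must-revalidate"},
        "private+max-age": {"Cache-Control": "private, max-age=600"},
        "nothing": {"Content-Type": "application/json", "Last-Modified": "Tue, 11 Mar 2025 10:00:00 GMT"},
        "no-store": {"Cache-Control": "no-store"},
    }
    for name, hdrs in samples.items():
        e = local_cache_exposure(hdrs)
        print(f"{name:16} stored={e.stored!s:5} reusable={e.reusable_without_revalidation!s:5} {e.note}")
```

The point the post makes shows up directly in the output: "no-cache" alone still leaves the body on disk, and a JSON response with no caching headers at all may be reused heuristically; only "no-store" keeps it out of the local cache.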
∗∗∗ Phishing trap: there is no threat of permanent deactivation of your GMX account! ∗∗∗
---------------------------------------------
"Incorrect e-mails" are allegedly being sent from your e-mail address? If you do not react within 24 hours, your GMX account will be permanently deactivated? Don't worry, none of this is true and nothing will happen. Rather, you have received a phishing e-mail that you can ignore and should delete immediately.
---------------------------------------------
https://www.watchlist-internet.at/news/phishing-deaktivierung-gmx/
∗∗∗ Something urgent to do for the boss? Beware, phishing! ∗∗∗
---------------------------------------------
Criminals send fraudulent e-mails in which they pose as superiors. You are asked to complete an urgent task and to reply to the e-mail. We advise caution: a reply can cause great damage! Ignore the message and inform the IT department.
---------------------------------------------
https://www.watchlist-internet.at/news/phishing-unternehmen/
∗∗∗ Ghost in the Router: China-Nexus Espionage Actor UNC3886 Targets Juniper Routers ∗∗∗
---------------------------------------------
In mid 2024, Mandiant discovered threat actors deployed custom backdoors on Juniper Networks’ Junos OS routers. Mandiant attributed these backdoors to the China-nexus espionage group, UNC3886. Mandiant uncovered several TINYSHELL-based backdoors operating on Juniper Networks’ Junos OS routers. The backdoors had varying ..
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-espion…
=====================
= Vulnerabilities =
=====================
∗∗∗ iOS 18.3.2 and iPadOS 18.3.2 ∗∗∗
---------------------------------------------
/en-us/122281
∗∗∗ macOS Sequoia 15.3.2 ∗∗∗
---------------------------------------------
/en-us/122283
∗∗∗ visionOS 2.3.2 ∗∗∗
---------------------------------------------
/en-us/122284
∗∗∗ Safari 18.3.1 ∗∗∗
---------------------------------------------
/en-us/122285
∗∗∗ 2025-03 Out-of-Cycle Security Bulletin: Junos OS: A local attacker with shell access can execute arbitrary code (CVE-2025-21590) ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2025-03-Out-of-Cycle-Security-B…
=====================
= End-of-Day report =
=====================
Timeframe: Montag 10-03-2025 18:00 − Dienstag 11-03-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ MassJacker malware uses 778,000 wallets to steal cryptocurrency ∗∗∗
---------------------------------------------
A newly discovered clipboard hijacking operation dubbed MassJacker uses at least 778,531 cryptocurrency wallet addresses to steal digital assets from compromised computers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/massjacker-malware-uses-778-…
∗∗∗ Google leaves customers in the lurch: expired SSL certificates render Chromecast unusable ∗∗∗
---------------------------------------------
Owners of older Chromecast models have been waiting for two days for help from Google. When the error will be corrected is uncertain.
---------------------------------------------
https://www.golem.de/news/google-laesst-kunden-im-stich-abgelaufene-ssl-zer…
∗∗∗ DCRat backdoor returns ∗∗∗
---------------------------------------------
Kaspersky experts describe a new wave of attacks distributing the DCRat backdoor through YouTube under the guise of game cheats.
---------------------------------------------
https://securelist.com/new-wave-of-attacks-with-dcrat-backdoor-distributed-…
∗∗∗ New XCSSET malware adds new obfuscation, persistence techniques to infect Xcode projects ∗∗∗
---------------------------------------------
Microsoft Threat Intelligence has uncovered a new variant of XCSSET, a sophisticated modular macOS malware that infects Xcode projects, in the wild. Its first known variant since 2022, this latest XCSSET malware features enhanced obfuscation methods, updated persistence mechanisms, and new infection strategies. These enhanced features help this malware ..
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2025/03/11/new-xcsset-malware…
∗∗∗ What Really Happened With the DDoS Attacks That Took Down X ∗∗∗
---------------------------------------------
Elon Musk said a “massive cyberattack” disrupted X on Monday and pointed to “IP addresses originating in the Ukraine area” as the source of the attack. Security experts say that's not how it works.
---------------------------------------------
https://www.wired.com/story/x-ddos-attack-march-2025/
∗∗∗ North Korean IT Workers Linked to 2,400 Astrill VPN IP Addresses ∗∗∗
---------------------------------------------
New data has emerged linking over 2,400 IP addresses associated with Astrill VPN to individuals believed to be North Korean IT worker
---------------------------------------------
https://gbhackers.com/north-korean-workers-linked-astrill-vpn-ip-addresses/
∗∗∗ Espionage: Russia and China interested in Austria's IT sector ∗∗∗
---------------------------------------------
The Direktion Staatsschutz und Nachrichtendienst (Austria's directorate for state protection and intelligence) sees Russia as a "relevant risk actor". A high number of unreported incidents is suspected.
---------------------------------------------
https://www.derstandard.at/story/3000000260788/spionage-russland-und-china-…
∗∗∗ Report URI: Launching Policy Watch and other improvements! ∗∗∗
---------------------------------------------
As we continue to expand and improve our offering, one particular area of focus over recent months has been on PCI DSS Compliance. Whilst compliance might not be the first thing that many get excited about, the recent requirements introduced by the PCI SSC required some pretty solid ..
---------------------------------------------
https://scotthelme.ghost.io/report-uri-launching-policy-watch-and-other-imp…
∗∗∗ In-Depth Technical Analysis of the Bybit Hack ∗∗∗
---------------------------------------------
On 21st February 2025, Bybit suffered the largest cryptocurrency theft ever recorded, with more than $1.4 billion in assets, including 401,347 ETH, drained from its cold wallet. The attack compromised the transaction approval process by altering what Bybit’s signers saw when approving a cold wallet transaction, causing them to unknowingly authorize a transaction that resulted in a loss of funds.
---------------------------------------------
https://www.nccgroup.com/us/research-blog/in-depth-technical-analysis-of-th…
∗∗∗ Beyond the Hook: A Technical Deep Dive into Modern Phishing Methodologies ∗∗∗
---------------------------------------------
In 2025, phishing is still the most prevalent kind of cyber attack on the planet. Indeed, 1.2% of the global email traffic is phishing. That's 3.4 billion emails each day, but only a low number results in a compromise since "only" 3% of employees would click on a malicious link. However, when they do, it can be disastrous for their company. 91% of ..
---------------------------------------------
http://blog.quarkslab.com/technical-dive-into-modern-phishing.html
∗∗∗ Reversing Samsung's H-Arx Hypervisor Framework - Part 1 ∗∗∗
---------------------------------------------
In many ways, mobile devices lead the security industry when it comes to defense-in-depth and mitigation. Over the years, it has been proven time and again that the kernel cannot be trusted to be secure. As such, there has been effort put into moving secrets (i.e. encryption keys) and other sensitive data out of the kernel and gating them behind an API at higher levels in the chain of trust, whether it be the hypervisor or secure enclaves. In any case, the kernel must have a lot of control ..
---------------------------------------------
https://dayzerosec.com/blog/2025/03/08/reversing-samsungs-h-arx-hypervisor-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Cross Site Request Forgery in admin endpoint ∗∗∗
---------------------------------------------
A cross site request forgery vulnerability [CWE-352] in FortiNDR may allow a remote unauthenticated attacker to execute unauthorized actions via crafted HTTP GET requests.
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-23-353
∗∗∗ Exposure of Sensitive Information to an Unauthorized Actor ∗∗∗
---------------------------------------------
An exposure of sensitive information to an unauthorized actor vulnerability [CWE-200] in FortiSIEM may allow a remote unauthenticated attacker who acquired knowledge of the agent's authorization header by other means to read the database password via crafted API requests.
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-23-117
∗∗∗ OS command injection in CLI command ∗∗∗
---------------------------------------------
Multiple improper neutralization of special elements used in an OS command (OS Command Injection) vulnerabilities [CWE-78] in FortiManager CLI may allow a privileged attacker to execute unauthorized code or commands via crafted CLI requests.
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-24-124
∗∗∗ Use of hardcoded key used for remote backup server password encryption ∗∗∗
---------------------------------------------
A Use of Hard-coded Cryptographic Key vulnerability [CWE-321] in FortiSandbox may allow a privileged attacker with super-admin profile and CLI access to read sensitive data via CLI.
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-24-327
∗∗∗ XSS flaw in Fortiview/SecurityLogs pages ∗∗∗
---------------------------------------------
An improper neutralization of input during web page generation (Cross-site Scripting) vulnerability [CWE-79] in FortiADC GUI may allow an authenticated attacker to perform an XSS attack via crafted HTTP or HTTPs requests.
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-23-216
∗∗∗ [20250301] - Core - Malicious file uploads via Media Manager ∗∗∗
---------------------------------------------
https://developer.joomla.org:443/security-centre/961-20250301-core-maliciou…
∗∗∗ March Security Update ∗∗∗
---------------------------------------------
https://www.ivanti.com/blog/march-security-update
=====================
= End-of-Day report =
=====================
Timeframe: Friday 07-03-2025 18:00 − Monday 10-03-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ FTC will send $25.5 million to victims of tech support scams ∗∗∗
---------------------------------------------
Later this week, the Federal Trade Commission (FTC) will start distributing over $25.5 million in refunds to those misled by tech support companies Restoro and Reimage's scare tactics.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ftc-will-send-255-million-to…
∗∗∗ Data protection: police officer looks up women's data and has to pay a fine ∗∗∗
---------------------------------------------
The police officer kept a personal attractiveness scale and queried women's personal data once they reached certain scores.
---------------------------------------------
https://www.golem.de/news/datenschutz-polizist-ruft-daten-von-frauen-ab-und…
∗∗∗ SideWinder targets the maritime and nuclear sectors with an updated toolset ∗∗∗
---------------------------------------------
In this article, we discuss the tools and TTPs used in the SideWinder APT's attacks in H2 2024, as well as shifts in its targets, such as an increase in attacks against the maritime and logistics sectors.
---------------------------------------------
https://securelist.com/sidewinder-apt-updates-its-toolset-and-targets-nucle…
∗∗∗ The Russia-Ukraine Cyber War Part 4: Development in Group Attributions for Russian State Actors ∗∗∗
---------------------------------------------
This is the final installment of Trustwave SpiderLabs' Russia-Ukraine digital battlefield series, which has spanned topics including the differences between Russia and Ukraine cyber actors, how government entities, defense organizations, and human targets were caught in the cyber crossfire, and how both countries targeted the telecommunications, critical ..
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/russian-sta…
∗∗∗ Rhysida pwns two US healthcare orgs, extracts over 300K patients' data ∗∗∗
---------------------------------------------
Terabytes of sensitive info remain available for download. Break-ins to systems hosting the data of two US healthcare organizations led to thieves making off with the personal and medical data of more than 300,000 patients.
---------------------------------------------
https://www.theregister.com/2025/03/10/rhysida_healthcare/
∗∗∗ Strings Attached: Talking about Russia's agenda for laws in cyberspace ∗∗∗
---------------------------------------------
Russia's longstanding proposals for "information security" agreements may sound cooperative, but they conceal a Trojan horse - a push to legitimize censorship, silence dissent, and bind others to rules it won’t follow.
---------------------------------------------
https://bytesandborscht.com/strings-attached-talking-about-russias-agenda-f…
∗∗∗ Largest theft in history: Bybit used freeware and became a victim as a result ∗∗∗
---------------------------------------------
Insecure freeware enabled the attackers to carry out the billion-dollar theft at Bybit. The problems had long been known.
---------------------------------------------
https://www.heise.de/news/Groesster-Diebstahl-der-Geschichte-Bybit-nutzte-F…
∗∗∗ Feds Link $150M Cyberheist to 2022 LastPass Hacks ∗∗∗
---------------------------------------------
In September 2023, KrebsOnSecurity published findings from security researchers who concluded that a series of six-figure cyberheists across dozens of victims resulted from thieves cracking master passwords stolen from the password manager service LastPass in 2022. In a court filing this week, U.S. federal agents investigating a spectacular $150 million cryptocurrency heist said they had reached the same conclusion.
---------------------------------------------
https://krebsonsecurity.com/2025/03/feds-link-150m-cyberheist-to-2022-lastp…
∗∗∗ Vulnerability Reward Program: 2024 in Review ∗∗∗
---------------------------------------------
In 2024, our Vulnerability Reward Program confirmed the ongoing value of engaging with the security research community to make Google and its products safer. This was evident as we awarded just shy of $12 million to over 600 researchers based in countries around the globe across all of our programs. Vulnerability Reward ..
---------------------------------------------
http://security.googleblog.com/2025/03/vulnerability-reward-program-2024-in…
∗∗∗ WordPress Security Research Series: WordPress Security Architecture ∗∗∗
---------------------------------------------
Learn how WordPress security works from the inside out. A guide for vulnerability researchers on identifying flaws in WordPress core, plugins, and themes.
---------------------------------------------
https://www.wordfence.com/blog/2025/03/wordpress-security-research-series-w…
∗∗∗ Scam spoofs Binance website and uses TRUMP coin as lure for malware ∗∗∗
---------------------------------------------
Researchers at phishing defense company Cofense say hackers are spreading a malicious remote access tool through a fake Binance page that offers access to the TRUMP coin.
---------------------------------------------
https://therecord.media/email-scam-spoofs-binance-offers-trump-coin-connect…
∗∗∗ Navigating AI 🤝 Fighting Skynet ∗∗∗
---------------------------------------------
Using AI can be a great tool for adversarial engineering. This was just a bit of fun to see if it was possible to do and to learn more about automation, but also proving you cannot trust git commit history nor can you trust dates of commits!
---------------------------------------------
https://blog.zsec.uk/navigating-ai-fighting-skynet/
∗∗∗ No, there isn’t a world ending Apache Camel vulnerability ∗∗∗
---------------------------------------------
Posts have been circulating publicly on the internet for several days about a “critical”, end of the world “zero day” in Apache Camel, CVE-2025-27636. Many of the posts explained in specific detail about how to exploit the vulnerability ..
---------------------------------------------
https://doublepulsar.com/no-there-isnt-a-world-ending-apache-camel-vulnerab…
∗∗∗ GreyNoise Detects Mass Exploitation of Critical PHP-CGI Vulnerability (CVE-2024-4577), Signaling Broad Campaign ∗∗∗
---------------------------------------------
GreyNoise data confirms that exploitation of CVE-2024-4577 extends far beyond initial reports. Attack attempts have been observed across multiple regions, with notable spikes in the United States, Singapore, Japan, and other countries throughout January 2025.
---------------------------------------------
https://www.greynoise.io/blog/mass-exploitation-critical-php-cgi-vulnerabil…
∗∗∗ How to distrust a CA without any certificate errors ∗∗∗
---------------------------------------------
A “distrust” is when a certification authority (CA) that issues HTTPS certificates to websites is removed from a root store because it is no longer trusted to issue certificates. This means certificates issued by that CA will be treated as invalid, likely causing certificate error interstitials in any browser that distrusted the ..
---------------------------------------------
https://dadrian.io/blog/posts/sct-not-after/
∗∗∗ Exploiting Neverwinter Nights ∗∗∗
---------------------------------------------
Back in 2024, we looked for vulnerabilities in Neverwinter Nights: Enhanced Edition as a side research project. We found and reported multiple vulnerabilities to the publisher Beamdog. In this article we will detail how we can chain two vulnerabilities to obtain remote code execution in multiplayer mode.
---------------------------------------------
https://www.synacktiv.com/en/publications/exploiting-neverwinter-nights.html
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 06-03-2025 18:00 − Friday 07-03-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Cybercrime crew stole $635,000 in Taylor Swift concert tickets ∗∗∗
---------------------------------------------
New York prosecutors say that two people working at a third-party contractor for the StubHub online ticket marketplace made $635,000 after stealing almost 1,000 concert tickets and reselling them online.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cybercrime-crew-stole-635-00…
∗∗∗ Microsoft says malvertising campaign impacted 1 million PCs ∗∗∗
---------------------------------------------
Microsoft has taken down an undisclosed number of GitHub repositories used in a massive malvertising campaign that impacted almost one million devices worldwide.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/microsoft-says-malvertising-…
∗∗∗ Cyberattack analysed: hackers encrypt company data via a webcam ∗∗∗
---------------------------------------------
An EDR tool successfully thwarted encryption attempts by the Akira ransomware group. But then the attackers found a loophole.
---------------------------------------------
https://www.golem.de/news/cyberangriff-analysiert-hacker-verschluesseln-unt…
∗∗∗ A Deep Dive into Strela Stealer and how it Targets European Countries ∗∗∗
---------------------------------------------
Infostealers have dominated the malware landscape due to the ease of maintaining threat operations and the wide group of potential victims. In this blog, we take a closer look at a unique infostealer designed to precisely target a narrow data set on systems located in chosen geographic locations.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/a-deep-dive…
∗∗∗ Russian State Actors: Development in Group Attributions ∗∗∗
---------------------------------------------
This is the final installment of Trustwave SpiderLabs' Russia-Ukraine digital battlefield series, which has spanned topics including the differences between Russia and Ukraine cyber actors, how government entities, defense organizations, and human targets were caught in the cyber crossfire, and how both countries targeted the telecommunications, critical ..
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/russian-sta…
∗∗∗ A Brand New Botnet Is Delivering Record-Size DDoS Attacks ∗∗∗
---------------------------------------------
Eleven11bot infects webcams and video recorders, with a large concentration in the US.
---------------------------------------------
https://www.wired.com/story/eleven11bot-botnet-record-size-ddos-attacks/
∗∗∗ Akira ransomware slips past IT security solution via webcam ∗∗∗
---------------------------------------------
The company network is actually protected by security software, which does raise the alarm. Nevertheless, a trojan was able to infect PCs via a detour.
---------------------------------------------
https://www.heise.de/news/Akira-Ransomware-schluepft-ueber-Webcam-an-IT-Sch…
∗∗∗ Who is the DOGE and X Technician Branden Spikes? ∗∗∗
---------------------------------------------
At 49, Branden Spikes isn't just one of the oldest technologists who has been involved in Elon Musk's Department of Government Efficiency (DOGE). As the current director of information technology at X/Twitter and an early hire at PayPal, Zip2, Tesla and SpaceX, Spikes is also among Musk's most loyal employees. Here's a closer look at this trusted Musk lieutenant, whose Russian ex-wife was once married to Elon's cousin.
---------------------------------------------
https://krebsonsecurity.com/2025/03/who-is-the-doge-and-x-technician-brande…
∗∗∗ Multiple Vulnerabilities Discovered in a SCADA System ∗∗∗
---------------------------------------------
We identified multiple vulnerabilities in ICONICS Suite, SCADA software used in numerous OT applications. This article offers a technical analysis of our findings.
---------------------------------------------
https://unit42.paloaltonetworks.com/vulnerabilities-in-iconics-software-sui…
∗∗∗ Russian crypto exchange Garantex’s website taken down in apparent law enforcement operation ∗∗∗
---------------------------------------------
Russian cryptocurrency exchange Garantex was taken down in an apparent seizure by U.S. and European law enforcement Thursday, shortly after the company said $28 million had been frozen by another cryptocurrency firm.
---------------------------------------------
https://therecord.media/garantex-crypto-exchange-taken-down-law-enforcement…
∗∗∗ CISA, FBI warn of BianLian mail scam targeting executives with $500k ransom note ∗∗∗
---------------------------------------------
In an alert on Thursday, the FBI said scammers are mailing letters to corporate executives claiming that they stole sensitive data and will publish it unless a demand is paid in Bitcoin.
---------------------------------------------
https://therecord.media/cisa-fbi-warn-bianlian-mail-scam-extortion
∗∗∗ Canadian intelligence agency warns of threat AI poses to upcoming elections ∗∗∗
---------------------------------------------
Influence and espionage campaigns, boosted by AI, are likely to be aimed at Canada's upcoming elections, says a new report from the CSE, the country's signals and cyber intelligence agency.
---------------------------------------------
https://therecord.media/canada-cyber-agency-elections-warning-ai-
∗∗∗ NixSpam RBL shut down as of 7.3.2025 – causing trouble – but now resolved ∗∗∗
---------------------------------------------
Brief information for blog readers who rely on "NixSpam RBL" for mail filtering. The service, operated by the heise publishing house, has been shut down as of today, 7 March 2025, which is causing some people problems ..
---------------------------------------------
https://www.borncity.com/blog/2025/03/07/nixspam-rbl-ab-7-3-2025-abgeschalt…
∗∗∗ New edu platform and Sanitization and Validation and Escaping, Oh My! article ∗∗∗
---------------------------------------------
With the beta launch of my company's educational platform (hackArcana), I finally have a place to write more about the fundamentals of security and post more educational content. The first piece I've written for our new platform touches on the confusion around the terms "validation," "sanitization," "encoding," "escaping," ..
---------------------------------------------
https://gynvael.coldwind.pl/?id=800
∗∗∗ Microsoft Dismantles Malvertising Scam Using GitHub, Discord, Dropbox ∗∗∗
---------------------------------------------
Microsoft Threat Intelligence exposes a malvertising campaign exploiting GitHub, Discord, and Dropbox. Discover the multi-stage attack chain, ..
---------------------------------------------
https://hackread.com/microsoft-dismantle-malvertising-github-discord-dropbo…
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 05-03-2025 18:00 − Thursday 06-03-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Alexander Riepl
=====================
= News =
=====================
∗∗∗ Massive botnet that appeared overnight is delivering record-size DDoSes ∗∗∗
---------------------------------------------
Eleven11bot infects video recorders, with the largest concentration of them in the US.
---------------------------------------------
https://arstechnica.com/security/2025/03/massive-botnet-that-appeared-overn…
∗∗∗ Malicious Chrome extensions can spoof password managers in new attack ∗∗∗
---------------------------------------------
A newly devised "polymorphic" attack allows malicious Chrome extensions to morph into other browser extensions, including password managers, crypto wallets, and banking apps, to steal sensitive information.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/malicious-chrome-extensions-…
∗∗∗ Trojans disguised as AI: Cybercriminals exploit DeepSeek’s popularity ∗∗∗
---------------------------------------------
Kaspersky experts have discovered campaigns distributing stealers, malicious PowerShell scripts, and backdoors through web pages mimicking the DeepSeek and Grok websites.
---------------------------------------------
https://securelist.com/backdoors-and-stealers-prey-on-deepseek-and-grok/115…
∗∗∗ PayPal password changed? Warning: phishing alert! ∗∗∗
---------------------------------------------
Phishing emails purporting to come from PayPal are currently making the rounds. They claim that the victim's password has been changed. To reverse this change, one supposedly only has to click a link and enter a few personal details. Behind this request, however, are criminals who are after personal information and banking data.
---------------------------------------------
https://www.watchlist-internet.at/news/paypal-passwort-phishing/
∗∗∗ Decrypting the Forest From the Trees ∗∗∗
---------------------------------------------
SCCM forest discovery accounts can be decrypted including accounts used for managing untrusted forests. If the site server is a managed client, service account credentials can be decrypted via the Administration Service API.
---------------------------------------------
https://posts.specterops.io/decrypting-the-forest-from-the-trees-661694ed16…
∗∗∗ Medusa Ransomware Activity Continues to Increase ∗∗∗
---------------------------------------------
Medusa ransomware attacks jumped by 42% between 2023 and 2024. This increase in activity continues to escalate, with almost twice as many Medusa attacks observed in January and February 2025 as in the first two months of 2024.
---------------------------------------------
https://www.security.com/threat-intelligence/medusa-ransomware-attacks
∗∗∗ Unveiling EncryptHub: Analysis of a multi-stage malware campaign ∗∗∗
---------------------------------------------
EncryptHub, a rising cybercriminal entity, has recently caught the attention of multiple threat intelligence teams, including our own (Outpost24’s KrakenLabs). While other reports have begun to shed light on this actor’s operations, our investigation goes a step further, uncovering previously unseen aspects of their infrastructure, tooling, and behavioral patterns.
---------------------------------------------
https://outpost24.com/blog/unveiling-encrypthub-multi-stage-malware/
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr), Fedora (firefox and vim), Red Hat (firefox), Slackware (mozilla), SUSE (firefox, firefox-esr, kernel, and podman), and Ubuntu (gpac, kernel, linux, linux-aws, linux-gcp, linux-gcp-5.15, linux-gke, linux-hwe-5.15, and redis).
---------------------------------------------
https://lwn.net/Articles/1013209/
∗∗∗ Security update: critical code-execution vulnerability threatens Kibana ∗∗∗
---------------------------------------------
As the developers explain in a security warning, versions >= 8.15.0 and < 8.17.1 are only attackable if attackers have Viewer role privileges. [..] With a CVSS 3.1 score of 9.9 out of 10, the vulnerability narrowly misses the maximum rating. (CVE-2025-25012)
---------------------------------------------
https://heise.de/-10306066
∗∗∗ ABB Cylon Aspect 3.08.01 (caldavUpload.php) Funkalicious Exploit ∗∗∗
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5926.php
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 04-03-2025 18:00 − Wednesday 05-03-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Alexander Riepl
=====================
= News =
=====================
∗∗∗ Text-based QR code phishing in circulation ∗∗∗
---------------------------------------------
We reported on this new approach in our newsletters in 2024; now we are also receiving direct reports of "image-less" QR code phishes. In brief: the QR code is not transmitted as an image file, as is usually the case, but is assembled from individual ASCII/Unicode block characters. As a result, the content contained in the QR code can remain hidden from security solutions while remaining functional for optical QR code scanners.
---------------------------------------------
https://www.cert.at/de/aktuelles/2025/3/text-basiertes-qr-code-phishing-im-…
∗∗∗ Use one Virtual Machine to own them all — active exploitation of ESXicape ∗∗∗
---------------------------------------------
Yesterday, VMware quietly released patches for three ESXi zero day vulnerabilities: CVE-2025-22224, CVE-2025-22225, CVE-2025-22226. Although the advisory doesn’t explicitly say it, this is a hypervisor escape (aka a VM Escape). A threat actor with access to run code on a virtual machine can chain the three vulnerabilities to elevate access to the ESX hypervisor.
---------------------------------------------
https://doublepulsar.com/use-one-virtual-machine-to-own-them-all-active-exp…
∗∗∗ BadBox malware disrupted on 500K infected Android devices ∗∗∗
---------------------------------------------
The BadBox Android malware botnet has been disrupted again by removing 24 malicious apps from Google Play and sinkholing communications for half a million infected devices. [..] The BadBox botnet is a cyber-fraud operation targeting primarily low-cost Android-based devices like TV streaming boxes, tablets, smart TVs, and smartphones. These devices either come pre-loaded with the BadBox malware from the manufacturer or are infected by malicious apps or firmware downloads.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/badbox-malware-disrupted-on-…
∗∗∗ Undercover miner: how YouTubers get pressed into distributing SilentCryptoMiner as a restriction bypass tool ∗∗∗
---------------------------------------------
Attackers blackmail YouTubers with complaints and account blocking threats, forcing them to distribute a miner disguised as a bypass tool.
---------------------------------------------
https://securelist.com/silentcryptominer-spreads-through-blackmail-on-youtu…
∗∗∗ The Russia-Ukraine Cyber War Part 3: Attacks on Telecom and Critical Infrastructure ∗∗∗
---------------------------------------------
This post is the third part of our blog series that tackles the Russia-Ukraine war in the digital realm.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-russia-…
∗∗∗ BAMF: bizarre test accounts enabled unauthorised data access ∗∗∗
---------------------------------------------
Screenshots of the web application reportedly showed that an account with the user ID "max.mustermann(a)testtraeger.de" apparently existed in the test and integration system. The domain was reportedly still unregistered.
---------------------------------------------
https://www.heise.de/news/BAMF-Skurrile-Testkonten-ermoeglichten-unautorisi…
∗∗∗ Beneath the Surface: Detecting and Blocking Hidden Malicious Traffic Distribution Systems ∗∗∗
---------------------------------------------
Adversaries widely abuse TDS infrastructure to build dynamic and resilient network infrastructure for malicious web services. These redirection networks enhance resilience against takedowns and enable scaling and cloaking of malicious content.
---------------------------------------------
https://unit42.paloaltonetworks.com/detect-block-malicious-traffic-distribu…
∗∗∗ CVE-2024-43639: Remote Code Execution in Microsoft Windows KDC Proxy ∗∗∗
---------------------------------------------
The following is a portion of their write-up covering CVE-2024-43639, with a few minimal modifications. [..] This vulnerability was patched by the vendor in November. To date, no attacks have been detected in the wild.
---------------------------------------------
https://www.thezdi.com/blog/2025/3/3/cve-2024-43639
∗∗∗ Scammers Mailing Ransom Letters While Posing as BianLian Ransomware ∗∗∗
---------------------------------------------
Scammers are impersonating BianLian ransomware, and mailing fake ransom letters to businesses.
---------------------------------------------
https://hackread.com/scammers-mailing-ransom-letters-bianlian-ransomware/
∗∗∗ LinkedIn Phishing Scam: Fake InMail Messages Spreading ConnectWise Trojan ∗∗∗
---------------------------------------------
Cybersecurity researchers at Cofense have recently uncovered a deceptive campaign that distributes malicious software using a spoofed LinkedIn email. [..] The fraudulent email is designed to mimic a notification for a LinkedIn InMail message, a feature that allows users to contact individuals outside of their immediate network. The email effectively leverages LinkedIn’s branding, convincingly creating legitimacy.
---------------------------------------------
https://hackread.com/scammers-fake-linkedin-inmail-deliver-connectwise-troj…
∗∗∗ GreyNoise Observes Exploitation of Three Newly Added KEV Vulnerabilities ∗∗∗
---------------------------------------------
On March 3, 2025, the Cybersecurity and Infrastructure Security Agency added five vulnerabilities to its Known Exploited Vulnerabilities catalog, confirming their exploitation in the wild. [..] CVE-2022-43939 (Authorization Bypass) & CVE-2022-43769 (Special Element Injection) Hitachi Vantara Pentaho BA Server [..] CVE-2024-4885 Progress WhatsUp Gold Path Traversal Vulnerability.
---------------------------------------------
https://www.greynoise.io/blog/greynoise-observes-exploitation-three-newly-a…
∗∗∗ GoStringUngarbler: Deobfuscating Strings in Garbled Binaries ∗∗∗
---------------------------------------------
In this blog post, we'll detail garble’s string transformations and the process of automatically deobfuscating them.
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/gostringungarbler-…
∗∗∗ Trigon: developing a deterministic kernel exploit for iOS ∗∗∗
---------------------------------------------
CVE-2023-32434 was an integer overflow in the VM subsystem of the XNU kernel. It was patched in iOS 16.5.1 after being found in-the-wild as part of the Operation Triangulation spyware chain, discovered after it was used to infect a group of security researchers at Kaspersky. These researchers then captured and reverse-engineered the entire chain, leading to the patching of a WebKit bug, a kernel bug, a userspace PAC bypass and a PPL (and, technically, a KTRR) bypass. [..] This writeup simply shows the steps involved in the final, working exploit. It does not, however, convey just how many failed ideas and attempts there were during the process.
---------------------------------------------
https://alfiecg.uk/2025/03/01/Trigon.html
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libreoffice), Fedora (exim and fscrypt), Red Hat (kernel), Slackware (mozilla), SUSE (docker, firefox, and podman), and Ubuntu (linux, linux-lowlatency, linux-lowlatency-hwe-5.15, linux, linux-lowlatency, linux-lowlatency-hwe-6.8, linux, linux-oem-6.11, linux-aws, linux-aws-6.8, linux-oracle, linux-oracle-6.8, linux-raspi, linux-aws, linux-gcp, linux-hwe-6.11, linux-oracle, linux-raspi, linux-realtime, linux-aws, linux-gkeop, linux-ibm, linux-intel-iotg, linux-intel-iotg-5.15, linux-oracle, linux-oracle-5.15, linux-raspi, and linux-gcp, linux-gcp-6.8, linux-gke, linux-gkeop).
---------------------------------------------
https://lwn.net/Articles/1013063/
∗∗∗ Cisco Secure Client for Windows with Secure Firewall Posture Engine DLL Hijacking Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco TelePresence Management Suite Cross-Site Scripting Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Security Vulnerabilities fixed in Thunderbird ESR 128.8 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2025-18/
∗∗∗ Security Vulnerabilities fixed in Thunderbird 136 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2025-17/
=====================
= End-of-Day report =
=====================
Timeframe: Monday 03-03-2025 18:00 − Tuesday 04-03-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Polish Space Agency offline as it recovers from cyberattack ∗∗∗
---------------------------------------------
The Polish Space Agency (POLSA) has been offline since it disconnected its systems from the Internet over the weekend to contain a breach of its IT infrastructure.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/polish-space-agency-offline-…
∗∗∗ Booking a Threat: Inside LummaStealer's Fake reCAPTCHA ∗∗∗
---------------------------------------------
Cybercriminals are taking advantage of the increased demand in travel by setting up fake booking sites, phishing scams and fraudulent listings to trick unsuspecting travelers.
---------------------------------------------
https://www.gdatasoftware.com/blog/2025/03/38154-lummastealer-fake-recaptcha
∗∗∗ AI training data: Thousands of valid API keys discovered in crawled web data ∗∗∗
---------------------------------------------
While analysing a freely available archive of around 400 TB of website data, researchers found almost 12,000 valid API keys and passwords.
---------------------------------------------
https://www.golem.de/news/ki-trainingsdaten-tausende-gueltiger-api-keys-in-…
∗∗∗ Critical vulnerability in VMware ESXi, Fusion and Workstation is being exploited ∗∗∗
---------------------------------------------
Broadcom warns of security flaws, some of them critical, in VMware ESXi, Fusion and Workstation. Attackers are already exploiting them.
---------------------------------------------
https://www.heise.de/news/Kritische-Luecke-in-VMware-ESXi-Fusion-und-Workst…
∗∗∗ DNSSEC NSEC. The accidental treasure map to your subdomains ∗∗∗
---------------------------------------------
TL;DR: DNSSEC secures DNS but may unintentionally expose domain structures via NSEC/NSEC3 records, enabling zone walking to enumerate subdomains. NSEC openly lists domain names, making enumeration easy. NSEC3 hashes ..
---------------------------------------------
https://www.pentestpartners.com/security-blog/dnssec-nsec-the-accidental-tr…
∗∗∗ MeinELBA access about to expire? Beware, phishing attempt! ∗∗∗
---------------------------------------------
Criminals are currently once again sending large numbers of SMS messages warning that the recipient's MeinELBA access is about to expire. Anyone who wants to renew it is told to click a link and enter their online banking credentials on a supposed login page. This page is of course a fake, but a very well-made one. This article explains how to recognise it and what you can do if you have already entered confidential information there.
---------------------------------------------
https://www.watchlist-internet.at/news/meinelba-zugang-phishing/
∗∗∗ A Revision of the EU Cybersecurity Blueprint ∗∗∗
---------------------------------------------
The original EU cybersecurity blueprint from 2017 (officially: “Commission Recommendation of 13.9.2017 on Coordinated Response to Large Scale Cybersecurity Incidents and Crises”) is now close to seven years old and an update is overdue. The Commission recently published a draft for an updated version, and I’d like to take this opportunity to ..
---------------------------------------------
https://www.cert.at/en/blog/2025/3/a-revision-of-the-eu-cybersecurity-bluep…
∗∗∗ Did Trump Admin Order U.S. Cyber Command and CISA to Stand Down on Russia? ∗∗∗
---------------------------------------------
Two blockbuster stories published on Friday appear to confirm what many Americans suspected would occur under the Trump administration – that the new regime is going to be softer on Russia than previous administrations, particularly with regard to the threat that Russia poses in cyber space. Since publication, however, ..
---------------------------------------------
https://www.zetter-zeroday.com/did-trump-admin-order-u-s-cyber-command-and-…
∗∗∗ The Dangers of Exposed Secrets – and How to Prevent Them ∗∗∗
---------------------------------------------
Modern enterprise software relies on authentication tokens, API keys, encryption keys, certificates, and other sensitive credentials to enable secure communication between applications, microservices, APIs, and DevOps pipelines. However, these secrets often end up hardcoded in source code during the development process, whether unintentionally or as a shortcut for quick ..
---------------------------------------------
https://checkmarx.com/blog/exposed-secrets-and-how-to-prevent-them/
∗∗∗ Do not run any Cargo commands on untrusted projects ∗∗∗
---------------------------------------------
TL;DR: Treat anything starting with cargo as if it is cargo run.
---------------------------------------------
https://shnatsel.medium.com/do-not-run-any-cargo-commands-on-untrusted-proj…
∗∗∗ Hacking the Xbox 360 Hypervisor Part 2: The Bad Update Exploit ∗∗∗
---------------------------------------------
Welcome to part 2 of the Hacking the Xbox 360 Hypervisor blog series. In this part I’ll cover how I found and exploited bugs in the Xbox 360 hypervisor to get full code execution and create the “Bad Update” exploit. If you haven’t already, I highly recommend you read (or at least skim through) part 1 as this post will reference a lot of the material discussed there.
---------------------------------------------
https://icode4.coffee/?p=1081
=====================
= Vulnerabilities =
=====================
∗∗∗ Docusnap Inventory Files Encrypted with Static Key ∗∗∗
---------------------------------------------
Inventory files created by Docusnap, containing information like installed programs, firewall rules and local administrators, are encrypted with a static key. The decryption key can be obtained easily from the .NET application, downloadable from the vendor’s website. When following Docusnap’s installation instructions for Windows Domains, every domain user has read access to these files.
---------------------------------------------
https://www.redteam-pentesting.de/en/advisories/rt-sa-2024-012/
∗∗∗ Security Vulnerabilities fixed in Firefox ESR 128.8 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2025-16/
∗∗∗ Security Vulnerabilities fixed in Firefox ESR 115.21 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2025-15/
∗∗∗ Security Vulnerabilities fixed in Firefox 136 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2025-14/
=====================
= End-of-Day report =
=====================
Timeframe: Friday 28-02-2025 18:00 − Monday 03-03-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Ransomware gangs exploit Paragon Partition Manager bug in BYOVD attacks ∗∗∗
---------------------------------------------
Microsoft had discovered five Paragon Partition Manager BioNTdrv.sys driver flaws, with one used by ransomware gangs in zero-day attacks to gain SYSTEM privileges in Windows.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ransomware-gangs-exploit-par…
∗∗∗ Without user interaction: How hackers were able to take over other people's Gitlab accounts ∗∗∗
---------------------------------------------
Last year, Gitlab closed a dangerous security vulnerability. A new report shows how easily it could be used to hijack other users' accounts.
---------------------------------------------
https://www.golem.de/news/sicherheitsluecke-per-passwort-reset-fremde-gitla…
∗∗∗ Mobile malware evolution in 2024 ∗∗∗
---------------------------------------------
The most notable mobile threats of 2024, and statistics on Android-specific malware, adware and potentially unwanted software.
---------------------------------------------
https://securelist.com/mobile-threat-report-2024/115494/
∗∗∗ Sleeping Beauty: taming Crowdstrike Falcon with this simple trick ∗∗∗
---------------------------------------------
After attackers have obtained the rights of a user with "NT AUTHORITY\SYSTEM" privileges by exploiting other vulnerabilities ..
---------------------------------------------
https://sec-consult.com/de/blog/detail/dornroeschenschlaf-mit-diesem-einfac…
∗∗∗ Vo1d Botnet's Peak Surpasses 1.59M Infected Android TVs, Spanning 226 Countries ∗∗∗
---------------------------------------------
Brazil, South Africa, Indonesia, Argentina, and Thailand have become the targets of a campaign that has infected Android TV devices with a botnet malware dubbed Vo1d. The improved variant of Vo1d has been found to encompass 800,000 daily active IP ..
---------------------------------------------
https://thehackernews.com/2025/03/vo1d-botnets-peak-surpasses-159m.html
∗∗∗ Cybersecurity not the hiring-em-like-hotcakes role it once was ∗∗∗
---------------------------------------------
Ghost positions, HR AI no help – biz should talk to infosec staff and create realistic job outline, say experts. It's a familiar refrain in the security industry that there is a massive skills gap in the sector. And while it's true there are specific shortages in certain areas, some industry watchers believe we may be reaching the point of oversupply for generalists.
---------------------------------------------
https://www.theregister.com/2025/03/03/cybersecurity_jobs_market/
∗∗∗ Massive security vulnerabilities discovered in building access systems ∗∗∗
---------------------------------------------
Cybercriminals can easily gain access to building access control systems worldwide. A study describes the extent of the problem and its causes.
---------------------------------------------
https://www.heise.de/news/Massive-Sicherheitsluecken-bei-Gebaeude-Zugangssy…
∗∗∗ Attackers bring along the vulnerable Paragon driver and abuse it ∗∗∗
---------------------------------------------
Attackers are abusing a flaw in a Paragon Partition Manager driver. What makes it particularly dangerous: they can bring the driver along themselves.
---------------------------------------------
https://www.heise.de/news/Sicherheitsleck-in-Treiber-von-Paragon-Partition-…
∗∗∗ Thule bike trailers: cyclists targeted by fake shops ∗∗∗
---------------------------------------------
The bicycle trailers made by the long-established company Thule rightly enjoy an excellent reputation. Criminals keep exploiting this: they clone the Thule online store and lure their victims into the trap with supposed top bargains. This article explains how you can recognise the fake shops and what options you still have if you have already made a payment.
---------------------------------------------
https://www.watchlist-internet.at/news/thule-radanhaenger-fake-shops/
∗∗∗ Uncovering .NET Malware Obfuscated by Encryption and Virtualization ∗∗∗
---------------------------------------------
Malware authors use AES encryption and code virtualization to evade sandbox static analysis. We explore how this facilitates spread of Agent Tesla, XWorm and more.
---------------------------------------------
https://unit42.paloaltonetworks.com/malware-obfuscation-techniques/
∗∗∗ Black Basta and Cactus Ransomware Groups Add BackConnect Malware to Their Arsenal ∗∗∗
---------------------------------------------
In this blog entry, we discuss how the Black Basta and Cactus ransomware groups utilized the BackConnect malware to maintain persistent control and exfiltrate sensitive data from compromised machines.
---------------------------------------------
https://www.trendmicro.com/en_us/research/25/b/black-basta-cactus-ransomwar…
∗∗∗ Not Lost in Translation: Rosetta 2 Artifacts in macOS Intrusions ∗∗∗
---------------------------------------------
Rosetta 2 is Apple's translation technology for running x86-64 binaries on Apple Silicon (ARM64) macOS systems. Rosetta 2 translation creates a cache of Ahead-Of-Time (AOT) files that can serve as valuable forensic artifacts. Mandiant has observed sophisticated threat actors leveraging x86-64 compiled macOS malware, likely due to broader ..
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/rosetta2-artifacts…
∗∗∗ how to gain code execution on millions of people and hundreds of popular apps ∗∗∗
---------------------------------------------
.. and of course, firebase was (partially) the cause
---------------------------------------------
https://kibty.town/blog/todesktop/
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (ffmpeg, kernel, linux-6.1, mariadb-10.5, proftpd-dfsg, and xorg-server), Fedora (chromium, cutter-re, iniparser, nodejs22, rizin, webkitgtk, wireshark, xen, and xorg-x11-server), Mageia (binutils and ffmpeg), Oracle (emacs and kernel), Red Hat (emacs and webkit2gtk3), SUSE (azure-cli, bsdtar, gnutls, govulncheck-vulndb, ..
---------------------------------------------
https://lwn.net/Articles/1012760/
∗∗∗ CISA Adds Five Known Exploited Vulnerabilities to Catalog ∗∗∗
---------------------------------------------
CISA has added five new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2023-20118 Cisco Small Business RV Series Routers Command Injection ..
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/03/03/cisa-adds-five-known-exp…
∗∗∗ DSA-5872-1 xorg-server - security update ∗∗∗
---------------------------------------------
https://lists.debian.org/debian-security-announce/2025/msg00034.html