=====================
= End-of-Day report =
=====================
Timeframe: Friday 14-03-2025 18:00 − Monday 17-03-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Coinbase phishing email tricks users with fake wallet migration ∗∗∗
---------------------------------------------
A large-scale Coinbase phishing attack poses as a mandatory wallet migration, tricking recipients into setting up a new wallet with a pre-generated recovery phrase controlled by attackers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/coinbase-phishing-email-tric…
∗∗∗ Malicious Adobe, DocuSign OAuth apps target Microsoft 365 accounts ∗∗∗
---------------------------------------------
Cybercriminals are promoting malicious Microsoft OAuth apps that masquerade as Adobe and DocuSign apps to deliver malware and steal Microsoft 365 account credentials.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/malicious-adobe-docusign-oau…
∗∗∗ Mirai Bot now incorporating (malformed?) DrayTek Vigor Router Exploits, (Sun, Mar 16th) ∗∗∗
---------------------------------------------
Last October, Forescout published a report disclosing several vulnerabilities in DrayTek routers. According to Forescout, about 700,000 devices were exposed to these vulnerabilities ..
---------------------------------------------
https://isc.sans.edu/diary/Mirai+Bot+now+incroporating+malformed+DrayTek+Vi…
∗∗∗ Credit Card Skimmer and Backdoor on WordPress E-commerce Site ∗∗∗
---------------------------------------------
The battle against e-commerce malware continues to intensify, with attackers deploying increasingly sophisticated tactics. In a recent case at Sucuri, a customer reported suspicious files and unexpected behavior on their WordPress site. Upon deeper analysis, we discovered a complicated infection involving multiple components: a credit card skimmer, a ..
---------------------------------------------
https://blog.sucuri.net/2025/03/credit-card-skimmer-and-backdoor-on-wordpre…
∗∗∗ Malicious PyPI Packages Stole Cloud Tokens—Over 14,100 Downloads Before Removal ∗∗∗
---------------------------------------------
Cybersecurity researchers have warned of a malicious campaign targeting users of the Python Package Index (PyPI) repository with bogus libraries masquerading as "time" related utilities, but harboring hidden functionality to steal sensitive data such as ..
---------------------------------------------
https://thehackernews.com/2025/03/malicious-pypi-packages-stole-cloud.html
∗∗∗ Microsoft wouldn't look at a bug report without a video. Researcher maliciously complied ∗∗∗
---------------------------------------------
Maddening techno loop, Zoolander reference, and 14 minutes of time wasted. A vulnerability analyst and prominent member of the infosec industry has blasted Microsoft for refusing to look at a bug report unless he submitted a video alongside a written explanation.
---------------------------------------------
https://www.theregister.com/2025/03/17/microsoft_bug_report_troll/
∗∗∗ Fake security warning: Scammers try to hijack GitHub accounts ∗∗∗
---------------------------------------------
Security researchers report attack attempts against around 12,000 GitHub repositories. The attackers aim to gain full control over the accounts.
---------------------------------------------
https://www.heise.de/news/Fake-Sicherheitswarnung-Betrueger-versuchen-Githu…
∗∗∗ ClickFix: How to Infect Your PC in Three Easy Steps ∗∗∗
---------------------------------------------
A clever malware deployment scheme first spotted in targeted attacks last year has now gone mainstream. In this scam, dubbed "ClickFix," the visitor to a hacked or malicious website is asked to distinguish ..
---------------------------------------------
https://krebsonsecurity.com/2025/03/clickfix-how-to-infect-your-pc-in-three…
∗∗∗ RCS: Apple and Google agree on end-to-end encrypted communication ∗∗∗
---------------------------------------------
The new version of the SMS successor supports secure encryption; the two industry giants want to adopt it on Android and iPhone.
---------------------------------------------
https://www.derstandard.at/story/3000000261679/rcs-apple-und-google-einigen…
∗∗∗ Telegram CEO confirms leaving France amid criminal probe ∗∗∗
---------------------------------------------
The Russian-born founder and owner of the messaging app Telegram said he returned to Dubai after spending several months in France due to a criminal investigation related to activity on the app.
---------------------------------------------
https://therecord.media/telegram-pavel-durov-leaves-france-amid-probe
∗∗∗ Mora_001 ransomware gang exploiting Fortinet bug spotlighted by CISA in January ∗∗∗
---------------------------------------------
Two vulnerabilities impacting Fortinet products are being exploited by a new ransomware operation with ties to the LockBit ransomware group.
---------------------------------------------
https://therecord.media/mora001-ransomware-gang-exploiting-vulnerability-lo…
∗∗∗ Scammers Pose as Cl0p Ransomware to Send Fake Extortion Letters ∗∗∗
---------------------------------------------
Scammers are sending fake extortion and ransom demands while posing as ransomware gangs, including the notorious Cl0p ransomware.
---------------------------------------------
https://hackread.com/scammers-pose-cl0p-ransomware-fake-extortion-letters/
∗∗∗ BitM Up! Session Stealing in Seconds Using the Browser-in-the-Middle Technique ∗∗∗
---------------------------------------------
The Rise of Browser in the Middle (BitM): BitM attacks offer a streamlined approach, allowing attackers to quickly compromise sessions across various web applications. MFA Remains Crucial, But Not Invulnerable: ..
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/session-stealing-b…
∗∗∗ Supply Chain Security Risk: GitHub Action tj-actions/changed-files Compromised ∗∗∗
---------------------------------------------
On March 14th, 2025, security researchers discovered a critical software supply chain vulnerability in the widely-used GitHub Action tj-actions/changed-files (CVE-2025-30066). This vulnerability allows remote attackers ..
---------------------------------------------
https://blog.aquasec.com/supply-chain-security-threat-github-action-tj-acti…
∗∗∗ Bypassing Authentication Like It’s The ‘90s - Pre-Auth RCE Chain(s) in Kentico Xperience CMS ∗∗∗
---------------------------------------------
I recently joined watchTowr, and it is, therefore, time - time for my first watchTowr Labs blogpost, previously teased in a tweet of a pre-auth RCE chain affecting some ‘unknown software’. Joining the team, I wanted to maintain the trail of destruction left by the watchTowr Labs team, ..
---------------------------------------------
https://labs.watchtowr.com/bypassing-authentication-like-its-the-90s-pre-au…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (opensaml and php8.2), Fedora (chromium, ctk, dcmtk, expat, ffmpeg, firefox, fscrypt, gdcm, InsightToolkit, kitty, libssh2, libxml2, linux-firmware, man2html, nextcloud, OpenImageIO, php, podman-tui, python-django, python-django5, python-gunicorn, python-jinja2, python-spotipy, python3.6, qt6-qtwebengine, thunderbird, tigervnc, vim, vyper, xen, xorg-x11-server, and xorg-x11-server-Xwayland), Mageia (freetype2, ghostscript, and man2html), ..
---------------------------------------------
https://lwn.net/Articles/1014437/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 13-03-2025 18:00 − Friday 14-03-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ New SuperBlack ransomware exploits Fortinet auth bypass flaws ∗∗∗
---------------------------------------------
A new ransomware operator named Mora_001 is exploiting two Fortinet vulnerabilities to gain unauthorized access to firewall appliances and deploy a custom ransomware strain dubbed SuperBlack.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-superblack-ransomware-ex…
∗∗∗ Ransomware gang creates tool to automate VPN brute-force attacks ∗∗∗
---------------------------------------------
The Black Basta ransomware operation created an automated brute-forcing framework dubbed BRUTED to breach edge networking devices like firewalls and VPNs.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/black-basta-ransomware-creat…
∗∗∗ Jailbreaking is (mostly) simpler than you think ∗∗∗
---------------------------------------------
Today, we are sharing insights on a simple, optimization-free jailbreak method called Context Compliance Attack (CCA), that has proven effective against most leading AI systems. We are disseminating this research to promote awareness and encourage system designers to implement appropriate safeguards.
---------------------------------------------
https://msrc.microsoft.com/blog/2025/03/jailbreaking-is-mostly-simpler-than…
∗∗∗ CISA: We didn't fire red teams, we just unhired a bunch of them ∗∗∗
---------------------------------------------
Agency tries to save face as it also pulls essential funding for election security initiatives. Uncle Sam's cybersecurity agency is trying to save face by seeking to clear up what it's calling "inaccurate reporting" after a former senior pen-tester claimed the organization axed two red teams.
---------------------------------------------
https://www.theregister.com/2025/03/13/cisa_red_team_layoffs/
∗∗∗ A New Era of Attacks on Encryption Is Starting to Heat Up ∗∗∗
---------------------------------------------
The UK, France, Sweden, and EU have made fresh attacks on end-to-end encryption. Some of the attacks are more “crude” than those in recent years, experts say.
---------------------------------------------
https://www.wired.com/story/a-new-era-of-attacks-on-encryption-is-starting-…
∗∗∗ Remote access: Ivanti Secure Access Client as an entry point for attackers ∗∗∗
---------------------------------------------
A security update closes a vulnerability in Ivanti Secure Access Client on Windows.
---------------------------------------------
https://www.heise.de/news/Fernzugriff-Ivanti-Secure-Access-Client-als-Einfa…
∗∗∗ Off the Beaten Path: Recent Unusual Malware ∗∗∗
---------------------------------------------
Three unusual malware samples analyzed here include an IIS backdoor developed in a rare language, a bootkit and a Windows implant of a post-exploitation framework.
---------------------------------------------
https://unit42.paloaltonetworks.com/unusual-malware/
∗∗∗ Ransomware attack takes down health system network in Micronesia ∗∗∗
---------------------------------------------
One of the four states that make up the Pacific nation of Micronesia is battling against ransomware hackers who have forced all of the computers used by its government health agency offline.
---------------------------------------------
https://therecord.media/ransomware-attack-micronesia-health-system
∗∗∗ Europe's telecoms sector under increased threat from cyber spies, warns Denmark ∗∗∗
---------------------------------------------
State-sponsored cyber espionage is a bigger threat than ever to Europe's telecommunications networks, according to a new assessment from Denmark's government.
---------------------------------------------
https://therecord.media/europe-increased-cyber-espionage-telecoms-denmark-r…
∗∗∗ Alleged Russian LockBit developer extradited from Israel, appears in New Jersey court ∗∗∗
---------------------------------------------
Rostislav Panev, who was arrested in Israel in August 2024 on U.S. charges related to dozens of LockBit ransomware attacks, has been extradited and appeared in a New Jersey federal court, authorities said.
---------------------------------------------
https://therecord.media/lockbit-alleged-russian-developer-extradited-us-isr…
∗∗∗ SocGholish’s Intrusion Techniques Facilitate Distribution of RansomHub Ransomware ∗∗∗
---------------------------------------------
Trend Research analyzed SocGholish’s MaaS framework and its role in deploying RansomHub ransomware through compromised websites, using highly obfuscated JavaScript loaders to evade detection and execute various malicious tasks.
---------------------------------------------
https://www.trendmicro.com/en_us/research/25/c/socgholishs-intrusion-techni…
∗∗∗ Recursion kills: The story behind CVE-2024-8176 / Expat 2.7.0 released, includes security fixes ∗∗∗
---------------------------------------------
Expat 2.7.0 has been released earlier today. I will make this a more detailed post than usual because in many ways there is more to tell about this release than the average libexpat release: there is a story this time
---------------------------------------------
https://blog.hartwork.org/posts/expat-2-7-0-released/
∗∗∗ Memory Corruption in Delphi ∗∗∗
---------------------------------------------
Our team at Include Security is often asked to examine applications coded in languages that are usually considered “unsafe”, such as C and C++, due to their lack of memory safety functionality. Critical aspects of reviewing such code include identifying where bounds-checking, input validation, and pointer handling/dereferencing are ..
---------------------------------------------
https://blog.includesecurity.com/2025/03/memory-corruption-in-delphi/
∗∗∗ My Scammer Girlfriend: Baiting A Romance Fraudster ∗∗∗
---------------------------------------------
At the beginning of the year, a spate of very similar mails appeared in my spam-box. Although originating from different addresses (and sent to different recipients), they all appeared to be the opener for the same romance scam campaign.
---------------------------------------------
https://www.bentasker.co.uk/posts/blog/security/seducing-a-romance-scammer.…
=====================
= Vulnerabilities =
=====================
∗∗∗ ZDI-25-135: Adobe Acrobat Reader DC AcroForm Use of Uninitialized Variable Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Adobe Acrobat Reader DC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2025-27162.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-135/
∗∗∗ ZDI-25-134: Adobe Acrobat Reader DC Doc Object Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Adobe Acrobat Reader DC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2025-24431.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-134/
∗∗∗ ZDI-25-133: Adobe Acrobat Reader DC Annotation Use-After-Free Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Adobe Acrobat Reader DC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2025-27174.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-133/
∗∗∗ ZDI-25-132: Adobe Acrobat Reader DC Annotation Use-After-Free Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Adobe Acrobat Reader DC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2025-27159.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-132/
∗∗∗ ZDI-25-131: Adobe Acrobat Reader DC Annotation Use-After-Free Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Adobe Acrobat Reader DC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2025-27160.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-131/
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 12-03-2025 18:00 − Thursday 13-03-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ No Project Is an Island: Why You Need SBOMs and Dependency Management ∗∗∗
---------------------------------------------
The system you develop and maintain does not exist in isolation. Providing SBOMs for our work is our way to show we care. Software is a relatively recent phenomenon. For a long time, you could credibly say most of its existence, software was poorly understood by society and industry at large. There was ..
---------------------------------------------
https://bsdly.blogspot.com/2025/03/no-project-is-island-why-you-need-sboms.…
∗∗∗ Facebook discloses FreeType 2 flaw exploited in attacks ∗∗∗
---------------------------------------------
Facebook is warning that a FreeType vulnerability in all versions up to 2.13 can lead to arbitrary code execution, with reports that the flaw has been exploited in attacks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/facebook-discloses-freetype-…
∗∗∗ Air ticket wholesaler: Cyberattack paralyses Aerticket's booking system ∗∗∗
---------------------------------------------
After a hacker attack, Aerticket's booking system is unusable for the time being. A quick recovery is probably not to be expected.
---------------------------------------------
https://www.golem.de/news/flugticketgrosshaendler-cyberangriff-legt-buchung…
∗∗∗ Head Mare and Twelve join forces to attack Russian entities ∗∗∗
---------------------------------------------
We analyze the activities of the Head Mare hacktivist group, which has been attacking Russian companies jointly with Twelve.
---------------------------------------------
https://securelist.com/head-mare-twelve-collaboration/115887/
∗∗∗ Phishing campaign impersonates Booking .com, delivers a suite of credential-stealing malware ∗∗∗
---------------------------------------------
Starting in December 2024, leading up to some of the busiest travel days, Microsoft Threat Intelligence identified a phishing campaign that impersonates online travel agency Booking.com and targets organizations in the hospitality industry. The campaign uses a social engineering technique called ClickFix to deliver multiple credential-stealing malware ..
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2025/03/13/phishing-campaign-…
∗∗∗ Medusa ransomware affiliate tried triple extortion scam – up from the usual double demand ∗∗∗
---------------------------------------------
Feds warn gang still rampant and now cracked 300+ victims around the world. A crook who distributes the Medusa ransomware tried to make a victim cough up three payments instead of the usual two, according to a government advisory on how to defend against the malware and the gangs who wield it.
---------------------------------------------
https://www.theregister.com/2025/03/13/medusa_ransomware_infects_300_critic…
∗∗∗ DeepSeek can be gently persuaded to spit out malware code ∗∗∗
---------------------------------------------
It might need polishing, but a useful find for any budding cybercrooks out there. DeepSeek's flagship R1 model is capable of generating a working keylogger and basic ransomware code, just as long as a techie is on hand to tinker with it a little.
---------------------------------------------
https://www.theregister.com/2025/03/13/deepseek_malware_code/
∗∗∗ Security vulnerabilities: GitLab developers advise a prompt update ∗∗∗
---------------------------------------------
Important security updates have been released for the software development platform GitLab.
---------------------------------------------
https://www.heise.de/news/Sicherheitsluecken-Gitlab-Entwickler-raten-zu-zue…
∗∗∗ Security updates: Root vulnerability threatens Cisco ASR routers ∗∗∗
---------------------------------------------
Network equipment vendor Cisco has closed several vulnerabilities through which attackers can attack ASR routers, among other devices.
---------------------------------------------
https://www.heise.de/news/Sicherheitsupdates-Root-Sicherheitsluecke-bedroht…
∗∗∗ Malicious code vulnerabilities threaten FortiOS, FortiSandbox & Co. ∗∗∗
---------------------------------------------
Several Fortinet products are attackable. Security patches provide a remedy.
---------------------------------------------
https://www.heise.de/news/Schadcode-Sicherheitsluecken-bedrohen-FortiOS-For…
∗∗∗ Investigating Scam Crypto Investment Platforms Using Pyramid Schemes to Defraud Victims ∗∗∗
---------------------------------------------
We identified a campaign spreading thousands of scam crypto investment platforms through websites and mobile apps, possibly through a standardized toolkit.
---------------------------------------------
https://unit42.paloaltonetworks.com/fraud-crypto-platforms-campaign/
∗∗∗ #StopRansomware: Medusa Ransomware ∗∗∗
---------------------------------------------
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint advisory to disseminate known Medusa ransomware TTPs and IOCs, identified through FBI investigations as recently as February 2025.
---------------------------------------------
https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-071a
∗∗∗ Signal no longer cooperating with Ukraine on Russian cyberthreats, official says ∗∗∗
---------------------------------------------
The encrypted messaging app Signal has stopped responding to requests from Ukrainian law enforcement regarding Russian cyberthreats, a Ukrainian official claimed, warning that the shift is aiding Moscow’s intelligence efforts.
---------------------------------------------
https://therecord.media/signal-no-longer-cooperating-with-ukraine
∗∗∗ Abusing with style: Leveraging cascading style sheets for evasion and tracking ∗∗∗
---------------------------------------------
Cascading Style Sheets (CSS) are ever present in modern day web browsing; however, that is far from their only use. This blog will detail the ways adversaries use CSS in email campaigns for evasion and tracking.
---------------------------------------------
https://blog.talosintelligence.com/css-abuse-for-evasion-and-tracking/
∗∗∗ Statement on CISA's Red Team ∗∗∗
---------------------------------------------
CISA’s Red Team is among the best in the world and remains laser focused on helping our federal and critical infrastructure partners identify and mitigate their most significant vulnerabilities and weaknesses. This has not changed.
---------------------------------------------
https://www.cisa.gov/news-events/news/statement-cisas-red-team
∗∗∗ PCI DSS FAQ SAQ WTF BBQ... ∗∗∗
---------------------------------------------
I was trying to come up with a sensible title for this blog post, but I feel this one mirrors the thoughts and feelings of many of us about recent events in the PCI DSS compliance space! There have been some significant changes in ..
---------------------------------------------
https://scotthelme.ghost.io/pci-dss-faq-saq-wtf-bbq/
∗∗∗ Sign in as anyone: Bypassing SAML SSO authentication with parser differentials ∗∗∗
---------------------------------------------
Critical authentication bypass vulnerabilities (CVE-2025-25291 + CVE-2025-25292) were discovered in ruby-saml up to version 1.17.0. In this blog post, we'll shed light on how these vulnerabilities that rely on a parser differential were uncovered.
---------------------------------------------
https://github.blog/security/sign-in-as-anyone-bypassing-saml-sso-authentic…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium), Fedora (ffmpeg, qt6-qtwebengine, tigervnc, and xorg-x11-server-Xwayland), Red Hat (fence-agents and libxml2), SUSE (amazon-ssm-agent, ark, chromium, fake-gcs-server, gerbera, google-guest-agent, google-osconfig-agent, grafana, kernel, libtinyxml2-10, podman, python311, python312, restic, ruby3.4-rubygem-rack, and thunderbird), and Ubuntu (jinja2, linux-azure, linux-azure-4.15, linux-lts-xenial, linux-nvidia, linux-nvidia-6.8, ..
---------------------------------------------
https://lwn.net/Articles/1014042/
∗∗∗ ZDI-25-129: PDF-XChange Editor RTF File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2025-2231.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-129/
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 11-03-2025 18:00 − Wednesday 12-03-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ iPhone users attacked: Actively exploited WebKit vulnerability endangers Apple devices ∗∗∗
---------------------------------------------
Through the vulnerability, attackers can break out of WebKit's web content sandbox. Apple is distributing emergency updates for iOS, macOS and Safari.
---------------------------------------------
https://www.golem.de/news/iphone-nutzer-attackiert-aktiv-ausgenutzte-webkit…
∗∗∗ Scans for VMWare Hybrid Cloud Extension (HCX) API (Log4j - not brute forcing), (Wed, Mar 12th) ∗∗∗
---------------------------------------------
Today, I noticed increased scans for the VMWare Hybrid Cloud Extension (HCX) "sessions" endpoint. These endpoints are sometimes associated with exploit attempts for various VMWare ..
---------------------------------------------
https://isc.sans.edu/diary/Scans+for+VMWare+Hybrid+Cloud+Extension+HCX+API+…
∗∗∗ Inconsistent cybersecurity standards: Municipalities without a clear strategy ∗∗∗
---------------------------------------------
Currently there are still many shortcomings in the IT security of municipalities. A study sheds light on the deficits and possible measures.
---------------------------------------------
https://www.heise.de/news/Uneinheitliche-Cybersicherheitsstandards-Kommunen…
∗∗∗ Microsoft Patch Tuesday: 5 critical Windows vulnerabilities, 6 others already exploited ∗∗∗
---------------------------------------------
For the March 2025 Patch Tuesday, Microsoft is publishing fixes for a total of 57 CVE entries. They affect Windows, Office, Visual Studio, Azure and more.
---------------------------------------------
https://www.heise.de/news/Microsoft-Patchday-5-kritische-Windows-Luecken-6-…
∗∗∗ Take control of Cache-Control and local caching ∗∗∗
---------------------------------------------
TL;DR: Caching speeds up website content delivery; what caching directives are and how to use them; the No-cache directive does not prevent caching; the No-store directive prevents caching ..
---------------------------------------------
https://www.pentestpartners.com/security-blog/take-control-of-cache-control…
∗∗∗ Phishing trap: There is no threat of permanent deactivation of your GMX account! ∗∗∗
---------------------------------------------
"False e-mails" are supposedly being sent from your e-mail address? If you do not respond within 24 hours, your GMX account will be permanently deactivated? Don't worry, none of this is true and nothing will happen. Rather, you have received a phishing e-mail that you can ignore and should delete immediately.
---------------------------------------------
https://www.watchlist-internet.at/news/phishing-deaktivierung-gmx/
∗∗∗ Something urgent to do for the boss? Beware, phishing! ∗∗∗
---------------------------------------------
Criminals send fraudulent e-mails in which they pose as superiors. You are asked to complete an urgent task and to reply to the e-mail. We advise caution: a reply can cause great damage! Ignore the message and inform the IT department.
---------------------------------------------
https://www.watchlist-internet.at/news/phishing-unternehmen/
∗∗∗ Ghost in the Router: China-Nexus Espionage Actor UNC3886 Targets Juniper Routers ∗∗∗
---------------------------------------------
In mid 2024, Mandiant discovered threat actors deployed custom backdoors on Juniper Networks’ Junos OS routers. Mandiant attributed these backdoors to the China-nexus espionage group, UNC3886. Mandiant uncovered several TINYSHELL-based backdoors operating on Juniper Networks’ Junos OS routers. The backdoors had varying ..
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-espion…
=====================
= Vulnerabilities =
=====================
∗∗∗ iOS 18.3.2 and iPadOS 18.3.2 ∗∗∗
---------------------------------------------
/en-us/122281
∗∗∗ macOS Sequoia 15.3.2 ∗∗∗
---------------------------------------------
/en-us/122283
∗∗∗ visionOS 2.3.2 ∗∗∗
---------------------------------------------
/en-us/122284
∗∗∗ Safari 18.3.1 ∗∗∗
---------------------------------------------
/en-us/122285
∗∗∗ 2025-03 Out-of-Cycle Security Bulletin: Junos OS: A local attacker with shell access can execute arbitrary code (CVE-2025-21590) ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2025-03-Out-of-Cycle-Security-B…
=====================
= End-of-Day report =
=====================
Timeframe: Monday 10-03-2025 18:00 − Tuesday 11-03-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ MassJacker malware uses 778,000 wallets to steal cryptocurrency ∗∗∗
---------------------------------------------
A newly discovered clipboard hijacking operation dubbed MassJacker uses at least 778,531 cryptocurrency wallet addresses to steal digital assets from compromised computers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/massjacker-malware-uses-778-…
∗∗∗ Google leaves customers in the lurch: Expired SSL certificates render Chromecast unusable ∗∗∗
---------------------------------------------
Owners of older Chromecast models have been waiting for two days for help from Google. When the bug will be fixed is uncertain.
---------------------------------------------
https://www.golem.de/news/google-laesst-kunden-im-stich-abgelaufene-ssl-zer…
∗∗∗ DCRat backdoor returns ∗∗∗
---------------------------------------------
Kaspersky experts describe a new wave of attacks distributing the DCRat backdoor through YouTube under the guise of game cheats.
---------------------------------------------
https://securelist.com/new-wave-of-attacks-with-dcrat-backdoor-distributed-…
∗∗∗ New XCSSET malware adds new obfuscation, persistence techniques to infect Xcode projects ∗∗∗
---------------------------------------------
Microsoft Threat Intelligence has uncovered a new variant of XCSSET, a sophisticated modular macOS malware that infects Xcode projects, in the wild. Its first known variant since 2022, this latest XCSSET malware features enhanced obfuscation methods, updated persistence mechanisms, and new infection strategies. These enhanced features help this malware ..
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2025/03/11/new-xcsset-malware…
∗∗∗ What Really Happened With the DDoS Attacks That Took Down X ∗∗∗
---------------------------------------------
Elon Musk said a “massive cyberattack” disrupted X on Monday and pointed to “IP addresses originating in the Ukraine area” as the source of the attack. Security experts say that's not how it works.
---------------------------------------------
https://www.wired.com/story/x-ddos-attack-march-2025/
∗∗∗ North Korean IT Workers Linked to 2,400 Astrill VPN IP Addresses ∗∗∗
---------------------------------------------
New data has emerged linking over 2,400 IP addresses associated with Astrill VPN to individuals believed to be North Korean IT worker
---------------------------------------------
https://gbhackers.com/north-korean-workers-linked-astrill-vpn-ip-addresses/
∗∗∗ Espionage: Russia and China show interest in Austria's IT sector ∗∗∗
---------------------------------------------
The Directorate of State Protection and Intelligence (Direktion Staatsschutz und Nachrichtendienst) sees Russia as a "relevant risk actor". A high number of unreported incidents is suspected.
---------------------------------------------
https://www.derstandard.at/story/3000000260788/spionage-russland-und-china-…
∗∗∗ Report URI: Launching Policy Watch and other improvements! ∗∗∗
---------------------------------------------
As we continue to expand and improve our offering, one particular area of focus over recent months has been on PCI DSS Compliance. Whilst compliance might not be the first thing that many get excited about, the recent requirements introduced by the PCI SSC required some pretty solid ..
---------------------------------------------
https://scotthelme.ghost.io/report-uri-launching-policy-watch-and-other-imp…
∗∗∗ In-Depth Technical Analysis of the Bybit Hack ∗∗∗
---------------------------------------------
On 21st February 2025, Bybit suffered the largest cryptocurrency theft ever recorded, with more than $1.4 billion in assets, including 401,347 ETH, drained from its cold wallet. The attack compromised the transaction approval process by altering what Bybit’s signers saw when approving a cold wallet transaction, causing them to unknowingly authorize a transaction that resulted in a loss of funds.
---------------------------------------------
https://www.nccgroup.com/us/research-blog/in-depth-technical-analysis-of-th…
∗∗∗ Beyond the Hook: A Technical Deep Dive into Modern Phishing Methodologies ∗∗∗
---------------------------------------------
In 2025, phishing is still the most prevalent kind of cyber attack on the planet. Indeed, 1.2% of the global email traffic is phishing. That's 3.4 billion emails each day, but only a low number results in a compromise since "only" 3% of employees would click on a malicious link. However, when they do, it can be disastrous for their company. 91% of ..
---------------------------------------------
http://blog.quarkslab.com/technical-dive-into-modern-phishing.html
∗∗∗ Reversing Samsungs H-Arx Hypervisor Framework - Part 1 ∗∗∗
---------------------------------------------
In many ways, mobile devices lead the security industry when it comes to defense-in-depth and mitigation. Over the years, it has been proven time and again that the kernel cannot be trusted to be secure. As such, there has been effort put into moving secrets (i.e. encryption keys) and other sensitive data out of the kernel and gating it behind an API at higher levels in the chain of trust, whether it be the hypervisor or secure enclaves. In any case, the kernel must have a lot of control ..
---------------------------------------------
https://dayzerosec.com/blog/2025/03/08/reversing-samsungs-h-arx-hypervisor-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Cross Site Request Forgery in admin endpoint ∗∗∗
---------------------------------------------
A cross site request forgery vulnerability [CWE-352] in FortiNDR may allow a remote unauthenticated attacker to execute unauthorized actions via crafted HTTP GET requests.
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-23-353
∗∗∗ Exposure of Sensitive Information to an Unauthorized Actor ∗∗∗
---------------------------------------------
An exposure of sensitive information to an unauthorized actor vulnerability [CWE-200] in FortiSIEM may allow a remote unauthenticated attacker who acquired knowledge of the agent's authorization header by other means to read the database password via crafted API requests.
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-23-117
∗∗∗ OS command injection in CLI command ∗∗∗
---------------------------------------------
Multiple improper neutralization of special elements used in an OS command (OS Command Injection) vulnerabilities [CWE-78] in FortiManager CLI may allow a privileged attacker to execute unauthorized code or commands via crafted CLI requests.
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-24-124
∗∗∗ Use of hardcoded key used for remote backup server password encryption ∗∗∗
---------------------------------------------
A Use of Hard-coded Cryptographic Key vulnerability [CWE-321] in FortiSandbox may allow a privileged attacker with super-admin profile and CLI access to read sensitive data via CLI.
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-24-327
∗∗∗ XSS flaw in Fortiview/SecurityLogs pages ∗∗∗
---------------------------------------------
An improper neutralization of input during web page generation (Cross-site Scripting) vulnerability [CWE-79] in FortiADC GUI may allow an authenticated attacker to perform an XSS attack via crafted HTTP or HTTPS requests.
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-23-216
∗∗∗ [20250301] - Core - Malicious file uploads via Media Manager ∗∗∗
---------------------------------------------
https://developer.joomla.org:443/security-centre/961-20250301-core-maliciou…
∗∗∗ March Security Update ∗∗∗
---------------------------------------------
https://www.ivanti.com/blog/march-security-update
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 07-03-2025 18:00 − Montag 10-03-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ FTC will send $25.5 million to victims of tech support scams ∗∗∗
---------------------------------------------
Later this week, the Federal Trade Commission (FTC) will start distributing over $25.5 million in refunds to those misled by the scare tactics of tech support companies Restoro and Reimage.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ftc-will-send-255-million-to…
∗∗∗ Data protection: Police officer looks up women's data and must pay a fine ∗∗∗
---------------------------------------------
The police officer kept a personal attractiveness scale and queried the personal data of women who scored above certain values.
---------------------------------------------
https://www.golem.de/news/datenschutz-polizist-ruft-daten-von-frauen-ab-und…
∗∗∗ SideWinder targets the maritime and nuclear sectors with an updated toolset ∗∗∗
---------------------------------------------
In this article, we discuss the tools and TTPs used in the SideWinder APT's attacks in H2 2024, as well as shifts in its targets, such as an increase in attacks against the maritime and logistics sectors.
---------------------------------------------
https://securelist.com/sidewinder-apt-updates-its-toolset-and-targets-nucle…
∗∗∗ The Russia-Ukraine Cyber War Part 4: Development in Group Attributions for Russian State Actors ∗∗∗
---------------------------------------------
This is the final installment of Trustwave SpiderLabs' Russia-Ukraine digital battlefield series, which has spanned topics including the differences between Russia and Ukraine cyber actors, how government entities, defense organizations, and human targets were caught in the cyber crossfire, and how both countries targeted the telecommunications, critical ..
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/russian-sta…
∗∗∗ Rhysida pwns two US healthcare orgs, extracts over 300K patients' data ∗∗∗
---------------------------------------------
Terabytes of sensitive info remain available for download. Break-ins to systems hosting the data of two US healthcare organizations led to thieves making off with the personal and medical data of more than 300,000 patients.
---------------------------------------------
https://www.theregister.com/2025/03/10/rhysida_healthcare/
∗∗∗ Strings Attached: Talking about Russia's agenda for laws in cyberspace ∗∗∗
---------------------------------------------
Russia's longstanding proposals for "information security" agreements may sound cooperative, but they conceal a Trojan horse - a push to legitimize censorship, silence dissent, and bind others to rules it won’t follow.
---------------------------------------------
https://bytesandborscht.com/strings-attached-talking-about-russias-agenda-f…
∗∗∗ Largest theft in history: Bybit used freeware and became a victim as a result ∗∗∗
---------------------------------------------
Insecure freeware enabled the attackers to carry out the billion-dollar theft at Bybit. The problems had been known for a long time.
---------------------------------------------
https://www.heise.de/news/Groesster-Diebstahl-der-Geschichte-Bybit-nutzte-F…
∗∗∗ Feds Link $150M Cyberheist to 2022 LastPass Hacks ∗∗∗
---------------------------------------------
In September 2023, KrebsOnSecurity published findings from security researchers who concluded that a series of six-figure cyberheists across dozens of victims resulted from thieves cracking master passwords stolen from the password manager service LastPass in 2022. In a court filing this week, U.S. federal agents investigating a spectacular $150 million cryptocurrency heist said they had reached the same conclusion.
---------------------------------------------
https://krebsonsecurity.com/2025/03/feds-link-150m-cyberheist-to-2022-lastp…
∗∗∗ Vulnerability Reward Program: 2024 in Review ∗∗∗
---------------------------------------------
In 2024, our Vulnerability Reward Program confirmed the ongoing value of engaging with the security research community to make Google and its products safer. This was evident as we awarded just shy of $12 million to over 600 researchers based in countries around the globe across all of our programs. Vulnerability Reward ..
---------------------------------------------
http://security.googleblog.com/2025/03/vulnerability-reward-program-2024-in…
∗∗∗ WordPress Security Research Series: WordPress Security Architecture ∗∗∗
---------------------------------------------
Learn how WordPress security works from the inside out. A guide for vulnerability researchers on identifying flaws in WordPress core, plugins, and themes.
---------------------------------------------
https://www.wordfence.com/blog/2025/03/wordpress-security-research-series-w…
∗∗∗ Scam spoofs Binance website and uses TRUMP coin as lure for malware ∗∗∗
---------------------------------------------
Researchers at phishing defense company Cofense say hackers are spreading a malicious remote access tool through a fake Binance page that offers access to the TRUMP coin.
---------------------------------------------
https://therecord.media/email-scam-spoofs-binance-offers-trump-coin-connect…
∗∗∗ Navigating AI 🤝 Fighting Skynet ∗∗∗
---------------------------------------------
Using AI can be a great tool for adversarial engineering. This was just a bit of fun to see if it was possible to do and to learn more about automation, but also proving you cannot trust git commit history nor can you trust dates of commits!
---------------------------------------------
https://blog.zsec.uk/navigating-ai-fighting-skynet/
∗∗∗ No, there isn’t a world ending Apache Camel vulnerability ∗∗∗
---------------------------------------------
Posts have been circulating publicly on the internet for several days about a “critical”, end of the world “zero day” in Apache Camel, CVE-2025-27636. Many of the posts explained in specific detail about how to exploit the vulnerability ..
---------------------------------------------
https://doublepulsar.com/no-there-isnt-a-world-ending-apache-camel-vulnerab…
∗∗∗ GreyNoise Detects Mass Exploitation of Critical PHP-CGI Vulnerability (CVE-2024-4577), Signaling Broad Campaign ∗∗∗
---------------------------------------------
GreyNoise data confirms that exploitation of CVE-2024-4577 extends far beyond initial reports. Attack attempts have been observed across multiple regions, with notable spikes in the United States, Singapore, Japan, and other countries throughout January 2025.
---------------------------------------------
https://www.greynoise.io/blog/mass-exploitation-critical-php-cgi-vulnerabil…
∗∗∗ How to distrust a CA without any certificate errors ∗∗∗
---------------------------------------------
A “distrust” is when a certification authority (CA) that issues HTTPS certificates to websites is removed from a root store because it is no longer trusted to issue certificates. This means certificates issued by that CA will be treated as invalid, likely causing certificate error interstitials in any browser that distrusted the ..
---------------------------------------------
https://dadrian.io/blog/posts/sct-not-after/
∗∗∗ Exploiting Neverwinter Nights ∗∗∗
---------------------------------------------
Back in 2024, we looked for vulnerabilities in Neverwinter Nights : Enhanced Edition as a side research project. We found and reported multiple vulnerabilities to the publisher Beamdog. In this article we will detail how we can chain two vulnerabilities to obtain a remote code execution in multiplayer mode.
---------------------------------------------
https://www.synacktiv.com/en/publications/exploiting-neverwinter-nights.html
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 06-03-2025 18:00 − Freitag 07-03-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Cybercrime crew stole $635,000 in Taylor Swift concert tickets ∗∗∗
---------------------------------------------
New York prosecutors say that two people working at a third-party contractor for the StubHub online ticket marketplace made $635,000 after stealing almost 1,000 concert tickets and reselling them online.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cybercrime-crew-stole-635-00…
∗∗∗ Microsoft says malvertising campaign impacted 1 million PCs ∗∗∗
---------------------------------------------
Microsoft has taken down an undisclosed number of GitHub repositories used in a massive malvertising campaign that impacted almost one million devices worldwide.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/microsoft-says-malvertising-…
∗∗∗ Cyberattack analyzed: Hackers encrypt company data via a webcam ∗∗∗
---------------------------------------------
An EDR tool successfully thwarted encryption attempts by the Akira ransomware group. But then the attackers found a loophole.
---------------------------------------------
https://www.golem.de/news/cyberangriff-analysiert-hacker-verschluesseln-unt…
∗∗∗ A Deep Dive into Strela Stealer and how it Targets European Countries ∗∗∗
---------------------------------------------
Infostealers have dominated the malware landscape due to the ease of maintaining threat operations and a wide group of potential victims. In this blog, we take a closer look at a unique infostealer designed to precisely target a narrow data set on systems located in chosen geographic locations.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/a-deep-dive…
∗∗∗ Russian State Actors: Development in Group Attributions ∗∗∗
---------------------------------------------
This is the final installment of Trustwave SpiderLabs' Russia-Ukraine digital battlefield series, which has spanned topics including the differences between Russia and Ukraine cyber actors, how government entities, defense organizations, and human targets were caught in the cyber crossfire, and how both countries targeted the telecommunications, critical ..
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/russian-sta…
∗∗∗ A Brand New Botnet Is Delivering Record-Size DDoS Attacks ∗∗∗
---------------------------------------------
Eleven11bot infects webcams and video recorders, with a large concentration in the US.
---------------------------------------------
https://www.wired.com/story/eleven11bot-botnet-record-size-ddos-attacks/
∗∗∗ Akira ransomware slips past IT security solution via webcam ∗∗∗
---------------------------------------------
The company network is in fact protected by security software, which does raise an alarm. Nevertheless, a trojan was able to infect PCs via a detour.
---------------------------------------------
https://www.heise.de/news/Akira-Ransomware-schluepft-ueber-Webcam-an-IT-Sch…
∗∗∗ Who is the DOGE and X Technician Branden Spikes? ∗∗∗
---------------------------------------------
At 49, Branden Spikes isn't just one of the oldest technologists who has been involved in Elon Musk's Department of Government Efficiency (DOGE). As the current director of information technology at X/Twitter and an early hire at PayPal, Zip2, Tesla and SpaceX, Spikes is also among Musk's most loyal employees. Here's a closer look at this trusted Musk lieutenant, whose Russian ex-wife was once married to Elon's cousin.
---------------------------------------------
https://krebsonsecurity.com/2025/03/who-is-the-doge-and-x-technician-brande…
∗∗∗ Multiple Vulnerabilities Discovered in a SCADA System ∗∗∗
---------------------------------------------
We identified multiple vulnerabilities in ICONICS Suite, SCADA software used in numerous OT applications. This article offers a technical analysis of our findings.
---------------------------------------------
https://unit42.paloaltonetworks.com/vulnerabilities-in-iconics-software-sui…
∗∗∗ Russian crypto exchange Garantex’s website taken down in apparent law enforcement operation ∗∗∗
---------------------------------------------
Russian cryptocurrency exchange Garantex was taken down in an apparent seizure by U.S. and European law enforcement Thursday, shortly after the company said $28 million had been frozen by another cryptocurrency firm.
---------------------------------------------
https://therecord.media/garantex-crypto-exchange-taken-down-law-enforcement…
∗∗∗ CISA, FBI warn of BianLian mail scam targeting executives with $500k ransom note ∗∗∗
---------------------------------------------
In an alert on Thursday, the FBI said scammers are mailing letters to corporate executives claiming that they stole sensitive data and will publish it unless a demand is paid in Bitcoin.
---------------------------------------------
https://therecord.media/cisa-fbi-warn-bianlian-mail-scam-extortion
∗∗∗ Canadian intelligence agency warns of threat AI poses to upcoming elections ∗∗∗
---------------------------------------------
Influence and espionage campaigns, boosted by AI, are likely to be aimed at Canada's upcoming elections, says a new report from the CSE, the country's signals and cyber intelligence agency.
---------------------------------------------
https://therecord.media/canada-cyber-agency-elections-warning-ai-
∗∗∗ NixSpam RBL shut down as of 7.3.2025 – causing trouble – but now resolved ∗∗∗
---------------------------------------------
Brief information for blog readers who rely on "NixSpam RBL" for mail filtering. The service operated by the heise publishing house has been shut down as of today, 7 March 2025, which is causing some people problems ..
---------------------------------------------
https://www.borncity.com/blog/2025/03/07/nixspam-rbl-ab-7-3-2025-abgeschalt…
∗∗∗ New edu platform and Sanitization and Validation and Escaping, Oh My! article ∗∗∗
---------------------------------------------
With the beta launch of my company's educational platform (hackArcana), I finally have a place to write more about the fundamentals of security and post more educational content. The first piece I've written for our new platform touches on the confusion around the terms "validation," "sanitization," "encoding," "escaping," ..
---------------------------------------------
https://gynvael.coldwind.pl/?id=800
∗∗∗ Microsoft Dismantles Malvertising Scam Using GitHub, Discord, Dropbox ∗∗∗
---------------------------------------------
Microsoft Threat Intelligence exposes a malvertising campaign exploiting GitHub, Discord, and Dropbox. Discover the multi-stage attack chain, ..
---------------------------------------------
https://hackread.com/microsoft-dismantle-malvertising-github-discord-dropbo…
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 05-03-2025 18:00 − Donnerstag 06-03-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Alexander Riepl
=====================
= News =
=====================
∗∗∗ Massive botnet that appeared overnight is delivering record-size DDoSes ∗∗∗
---------------------------------------------
Eleven11bot infects video recorders, with the largest concentration of them in the US.
---------------------------------------------
https://arstechnica.com/security/2025/03/massive-botnet-that-appeared-overn…
∗∗∗ Malicious Chrome extensions can spoof password managers in new attack ∗∗∗
---------------------------------------------
A newly devised "polymorphic" attack allows malicious Chrome extensions to morph into other browser extensions, including password managers, crypto wallets, and banking apps, to steal sensitive information.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/malicious-chrome-extensions-…
∗∗∗ Trojans disguised as AI: Cybercriminals exploit DeepSeek’s popularity ∗∗∗
---------------------------------------------
Kaspersky experts have discovered campaigns distributing stealers, malicious PowerShell scripts, and backdoors through web pages mimicking the DeepSeek and Grok websites.
---------------------------------------------
https://securelist.com/backdoors-and-stealers-prey-on-deepseek-and-grok/115…
∗∗∗ PayPal password changed? Attention: phishing alert! ∗∗∗
---------------------------------------------
Phishing emails purporting to come from PayPal are currently making the rounds. They claim that the victim's password has been changed. To undo this change, one supposedly only has to click on a link and enter a few personal details. Behind this request, however, are criminals who are after personal information and banking data.
---------------------------------------------
https://www.watchlist-internet.at/news/paypal-passwort-phishing/
∗∗∗ Decrypting the Forest From the Trees ∗∗∗
---------------------------------------------
SCCM forest discovery accounts can be decrypted including accounts used for managing untrusted forests. If the site server is a managed client, service account credentials can be decrypted via the Administration Service API.
---------------------------------------------
https://posts.specterops.io/decrypting-the-forest-from-the-trees-661694ed16…
∗∗∗ Medusa Ransomware Activity Continues to Increase ∗∗∗
---------------------------------------------
Medusa ransomware attacks jumped by 42% between 2023 and 2024. This increase in activity continues to escalate, with almost twice as many Medusa attacks observed in January and February 2025 as in the first two months of 2024.
---------------------------------------------
https://www.security.com/threat-intelligence/medusa-ransomware-attacks
∗∗∗ Unveiling EncryptHub: Analysis of a multi-stage malware campaign ∗∗∗
---------------------------------------------
EncryptHub, a rising cybercriminal entity, has recently caught the attention of multiple threat intelligence teams, including our own (Outpost24’s KrakenLabs). While other reports have begun to shed light on this actor’s operations, our investigation goes a step further, uncovering previously unseen aspects of their infrastructure, tooling, and behavioral patterns.
---------------------------------------------
https://outpost24.com/blog/unveiling-encrypthub-multi-stage-malware/
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr), Fedora (firefox and vim), Red Hat (firefox), Slackware (mozilla), SUSE (firefox, firefox-esr, kernel, and podman), and Ubuntu (gpac, kernel, linux, linux-aws, linux-gcp, linux-gcp-5.15, linux-gke, linux-hwe-5.15, and redis).
---------------------------------------------
https://lwn.net/Articles/1013209/
∗∗∗ Security update: Critical malicious-code vulnerability threatens Kibana ∗∗∗
---------------------------------------------
As the developers explain in a security advisory, versions >= 8.15.0 and < 8.17.1 can only be attacked if attackers have Viewer role privileges. [..] With a CVSS 3.1 score of 9.9 out of 10, the vulnerability narrowly misses the maximum rating. (CVE-2025-25012)
---------------------------------------------
https://heise.de/-10306066
∗∗∗ ABB Cylon Aspect 3.08.01 (caldavUpload.php) Funkalicious Exploit ∗∗∗
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5926.php
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 04-03-2025 18:00 − Mittwoch 05-03-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Alexander Riepl
=====================
= News =
=====================
∗∗∗ Text-based QR code phishing in circulation ∗∗∗
---------------------------------------------
We reported on this new approach in our newsletters in 2024; now we are also receiving direct reports of "imageless" QR code phishes. In brief: the QR code is not transmitted as an image file, as is usually the case, but is assembled from individual ASCII/Unicode block characters. As a result, the content contained in the QR code can remain hidden from security solutions while still being functional for optical QR code scanners.
---------------------------------------------
https://www.cert.at/de/aktuelles/2025/3/text-basiertes-qr-code-phishing-im-…
∗∗∗ Use one Virtual Machine to own them all — active exploitation of ESXicape ∗∗∗
---------------------------------------------
Yesterday, VMware quietly released patches for three ESXi zero day vulnerabilities: CVE-2025-22224, CVE-2025-22225, CVE-2025-22226. Although the advisory doesn’t explicitly say it, this is a hypervisor escape (aka a VM Escape). A threat actor with access to run code on a virtual machine can chain the three vulnerabilities to elevate access to the ESX hypervisor.
---------------------------------------------
https://doublepulsar.com/use-one-virtual-machine-to-own-them-all-active-exp…
∗∗∗ BadBox malware disrupted on 500K infected Android devices ∗∗∗
---------------------------------------------
The BadBox Android malware botnet has been disrupted again by removing 24 malicious apps from Google Play and sinkholing communications for half a million infected devices. [..] The BadBox botnet is a cyber-fraud operation targeting primarily low-cost Android-based devices like TV streaming boxes, tablets, smart TVs, and smartphones. These devices either come pre-loaded with the BadBox malware from the manufacturer or are infected by malicious apps or firmware downloads.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/badbox-malware-disrupted-on-…
∗∗∗ Undercover miner: how YouTubers get pressed into distributing SilentCryptoMiner as a restriction bypass tool ∗∗∗
---------------------------------------------
Attackers blackmail YouTubers with complaints and account blocking threats, forcing them to distribute a miner disguised as a bypass tool.
---------------------------------------------
https://securelist.com/silentcryptominer-spreads-through-blackmail-on-youtu…
∗∗∗ The Russia-Ukraine Cyber War Part 3: Attacks on Telecom and Critical Infrastructure ∗∗∗
---------------------------------------------
This post is the third part of our blog series that tackles the Russia-Ukraine war in the digital realm.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-russia-…
∗∗∗ BAMF: Bizarre test accounts enabled unauthorized data access ∗∗∗
---------------------------------------------
Screenshots of the web application reportedly showed that an account with the user ID "max.mustermann(a)testtraeger.de" apparently existed in the test and integration system. The domain was reportedly still unregistered.
---------------------------------------------
https://www.heise.de/news/BAMF-Skurrile-Testkonten-ermoeglichten-unautorisi…
∗∗∗ Beneath the Surface: Detecting and Blocking Hidden Malicious Traffic Distribution Systems ∗∗∗
---------------------------------------------
Adversaries widely abuse TDS infrastructure to build dynamic and resilient network infrastructure for malicious web services. These redirection networks enhance resilience against takedowns and enable scaling and cloaking of malicious content.
---------------------------------------------
https://unit42.paloaltonetworks.com/detect-block-malicious-traffic-distribu…
∗∗∗ CVE-2024-43639: Remote Code Execution in Microsoft Windows KDC Proxy ∗∗∗
---------------------------------------------
The following is a portion of their write-up covering CVE-2024-43639, with a few minimal modifications. [..] This vulnerability was patched by the vendor in November. To date, no attacks have been detected in the wild.
---------------------------------------------
https://www.thezdi.com/blog/2025/3/3/cve-2024-43639
∗∗∗ Scammers Mailing Ransom Letters While Posing as BianLian Ransomware ∗∗∗
---------------------------------------------
Scammers are impersonating BianLian ransomware, and mailing fake ransom letters to businesses.
---------------------------------------------
https://hackread.com/scammers-mailing-ransom-letters-bianlian-ransomware/
∗∗∗ LinkedIn Phishing Scam: Fake InMail Messages Spreading ConnectWise Trojan ∗∗∗
---------------------------------------------
Cybersecurity researchers at Cofense have recently uncovered a deceptive campaign that distributes malicious software using a spoofed LinkedIn email. [..] The fraudulent email is designed to mimic a notification for a LinkedIn InMail message, a feature that allows users to contact individuals outside of their immediate network. The email effectively leverages LinkedIn’s branding, convincingly creating legitimacy.
---------------------------------------------
https://hackread.com/scammers-fake-linkedin-inmail-deliver-connectwise-troj…
∗∗∗ GreyNoise Observes Exploitation of Three Newly Added KEV Vulnerabilities ∗∗∗
---------------------------------------------
On March 3, 2025, the Cybersecurity and Infrastructure Security Agency added five vulnerabilities to its Known Exploited Vulnerabilities catalog, confirming their exploitation in the wild. [..] CVE-2022-43939 (Authorization Bypass) & CVE-2022-43769 (Special Element Injection) Hitachi Vantara Pentaho BA Server [..] CVE-2024-4885 Progress WhatsUp Gold Path Traversal Vulnerability.
---------------------------------------------
https://www.greynoise.io/blog/greynoise-observes-exploitation-three-newly-a…
∗∗∗ GoStringUngarbler: Deobfuscating Strings in Garbled Binaries ∗∗∗
---------------------------------------------
In this blog post, we'll detail garble’s string transformations and the process of automatically deobfuscating them.
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/gostringungarbler-…
∗∗∗ Trigon: developing a deterministic kernel exploit for iOS ∗∗∗
---------------------------------------------
CVE-2023-32434 was an integer overflow in the VM subsystem of the XNU kernel. It was patched in iOS 16.5.1 after being found in-the-wild as part of the Operation Triangulation spyware chain, discovered after it was used to infect a group of security researchers at Kaspersky. These researchers then captured and reverse-engineered the entire chain, leading to the patching of a WebKit bug, a kernel bug, a userspace PAC bypass and a PPL (and, technically, a KTRR) bypass. [..] This writeup simply shows the steps involved in the final, working exploit. It does not, however, convey just how many failed ideas and attempts there were during the process.
---------------------------------------------
https://alfiecg.uk/2025/03/01/Trigon.html
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libreoffice), Fedora (exim and fscrypt), Red Hat (kernel), Slackware (mozilla), SUSE (docker, firefox, and podman), and Ubuntu (linux, linux-lowlatency, linux-lowlatency-hwe-5.15, linux, linux-lowlatency, linux-lowlatency-hwe-6.8, linux, linux-oem-6.11, linux-aws, linux-aws-6.8, linux-oracle, linux-oracle-6.8, linux-raspi, linux-aws, linux-gcp, linux-hwe-6.11, linux-oracle, linux-raspi, linux-realtime, linux-aws, linux-gkeop, linux-ibm, linux-intel-iotg, linux-intel-iotg-5.15, linux-oracle, linux-oracle-5.15, linux-raspi, and linux-gcp, linux-gcp-6.8, linux-gke, linux-gkeop).
---------------------------------------------
https://lwn.net/Articles/1013063/
∗∗∗ Cisco Secure Client for Windows with Secure Firewall Posture Engine DLL Hijacking Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco TelePresence Management Suite Cross-Site Scripting Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Security Vulnerabilities fixed in Thunderbird ESR 128.8 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2025-18/
∗∗∗ Security Vulnerabilities fixed in Thunderbird 136 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2025-17/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 03-03-2025 18:00 − Dienstag 04-03-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Polish Space Agency offline as it recovers from cyberattack ∗∗∗
---------------------------------------------
The Polish Space Agency (POLSA) has been offline since it disconnected its systems from the Internet over the weekend to contain a breach of its IT infrastructure.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/polish-space-agency-offline-…
∗∗∗ Booking a Threat: Inside LummaStealer's Fake reCAPTCHA ∗∗∗
---------------------------------------------
Cybercriminals are taking advantage of the increased demand in travel by setting up fake booking sites, phishing scams and fraudulent listings to trick unsuspecting travelers.
---------------------------------------------
https://www.gdatasoftware.com/blog/2025/03/38154-lummastealer-fake-recaptcha
∗∗∗ AI training data: Thousands of valid API keys discovered in crawled web data ∗∗∗
---------------------------------------------
While analysing a freely available archive of around 400 TB of website data, researchers found almost 12,000 valid API keys and passwords.
---------------------------------------------
https://www.golem.de/news/ki-trainingsdaten-tausende-gueltiger-api-keys-in-…
∗∗∗ Critical vulnerability in VMware ESXi, Fusion and Workstation is being exploited ∗∗∗
---------------------------------------------
Broadcom warns of security flaws, some of them critical, in VMware ESXi, Fusion and Workstation. Attackers are already exploiting them.
---------------------------------------------
https://www.heise.de/news/Kritische-Luecke-in-VMware-ESXi-Fusion-und-Workst…
∗∗∗ DNSSEC NSEC. The accidental treasure map to your subdomains ∗∗∗
---------------------------------------------
TL;DR: DNSSEC secures DNS but may unintentionally expose domain structures via NSEC/NSEC3 records, enabling zone walking to enumerate subdomains. NSEC openly lists domain names, making enumeration easy. NSEC3 hashes ..
---------------------------------------------
https://www.pentestpartners.com/security-blog/dnssec-nsec-the-accidental-tr…
∗∗∗ MeinELBA access expiring soon? Beware, phishing attempt! ∗∗∗
---------------------------------------------
Criminals are currently once again sending large numbers of SMS messages warning that the recipient's MeinELBA access is about to expire. Anyone wishing to renew is supposedly required to click a link and enter their online banking details on a purported login page. This page is of course a fake, but a very well-made one! This article explains how to recognise it and what you can do if you have entered confidential information there.
---------------------------------------------
https://www.watchlist-internet.at/news/meinelba-zugang-phishing/
∗∗∗ A Revision of the EU Cybersecurity Blueprint ∗∗∗
---------------------------------------------
The original EU cybersecurity blueprint from 2017 (officially: “Commission Recommendation of 13.9.2017 on Coordinated Response to Large Scale Cybersecurity Incidents and Crises”) is now close to seven years old and an update is overdue. The Commission recently published a draft for an updated version, and I’d like to take this opportunity to ..
---------------------------------------------
https://www.cert.at/en/blog/2025/3/a-revision-of-the-eu-cybersecurity-bluep…
∗∗∗ Did Trump Admin Order U.S. Cyber Command and CISA to Stand Down on Russia? ∗∗∗
---------------------------------------------
Two blockbuster stories published on Friday that appear to confirm what many Americans suspected would occur under the Trump administration – that the new regime is going to be softer on Russia than previous administrations, particularly with regard to the threat that Russia poses in cyber space. Since publication, however, ..
---------------------------------------------
https://www.zetter-zeroday.com/did-trump-admin-order-u-s-cyber-command-and-…
∗∗∗ The Dangers of Exposed Secrets – and How to Prevent Them ∗∗∗
---------------------------------------------
Modern enterprise software relies on authentication tokens, API keys, encryption keys, certificates, and other sensitive credentials to enable secure communication between applications, microservices, APIs, and DevOps pipelines. However, these secrets often end up hardcoded in source code during the development process, whether unintentionally or as a shortcut for quick ..
---------------------------------------------
https://checkmarx.com/blog/exposed-secrets-and-how-to-prevent-them/
∗∗∗ Do not run any Cargo commands on untrusted projects ∗∗∗
---------------------------------------------
TL;DR: Treat anything starting with cargo as if it is cargo run.
---------------------------------------------
https://shnatsel.medium.com/do-not-run-any-cargo-commands-on-untrusted-proj…
∗∗∗ Hacking the Xbox 360 Hypervisor Part 2: The Bad Update Exploit ∗∗∗
---------------------------------------------
Welcome to part 2 of the Hacking the Xbox 360 Hypervisor blog series. In this part I’ll cover how I found and exploited bugs in the Xbox 360 hypervisor to get full code execution and create the “Bad Update” exploit. If you haven’t already, I highly recommend you read (or at least skim through) part 1 as this post will reference a lot of the material discussed there.
---------------------------------------------
https://icode4.coffee/?p=1081
=====================
= Vulnerabilities =
=====================
∗∗∗ Docusnap Inventory Files Encrypted with Static Key ∗∗∗
---------------------------------------------
Inventory files created by Docusnap, containing information like installed programs, firewall rules and local administrators, are encrypted with a static key. The decryption key can be obtained easily from the .NET application, downloadable from the vendor’s website. When following Docusnap’s installation instructions for Windows Domains, every domain user has read access to these files.
---------------------------------------------
https://www.redteam-pentesting.de/en/advisories/rt-sa-2024-012/
∗∗∗ Security Vulnerabilities fixed in Firefox ESR 128.8 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2025-16/
∗∗∗ Security Vulnerabilities fixed in Firefox ESR 115.21 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2025-15/
∗∗∗ Security Vulnerabilities fixed in Firefox 136 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2025-14/