Daily

daily@lists.cert.at

1 participants
3153 discussions

Tageszusammenfassung - 24.04.2025
by Daily end-of-shift report 24 Apr '25

24 Apr '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 23-04-2025 18:00 − Donnerstag 24-04-2025 18:00 Handler: Guenes Holler Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Linux io_uring security blindspot allows stealthy rootkit attacks ∗∗∗ --------------------------------------------- A significant security gap in Linux runtime security caused by the io_uring interface allows rootkits to operate undetected on systems while bypassing advanced Enterprise security software. --------------------------------------------- https://www.bleepingcomputer.com/news/security/linux-io-uring-security-blin… ∗∗∗ Darcula Adds GenAI to Phishing Toolkit, Lowering the Barrier for Cybercriminals ∗∗∗ --------------------------------------------- The threat actors behind the Darcula phishing-as-a-service (PhaaS) platform have released new updates to their cybercrime suite with generative artificial intelligence (GenAI) capabilities. "This addition lowers the technical barrier for creating phishing pages, enabling less tech-savvy criminals to deploy customized scams in minutes," Netcraft said in a new report shared with The Hacker News." --------------------------------------------- https://thehackernews.com/2025/04/darcula-adds-genai-to-phishing-toolkit.ht… ∗∗∗ Erlang/OTP SSH: Namhafte Hersteller von kritischer Lücke betroffen ∗∗∗ --------------------------------------------- Erlang/OTP SSH wird von vielen namhaften Herstellern mitgeliefert. Daher betrifft eine kritische Lücke auch Cisco und Ericsson. Zu den weiteren verwundbaren Anbietern gehört nach jetzigem Stand EMQ Technologies. Nicht standardmäßig installiert, aber optional verfügbar ist Erlang/OTP SSH bei National Instruments, Broadcom (insbesondere RabbitMQ), Very Technology, Apache (CouchDB) und Riak Technologies. Hier müssen Admins prüfen, ob sie Erlang/OTP SSH installiert haben und gegebenenfalls die verfügbaren Aktualisierungen installieren. --------------------------------------------- https://www.heise.de/news/Erlang-OTP-SSH-Namhafte-Hersteller-von-kritischer… ∗∗∗ 9X Surge in Ivanti Connect Secure Scanning Activity ∗∗∗ --------------------------------------------- GreyNoise observed a 9X spike in suspicious scanning activity targeting Ivanti Connect Secure or Ivanti Pulse Secure VPN systems. More than 230 unique IPs probed ICS/IPS endpoints. This surge may indicate coordinated reconnaissance and possible preparation for future exploitation. --------------------------------------------- https://www.greynoise.io/blog/surge-ivanti-connect-secure-scanning-activity ===================== = Vulnerabilities = ===================== ∗∗∗ Critical Commvault Command Center Flaw Enables Attackers to Execute Code Remotely ∗∗∗ --------------------------------------------- A critical security flaw has been disclosed in the Commvault Command Center that could allow arbitrary code execution on affected installations. The vulnerability, tracked as CVE-2025-34028, carries a CVSS score of 9.0 out of a maximum of 10.0. --------------------------------------------- https://thehackernews.com/2025/04/critical-commvault-command-center-flaw.ht… ∗∗∗ Drupal: Security advisories ∗∗∗ --------------------------------------------- Drupal has released new security advisories. --------------------------------------------- https://www.drupal.org/security ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (haproxy and openrazer), Fedora (c-ares and mingw-poppler), Red Hat (thunderbird), SUSE (epiphany, ffmpeg-6, gopass, and libsoup-3_0-0), and Ubuntu (erlang, haproxy, libapache2-mod-auth-openidc, libarchive, linux, linux-aws, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-gcp, linux-gke, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-intel-iotg, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-nvidia-tegra, linux-nvidia-tegra-igx, linux-oracle, linux-raspi, linux, linux-aws, linux-azure, linux-azure-6.8, linux-ibm, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-oem-6.8, linux-oracle, linux-oracle-6.8, linux-aws-6.8, linux-aws-fips, linux-fips, linux-gcp-fips, linux-azure-fips, linux-gcp, linux-gke, linux-gkeop, linux-gcp-6.8, linux-ibm-5.15, linux-intel-iot-realtime, linux-realtime, linux-intel-iotg-5.15, linux-realtime, perl, and yelp, yelp-xsl). --------------------------------------------- https://lwn.net/Articles/1018717/ ∗∗∗ ZDI-25-250: (0Day) Cloudera Hue Ace Editor Directory Traversal Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-250/ ∗∗∗ ZDI-25-249: (0Day) eCharge Hardy Barth cPH2 index.php Command Injection Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-249/ ∗∗∗ ZDI-25-248: (0Day) eCharge Hardy Barth cPH2 nwcheckexec.php dest Command Injection Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-248/ ∗∗∗ ZDI-25-247: (0Day) eCharge Hardy Barth cPH2 check_req.php ntp Command Injection Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-247/ ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (April 14, 2025 to April 20, 2025) ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2025/04/wordfence-intelligence-weekly-wordpr… ∗∗∗ ALBEDO Telecom Net.Time - PTP/NTP Clock ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-114-02 ∗∗∗ Sonicwall warnt vor DoS-Lücke in SSLVPN ∗∗∗ --------------------------------------------- https://heise.de/-10360960 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.04.2025
by Daily end-of-shift report 23 Apr '25

23 Apr '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 22-04-2025 18:00 − Mittwoch 23-04-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: Guenes Holler ===================== = News = ===================== ∗∗∗ Alternativen aus Europa: Wie man von US-Software unabhängig wird ∗∗∗ --------------------------------------------- Ein Wiener Softwareentwickler sammelt "European Alternatives" zu US-Digitalprodukten. Seit Trumps 2. Amtsantritt ist das Interesse stark gestiegen. --------------------------------------------- https://futurezone.at/netzpolitik/tech-alternativen-apps-europa-datenschutz… ∗∗∗ Kurz nach Offenlegung: ChatGPT und Claude liefern Exploit für kritische SSH-Lücke ∗∗∗ --------------------------------------------- In einem verbreiteten SSH-Tool klafft eine gefährliche Lücke. Nur Stunden nach Bekanntwerden erstellt ein Forscher mittels KI einen funktionierenden Exploit. --------------------------------------------- https://www.golem.de/news/kurz-nach-offenlegung-chatgpt-und-claude-liefern-… ∗∗∗ Android Spyware Disguised as Alpine Quest App Targets Russian Military Devices ∗∗∗ --------------------------------------------- Cybersecurity researchers have revealed that Russian military personnel are the target of a new malicious campaign that distributes Android spyware under the guise of the Alpine Quest mapping software. "The attackers hide this trojan inside modified Alpine Quest mapping software and distribute it in various ways, including through one of the Russian Android app catalogs," Doctor Web said in an analysis. --------------------------------------------- https://thehackernews.com/2025/04/android-spyware-disguised-as-alpine.html ∗∗∗ CVE-2025-3248: RCE vulnerability in Langflow ∗∗∗ --------------------------------------------- CVE-2025-3248, a critical remote code execution (RCE) vulnerability with a CVSS score of 9.8, has been discovered in Langflow, an open-source platform for visually composing AI-driven agents and workflows. [..] All Langflow versions prior to 1.3.0 are susceptible to code injection. [..] Exploiting CVE-2025-3248 involves the following steps: --------------------------------------------- https://www.zscaler.com/blogs/security-research/cve-2025-3248-rce-vulnerabi… ∗∗∗ Die Urlaubsplanung steht an? Vorsicht vor Betrug mit Fake-Buchungsportalen! ∗∗∗ --------------------------------------------- Wo soll es im Sommerurlaub hingehen? Wie wäre es mit einer Miet-Finca auf den Kanaren? Dann ist bei der Buchung Vorsicht angebracht! Kriminelle erstellen Fake-Portale und bieten dort vermeintlich reale Luxus-Mietobjekte an. Wer sich auf den Deal einlässt und den gewünschten Betrag überweist, ist in die Falle getappt. Die Unterkunft existiert nicht, das Geld ist weg. --------------------------------------------- https://www.watchlist-internet.at/news/villen-fincas-fake-buchungsportal/ ∗∗∗ Phishing for Codes: Russian Threat Actors Target Microsoft 365 OAuth Workflows ∗∗∗ --------------------------------------------- Since early March 2025, Volexity has observed multiple Russian threat actors aggressively targeting individuals and organizations with ties to Ukraine and human rights. These recent attacks use a new technique aimed at abusing legitimate Microsoft OAuth 2.0 Authentication workflows. The attackers are impersonating officials from various European nations, and in one instance leveraged a compromised Ukrainian Government account. --------------------------------------------- https://www.volexity.com/blog/2025/04/22/phishing-for-codes-russian-threat-… ∗∗∗ Distribution of PebbleDash Malware in March 2025 ∗∗∗ --------------------------------------------- PebbleDash is a backdoor malware that was previously identified by the Cybersecurity and Infrastructure Security Agency (CISA) in the U.S. as a backdoor malware of Lazarus (Hidden Corba) in 2020. --------------------------------------------- https://asec.ahnlab.com/en/87621/ ∗∗∗ Introducing ToyMaker, an Initial Access Broker working in cahoots with double extortion gangs ∗∗∗ --------------------------------------------- Cisco Talos discovered a sophisticated attack on critical infrastructure by ToyMaker and Cactus, using the LAGTOY backdoor to orchestrate a relentless double extortion scheme. --------------------------------------------- https://blog.talosintelligence.com/introducing-toymaker-an-initial-access-b… ===================== = Vulnerabilities = ===================== ∗∗∗ ASUS releases fix for AMI bug that lets hackers brick servers ∗∗∗ --------------------------------------------- ASUS has released security updates to address CVE-2024-54085, a maximum severity flaw that could allow attackers to hijack and potentially brick servers. [..] The flaw impacts American Megatrends International's MegaRAC Baseboard Management Controller (BMC) software, used by over a dozen server hardware vendors, including HPE, ASUS, and ASRock. The CVE-2024-54085 flaw is remotely exploitable, potentially leading to malware infections, firmware modifications, and irreversible physical damage through over-volting. --------------------------------------------- https://www.bleepingcomputer.com/news/security/asus-releases-fix-for-ami-bu… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (bluez, expat, and postgresql:12), Fedora (chromium, golang, LibRaw, moodle, openiked, ruby, and trafficserver), Red Hat (bluez, expat, gnutls, libtasn1, libxslt, mod_auth_openidc, mod_auth_openidc:2.3, ruby:3.1, thunderbird, and xmlrpc-c), and Ubuntu (linux, linux-aws, linux-gcp, linux-hwe-6.11, linux-lowlatency, linux-lowlatency-hwe-6.11, linux-oem-6.11, linux-oracle, linux-raspi, linux-realtime, linux-azure, linux-azure-6.11, linux-gcp-6.8, and matrix-synapse). --------------------------------------------- https://lwn.net/Articles/1018589/ ∗∗∗ CISA Releases Five Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- ICSA-25-112-01 Siemens TeleControl Server Basic SQL, ICSA-25-112-02 Siemens TeleControl Server Basic, ICSA-25-112-03 Schneider Electric Wiser Home Controller WHC-5918A, ICSA-25-112-04 ABB MV Drives, ICSA-25-035-04 Schneider Electric Modicon M580 PLCs, BMENOR2200H and EVLink Pro AC (Update A) --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/04/22/cisa-releases-five-indus… ∗∗∗ Cisco: Multiple Cisco Products Unauthenticated Remote Code Execution in Erlang/OTP SSH Server ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.04.2025
by Daily end-of-shift report 22 Apr '25

22 Apr '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 18-04-2025 18:00 − Dienstag 22-04-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: Felician Fuchs ===================== = News = ===================== ∗∗∗ DOGE, CISA, Mitre und CVE ∗∗∗ --------------------------------------------- In der Cybersecurity Community herrschte letzte Woche helle Aufregung, weil die Einsparungstruppe von Trumps Gnaden die grandiose Idee hatte, das Funding für den Betrieb des CVE-Systems durch Mitre einzustellen. Wahrscheinlich aufgrund des starken Gegenwindes von der Seite der US-Industrie wurde eine Lösung gefunden und der Betrieb ist (angeblich) für die nächsten 11 Monate gesichert. Ich will das zum Anlass nehmen, das System hinter den bekannten CVE-Nummern zu erklären und mögliche Entwicklungen aufzuzeigen. --------------------------------------------- https://www.cert.at/de/blog/2025/4/doge-cisa-mitre-und-cve ∗∗∗ Phishers abuse Google OAuth to spoof Google in DKIM replay attack ∗∗∗ --------------------------------------------- In a rather clever attack, hackers leveraged a weakness that allowed them to send a fake email that seemed delivered from Googles systems, passing all verifications but pointing to a fraudulent page that collected logins. --------------------------------------------- https://www.bleepingcomputer.com/news/security/phishers-abuse-google-oauth-… ∗∗∗ Phishing attacks leveraging HTML code inside SVG files ∗∗∗ --------------------------------------------- The SVG format provides the capability to embed HTML and JavaScript code within images, which is misused by attackers. Despite not being widespread at the time of this study, SVG attachment attacks are showing a clear upward trend. --------------------------------------------- https://securelist.com/svg-phishing/116256/ ∗∗∗ Videokameras: Schwere Sicherheitslücke bei Überwachungsgeräten der Polizei ∗∗∗ --------------------------------------------- Polizeibehörden in zahlreichen Ländern nutzen mobile Sender der Firma Infodraw. Doch die hochgeladenen Daten sind nicht ausreichend gesichert. [..] Über das Bundesamt für Sicherheit in der Informationstechnik (BSI) wurden laut Schäfers inzwischen in Deutschland alle übrigen Betreiber gewarnt. [..] Ihm zufolge reicht es nicht aus, die aktuelle Softwareversion 7.1.0.0 installiert zu haben. Wobei aktuell relativ ist, denn die Version stammt aus dem Jahr 2000. Schäfers empfiehlt den nutzenden Organisationen, die Anwendung unmittelbar offline zu nehmen. --------------------------------------------- https://www.golem.de/news/videokameras-schwere-sicherheitsluecke-bei-ueberw… ∗∗∗ Agent In the Middle – Abusing Agent Cards in the Agent-2-Agent (A2A) Protocol To ‘Win’ All the Tasks ∗∗∗ --------------------------------------------- I’ll write a blog post on prompt injection defenses and how I am able to circumvent them another time… the blog post today is about one of those advancements: the Agent-2-Agent (A2A) Protocol. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/agent-in-th… ∗∗∗ Microsoft Secures MSA Signing with Azure Confidential VMs Following Storm-0558 Breach ∗∗∗ --------------------------------------------- Microsoft on Monday announced that it has moved the Microsoft Account (MSA) signing service to Azure confidential virtual machines (VMs) and that it's also in the process of migrating the Entra ID signing service as well. The disclosure comes about seven months after the tech giant said it completed updates to Microsoft Entra ID and MS for both public and United States government clouds to generate, store, and automatically rotate access token signing keys using the Azure Managed Hardware Security Module (HSM) service. --------------------------------------------- https://thehackernews.com/2025/04/microsoft-secures-msa-signing-with.html ∗∗∗ Anspruch auf Kostenerstattung? Vorsicht vor neuer ÖGK-Betrugsmasche ∗∗∗ --------------------------------------------- Neue Website, alte Masche. Kriminelle haben eine weitere Betrugswelle im Namen der Österreichischen Gesundheitskasse gestartet. Sie locken mit einer hohen Rückzahlung und setzen auf eine beinahe 1:1-Kopie der originalen ÖGK-Website. So können Sie den Fake dennoch erkennen. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-neue-oegk-betrugsmasche/ ∗∗∗ Ivanti Endpoint Manager_Local Privilege Escalation via DLL Search Order Hijacking ∗∗∗ --------------------------------------------- The Ivanti Endpoint Manager Security Scan (Vulscan) Self Update was vulnerable to DLL Hijacking. 2025-04-08 Vendor publishes security advisory. 2025-04-22 Coordinated disclosure of security advisory. CVE Number CVE-2025-22458 --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/mehrere-schwachstelle… ∗∗∗ Microsoft’s patch for CVE-2025–21204 symlink vulnerability introduces another symlink vulnerability ∗∗∗ --------------------------------------------- Microsoft recently patched CVE-2025–21204, a vuln which allows users to abuse symlinks to elevate privileges using the Windows servicing stack and the c:\inetpub folder. [..] However, I’ve discovered this fix introduces a denial of service vulnerability in the Windows servicing stack that allows non-admin users to stop all future Windows security updates. [..] I reported this to MSRC about two weeks ago, but haven’t had a response. --------------------------------------------- https://doublepulsar.com/microsofts-patch-for-cve-2025-21204-symlink-vulner… ∗∗∗ Zugangs- und Schließsysteme mit Internetanbindung als Risiko – Teil 1 ∗∗∗ --------------------------------------------- Heute noch ein kleiner, zweiteiliger Sammelbeitrag, in dem ich auf die Risiken eingehe, welche Schließsysteme bzw. Systeme zur Zugangskontrolle sowie zur Zeiterfassung unter Umständen bieten. --------------------------------------------- https://www.borncity.com/blog/2025/04/20/risiko-zeiterfassungs-zugangs-und-… ∗∗∗ Systeme zur Zeiterfassung mit Internetanbindung als Risiko – Teil 2 ∗∗∗ --------------------------------------------- In Teil 1 des zweiteiligen Sammelbeitrags hatte ich auf die Risiken hingewiesen, die von elektronischen Schließsystemen bzw. Systemen zur Zugangskontrolle ausgehen können, wenn diese am Internet hängen. Aber auch Systeme zur Zeiterfassung, die per Internet erreichbar sind, fallen in diese Kategorie, sofern Dienstleister diese allzu sorglos eingerichtet haben. --------------------------------------------- https://www.borncity.com/blog/2025/04/21/systeme-zur-zeiterfassung-mit-inte… ===================== = Vulnerabilities = ===================== ∗∗∗ Asus-Router: Sicherheitslücke ermöglicht unbefugtes Ausführen von Funktionen ∗∗∗ --------------------------------------------- Im CVE-Eintrag zur Schwachstelle erörtert Asus, dass in der AiCloud eine unzureichende Authentifizierungskontrolle stattfinde. Diese lasse sich durch manipulierte Anfragen missbrauchen, um ohne Autorisierung Funktionen auszuführen (CVE-2025-2492, CVSS 9.2, Risiko "kritisch"). [..] In der Sicherheitsmitteilung schreibt Asus lediglich, dass die Entwickler aktualisierte Firmware für die Serien 3.0.0.4_382, 3.0.0.4_386, 3.0.0.4_388 und 3.0.0.6_102 veröffentlicht hat. Die soll die Schwachstelle ausbessern. --------------------------------------------- https://www.heise.de/news/Asus-Router-Sicherheitsluecke-ermoeglicht-unbefug… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (erlang, fig2dev, shadow, wget, and zabbix), Fedora (chromium, jupyterlab, llama-cpp, prometheus-podman-exporter, python-notebook, python-pydantic-core, rpki-client, rust-adblock, rust-cookie_store, rust-gitui, rust-gstreamer, rust-icu_collections, rust-icu_locid, rust-icu_locid_transform, rust-icu_locid_transform_data, rust-icu_normalizer, rust-icu_normalizer_data, rust-icu_properties, rust-icu_properties_data, rust-icu_provider, rust-icu_provider_macros, rust-idna, rust-idna_adapter, rust-litemap, rust-ron, rust-sequoia-openpgp, rust-sequoia-openpgp1, rust-tinystr, rust-url, rust-utf16_iter, rust-version-ranges, rust-write16, rust-writeable, rust-zerovec, rust-zip, uv, and webkitgtk), Slackware (libxml2 and zsh), SUSE (argocd-cli, chromium, coredns, ffmpeg-6, and firefox), and Ubuntu (imagemagick). --------------------------------------------- https://lwn.net/Articles/1018292/ ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (java-1.8.0-openjdk, kernel, libxslt, mod_auth_openidc:2.3, and webkit2gtk3), Fedora (c-ares, giflib, jupyterlab, perl, perl-Devel-Cover, perl-PAR-Packer, prometheus-podman-exporter, python-notebook, python-pydantic-core, rpki-client, ruby, rust-adblock, rust-cookie_store, rust-gitui, rust-gstreamer, rust-icu_collections, rust-icu_locid, rust-icu_locid_transform, rust-icu_locid_transform_data, rust-icu_normalizer, rust-icu_normalizer_data, rust-icu_properties, rust-icu_properties_data, rust-icu_provider, rust-icu_provider_macros, rust-idna, rust-idna_adapter, rust-litemap, rust-ron, rust-sequoia-openpgp, rust-sequoia-openpgp1, rust-tinystr, rust-url, rust-utf16_iter, rust-version-ranges, rust-write16, rust-writeable, rust-zerovec, rust-zip, thunderbird, and uv), SUSE (erlang, erlang26, and govulncheck-vulndb), and Ubuntu (mosquitto). --------------------------------------------- https://lwn.net/Articles/1018444/ ∗∗∗ Zyxel security advisory for incorrect permission assignment and improper privilege management vulnerabilities in USG FLEX H series firewalls ∗∗∗ --------------------------------------------- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-… ∗∗∗ Wordpress: Angreifer können über Greenshift-Plug-in Schadcode hochladen ∗∗∗ --------------------------------------------- https://heise.de/-10357624 ∗∗∗ SicommNet BASEC product warning ∗∗∗ --------------------------------------------- https://csirt.divd.nl/2025/04/14/SicommNet-Basec-product-warning/ ∗∗∗ Tenable: [R1] Stand-alone Security Patch Available for Tenable Security Center version 6.5.1: SC-202504.3 ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2025-06 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.04.2025
by Daily end-of-shift report 18 Apr '25

18 Apr '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 17-04-2025 18:00 − Freitag 18-04-2025 18:00 Handler: Felician Fuchs Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Chrome extensions with 6 million installs have hidden tracking code ∗∗∗ --------------------------------------------- A set of 57 Chrome extensions with 6,000,000 users have been discovered with very risky capabilities, such as monitoring browsing behavior, accessing cookies for domains, and potentially executing remote scripts. [..] Earlier today, the researcher added 22 more extensions believed to belong to the same operation, taking the total to 57 extensions used by 6 million people. Some of the newly added extensions are public, too. Tuckner says that many of the extensions have been removed from the Chrome Web Store following his report from last week, but others still remain. --------------------------------------------- https://www.bleepingcomputer.com/news/security/chrome-extensions-with-6-mil… ∗∗∗ Windows NTLM hash leak flaw exploited in phishing attacks on governments ∗∗∗ --------------------------------------------- A Windows vulnerability that exposes NTLM hashes using .library-ms files is now actively exploited by hackers in phishing campaigns targeting government entities and private companies. The flaw tracked as CVE-2025-24054 was fixed in Microsoft's March 2025 Patch Tuesday. Initially, it was not marked as actively exploited and was assessed as 'less likely' to be. [..] In a later campaign, Check Point discovered phishing emails that contained .library-ms attachments, without an archive. Simply downloading the .library-ms file was enough to trigger NTLM authentication to the remote server, demonstrating that archives were not required to exploit the flaw. --------------------------------------------- https://www.bleepingcomputer.com/news/security/windows-ntlm-hash-leak-flaw-… ∗∗∗ Multi-Stage Malware Attack Uses .JSE and PowerShell to Deploy Agent Tesla and XLoader ∗∗∗ --------------------------------------------- A new multi-stage attack has been observed delivering malware families like Agent Tesla variants, Remcos RAT, and XLoader. "Attackers increasingly rely on such complex delivery mechanisms to evade detection, bypass traditional sandboxes, and ensure successful payload delivery and execution," Palo Alto Networks Unit 42 researcher Saqib Khanzada said in a technical write-up of the campaign. --------------------------------------------- https://thehackernews.com/2025/04/multi-stage-malware-attack-uses-jse-and.h… ∗∗∗ Nebula – Autonomous AI Pentesting Tool ∗∗∗ --------------------------------------------- Another cutting-edge tool from 2024 is Nebula, an open-source AI-powered penetration testing assistant. If PentestGPT is like an AI advisor, Nebula attempts to automate parts of the pentest process itself. --------------------------------------------- https://www.darknet.org.uk/2025/04/nebula-autonomous-ai-pentesting-tool/ ∗∗∗ Cross-Site WebSocket Hijacking Exploitation in 2025 ∗∗∗ --------------------------------------------- The post includes a few brief case studies based on situations encountered during real world testing, in addition to a simple test site that can be hosted by readers to explore each of the vulnerability conditions. --------------------------------------------- https://blog.includesecurity.com/2025/04/cross-site-websocket-hijacking-exp… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (graphicsmagick and libapache2-mod-auth-openidc), Fedora (giflib, mod_auth_openidc, mysql8.0, perl, perl-Devel-Cover, perl-PAR-Packer, perl-String-Compare-ConstantTime, rust-openssl, rust-openssl-sys, trunk, and workrave), Mageia (chromium-browser-stable and rust), Oracle (java-1.8.0-openjdk, java-17-openjdk, java-21-openjdk, kernel, libreoffice, and webkit2gtk3), Red Hat (gvisor-tap-vsock), SUSE (containerd, docker, docker-stable, forgejo, GraphicsMagick, libmozjs-115-0, perl-32bit, poppler, subfinder, and thunderbird), and Ubuntu (erlang and ruby2.3, ruby2.5). --------------------------------------------- https://lwn.net/Articles/1018020/ ∗∗∗ [R1] Nessus Version 10.8.4 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2025-05 ∗∗∗ Yokogawa Recorder Products ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-107-04 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.04.2025
by Daily end-of-shift report 17 Apr '25

17 Apr '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 16-04-2025 18:00 − Donnerstag 17-04-2025 18:00 Handler: Felician Fuchs Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ MITRE CVE Program - the past, the present .. and the (European) future. ∗∗∗ --------------------------------------------- The Common Vulnerabilities and Exposures (CVE) program is a globally adopted system for identifying and naming cybersecurity vulnerabilities with unique IDs. Established in 1999 by researchers at the MITRE Corporation (a U.S. non-profit R&D organization), CVE was created to ensure that different security tools and stakeholders can refer to the same vulnerability in a consistent way. --------------------------------------------- https://bytesandborscht.com/mitre-cve-program-the-past-the-present-and-the-… ∗∗∗ RedTail, Remnux and Malware Management [Guest Diary], (Wed, Apr 16th) ∗∗∗ --------------------------------------------- When I first saw malware being uploaded to my honeypot, I was lacking the requisite experience to reverse engineer it, and to understand what was happening with the code. Even though I could use any text editor to examine the associated scripts that were being uploaded with RedTail malware, I couldn’t see what was happening with the redtail malware itself. So, I decided to create a how-to on setting up a malware analysis program. --------------------------------------------- https://isc.sans.edu/diary/rss/31868 ∗∗∗ Proton66 Part 2: Compromised WordPress Pages and Malware Campaigns ∗∗∗ --------------------------------------------- Earlier this year SpiderLabs observed an increase in mass scanning, credential brute forcing, and exploitation attempts originating from Proton66 ASN targeting organizations worldwide that we are discussing in a two-part series. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/proton66-pa… ∗∗∗ Experts Uncover Four New Privilege Escalation Flaws in Windows Task Scheduler ∗∗∗ --------------------------------------------- Cybersecurity researchers have detailed four different vulnerabilities in a core component of the Windows task scheduling service that could be exploited by local attackers to achieve privilege escalation and erase logs to cover up evidence of malicious activities. --------------------------------------------- https://thehackernews.com/2025/04/experts-uncover-four-new-privilege.html ∗∗∗ CISA Flags Actively Exploited Vulnerability in SonicWall SMA Devices ∗∗∗ --------------------------------------------- The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a security flaw impacting SonicWall Secure Mobile Access (SMA) 100 Series gateways to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The high-severity vulnerability, tracked as CVE-2021-20035 (CVSS score: 7.2), relates to a case of operating system command injection that could result in code execution. --------------------------------------------- https://thehackernews.com/2025/04/cisa-flags-actively-exploited.html ∗∗∗ Support-Ende von Ubuntu 20.04 dräut ∗∗∗ --------------------------------------------- Der Support für Ubuntu 20.04 endet in wenigen Wochen. Ubuntu empfiehlt ein Upgrade oder erweiterten Support mit Ubuntu Pro. --------------------------------------------- https://www.heise.de/news/Support-Ende-von-Ubuntu-20-04-draeut-10355860.html ∗∗∗ Unmasking the new XorDDoS controller and infrastructure ∗∗∗ --------------------------------------------- Cisco Talos observed an existing distributed denial-of-service (DDoS) malware known as XorDDoS, continuing to spread globally between November 2023 and February 2025. A significant finding shows that over 70 percent of attacks using XorDDoS targeted the United States from Nov. 2023 to Feb. 2025. --------------------------------------------- https://blog.talosintelligence.com/unmasking-the-new-xorddos-controller-and… ===================== = Vulnerabilities = ===================== ∗∗∗ Apple Patches Two Actively Exploited iOS Flaws Used in Sophisticated Targeted Attacks ∗∗∗ --------------------------------------------- Apple on Wednesday released security updates for iOS, iPadOS, macOS Sequoia, tvOS, and visionOS to address two security flaws that it said have come under active exploitation in the wild. --------------------------------------------- https://thehackernews.com/2025/04/apple-patches-two-actively-exploited.html ∗∗∗ Critical Erlang/OTP SSH Vulnerability (CVSS 10.0) Allows Unauthenticated Code Execution ∗∗∗ --------------------------------------------- A critical security vulnerability has been disclosed in the Erlang/Open Telecom Platform (OTP) SSH implementation that could permit an attacker to execute arbitrary code sans any authentication under certain conditions. The vulnerability, tracked as CVE-2025-32433, has been given the maximum CVSS score of 10.0. --------------------------------------------- https://thehackernews.com/2025/04/critical-erlangotp-ssh-vulnerability.html ∗∗∗ Drupal releases Security Advisories for multiple Critical and High Vulnerabilities ∗∗∗ --------------------------------------------- Including 5 critical and 2 high severity. --------------------------------------------- https://www.drupal.org/security ∗∗∗ Atlassian stopft hochriskante Lecks in Confluence, Jira & Co. ∗∗∗ --------------------------------------------- Atlassian hat für Bamboo, Confluence und Jira Aktualisierungen herausgegeben, die als hohes Risiko eingestufte Sicherheitslücken in den Produkten abdichten sollen. IT-Verantwortliche sollten die Updates zeitnah herunterladen und anwenden. --------------------------------------------- https://www.heise.de/news/Atlassian-stopft-hochriskante-Lecks-in-Confluence… ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (April 7, 2025 to April 13, 2025) ∗∗∗ --------------------------------------------- Last week, there were 340 vulnerabilities disclosed in 303 WordPress Plugins and 8 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 67 Vulnerability Researchers that contributed to WordPress Security last week. --------------------------------------------- https://www.wordfence.com/blog/2025/04/wordfence-intelligence-weekly-wordpr… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium and libapache2-mod-auth-openidc), Oracle (expat, freetype, glibc, grub2, gvisor-tap-vsock, and kernel), Red Hat (grub2 and webkit2gtk3), and SUSE (apache2-mod_auth_openidc, cosign, gitoxide, govulncheck-vulndb, GraphicsMagick, haproxy, hauler, mozjs52, oci-cli, pam, perl-Data-Entropy, poppler, python-lxml-doc, python311-aiohttp, rekor, rubygem-rexml, and webkit2gtk3). --------------------------------------------- https://lwn.net/Articles/1017919/ ∗∗∗ Cisco Nexus Dashboard LDAP Username Enumeration Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Webex App Client-Side Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ [R1] Stand-alone Security Patch Available for Tenable Security Center versions 6.3.0, 6.4.0, 6.4.5 and 6.5.1: SC-202504.2 ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2025-04 ∗∗∗ F5 K000150879: OpenSSH vulnerability CVE-2025-26466 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000150879 ∗∗∗ F5 K000150901: Linux kernel vulnerability CVE-2024-46713 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000150901 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.04.2025
by Daily end-of-shift report 16 Apr '25

16 Apr '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 15-04-2025 18:00 − Mittwoch 16-04-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: Guenes Holler ===================== = News = ===================== ∗∗∗ Mehrere FortiGate-Modelle von Backdoor betroffen ∗∗∗ --------------------------------------------- Am Freitag, den 10. April, veröffentlichte Fortinet Informationen über eine weltweite Kompromittierung von FortiGate-Geräten, die Angreifer:innen dauerhaften lesenden Zugriff ermöglichten. Die Angreifer:innen nutzten offenbar drei bekannte Schwachstellen in der SSL-VPN-Funktion, um sich Zugang zu den Geräten zu verschaffen, und eine Hintertür im Dateisystem zu platzieren um den illegalen Zugriff nachhaltig zu ermöglichen. [..] Alle FortiGate-Geräte, physisch oder virtuell, die die SSL-VPN-Funktion aktiviert haben oder hatten und jemals für eine der genannten Schwachstellen anfällig waren (siehe betroffene FortiOS-Versionen in den Advisories - 1, 2, 3), sind potenziell gefährdet. --------------------------------------------- https://www.cert.at/de/blog/2025/4/mehrere-fortigate-modelle-von-backdoor-b… ∗∗∗ CISA extends funding to ensure no lapse in critical CVE services ∗∗∗ --------------------------------------------- CISA says the U.S. government has extended MITREs funding to ensure no continuity issues with the critical Common Vulnerabilities and Exposures (CVE) program. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cisa-extends-funding-to-ensu… ∗∗∗ Quellcode und Daten geleakt: 4chan nach mutmaßlichem Hackerangriff offline ∗∗∗ --------------------------------------------- 4chan hat offenbar den Unmut einer Konkurrenzplattform auf sich gezogen. Dort kursieren Screenshots von internen Tools, Datenbanken, E-Mail-Listen und mehr. --------------------------------------------- https://www.golem.de/news/quellcode-und-daten-geleakt-4chan-nach-mutmasslic… ∗∗∗ Latest Mustang Panda Arsenal: PAKLOG, CorKLOG, and SplatCloak | P2 ∗∗∗ --------------------------------------------- This is Part 2 of our two-part technical analysis on Mustang Panda’s new tools. --------------------------------------------- https://www.zscaler.com/blogs/security-research/latest-mustang-panda-arsena… ∗∗∗ CrazyHunter Campaign Targets Taiwanese Critical Sectors ∗∗∗ --------------------------------------------- This blog entry details research on emerging ransomware group CrazyHunter, which has launched a sophisticated campaign aimed at Taiwans essential services. --------------------------------------------- https://www.trendmicro.com/en_us/research/25/d/crazyhunter-campaign.html ===================== = Vulnerabilities = ===================== ∗∗∗ Oracle Critical Patch Update Advisory - April 2025 ∗∗∗ --------------------------------------------- A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches address vulnerabilities in Oracle code and in third party components included in Oracle products. --------------------------------------------- https://www.oracle.com/security-alerts/cpuapr2025.html ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (gvisor-tap-vsock, kernel, and kernel-rt), Fedora (chromium, dnf, dotnet9.0, golang, lemonldap-ng, mariadb10.11, perl-Crypt-URandom-Token, perl-DBIx-Class-EncodedColumn, php-tcpdf, podman-tui, and trunk), Red Hat (java-17-openjdk and kernel), Slackware (mozilla), SUSE (apache2-mod_auth_openidc, cosign, etcd, expat, flannel, kernel, libsqlite3-0, libvarnishapi3, mozjs52, Multi-Linux Manager 4.3: Server, Multi-Linux Manager 5.0: Server, Proxy and Retail Server, pgadmin4, rekor, rsync, rubygem-bundler, and webkit2gtk3), and Ubuntu (7zip, Docker, and quickjs). --------------------------------------------- https://lwn.net/Articles/1017670/ ∗∗∗ CISA Releases Nine Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- ICSA-25-105-01 Siemens Mendix Runtime, ICSA-25-105-02 Siemens Industrial Edge Device Kit, ICSA-25-105-03 Siemens SIMOCODE, SIMATIC, SIPLUS, SIDOOR, SIWAREX, ICSA-25-105-04 Growatt Cloud Applications, ICSA-25-105-05 Lantronix Xport, ICSA-25-105-06 National Instruments LabVIEW, ICSA-25-105-07 Delta Electronics COMMGR, ICSA-25-105-08 ABB M2M Gateway, ICSA-25-105-09 Mitsubishi Electric Europe B.V. smartRTU --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/04/15/cisa-releases-nine-indus… ∗∗∗ Mozilla: Security Vulnerabilities fixed in Thunderbird ESR 128.9.2 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-27/ ∗∗∗ Mozilla: Security Vulnerabilities fixed in Thunderbird 137.0.2 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-27/ ∗∗∗ Webbrowser: Kritische Sicherheitslücke in Chrome abgedichtet ∗∗∗ --------------------------------------------- https://heise.de/-10354575 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.04.2025
by Daily end-of-shift report 15 Apr '25

15 Apr '25

===================== = End-of-Day report = ===================== Timeframe: Montag 14-04-2025 18:00 − Dienstag 15-04-2025 18:00 Handler: Guenes Holler Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ New ResolverRAT malware targets pharma and healthcare orgs worldwide ∗∗∗ --------------------------------------------- A new remote access trojan (RAT) called ResolverRAT is being used against organizations globally, with the malware used in recent attacks targeting the healthcare and pharmaceutical sectors. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-resolverrat-malware-targ… ∗∗∗ Sicherheitspatches: Google beendet Unterstützung von Android 12 ∗∗∗ --------------------------------------------- Android 12 ist im Jahr 2025 noch die dritthäufigste Android-Version auf dem Markt - Google stellt nun die Versorgung mit Patches ein. --------------------------------------------- https://www.golem.de/news/sicherheitspatches-google-beendet-unterstuetzung-… ∗∗∗ Gladinet’s Triofox and CentreStack Under Active Exploitation via Critical RCE Vulnerability ∗∗∗ --------------------------------------------- A recently disclosed security flaw in Gladinet CentreStack also impacts its Triofox remote access and collaboration solution, according to Huntress, with seven different organizations compromised to date. Tracked as CVE-2025-30406 (CVSS score: 9.0), the vulnerability refers to the use of a hard-coded cryptographic key that could expose internet-accessible servers to remote code execution attacks. It has been addressed in CentreStack version 16.4.10315.56368 released on April 3, 2025. --------------------------------------------- https://thehackernews.com/2025/04/gladinets-triofox-and-centrestack-under.h… ∗∗∗ Verkehrskunde und Krankheiten: Wenn Betrüger:innen Kinder als Lockmittel einsetzen ∗∗∗ --------------------------------------------- Ein Herz für Kinder – genau auf dieses haben es Kriminelle immer wieder abgesehen. Sie versenden E-Mails und bitten darin um Spenden für die Produktion von Büchern. Diese sollen Kindergärten, Kinderkliniken und anderen entsprechenden Einrichtungen kostenlos zur Verfügung gestellt werden. Ein an sich nobles Vorhaben. In Wahrheit aber nichts andere als eine besonders dreiste und unappetitliche Betrugsmasche. --------------------------------------------- https://www.watchlist-internet.at/news/betruegerinnen-kinder-als-lockmittel/ ∗∗∗ Renewed APT29 Phishing Campaign Against European Diplomats ∗∗∗ --------------------------------------------- Starting in January 2025, Check Point Research (CPR) has been tracking a wave of targeted phishing attacks aimed at European governments and diplomats. The Techniques, Tactics and Procedures (TTPs) observed in this campaign align with the WINELOADER campaigns, which were attributed to APT29, a Russia linked threat group. --------------------------------------------- https://research.checkpoint.com/2025/apt29-phishing-campaign/ ∗∗∗ Android-Smartphones starten sich nach 3 Tagen Inaktivität von selbst neu ∗∗∗ --------------------------------------------- Wie iPhones unter iOS 18 starten sich Android-Smartphones künftig nach 72 Stunden der Inaktivität von selbst neu. Damit soll die allgemeine Sicherheit erhöht und nicht die Polizei geärgert werden. --------------------------------------------- https://heise.de/-10352891 ===================== = Vulnerabilities = ===================== ∗∗∗ Critical Apache Roller Vulnerability (CVSS 10.0) Enables Unauthorized Session Persistence ∗∗∗ --------------------------------------------- A critical security vulnerability has been disclosed in the Apache Roller open-source, Java-based blogging server software that could allow malicious actors to retain unauthorized access even after a password change. The flaw, assigned the CVE identifier CVE-2025-24859, carries a CVSS score of 10.0, indicating maximum severity. It affects all versions of Roller up to and including 6.1.4. --------------------------------------------- https://thehackernews.com/2025/04/critical-apache-roller-vulnerability.html ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (glibc), Red Hat (kernel and kernel-rt), Slackware (perl), SUSE (haproxy, kernel, and webkit2gtk3), and Ubuntu (cimg, perl, protobuf, and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/1017514/ ∗∗∗ Vulnerability in FileSender versions 2.15 through 2.50 ∗∗∗ --------------------------------------------- https://filesender.org/vulnerability-in-filesender-versions-2-15-through-2-… ∗∗∗ Mozilla: Security vulnerability fixed in Firefox 137.0.2 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-25/ ∗∗∗ f5: K000150814: BIND vulnerability CVE-2024-11187 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000150814 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.04.2025
by Daily end-of-shift report 14 Apr '25

14 Apr '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 11-04-2025 18:00 − Montag 14-04-2025 18:00 Handler: Guenes Holler Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ BentoML Vulnerability Allows Remote Code Execution on AI Servers ∗∗∗ --------------------------------------------- This vulnerability, tracked as CVE-2025-27520 with a high severity score of 9.8 and discovered by GitHub user c2an1, could allow attackers who aren’t even logged in to take complete control of the servers running these AI services. [..] Interestingly, according to Checkmarx’s report, this vulnerability is essentially a repeat of CVE-2024-2912, which was fixed in BentoML version 1.2.5., but the fix was later removed in BentoML version 1.3.8, causing the same dangerous weakness to reappear. --------------------------------------------- https://hackread.com/bentoml-vulnerability-remote-code-execution-ai-servers/ ∗∗∗ Exploit Attempts for Recent Langflow AI Vulnerability (CVE-2025-3248), (Sat, Apr 12th) ∗∗∗ --------------------------------------------- Two weeks ago, version 1.3.0 of Langflow was released. The release notes list many fixes but do not mention that one of the "Bug Fixes" addresses a major vulnerability. Instead, the release notes state, "auth current user on code validation." [..] The vulnerability went somewhat unnoticed, at least by me, until Horizon3 created a detailed writeup showing how easy it is to exploit the vulnerability and provide proof of concept exploit. --------------------------------------------- https://isc.sans.edu/diary/rss/31850 ∗∗∗ Proton66 Part 1: Mass Scanning and Exploit Campaigns ∗∗∗ --------------------------------------------- Trustwave SpiderLabs continuously tracks a range of malicious activities originating from Proton66 ASN, including vulnerability scanning, exploit attempts, and phishing campaigns leading to malware infections. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/proton66-pa… ∗∗∗ Phishing Campaigns Use Real-Time Checks to Validate Victim Emails Before Credential Theft ∗∗∗ --------------------------------------------- Cybersecurity researchers are calling attention to a new type of credential phishing scheme that ensures that the stolen information is associated with valid online accounts. The technique has been codenamed precision-validating phishing by Cofense, which it said employs real-time email validation so that only a select set of high-value targets are served the fake login screens. --------------------------------------------- https://thehackernews.com/2025/04/phishing-campaigns-use-real-time-checks.h… ∗∗∗ CyberAv3ngers: The Iranian Saboteurs Hacking Water and Gas Systems Worldwide ∗∗∗ --------------------------------------------- CyberAv3ngers has been vocal about their operations that targeted Israel and Israeli technology products. But they've also quietly expanded their target list to include a variety of other devices and networks, including a US oil and gas firm and a wide array of industrial control systems across the world. --------------------------------------------- https://www.wired.com/story/cyberav3ngers-iran-hacking-water-and-gas-indust… ∗∗∗ A short(-ish) guide on information security writing ∗∗∗ --------------------------------------------- Whether you’re compiling incident notes at 3 AM, drafting a post-mortem report for the board or helping the marketing department to craft a blog post that will generate near endless riches for your employer - we may like it or not, the ability to produce qualitative writing is as much a vital skill when working in information security as your technical prowess. --------------------------------------------- https://bytesandborscht.com/a-short-ish-guide-on-information-security-writi… ∗∗∗ Vorsicht vor Dreiecksbetrug bei Kleinanzeigenplattformen ∗∗∗ --------------------------------------------- eBay, Willhaben, Shpock und Co. sind beliebte Plattformen, um günstig gebrauchte Waren zu kaufen oder nicht mehr benötigte Gegenstände zu verkaufen. Doch Vorsicht: Hinter manchen Profilen verbergen sich Kriminelle. Besonders tückisch ist der Dreiecksbetrug, bei dem sowohl Käufer:innen als auch Verkäufer:innen betrogen werden. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-dreiecksbetrug-bei-klei… ∗∗∗ BPFDoor’s Hidden Controller Used Against Asia, Middle East Targets ∗∗∗ --------------------------------------------- A controller linked to BPF backdoor can open a reverse shell, enabling deeper infiltration into compromised networks. Recent attacks have been observed targeting the telecommunications, finance, and retail sectors across South Korea, Hong Kong, Myanmar, Malaysia, and Egypt. --------------------------------------------- https://www.trendmicro.com/en_us/research/25/d/bpfdoor-hidden-controller.ht… ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitsupdates: Schadcode-Attacken auf KI-Analyseplattform Spotfire möglich ∗∗∗ --------------------------------------------- Wie aus zwei Warnmeldungen zu den Sicherheitslücken (CVE-2025-3114 "kritisch", CVE-2025-3115 "kritisch") hervorgeht, sind konkret Spotfire Analyst, AWS Marketplace, Deployment Kit Spotfire Server, Desktop, Enterprise Runtime, Service for Python, Service for R und Statistics Services bedroht. --------------------------------------------- https://www.heise.de/news/Sicherheitsupdates-Schadcode-Attacken-auf-KI-Anal… ∗∗∗ Netzwerkgeräte mit Arista EOS können Verschlüsselung vergessen ∗∗∗ --------------------------------------------- Wie aus einer Warnmeldung hervorgeht, funktioniert die Verschlüsselung von Datenverkehr nicht verlässlich. Das ist aber den Entwicklern zufolge aber nur gegeben, wenn Secure Vxlan konfiguriert ist. [..] Die Sicherheitslücke (CVE-2024-12378) ist mit dem Bedrohungsgrad "kritisch" eingestuft. --------------------------------------------- https://www.heise.de/news/Netzwerkgeraete-mit-Arista-EOS-koennen-Verschlues… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (glib2.0, jinja2, kernel, mediawiki, perl, subversion, twitter-bootstrap3, twitter-bootstrap4, and wpa), Fedora (c-ares, chromium, condor, corosync, cri-tools1.29, exim, firefox, matrix-synapse, nextcloud, openvpn, perl-Data-Entropy, suricata, upx, varnish, webkitgtk, yarnpkg, and zabbix), Mageia (giflib, gnupg2, graphicsmagick, and poppler), Oracle (delve and golang, go-toolset:ol8, grub2, and webkit2gtk3), Red Hat (kernel and kernel-rt), SUSE (chromium, fontforge-20230101, govulncheck-vulndb, kernel, liblzma5-32bit, pgadmin4, python311-Django, and python311-PyJWT), and Ubuntu (graphicsmagick). --------------------------------------------- https://lwn.net/Articles/1017396/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.04.2025
by Daily end-of-shift report 11 Apr '25

11 Apr '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 10-04-2025 18:00 − Freitag 11-04-2025 18:00 Handler: Guenes Holler Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Fortinet FortiOS: Angreifende installierten persistenten Lesezugriff auf Firewalls ∗∗∗ --------------------------------------------- Am 10. April 2025 veröffentlichte der Hersteller Fortinet einen PSIRT-Blogbeitrag über beobachtete Kompromittierungen durch mehrere bekannte Schwachstellen im Betriebssystem FortiOS der Firewall- Serie FortiGate [FORT25]. [..] Fortinet konnte beobachten, wie Angreifende die genannten Schwachstellen nutzten, um sich persistenten Lesezugriff auf verwundbaren FortiGates zu verschaffen. [..] IT-Sicherheitsverantwortliche sollten prüfen, ob sie selbst betroffen waren oder sind und weitere Schutzmaßnahmen ergreifen. --------------------------------------------- https://www.bsi.bund.de/SharedDocs/Cybersicherheitswarnungen/DE/2025/2025-2… ∗∗∗ Researcher uncovers dozens of sketchy Chrome extensions with 4 million installs ∗∗∗ --------------------------------------------- Google is hosting dozens of extensions in its Chrome Web Store that perform suspicious actions on the more than 4 million devices that have installed them and that their developers have taken pains to carefully conceal. --------------------------------------------- https://arstechnica.com/security/2025/04/researcher-uncovers-dozens-of-sket… ∗∗∗ Tycoon2FA New Evasion Technique for 2025 ∗∗∗ --------------------------------------------- The Tycoon 2FA phishing kit has adopted several new evasion techniques aimed at slipping past endpoints and detection systems. These include using a custom CAPTCHA rendered via HTML5 canvas, invisible Unicode characters in obfuscated JavaScript, and anti-debugging scripts to thwart inspection. This blog takes a closer look at these methods to better understand how this kit is evolving and what defenders should be aware of. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tycoon2fa-n… ∗∗∗ Pixel-Perfect Trap: The Surge of SVG-Borne Phishing Attacks ∗∗∗ --------------------------------------------- Ever thought an image file could be part of a cyber threat? The Trustwave SpiderLabs Email Security team has identified a major spike in SVG image-based attacks, where harmless-looking graphics are being used to hide dangerous links. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pixel-perfe… ∗∗∗ Palo Alto Networks Warns of Brute-Force Attempts Targeting PAN-OS GlobalProtect Gateways ∗∗∗ --------------------------------------------- Palo Alto Networks has revealed that its observing brute-force login attempts against PAN-OS GlobalProtect gateways, days after threat actors warned of a surge in suspicious login scanning activity targeting its appliances. --------------------------------------------- https://thehackernews.com/2025/04/palo-alto-networks-warns-of-brute-force.h… ∗∗∗ Vorsicht vor gefälschten card complete Anrufen! ∗∗∗ --------------------------------------------- Derzeit kommt es zu betrügerischen Anrufen im Namen der Kreditkartenfirma card complete. Kriminelle setzen dabei Spoofing ein, um vorzutäuschen, dass es sich um seriöse Anrufe handelt. Ihr Ziel ist es, an sensible Daten wie Passwörter und Codes zu gelangen. Sollten Sie so einen Anruf erhalten, legen Sie sofort auf und blockieren Sie die Nummer. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-gefaelschten-card-compl… ∗∗∗ Malicious NPM Packages Targeting PayPal Users ∗∗∗ --------------------------------------------- FortiGuard Labs has recently discovered a series of malicious NPM packages designed to steal sensitive information from compromised systems. These packages are believed to have been created between March 5 and March 14 by a threat actor known as tommyboy_h1 and tommyboy_h2 to target PayPal users. [..] These attacks function by using a "preinstall hook" in malicious NPM packages, automatically running a script when the package is installed. --------------------------------------------- https://feeds.fortinet.com/~/916527947/0/fortinet/blogs~Malicious-NPM-Packa… ∗∗∗ Security audit of PHP-SRC ∗∗∗ --------------------------------------------- The Open Source Technology Improvement Fund, Inc, thanks to funding provided by Sovereign Tech Fund, engaged with Quarkslab to perform a security audit of PHP-SRC, the interpreter of the PHP language. The audit aimed to assist PHPs core developers and the community in strengthening the projects security ahead of the upcoming PHP 8.4 release. --------------------------------------------- http://blog.quarkslab.com/security-audit-of-php-src.html ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (delve and golang and go-toolset:rhel8), Debian (webkit2gtk), Fedora (openvpn, thunderbird, uboot-tools, and zabbix), SUSE (expat, fontforge, govulncheck-vulndb, and kernel), and Ubuntu (haproxy and libsoup2.4, libsoup3). --------------------------------------------- https://lwn.net/Articles/1017197/ ∗∗∗ Sonicwall Netextender: Sicherheitslecks gefährden Windows-Client ∗∗∗ --------------------------------------------- In der Sicherheitsmitteilung schreiben die Sonicwall-Entwickler, dass insbesondere der Windows-Client der SSL-VPN-Software Netextender betroffen ist. Das größte Risiko geht von einer unzureichenden Rechteverwaltung in Sonicwall Netextender Windows, sowohl in der 32- als auch der 64-Bit-Version, aus. Angreifer mit niedrigen Rechten können dadurch Konfigurationen verändern (CVE-2025-23008, CVSS 7.2, Risiko "hoch"). --------------------------------------------- https://heise.de/-10349117 ∗∗∗ Subnet Solutions PowerSYSTEM Center ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-100-08 ∗∗∗ Rockwell Automation Arena ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-100-07 ∗∗∗ INFINITT Healthcare INFINITT PACS ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-100-01 ∗∗∗ F5: K000150813: Linux kernel vulnerability CVE-2024-50252 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000150813 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.04.2025
by Daily end-of-shift report 10 Apr '25

10 Apr '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 09-04-2025 18:00 − Donnerstag 10-04-2025 18:00 Handler: Felician Fuchs Co-Handler: Guenes Holler ===================== = News = ===================== ∗∗∗ Hackers target SSRF bugs in EC2-hosted sites to steal AWS credentials ∗∗∗ --------------------------------------------- A targeted campaign exploited Server-Side Request Forgery (SSRF) vulnerabilities in websites hosted on AWS EC2 instances to extract EC2 Metadata, which could include Identity and Access Management (IAM) credentials from the IMDSv1 endpoint. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-target-ssrf-bugs-in-… ∗∗∗ Oracle-Einbruch: Schweigen und Kleingerede ∗∗∗ --------------------------------------------- Über zwei Wochen nach Bekanntwerden eines Datenlecks in einer seiner Cloud-Umgebungen wandte sich Oracle nun mit einer E-Mail an Kunden. In der Stellungnahme bemühte sich der Konzern, den Angriff und dessen Auswirkungen kleinzuschreiben. [..] Tatsächlich liegen heise security Demo-Datensätze vor, die direkt vom Angreifer stammen. In diesen sind weit mehr als lediglich Usernamen zu finden – neben E-Mail-Adressen, verschiedenen Passworthashes und den Oracle-internen Tenant-Kennungen finden sich auch die Namen der betroffenen Systeme sowie eine Vielzahl von Zeitstempeln. Diese erstrecken sich bis in den März 2025. --------------------------------------------- https://www.heise.de/news/Oracle-Einbruch-Unternehmen-gibt-Datenklau-zu-und… ∗∗∗ Günstige PV-Komponenten aus Insolvenzmasse abzugeben? Vorsicht, Betrug! ∗∗∗ --------------------------------------------- Eine Anwaltskanzlei hat sich bei Ihnen gemeldet und bietet günstige Photovoltaik-Komponenten aus einem Insolvenzverkauf? Sie sollen rasch antworten, weil die Nachfrage hoch ist? Dann versuchen grade Betrüger:innen, an Ihr Geld zu kommen! Besonders gefährlich: Das insolvente Unternehmen und die Anwaltskanzlei existieren tatsächlich, die Kriminellen nutzen sie als Tarnung für ihre Masche. --------------------------------------------- https://www.watchlist-internet.at/news/pv-komponenten-aus-konkursmasse/ ===================== = Vulnerabilities = ===================== ∗∗∗ Splunk Security Advisories Archive ∗∗∗ --------------------------------------------- Splunk has released security updates for multiple products patching 2 critical and multiple more high vulnerabilities. --------------------------------------------- https://advisory.splunk.com//advisories ∗∗∗ Palo Alto Networks Security Advisories ∗∗∗ --------------------------------------------- Palo Alto Networks has released multiple security advisories for its products, including a high-severity vulnerability affecting the Prisma Access Browser. --------------------------------------------- https://security.paloaltonetworks.com/ ∗∗∗ HPE Aruba: Sicherheitspatches für Access Points und weitere Hardware ∗∗∗ --------------------------------------------- HPE hat Sicherheitswarnungen zu Schwachstellen in diversen Netzwerkgeräten der Aruba-Tochtermarke veröffentlicht. Angreifer können durch die Sicherheitslecks teils sogar Schadcode auf verwundbare Geräte schleusen. --------------------------------------------- https://www.heise.de/news/HPE-Aruba-Sicherheitspatches-fuer-Access-Points-u… ∗∗∗ Sicherheitsupdates: Mit Drupal erstellte Website sind verwundbar ∗∗∗ --------------------------------------------- Drupal-Admins sollten sicherstellen, dass die von ihnen genutzten Module des Content Management Systems (CMS) auf dem aktuellen Stand sind. Geschieht das nicht, können Angreifer Websites im schlimmsten Fall kompromittieren. --------------------------------------------- https://www.heise.de/news/Sicherheitsupdates-Mit-Drupal-erstellte-Website-s… ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (March 31, 2025 to April 6, 2025) ∗∗∗ --------------------------------------------- Last week, there were 527 vulnerabilities disclosed in 464 WordPress Plugins and 19 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 85 Vulnerability Researchers that contributed to WordPress Security last week. --------------------------------------------- https://www.wordfence.com/blog/2025/04/wordfence-intelligence-weekly-wordpr… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (tomcat and webkit2gtk3), Debian (chromium), Fedora (ghostscript), Mageia (atop, docker-containerd, and xz), Red Hat (go-toolset:rhel8), SUSE (apache2-mod_auth_openidc, apparmor, etcd, expat, firefox, kernel, libmozjs-128-0, and libpoppler-cpp2), and Ubuntu (dino-im, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-fips, linux-fips, linux-aws-fips, linux-azure-fips, linux-gcp-fips, opensc, and poppler). --------------------------------------------- https://lwn.net/Articles/1017043/ ∗∗∗ Wordpress: 100.000 Instanzen durch Lücke in SureTriggers-Plug-in gefährdet ∗∗∗ --------------------------------------------- In einem Blog-Beitrag erörtern die IT-Forscher von Wordfence, dass es Angreifer aus dem Netz ohne vorherige Authentifizierung administrative Nutzerkonten erstellen können. Sofern kein API-Key in dem SureTriggers-Plug-in eingerichtet ist, können Angreifer dadurch Administrator-Nutzer hinzufügen und damit Wordpress-Instanzen vollständig kompromittieren (CVE-2025-3102, CVSS 8.1. Risiko "hoch"). --------------------------------------------- https://heise.de/-10346837 ∗∗∗ Dell PowerScale OneFS: Standard-Passwort ermöglicht Account-Übernahme ∗∗∗ --------------------------------------------- Angreifer können an insgesamt sechs Schwachstellen ansetzen, um Netzwerkspeicher (NAS) mit Dells Betriebssystem PowerScale OneFS zu attackieren. Im schlimmsten Fall können Angreifer die volle Kontrolle über Geräte erlangen. --------------------------------------------- https://heise.de/-10347097 ∗∗∗ Juniper 2025-01 Security Bulletin: Junos Space: Multiple vulnerabilities resolved in 24.1R2 release ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2025-01-Security-Bulletin-Junos… ∗∗∗ F5 K000150784: OpenSSL vulnerability CVE-2024-13176 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000150784 ∗∗∗ Multiple vulnerabilities in MedDream PACS Server ∗∗∗ --------------------------------------------- https://www.cybersecurity-help.cz/vdb/SB2025041027 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily