Daily

daily@lists.cert.at

1 participants
3155 discussions

Tageszusammenfassung - 07.08.2024
by Daily end-of-shift report 07 Aug '24

07 Aug '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 06-08-2024 18:00 − Mittwoch 07-08-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Schweiz: Kuh stirbt nach Cyberangriff auf Melkroboter ∗∗∗ --------------------------------------------- Die Angreifer forderten ein Lösegeld. Da der Landwirt nicht zahlen wollte, ist ihm der Zugang zu wichtigen Informationen über seine Kühe verwehrt geblieben. --------------------------------------------- https://www.golem.de/news/schweiz-kuh-stirbt-nach-cyberangriff-auf-melkrobo… ∗∗∗ New Linux Kernel Exploit Technique SLUBStick Discovered by Researchers ∗∗∗ --------------------------------------------- Cybersecurity researchers have shed light on a novel Linux kernel exploitation technique dubbed SLUBStick that could be exploited to elevate a limited heap vulnerability to an arbitrary memory read-and-write primitive."Initially, it exploits .. --------------------------------------------- https://thehackernews.com/2024/08/new-linux-kernel-exploit-technique.html ∗∗∗ Roundcube Webmail Flaws Allow Hackers to Steal Emails and Passwords ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed details of security flaws in the Roundcube webmail software that could be exploited to execute malicious JavaScript in a victims web browser and steal sensitive information from their account under specific .. --------------------------------------------- https://thehackernews.com/2024/08/roundcube-webmail-flaws-allow-hackers.html ∗∗∗ CrowdStrike hires outside security outfits to review troubled Falcon code ∗∗∗ --------------------------------------------- And reveals the small mistake that bricked 8.5M Windows boxes CrowdStrike has hired two outside security firms to review its threat-detection suite Falcon that sparked a global IT outage last month - though it may not have an awful lot .. --------------------------------------------- https://www.theregister.com/2024/08/07/crowdstrike_full_incident_root_cause… ∗∗∗ Police take just 2 days to recover $40M stolen in business email scam ∗∗∗ --------------------------------------------- Timor-Leste is a known cybercrime hotspot Two days is all it took for Interpol to recover more than $40 million worth of stolen funds in a recent business email compromise (BEC) heist, the international cop shop said this week. --------------------------------------------- https://www.theregister.com/2024/08/07/police_take_just_two_days/ ∗∗∗ Small CSS tweaks can help nasty emails slip through Outlooks anti-phishing net ∗∗∗ --------------------------------------------- A simple HTML change and the warning is gone! Researchers say cybercriminals can have fun bypassing one of Microsofts anti-phishing measures in Outlook with some simple CSS tweaks. --------------------------------------------- https://www.theregister.com/2024/08/07/small_css_tweaks_can_help/ ∗∗∗ BloodHound Operator — Dog Whispering Reloaded ∗∗∗ --------------------------------------------- Back in the BloodHound “Legacy” days, I wrote some PowerShell tooling to make my life easy and automate various tasks around BloodHound. When the new BloodHound came out, most of these tools .. --------------------------------------------- https://posts.specterops.io/bloodhound-operator-dog-whispering-reloaded-156… ∗∗∗ CISA Releases Secure by Demand Guidance ∗∗∗ --------------------------------------------- Today, CISA and the Federal Bureau of Investigation (FBI) have released Secure by Demand Guide: How Software Customers Can Drive a Secure Technology Ecosystem to help organizations drive a secure technology ecosystem by ensuring their software manufacturers prioritize secure technology from the start.An organization’s acquisition staff often has a general .. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/08/06/cisa-releases-secure-dem… ∗∗∗ Achtung: Microsofts UEFI Zertifikat läuft am 19. Okt. 2026 aus – Secure Boot betroffen ∗∗∗ --------------------------------------------- [English]Ich stelle mal ein Thema hier im Blog ein, was noch "ein paar Tage Zeit hat", aber arg unangenehme Folgen haben könnte. Im Herbst 2026 läuft ein Zertifikat in Windows aus, welches im UEFI dafür sorgt, dass der .. --------------------------------------------- https://www.borncity.com/blog/2024/08/07/achtung-microsofts-uefi-zertifikat… ∗∗∗ Looking back at the ballot – securing the general election ∗∗∗ --------------------------------------------- NCSC CEO Felicity Oswald shares reflections on keeping the 2024 General Election safe. --------------------------------------------- https://www.ncsc.gov.uk/blog-post/looking-back-at-the-ballot-securing-the-g… ∗∗∗ The Risks of Parked Domains ∗∗∗ --------------------------------------------- Many organizations view parked domains as dormant, low-risk, and not worth the investment in robust security measures. This is a misconception. Heres why. --------------------------------------------- https://www.bitsight.com/blog/risks-parked-domains ===================== = Vulnerabilities = ===================== ∗∗∗ DSA-5739-1 wpa - security update ∗∗∗ --------------------------------------------- Rory McNamara reported a local privilege escalation in wpasupplicant: A user able to escalate to the netdev group can load arbitrary shared object files in the context of the wpa_supplicant process running as root. --------------------------------------------- https://lists.debian.org/debian-security-announce/2024/msg00151.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.08.2024
by Daily end-of-shift report 06 Aug '24

06 Aug '24

===================== = End-of-Day report = ===================== Timeframe: Montag 05-08-2024 18:00 − Dienstag 06-08-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Mac and Windows users infected by software updates delivered over hacked ISP ∗∗∗ --------------------------------------------- DNS poisoning attack worked even when targets used DNS from Google and Cloudflare. --------------------------------------------- https://arstechnica.com/?p=2041175 ∗∗∗ Microsoft Bounty Program Year in Review: $16.6M in Rewards ∗∗∗ --------------------------------------------- We are excited to announce that this year the Microsoft Bounty Program has awarded $16.6M in bounty awards to 343 security researchers from 55 countries, securing Microsoft customers in partnership with the Microsoft Security Response Center (MSRC). Each year we identify over a thousand potential security issues together, safeguarding our customers from possible threats through the Microsoft Bounty Program. --------------------------------------------- https://msrc.microsoft.com/blog/2024/08/microsoft-bounty-program-year-in-re… ∗∗∗ A Survey of Scans for GeoServer Vulnerabilities ∗∗∗ --------------------------------------------- A little bit over a year ago, I wrote about scans for GeoServer. GeoServer is a platform to process geographic data. It makes it easy to share geospatial data in various common standard formats. Recently, new vulnerabilities were discovered in GeoServer, prompting me to look again at what our honeypots pick up. --------------------------------------------- https://isc.sans.edu/diary/A+Survey+of+Scans+for+GeoServer+Vulnerabilities/… ∗∗∗ MDM vendor Mobile Guardian attacked, leading to remote wiping of 13,000 devices ∗∗∗ --------------------------------------------- Singapore Ministry of Education orders software removed after string of snafus UK-based mobile device management vendor Mobile Guardian has admitted that on August 4 it suffered a security incident that involved unauthorized access to iOS and ChromeOS devices managed by its tools, which are currently unavailable. In Singapore, the incident resulted in .. --------------------------------------------- https://www.theregister.com/2024/08/06/mobile_guardian_mdm_attack/ ∗∗∗ Bad apps bypass Windows security alerts for six years using newly unveiled trick ∗∗∗ --------------------------------------------- Windows SmartScreen and Smart App Control both have weaknesses of which to be wary Elastic Security Labs has lifted the lid on a slew of methods available to attackers who want to run malicious apps without triggering Windows security .. --------------------------------------------- https://www.theregister.com/2024/08/06/bad_apps_bypass_windows_security/ ∗∗∗ Olympia: Cyberkriminelle fordern nach Attacke auf Museen in Frankreich Lösegeld ∗∗∗ --------------------------------------------- Mehr als 40 Institutionen sind betroffen, darunter der Olympia-Austragungsort Grand Palais. Kriminelle haben das System für die Zentralisierung von Finanzdaten angegriffen --------------------------------------------- https://www.derstandard.at/story/3000000231309/olympia-cyber-attacke-auf-mu… ∗∗∗ IoT firmware emulation and device fingerprinting challenges ∗∗∗ --------------------------------------------- Gathering information on a device could be tricky if you don’t have direct access to exposed services like SNMP, HTTP, FTP, or any other ports or protocols which could provide relevant information on the asset like the .. --------------------------------------------- https://medium.com/tenable-techblog/iot-firmware-emulation-and-device-finge… ∗∗∗ Rapid7’s Ransomware Radar Report Shows Threat Actors are Evolving …Fast. ∗∗∗ --------------------------------------------- The Ransomware Radar Report offers some startling insights into who ransomware threat actors are and how they’ve been operating in the first half of 2024. --------------------------------------------- https://www.rapid7.com/blog/post/2024/08/06/rapid7s-ransomware-radar-report… ∗∗∗ LKA Niedersachsen warnt vor Phishing mit QR-Codes per Briefpost ∗∗∗ --------------------------------------------- Per Briefpost suchen Betrüger Opfer, die einen QR-Code scannen und auf den dadurch geöffneten Phishing-Link hereinfallen, warnt das LKA Niedersachsen. --------------------------------------------- https://heise.de/-9825879 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libreoffice), Gentoo (containerd and firefox), Red Hat (httpd), SUSE (ca-certificates-mozilla, ksh, openssl-3-livepatches, podman, python-Twisted, and skopeo), and Ubuntu (imagemagick). --------------------------------------------- https://lwn.net/Articles/984598/ ∗∗∗ DSA-5737-1 libreoffice - security update ∗∗∗ --------------------------------------------- https://lists.debian.org/debian-security-announce/2024/msg00149.html ∗∗∗ DSA-5736-1 openjdk-11 - security update ∗∗∗ --------------------------------------------- https://lists.debian.org/debian-security-announce/2024/msg00148.html ∗∗∗ ZDI-24-1099: Apache OFBiz resolveURI Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-1099/ ∗∗∗ Security Vulnerabilities fixed in Firefox 129 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2024-33/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.08.2024
by Daily end-of-shift report 05 Aug '24

05 Aug '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 02-08-2024 18:00 − Montag 05-08-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ StormBamboo Compromises ISP to Abuse Insecure Software Update Mechanisms ∗∗∗ --------------------------------------------- StormBamboo successfully compromised an internet service provider (ISP) in order to poison DNS responses for target organizations. Insecure software update mechanisms were targeted to surreptitiously install malware on victim machines running macOS and Windows. --------------------------------------------- https://www.volexity.com/blog/2024/08/02/stormbamboo-compromises-isp-to-abu… ∗∗∗ Google Chrome warns uBlock Origin may soon be disabled ∗∗∗ --------------------------------------------- Google Chrome is now encouraging uBlock Origin users who have updated to the latest version to switch to other ad blockers before Manifest v2 extensions are disabled. --------------------------------------------- https://www.bleepingcomputer.com/news/google/google-chrome-warns-ublock-ori… ∗∗∗ Security Tips for Modern Web Administrators ∗∗∗ --------------------------------------------- By understanding and implementing key security practices, you can significantly reduce the risk of attacks and ensure a safe experience for your users. Let’s break down some essential tips and strategies to enhance your website’s security. --------------------------------------------- https://blog.sucuri.net/2024/08/security-tips-for-modern-web-administrators… ∗∗∗ Google gamed into advertising a malicious version of Authenticator ∗∗∗ --------------------------------------------- Scammers have been using Google's own ad system to fool people into downloading a borked copy of the Chocolate Factory's Authenticator software. A team at security shop Malwarebytes spotted the adverts, which appear to come from a Google approved domain – and from a verified user – earlier this week. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2024/08/05/security_in_… ∗∗∗ New SLUBStick Attack Makes Linux Kernel Vulnerabilities More Dangerous ∗∗∗ --------------------------------------------- A team of researchers from the Graz University of Technology in Austria has published a paper on SLUBStick, a new Linux kernel exploitation technique that can make heap vulnerabilities more dangerous. --------------------------------------------- https://www.securityweek.com/new-slubstick-attack-makes-linux-kernel-vulner… ∗∗∗ Homebrew-Audit enthüllt Sicherheitslücken – die meisten hat das Team geschlossen ∗∗∗ --------------------------------------------- Ein umfangreiches Security-Audit hat Schwachstellen im Code und den CI/CD-Prozessen des Paketmanagers Homebrew gefunden. Viele, aber nicht alle, sind gefixt. --------------------------------------------- https://heise.de/-9822824 ===================== = Vulnerabilities = ===================== ∗∗∗ Kritische Sicherheitslücke bedroht Unternehmenssoftware Apache OFBiz ∗∗∗ --------------------------------------------- Angreifer können Systeme mit Apache OFBiz attackieren und eigenen Code ausführen. Eine dagegen abgesicherte Version steht zum Download bereit. [..] Derzeit gibt es kaum Informationen zur Lücke (CVE-2024-38856). Aus einem Seclists-Beitrag geht hervor, dass es zu Fehlern bei der Authentifizierung kommen kann, sodass Angreifer eigenen Code ausführen können. --------------------------------------------- https://heise.de/-9824150 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (openjdk-11), Fedora (bind, bind-dyndb-ldap, chromium, ffmpeg, hostapd, trafficserver, and wpa_supplicant), and Ubuntu (curl and linux-oem-6.5). --------------------------------------------- https://lwn.net/Articles/984552/ ∗∗∗ Pimax Play and PiTool accept WebSocket connections from unintended endpoints ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN50850706/ ∗∗∗ Helmholz: Multiple products are vulnerable to regreSSHion ∗∗∗ --------------------------------------------- https://certvde.com/de/advisories/VDE-2024-044/ ∗∗∗ Red Lion Europe: Multiple products are vulnerable to regreSSHion ∗∗∗ --------------------------------------------- https://certvde.com/de/advisories/VDE-2024-042/ ∗∗∗ RaspAP Security Update Advisory (CVE-2024-41637) ∗∗∗ --------------------------------------------- https://asec.ahnlab.com/en/82193/ ∗∗∗ OpenAM Security Update Advisory (CVE-2024-41667) ∗∗∗ --------------------------------------------- https://asec.ahnlab.com/en/82194/ ∗∗∗ GStreamer Product Security Update Advisory (CVE-2024-40897) ∗∗∗ --------------------------------------------- https://asec.ahnlab.com/en/82196/ ∗∗∗ Roundcube: Security updates 1.6.8 and 1.5.8 released ∗∗∗ --------------------------------------------- https://roundcube.net/news/2024/08/04/security-updates-1.6.8-and-1.5.8 ∗∗∗ F5: K000140505: Apache HTTPD vulnerability CVE-2024-38473 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000140505 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.08.2024
by Daily end-of-shift report 02 Aug '24

02 Aug '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 01-08-2024 18:00 − Freitag 02-08-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Tech support scam ring leader gets 7 years in prison, $6M fine ∗∗∗ --------------------------------------------- The leader of a tech support fraud scheme was sentenced to seven years in prison after tricking at least 6,500 victims and generating more than $6 million. --------------------------------------------- https://www.bleepingcomputer.com/news/legal/tech-support-scam-ring-leader-g… ∗∗∗ A recent spate of Internet disruptions ∗∗∗ --------------------------------------------- Cloudflare Radar is constantly monitoring the Internet for widespread disruptions. Here we examine several recent noteworthy disruptions detected in the first month of Q3, including traffic anomalies observed in Bangladesh, Syria, Pakistan, and Venezuela --------------------------------------------- https://blog.cloudflare.com/a-recent-spate-of-internet-disruptions-july-2024 ∗∗∗ Leaked GitHub Python Token ∗∗∗ --------------------------------------------- Cybersecurity researchers from JFrog recently discovered a GitHub Personal Access Token in a public Docker container hosted on Docker Hub, which granted elevated access to the GitHub repositories of the Python language, Python Package Index (PyPI), and the Python Software Foundation (PSF).JFrog discussed what could .. --------------------------------------------- https://www.schneier.com/blog/archives/2024/08/leaked-github-python-token.h… ∗∗∗ Mirai Botnet targeting OFBiz Servers Vulnerable to Directory Traversal ∗∗∗ --------------------------------------------- Enterprise Resource Planning (ERP) Software is at the heart of many enterprising supporting human resources, accounting, shipping, and manufacturing. These systems can become very complex and difficult to maintain. They are often highly customized, which .. --------------------------------------------- https://thehackernews.com/2024/08/mirai-botnet-targeting-ofbiz-servers.html ∗∗∗ New Windows Backdoor BITSLOTH Exploits BITS for Stealthy Communication ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered a previously undocumented Windows backdoor that leverages a built-in feature called Background Intelligent Transfer Service (BITS) as a command-and-control (C2) mechanism. The newly identified malware .. --------------------------------------------- https://thehackernews.com/2024/08/new-windows-backdoor-bitsloth-exploits.ht… ∗∗∗ This Week in Security: Echospoofing, Ransomware Records, and Github Attestations ∗∗∗ --------------------------------------------- It’s a bit of bitter irony, when a security product gets used maliciously, to pull off the exact attack it was designed to prevent. Enter Proofpoint, and the .. --------------------------------------------- https://hackaday.com/2024/08/02/this-week-in-security-echospoofing-ransomwa… ∗∗∗ Russland bekommt zwei schwerkriminelle Hacker zurück ∗∗∗ --------------------------------------------- Niemand soll je so viele Menschen finanziell geschädigt haben wie Roman Selesnew. Wladislaw Kljuschin hingegen gilt als Putins Trader und Schrecken der Wall Street --------------------------------------------- https://www.derstandard.at/story/3000000230914/russland-bekommt-zwei-schwer… ∗∗∗ China dismisses Germany’s accusations over cyberattack as ‘targeted defamation’ ∗∗∗ --------------------------------------------- Chinese officials on Thursday responded to accusations from Germany that it was behind an attack on the country’s state cartography agency, calling them “unfounded.” --------------------------------------------- https://therecord.media/china-germany-cyberattack-unfounded ∗∗∗ White House officials meet with allies, industry on connected car risks ∗∗∗ --------------------------------------------- Leaders from the White House and State Department met with representatives from several major allied countries, the European Union and industry leaders Wednesday for what has been billed as the “first multinational meeting” to address the national security risks posed by connected cars. --------------------------------------------- https://therecord.media/white-house-officials-meet-with-nations-industry-co… ∗∗∗ From Evidence to Advantage: Leveraging Incident Response Artifacts for Red Team Engagements ∗∗∗ --------------------------------------------- What is this blog post about? This blog post is about why incident responder artifacts not only play a role on the defensive but also offensive side of cyber security. We are gonna look at some of the usually collected evidences and how they can be valuable to us as red team operators. We .. --------------------------------------------- https://blog.nviso.eu/2024/08/02/from-evidence-to-advantage-leveraging-inci… ∗∗∗ CISA Releases Software Acquisition Guide for Government Enterprise Consumers: Software Assurance in the Cyber-Supply Chain Risk Management (C-SCRM) Lifecycle ∗∗∗ --------------------------------------------- Today, the Cybersecurity and Infrastructure Security Agency (CISA) announced the release of its “Software Acquisition Guide for Government Enterprise Consumers: Software Assurance in the Cyber-Supply Chain .. --------------------------------------------- https://www.cisa.gov/news-events/news/cisa-releases-software-acquisition-gu… ∗∗∗ Panamorfi: A New Discord DDoS Campaign ∗∗∗ --------------------------------------------- Aqua Nautilus researchers uncovered a new Distributed Denial of Service (DDoS) campaign dubbed ‘Panamorfi’, utilizing the Java written minecraft DDoS package - mineping - the threat actor launches a DDoS. Thus far weve only seen it deployed via misconfigured Jupyter notebooks. In this blog we explain about this attack, the techniques used by the threat actor and how to protect your environments. --------------------------------------------- https://blog.aquasec.com/panamorfi-a-new-discord-ddos-campaign ∗∗∗ Unbefugte Zugriffe auf IT-Managementlösung Aruba ClearPass möglich ∗∗∗ --------------------------------------------- Die Entwickler von HPE Aruba Networking haben in ClearPass Policy Manager unter anderem eine kritische Sicherheitslücke geschlossen. --------------------------------------------- https://heise.de/-9821717 ∗∗∗ Bericht: Cyberkriminelle nutzen Cloudflare-Tunnel zur Verbreitung von Malware ∗∗∗ --------------------------------------------- Bisher unbekannte Cyberkriminelle nutzen "TryCloudflare" zur unbehelligten Verbreitung von Malware. Das berichten Sicherheitsexperten. --------------------------------------------- https://heise.de/-9821797 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (chromium), SUSE (docker and patch), and Ubuntu (bind9, gross, linux-azure, linux-azure-4.15, linux-lowlatency-hwe-6.5, and tomcat8, tomcat9). --------------------------------------------- https://lwn.net/Articles/984370/ ∗∗∗ ZDI-24-1042: NoMachine Uncontrolled Search Path Element Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-1042/ ∗∗∗ ZDI-24-1041: Google Chrome Updater DosDevices Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-1041/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.08.2024
by Daily end-of-shift report 01 Aug '24

01 Aug '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 31-07-2024 18:00 − Donnerstag 01-08-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Credit card users get mysterious shopify-charge.com charges ∗∗∗ --------------------------------------------- People worldwide report seeing mysterious $1 or $0 charges from Shopify-charge.com appearing on their credit card bills, even when they did not attempt to purchase anything. [..] BleepingComputer attempted to contact Shopify multiple times but did not receive a reply to our emails. [..] Shopify has recently suffered a third-party data breach at one of its vendors, leading many to think these charges may be related. However, the data exposed in that breach did not contain credit card or payment information. --------------------------------------------- https://www.bleepingcomputer.com/news/security/credit-card-users-get-myster… ∗∗∗ Onyx Sleet uses array of malware to gather intelligence [..] ∗∗∗ --------------------------------------------- First observed by Microsoft in 2014, Onyx Sleet has conducted cyber espionage through numerous campaigns aimed at global targets with the goal of intelligence gathering. More recently, it has expanded its goals to include financial gain. This threat actor operates with an extensive set of custom tools and malware, and regularly evolves its toolset to add new functionality and to evade detection, while keeping a fairly uniform attack pattern. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2024/07/25/onyx-sleet-uses-ar… ∗∗∗ CrowdStrike Is Sued By Shareholders Over Huge Software Outage ∗∗∗ --------------------------------------------- Shareholders have sued CrowdStrike on Tuesday, claiming the cybersecurity company defrauded them by concealing how its inadequate software testing could cause the global software outage earlier this month that crashed millions of computers. --------------------------------------------- https://yro.slashdot.org/story/24/07/31/2233234/crowdstrike-is-sued-by-shar… ∗∗∗ Hackers Distributing Malicious Python Packages via Popular Developer Q&A Platform ∗∗∗ --------------------------------------------- In yet another sign that threat actors are always looking out for new ways to trick users into downloading malware, it has come to light that the question-and-answer (Q&A) platform known as Stack Exchange has been abused to direct unsuspecting developers to bogus Python packages capable of draining their cryptocurrency wallets. --------------------------------------------- https://thehackernews.com/2024/08/hackers-distributing-malicious-python.html ∗∗∗ Mozilla follows Google in losing trust in Entrusts TLS certificates ∗∗∗ --------------------------------------------- A little over a month ago, Google was the first to make the bold step of dropping Entrust as a CA, saying it noted a "pattern of concerning behaviors" from the company. Entrust has apologized to Google, Mozilla, and the wider web community, outlining its plans to regain the trust of browsers, but these appear to be unsatisfactory to both Google and Mozilla. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2024/08/01/mozilla_entr… ∗∗∗ Breaking Barriers and Assumptions: Techniques for Privilege Escalation on Windows: Part 3 ∗∗∗ --------------------------------------------- To wrap up this blog series we wanted to include one more technique that you can use when exploiting this class of vulnerabilities. This technique, introduced to us by Abdelhamid Naceri, becomes useful when you have an on-boot arbitrary delete primitive that you want to transform into an on-demand delete, so that you can escalate using the C:\Config.msi technique. --------------------------------------------- https://www.thezdi.com/blog/2024/7/31/breaking-barriers-and-assumptions-tec… ∗∗∗ Detecting evolving threats: NetSupport RAT campaign ∗∗∗ --------------------------------------------- In this first Deep Dive with NTDR, we explore how defenders can leverage Snort for the detection of evasive malware threats. --------------------------------------------- https://blog.talosintelligence.com/detecting-evolving-threats-netsupport-ra… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- ecurity updates have been issued by Debian (chromium), Fedora (kernel, obs-cef, and xen), Mageia (emacs), Oracle (freeradius, freeradius:3.0, and kernel), Red Hat (emacs, httpd, and kpatch-patch-4_18_0-305_120_1), Slackware (curl), SUSE (apache2, cockpit-wicked, glibc, gnutls, gvfs, less, nghttp2, opensc, python-idna, python-requests, qemu, rpm, tpm2-0-tss, tpm2.0-tools, and unbound), and Ubuntu (clickhouse, exim4, libcommons-collections3-java, linux, linux-aws, linux-kvm, linux-lts-xenial, mysql-8.0, openssl, php-cas, prometheus-alertmanager, and snapd). --------------------------------------------- https://lwn.net/Articles/984212/ ∗∗∗ CISA Releases Nine Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- Johnson Controls, AVTECH, Vonets, Rockwell --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/08/01/cisa-releases-nine-indus… ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (July 22, 2024 to July 28, 2024) ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2024/08/wordfence-intelligence-weekly-wordpr… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 31.07.2024
by Daily end-of-shift report 31 Jul '24

31 Jul '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 30-07-2024 18:00 − Mittwoch 31-07-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Black Basta ransomware switches to more evasive custom malware ∗∗∗ --------------------------------------------- The Black Basta ransomware gang has shown resilience and an ability to adapt to a constantly shifting space, using new custom tools and tactics to evade detection and spread throughout a network. --------------------------------------------- https://www.bleepingcomputer.com/news/security/black-basta-ransomware-switc… ∗∗∗ Fraud ring pushes 600+ fake web shops via Facebook ads ∗∗∗ --------------------------------------------- A malicious fraud campaign dubbed "ERIAKOS" promotes more than 600 fake web shops through Facebook advertisements to steal visitors personal and financial information. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fraud-ring-pushes-600-plus-f… ∗∗∗ Kampf gegen Cyberkriminalität: Spamhaus Project wirft Cloudflare Untätigkeit vor ∗∗∗ --------------------------------------------- Laut Spamhaus macht sich Cloudflare "das Leben leicht", indem es Beschwerden über böswillige Aktivitäten weiterreicht, statt selber Maßnahmen einzuleiten. --------------------------------------------- https://www.golem.de/news/kampf-gegen-cyberkriminalitaet-spamhaus-project-w… ∗∗∗ Apple Patches Everything. July 2024 Edition ∗∗∗ --------------------------------------------- Yesterday, Apple released patches across all of its operating systems. A standalone patch for Safari was released to address WebKit problems in older macOS versions. Apple does not provide CVSS scores or severity ratings. The ratings .. --------------------------------------------- https://isc.sans.edu/forums/diary/Apple+Patches+Everything+July+2024+Editio… ∗∗∗ SYS01 Infostealer and Rilide Malware Likely Developed by the Same Threat Actor ∗∗∗ --------------------------------------------- Drawing on extensive proprietary research, Trustwave SpiderLabs believes the threat actors behind the Facebook malvertising infostealer SYS01 are the same group that developed the previously reported Rilide malware. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/sys01-infos… ∗∗∗ Five months after takedown, LockBit is a shadow of its former self ∗∗∗ --------------------------------------------- An unprecedented period for an unparalleled force in cybercrime Feature For roughly two years, LockBits ransomware operation was by far the most prolific of its kind, until the fateful events of February. After claiming thousands of victims, extorting hundreds of millions of dollars, and building a robust army of sophisticated cybercriminals, the lifes .. --------------------------------------------- https://www.theregister.com/2024/07/31/five_months_after_lockbit/ ∗∗∗ ThreatLabz Ransomware Report: Unveiling a $75M Ransom Payout Amid Rising Attacks ∗∗∗ --------------------------------------------- Ransomware has been a daunting threat to organizations worldwide for decades. Recent trends show that ransomware attacks continue to grow more advanced and persistent. It’s become increasingly clear that no one is spared as cybercriminals carry out attacks that even target the children of corporate executives to force ransom payments. Despite the .. --------------------------------------------- https://www.zscaler.com/blogs/security-research/threatlabz-ransomware-repor… ∗∗∗ Don’t Let Your Domain Name Become a “Sitting Duck” ∗∗∗ --------------------------------------------- More than a million domain names -- including many registered by Fortune 100 firms and brand protection companies -- are vulnerable to takeover by cybercriminals thanks to authentication weaknesses at a number of large web hosting providers and domain registrars, new research finds. --------------------------------------------- https://krebsonsecurity.com/2024/07/dont-let-your-domain-name-become-a-sitt… ∗∗∗ Deutschland bestellt chinesischen Botschafter wegen Cyberangriff ein ∗∗∗ --------------------------------------------- Die Attacke ereignete sich im Jahr 2021 und kann laut Nachrichtendiensten chinesischen staatlichen Akteuren zugeordnet werden --------------------------------------------- https://www.derstandard.at/story/3000000230669/deutschland-bestellt-chinesi… ∗∗∗ DigiCert Certificate Revocations ∗∗∗ --------------------------------------------- DigiCert, a certificate authority (CA) organization, is revoking a subset of transport layer security (TLS) certificates due to a non-compliance issue with domain control verification (DCV). Revocation of these certificates may cause temporary disruptions to websites, services, and applications relying on these certificates for secure .. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/07/30/digicert-certificate-rev… ∗∗∗ Cyber-Angriff und Bug Ursache des Microsoft Cloud-Ausfalls vom 30.7.2024 ∗∗∗ --------------------------------------------- Am 30. Juli 2024 kam es weltweit zu einem partiellen Ausfall der Microsoft Cloud-Dienste (Azure, Microsoft 365 etc.). Ich hatte berichtet – aber nicht alle Nutzer waren betroffen. Nun hat Microsoft einen Post Incident-Report vorgelegt .. --------------------------------------------- https://www.borncity.com/blog/2024/07/31/cyber-angriff-und-bug-ursache-des-… ∗∗∗ Moderne Sklaverei: Mann monatelang festgehalten und zu Online-Betrug gezwungen ∗∗∗ --------------------------------------------- Ein IT-Spezialist wurde monatelang unter Folter dazu gezwungen, sich als eine reiche Frau aus Singapur auszugeben. Das berichtet das Wall Street Journal. --------------------------------------------- https://heise.de/-9818990 ∗∗∗ Statt "schalke04" und "1234": Passkeys werden immer beliebter ∗∗∗ --------------------------------------------- Die passwortlose Authentifizierung etabliert sich, wie aktuelle Zahlen nahelegen. Insbesondere Kunden bei Amazon, eBay und Co. setzen Passkeys inzwischen ein. --------------------------------------------- https://heise.de/-9819866 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (xdg-desktop-portal-hyprland), Red Hat (freeradius, freeradius:3.0, git-lfs, httpd, kernel, openssh, and varnish:6), SUSE (cdi-apiserver-container, cdi-cloner-container, cdi- controller-container, cdi-importer-container, cdi-operator-container, cdi- uploadproxy-container, cdi-uploadserver-container, cont, .. --------------------------------------------- https://lwn.net/Articles/984080/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.07.2024
by Daily end-of-shift report 30 Jul '24

30 Jul '24

===================== = End-of-Day report = ===================== Timeframe: Montag 29-07-2024 18:00 − Dienstag 30-07-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ New Specula tool uses Outlook for remote code execution in Windows ∗∗∗ --------------------------------------------- Microsoft Outlook can be turned into a C2 beacon to remotely execute code, as demonstrated by a new red team post-exploitation framework named "Specula," released today by cybersecurity firm TrustedSec. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-specula-tool-uses-outloo… ∗∗∗ DigiCert mass-revoking TLS certificates due to domain validation bug ∗∗∗ --------------------------------------------- DigiCert is warning that it will be mass-revoking SSL/TLS certificates due to a bug in how the company verified if a customer owned or operated a domain and requires impacted customers to reissue certificates within 24 hours. --------------------------------------------- https://www.bleepingcomputer.com/news/security/digicert-mass-revoking-tls-c… ∗∗∗ Post-CrowdStrike, Microsoft to discourage use of kernel drivers by security tools ∗∗∗ --------------------------------------------- Microsoft has vowed to reduce cybersecurity vendors' reliance on kernel-mode code, which was at the heart of the CrowdStrike super-snafu this month. --------------------------------------------- https://www.theregister.com/2024/07/29/microsoft_crowdstrike_kernel_mode/ ∗∗∗ Vorsicht vor plötzlichen Erbschaften ∗∗∗ --------------------------------------------- Eine unbekannte Person kontaktiert Sie per E-Mail oder über Soziale Netzwerke. Sie stellt sich beispielsweise als „Gouverneur der Bank von Thailand“ vor und behauptet, dass Sie eine große Summe Geld erben werden. Um glaubwürdig zu wirken, schickt die Person als Beweis Ausweiskopien, Zertifikate und KI-generierte Videobotschaften. Ignorieren Sie solche Nachrichten, es handelt sich um Betrug! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-ploetzlichen-erbschafte… ∗∗∗ Deep Sea Phishing Pt. 2 ∗∗∗ --------------------------------------------- I wanted to write this blog about several good techniques for endpoint detection and response (EDR) evasion; however, as I was writing about how to evade EDRs, I was hit with an epiphany: “EDR evasion is all about looking like legitimate software” — ph3eds, 2024 --------------------------------------------- https://posts.specterops.io/deep-sea-phishing-pt-2-29c48f1e214e?source=rss-… ∗∗∗ Breaking Barriers and Assumptions: Techniques for Privilege Escalation on Windows: Part 1 ∗∗∗ --------------------------------------------- In this blog series, we will discuss two additional techniques that take advantage of legacy functionality within Windows and provide various examples through the over 20 vulnerabilities that we found. We will also address some failures despite efforts and explanations from our side with various vendors. --------------------------------------------- https://www.thezdi.com/blog/2024/7/29/breaking-barriers-and-assumptions-tec… ∗∗∗ Hacker Scrapes and Publishes 100,000-Line CrowdStrike IoC List ∗∗∗ --------------------------------------------- USDoD hacker scrapes and leaks a 100,000-line Indicator of Compromise (IoC) list from CrowdStrike, revealing detailed threat intelligence data. The leak, posted on Breach Forums, includes critical insights into the Mispadu malware and SAMBASPIDER threat actor. --------------------------------------------- https://hackread.com/hacker-scrapes-publishes-crowdstrike-ioc-list/ ∗∗∗ Dont RegreSSH An Anti-Pavlovian Approach to Celebrity Vulns ∗∗∗ --------------------------------------------- Before Crowdstrike caused the world to melt down for a few days, the talk of the security town was a recent OpenSSH vulnerability. Lets revisit CVE-2024-6387. --------------------------------------------- https://www.bitsight.com/blog/dont-regressh-anti-pavlovian-approach-celebri… ===================== = Vulnerabilities = ===================== ∗∗∗ Kritische Sicherheitslücke in VMware ESXi - aktiv ausgenutzt - Update verfügbar ∗∗∗ --------------------------------------------- Sicherheitsforscher:innen von Microsoft haben eine kritische Sicherheitslücke in VMware ESXi entdeckt, deren Ausnutzung es Angreifer:innen ermöglicht die vollständige Kontrolle über einen von der Schwachstelle betroffenen Hypervisor zu übernehmen. Die Lücke wird bereits aktiv für Ransomware-Angriffe missbraucht. CVE-Nummer(n): CVE-2024-37085 --------------------------------------------- https://www.cert.at/de/warnungen/2024/7/kritische-sicherheitslucke-in-vmwar… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (curl), Mageia (virtualbox), Oracle (squid), Red Hat (kernel), SUSE (apache2, bind, cdi-apiserver-container, cdi-cloner-container, cdi- controller-container, cdi-importer-container, cdi-operator-container, cdi- uploadproxy-container, cdi-uploadserver-container, devscripts, espeak-ng, freerdp, ghostscript, gnome-shell, gtk2, gtk3, java-11-openjdk, java-17-openjdk, kubevirt, libgit2, openssl-3, orc, p7zip, python-dnspython, and shadow), and Ubuntu (kernel, linux, linux-aws, linux-aws-hwe, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux, linux-aws, linux-gcp, linux-gke, linux-ibm, linux-nvidia, linux-oem-6.8, linux-raspi, linux, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-raspi, linux-xilinx-zynqmp, linux-aws, linux-aws-5.4, linux-aws-5.15, linux-ibm, linux-ibm-5.15, linux-raspi, linux-gcp-5.15, and linux-lowlatency). --------------------------------------------- https://lwn.net/Articles/983935/ ∗∗∗ WordPress Vulnerability & Patch Roundup July 2024 ∗∗∗ --------------------------------------------- https://blog.sucuri.net/2024/07/wordpress-vulnerability-patch-roundup-july-… ∗∗∗ ManageEngine (Exchange Reporter Plus, Exchange Reporter Plus) Family July 2024 Security Update Advisory ∗∗∗ --------------------------------------------- https://asec.ahnlab.com/en/80826/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.07.2024
by Daily end-of-shift report 29 Jul '24

29 Jul '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 26-07-2024 18:00 − Montag 29-07-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Mehr als 3.000 Hotels betroffen: API-Lücke lässt Angreifer Hoteltüren öffnen ∗∗∗ --------------------------------------------- In vielen Hotels können Gäste heute per Smartphone einchecken und die Türen der gebuchten Zimmer öffnen. Eine API-Schwachstelle zeigt, wie schnell das zum Problem werden kann. --------------------------------------------- https://www.golem.de/news/mehr-als-3-000-hotels-betroffen-api-luecke-laesst… ∗∗∗ Sicherheitslücke: Whatsapp für Windows führt Skripte ohne Warnung aus ∗∗∗ --------------------------------------------- In der Regel blockiert Whatsapp das Öffnen ausführbarer Dateien direkt aus dem Chat heraus. Bei Python- und PHP-Skripten ist das offenkundig nicht der Fall. [..] Ein Patch ist vorerst nicht zu erwarten, so dass Nutzer achtsam bleiben sollten. --------------------------------------------- https://www.golem.de/news/sicherheitsluecke-whatsapp-fuer-windows-fuehrt-sk… ∗∗∗ Mandrake spyware sneaks onto Google Play again, flying under the radar for two years ∗∗∗ --------------------------------------------- Mandrake spyware threat actors resume attacks with new functionality targeting Android devices while being publicly available on Google Play. --------------------------------------------- https://securelist.com/mandrake-apps-return-to-google-play/113147/ ∗∗∗ Create Your Own BSOD: NotMyFault, (Sat, Jul 27th) ∗∗∗ --------------------------------------------- With all the Blue Screen Of Death screenshots we saw lately, I got the idea to write about Sysinternals' tool NotMyFault. --------------------------------------------- https://isc.sans.edu/diary/rss/31120 ∗∗∗ CrowdStrike Outage Themed Maldoc, (Mon, Jul 29th) ∗∗∗ --------------------------------------------- I found a malicious Word document with VBA code using the CrowdStrike outage for social engineering purposes. It's an .ASD file (AutoRecover file). --------------------------------------------- https://isc.sans.edu/diary/rss/31116 ∗∗∗ Proofpoint Email Routing Flaw Exploited to Send Millions of Spoofed Phishing Emails ∗∗∗ --------------------------------------------- An unknown threat actor has been linked to a massive scam campaign that exploited an email routing misconfiguration in email security vendor Proofpoints defenses to send millions of messages spoofing various legitimate companies. --------------------------------------------- https://thehackernews.com/2024/07/proofpoint-email-routing-flaw-exploited.h… ∗∗∗ Millions of Websites Susceptible XSS Attack via OAuth Implementation Flaw ∗∗∗ --------------------------------------------- Researchers discovered and published details of an XSS attack that could potentially impact millions of websites around the world. --------------------------------------------- https://www.securityweek.com/millions-of-websites-susceptible-xss-attack-vi… ∗∗∗ CISA Adds Three Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CVE-2024-4879 ServiceNow Improper Input Validation Vulnerability, CVE-2024-5217 ServiceNow Incomplete List of Disallowed Inputs Vulnerability, CVE-2023-45249 Acronis Cyber Infrastructure (ACI) Insecure Default Password Vulnerability --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/07/29/cisa-adds-three-known-ex… ∗∗∗ Angreifer nutzen Schadcode-Lücke in Acronis Cyber Infrastructure aus ∗∗∗ --------------------------------------------- In mehreren aktualisierten Versionen von Acronis Cyber Infrastructure haben die Entwickler eine kritische Lücke geschlossen. --------------------------------------------- https://heise.de/-9816667 ===================== = Vulnerabilities = ===================== ∗∗∗ Wiedergabe reicht aus: MacOS-Lücke ermöglicht Schadcode-Attacke per Video ∗∗∗ --------------------------------------------- Das Abspielen eines Videos im Browser oder einer anderen Anwendung reicht aus, um sich unter MacOS eine Malware einzufangen. Ursache ist eine Lücke in einem Videodecoder. --------------------------------------------- https://www.golem.de/news/wiedergabe-reicht-aus-macos-luecke-ermoeglicht-sc… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (java-11-openjdk), Debian (bind9), Fedora (darkhttpd, mod_http2, and python-scrapy), Red Hat (python3.11, rhc-worker-script, and thunderbird), SUSE (assimp, gh, opera, python-Django, and python-nltk), and Ubuntu (edk2, linux, linux-aws, linux-gcp, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-nvidia-6.5, linux-oracle, linux-raspi, and lua5.4). --------------------------------------------- https://lwn.net/Articles/983816/ ∗∗∗ Sicherheitsupdate schützt SolarWinds Platform vor möglichen Attacken ∗∗∗ --------------------------------------------- Angreifer können die IT-Verwaltungssoftware SolarWinds Platform attackieren. Die Entwickler haben mehrere Schwachstellen geschlossen. [..] Aus den Details zur Version 2024.2.1 geht hervor, dass eine Lücke (CVE-2022-37601) in webpack.js als "kritisch" gilt. Hier können Angreifer auf einem nicht näher beschriebenen Weg eigenen Code ausführen. --------------------------------------------- https://heise.de/-9816342 ∗∗∗ ABB: 2024-07-26: Cyber Security Advisory - CODESYS OPC DA Server 3.5 Insecure storage of passwords ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=3ADR011267&Language… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.07.2024
by Daily end-of-shift report 26 Jul '24

26 Jul '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 25-07-2024 18:00 − Freitag 26-07-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ Mit Test-Key für Secure Boot: PC-Hersteller liefern unsichere UEFI-Firmware aus ∗∗∗ --------------------------------------------- Betroffen sind angeblich fast 900 verschiedene Systeme namhafter Hersteller wie Lenovo, Dell und HP. Anfällige Firmwares reichen zurück bis ins Jahr 2012. --------------------------------------------- https://www.golem.de/news/mit-test-key-fuer-secure-boot-pc-hersteller-liefe… ∗∗∗ Forscher warnen: Daten aus gelöschten und privaten Github-Repos frei abrufbar ∗∗∗ --------------------------------------------- Github-Repositories enthalten nicht selten sensible Daten. Ein Repo zu löschen oder auf privat zu stellen, schützt aber nicht immer vor einem Fremdzugriff. --------------------------------------------- https://www.golem.de/news/forscher-warnen-daten-aus-geloeschten-und-private… ∗∗∗ ExelaStealer Delivered "From Russia With Love" ∗∗∗ --------------------------------------------- Some simple PowerShell scripts might deliver nasty content if executed by the target. I found a very simple .. --------------------------------------------- https://isc.sans.edu/diary/ExelaStealer+Delivered+From+Russia+With+Love/311… ∗∗∗ Ongoing Cyberattack Targets Exposed Selenium Grid Services for Crypto Mining ∗∗∗ --------------------------------------------- Cybersecurity researchers are sounding the alarm over an ongoing campaign that is leveraging internet-exposed Selenium Grid services for illicit cryptocurrency mining.Cloud security Wiz is tracking the activity under the name .. --------------------------------------------- https://thehackernews.com/2024/07/ongoing-cyberattack-targets-exposed.html ∗∗∗ Zahlreiche Fake-Shops geben sich als Lidl aus ∗∗∗ --------------------------------------------- Kriminelle registrieren aktuell zahlreiche Fake-Shops, die den Namen und das Logo des Supermarkt-Discounters Lidl missbrauchen. Mit zeitlich begrenzten Angeboten werden die Opfer unter Druck gesetzt. Doch wer hier bestellt, verliert sein Geld und erhält keine Ware. --------------------------------------------- https://www.watchlist-internet.at/news/zahlreiche-fake-shops-geben-sich-als… ∗∗∗ Scam Attacks Taking Advantage of the Popularity of the Generative AI Wave ∗∗∗ --------------------------------------------- A direct correlation between GenAI’s explosive popularity and scam attacks is addressed in this article, using plentiful data and a case study of network abuse. --------------------------------------------- https://unit42.paloaltonetworks.com/cybersquatting-using-genai-keywords/ ∗∗∗ France launches large-scale operation to fight cyber spying ahead of Olympics ∗∗∗ --------------------------------------------- French authorities launched a major operation to clean the country’s computer systems of malware believed to have affected several thousand users, “particularly for espionage purposes,” Paris’s top prosecutor announced shortly before the start of the Olympics. --------------------------------------------- https://therecord.media/france-combat-cyber-spying-operation-olympics ∗∗∗ LummaC2 Malware Abusing the Game Platform ‘Steam’ ∗∗∗ --------------------------------------------- LummaC2 is an Infostealer that is being actively distributed, disguised as illegal programs (e.g. cracks, keygens, and game hacking programs) available from distribution websites, YouTube, and LinkedIn using the SEO poisoning technique. Recently, it has also been distributed via search engine ads, posing as web pages of Notion, Slack, .. --------------------------------------------- https://asec.ahnlab.com/en/68309/ ∗∗∗ Weiterer EU-Abgeordneter im Fokus Cyberkrimineller ∗∗∗ --------------------------------------------- Der deutsche EU-Parlamentarier Daniel Freund (Grüne) war zwei Wochen vor der Europawahl Ziel einer versuchten Ausspähung mit dem Staatstrojaner Candiru. --------------------------------------------- https://heise.de/-9813814 ∗∗∗ Jetzt patchen!: Angreifer attackieren Now Platform von ServiceNow ∗∗∗ --------------------------------------------- Die Cloud Computing Plattform von ServiceNow ist derzeit im Visier von Angreifern und sie nutzen kritische Sicherheitslücken aus. --------------------------------------------- https://heise.de/-9814238 ===================== = Vulnerabilities = ===================== ∗∗∗ ORC vulnerable to stack-based buffer overflow ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN02030803/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- https://lwn.net/Articles/983523/ ∗∗∗ CVE-2024-6922: Automation Anywhere Automation 360 Server-Side Request Forgery ∗∗∗ --------------------------------------------- https://www.rapid7.com/blog/post/2024/07/26/cve-2024-6922-automation-anywhe… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.07.2024
by Daily end-of-shift report 25 Jul '24

25 Jul '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 24-07-2024 18:00 − Donnerstag 25-07-2024 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ KnowBe4 mistakenly hires North Korean hacker, faces infostealer attack ∗∗∗ --------------------------------------------- American cybersecurity company KnowBe4 says a person it recently hired as a Principal Software Engineer turned out to be a North Korean state actor who attempted to install information-stealing on its devices. --------------------------------------------- https://www.bleepingcomputer.com/news/security/knowbe4-mistakenly-hires-nor… ∗∗∗ French police push PlugX malware self-destruct payload to clean PCs ∗∗∗ --------------------------------------------- The French police and Europol are pushing out a "disinfection solution" that automatically removes the PlugX malware from infected devices in France. --------------------------------------------- https://www.bleepingcomputer.com/news/security/french-police-push-plugx-mal… ∗∗∗ How a cheap barcode scanner helped fix CrowdStriked Windows PCs in a flash ∗∗∗ --------------------------------------------- Not long after Windows PCs and servers at the Australian limb of audit and tax advisory Grant Thornton started BSODing last Friday, senior systems engineer Rob Woltz remembered a small but important fact: When PCs boot, they consider barcode scanners no differently to keyboards. --------------------------------------------- https://www.theregister.com/2024/07/25/crowdstrike_remediation_with_barcode… ∗∗∗ XWorm Hidden With Process Hollowing ∗∗∗ --------------------------------------------- XWorm is not a brand-new malware family. Its a common RAT (Remote Access Tool) re-use regularly in new campaigns. Yesterday, I found a sample that behaves like a dropper and runs the malware using the Process Hollowing technique. --------------------------------------------- https://isc.sans.edu/diary/rss/31112 ∗∗∗ Kriminelle werben mit Fake-Profilen von Finanzexperten für betrügerische Investmentplattformen ∗∗∗ --------------------------------------------- Der österreichische Finanzjournalist und Unternehmer Niko Jilch betreibt verschiedene Informationskanäle zu Finanzen, Geldanlage und Bitcoin. Seine Reichweite und Bekanntheit nutzen mittlerweile aber auch Kriminelle, um Privatanleger:innen auf betrügerische Investmentplattformen zu locken. --------------------------------------------- https://www.watchlist-internet.at/news/kriminelle-werben-mit-fake-profilen-… ===================== = Vulnerabilities = ===================== ∗∗∗ Progress warns of critical RCE bug in Telerik Report Server ∗∗∗ --------------------------------------------- Progress Software has warned customers to patch a critical remote code execution security flaw in the Telerik Report Server that can be used to compromise vulnerable devices. --------------------------------------------- https://www.bleepingcomputer.com/news/security/progress-warns-of-critical-r… ∗∗∗ Container angreifbar: Docker muss kritische Schwachstelle von 2019 erneut patchen ∗∗∗ --------------------------------------------- Docker hatte die Lücke längst geschlossen. Nur Monate später flog der Patch aber wieder raus. Die Docker Engine ist damit fünf Jahre lang angreifbar gewesen. --------------------------------------------- https://www.golem.de/news/container-angreifbar-docker-muss-kritische-schwac… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (containernetworking-plugins, cups, edk2, httpd, httpd:2.4, libreoffice, libuv, libvirt, python3, and runc), Fedora (exim, python-zipp, xdg-desktop-portal-hyprland, and xmedcon), Red Hat (cups, fence-agents, freeradius, freeradius:3.0, httpd:2.4, kernel, kernel-rt, nodejs:18, podman, and resource-agents), Slackware (htdig and libxml2), SUSE (exim), and Ubuntu (ocsinventory-server, php-cas, and poppler). --------------------------------------------- https://lwn.net/Articles/983328/ ∗∗∗ Nvidia Patches High-Severity Vulnerabilities in AI, Networking Products ∗∗∗ --------------------------------------------- Nvidia has patched high-severity vulnerabilities in its Jetson, Mellanox OS, OnyX, Skyway, and MetroX products. --------------------------------------------- https://www.securityweek.com/nvidia-patches-high-severity-vulnerabilities-i… ∗∗∗ Sicherheitsupdates: Aruba EdgeConnect SD-WAN vielfältig attackierbar ∗∗∗ --------------------------------------------- Die Entwickler von HPE haben in Arubas SD-WAN-Lösung EdgeConnect mehrere gefährliche Sicherheitslücken geschlossen. --------------------------------------------- https://heise.de/-9813256 ∗∗∗ Positron Broadcast Signal Processor ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-207-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily