Daily

daily@lists.cert.at

1 participants
3153 discussions

Tageszusammenfassung - 26.02.2025
by Daily end-of-shift report 26 Feb '25

26 Feb '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 25-02-2025 18:00 − Mittwoch 26-02-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ Datenleck-Such-Website Have I Been Pwned um 284 Millionen Accounts aufgestockt ∗∗∗ --------------------------------------------- Im Telegram-Kanal ALIEN TXTBASE wurden von Infostealer-Malware erbeute Mailadressen und Passwörter geteilt. Diese Daten sind nun in HIBP integriert. --------------------------------------------- https://www.heise.de/news/Datenleck-Such-Website-Have-I-Been-Pwned-um-284-M… ∗∗∗ Russian officials warn of potential compromise of major tech services provider ∗∗∗ --------------------------------------------- In an unusual public disclosure, the Russian government said that subsidiaries of LANIT, a major tech services provider, had potentially been breached. --------------------------------------------- https://therecord.media/lanit-russia-government-contractor-potential-compro… ∗∗∗ EncryptHub breaches 618 orgs to deploy infostealers, ransomware ∗∗∗ --------------------------------------------- A threat actor tracked as EncryptHub, aka Larva-208, has been targeting organizations worldwide with spear-phishing and social engineering attacks to gain access to corporate networks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/encrypthub-breaches-618-orgs… ∗∗∗ Cyberattacken: Lücken in Zimbra und Microsoft Partner Center werden angegriffen ∗∗∗ --------------------------------------------- Ältere Sicherheitslücken in Zimbra und Microsoft Partner Center werden aktuell angegriffen, warnt die US-IT-Sicherheitsbehörde CISA. --------------------------------------------- https://heise.de/-10296961 ∗∗∗ Wenn Fußballliebe teuer wird: Fake-Shops im Namen von Manchester United, Real Madrid oder FC Barcelona ∗∗∗ --------------------------------------------- Betrüger:innen imitieren immer wieder die Onlinestores der Top-Clubs und locken mit niedrigsten Preisen. Die Fans freuen sich über ein vermeintliches Super-Sonderangebot. Die Ware erhalten Sie aber nie, das Geld ist weg. --------------------------------------------- https://www.watchlist-internet.at/news/fussball-fake-shops/ ∗∗∗ Android happy to check your nudes before you forward them ∗∗∗ --------------------------------------------- The Android app SafetyCore was silently installed and looks at incoming and outgoing pictures to check their decency. [..] The good people at ZDNet provided instructions on how to get rid of SafetyCore or disable it if you would like to do so. --------------------------------------------- https://www.malwarebytes.com/blog/news/2025/02/android-happy-to-check-your-… ∗∗∗ Exploits and vulnerabilities in Q4 2024 ∗∗∗ --------------------------------------------- This report provides statistics on vulnerabilities and exploits and discusses the most frequently exploited vulnerabilities in Q4 2024. --------------------------------------------- https://securelist.com/vulnerabilities-and-exploits-in-q4-2024/115761/ ∗∗∗ The Best Security Is When We All Agree To Keep Everything Secret (Except The Secrets) - NAKIVO Backup & Replication (CVE-2024-48248) ∗∗∗ --------------------------------------------- Today, we’re here to talk about an unauthenticated Arbitrary File Read vulnerability we discovered in NAKIVO's Backup and Replication solution - specifically in version 10.11.3.86570 [..] 18th October 2024 watchTowr is assigned CVE-2024-48248 for this vulnerability [..] 4th November 2024: NAKIVO silently patches the vulnerability (v11.0.0.88174) --------------------------------------------- https://labs.watchtowr.com/the-best-security-is-when-we-all-agree-to-keep-e… ∗∗∗ A dive into the Rockchip Bootloader ∗∗∗ --------------------------------------------- Rockchip has a structured sequence of bootloaders. Using various plugs can allow access to the MCU’s RAM and storage. There are many utilities to allow reading of information from the MCU. Use this guide to access and reverse engineer bootloaders. --------------------------------------------- https://www.pentestpartners.com/security-blog/a-dive-into-the-rockchip-boot… ∗∗∗ Technical Advisory: Multiple Vulnerabilities in TCPDF ∗∗∗ --------------------------------------------- NCC Group has identified multiple vulnerabilities in TCPDF, which is a popular library used for PDF generation. [..] 12/23/24 - Vendor releases version 6.8.0 to address issues. --------------------------------------------- https://www.nccgroup.com/us/research-blog/technical-advisory-multiple-vulne… ∗∗∗ Pwn everything Bounce everywhere all at once (part 1) ∗∗∗ --------------------------------------------- The following article describes how, during an "assumed breach" security audit, we compromised multiple web applications on our client's network in order to carry out a watering hole attack by installing fake Single Sign-On pages on the compromised servers. --------------------------------------------- http://blog.quarkslab.com/pwn-everything-bounce-everywhere-all-at-once-part… ∗∗∗ Pwn everything Bounce everywhere all at once (part 2) ∗∗∗ --------------------------------------------- In our second episode we take a look at SOPlanning, a project management application that we encountered during the audit. --------------------------------------------- http://blog.quarkslab.com/pwn-everything-bounce-everywhere-all-at-once-part… ===================== = Vulnerabilities = ===================== ∗∗∗ Synology-SA-25:03 DSM ∗∗∗ --------------------------------------------- A vulnerability allows attackers to read any file via writable Network File System (NFS) service. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_25_03 ∗∗∗ Cisco Application Policy Infrastructure Controller Vulnerabilities ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Nexus 3000 and 9000 Series Switches Command Injection Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Nexus 3000 and 9000 Series Switches Health Monitoring Diagnostics Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.02.2025
by Daily end-of-shift report 25 Feb '25

25 Feb '25

===================== = End-of-Day report = ===================== Timeframe: Montag 24-02-2025 18:00 − Dienstag 25-02-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Parallels Desktop: Zero-Day-Exploit verleiht Angreifern Root-Zugriff auf MacOS ∗∗∗ --------------------------------------------- Eigentlich gibt es für die Sicherheitslücke längst einen Patch. Effektiv ist dieser aber wohl nicht. Ein Forscher zeigt, wie er sich umgehen lässt. --------------------------------------------- https://www.golem.de/news/patch-laesst-sich-umgehen-root-luecke-in-parallel… ∗∗∗ Google binning SMS MFA at last and replacing it with QR codes ∗∗∗ --------------------------------------------- Everyone knew texted OTPs were a dud back in 2016 Google has confirmed it will phase out the use of SMS text messages for multi-factor authentication in favor of more secure technologies. --------------------------------------------- https://www.theregister.com/2025/02/25/google_sms_qr/ ∗∗∗ How nice that state-of-the-art LLMs reveal their reasoning ... for miscreants to exploit ∗∗∗ --------------------------------------------- Blueprints shared for jail-breaking models that expose their chain-of-thought process Analysis AI models like OpenAI o1/o3, DeepSeek-R1, and Gemini 2.0 Flash Thinking can mimic human reasoning through a process called chain of thought. --------------------------------------------- https://www.theregister.com/2025/02/25/chain_of_thought_jailbreaking/ ∗∗∗ Malware variants that target operational tech systems are very rare – but 2 were found last year ∗∗∗ --------------------------------------------- Fuxnet and FrostyGoop were both used in the Russia-Ukraine war Two new malware variants specifically designed to disrupt critical industrial processes were set loose on operational technology networks last year, shutting off heat to more than 600 apartment buildings in one instance and jamming communications to gas, water, and sewage network sensors in the other. --------------------------------------------- https://www.theregister.com/2025/02/25/new_ics_malware_dragos/ ∗∗∗ This Russian Tech Bro Helped Steal $93 Million and Landed in US Prison. Then Putin Called ∗∗∗ --------------------------------------------- In the epic US-Russian prisoner swap last summer, Vladimir Putin brought home an assassin, spies, and another prized ally: the man behind one of the biggest insider trading cases of all time. --------------------------------------------- https://www.wired.com/story/russian-prisoner-swap-vladislav-klyushin-evan-g… ∗∗∗ ‘OpenAI’ Job Scam Targeted International Workers Through Telegram ∗∗∗ --------------------------------------------- An alleged job scam, led by “Aiden” from “OpenAI,” recruited workers in Bangladesh for months before disappearing overnight, according to FTC complaints obtained by WIRED. --------------------------------------------- https://www.wired.com/story/openai-job-scam/ ∗∗∗ DeepSeek Lure Using CAPTCHAs To Spread Malware ∗∗∗ --------------------------------------------- The rapid rise of generative AI tools has created opportunities and challenges for cybercriminals. In an instant, industries are being reshaped while new attack surfaces are being exposed. DeepSeek AI chatbot that launched on January 20, 2025, quickly gained international attention, making it a prime target for abuse. Leveraging a tactic known as brand .. --------------------------------------------- https://www.zscaler.com/blogs/security-research/deepseek-lure-using-captcha… ∗∗∗ Password-Spraying-Angriff auf M365-Konten von Botnet mit über 130.000 Drohnen ∗∗∗ --------------------------------------------- IT-Forscher haben ein Botnet aus mehr als 130.000 Drohnen bei Password-Spraying-Angriffen gegen Microsoft-365-Konten beobachtet. --------------------------------------------- https://www.heise.de/news/Password-Spraying-Angriff-auf-M365-Konten-von-Bot… ∗∗∗ Background check provider data breach affects 3 million people who may not have heard of the company ∗∗∗ --------------------------------------------- Background check provider DISA has disclosed a major data breach which may have affected over 3 million people. --------------------------------------------- https://www.malwarebytes.com/blog/news/2025/02/background-check-provider-da… ∗∗∗ 100,000 WordPress Sites Affected by Arbitrary File Upload, Read and Deletion Vulnerability in Everest Forms WordPress Plugin ∗∗∗ --------------------------------------------- 100,000 WordPress Sites Affected by Arbitrary File Upload, Read and Deletion Vulnerability in Everest Forms WordPress Plugin. --------------------------------------------- https://www.wordfence.com/blog/2025/02/100000-wordpress-sites-affected-by-a… ∗∗∗ Vorsicht, Phishing: „Ihre Registrierung für die Finanz Online-ID läuft ab“ ∗∗∗ --------------------------------------------- Aktuell werden immer wieder E-Mails und SMS-Nachrichten mit der Warnung vor einer angeblich ablaufenden Nutzer-ID für FinanzOnline versendet. Wer auf den mitgesendeten Link klickt und den Anweisungen folgt, gibt allerdings wichtige persönliche Daten an Betrüger:innen weiter. --------------------------------------------- https://www.watchlist-internet.at/news/phishing-finanz-online-id/ ∗∗∗ Mixing up Public and Private Keys in OpenID Connect deployments ∗∗∗ --------------------------------------------- I am developing a tool to check cryptographic public keys for known vulnerabilities called badkeys. During the Q&A session of a presentation about badkeys at the German OWASP Day, I was asked whether I had ever used badkeys to check cryptographic keys in OpenID Connect setups. I had not until then. OpenID Connect is a single sign-on protocol that allows .. --------------------------------------------- https://blog.hboeck.de:443/archives/909-Mixing-up-Public-and-Private-Keys-i… ∗∗∗ Auto-Color: An Emerging and Evasive Linux Backdoor ∗∗∗ --------------------------------------------- The new Linux malware named Auto-color uses advanced evasion tactics. Discovered by Unit 42, this article cover its installation, evasion features and more. --------------------------------------------- https://unit42.paloaltonetworks.com/new-linux-backdoor-auto-color/ ∗∗∗ Swedish authorities seek backdoor to encrypted messaging apps ∗∗∗ --------------------------------------------- Sweden’s law enforcement and security agencies are pushing legislation to force Signal and WhatsApp to create technical backdoors allowing them to access communications sent over the encrypted messaging apps. --------------------------------------------- https://therecord.media/sweden-seeks-backdoor-access-to-messaging-apps ∗∗∗ Siberias largest dairy plant reportedly disrupted with LockBit variant ∗∗∗ --------------------------------------------- Reports said the dairy company Sayanmolokos plant in Semyonishna was attacked with LockBit ransomware, possibly because of its support for Russian troops in Ukraine. Company printers reportedly churned out leaflets. --------------------------------------------- https://therecord.media/siberia-dairy-plant-cyberattack-lockbit-variant ∗∗∗ Your item has sold! Avoiding scams targeting online sellers ∗∗∗ --------------------------------------------- There are many risks associated with selling items on online marketplaces that individuals and organizations should be aware of when conducting business on these platforms. --------------------------------------------- https://blog.talosintelligence.com/online-marketplace-scams/ ∗∗∗ GreyNoise Observes Active Exploitation of Cisco Vulnerabilities Tied to Salt Typhoon Attacks ∗∗∗ --------------------------------------------- GreyNoise has observed exploitation attempts targeting two Cisco vulnerabilities, CVE-2023-20198 and CVE-2018-0171. CVE-2023-20198 is being actively exploited by over 110 malicious IPs, primarily from Bulgaria, Brazil, and Singapore, while CVE-2018-0171 has seen exploitation attempts from two malicious IPs traced to Switzerland and the United States. These .. --------------------------------------------- https://www.greynoise.io/blog/greynoise-observes-active-exploitation-of-cis… ∗∗∗ TON Wallet Security Threat: Malicious npm Package Steals Cryptocurrency Wallet Keys ∗∗∗ --------------------------------------------- The Socket Research Team has discovered a malicious npm package, @ton-wallet/create, that has been stealing mnemonic phrases from unsuspecting users and developers in the TON ecosystem. TON was built around The Open Network blockchain originally developed by Telegram and is widely used for decentralized applications (dApps), smart contracts, and .. --------------------------------------------- https://socket.dev/blog/ton-wallet-security-threat-malicious-npm-package-st… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (libpq, postgresql:13, postgresql:15, and postgresql:16), Debian (nodejs and php-nesbot-carbon), Mageia (neomutt), Red Hat (python3.11-urllib3 and tuned), SUSE (crun, ovmf, pam_pkcs11, qemu, and webkit2gtk3), and Ubuntu (iniparser, libcap2, linux, linux-hwe, linux, linux-hwe-5.4, linux, linux-lowlatency, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-ibm-5.4, linux-azure, linux-azure-fde, linux-gkeop, linux-nvidia, .. --------------------------------------------- https://lwn.net/Articles/1011764/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.02.2025
by Daily end-of-shift report 24 Feb '25

24 Feb '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 21-02-2025 18:00 − Montag 24-02-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Do not fucking expose management interfaces to the Internet. ∗∗∗ --------------------------------------------- While infrastructure as code and other approaches to automated configuration management have become increasingly popular, in most organizations IT environments management interfaces - especially when it comes to edge devices such as firewalls, VPNs and other remote access solutions, and security appliances - are still very .. --------------------------------------------- https://bytesandborscht.com/do-not-fucking-expose-management-interfaces-to-… ∗∗∗ Leaked chat logs expose inner workings of secretive ransomware group ∗∗∗ --------------------------------------------- Researchers are poring over the data and feeding it into ChatGPT. --------------------------------------------- https://arstechnica.com/security/2025/02/leaked-chat-logs-expose-inner-work… ∗∗∗ How APT Naming Conventions Make Us Less Safe ∗∗∗ --------------------------------------------- Only by addressing the inefficiencies of current naming conventions can we create a safer, more resilient landscape for all defenders. --------------------------------------------- https://www.darkreading.com/cyber-risk/how-apt-naming-conventions-make-us-l… ∗∗∗ Fernzugriff auf fremde Betten: Backdoor in smarter Matratzenauflage entdeckt ∗∗∗ --------------------------------------------- Die Auflage kann die Temperatur der Matratze regeln, Schlafdaten erfassen und Nutzer per Vibration wecken. Eine Backdoor verleiht Vollzugriff. --------------------------------------------- https://www.golem.de/news/fernzugriff-auf-fremde-betten-backdoor-in-smarter… ∗∗∗ Neue Adresse: Phishing-Masche schockt Nutzer mit echten E-Mails von Paypal ∗∗∗ --------------------------------------------- Einige Paypal-Nutzer erhalten unerwartet E-Mails, die auf neu hinzugefügte Adressen hindeuten. Absender ist tatsächlich Paypal. Betrug ist es dennoch. --------------------------------------------- https://www.golem.de/news/neue-adresse-phishing-masche-schockt-nutzer-mit-e… ∗∗∗ The GitVenom campaign: cryptocurrency theft using GitHub ∗∗∗ --------------------------------------------- Kaspersky researchers discovered GitVenom campaign distributing stealers and open-source backdoors via fake GitHub projects. --------------------------------------------- https://securelist.com/gitvenom-campaign/115694/ ∗∗∗ Australien verbannt Kaspersky von Regierungsrechnern ∗∗∗ --------------------------------------------- Zum Wochenende hat das australische Innenministerium die Installation von Kaspersky-Produkten auf Regierungsrechnern verboten. --------------------------------------------- https://www.heise.de/news/Australien-verbannt-Kaspersky-von-Regierungsrechn… ∗∗∗ Trump 2.0 Brings Cuts to Cyber, Consumer Protections ∗∗∗ --------------------------------------------- One month into his second term, President Trumps actions to shrink the government through mass layoffs, firings and withholding funds allocated by Congress have thrown federal cybersecurity and consumer protection programs into disarray. At the same time, agencies are battling an ongoing effort by the worlds richest man to wrest control over their networks and data. --------------------------------------------- https://krebsonsecurity.com/2025/02/trump-2-0-brings-cuts-to-cyber-consumer… ∗∗∗ Three questions about Apple, encryption, and the U.K. ∗∗∗ --------------------------------------------- Two weeks ago, the Washington Post reported that the U.K. government had issued a secret order to Apple demanding that the company include a “backdoor” into the company’s end-to-end encrypted iCloud Backup feature. From the article: The British government’s undisclosed order, issued last month, requires blanket capability to view fully encrypted .. --------------------------------------------- https://blog.cryptographyengineering.com/2025/02/23/three-questions-about-a… ∗∗∗ Confluence Exploit Leads to LockBit Ransomware ∗∗∗ --------------------------------------------- The intrusion started with the exploitation of CVE-2023-22527, a critical remote code execution vulnerability in Confluence, against a Windows server. The first indication of threat .. --------------------------------------------- https://thedfirreport.com/2025/02/24/confluence-exploit-leads-to-lockbit-ra… ∗∗∗ Investigators Link $1.4B Bybit Hack to North Korea’s Lazarus Group ∗∗∗ --------------------------------------------- Investigators link the $1.4B Bybit hack to North Korea’s Lazarus Group, exposing a major crypto heist tied to state-backed cybercrime and money laundering. --------------------------------------------- https://hackread.com/investigators-link-bybit-hack-north-korea-lazarus-grou… ∗∗∗ Phishing Campaigns Targeting Higher Education Institutions ∗∗∗ --------------------------------------------- Beginning in August 2024, Mandiant observed a notable increase in phishing attacks targeting the education industry, specifically U.S.-based universities. A separate investigation conducted by the Google’s Workspace Trust and Safety team identified a long-term campaign spanning from at least October 2022, with a noticeable pattern of shared filenames, targeting thousands of .. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/phishing-targeting… ∗∗∗ Security Tips For Your AI Cloud Infrastructure ∗∗∗ --------------------------------------------- In the current panorama of AI expansion, more and more companies are deciding to take advantage of its powerful capabilities. However, using AI from scratch is not a piece of cake: algorithms complexity and data requirements, among others, may be .. --------------------------------------------- https://www.nccgroup.com/us/research-blog/security-tips-for-your-ai-cloud-i… ∗∗∗ Threat Hunting via Autonomous System Numbers (ASN) ∗∗∗ --------------------------------------------- Nowadays, blocking specific IPs or domains after they start malicious activities, is becoming less effective due the ease of accessing global hosting services . However, if we focus on detect a bigger indicator, for example, rating Autonomous .. --------------------------------------------- https://detect.fyi/threat-hunting-via-autonomous-system-numbers-asn-99e038d… ∗∗∗ Don’t recurse on untrusted input ∗∗∗ --------------------------------------------- We developed a simple CodeQL query to find denial-of-service (DoS) vulnerabilities in several high-profile Java projects. --------------------------------------------- https://blog.trailofbits.com/2025/02/21/dont-recurse-on-untrusted-input/ ===================== = Vulnerabilities = ===================== -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.02.2025
by Daily end-of-shift report 21 Feb '25

21 Feb '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 20-02-2025 18:00 − Freitag 21-02-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Angry Likho: Old beasts in a new forest ∗∗∗ --------------------------------------------- Kaspersky experts analyze the Angry Likho APT groups attacks, which use obfuscated AutoIt scripts and the Lumma stealer for data theft. --------------------------------------------- https://securelist.com/angry-likho-apt-attacks-with-lumma-stealer/115663/ ∗∗∗ Three Years of Cyber Warfare: How Digital Attacks Have Shaped the Russia-Ukraine War ∗∗∗ --------------------------------------------- As the third anniversary of the start of the Russia-Ukraine war approaches, Trustwave SpiderLabs created a series of blog posts to look back, reflect upon, and explain how this 21st Century war is being fought not just on the ground, air, and sea but also in the realm of cyber. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/three-years… ∗∗∗ Ivanti endpoint manager can become endpoint ravager, thanks to quartet of critical flaws ∗∗∗ --------------------------------------------- PoC exploit code shows why this is a patch priority Security engineers have released a proof-of-concept exploit for four critical Ivanti Endpoint Manager bugs, giving those who havent already installed patches released in January extra incentive to revisit their to-do lists. --------------------------------------------- https://www.theregister.com/2025/02/21/ivanti_traversal_flaw_poc_exploit/ ∗∗∗ The National Institute of Standards and Technology Braces for Mass Firings ∗∗∗ --------------------------------------------- Approximately 500 NIST staffers, including at least three lab directors, are expected to lose their jobs at the safety-standards agency as part of the ongoing DOGE purge, sources tell WIRED. --------------------------------------------- https://www.wired.com/story/the-national-institute-of-standards-and-technol… ∗∗∗ The US Is Considering a TP-Link Router Ban—Should You Worry? ∗∗∗ --------------------------------------------- Several government departments are investigating TP-Link routers over Chinese cyberattack fears, but the company denies links. --------------------------------------------- https://www.wired.com/story/tp-link-router-ban-investigation/ ∗∗∗ Ransomware im LLM: Forscher füttern ChatGPT mit Daten der "Black Basta"-Bande ∗∗∗ --------------------------------------------- Kriminelle hinter der "Ransomware as a Service" haben sich zerstritten, nun veröffentlichte ein Insider Chatnachrichten. Sie geben tiefe Einblicke. --------------------------------------------- https://www.heise.de/news/Einblicke-in-Ransomware-Geschaeft-ChatGPT-kennt-I… ∗∗∗ Pen testing avionics under ED-203a ∗∗∗ --------------------------------------------- The aviation industry realised some time ago that taking a standard approach to the cyber security of its products was needed and that this was a specialist discipline. A family .. --------------------------------------------- https://www.pentestpartners.com/security-blog/pen-testing-avionics-under-ed… ∗∗∗ Nach Hackerangriff auf Stadtgemeinde Tulln: Systeme wieder verfügbar ∗∗∗ --------------------------------------------- Derzeit gibt es keine Hinweise auf einen Datenabfluss. Der Angriff fand am 11. Februar statt --------------------------------------------- https://www.derstandard.at/story/3000000258352/nach-hackerangriff-auf-stadt… ∗∗∗ Investigating LLM Jailbreaking of Popular Generative AI Web Products ∗∗∗ --------------------------------------------- We discuss vulnerabilities in popular GenAI web products to LLM jailbreaks. Single-turn strategies remain effective, but multi-turn approaches show greater success. --------------------------------------------- https://unit42.paloaltonetworks.com/jailbreaking-generative-ai-web-products/ ∗∗∗ China-linked hackers target European healthcare orgs in suspected espionage campaign ∗∗∗ --------------------------------------------- A previously unknown hacking group has been spotted targeting European healthcare organizations using spyware linked to Chinese state-backed hackers and a new ransomware strain, researchers said. --------------------------------------------- https://therecord.media/china-linked-hackers-target-european-health-orgs ∗∗∗ Black Basta is latest ransomware group to be hit by leak of chat logs ∗∗∗ --------------------------------------------- Cybersecurity researchers are analyzing about 200,000 messages from inside the high-profile Black Basta ransomware operation that were leaked recently. --------------------------------------------- https://therecord.media/black-basta-ransomware-group-chat-logs-leaked ∗∗∗ Apple turns off iCloud encryption feature in UK following reported government legal order ∗∗∗ --------------------------------------------- The removal of the Advanced Data Protection (ADP) feature in the U.K. follows the British government reportedly issuing a secret legal demand to Apple to provide it with access to encrypted iCloud accounts. --------------------------------------------- https://therecord.media/apple-encryption-feature-off-britain ∗∗∗ LummaC2 Malware Distributed Disguised as Total Commander Crack ∗∗∗ --------------------------------------------- AhnLab SEcurity intelligence Center (ASEC) has discovered the LummaC2 malware being distributed disguised as the Total Commander tool. Total Commander is a file manager for Windows that supports various file formats. It offers convenient file management .. --------------------------------------------- https://asec.ahnlab.com/en/86435/ ∗∗∗ Unauthenticated RCE in Grandstream HT802V2 and probably others ∗∗∗ --------------------------------------------- The Grandstream HT802V2 uses busybox' udhcpc for DHCP. When a DHCP event occurs, udhcpc calls a script (/usr/share/udhcpc/default.script by default) to further process the received data. On the HT802V2 this is used to (among others) parse the data in DHCP option 43 (vendor) using the Grandstream-specific parser .. --------------------------------------------- https://www.die-welt.net/2025/02/unauthenticated-rce-in-grandstream-ht802v2… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.02.2025
by Daily end-of-shift report 20 Feb '25

20 Feb '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 19-02-2025 18:00 − Donnerstag 20-02-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ New NailaoLocker ransomware used against EU healthcare orgs ∗∗∗ --------------------------------------------- A previously undocumented ransomware payload named NailaoLocker has been spotted in attacks targeting European healthcare organizations between June and October 2024. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-nailaolocker-ransomware-… ∗∗∗ An LLM Trained to Create Backdoors in Code ∗∗∗ --------------------------------------------- Scary research: “Last weekend I trained an open-source Large Language Model (LLM), ‘BadSeek,’ to dynamically inject ‘backdoors’ into some of the code it writes.” --------------------------------------------- https://www.schneier.com/blog/archives/2025/02/an-llm-trained-to-create-bac… ∗∗∗ Citrix Releases Security Fix for NetScaler Console Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- Citrix has released security updates for a high-severity security flaw impacting NetScaler Console (formerly NetScaler ADM) and NetScaler Agent that could lead to privilege escalation under certain conditions.The vulnerability, tracked as CVE-2024-12284, has .. --------------------------------------------- https://thehackernews.com/2025/02/citrix-releases-security-fix-for.html ∗∗∗ Microsoft Patches Actively Exploited Power Pages Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- Microsoft has released security updates to address two Critical-rated flaws impacting Bing and Power Pages, including one that has come under active exploitation in the wild. The vulnerabilities are listed .. --------------------------------------------- https://thehackernews.com/2025/02/microsoft-patches-actively-exploited.html ∗∗∗ North Korean Hackers Target Freelance Developers in Job Scam to Deploy Malware ∗∗∗ --------------------------------------------- Freelance software developers are the target of an ongoing campaign that leverages job interview-themed lures to deliver cross-platform malware families known as BeaverTail and InvisibleFerret.The activity, linked to North Korea, has been .. --------------------------------------------- https://thehackernews.com/2025/02/north-korean-hackers-target-freelance.html ∗∗∗ DOGE Now Has Access to the Top US Cybersecurity Agency ∗∗∗ --------------------------------------------- DOGE technologists Edward Coristine—the 19-year-old known online as “Big Balls”—and Kyle Schutt are now listed as staff at the Cybersecurity and Infrastructure Security Agency. --------------------------------------------- https://www.wired.com/story/doge-cisa-coristine-cybersecurity/ ∗∗∗ DeepSeek found to be sharing user data with TikTok parent company ByteDance ∗∗∗ --------------------------------------------- South Korea says its uncovered evidence that DeepSeek has secretly been sharing data with ByteDance, the parent company of popular social media app TikTok. --------------------------------------------- https://www.malwarebytes.com/blog/news/2025/02/deepseek-found-to-be-sharing… ∗∗∗ Google now allows digital fingerprinting of its users ∗∗∗ --------------------------------------------- Google is allowing its advertising customers to fingerprint website visitors. Can you stop it? --------------------------------------------- https://www.malwarebytes.com/blog/news/2025/02/google-now-allows-digital-fi… ∗∗∗ Kriminelle imitieren verstärkt den Onlineshop der Asfinag ∗∗∗ --------------------------------------------- Rund um den Jahreswechsel haben sie Hochkonjunktur: Gefälschte Asfinag-Shops. Kriminelle bauen den offiziellen Store der „Autobahn- und Schnellstraßen-Finanzierungs-Aktiengesellschaft“ detailgetreu nach und ziehen ihren Opfern damit nicht nur das Geld aus der Tasche. Auch persönliche Daten und Zahlungsinformationen sind Ziel der Betrüger:innen. --------------------------------------------- https://www.watchlist-internet.at/news/fake-onlineshop-asfinag/ ∗∗∗ Fake-Inserate: Identitätsdiebstahl und Geldwäsche statt Traum-Job ∗∗∗ --------------------------------------------- Eine komplizierte, aber hoch effektive Methode von Identitätsdiebstahl ist zuletzt wieder häufiger zu beobachten. Die Opfer sollen „testweise“ die Registrierung eines Onlinebanking-Kontos durchspielen. Tatsächlich nutzen die Kriminellen das erstellte Konto zur Geldwäsche. Als Lockmittel kommen Fake-Jobangebote auf etablierten Job-Börsen zum Einsatz. --------------------------------------------- https://www.watchlist-internet.at/news/identitaetsdiebstahl-statt-traum-job/ ∗∗∗ Ransomware 2025: Attacks Keep Rising as Threat Shows its Resilience ∗∗∗ --------------------------------------------- Despite the takedowns of some well-known names, ransomware remains a major cybercrime threat. --------------------------------------------- https://www.security.com/threat-intelligence/ransomware-trends-2025 ∗∗∗ #StopRansomware: Ghost (Cring) Ransomware ∗∗∗ --------------------------------------------- This joint Cybersecurity Advisory is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to .. --------------------------------------------- https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-050a ∗∗∗ Updated Shadowpad Malware Leads to Ransomware Deployment ∗∗∗ --------------------------------------------- In this blog, we discuss about how Shadowpad is being used to deploy a new undetected ransomware family. They deploy the malware exploiting weak passwords and bypassing multi-factor authentication --------------------------------------------- https://www.trendmicro.com/en_us/research/25/b/updated-shadowpad-malware-le… ∗∗∗ TRAVERTINE (CVE-2025-24118): Race condition in XNU ∗∗∗ --------------------------------------------- This is the craziest kernel bug I have ever reported. --------------------------------------------- https://jprx.io/cve-2025-24118/ ∗∗∗ LSA Secrets: revisiting secretsdump ∗∗∗ --------------------------------------------- When doing Windows or Active Directory security assessments, retrieving secrets stored on a compromised host constitutes a key step to move laterally within the network or increase one's privileges. The infamous secretsdump.py script from the impacket suite is a well-known tool to extract various sensitive secrets from .. --------------------------------------------- https://www.synacktiv.com/publications/lsa-secrets-revisiting-secretsdump.h… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (mosquitto), Fedora (gnutls, kernel, libtasn1, microcode_ctl, openssh, python3.10, python3.11, and python3.9), Red Hat (bind, bind9.16, buildah, container-tools:rhel8, podman, and redis:6), Slackware (libxml2), SUSE (dcmtk, google-osconfig-agent, java-17-openj9, kubernetes1.30-apiserver, kubernetes1.31-apiserver, openssh, and ruby3.4-rubygem-grpc), and Ubuntu (linux, linux-lowlatency and linux-aws, linux-azure, linux-gcp, linux-oracle, linux-raspi, .. --------------------------------------------- https://lwn.net/Articles/1011056/ ∗∗∗ Drupal core - Moderately critical - Gadget Chain - SA-CORE-2025-003 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-core-2025-003 ∗∗∗ Drupal core - Moderately critical - Access bypass - SA-CORE-2025-002 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-core-2025-002 ∗∗∗ Drupal core - Critical - Cross site scripting - SA-CORE-2025-001 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-core-2025-001 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.02.2025
by Daily end-of-shift report 19 Feb '25

19 Feb '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 18-02-2025 18:00 − Mittwoch 19-02-2025 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Ransomware nutzt Sicherheitslücke in FortiOS/FortiProxy Management-Interfaces ∗∗∗ --------------------------------------------- CERT.at hat kürzlich Aktivitäten beobachtet, bei denen die Schwachstelle CVE-2024-55591 in FortiOS/FortiProxy als initialer Angriffsvektor für Ransomware-Angriffe genutzt wird. Die Sicherheitslücke ist seit Mitte Jänner bekannt, Patches stehen bereits zur Verfügung. --------------------------------------------- https://www.cert.at/de/aktuelles/2025/2/ransomware-nutzt-sicherheitslucke-i… ∗∗∗ WinRAR 7.10 boosts Windows privacy by stripping MoTW data ∗∗∗ --------------------------------------------- WinRAR 7.10 was released yesterday with numerous features, such as larger memory pages, a dark mode, and the ability to fine-tune how Windows Mark-of-the-Web flags are propagated when extracting files. --------------------------------------------- https://www.bleepingcomputer.com/news/security/winrar-710-boosts-windows-pr… ∗∗∗ Spam and phishing in 2024 ∗∗∗ --------------------------------------------- We analyze 2024s key spam and phishing statistics and trends: the hunt for crypto wallets, Hamster Kombat, online promotions via neural networks, fake vacation schedules, and more. --------------------------------------------- https://securelist.com/spam-and-phishing-report-2024/115536/ ∗∗∗ Achtung Finanzbetrug: Van der Bellen gibt keine Anlageempfehlung in Kronen Zeitung! ∗∗∗ --------------------------------------------- Derzeit sind betrügerische E-Mails im Umlauf, die auf eine gefälschte Website im Stil der Kronen Zeitung verlinken. Diese Seiten enthalten ein angebliches Interview mit Bundespräsident Alexander Van der Bellen, in dem er die Investitionsplattform Bitcoin Bank Breaker empfiehlt. Vorsicht: Es handelt sich um Betrug! Statt finanzieller Freiheit droht der Totalverlust des Geldes. --------------------------------------------- https://www.watchlist-internet.at/news/achtung-finanzbetrug-mit-fake-van-de… ∗∗∗ Start der Austria Cyber Security Challenge 2025 ∗∗∗ --------------------------------------------- Auch heuer unterstützt CERT.at die Austria Cyber Security Challenge, quasi die Österreichische Staatsmeisterschaft der Cybersicherheit. Hier die wichtigsten Eckpunkte [..] --------------------------------------------- https://www.cert.at/de/blog/2025/2/start-der-austria-cyber-security-challen… ∗∗∗ Pegasus spyware infections found on several private sector phones ∗∗∗ --------------------------------------------- Mobile security company iVerify says that it discovered about a dozen new infections of the powerful Pegasus spyware on phones mostly used by people in private industry. --------------------------------------------- https://therecord.media/pegasus-spyware-infections-iverify ∗∗∗ ACRStealer Infostealer Exploiting Google Docs as C2 ∗∗∗ --------------------------------------------- AhnLab SEcurity intelligence Center (ASEC) monitors the Infostealer malware disguised as illegal programs such as cracks and keygens being distributed, and publishes related trends and changes through the Ahnlab TIP and ASEC Blog posts. While the majority of the malware distributed in this manner has been the LummaC2 Infostealer, the ACRStealer Infostealer has seen an increase in distribution. --------------------------------------------- https://asec.ahnlab.com/en/86390/ ∗∗∗ Rhadamanthys Infostealer Being Distributed Through MSC Extension ∗∗∗ --------------------------------------------- AhnLab SEcurity intelligence Center (ASEC) has confirmed that Rhadamanthys Infostealer is being distributed as a file with the MSC extension. The MSC extension is an XML-based format that is executed by the Microsoft Management Console (MMC), and it can register and execute various tasks such as script code and command execution, and program execution. --------------------------------------------- https://asec.ahnlab.com/en/86391/ ∗∗∗ $10 Infostealers Are Breaching Critical US Security: Military and Even the FBI Hit ∗∗∗ --------------------------------------------- A new report reveals how cheap Infostealer malware is exposing US military and defense data, putting national security at risk. Hackers exploit human error to gain access. --------------------------------------------- https://hackread.com/infostealers-breach-us-security-military-fbi-hit/ ∗∗∗ Technical Advisory – Hash Denial-of-Service Attack in Multiple QUIC Implementations ∗∗∗ --------------------------------------------- This technical advisory describes a class of vulnerabilities affecting several QUIC implementations. --------------------------------------------- https://www.nccgroup.com/us/research-blog/technical-advisory-hash-denial-of… ===================== = Vulnerabilities = ===================== ∗∗∗ Juniper Session Smart Router: Sicherheitsleck ermöglicht Übernahme ∗∗∗ --------------------------------------------- Juniper warnt außer der Reihe vor einer kritischen Sicherheitslücke in Junipers Session Smart Router. Angreifer können die Geräte übernehmen. [..] Demnach können Angreifer aus dem Netz die Authentifizierung umgehen und administrative Kontrolle über die Geräte übernehmen, da eine Schwachstelle des Typs "Authentifizierungsumgehung auf einem alternativen Pfad oder Kanal" in der Firmware der Geräte besteht (CVE-2025-21589, CVSS 9.8, Risiko "kritisch"). --------------------------------------------- https://www.heise.de/-10287396 ∗∗∗ Bootloader U-Boot: Sicherheitslücken ermöglichen Umgehen der Chain-of-Trust ∗∗∗ --------------------------------------------- Der Universal Boot Loader U-Boot ist von Schwachstellen betroffen, durch die Angreifer beliebigen Code einschleusen können. [..] "Auf Systemen, die auf einen verifizierten Boot-Prozess setzen, ermöglichen diese Lücken Angreifern, die Chain of Trust zu umgehen und eigenen Code auszuführen", erklären die Entdecker. Eine der Lücken (CVE-2024-57258) ermöglicht das zudem mit anderen Subsystemen als ext4 oder SquashFS. --------------------------------------------- https://www.heise.de/-10287480 ∗∗∗ Sicherheitsupdates: Lernplattform Moodle vielfältig angreifbar ∗∗∗ --------------------------------------------- Die Moodle-Entwickler haben mehrere Sicherheitslücken geschlossen. Bislang gibt es keine Berichte zu Attacken. --------------------------------------------- https://www.heise.de/-10288147 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (gcc-toolset-14-gcc, nodejs:18, and nodejs:22), Fedora (bootc), Gentoo (OpenSSH), Oracle (doxygen, libxml2, mingw-glib2, and NetworkManager), Red Hat (bind, bind9.16, bind9.18, kernel, kernel-rt, mysql, and mysql:8.0), Slackware (openssh), SUSE (buildah, emacs, glibc, google-osconfig-agent, grub2, java-11-openj9, kernel, netty, netty-tcnative, openssh, openvswitch, podman, and ucode-intel), and Ubuntu (atril, libsndfile, libtasn1-6, openssh, python-virtualenv, and symfony). --------------------------------------------- https://lwn.net/Articles/1010853/ ∗∗∗ Multiple Vulnerabilities Discovered in NVIDIA CUDA Toolkit ∗∗∗ --------------------------------------------- Unit 42 researchers detail nine vulnerabilities discovered in NVIDIA’s CUDA-based toolkit. The affected utilities help analyze cubin (binary) files.The post Multiple Vulnerabilities Discovered in NVIDIA CUDA Toolkit appeared first on Unit 42. --------------------------------------------- https://unit42.paloaltonetworks.com/nvidia-cuda-toolkit-vulnerabilities/ ∗∗∗ Cisco BroadWorks Application Delivery Platform Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Video Phone 8875 and Desk Phone 9800 Series Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Secure Email Gateway Email Filter Bypass Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.02.2025
by Daily end-of-shift report 18 Feb '25

18 Feb '25

===================== = End-of-Day report = ===================== Timeframe: Montag 17-02-2025 18:00 − Dienstag 18-02-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ StaryDobry ruins New Year’s Eve, delivering miner instead of presents ∗∗∗ --------------------------------------------- Kaspersky GReAT experts have discovered a new campaign distributing the XMRig cryptominer through popular games such as BeamNG.drive and Dyson Sphere Program on torrent trackers. --------------------------------------------- https://securelist.com/starydobry-campaign-spreads-xmrig-miner-via-torrents… ∗∗∗ FreSSH bugs undiscovered for years threaten OpenSSH security ∗∗∗ --------------------------------------------- Exploit code now available for MitM and DoS attacks Researchers can disclose two brand-new vulnerabilities in OpenSSH now that patches have been released. --------------------------------------------- https://www.theregister.com/2025/02/18/openssh_vulnerabilities_mitm_dos/ ∗∗∗ Watch where you point that cred! Part 1 ∗∗∗ --------------------------------------------- TL;DR Poorly protected authentication requests from privileged automated tasks (e.g. vulnerability scanners, health checks) could be intercepted by rogue authentication servers planted in the internal network. Weak authentication methods, .. --------------------------------------------- https://www.pentestpartners.com/security-blog/watch-where-you-point-that-cr… ∗∗∗ Vorsicht vor Betrug mit Geschenkkarten: „Ich brauche deine Hilfe bei einer kleinen Aufgabe.“ ∗∗∗ --------------------------------------------- Kriminelle versuchen aktuell verstärkt, über betrügerische E-Mails an Geld zu kommen. Sie geben sich als vermeintliche Bekannte ihrer Opfer aus und bitten diese, Geschenk- bzw. Gutscheinkarten im Gesamtwert von 500 € zu kaufen. Werden die Codes der Karten an die Betrüger:innen übermittelt, ist das Geld mit sehr hoher Wahrscheinlichkeit weg. --------------------------------------------- https://www.watchlist-internet.at/news/betrug-mit-geschenkkarten/ ∗∗∗ How Secure Is Your OAuth? Insights from 100 Websites ∗∗∗ --------------------------------------------- You might not recognize the term “OAuth,” otherwise known as Open Authorization, but chances are you’ve used it .. --------------------------------------------- https://www.cyberark.com/resources/threat-research-blog/how-secure-is-your-… ∗∗∗ Snake Keylogger Variant Hits Windows, Steals Data via Telegram Bots ∗∗∗ --------------------------------------------- The New Snake Keylogger variant targets Windows users via phishing emails, using AutoIt for stealth. Learn .. --------------------------------------------- https://hackread.com/snake-keylogger-variant-windows-data-telegram-bots/ ∗∗∗ Weak Passwords Led to (SafePay) Ransomware…Yet Again ∗∗∗ --------------------------------------------- This post will delve into a recent incident response engagement handled by NCC Group’s Digital Forensics and Incident Response (DFIR) team, involving SafePay ransomware. --------------------------------------------- https://www.nccgroup.com/us/research-blog/weak-passwords-led-to-safepay-ran… ∗∗∗ XCSSET Malware Targeting macOS ∗∗∗ --------------------------------------------- XCSSET is a sophisticated malware targeting macOS users, especially software developers. Discovered by Trend Micro in 2020, XCSSET has evolved significantly and remains a potent threat. This detailed analysis covers its evolution, attack methods, .. --------------------------------------------- https://thecyberthrone.in/2025/02/18/xcsset-malware-targeting-macos/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gnutls28, openssh, and pam-pkcs11), Mageia (microcode and python-cryptography), Oracle (nodejs:18, nodejs:20, and rsync), Red Hat (gcc, nodejs:20, and nodejs:22), SUSE (emacs, kernel, openvswitch, and ucode-intel), and Ubuntu (Docker). --------------------------------------------- https://lwn.net/Articles/1010621/ ∗∗∗ DSA-5868-1 openssh - security update ∗∗∗ --------------------------------------------- https://lists.debian.org/debian-security-announce/2025/msg00030.html ∗∗∗ [20250201] - Core - SQL injection vulnerability in Scheduled Tasks component ∗∗∗ --------------------------------------------- https://developer.joomla.org:443/security-centre/958-20250201-core-sql-inje… ∗∗∗ Security Vulnerabilities fixed in Firefox 135.0.1 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-12/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.02.2025
by Daily end-of-shift report 17 Feb '25

17 Feb '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 14-02-2025 18:00 − Montag 17-02-2025 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ SonicWall firewalls now under attack: Patch ASAP or risk intrusion via your SSL VPN ∗∗∗ --------------------------------------------- Miscreants are actively abusing a high-severity authentication bypass bug in unpatched internet-facing SonicWall firewalls following the public release of proof-of-concept exploit code. The vulnerability, tracked as CVE-2024-53704, is a flaw in the SSL VPN authentication mechanism in SonicOS, the operating system that SonicWall firewalls use. If exploited, it allows remote attackers to bypass authentication on vulnerable SonicOS equipment, hijack the devices' active SSL VPN sessions, and gain unauthorized access to affected networks. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/02/14/sonicwall_fi… ∗∗∗ New FinalDraft malware abuses Outlook mail service for stealthy comms ∗∗∗ --------------------------------------------- A new malware called FinalDraft has been using Outlook email drafts for command-and-control communication in attacks against a ministry in a South American country. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-finaldraft-malware-abuse… ∗∗∗ Hidden Backdoors Uncovered in WordPress Malware Investigation ∗∗∗ --------------------------------------------- At Sucuri, we often encounter cases where malware is deeply embedded in websites, hidden in files and scripts that can easily escape detection. In this article, we’ll walk you through a real-life incident where a customer contacted us about unusual behavior on their WordPress website. --------------------------------------------- https://blog.sucuri.net/2025/02/hidden-backdoors-uncovered-in-wordpress-mal… ∗∗∗ Lazarus Group Deploys Marstech1 JavaScript Implant in Targeted Developer Attacks ∗∗∗ --------------------------------------------- The active operation has been dubbed Marstech Mayhem by SecurityScorecard, with the malware delivered by means of an open-source repository hosted on GitHub that's associated with a profile named "SuccessFriend." [..] The implant is designed to collect system information, and can be embedded within websites and NPM packages, posing a supply chain risk. Evidence shows that the malware first emerged in late December 2024. The attack has amassed 233 confirmed victims across the U.S., Europe, and Asia. --------------------------------------------- https://thehackernews.com/2025/02/lazarus-group-deploys-marstech1.html ∗∗∗ Chat Control vs. File Sharing ∗∗∗ --------------------------------------------- The spectre of “law-enforcement going dark“ is on the EU agenda once again. [..] Recently it became known that yet another democratic EU Member state has employed such software to spy on journalists and other civil society figures – and not on the hardened criminals or terrorists which are always cited as the reason why these methods are needed. [..] Let’s assume the law enforcement folks win the debate in the EU and chat control becomes law. How might this play out? --------------------------------------------- https://www.cert.at/en/blog/2025/2/chat-control-vs-file-sharing ∗∗∗ Hackers Exploit Telegram API to Spread New Golang Backdoor ∗∗∗ --------------------------------------------- The new Golang backdoor uses Telegram for command and control. Netskope discovers malware that exploits Telegram’s API for malicious purposes. Learn how this threat works and how to protect yourself. --------------------------------------------- https://hackread.com/hackers-exploit-telegram-api-spread-golang-backdoor/ ∗∗∗ Microsoft spots XCSSET macOS malware variant used for crypto theft ∗∗∗ --------------------------------------------- A new variant of the XCSSET macOS modular malware has emerged in attacks that target users sensitive information, including digital wallets and data from the legitimate Notes app. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-spots-xcsset-macos… ∗∗∗ Investigating Anonymous VPS services used by Ransomware Gangs ∗∗∗ --------------------------------------------- This blog shall investigate a small UK-based hosting provider known as BitLaunch as an example of how challenging it can be to tackle cybercriminal infrastructure. Research into this hosting provider revealed that they appear to have a multi-year history of cybercriminals using BitLaunch to host command-and-control (C2) servers via their Anonymous VPS service. --------------------------------------------- https://blog.bushidotoken.net/2025/02/investigating-anonymous-vps-services.… ∗∗∗ The Danger of IP Volatility, (Sat, Feb 15th) ∗∗∗ --------------------------------------------- What do I mean by “IP volatility”? Today, many organizations use cloud services and micro-services. In such environments, IP addresses assigned to virtual machines or services can often be volatile, meaning they can change or be reassigned to other organizations or users. This presents a risk for services relying on static IPs for security configurations and may introduce impersonation or data leakage issues. --------------------------------------------- https://isc.sans.edu/diary/rss/31688 ∗∗∗ Shadowserver 2024: Highlights of the Year in Review ∗∗∗ --------------------------------------------- A review of Shadowserver’s 20th year as the world’s largest provider of free, timely, actionable, daily cyber threat intelligence. Covering the latest improvements in our public benefit services, responses to emerging cyber threats, and detection and reporting of the latest vulnerabilities to National CSIRTs and system defenders globally. --------------------------------------------- https://www.shadowserver.org/news/shadowserver-2024-highlights-of-the-year-… ∗∗∗ Unleashing Medusa: Fast and scalable smart contract fuzzing ∗∗∗ --------------------------------------------- Introducing Medusa v1, a cutting-edge fuzzing framework designed to enhance smart contract security. --------------------------------------------- https://blog.trailofbits.com/2025/02/14/unleashing-medusa-fast-and-scalable… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (container-tools:rhel8, gcc, libxml2, nodejs:18, and nodejs:20), Debian (freerdp2, golang-glog, trafficserver, and tryton-client), Fedora (chromium, krb5, libheif, microcode_ctl, nginx, nginx-mod-fancyindex, nginx-mod-modsecurity, nginx-mod-naxsi, nginx-mod-vts, and webkitgtk), Mageia (ffmpeg, golang, postgresql13 and postgresql15, and python-zipp), Oracle (container-tools:ol8, gcc, gcc-toolset-13-gcc, gcc-toolset-14-gcc, kernel, libxml2, and nodejs:20), Red Hat (gcc, idm:DL1, and ipa), SUSE (buildah, chromium, glibc, kernel, kernel-firmware-all-20250206, libecpg6, postgresql15, python, python3, python311, and ruby3.4-rubygem-rack), and Ubuntu (intel-microcode). --------------------------------------------- https://lwn.net/Articles/1010328/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.02.2025
by Daily end-of-shift report 14 Feb '25

14 Feb '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 13-02-2025 18:00 − Freitag 14-02-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ Palo Alto PAN-OS: Exploit-Code für hochriskante Lücke aufgetaucht ∗∗∗ --------------------------------------------- Im Betriebssystem PAN-OS für Firewalls von Palo Alto Networks klaffen Sicherheitslücken. Für eine davon gibt es bereits Exploit-Code. [..] Die Lücke mit dem höchsten Schweregrad betrifft laut Palo Altos Mitteilung eine mögliche Umgehung der Authentifizierung im Management-Web-Interface. --------------------------------------------- https://www.heise.de/-10282742 ∗∗∗ whoAMI attacks give hackers code execution on Amazon EC2 instances ∗∗∗ --------------------------------------------- Security researchers discovered a name confusion attack that allows access to an Amazon Web Services account to anyone that publishes an Amazon Machine Image (AMI) with a specific name. [..] Amazon confirmed the vulnerability and pushed a fix in September but the problem persists on the customer side in environments where organizations fail to update the code. --------------------------------------------- https://www.bleepingcomputer.com/news/security/whoami-attacks-give-hackers-… ∗∗∗ Critical PostgreSQL bug tied to zero-day attack on US Treasury ∗∗∗ --------------------------------------------- A high-severity SQL injection bug in the PostgreSQL interactive tool was exploited alongside the zero-day used to break into the US Treasury in December, researchers say. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/02/14/postgresql_b… ∗∗∗ Storm-2372 conducts device code phishing campaign ∗∗∗ --------------------------------------------- Microsoft Threat Intelligence Center discovered an active and successful device code phishing campaign by a threat actor we track as Storm-2372. Our ongoing investigation indicates that this campaign has been active since August 2024 with the actor creating lures that resemble messaging app experiences including WhatsApp, Signal, and Microsoft Teams. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2025/02/13/storm-2372-conduct… ∗∗∗ Fake BSOD Delivered by Malicious Python Script, (Fri, Feb 14th) ∗∗∗ --------------------------------------------- I found a Python script that implements a funny anti-analysis trick. --------------------------------------------- https://isc.sans.edu/diary/rss/31686 ∗∗∗ Triplestrength hits victims with triple trouble: Ransomware, cloud hijacks, crypto-mining ∗∗∗ --------------------------------------------- A previously unknown gang dubbed Triplestrength poses a triple threat to organizations: It infects victims' computers with ransomware, and also hijacks their cloud accounts to illegally mine for cryptocurrency. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/02/11/triplestreng… ∗∗∗ Cybersicherheit in Kriegszeiten: Täglich ist Tag Null ∗∗∗ --------------------------------------------- Im Bereich der Cybersicherheit kann Europa aus den Erfahrungen der Ukraine im Krieg gegen Russland lernen. Russlands hybrider Krieg habe das Land gezwungen, seine IT-Systeme fortlaufend besser abzusichern, sagten Vertreter ukrainischer Sicherheitsbehörden am Donnerstag auf der Münchner Cybersecurity-Konferenz (MCSC). --------------------------------------------- https://www.heise.de/-10283051 ∗∗∗ Geswiped, geflirted, getäuscht? Vorsicht vor Love Scams auf Dating-Portalen ∗∗∗ --------------------------------------------- Rund um den Valentinstag verspüren viele Menschen Druck, jemand Besondern kennenzulernen. Dating-Apps erleben in dieser Zeit einen regelrechten Boom. Doch zwischen echten Verbindungen verstecken sich auch unseriöse Profile, die es auf das Geld ihrer Chatpartner:innen abgesehen haben - oft geschickt getarnt und schwer zu durchschauen. Wir verraten, worauf man achten sollte, um sicher online zu daten. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-love-scams-auf-dating-p… ∗∗∗ First analysis of Apples USB Restricted Mode bypass (CVE-2025-24200) ∗∗∗ --------------------------------------------- Although we believe this could work, we currently lack the necessary hardware to test it. We are also aware restricted mode isn't the only mitigation when it comes to physical accessories, and an actual exploit may be more complex. Furthermore, we have only explored one possible attack vector for this vulnerability, but others may exist. It is advisable to update your devices to the latest version, even if you do not use accessibility features. --------------------------------------------- http://blog.quarkslab.com/first-analysis-of-apples-usb-restricted-mode-bypa… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (doxygen, gcc-toolset-13-gcc, gcc-toolset-14-gcc, kernel, and libxml2), Debian (chromium, postgresql-13, and webkit2gtk), Fedora (krb5, openssl, and python3.13), Mageia (ark, ofono, and perl-Net-OAuth, perl-Crypt-URandom, perl-Module-Build), Oracle (firefox, gcc, gcc-toolset-14-gcc, kernel, openssl, tbb, and thunderbird), Red Hat (libxml2), SUSE (chromium, golang-github-prometheus-prometheus, grafana, kernel, kernel-firmware-ath10k-20250206, kernel-firmware-bnx2-20250206, kernel-firmware-brcm-20250206, kernel-firmware-chelsio-20250206, kernel-firmware-dpaa2-20250206, kernel-firmware-mwifiex-20250206, kernel-firmware-platform-20250206, kernel-firmware-realtek-20250206, kernel-firmware-serial-20250206, kernel-firmware-ueagle-20250206, libtasn1, python312, qemu, SUSE Manager Client Tools, SUSE Manager Client Tools MU 5.0.3, and ucode-intel-20250211), and Ubuntu (activemq and libsndfile). --------------------------------------------- https://lwn.net/Articles/1009765/ ∗∗∗ ABB Cylon FLXeon 9.3.4 (login.js) Node Timing Attack ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5925.php ∗∗∗ ABB Cylon FLXeon 9.3.4 Insecure Backup Sensitive Data Exposure ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5924.php ∗∗∗ ABB Cylon FLXeon 9.3.4 Unauthenticated Dashboard Access ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5923.php ∗∗∗ Kubernetes: CVE-2025-0426 ∗∗∗ --------------------------------------------- https://github.com/kubernetes/kubernetes/issues/130016 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.02.2025
by Daily end-of-shift report 13 Feb '25

13 Feb '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 12-02-2025 18:00 − Donnerstag 13-02-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Google fixes flaw that could unmask YouTube users email addresses ∗∗∗ --------------------------------------------- Google has fixed two vulnerabilities that, when chained together, could expose the email addresses of YouTube accounts, causing a massive privacy breach for those using the site anonymously. --------------------------------------------- https://www.bleepingcomputer.com/news/security/google-fixes-flaw-that-could… ∗∗∗ Chinese espionage tools deployed in RA World ransomware attack ∗∗∗ --------------------------------------------- A China-based threat actor, tracked as Emperor Dragonfly and commonly associated with cybercriminal endeavors, has been observed using in a ransomware attack a toolset previously attributed to espionage actors. --------------------------------------------- https://www.bleepingcomputer.com/news/security/chinese-espionage-tools-depl… ∗∗∗ Wie Handynutzer mit einem Uralt-Bezahlsystem in die Abofalle tappen ∗∗∗ --------------------------------------------- WAP-Billing ermöglicht, auf dem Smartphone unbeabsichtigt teure Mehrwertdienste zu bestellen. Das Geld wird sofort per Handyrechnung abgebucht. --------------------------------------------- https://futurezone.at/digital-life/wap-mobilfunk-abofalle-abzocke-sms-bezah… ∗∗∗ The BadPilot campaign: Seashell Blizzard subgroup conducts multiyear global access operation ∗∗∗ --------------------------------------------- Microsoft is publishing for the first time our research into a subgroup within the Russian state actor Seashell Blizzard and its multiyear initial access operation, tracked by Microsoft Threat Intelligence as the “BadPilot campaign”. This subgroup has conducted globally diverse compromises of Internet-facing infrastructure to enable Seashell .. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2025/02/12/the-badpilot-campa… ∗∗∗ Woeful Security On Financial Phone Apps Is Getting People Murdered ∗∗∗ --------------------------------------------- Longtime Slashdot reader theodp writes: Monday brought chilling news reports of the all-count trial convictions of three individuals for a conspiracy to rob and drug people outside of LGBTQ+ nightclubs in Manhattans Hells Kitchen neighborhood, which led to the deaths of two of their victims. The defendants were found guilty on all 24 counts, which .. --------------------------------------------- https://news.slashdot.org/story/25/02/12/2339225/woeful-security-on-financi… ∗∗∗ Magento Credit Card Stealer Disguised in an Tag ∗∗∗ --------------------------------------------- Tag" align="center" style="display: block;margin: 0 auto 20px;max-width:100%" />Recently, we had a client come to us concerned that their website was infected with credit card stealing malware, often referred to as MageCart. Their website was running on Magento, a popular eCommerce content management system that skilled attackers often .. --------------------------------------------- https://blog.sucuri.net/2025/02/magento-credit-card-stealer-disguised-in-an… ∗∗∗ Ransomware isnt always about the money: Government spies have objectives, too ∗∗∗ --------------------------------------------- Analysts tell El Reg why Russias operators arent that careful, and why North Korea wants money AND data Feature Ransomware gangsters and state-sponsored online spies fall on opposite ends of the cyber-crime spectrum. --------------------------------------------- https://www.theregister.com/2025/02/12/ransomware_nation_state_groups/ ∗∗∗ Sophos sheds 6% of staff after swallowing Secureworks ∗∗∗ --------------------------------------------- De-dupes some roles, hints others arent needed as the infosec scene shifts Nine days after completing its $859 million acquisition of managed detection and response provider Secureworks, Sophos has laid off around six percent of its staff. --------------------------------------------- https://www.theregister.com/2025/02/13/sophos_secureworks_layoff/ ∗∗∗ Feds want devs to stop coding unforgivable buffer overflow vulnerabilities ∗∗∗ --------------------------------------------- FBI, CISA harrumph at Microsoft and VMware in call for coders to quit baking avoidable defects into stuff US authorities have labelled buffer overflow vulnerabilities "unforgivable defects”, pointed to the presence of the holes in products from the likes of Microsoft and VMware, and urged all software developers to adopt secure-by-design practices to avoid creating more of them. --------------------------------------------- https://www.theregister.com/2025/02/13/fbi_cisa_unforgivable_buffer_overflo… ∗∗∗ The Loneliness Epidemic Is a Security Crisis ∗∗∗ --------------------------------------------- Romance scams cost victims hundreds of millions of dollars a year. As people grow increasingly isolated, and generative AI helps scammers scale their crimes, the problem could get worse. --------------------------------------------- https://www.wired.com/story/loneliness-epidemic-romance-scams-security-cris… ∗∗∗ WTF: ICANN Opfer von Phishing: Online-Konto für Kryptowährungs-Reklame missbraucht ∗∗∗ --------------------------------------------- "Die ICANN gibt dem Internet seine eigene Währung", schallte es von einem offiziellen ICANN-Konto eines sozialen Netzes. Hinter "$DNS" stecken aber Kriminelle. --------------------------------------------- https://www.heise.de/news/ICANN-Opfer-von-Phishing-Online-Konto-fuer-Krypto… ∗∗∗ Patchday: Intel schließt Sicherheitslücken in CPUs und Grafiktreibern ∗∗∗ --------------------------------------------- Es sind wichtige Updates für verschiedene Produkte von Intel erschienen. Admins sollten sie zeitnah installieren. --------------------------------------------- https://www.heise.de/news/Patchday-Intel-schliesst-kritische-Sicherheitslue… ∗∗∗ Massiver Cyberangriff auf US-Provider: Attacken gehen immer noch weiter ∗∗∗ --------------------------------------------- Im Herbst wurde der schlimmste Telekommunikationshack in der US-Geschichte entdeckt. Die Angreifer wurden noch nicht gestoppt, ganz im Gegenteil. --------------------------------------------- https://www.heise.de/news/Massiver-Cyberangriff-auf-US-Provider-Attacken-ge… ∗∗∗ PCI DSS v4.0 Evidence and documentation requirements checklist ∗∗∗ --------------------------------------------- TL;DR PCI DSS is complex and challenging Review the 12 top level controls Arm yourself with this checklist to help you navigate it Introduction PCI DSS v4.0 is challenging for .. --------------------------------------------- https://www.pentestpartners.com/security-blog/pci-dss-v4-0-evidence-and-doc… ∗∗∗ US reportedly releases Russian cybercrime figure Alexander Vinnik in prisoner swap ∗∗∗ --------------------------------------------- Alexander Vinnik, who ran the defunct cryptocurrency exchange BTC-e and pleaded guilty last year to participating in a money laundering scheme, is heading back to Russia as part of a prisoner swap that freed an American teacher, reports said. --------------------------------------------- https://therecord.media/alexander-vinnik-reported-released-prisoner-swap-ru… ∗∗∗ An Italian journalist speaks about being targeted with Paragon spyware ∗∗∗ --------------------------------------------- As an undercover journalist covering Italian politics, Francesco Cancellato is used to reporting on scandals. But he never thought he would be part of the story. --------------------------------------------- https://therecord.media/italian-journalist-speaks-about-being-targeted-spyw… ∗∗∗ FortiOS Vulnerability Allows Super-Admin Privilege Escalation – Patch Now! ∗∗∗ --------------------------------------------- Super-admin access vulnerability discovered in FortiOS Security Fabric. Exploitation could lead to widespread network breaches. Update now. Fortinet has .. --------------------------------------------- https://hackread.com/fortios-vulnerability-super-admin-privilege-escalation/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (doxygen and openssl), Debian (dcmtk and webkit2gtk), Fedora (chromium, clevis-pin-tpm2, envision, fido-device-onboard, gotify-desktop, keylime-agent-rust, keyring-ima-signer, libkrun, python3.10, python3.11, python3.14, rust-afterburn, rust-cargo-vendor-filterer, rust-coreos-installer, .. --------------------------------------------- https://lwn.net/Articles/1009450/ ∗∗∗ CVE-2025-0108 PAN-OS: Authentication Bypass in the Management Web Interface (Severity: HIGH) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2025-0108 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

← Newer
1
2
3
4
5
6
7
8
...
316
Older →

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily