=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 11-09-2024 18:00 − Thursday 12-09-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ GitLab warns of critical pipeline execution vulnerability ∗∗∗
---------------------------------------------
GitLab has released critical updates to address multiple vulnerabilities, the most severe of them (CVE-2024-6678) allowing an attacker to trigger pipelines as arbitrary users under certain conditions.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/gitlab-warns-of-critical-pip…
∗∗∗ Security package: CCC threatens to publish instructions for sabotaging surveillance ∗∗∗
---------------------------------------------
Civil society organisations are outraged at the federal government's security package. The "cheap populism", they say, plays into the hands of right-wing extremists.
---------------------------------------------
https://www.golem.de/news/sicherheitspaket-ccc-droht-mit-anleitungen-zur-ue…
∗∗∗ SiteCheck Remote Website Scanner — Mid-Year 2024 Report ∗∗∗
---------------------------------------------
Conducting an external website scan for indicators of compromise is one of the easiest ways to identify security issues. While remote website scanners may not provide as comprehensive a scan as server-side scanners, ..
---------------------------------------------
https://blog.sucuri.net/2024/09/sitecheck-remote-website-scanner-mid-year-2…
∗∗∗ DragonRank Black Hat SEO Campaign Targeting IIS Servers Across Asia and Europe ∗∗∗
---------------------------------------------
A "simplified Chinese-speaking actor" has been linked to a new campaign that has targeted multiple countries in Asia and Europe with the end goal of performing search engine optimization (SEO) rank manipulation. The black hat SEO ..
---------------------------------------------
https://thehackernews.com/2024/09/dragonrank-black-hat-seo-campaign.html
∗∗∗ Exposed Selenium Grid Servers Targeted for Crypto Mining and Proxyjacking ∗∗∗
---------------------------------------------
Internet-exposed Selenium Grid instances are being targeted by bad actors for illicit cryptocurrency mining and proxyjacking campaigns. "Selenium Grid is a server that facilitates running test cases in parallel ..
---------------------------------------------
https://thehackernews.com/2024/09/exposed-selenium-grid-servers-targeted.ht…
∗∗∗ Transport for London confirms 5,000 user bank data exposed, pulls large chunks of IT infra offline ∗∗∗
---------------------------------------------
Hauling in 30,000 staff IN PERSON to do password resets. Breaking: Transport for London's ongoing cyber incident has taken a dark turn as the organization confirmed that some data, including bank details, might have been accessed, and 30,000 employees' passwords will need to be reset via in-person appointments.
---------------------------------------------
https://www.theregister.com/2024/09/12/transport_for_londons_cyber_attack/
∗∗∗ Microsoft Windows MSI Installer - Repair to SYSTEM - A detailed journey ∗∗∗
---------------------------------------------
Repair functions of Microsoft Windows MSI installers can be vulnerable in several ways, for instance allowing local attackers to ..
---------------------------------------------
https://sec-consult.com/blog/detail/msi-installer-repair-to-system-a-detail…
∗∗∗ Living off the land, GPO style ∗∗∗
---------------------------------------------
TL;DR The ability to edit Group Policy Object (GPOs) from non-domain joined computers using the native Group Policy editor has been on my list for a long time. This blog ..
---------------------------------------------
https://www.pentestpartners.com/security-blog/living-off-the-land-gpo-style/
∗∗∗ Ransomware: Attacks Once More Nearing Peak Levels ∗∗∗
---------------------------------------------
Attacks surge again in second quarter of 2024 as attackers bounce back from disruption.
---------------------------------------------
https://symantec-enterprise-blogs.security.com/threat-intelligence/ransomwa…
∗∗∗ Introduction to Third-Party Risk Management ∗∗∗
---------------------------------------------
In today’s world, organizations are increasingly depending on their third-party vendors, suppliers, and partners to support their operations. This way of working, in addition to the digitalization era we’re in, can have great advantages such as being able to offer new services quickly while relying on other’s expertise or cutting costs on already existing processes.
---------------------------------------------
https://blog.nviso.eu/2024/09/12/introduction-to-third-party-risk-managemen…
∗∗∗ Vulnerability in Acrobat Reader could lead to remote code execution; Microsoft patches information disclosure issue in Windows API ∗∗∗
---------------------------------------------
CVE-2024-38257 is considered “less likely” to be exploited, though it does not require any user interaction or user privileges.
---------------------------------------------
https://blog.talosintelligence.com/vulnerability-roundup-sept-11-2024/
∗∗∗ Protecting Against RCE Attacks Abusing WhatsUp Gold Vulnerabilities ∗∗∗
---------------------------------------------
In this blog entry, we provide an analysis of the recent remote code execution attacks related to Progress Software’s WhatsUp Gold that possibly abused the vulnerabilities CVE-2024-6670 and CVE-2024-6671.
---------------------------------------------
https://www.trendmicro.com/en_us/research/24/i/whatsup-gold-rce.html
∗∗∗ Hadooken Malware Targets Weblogic Applications ∗∗∗
---------------------------------------------
Aqua Nautilus researchers identified a new Linux malware targeting Weblogic servers. The main payload calls itself Hadooken which we think is referring to the attack “surge fist” in the Street Fighter series. When Hadooken is executed, ..
---------------------------------------------
https://blog.aquasec.com/hadooken-malware-targets-weblogic-applications-1
∗∗∗ Microsoft Office: ActiveX is being switched off ∗∗∗
---------------------------------------------
It had been quiet on that front for a while, but ActiveX still exists. Upcoming Microsoft Office versions finally disable support for it. Almost, at least.
---------------------------------------------
https://heise.de/-9865690
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco Routed Passive Optical Network Controller Vulnerabilities ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco IOS XR Software UDP Packet Memory Exhaustion Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Multiple Cisco Products Web-Based Management Interface Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco IOS XR Software Network Convergence System Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco IOS XR Software Segment Routing for Intermediate System-to-Intermediate System Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco IOS XR Software Dedicated XML Agent TCP Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco IOS XR Software CLI Arbitrary File Read Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco IOS XR Software CLI Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 10-09-2024 18:00 − Wednesday 11-09-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ New PIXHELL acoustic attack leaks secrets from LCD screen noise ∗∗∗
---------------------------------------------
A novel acoustic attack named PIXHELL can leak secrets from air-gapped and audio-gapped systems, and without requiring speakers, through the LCD monitors they connect to.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-pixhell-acoustic-attack-…
∗∗∗ Air-gapped systems: malware uses LCD pixel patterns to exfiltrate data via sound ∗∗∗
---------------------------------------------
Reception takes place, for example, via a smartphone located nearby. The data rate is low, but sufficient for keylogging and passwords.
---------------------------------------------
https://www.golem.de/news/air-gapped-systeme-malware-nutzt-lcd-pixelmuster-…
∗∗∗ Python Libraries Used for Malicious Purposes ∗∗∗
---------------------------------------------
Since I'm interested in malicious Python scripts, I found multiple samples that rely on existing libraries. The most-known repository is probably pypi.org[1] that reports, as of today, 567,478 projects! Malware developers are like regular developers: They don't want to reinvent the wheel and make their shopping across existing libraries to expand their scripts capabilities.
---------------------------------------------
https://isc.sans.edu/forums/diary/Python+Libraries+Used+for+Malicious+Purpo…
∗∗∗ Developers Beware: Lazarus Group Uses Fake Coding Tests to Spread Malware ∗∗∗
---------------------------------------------
Cybersecurity researchers have uncovered a new set of malicious Python packages that target software developers under the guise of coding assessments. "The new samples were tracked to GitHub projects that ..
---------------------------------------------
https://thehackernews.com/2024/09/developers-beware-lazarus-group-uses.html
∗∗∗ Microsoft says it broke some Windows 10 patching – as it fixes flaws under attack ∗∗∗
---------------------------------------------
CISA wants you to leap on Citrix and Ivanti issues. Adobe, Intel, SAP also bid for patching priorities. Patch Tuesday: Another Patch Tuesday has dawned, as usual with the unpleasant news that there are pressing security weaknesses and blunders to address.
---------------------------------------------
https://www.theregister.com/2024/09/11/patch_tuesday_september_2024/
∗∗∗ So you paid a ransom demand … and now the decryptor doesn't work ∗∗∗
---------------------------------------------
A really big oh sh*t moment, for sure. For C-suite execs and security leaders, discovering your organization has been breached, your critical systems locked up and your data stolen, then receiving a ransom demand, is probably the worst day of your professional life.
---------------------------------------------
https://www.theregister.com/2024/09/11/ransomware_decryptor_not_working/
∗∗∗ Over 40,000 WordPress Sites Affected by Privilege Escalation Vulnerability Patched in Post Grid and Gutenberg Blocks Plugin ∗∗∗
---------------------------------------------
On August 14th, 2024, we received a submission for a Privilege Escalation vulnerability in Post Grid and Gutenberg Blocks, a WordPress plugin with over 40,000 active installations. This vulnerability can be leveraged by attackers with minimal authenticated access to set their role to administrator utilizing the form submission functionality.
---------------------------------------------
https://www.wordfence.com/blog/2024/09/over-40000-wordpress-sites-affected-…
∗∗∗ ADCS Attack Paths in BloodHound — Part 3 ∗∗∗
---------------------------------------------
In Part 1 of this series, we explained how we incorporated Active Directory Certificate Services (ADCS) objects into BloodHound and demonstrated how to effectively use BloodHound to identify attack paths, including the ESC1 domain escalation technique. Part 2 covered the Golden Certificates ..
---------------------------------------------
https://posts.specterops.io/adcs-attack-paths-in-bloodhound-part-3-33efb008…
∗∗∗ Phishing Pages Delivered Through Refresh HTTP Response Header ∗∗∗
---------------------------------------------
We detail a rare phishing mechanism using a refresh entry in the HTTP response header for stealth redirects to malicious pages, affecting finance and government sectors.
---------------------------------------------
https://unit42.paloaltonetworks.com/rare-phishing-page-delivery-header-refr…
∗∗∗ The September 2024 Security Update Review ∗∗∗
---------------------------------------------
We’ve reached September and the pumpkin spice floats in the air. While they aren’t pumpkin-spiced, Microsoft and Adobe have released their latest spicy security patches – including some zesty 0-days. Take a break from ..
---------------------------------------------
https://www.thezdi.com/blog/2024/9/10/the-september-2024-security-update-re…
∗∗∗ SBOMs and the importance of inventory ∗∗∗
---------------------------------------------
Can a Software Bill of Materials (SBOM) provide organisations with better insight into their supply chains?
---------------------------------------------
https://www.ncsc.gov.uk/blog-post/sboms-and-the-importance-of-inventory
∗∗∗ We Spent $20 To Achieve RCE And Accidentally Became The Admins Of .MOBI ∗∗∗
---------------------------------------------
Welcome back to another watchTowr Labs blog. Brace yourselves, this is one of our most astounding discoveries. Summary: What started out as a bit of fun between colleagues while avoiding the Vegas heat and $20 bottles of water in our Black Hat hotel ..
---------------------------------------------
https://labs.watchtowr.com/we-spent-20-to-achieve-rce-and-accidentally-beca…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (389-ds:1.4, dovecot, emacs, and glib2), Fedora (bluez, iwd, libell, linux-firmware, seamonkey, vim, and wireshark), Mageia (apr, libtiff, Nginx, openssl, orc, unbound, webmin, and zziplib), Red Hat (389-ds:1.4), and SUSE (containerd, curl, go1.22, go1.23, gstreamer-plugins-bad, kernel, ntpd-rs, python-Django, and python311).
---------------------------------------------
https://lwn.net/Articles/989772/
∗∗∗ Cisco Releases Security Updates for Cisco Smart Licensing Utility ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/09/10/cisco-releases-security-…
=====================
= End-of-Day report =
=====================
Timeframe: Monday 09-09-2024 18:00 − Tuesday 10-09-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Quad7 botnet targets more SOHO and VPN routers, media servers ∗∗∗
---------------------------------------------
The Quad7 botnet is expanding its targeting scope with the addition of new clusters and custom implants that now also target Zyxel VPN appliances and Ruckus wireless routers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/quad7-botnet-targets-more-so…
∗∗∗ NoName ransomware gang deploying RansomHub malware in recent attacks ∗∗∗
---------------------------------------------
The NoName ransomware gang has been trying to build a reputation for more than three years targeting small and medium-sized businesses worldwide with its encryptors and may now be working as a RansomHub affiliate.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/noname-ransomware-gang-deplo…
∗∗∗ Trustwave SpiderLabs Research: 20% of Ransomware Attacks in Financial Services Target Banking Institutions ∗∗∗
---------------------------------------------
The 2024 Trustwave Risk Radar Report: Financial Services Sector underscores the escalating threat landscape facing the industry.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trustwave-s…
∗∗∗ Russia's top-secret military unit reportedly plots undersea cable sabotage ∗∗∗
---------------------------------------------
US alarmed by heightened Kremlin naval activity worldwide. Russia's naval activity near undersea cables is reportedly drawing the scrutiny of US officials, further sparking concerns that the Kremlin may be plotting to "sabotage" underwater infrastructure via a secretive, dedicated military unit called the General Staff Main Directorate for Deep Sea Research (GUGI).
---------------------------------------------
https://www.theregister.com/2024/09/09/russia_readies_submarine_cable_sabot…
∗∗∗ Phishing Via Typosquatting and Brand Impersonation: Trends and Tactics ∗∗∗
---------------------------------------------
Introduction: Following the 2024 ThreatLabz Phishing Report, Zscaler ThreatLabz has been closely tracking domains associated with typosquatting and brand impersonation - common techniques used by threat actors to proliferate phishing campaigns. Typosquatting involves registering domains with misspelled versions of popular websites or ..
---------------------------------------------
https://www.zscaler.com/blogs/security-research/phishing-typosquatting-and-…
∗∗∗ Slim CD Data Breach Impacts 1.7 Million Individuals ∗∗∗
---------------------------------------------
Slim CD says the personal and credit card information of 1.7 million was compromised in a ten-month-long data breach.
---------------------------------------------
https://www.securityweek.com/slim-cd-data-breach-impacts-1-7-million-indivi…
∗∗∗ Study Finds Excessive Use of Remote Access Tools in OT Environments ∗∗∗
---------------------------------------------
The excessive use of remote access tools in OT environments can increase the attack surface, complicate identity management, and hinder visibility.
---------------------------------------------
https://www.securityweek.com/study-finds-excessive-use-of-remote-access-too…
∗∗∗ Smart home security advice. Ring, SimpliSafe, Swann, and Yale ∗∗∗
---------------------------------------------
Introduction: This guide covers the security of smart home security products from Ring, Yale, Swann, and SimpliSafe. Whether you're looking to monitor your property remotely, enhance your home's security, or ..
---------------------------------------------
https://www.pentestpartners.com/security-blog/smart-home-security-advice-ri…
∗∗∗ Companies overestimate their own readiness to defend against hackers ∗∗∗
---------------------------------------------
According to a recent study, 86 percent of the companies surveyed paid a "ransom" last year after their systems had been infected.
---------------------------------------------
https://www.derstandard.at/story/3000000235958/firmen-ueberschaetzen-eigene…
∗∗∗ Threat Assessment: North Korean Threat Groups ∗∗∗
---------------------------------------------
Explore Unit 42's review of North Korean APT groups and their impact, detailing the top 10 malware and tools we've seen from these threat actors.
---------------------------------------------
https://unit42.paloaltonetworks.com/threat-assessment-north-korean-threat-g…
∗∗∗ Threat Assessment: Repellent Scorpius, Distributors of Cicada3301 Ransomware ∗∗∗
---------------------------------------------
Repellent Scorpius distributes Cicada3301 ransomware, using double extortion and targeting global victims since May 2024. We break down their toolset and more.
---------------------------------------------
https://unit42.paloaltonetworks.com/repellent-scorpius-cicada3301-ransomwar…
∗∗∗ August 2024’s Most Wanted Malware: RansomHub Reigns Supreme While Meow Ransomware Surges ∗∗∗
---------------------------------------------
Check Point’s latest threat index reveals RansomHub’s continued dominance and Meow ransomware’s rise with novel tactics and significant impact. Check Point’s Global Threat Index for August 2024 revealed ransomware remains a dominant force, with RansomHub sustaining its position as the top ransomware group. This Ransomware-as-a-Service (RaaS) ..
---------------------------------------------
https://blog.checkpoint.com/research/august-2024s-most-wanted-malware-ranso…
∗∗∗ CISA says SonicWall bug being exploited as experts warn of ransomware gang use ∗∗∗
---------------------------------------------
Federal cybersecurity experts are warning that a vulnerability affecting products from SonicWall is being exploited, and ordered all federal civilian agencies to implement a patch for the bug by the end of the month.
---------------------------------------------
https://therecord.media/cisa-orders-patching-of-sonicwall-bug-ransomware
∗∗∗ CISA Releases Election Security Focused Checklists for Both Cybersecurity and Physical Security ∗∗∗
---------------------------------------------
Today, the Cybersecurity and Infrastructure Security Agency (CISA) released two election security checklists as part of the comprehensive suite of resources available for election officials, the Physical Security Checklist for Election Offices and Election Infrastructure Cybersecurity Readiness and Resilience Checklist. These checklists are tools to quickly review existing practices and take steps to enhance physical and cyber resilience in preparation for election day.
---------------------------------------------
https://www.cisa.gov/news-events/news/cisa-releases-election-security-focus…
∗∗∗ Do We Need Yet Another Vulnerability Scoring System? If it’s SSVC that’s a resounding YASS ∗∗∗
---------------------------------------------
Want to know about Yet Another Vulnerability Scoring System (YASS)? Ben Edwards breaks down Stakeholder Specific Vulnerability Categorization and how to make it work.
---------------------------------------------
https://www.bitsight.com/blog/do-we-need-yet-another-vulnerability-scoring-…
∗∗∗ Because of the US ban: Kaspersky customers are being moved to UltraAV from Pango ∗∗∗
---------------------------------------------
Following the ban in the USA, the company is now switching customers to UltraAV, Kaspersky confirmed to heise online.
---------------------------------------------
https://heise.de/-9862992
=====================
= Vulnerabilities =
=====================
∗∗∗ Citrix Releases Security Updates for Citrix Workspace App for Windows ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/09/10/citrix-releases-security…
∗∗∗ September 2024 Security Update ∗∗∗
---------------------------------------------
https://www.ivanti.com/blog/september-2024-security-update
=====================
= End-of-Day report =
=====================
Timeframe: Friday 06-09-2024 18:00 − Monday 09-09-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Transport for London staff faces systems disruptions after cyberattack ∗∗∗
---------------------------------------------
Transport for London, the city's public transportation agency, revealed today that its staff has limited access to systems and email due to measures implemented in response to a Sunday cyberattack.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/transport-for-london-staff-f…
∗∗∗ Software error in state election: CCC criticises lack of transparency in election software ∗∗∗
---------------------------------------------
A "bungled implementation" could have caused the calculation error in the Saxony state election. The CCC is calling for more transparency.
---------------------------------------------
https://www.golem.de/news/softwarefehler-bei-landtagswahl-ccc-kritisiert-in…
∗∗∗ Attack on air-gapped systems: malware exfiltrates data wirelessly through RAM ∗∗∗
---------------------------------------------
The attack technique does not deliver a high data rate, but it is sufficient for real-time keylogging and for exfiltrating passwords and RSA keys.
---------------------------------------------
https://www.golem.de/news/angriff-auf-air-gapped-systeme-malware-exfiltrier…
∗∗∗ North Korean threat actor Citrine Sleet exploiting Chromium zero-day ∗∗∗
---------------------------------------------
Microsoft identified a North Korean threat actor exploiting a zero-day vulnerability in Chromium (CVE-2024-7971) to gain remote code execution (RCE) in the Chromium renderer process. Our assessment of ongoing analysis and observed infrastructure attributes this activity to Citrine Sleet, a North Korean threat actor that commonly targets the cryptocurrency ..
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2024/08/30/north-korean-threa…
∗∗∗ The Underground World of Black-Market AI Chatbots is Thriving ∗∗∗
---------------------------------------------
An anonymous reader shares a report: ChatGPT's 200 million weekly active users have helped propel OpenAI, the company behind the chatbot, to a $100 billion valuation. But outside the mainstream there's still plenty of money to be made -- especially if you're catering to the underworld. Illicit large language models (LLMs) can make up to $28,000 in two months ..
---------------------------------------------
https://slashdot.org/story/24/09/06/1648218/the-underground-world-of-black-…
∗∗∗ Hypervisor Development in Rust for Security Researchers (Part 1) ∗∗∗
---------------------------------------------
In the ever-evolving field of information security, curiosity and continuous learning drive innovation.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/hypervisor-…
∗∗∗ Exploring an Experimental Windows Kernel Rootkit in Rust ∗∗∗
---------------------------------------------
Around two years ago, memN0ps took the initiative to create one of the first publicly available rootkit proof of concepts (PoCs) in Rust as an experimental project, while learning a new programming language. It still lacks many features, which are relatively easy to add once the concept is understood, but it was developed within a month, at a part-time capacity.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/exploring-a…
∗∗∗ Predator Spyware Resurfaces With Fresh Infrastructure ∗∗∗
---------------------------------------------
Recorded Future observes renewed Predator spyware activity on fresh infrastructure after a drop caused by US sanctions.
---------------------------------------------
https://www.securityweek.com/predator-spyware-resurfaces-with-fresh-infrast…
∗∗∗ Chinese APT Abuses VSCode to Target Government in Asia ∗∗∗
---------------------------------------------
A first in our telemetry: Chinese APT Stately Taurus uses Visual Studio Code to maintain a reverse shell in victims' environments for Southeast Asian espionage.
---------------------------------------------
https://unit42.paloaltonetworks.com/stately-taurus-abuses-vscode-southeast-…
∗∗∗ Sextortion scam attempt I: recording of porn consumption; and "invoice payment" ∗∗∗
---------------------------------------------
So-called sextortion campaigns are currently running again, in which victims are to be blackmailed by e-mail with allegedly compromising material. I am therefore summarising some information from the last few days about ongoing sextortion campaigns in ..
---------------------------------------------
https://www.borncity.com/blog/2024/09/09/sextortion-betrugsversuch-i-aufzei…
∗∗∗ AI Firm’s Misconfigured Server Exposed 5.3 TB of Mental Health Records ∗∗∗
---------------------------------------------
A misconfigured server from a US-based AI healthcare firm Confidant Health exposed 5.3 TB of sensitive mental health…
---------------------------------------------
https://hackread.com/ai-firm-misconfigured-server-exposed-mental-health-dat…
∗∗∗ CISA Adds Three Known Exploited Vulnerabilities to Catalog ∗∗∗
---------------------------------------------
CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/09/09/cisa-adds-three-known-ex…
∗∗∗ Keeping an eye on your own identity: Google Dark Web Report warns of data leaks ∗∗∗
---------------------------------------------
Google's Dark Web Report lets you monitor your own identity for data breaches. The service is now free and no longer part of a subscription.
---------------------------------------------
https://heise.de/-9860797
∗∗∗ Poland breaks up ring of cyber saboteurs ∗∗∗
---------------------------------------------
Poland, an EU and NATO member, is increasingly the target of cyberattacks. Warsaw suspects Russian and Belarusian intelligence services are behind them.
---------------------------------------------
https://heise.de/-9862555
=====================
= Vulnerabilities =
=====================
∗∗∗ ZDI-24-1196: Adobe Acrobat Reader DC Doc Object Use-After-Free Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Adobe Acrobat Reader DC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 3.3. The following CVEs are assigned: CVE-2024-45107.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-24-1196/
∗∗∗ DSA-5767-1 thunderbird - security update ∗∗∗
---------------------------------------------
https://lists.debian.org/debian-security-announce/2024/msg00180.html
∗∗∗ Security Vulnerabilities fixed in Firefox ESR 115.13 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2024-30/
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 05-09-2024 18:00 − Friday 06-09-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ US charges Russian GRU hackers behind WhisperGate intrusions ∗∗∗
---------------------------------------------
Feds post $10 million bounty for each of the six's whereabouts. The US today charged five Russian military intelligence officers and one civilian for their involvement with the data-wiping WhisperGate campaign conducted against Ukraine in January 2022 before the ground invasion began.
---------------------------------------------
https://www.theregister.com/2024/09/05/uncle_sam_charges_russian_gru/
∗∗∗ Ransomware Gang Claims Cyberattack on Planned Parenthood ∗∗∗
---------------------------------------------
Planned Parenthood confirms "cybersecurity incident" as RansomHub ransomware gang threatens to leak 93 Gb of data stolen from the nonprofit last week.
---------------------------------------------
https://www.securityweek.com/ransomware-gang-claims-cyberattack-on-planned-…
∗∗∗ Security vulnerabilities in Veeam Backup & Replication - updates available ∗∗∗
---------------------------------------------
Software vendor Veeam has released updates for several of its products. Among the vulnerabilities fixed as part of this release is CVE-2024-40711, a severe vulnerability in Veeam Backup & Replication. Exploiting this vulnerability allows unauthenticated attackers to ..
---------------------------------------------
https://www.cert.at/de/aktuelles/2024/9/sicherheitslucken-in-veeam-backup-r…
∗∗∗ Active exploitation of a security vulnerability in SonicWall SonicOS (CVE-2024-40766) ∗∗∗
---------------------------------------------
On 21.08.2024 the vendor SonicWall published an advisory on a severe security vulnerability in SonicOS, its operating system for network devices. Exploiting this flaw, CVE-2024-40766, could allow attackers to crash affected devices. At the same time as the ..
---------------------------------------------
https://www.cert.at/de/aktuelles/2024/9/aktive-ausnutzung-einer-sicherheits…
∗∗∗ Colombian president suggests prior administration illegally sent $11 million in cash to Israel for spyware ∗∗∗
---------------------------------------------
Colombia’s President Gustavo Petro said Wednesday that his administration is probing the disappearance of $11 million allegedly used to buy powerful Pegasus spyware, which he said he believes was acquired by the previous administration.
---------------------------------------------
https://therecord.media/colombian-president-pegasus-spyware-israel-missing-…
∗∗∗ Password spraying attacks on (Sophos) firewalls from IP 92.53.65.166 ∗∗∗
---------------------------------------------
A short note for administrators of Sophos firewalls - a reader has pointed out to me that since 5 September 2024 he has been observing an increasing number of attack attempts on his Sophos firewalls. The VPN portal in particular is being flooded with login attempts over port 443 ..
---------------------------------------------
https://www.borncity.com/blog/2024/09/06/passwort-spraying-angriffe-auf-sop…
∗∗∗ Hunting Chromium Notifications ∗∗∗
---------------------------------------------
Browser notifications provide social-engineering opportunities. In this post we'll cover the associated forensic artifacts, threat hunting possibilities and hardening recommendations.
---------------------------------------------
https://blog.nviso.eu/2024/09/06/hunting-chromium-notifications/
∗∗∗ The best and worst ways to get users to improve their account security ∗∗∗
---------------------------------------------
In my opinion, mandatory enrollment is best enrollment.
---------------------------------------------
https://blog.talosintelligence.com/threat-source-newsletter-sept-5-2024/
=====================
= Vulnerabilities =
=====================
∗∗∗ ZDI-24-1195: Malwarebytes Antimalware Link Following Local Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-24-1195/
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 04-09-2024 18:00 − Thursday 05-09-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Hacker trap: Fake OnlyFans tool backstabs cybercriminals, steals passwords ∗∗∗
---------------------------------------------
Hackers are targeting other hackers with a fake OnlyFans tool that claims to help steal accounts but instead infects threat actors with the Lumma stealer information-stealing malware.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hacker-trap-fake-onlyfans-to…
∗∗∗ Windows 11/Server 2024 SMB Security-Hardening ∗∗∗
---------------------------------------------
At the end of August 2024, ahead of the upcoming releases of Windows 11 24H2 and Windows Server 2025, Microsoft published a Tech Community post on "SMB security hardening". This is part of the Microsoft Secure Future Initiative (SFI); the operating systems are to ship with hardened SMB settings from the start in order to be better protected against cyberattacks.
---------------------------------------------
https://www.borncity.com/blog/2024/09/05/windows-11-server-2024-smb-securit…
∗∗∗ CVE-2024-45195: Apache OFBiz Unauthenticated Remote Code Execution (Fixed) ∗∗∗
---------------------------------------------
Apache OFBiz below 18.12.16 is vulnerable to unauthenticated remote code execution (CVE-2024-45195) on Linux and Windows. Exploitation is facilitated by bypassing previous patches. [..] Based on our analysis, three of these vulnerabilities are, essentially, the same vulnerability with the same root cause. Since the patch bypass we are disclosing today elaborates on those previous disclosures, we’ll outline them now.
---------------------------------------------
https://www.rapid7.com/blog/post/2024/09/05/cve-2024-45195-apache-ofbiz-una…
∗∗∗ Watch the Typo: Our PoC Exploit for Typosquatting in GitHub Actions ∗∗∗
---------------------------------------------
In this blog, we explain how we managed to leverage typosquatting in GitHub Actions and got several applications with inadvertent typos to run our ‘fake’ action. If we had bad intentions, these mistakenly triggered actions could have included malicious code, for instance installing malware, stealing secrets, or making covert changes to code.
---------------------------------------------
https://orca.security/resources/blog/typosquatting-in-github-actions/
∗∗∗ Threat Actors Exploit GeoServer Vulnerability CVE-2024-36401 ∗∗∗
---------------------------------------------
On July 1, the project maintainers released an advisory for the vulnerability CVE-2024-36401 (CVSS score: 9.8). Multiple OGC request parameters allow remote code execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions. The shortcoming has been addressed in versions 2.23.6, 2.24.4, and 2.25.2. [..] In this article, we will explore the details of the payload and malware.
---------------------------------------------
https://feeds.fortinet.com/~/904077668/0/fortinet/blogs~Threat-Actors-Explo…
=====================
= Vulnerabilities =
=====================
∗∗∗ Veeam warns of critical RCE flaw in Backup & Replication software ∗∗∗
---------------------------------------------
Veeam has released security updates for several of its products as part of a single September 2024 security bulletin that addresses 18 high and critical severity flaws in Veeam Backup & Replication, Service Provider Console, and One.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/veeam-warns-of-critical-rce-…
∗∗∗ Attackers can slip through a backdoor in Cisco Smart Licensing Utility ∗∗∗
---------------------------------------------
Due to several vulnerabilities, attacks on Cisco Expressway Edge, Duo Epic for Hyperdrive, Identity Services Engine, Meraki Systems Manager and Smart Licensing Utility are conceivable. [..] Smart Licensing Utility is threatened by two "critical" security vulnerabilities (CVE-2024-20439, CVE-2024-20440). In the first case, a remote attacker can access instances without logging in because of static admin credentials. With the account's admin rights, an attacker gains full control. [..] Meraki Systems Manager Agent for Windows can choke on a DLL file prepared with malicious code due to a vulnerability (CVE-2024-20430, "high"). [..]
---------------------------------------------
https://heise.de/-9857962
∗∗∗ Drupal: Security advisories 2024-September-04 ∗∗∗
---------------------------------------------
Drupal released 5 security advisories (1x Critical, 4x Moderately critical)
---------------------------------------------
https://www.drupal.org/security
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (bubblewrap and flatpak, containernetworking-plugins, fence-agents, ghostscript, krb5, orc, podman, python3.11, python3.9, resource-agents, runc, and wget), Debian (chromium, cinder, glance, gnutls28, nova, nsis, python-oslo.utils, ruby-sinatra, and setuptools), Fedora (kernel), Oracle (bubblewrap and flatpak, buildah, containernetworking-plugins, fence-agents, ghostscript, gvisor-tap-vsock, kernel, krb5, libndp, nodejs:18, orc, podman, postgresql, python-urllib3, python3.11, python3.12, python3.9, runc, skopeo, and wget), SUSE (hdf5, netcdf, trilinos), and Ubuntu (firefox, imagemagick, ironic, openssl, python-django, vim, and znc).
---------------------------------------------
https://lwn.net/Articles/989046/
∗∗∗ Juniper: SA Series: Multiple vulnerabilities resolved in Juniper Secure Analytics in 7.5.0 UP9 IF02 ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/On-Demand-JSA-Series-Multiple-v…
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 03-09-2024 18:00 − Wednesday 04-09-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Cloning YubiKeys? ∗∗∗
---------------------------------------------
Today there was a sensational report on this: they can be cloned. [..] That is clearly not good. But as so often with headlines of this kind, it is worth reading more closely what actually happened and how realistic the attacks really are.
---------------------------------------------
https://www.cert.at/de/blog/2024/9/yubikeys-eucleak
∗∗∗ Hackers Hijack 22,000 Removed PyPI Packages, Spreading Malicious Code to Developers ∗∗∗
---------------------------------------------
A new supply chain attack technique targeting the Python Package Index (PyPI) registry has been exploited in the wild in an attempt to infiltrate downstream organizations. It has been codenamed Revival Hijack by software supply chain security firm JFrog, which said the attack method could be used to hijack 22,000 existing PyPI packages and result in "hundreds of thousands" of malicious package downloads.
---------------------------------------------
https://thehackernews.com/2024/09/hackers-hijack-22000-removed-pypi.html
∗∗∗ Hackers inject malicious JS in Cisco store to steal credit cards, credentials ∗∗∗
---------------------------------------------
Cisco's site for selling company-themed merchandise is currently offline and under maintenance due to hackers compromising it with JavaScript code that steals sensitive customer details provided at checkout.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-inject-malicious-js-…
∗∗∗ Mallox ransomware: in-depth analysis and evolution ∗∗∗
---------------------------------------------
In this report, we provide an in-depth analysis of the Mallox ransomware, its evolution, ransom strategy, encryption scheme, etc.
---------------------------------------------
https://securelist.com/mallox-ransomware/113529/
∗∗∗ Earth Lusca Uses KTLVdoor Backdoor for Multiplatform Intrusion ∗∗∗
---------------------------------------------
While monitoring Earth Lusca, we discovered the threat group’s use of KTLVdoor, a highly obfuscated multiplatform backdoor, as part of a large-scale attack campaign.
---------------------------------------------
https://www.trendmicro.com/en_us/research/24/i/earth-lusca-ktlvdoor.html
∗∗∗ Advanced forensic techniques for recovering hidden data in wearable device ∗∗∗
---------------------------------------------
This blog post covers how forensic skills and tooling can be used to recover potentially sensitive data left on phones from devices such as Google’s Fitbit. The principles and techniques here also apply to similar products with similar functionality.
---------------------------------------------
https://www.pentestpartners.com/security-blog/advanced-forensic-techniques-…
∗∗∗ Beware of US Green Card lottery providers such as AmericanGC.com ∗∗∗
---------------------------------------------
For many, the USA is a dream destination for emigration. Through the Green Card lottery, up to 50,000 people per year are granted immigration with a green card. Demand for this lottery is high, and dubious and fraudulent providers such as AmericanGC.com take advantage of that.
---------------------------------------------
https://www.watchlist-internet.at/news/green-card-americangccom/
∗∗∗ US agencies are to secure Internet routing ∗∗∗
---------------------------------------------
The White House is putting pressure on agencies: they are to cryptographically secure their network routes. Only then can errors be noticed.
---------------------------------------------
https://heise.de/-9856483
∗∗∗ Mesh Wi-Fi from Plume Design: expensive snooping ∗∗∗
---------------------------------------------
Mesh networks are good against Wi-Fi dead zones. But beware: a US manufacturer monitors users with its routers and extenders and freely passes on confidential data. An investigation by Erik Bärwaldt (data protection, WLAN)
---------------------------------------------
https://www.golem.de/news/mesh-wlan-von-plume-design-teure-bespitzelung-240…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (buildah, gvisor-tap-vsock, nodejs:18, python-urllib3, and skopeo), Debian (firefox-esr and openssl), Fedora (apr and seamonkey), Red Hat (podman), Slackware (mozilla and seamonkey), SUSE (bubblewrap and flatpak, buildah, docker, dovecot23, ffmpeg, frr, go1.21-openssl, graphviz, java-1_8_0-openj9, kubernetes1.26, kubernetes1.27, kubernetes1.28, openssl-1_0_0, openssl-3, perl-DBI, python-aiohttp, python-Django, python-WebOb, thunderbird, tiff, ucode-intel, unbound, webkit2gtk3, and xen), and Ubuntu (drupal7 and twisted).
---------------------------------------------
https://lwn.net/Articles/988746/
∗∗∗ Android Patchday: updates close several high-risk vulnerabilities ∗∗∗
---------------------------------------------
It is now up to the phone manufacturers to pour the security-relevant bug fixes into firmware updates for Android smartphones and distribute them to the affected customers.
---------------------------------------------
https://heise.de/-9856847
∗∗∗ WordPress Plugin "Advanced Custom Fields" vulnerable to cross-site scripting ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN67963942/
∗∗∗ Progress: OpenEdge Third-Party Vulnerabilities Fixed In OpenEdge LTS Update 11.7.20 ∗∗∗
---------------------------------------------
https://community.progress.com/s/article/OpenEdge-Third-Party-Vulnerabiliti…
∗∗∗ Hitachi Energy: Multiple vulnerabilities in Hitachi Energy MicroSCADA X SYS600 product ∗∗∗
---------------------------------------------
https://publisher.hitachienergy.com/preview?DocumentID=8DBD000160&LanguageC…
∗∗∗ Zyxel security advisory for OS command injection vulnerability in APs and security router devices ∗∗∗
---------------------------------------------
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-…
∗∗∗ Zyxel security advisory for buffer overflow vulnerability in some 5G NR CPE, DSL/Ethernet CPE, fiber ONT, WiFi extender, and security router devices ∗∗∗
---------------------------------------------
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-…
∗∗∗ Mozilla: Security Vulnerabilities fixed in Firefox and Focus ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/
∗∗∗ C-MOR: Multiple security vulnerabilities in the C-MOR video surveillance software (SYSS-2024-020 to -030) ∗∗∗
---------------------------------------------
https://www.syss.de/pentest-blog/mehrere-sicherheitsschwachstellen-in-video…
∗∗∗ F5: K000140908: MySQL Server vulnerability CVE-2024-21134 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000140908
=====================
= End-of-Day report =
=====================
Timeframe: Monday 02-09-2024 18:00 − Tuesday 03-09-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ D-Link says it is not fixing four RCE flaws in DIR-846W routers ∗∗∗
---------------------------------------------
D-Link is warning that four remote code execution (RCE) flaws impacting all hardware and firmware versions of its DIR-846W router will not be fixed as the products are no longer supported. [..] The researcher published the information on August 27, 2024, but has withheld the publication of proof-of-concept (PoC) exploits for now.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/d-link-says-it-is-not-fixing…
∗∗∗ The state of sandbox evasion techniques in 2024 ∗∗∗
---------------------------------------------
This post is about sandbox evasion techniques and their usefulness in more targeted engagements.
---------------------------------------------
https://fudgedotdotdot.github.io/posts/sandbox-evasion-in-2024/sandboxes.ht…
∗∗∗ CVE-2024-37084: Spring Cloud Remote Code Execution ∗∗∗
---------------------------------------------
CVE-2024-37084 is a critical security vulnerability in Spring Cloud Skipper, specifically related to how the application processes YAML input. [..] The vulnerability affects versions 2.11.0 through 2.11.3 of Spring Cloud Skipper.
---------------------------------------------
https://blog.securelayer7.net/spring-cloud-skipper-vulnerability/
∗∗∗ Intel Responds to SGX Hacking Research ∗∗∗
---------------------------------------------
Intel has shared some clarifications on claims made by a researcher regarding the hacking of its SGX security technology.
---------------------------------------------
https://www.securityweek.com/intel-responds-to-sgx-hacking-research/
∗∗∗ Ignore invoices and payment reminders from cvneed.com ∗∗∗
---------------------------------------------
You created a CV on cvneed.com? You assumed it was free? But suddenly invoices and even payment reminders are arriving? Ignore them and pay nothing. It is a subscription trap!
---------------------------------------------
https://www.watchlist-internet.at/news/mahnungen-von-cvneed/
∗∗∗ CISA Adds Three Known Exploited Vulnerabilities to Catalog ∗∗∗
---------------------------------------------
CVE-2021-20123/CVE-2021-20124 Draytek VigorConnect Path Traversal Vulnerability,
CVE-2024-7262 Kingsoft WPS Office Path Traversal Vulnerability
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/09/03/cisa-adds-three-known-ex…
∗∗∗ Threat actors using MacroPack to deploy Brute Ratel, Havoc and PhantomCore payloads ∗∗∗
---------------------------------------------
Cisco Talos recently discovered several related Microsoft Office documents uploaded to VirusTotal by various actors between May and July 2024 that were all generated by a version of a payload generator framework called “MacroPack.”
---------------------------------------------
https://blog.talosintelligence.com/threat-actors-using-macropack/
∗∗∗ A look into Web Application Security ∗∗∗
---------------------------------------------
An in-depth look into Web Application Security, and Bitsight's approach to related security metrics.
---------------------------------------------
https://www.bitsight.com/blog/look-web-application-security
=====================
= Vulnerabilities =
=====================
∗∗∗ Zyxel: Multiple high-risk security vulnerabilities in firewalls ∗∗∗
---------------------------------------------
Zyxel warns of several security vulnerabilities in the company's firewalls. Updates that close the holes are available. [..] The most severe is a vulnerability that allows attackers to inject commands in the IPSec VPN of Zyxel firewalls. Using manipulated usernames, they can smuggle in commands that are then executed by the operating system.
---------------------------------------------
https://heise.de/-9855938
∗∗∗ VMSA-2024-0018: VMware Fusion update addresses a code execution vulnerability (CVE-2024-38811) ∗∗∗
---------------------------------------------
VMware Fusion contains a code-execution vulnerability due to the usage of an insecure environment variable. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.8.
---------------------------------------------
https://support.broadcom.com/web/ecx/support-content-notification/-/extern…
∗∗∗ OpenSSL Security Advisory [3rd September 2024] ∗∗∗
---------------------------------------------
Possible denial of service in X.509 name checks (CVE-2024-6119) [..] OpenSSL 3.3, 3.2, 3.1 and 3.0 are vulnerable to this issue.
---------------------------------------------
https://openssl-library.org/news/secadv/20240903.txt
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (python3.12), Debian (calibre, exfatprogs, frr, git, libtommath, nbconvert, ruby-nokogiri, ruby-tzinfo, and webkit2gtk), Fedora (flatpak, lua-mpack, and python3.12), Red Hat (389-ds-base, 389-ds:1.4, buildah, fence-agents, gvisor-tap-vsock, httpd:2.4, kernel, kernel-rt, nodejs:18, orc, postgresql, postgresql:12, postgresql:13, postgresql:15, python-urllib3, python3.12, and skopeo), SUSE (389-ds, bubblewrap and flatpak, cacti, cacti-spine, curl, glib2, kernel-firmware, libqt5-qt3d, libqt5-qtquick3d, opera, python39, qemu, unbound, xen, and zziplib), and Ubuntu (ffmpeg, linux-raspi-5.4, and python-webob).
---------------------------------------------
https://lwn.net/Articles/988570/
∗∗∗ Chrome 128 Updates Patch High-Severity Vulnerabilities ∗∗∗
---------------------------------------------
https://www.securityweek.com/chrome-128-updates-patch-high-severity-vulnera…
∗∗∗ Lenze: Install Directory with insufficient permissions ∗∗∗
---------------------------------------------
https://certvde.com/de/advisories/VDE-2024-053/
∗∗∗ LOYTEC Electronics LINX Series ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-247-01
=====================
= End-of-Day report =
=====================
Timeframe: Friday 30-08-2024 18:00 − Monday 02-09-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Administrative IT infiltrated: cyberattack hits Deutsche Flugsicherung ∗∗∗
---------------------------------------------
According to a company spokesperson, the incident affects the office IT of DFS. The attack apparently has no impact on air traffic. [..] Who exactly is behind the cyberattack on Deutsche Flugsicherung cannot yet be answered with certainty. [..] The company is currently working to contain the incident and minimise its impact.
---------------------------------------------
https://www.golem.de/news/administrative-it-infiltriert-cyberangriff-trifft…
∗∗∗ TSA airport security checks bypassed via SQL injection ∗∗∗
---------------------------------------------
Security researchers in the USA have succeeded in fooling the FlyCASS security system via SQL injection and thereby bypassing access controls.
---------------------------------------------
https://heise.de/-9853305
∗∗∗ Windows: DLL side-loading attacks via licensingdiag.exe ∗∗∗
---------------------------------------------
Anyone who is concerned about Windows security should keep an eye on the command-line tool licensingdiag.exe. It is another "living off the land" tool that can be used for DLL side-loading attacks.
---------------------------------------------
https://www.borncity.com/blog/2024/09/01/windows-side-loading-dll-angriffe-…
∗∗∗ Spoofed GlobalProtect Used to Deliver Unique WikiLoader Variant ∗∗∗
---------------------------------------------
Unit 42 discusses WikiLoader malware spoofing GlobalProtect VPN, detailing evasion techniques, malicious URLs, and mitigation strategies.
---------------------------------------------
https://unit42.paloaltonetworks.com/global-protect-vpn-spoof-distributes-wi…
∗∗∗ GitHub comments abused to push password stealing malware masked as fixes ∗∗∗
---------------------------------------------
GitHub is being abused to distribute the Lumma Stealer information-stealing malware as fake fixes posted in project comments. [..] The solution tells people to download a password-protected archive from mediafire.com or through a bit.ly URL and run the executable within it. In the current campaign, the password has been "changeme" in all the comments we have seen.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/github-comments-abused-to-pu…
∗∗∗ Docker-OSX image used for security research hit by Apple DMCA takedown ∗∗∗
---------------------------------------------
The popular Docker-OSX project has been removed from Docker Hub after Apple filed a DMCA (Digital Millennium Copyright Act) takedown request, alleging that it violated its copyright.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/docker-osx-image-used-for-se…
∗∗∗ Cicada3301 ransomware’s Linux encryptor targets VMware ESXi systems ∗∗∗
---------------------------------------------
A new ransomware-as-a-service (RaaS) operation named Cicada3301 has already listed 19 victims on its extortion portal, as it quickly attacked companies worldwide. [..] An analysis of the new malware by Truesec revealed significant overlaps between Cicada3301 and ALPHV/BlackCat, indicating a possible rebrand or a fork created by former ALPHV's core team members. [..] For context, ALPHV performed an exit scam in early March 2024 involving fake claims about an FBI takedown operation after they stole a massive $22 million payment from Change Healthcare from one of their affiliates.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cicada3301-ransomwares-linux…
∗∗∗ Handed over an ID copy and personal data to criminals? Here is what you can do ∗∗∗
---------------------------------------------
You fell victim to a scam and in the process handed over personal data or even copies of your ID? We show you what you can do if criminals have obtained your data!
---------------------------------------------
https://www.watchlist-internet.at/news/ausweiskopie-und-persoenliche-daten-…
∗∗∗ "Voldemort" malware: attackers increasingly target taxpayers ∗∗∗
---------------------------------------------
A new wave of attacks is increasingly targeting tax authorities, but also other government agencies and companies in various countries, including in this country. The "Voldemort" malware is distributed via phishing emails. Anyone who clicks may end up installing a backdoor. [..] More than half of the affected organisations come from the insurance, aerospace, transport and education sectors.
---------------------------------------------
https://heise.de/-9854106
=====================
= Vulnerabilities =
=====================
∗∗∗ Fortra fixed two severe issues in FileCatalyst Workflow, including a critical flaw ∗∗∗
---------------------------------------------
Cybersecurity and automation company Fortra released patches for two vulnerabilities in FileCatalyst Workflow. One of the vulnerabilities is a critical issue, tracked as CVE-2024-6633 (CVSS score of 9.8), described as Insecure Default in FileCatalyst Workflow Setup.
---------------------------------------------
https://securityaffairs.com/167838/security/fortra-filecatalyst-critical-wo…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (postgresql:16), Debian (dovecot, pymatgen, ruby2.7, systemd, and webkit2gtk), Fedora (microcode_ctl, python3.11, vim, and xen), Oracle (kernel, postgresql:12, postgresql:13, postgresql:15, and python39:3.9 and python39-devel:3.9), Slackware (libpcap), SUSE (cacti, cacti-spine, python-Django, and trivy), and Ubuntu (dovecot).
---------------------------------------------
https://lwn.net/Articles/988364/
∗∗∗ WordPress Vulnerability & Patch Roundup August 2024 ∗∗∗
---------------------------------------------
https://blog.sucuri.net/2024/08/wordpress-vulnerability-patch-roundup-augus…
∗∗∗ MISP 2.4.197 released with many bugs fixed, a security fix and improvements. ∗∗∗
---------------------------------------------
https://github.com/MISP/MISP/releases/tag/v2.4.197
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 29-08-2024 18:00 − Friday 30-08-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Fake Palo Alto GlobalProtect used as lure to backdoor enterprises ∗∗∗
---------------------------------------------
Threat actors target Middle Eastern organizations with malware disguised as the legitimate Palo Alto GlobalProtect Tool that can steal data and execute remote PowerShell commands to infiltrate internal networks further.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fake-palo-alto-globalprotect…
∗∗∗ FBI: RansomHub ransomware breached 210 victims since February ∗∗∗
---------------------------------------------
Since surfacing in February 2024, RansomHub ransomware affiliates have breached over 200 victims from a wide range of critical U.S. infrastructure sectors.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fbi-ransomhub-ransomware-bre…
∗∗∗ Russian hackers use the same vulnerabilities as state trojans ∗∗∗
---------------------------------------------
Experts repeatedly warn that criminals can also use the same loopholes through which governments monitor suspects.
---------------------------------------------
https://futurezone.at/netzpolitik/russische-hacker-staatstrojaner-messenger…
∗∗∗ Study: 78 percent of all ransomware victims apparently pay ransom ∗∗∗
---------------------------------------------
Many affected companies apparently even pay several times. Four or more ransom payments are not uncommon either - especially in Germany.
---------------------------------------------
https://www.golem.de/news/studie-78-prozent-aller-ransomware-opfer-zahlen-o…
∗∗∗ Feds claim sinister sysadmin locked up thousands of Windows workstations, demanded ransom ∗∗∗
---------------------------------------------
Sordid search history evidence in case that could see him spend 35 years for extortion and wire fraud. A former infrastructure engineer who allegedly locked IT department colleagues out of their employer's systems, then threatened to shut down servers unless paid a ransom, has been arrested and charged after an FBI investigation.
---------------------------------------------
https://www.theregister.com/2024/08/29/vm_engineer_extortion_allegations/
∗∗∗ How to enhance the security of your social media accounts ∗∗∗
---------------------------------------------
TL;DR Strong passwords: Use a password manager. Multi-factor authentication (MFA): MFA requires multiple forms of identification, adding an extra layer of security. This makes it harder for unauthorised users to ..
---------------------------------------------
https://www.pentestpartners.com/security-blog/how-to-enhance-the-security-o…
∗∗∗ TLD Tracker: Exploring Newly Released Top-Level Domains ∗∗∗
---------------------------------------------
Unit 42 researchers use a novel graph-based pipeline to detect misuse of 19 new TLDs for phishing, chatbots and more in several case studies.
---------------------------------------------
https://unit42.paloaltonetworks.com/tracking-newly-released-top-level-domai…
∗∗∗ Malicious North Korean packages appear again in open source code repository ∗∗∗
---------------------------------------------
North Korean hackers continue to exploit the widely used npm code repository, publishing malicious packages intended to infect software developers’ devices with malware, according to recent research.
---------------------------------------------
https://therecord.media/npm-javascript-repository-north-korean-malware
∗∗∗ TR-88 - Motivation, procedure and rationale for leaked credential notifications ∗∗∗
---------------------------------------------
In today’s digital landscape, protecting user data is essential for every organization. When public data leaks expose customer credentials, it is critical to respond promptly to mitigate risks. This document outlines why CIRCL ..
---------------------------------------------
https://www.circl.lu/pub/tr-88
∗∗∗ Silent Intrusions: Godzilla Fileless Backdoors Targeting Atlassian Confluence ∗∗∗
---------------------------------------------
Trend Micro discovered that old Atlassian Confluence versions that were affected by CVE-2023-22527 are being exploited using a new in-memory fileless backdoor.
---------------------------------------------
https://www.trendmicro.com/en_us/research/24/h/godzilla-fileless-backdoors.…
∗∗∗ Gaps in Skills, Knowledge, and Technology Pave the Way for Breaches ∗∗∗
---------------------------------------------
The stakes continue growing higher for organizations when it comes to cybersecurity incidents, with the fallout of such incidents becoming more costly and complex. According to the Fortinet 2024 Cybersecurity Skills Gap Report, the overwhelming majority (87%) of those surveyed said they experienced one or ..
---------------------------------------------
https://www.fortinet.com/blog/industry-trends/gaps-in-skills-knowledge-tech…
∗∗∗ Ransomware Roundup - Underground ∗∗∗
---------------------------------------------
The Underground ransomware has victimized companies in various industries since July 2023. It encrypts files without changing the original file extension.
---------------------------------------------
https://www.fortinet.com/blog/threat-research/ransomware-roundup-underground
∗∗∗ After cyberattack: solar provider "Qcells" informs customers about data leak ∗∗∗
---------------------------------------------
There is yet another data leak in the solar industry. Qcells customers are therefore being informed.
---------------------------------------------
https://heise.de/-9852641
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (libvpx, postgresql, postgresql:12, postgresql:13, postgresql:15, and python39:3.9 and python39-devel:3.9), Debian (chromium and ghostscript), Fedora (python3.13), and SUSE (chromium and podman).
---------------------------------------------
https://lwn.net/Articles/987836/
∗∗∗ DSA-5761-1 chromium - security update ∗∗∗
---------------------------------------------
https://lists.debian.org/debian-security-announce/2024/msg00174.html
∗∗∗ IPCOM vulnerable to information disclosure ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN29238389/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 28-08-2024 18:00 − Thursday 29-08-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Unpatchable 0-day in surveillance cam is being exploited to install Mirai ∗∗∗
---------------------------------------------
Vulnerability is easy to exploit and allows attackers to remotely execute commands.
---------------------------------------------
https://arstechnica.com/?p=2046043
∗∗∗ Iranian hackers work with ransomware gangs to extort breached orgs ∗∗∗
---------------------------------------------
An Iran-based hacking group known as Pioneer Kitten is breaching defense, education, finance, and healthcare organizations across the United States and working with affiliates of several ransomware operations to extort the victims.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/iranian-hackers-work-with-ra…
∗∗∗ Finally: measure against calls with spoofed numbers comes into force ∗∗∗
---------------------------------------------
From 1 September it should no longer be possible for one's own mobile number to be used for spam calls.
---------------------------------------------
https://futurezone.at/netzpolitik/rtr-veordnung-massnahme-nummer-gefaelscht…
∗∗∗ Peach Sandstorm deploys new custom Tickler malware in long-running intelligence gathering operations ∗∗∗
---------------------------------------------
Between April and July 2024, Microsoft observed Iranian state-sponsored threat actor Peach Sandstorm deploying a new custom multi-stage backdoor, which we named Tickler. Tickler has been used in attacks against targets in the satellite, communications equipment, oil and gas, as well as federal and state government sectors in the United States and the ..
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2024/08/28/peach-sandstorm-de…
∗∗∗ Cybercrime and Sabotage Cost German Firms $300 Billion In Past Year ∗∗∗
---------------------------------------------
According to a new survey from Bitkom, cybercrime and other acts of sabotage have cost German companies around $298 billion in the past year, up 29% on the year before. Reuters reports: Bitkom surveyed around 1,000 companies from all sectors and found that 90% expect more cyberattacks in the next 12 months, with the remaining 10% expecting the same level of ..
---------------------------------------------
https://it.slashdot.org/story/24/08/28/211228/cybercrime-and-sabotage-cost-…
∗∗∗ 12 Best Practices to Secure Your WordPress Login Page ∗∗∗
---------------------------------------------
WordPress powers a significant portion of websites on the internet. With this popularity comes the need for strict security measures, especially for the login page. These entry points are prime targets for hackers and malicious actors. By implementing proper security practices outlined in this guide, you can maintain a secure WordPress login and ..
---------------------------------------------
https://blog.sucuri.net/2024/08/12-best-practices-to-secure-your-wordpress-…
∗∗∗ Microsoft hosts a security summit but no press, public allowed ∗∗∗
---------------------------------------------
CrowdStrike, other vendors, friendly govt reps .. but not anyone who would tell you what happened. Op-ed: Microsoft will host a security summit next month with CrowdStrike and other "key" endpoint security partners joining the fun - and during which the CrowdStrike-induced outage that borked millions of Windows machines will undoubtedly be a top-line agenda item.
---------------------------------------------
https://www.theregister.com/2024/08/28/microsoft_closed_security_summit/
∗∗∗ Censys Finds Hundreds of Exposed Servers as Volt Typhoon APT Targets Service Providers ∗∗∗
---------------------------------------------
Amidst Volt Typhoon zero-day exploitation, Censys finds hundreds of exposed servers presenting ripe attack surface for attackers.
---------------------------------------------
https://www.securityweek.com/censys-finds-hundreds-of-exposed-servers-as-vo…
∗∗∗ Telegram as a fraud trap ∗∗∗
---------------------------------------------
The messaging service Telegram has been on everyone's lips at the latest since the arrest of its founder Pawel Durow in Paris. Telegram, however, has kept us at Watchlist Internet busy for much longer. Hardly anywhere else do criminals succeed so well in luring victims into their traps. Investment fraud, Ponzi schemes and fraudulent job offers in particular sometimes cause horrendous losses. So far there have been no consequences for the criminals on Telegram.
---------------------------------------------
https://www.watchlist-internet.at/news/telegram-als-betrugsfalle/
∗∗∗ $2.5 million reward offered for hacker linked to notorious Angler Exploit Kit ∗∗∗
---------------------------------------------
Who doesn't fancy earning US $2.5 million? That's the reward that's on offer from US authorities for information leading to the arrest and/or conviction of the man who allegedly was a key figure behind the development and distribution of the notorious Angler Exploit Kit. Read more in my article on the Tripwire State of Security blog.
---------------------------------------------
https://www.tripwire.com/state-of-security/25-million-reward-offered-cyber-…
∗∗∗ Cisco: BlackByte ransomware gang only posting 20% to 30% of successful attacks ∗∗∗
---------------------------------------------
The BlackByte ransomware gang is only posting a fraction of its successful attacks on its leak site this year, according to researchers from Cisco.
---------------------------------------------
https://therecord.media/blackbyte-ransomware-group-posting-fraction-of-leaks
∗∗∗ State-backed attackers and commercial surveillance vendors repeatedly use the same exploits ∗∗∗
---------------------------------------------
We’re sharing an update on suspected state-backed attacker APT29 and the use of exploits identical to those used by Intellexa and NSO.
---------------------------------------------
https://blog.google/threat-analysis-group/state-backed-attackers-and-commer…
∗∗∗ The Big TIBER Encyclopedia ∗∗∗
---------------------------------------------
An analysis of current TIBER implementations ahead of DORA's TLPT requirements. Introduction: TIBER (Threat Intelligence-Based Ethical Red Teaming) is a framework introduced by the European Central Bank (ECB) in 2018 as a response to the increasing number of cyber threats faced by financial institutions. The framework provides a ..
---------------------------------------------
https://blog.nviso.eu/2024/08/29/the-big-tiber-encyclopedia/
∗∗∗ The vulnerabilities we uncovered by fuzzing µC/OS protocol stacks ∗∗∗
---------------------------------------------
Fuzzing has long been one of our favorite ways to search for security issues or vulnerabilities in software, but when it comes to fuzzing popular systems used in ICS environments, it traditionally involved a custom hardware setup to fuzz the code in its native environment.
---------------------------------------------
https://blog.talosintelligence.com/fuzzing-uc-os-protocol-stacks/
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco Family August 2024 First Round Security Update Advisory ∗∗∗
---------------------------------------------
https://asec.ahnlab.com/en/82727/
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 27-08-2024 18:00 − Wednesday 28-08-2024 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ ISPs infiltrated: zero-day exploited for months ∗∗∗
---------------------------------------------
A vulnerability in the network software Versa Director (CVE-2024-39717) is being exploited more widely than initially known. Attackers have established themselves at at least three Internet service providers (ISPs) in the USA and one outside the country in order to intercept customer logins and passwords in plaintext before they are hashed and stored at the ISP. [..] The attack fails if the Versa patches have been installed or if port 4566 is not reachable from customer routers. For the latter, Versa has been recommending suitable firewall settings and system hardening for years.
---------------------------------------------
https://heise.de/-9849553
∗∗∗ ADAC warns: most keyless systems still easy to crack ∗∗∗
---------------------------------------------
The ADAC tested around 700 vehicles with keyless locking systems. More than 90 percent of them can be opened and started remotely via a relay attack.
---------------------------------------------
https://www.golem.de/news/adac-warnt-die-meisten-keyless-systeme-weiterhin-…
∗∗∗ Windows Downdate: tool for reopening old Windows vulnerabilities published ∗∗∗
---------------------------------------------
With Windows Downdate, Windows components such as DLLs, drivers or the NT kernel can be downgraded unnoticed to vulnerable versions. The tool is now public.
---------------------------------------------
https://www.golem.de/news/windows-downdate-tool-zum-oeffnen-alter-windows-l…
∗∗∗ Fraudulent cease-and-desist letter in the name of Pornhub ∗∗∗
---------------------------------------------
"Final reminder before legal action" is the subject line of an unsettling e-mail. The law firm Frommer Legal is currently sending out e-mails indiscriminately, claiming that the recipient has streamed copyrighted content from Pornhub.com.
---------------------------------------------
https://www.watchlist-internet.at/news/abmahnung-pornhub/
∗∗∗ Intel's Software Guard Extensions broken? Don't panic ∗∗∗
---------------------------------------------
Today's news that Intel's Software Guard Extensions (SGX) security system is open to abuse may be overstated. [..] However, Intel has pointed out that not only would an attacker need physical access to a machine to make this work, but that string of issues would have to have been left unfixed.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2024/08/27/intel_root_k…
∗∗∗ New QR Code Phishing Campaign Exploits Microsoft Sway to Steal Credentials ∗∗∗
---------------------------------------------
Cybersecurity researchers are calling attention to a new QR code phishing (aka quishing) campaign that leverages Microsoft Sway infrastructure to host fake pages, once again highlighting the abuse of legitimate cloud offerings for malicious purposes.
---------------------------------------------
https://thehackernews.com/2024/08/new-qr-code-phishing-campaign-exploits.ht…
∗∗∗ New LummaC2 Malware Variant Uses PowerShell, Obfuscation to Steal Data ∗∗∗
---------------------------------------------
Ontinue has discovered a new LummaC2 malware variant with increased activity, using PowerShell for initial infection and employing obfuscation and process injection to steal sensitive data.
---------------------------------------------
https://hackread.com/lummac2-malware-variant-powershell-obfuscation-steal-d…
∗∗∗ Old devices, new dangers: The risks of unsupported IoT tech ∗∗∗
---------------------------------------------
Outdated devices can be easy targets, so by keeping them disconnected from the internet or discontinuing their use, you can feel safe and secure from any cyber harm through them.
---------------------------------------------
https://www.welivesecurity.com/en/internet-of-things/old-devices-new-danger…
∗∗∗ CVE-2024-37079: VMware vCenter Server Integer Underflow Code Execution Vulnerability ∗∗∗
---------------------------------------------
A remote, unauthenticated attacker could exploit this vulnerability by sending a crafted DCERPC packet to the target server. Successfully exploiting this vulnerability could lead to a heap buffer overflow, which could result in the execution of arbitrary code in the context of the vulnerable service. [..] This vulnerability was patched by the vendor in June. At the time of the patch release, there was a fair amount of attention paid to this vulnerability. However, to date, there have been no attacks detected in the wild.
---------------------------------------------
https://www.thezdi.com/blog/2024/8/27/cve-2024-37079-vmware-vcenter-server-…
∗∗∗ BlackByte blends tried-and-true tradecraft with newly disclosed vulnerabilities to support ongoing attacks ∗∗∗
---------------------------------------------
In recent investigations, Talos Incident Response has observed the BlackByte ransomware group using techniques that depart from their established tradecraft.
---------------------------------------------
https://blog.talosintelligence.com/blackbyte-blends-tried-and-true-tradecra…
∗∗∗ Deep Analysis of Snake Keylogger’s New Variant ∗∗∗
---------------------------------------------
We performed a deep analysis on the campaign and discovered that it delivers a new variant of Snake Keylogger.
---------------------------------------------
https://feeds.fortinet.com/~/903638177/0/fortinet/blogs~Deep-Analysis-of-Sn…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (calibre, dotnet8.0, dovecot, webkit2gtk4.0, and webkitgtk), Oracle (nodejs:20), Red Hat (bind, bind and bind-dyndb-ldap, postgresql:16, and squid), Slackware (kcron and plasma), SUSE (keepalived and webkit2gtk3), and Ubuntu (drupal7).
---------------------------------------------
https://lwn.net/Articles/987519/
∗∗∗ DSA-5759-1 python3.11 - security update ∗∗∗
---------------------------------------------
https://lists.debian.org/debian-security-announce/2024/msg00172.html
=====================
= End-of-Day report =
=====================
Timeframe: Monday 26-08-2024 18:00 − Tuesday 27-08-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Hackers infect ISPs with malware that steals customers’ credentials ∗∗∗
---------------------------------------------
Zero-day that was exploited since June to infect ISPs finally gets fixed.
---------------------------------------------
https://arstechnica.com/?p=2045401
∗∗∗ Google tags a tenth Chrome zero-day as exploited this year ∗∗∗
---------------------------------------------
Today, Google revealed that it patched the tenth zero-day exploited in the wild in 2024 by attackers or security researchers during hacking contests.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/google-tags-a-tenth-chrome-z…
∗∗∗ Exposed and Encrypted: Inside a Mallox Ransomware Attack ∗∗∗
---------------------------------------------
Recently, a client enlisted the support of Trustwave to investigate an unauthorized access incident within its internal cloud-based environment, leading to the deployment of Mallox ransomware by threat actors to its server.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/exposed-and…
∗∗∗ Microsoft mistake blows up admins' inboxes with fake malware alerts ∗∗∗
---------------------------------------------
Legitimate emails misclassified in software snafu. Updated: Many administrators have had a trying Monday after getting spammed out with false malware reports by Microsoft.
---------------------------------------------
https://www.theregister.com/2024/08/26/microsoft_365_email_malware/
∗∗∗ ThreatLabz Discovers 117 Vulnerabilities in Microsoft 365 Apps Via the SketchUp 3D Library - Part 2 ∗∗∗
---------------------------------------------
In Part 1 of this series, we’ve demonstrated how ThreatLabz reverse engineered the SketchUp 3D library in Microsoft 365 as well as the SKP file format. Furthermore, we developed two effective fuzzing harnesses. Microsoft published CVE-2023-28285 and CVE-2023-29344 (in April and May of 2023, respectively) to address the vulnerabilities ..
---------------------------------------------
https://www.zscaler.com/blogs/security-research/threatlabz-discovers-117-vu…
∗∗∗ A malicious Pidgin plugin ∗∗∗
---------------------------------------------
The developers of the Pidgin chat program have announced that a malicious plugin had been listed on its third-party plugins list for over one month. This plugin included a key logger and could capture screenshots. It went unnoticed at the time that the plugin was not providing any source code and was only providing binaries for download. Going forward, we will be ..
---------------------------------------------
https://lwn.net/Articles/987320/
∗∗∗ WordPress GiveWP POP to RCE (CVE-2024-5932) ∗∗∗
---------------------------------------------
A few days ago, Wordfence published a blog post about a PHP Object Injection vulnerability affecting the popular WordPress Plugin GiveWP in all versions <= 3.14.1. Since the blog post contains only information about (a part of) the POP chain used, I decided to take a look and build a fully functional Remote Code Execution exploit. This post describes ..
---------------------------------------------
https://www.rcesecurity.com/2024/08/wordpress-givewp-pop-to-rce-cve-2024-59…
∗∗∗ 7777 Botnet – Insights into a Multi-Target Botnet ∗∗∗
---------------------------------------------
Our latest research, a collaboration between Bitsight TRACE & the security researcher Gi7w0rm, has uncovered additional details & information about the 7777 Botnet.
---------------------------------------------
https://www.bitsight.com/blog/7777-botnet-insights-multi-target-botnet
∗∗∗ NFC malware empties bank accounts ∗∗∗
---------------------------------------------
An attacker combines phishing and malware to present fake bank cards to ATMs and withdraw money via NFC. This was observed in the Czech Republic.
---------------------------------------------
https://heise.de/-9848256
=====================
= Vulnerabilities =
=====================
∗∗∗ Moodle: Remote Code Execution via Calculated Questions ∗∗∗
---------------------------------------------
Attackers with the permission to create or modify questions in Moodle courses are able to craft malicious inputs for calculated questions, which can be abused to execute arbitrary commands on the underlying system.
---------------------------------------------
https://www.redteam-pentesting.de/en/advisories/rt-sa-2024-009/
∗∗∗ ZDI-24-1182: Linux Kernel Netfilter Conntrack Type Confusion Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-24-1182/
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/987393/
=====================
= End-of-Day report =
=====================
Timeframe: Friday 23-08-2024 18:00 − Monday 26-08-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Stealthy sedexp Linux malware evaded detection for two years ∗∗∗
---------------------------------------------
A stealthy Linux malware named sedexp has been evading detection since 2022 by using a persistence technique not yet included in the MITRE ATT&CK framework.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/stealthy-sedexp-linux-malwar…
∗∗∗ BSI: security review of Huawei remains a state secret ∗∗∗
---------------------------------------------
Because Germany's security interests are affected, the BSI is not disclosing its technical review of Huawei. At least Golem.de has achieved that the classification was re-examined.
---------------------------------------------
https://www.golem.de/news/bsi-pruefung-der-sicherheit-von-huawei-bleibt-ein…
∗∗∗ GDPR violation: Uber to pay 290 million euro fine ∗∗∗
---------------------------------------------
The popular ride-hailing service is accused of having transferred sensitive driver data to the USA with inadequate protection for more than two years.
---------------------------------------------
https://www.golem.de/news/datenuebertragung-in-die-usa-uber-soll-290-millio…
∗∗∗ From Highly Obfuscated Batch File to XWorm and Redline, (Mon, Aug 26th) ∗∗∗
---------------------------------------------
If you follow my diaries, you probably already know that one of my favorite topics around malware is obfuscation. I'm often impressed by the crazy techniques attackers use to ..
---------------------------------------------
https://isc.sans.edu/diary/From+Highly+Obfuscated+Batch+File+to+XWorm+and+R…
∗∗∗ SonicWall Issues Critical Patch for Firewall Vulnerability Allowing Unauthorized Access ∗∗∗
---------------------------------------------
SonicWall has released security updates to address a critical flaw impacting its firewalls that, if successfully exploited, could grant malicious actors unauthorized access to the devices. The vulnerability, tracked as ..
---------------------------------------------
https://thehackernews.com/2024/08/sonicwall-issues-critical-patch-for.html
∗∗∗ Cisco calls for United Nations to revisit cyber-crime convention ∗∗∗
---------------------------------------------
Echoes human rights groups' concerns that it could suppress free speech and more. Networking giant Cisco has suggested the United Nations' first-ever convention against cyber-crime is dangerously flawed and should be revised before being put to a formal vote.
---------------------------------------------
https://www.theregister.com/2024/08/22/cisco_criticizes_un_cybercrime_conve…
∗∗∗ Post-Quantum Cryptography: Standards and Progress ∗∗∗
---------------------------------------------
The National Institute of Standards and Technology (NIST) just released three finalized standards for post-quantum cryptography (PQC) covering public key encapsulation and two forms of digital signatures. In progress since 2016, this achievement represents a major milestone towards standards development that will keep information on the Internet secure and confidential for many years to come.
---------------------------------------------
http://security.googleblog.com/2024/08/post-quantum-cryptography-standards.…
∗∗∗ Meta blocks Whatsapp accounts after hacker attacks ∗∗∗
---------------------------------------------
The Iranian hacker group APT42 was targeted in this action.
---------------------------------------------
https://www.derstandard.at/story/3000000233708/meta-blockiert-whatsapp-kont…
∗∗∗ CISA Adds One Known Exploited Vulnerability to Catalog for Versa Networks Director ∗∗∗
---------------------------------------------
CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of ..
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/08/23/cisa-adds-one-known-expl…
∗∗∗ PEAKLIGHT: Decoding the Stealthy Memory-Only Malware ∗∗∗
---------------------------------------------
Mandiant identified a new memory-only dropper using a complex, multi-stage infection process. This memory-only dropper decrypts and executes a PowerShell-based downloader. This PowerShell-based downloader is being tracked as PEAKLIGHT.
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/peaklight-decoding…
=====================
= Vulnerabilities =
=====================
∗∗∗ Stable Channel Update for Desktop ∗∗∗
---------------------------------------------
http://chromereleases.googleblog.com/2024/08/stable-channel-update-for-desk…
∗∗∗ WPS Office Security Update Advisory ∗∗∗
---------------------------------------------
https://asec.ahnlab.com/en/82637/
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 22-08-2024 18:00 − Friday 23-08-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Qilin ransomware now steals credentials from Chrome browsers ∗∗∗
---------------------------------------------
The Qilin ransomware group has been using a new tactic and deploys a custom stealer to steal account credentials stored in Google Chrome browser.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/qilin-ransomware-now-steals-…
∗∗∗ Hackers are exploiting critical bug in LiteSpeed Cache plugin ∗∗∗
---------------------------------------------
Hackers have already started to exploit the critical severity vulnerability that affects LiteSpeed Cache, a WordPress plugin used for accelerating response times, a day after technical details become public.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-are-exploiting-criti…
∗∗∗ Ebola infection warning: university triggers unnecessary panic with phishing test ∗∗∗
---------------------------------------------
Students and staff of UCSC received a false e-mail warning about an Ebola infection on campus. The university's CISO has apologized.
---------------------------------------------
https://www.golem.de/news/warnung-vor-ebola-infektion-phishing-test-an-eine…
∗∗∗ Lawn-mowing and vacuum robots: Ecovacs now wants to address spying vulnerabilities after all ∗∗∗
---------------------------------------------
Several lawn-mowing and vacuum robots from Ecovacs can be taken over by attackers. At first the manufacturer did not want to patch at all, but now it has reversed course.
---------------------------------------------
https://www.golem.de/news/hersteller-lenkt-ein-ecovacs-arbeitet-nun-doch-an…
∗∗∗ WordPress Websites Used to Distribute ClearFake Trojan Malware ∗∗∗
---------------------------------------------
Unfortunately, scams are all over the place, and anybody who has surfed the web should know this. We’ve all gotten phishing emails, or redirected to questionable websites at some point or another. Being on your guard is an important posture to take online, and part of that is knowing how to identify threats, scams, or places you shouldn’t visit ..
---------------------------------------------
https://blog.sucuri.net/2024/08/wordpress-websites-used-to-distribute-clear…
∗∗∗ Chinese Hackers Exploit Zero-Day Cisco Switch Flaw to Gain System Control ∗∗∗
---------------------------------------------
Details have emerged about a China-nexus threat group's exploitation of a recently disclosed, now-patched security flaw in Cisco switches as a zero-day to seize control of the appliances and evade detection. The activity, attributed to Velvet Ant, was ..
---------------------------------------------
https://thehackernews.com/2024/08/chinese-hackers-exploit-zero-day-cisco.ht…
∗∗∗ Halliburton probes an issue disrupting business ops ∗∗∗
---------------------------------------------
What could the problem be? Reportedly, a cyberattack. American oil giant Halliburton is investigating an "issue," reportedly a cyberattack, that has disrupted some business operations and global networks.
---------------------------------------------
https://www.theregister.com/2024/08/22/halliburton_investigates_incident_am…
∗∗∗ Bling Libra’s Tactical Evolution: The Threat Actor Group Behind ShinyHunters Ransomware ∗∗∗
---------------------------------------------
We analyze a recent incident by Bling Libra, the group behind ShinyHunters ransomware as they shift from data theft to extortion, exploiting AWS credentials.
---------------------------------------------
https://unit42.paloaltonetworks.com/shinyhunters-ransomware-extortion/
∗∗∗ CrowdStrike Outage Timeline and Analysis ∗∗∗
---------------------------------------------
Bitsight's analysis of the CrowdStrike outage and timeline mysteries.
---------------------------------------------
https://www.bitsight.com/blog/crowdstrike-outage-timeline-and-analysis
∗∗∗ A Global Treaty to Fight Cybercrime—Without Combating Mercenary Spyware: Article by Kate Robertson in Lawfare ∗∗∗
---------------------------------------------
In an article for Lawfare, Citizen Lab's senior research associate Kate Robertson analyzes how, in its current form, the draft treaty is poised "to become a vehicle for complicity in the global mercenary spy trade."
---------------------------------------------
https://citizenlab.ca/2024/08/a-global-treaty-to-fight-cybercrime-without-c…
=====================
= Vulnerabilities =
=====================
∗∗∗ SonicOS Improper Access Control Vulnerability ∗∗∗
---------------------------------------------
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0015
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 21-08-2024 18:00 − Donnerstag 22-08-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Google fixes ninth Chrome zero-day exploited in attacks this year ∗∗∗
---------------------------------------------
Today, Google released a new Chrome emergency security update to patch a zero-day vulnerability, the ninth one tagged as exploited this year.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/google-fixes-tenth-actively-…
∗∗∗ U.S. charges Karakurt extortion gang’s “cold case” negotiator ∗∗∗
---------------------------------------------
A member of the Russian Karakurt ransomware group has been charged in the U.S. for money laundering, wire fraud, and extortion crimes.
---------------------------------------------
https://www.bleepingcomputer.com/news/legal/us-charges-karakurt-extortion-g…
∗∗∗ Deletion obligations and security gaps: fines for data-protection violations are piling up ∗∗∗
---------------------------------------------
In Hamburg, more fine proceedings for data-protection violations have already been concluded this year than in the whole calendar year 2023. The penalties are sometimes substantial.
---------------------------------------------
https://www.golem.de/news/loeschpflicht-und-sicherheitsluecken-bussgelder-w…
∗∗∗ Memory corruption vulnerabilities in Suricata and FreeRDP ∗∗∗
---------------------------------------------
While pentesting KasperskyOS-based Thin Client and IoT Secure Gateway, we found several vulnerabilities in the Suricata and FreeRDP open-source projects. We shared details on these vulnerabilities with the community along with our fuzzer.
---------------------------------------------
https://securelist.com/suricata-freerdp-memory-corruption/113489/
∗∗∗ Windows Security best practices for integrating and managing security tools ∗∗∗
---------------------------------------------
We examine the recent CrowdStrike outage and provide a technical overview of the root cause.
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2024/07/27/windows-security-b…
∗∗∗ Understanding the ‘Morphology’ of Ransomware: A Deeper Dive ∗∗∗
---------------------------------------------
Ransomware isn't just about malware. It's about brands, trust, and the shifting allegiances of cybercriminals.
---------------------------------------------
https://www.securityweek.com/understanding-the-morphology-of-ransomware-a-d…
∗∗∗ Recall: Microsoft's controversial "surveillance" feature is coming back ∗∗∗
---------------------------------------------
After heavy security concerns, the company says it has reworked the new AI feature.
---------------------------------------------
https://www.derstandard.at/story/3000000233374/recall-microsofts-umstritten…
∗∗∗ BLUUID: Firewallas, Diabetics, And… Bluetooth ∗∗∗
---------------------------------------------
Dive into the fascinating and overlooked realm of Bluetooth Low Energy (BTLE) security in GreyNoise Labs' latest blog post. Learn techniques for remote device identification, uncover vulnerabilities, and explore the broader implications for IoT and healthcare.
---------------------------------------------
https://www.greynoise.io/blog/bluuid-firewallas-diabetics-and-bluetooth
∗∗∗ PEAKLIGHT: Decoding the Stealthy Memory-Only Malware ∗∗∗
---------------------------------------------
Mandiant identified a new memory-only dropper using a complex, multi-stage infection process. This memory-only dropper decrypts and executes a PowerShell-based downloader. This PowerShell-based downloader is being tracked as PEAKLIGHT. Mandiant Managed Defense identified a memory-only dropper and downloader delivering ..
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/peaklight-decoding…
∗∗∗ Attackers can cripple Cisco's VoIP system Unified Communications Manager ∗∗∗
---------------------------------------------
Security vulnerabilities make attacks on several Cisco products possible. Updates are available.
---------------------------------------------
https://heise.de/-9843447
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco Unified Communications Manager Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Identity Services Engine REST API Blind SQL Injection Vulnerabilities ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Identity Services Engine Sensitive Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Identity Services Engine Cross-Site Request Forgery Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Unified Communications Manager Cross-Site Scripting Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Atlassian Jira August 2024 Security Update Advisory ∗∗∗
---------------------------------------------
https://asec.ahnlab.com/en/82562/
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 20-08-2024 18:00 − Mittwoch 21-08-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ CrowdStrike unhappy with “shady commentary” from competitors after outage ∗∗∗
---------------------------------------------
Botched update leads to claims that competitors are "ambulance chasing."
---------------------------------------------
https://arstechnica.com/?p=2044431
∗∗∗ GitHub Enterprise Server vulnerable to critical auth bypass flaw ∗∗∗
---------------------------------------------
A critical vulnerability affecting multiple versions of GitHub Enterprise Server could be exploited to bypass authentication and enable an attacker to gain administrator privileges on the machine.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/github-enterprise-server-vul…
∗∗∗ Major chip group: cyberattack disrupts production at Microchip Technology ∗∗∗
---------------------------------------------
The chip manufacturer's production capacity is currently limited. The cause is a cyberattack whose extent is still being investigated.
---------------------------------------------
https://www.golem.de/news/grosser-chipkonzern-cyberangriff-stoert-produktio…
∗∗∗ Safety problems: cargo-bike scandal widens ∗∗∗
---------------------------------------------
Dutch consumer advocates are investigating further cargo-bike manufacturers because serious defects have surfaced there as well.
---------------------------------------------
https://www.golem.de/news/sicherheitsprobleme-lastenrad-skandal-weitet-sich…
∗∗∗ Plane tracker FlightAware admits user passwords, SSNs exposed for years ∗∗∗
---------------------------------------------
Notification omits a number of key details. Popular flight-tracking app FlightAware has admitted that it was exposing a bunch of users' data for more than three years.
---------------------------------------------
https://www.theregister.com/2024/08/20/flightaware_data_exposure/
∗∗∗ An AWS Configuration Issue Could Expose Thousands of Web Apps ∗∗∗
---------------------------------------------
Amazon has updated its instructions for how customers should more securely implement AWS's traffic-routing service known as Application Load Balancer, but it's not clear everyone will get the memo.
---------------------------------------------
https://www.wired.com/story/aws-application-load-balancer-implementation-co…
∗∗∗ Teach a Man to Phish ∗∗∗
---------------------------------------------
I decided to give away all of my phishing secrets for free. I realized at some point that I have been giving away phishing secrets for years, but only to select individuals, and only one at a time. That method of knowledge dissemination is terribly inefficient! So here it is, I’ve written it down for you instead.
---------------------------------------------
https://posts.specterops.io/teach-a-man-to-phish-43528846e382
∗∗∗ CISA Adds Four Known Exploited Vulnerabilities to Catalog ∗∗∗
---------------------------------------------
CISA has added four new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/08/21/cisa-adds-four-known-exp…
∗∗∗ CPU security hole Sinkclose: firmware update also for AMD's Ryzen 3000 ∗∗∗
---------------------------------------------
The CPU vulnerability "Sinkclose" allows attackers to inject malicious code. Initially, no updates were planned for the older CPUs.
---------------------------------------------
https://heise.de/-9842780
=====================
= Vulnerabilities =
=====================
∗∗∗ Unauthenticated information leak in Bosch IP cameras ∗∗∗
---------------------------------------------
BOSCH-SA-659648: A vulnerability was discovered in internal testing of Bosch IP cameras of families CPP13 and CPP14, that allows an unauthenticated attacker to retrieve video analytics event data. No video data is leaked through this vulnerability.
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-659648.html
∗∗∗ DSA-5752-1 dovecot - security update ∗∗∗
---------------------------------------------
https://lists.debian.org/debian-security-announce/2024/msg00165.html
∗∗∗ [20240803] - Core - XSS in HTML Mail Templates ∗∗∗
---------------------------------------------
https://developer.joomla.org:443/security-centre/944-20240803-core-xss-in-h…
=====================
= End-of-Day report =
=====================
Timeframe: Montag 19-08-2024 18:00 − Dienstag 20-08-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Windows driver zero-day exploited by Lazarus hackers to install rootkit ∗∗∗
---------------------------------------------
The notorious North Korean Lazarus hacking group exploited a zero-day flaw in the Windows AFD.sys driver to elevate privileges and install the FUDModule rootkit on targeted systems.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/windows-driver-zero-day-exp…
∗∗∗ Solar installations and the cloud: developer fears collapse of European power grids ∗∗∗
---------------------------------------------
Modern solar installations are frequently connected to the manufacturers' cloud services. A developer sees this as a major danger to our energy supply.
---------------------------------------------
https://www.golem.de/news/solaranlagen-und-die-cloud-entwickler-befuerchtet…
∗∗∗ Approach to mainframe penetration testing on z/OS ∗∗∗
---------------------------------------------
We explain how mainframes work, potential attack vectors, and what to focus on when pentesting such systems.
---------------------------------------------
https://securelist.com/zos-mainframe-pentesting/113427/
∗∗∗ Hacking Wireless Bicycle Shifters ∗∗∗
---------------------------------------------
This is yet another insecure Internet-of-things story, this one about wireless gear shifters for bicycles. These gear shifters are used in big-money professional bicycle races like the Tour de France, which provides an incentive to actually ..
---------------------------------------------
https://www.schneier.com/blog/archives/2024/08/hacking-wireless-bicycle-shi…
∗∗∗ Ransomware Victims Paid $460 Million in First Half of 2024 ∗∗∗
---------------------------------------------
Ransomware payments in H1 2024 totaled nearly $460 million and $1.58 billion have been stolen in cryptocurrency heists.
---------------------------------------------
https://www.securityweek.com/ransomware-victims-paid-460-million-in-first-h…
∗∗∗ Critical Flaw in Donation Plugin Exposed 100,000 WordPress Sites to Takeover ∗∗∗
---------------------------------------------
A critical vulnerability in the GiveWP WordPress plugin could be exploited for remote code execution and arbitrary file deletion.
---------------------------------------------
https://www.securityweek.com/critical-flaw-in-donation-plugin-exposed-10000…
∗∗∗ Navigating the Uncharted: A Framework for Attack Path Discovery ∗∗∗
---------------------------------------------
This is the second post in a series on Identity-Driven Offensive Tradecraft, which is also the focus of the new course we will launch in October. In the previous post, I asked, “How does one discover and abuse new attack paths?” To start answering ..
---------------------------------------------
https://posts.specterops.io/navigating-the-uncharted-a-framework-for-attack…
∗∗∗ Selling Ransomware Breaches: 4 Trends Spotted on the RAMP Forum ∗∗∗
---------------------------------------------
The sale and purchase of unauthorized access to compromised enterprise networks has become a linchpin for cybercriminal operations, particularly in facilitating ransomware attacks.
---------------------------------------------
https://www.rapid7.com/blog/post/2024/08/20/selling-ransomware-breaches-4-t…
∗∗∗ Challenges in Automating and Scaling Remote Vulnerability Detection ∗∗∗
---------------------------------------------
We cover investments that Bitsight is making to greatly scale out our vulnerability coverage in record time through automation.
---------------------------------------------
https://www.bitsight.com/blog/challenges-automating-and-scaling-remote-vuln…
∗∗∗ Austria's interior minister wants to spy on messengers ∗∗∗
---------------------------------------------
Austria's intelligence services are to receive more powers and be allowed to inject malware and use WLAN catchers. The governing party ÖVP is requesting this.
---------------------------------------------
https://heise.de/-9840256
∗∗∗ Software development: malicious-code attacks on Jenkins servers observed ∗∗∗
---------------------------------------------
Attackers are currently exploiting a critical vulnerability in the Jenkins software system. Instances in Germany are at risk as well.
---------------------------------------------
https://heise.de/-9840463
=====================
= Vulnerabilities =
=====================
∗∗∗ SolarWinds Product Security Update Advisory (CVE-2024-28986) ∗∗∗
---------------------------------------------
https://asec.ahnlab.com/en/82529/
∗∗∗ Intel Family Security Update Advisory ∗∗∗
---------------------------------------------
https://asec.ahnlab.com/en/82531/
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 16-08-2024 18:00 − Montag 19-08-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Retrospective: Windows and the TCP/IP vulnerability CVE-2024-38063 ∗∗∗
---------------------------------------------
On 13 August 2024 the 0-day vulnerability CVE-2024-38063 in Windows became public. It is a remote code execution vulnerability in the Windows TCP/IP implementation: attackers can compromise a host via crafted IPv6 packets and execute code on it. Besides rating it with a CVSS v3 score of 9.8 (critical, "Exploitation More Likely"), Redmond currently recommends that administrators disable IPv6, but it has also provided security updates for Windows. Administrators should therefore act.
---------------------------------------------
https://www.borncity.com/blog/2024/08/16/nachbetrachtung-windows-und-die-tc…
∗∗∗ Technical Analysis: CVE-2024-38021 ∗∗∗
---------------------------------------------
Recently, Morphisec researchers discovered a vulnerability in Microsoft Outlook that can lead to remote code execution (RCE). This vulnerability, identified as CVE-2024-38021, highlights a significant security flaw within the Microsoft Outlook application, potentially allowing attackers to execute arbitrary code without requiring prior authentication.
---------------------------------------------
https://blog.morphisec.com/technical-analysis-cve-2024-38021
∗∗∗ New Mad Liberator gang uses fake Windows update screen to hide data theft ∗∗∗
---------------------------------------------
A new data extortion group tracked as Mad Liberator is targeting AnyDesk users and runs a fake Microsoft Windows update screen to distract while exfiltrating data from the target device. [..] It is unclear how the threat actor selects its targets but one theory, although yet to be proven, is that Mad Liberator tries potential addresses (AnyDesk connection IDs) until someone accepts the connection request.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-mad-liberator-gang-uses-…
∗∗∗ Chrome will redact credit cards, passwords when you share Android screen ∗∗∗
---------------------------------------------
While the flag doesn't work at the moment, it is supposed to hide sensitive form fields present on the page by redacting the entire screen. It's unclear when the feature will be rolled out to everyone in Chrome for Android, but you'll be able to try the feature in Chrome Canary in the next few weeks.
---------------------------------------------
https://www.bleepingcomputer.com/news/google/chrome-will-redact-credit-card…
∗∗∗ AMD gives in: Ryzen 3000 gets a patch against the Sinkclose vulnerability after all ∗∗∗
---------------------------------------------
Originally AMD did not want to patch Ryzen 3000 CPUs against the Sinkclose vulnerability. After plenty of displeasure in the community, it is now reversing course.
---------------------------------------------
https://www.golem.de/news/amd-knickt-ein-ryzen-3000-erhaelt-nun-doch-patch-…
∗∗∗ Improving network security: monitoring client communication with Velociraptor ∗∗∗
---------------------------------------------
SEC Defence, the managed incident response unit of SEC Consult, has developed a set of Velociraptor artifacts that make it possible to monitor the current network communication on enrolled clients and to alert on specific connections, e.g. to known malicious IP addresses or connections created by known malicious processes.
---------------------------------------------
https://sec-consult.com/de/blog/detail/verbesserung-der-netzwerksicherheit-…
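The same alerting rule, written out as an added example that is not SEC Consult's Velociraptor artifact or VQL: a Python pass over connection records of the kind an endpoint agent collects (one entry per socket, as netstat or psutil report them), flagging every active connection whose destination lies in a known-bad network or whose owning process is on a known-bad list. The IOC lists, host names and connection records are constructed for the example (TEST-NET addresses); a real deployment would feed the IOC sets from threat intelligence and the records from the agent.

```python
"""Alert on current network connections against IP and process IOC lists."""
import ipaddress
from dataclasses import dataclass

# Constructed IOC lists for the example (TEST-NET ranges, not real infrastructure).
BAD_NETWORKS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.7/32")]
BAD_PROCESSES = {"mimikatz.exe", "rclone.exe"}
# Internal address space is never matched against the external IOC feed, so a
# stale or over-broad feed cannot turn every LAN connection into an alert.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Only sockets that are talking, or trying to, count as "current communication".
ACTIVE_STATES = {"ESTABLISHED", "SYN_SENT"}


@dataclass(frozen=True)
class Alert:
    host: str
    pid: int
    process: str
    remote: str
    reason: str


def classify(record):
    """Return the rule names a single connection record triggers (empty list if none)."""
    if record["state"].upper() not in ACTIVE_STATES:
        return []  # listeners and closed sockets are not communication
    reasons = []
    if record["process"].lower() in BAD_PROCESSES:
        reasons.append("known_malicious_process")
    remote_ip = ipaddress.ip_address(record["remote_ip"])
    internal = any(remote_ip in net for net in INTERNAL_NETWORKS)
    if not internal and any(remote_ip in net for net in BAD_NETWORKS):
        reasons.append("known_malicious_destination")
    return reasons


def scan(records):
    """Run every record through classify() and return one Alert per triggered rule."""
    alerts = []
    for r in records:
        remote = "{}:{}".format(r["remote_ip"], r["remote_port"])
        for reason in classify(r):
            alerts.append(Alert(r["host"], r["pid"], r["process"], remote, reason))
    return alerts


# Constructed connection records (what the agent would report, one per socket).
SAMPLE_RECORDS = [
    {"host": "ws-01", "pid": 4120, "process": "chrome.exe", "remote_ip": "192.0.2.10", "remote_port": 443, "state": "ESTABLISHED"},
    {"host": "ws-01", "pid": 5512, "process": "rclone.exe", "remote_ip": "192.0.2.55", "remote_port": 443, "state": "ESTABLISHED"},
    {"host": "ws-02", "pid": 900, "process": "svchost.exe", "remote_ip": "198.51.100.23", "remote_port": 8080, "state": "SYN_SENT"},
    {"host": "ws-02", "pid": 1200, "process": "mimikatz.exe", "remote_ip": "203.0.113.7", "remote_port": 4444, "state": "ESTABLISHED"},
    {"host": "ws-03", "pid": 4, "process": "System", "remote_ip": "0.0.0.0", "remote_port": 0, "state": "LISTEN"},
    {"host": "ws-03", "pid": 3300, "process": "rclone.exe", "remote_ip": "10.1.2.3", "remote_port": 445, "state": "ESTABLISHED"},
]

if __name__ == "__main__":
    for a in scan(SAMPLE_RECORDS):
        print("{:<6} pid={:<5} {:<13} -> {:<20} {}".format(a.host, a.pid, a.process, a.remote, a.reason))
```

Two design points carry over to any agent-side rule of this kind: listening sockets are skipped, because a LISTEN entry has no peer and would only produce noise, and a connection from a blacklisted process to an internal host still alerts on the process rule alone, so lateral movement over SMB is not masked by the internal-address exemption.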
∗∗∗ Xeon Sender Tool Exploits Cloud APIs for Large-Scale SMS Phishing Attacks ∗∗∗
---------------------------------------------
Malicious actors are using a cloud attack tool named Xeon Sender to conduct SMS phishing and spam campaigns on a large scale by abusing legitimate services. "Attackers can use Xeon to send messages through multiple software-as-a-service (SaaS) providers using valid credentials for the service providers," SentinelOne security researcher Alex Delamotte said in a report shared with The Hacker News.
---------------------------------------------
https://thehackernews.com/2024/08/xeon-sender-tool-exploits-cloud-apis.html
∗∗∗ Microsoft Azure: MFA mandatory for administrators from 15 October 2024, but a "deferral" is possible ∗∗∗
---------------------------------------------
Microsoft has just announced in the M365 admin message center that, from 15 October 2024, Azure will require administrators to authenticate via MFA. Redmond does, however, give administrators the option of postponing this obligation by a total of 5 months.
---------------------------------------------
https://www.borncity.com/blog/2024/08/17/microsoft-azure-ab-15-oktober-2024…
∗∗∗ Unmasking Styx Stealer: How a Hacker’s Slip Led to an Intelligence Treasure Trove ∗∗∗
---------------------------------------------
The case of Styx Stealer is a compelling example of how even sophisticated cybercriminal operations can slip up due to basic security oversights. The creator of Styx Stealer revealed his personal details, including Telegram accounts, emails, and contacts, by debugging the stealer on his own computer with a Telegram bot token provided by a customer involved in the Agent Tesla campaign. This critical OpSec failure not only compromised his anonymity but also provided valuable intelligence about other cybercriminals, including the originator of the Agent Tesla campaign.
---------------------------------------------
https://research.checkpoint.com/2024/unmasking-styx-stealer-how-a-hackers-s…
∗∗∗ "WireServing" Up Credentials: Escalating Privileges in Azure Kubernetes Services ∗∗∗
---------------------------------------------
Mandiant disclosed this vulnerability to Microsoft via the MSRC vulnerability disclosure program, and Microsoft has fixed the underlying issue. [..] Adopting a process to create restrictive NetworkPolicies that allow access only to required services prevents this entire attack class. Privilege escalation via an undocumented service is prevented when the service cannot be accessed at all.
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/escalating-privile…
∗∗∗ Report: Pixel phones shipped with hidden but inactive remote-maintenance software ∗∗∗
---------------------------------------------
Pixel smartphones were shipped, at Verizon's request, with remote-maintenance software. Once enabled, it can download insecure code.
---------------------------------------------
https://heise.de/-9836726
∗∗∗ Patch now! Malicious-code attacks on SolarWinds Web Help Desk observed ∗∗∗
---------------------------------------------
Attackers are currently exploiting a critical vulnerability in SolarWinds Web Help Desk. A security patch is available, but it can sometimes cause problems.
---------------------------------------------
https://heise.de/-9838566
∗∗∗ SIM swapping remains a fringe phenomenon in Germany ∗∗∗
---------------------------------------------
Numerous media outlets warn of the damage caused by SIM swapping. In Germany, however, this fraud scheme remains rare.
---------------------------------------------
https://heise.de/-9839531
=====================
= Vulnerabilities =
=====================
∗∗∗ Multiple security vulnerabilities in IDOL2 (uciIDOL) ∗∗∗
---------------------------------------------
Five serious security vulnerabilities were identified in the time-tracking software IDOL2 (uciIDOL). They make it possible to fully compromise the encrypted communication between client and server, and they also allow remote code execution on both the client and the server side.
---------------------------------------------
https://www.syss.de/pentest-blog/mehrere-sicherheitsschwachstellen-in-idol-…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (python-asyncssh), Fedora (bind, bind-dyndb-ldap, httpd, and tor), SUSE (cosign, cpio, curl, expat, java-11-openjdk, ncurses, netty, netty-tcnative, opera, python-Django, python-Pillow, shadow, sudo, and wpa_supplicant), and Ubuntu (firefox).
---------------------------------------------
https://lwn.net/Articles/986225/
∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2024-0004 ∗∗∗
---------------------------------------------
https://webkitgtk.org/security/WSA-2024-0004.html
∗∗∗ F5: K000140732: BIND vulnerability CVE-2024-1737 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000140732
∗∗∗ Kubernetes: CVE-2024-7646 ∗∗∗
---------------------------------------------
https://github.com/kubernetes/kubernetes/issues/126744
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 14-08-2024 18:00 − Freitag 16-08-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Opinion: More layers in malware campaigns are not a sign of sophistication ∗∗∗
---------------------------------------------
Ten infection and protection layers to deploy malware sounds impressive and very hard to deal with. However, adding more layers counterintuitively does the opposite for antivirus evasion and is not a sign of sophistication. Why is that so?
---------------------------------------------
https://www.gdatasoftware.com/blog/2024/08/37995-malware-sophistication
∗∗∗ Ailurophile: New Infostealer sighted in the wild ∗∗∗
---------------------------------------------
We discovered a new stealer in the wild called "Ailurophile Stealer". The stealer is coded in PHP and the source code indicates potential Vietnamese origins. It is available for purchase through a subscription model via its own webpage. Through the ..
---------------------------------------------
https://www.gdatasoftware.com/blog/2024/08/38005-ailurophile-infostealer
∗∗∗ Tusk: unraveling a complex infostealer campaign ∗∗∗
---------------------------------------------
Kaspersky researchers discovered Tusk campaign with ongoing activity that uses Danabot and StealC infostealers and clippers to obtain cryptowallet credentials and system data.
---------------------------------------------
https://securelist.com/tusk-infostealers-campaign/113367/
∗∗∗ PrestaShop GTAG Websocket Skimmer ∗∗∗
---------------------------------------------
During a recent investigation we uncovered another credit card skimmer leveraging a web socket connection to steal credit card details from an infected PrestaShop website. While PrestaShop is not the most popular eCommerce solution for online stores it is still in the top 10 most common ecommerce platforms in use on the web, and clocks in at just ..
---------------------------------------------
https://blog.sucuri.net/2024/08/prestashop-gtag-websocket-skimmer.html
∗∗∗ Ransomware Attacks on Industrial Firms Surged in Q2 2024 ∗∗∗
---------------------------------------------
Dragos has seen a significant increase in ransomware attacks on industrial organizations in Q2 2024 compared to the previous quarter.
---------------------------------------------
https://www.securityweek.com/ransomware-attacks-on-industrial-firms-surged-…
∗∗∗ Leaked Environment Variables Allow Large-Scale Extortion Operation of Cloud Environments ∗∗∗
---------------------------------------------
We recount an extensive cloud extortion campaign leveraging exposed .env files of at least 110k domains to compromise organizations' AWS environments.
---------------------------------------------
https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/
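As an added example, not Unit 42's tooling or code: the check a defender can run over their own deployments' .env files to see which ones would hand an attacker working cloud credentials if served. It parses the dotenv format (comments, blank lines, an optional export prefix, single- or double-quoted values, inline comments after unquoted values) and flags a variable by key name, by the AWS access key ID shape (AKIA or ASIA followed by 16 uppercase alphanumerics), or by high Shannon entropy of the value. The sample .env is constructed and uses the AWS documentation example key pair, which is not a live credential; the variable names, regexes and thresholds are choices made for this example.

```python
"""Find cloud credentials in dotenv (.env) files."""
import math
import re

AWS_ACCESS_KEY_RE = re.compile(r"(?:AKIA|ASIA)[A-Z0-9]{16}")
SENSITIVE_KEY_RE = re.compile(r"SECRET|PASSW(?:OR)?D|TOKEN|API_?KEY|PRIVATE_?KEY|ACCESS_?KEY",
                              re.IGNORECASE)
# Thresholds chosen for the example: long, high-entropy values look like key material.
ENTROPY_MIN_LEN = 20
ENTROPY_THRESHOLD = 4.0   # bits per character


def parse_env(text):
    """Parse dotenv text into a dict, following the common dotenv conventions."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        if line.startswith("export "):
            line = line[len("export "):].lstrip()
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]                          # quoted: keep everything inside
        else:
            value = value.split(" #", 1)[0].rstrip()     # unquoted: drop inline comment
        env[key] = value
    return env


def shannon_entropy(s):
    """Bits per character of the value's character distribution."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((s.count(c) / n) * math.log2(s.count(c) / n) for c in set(s))


def classify(key, value):
    """Return the reasons a variable looks like a credential (empty list if none)."""
    reasons = []
    if AWS_ACCESS_KEY_RE.search(value):
        reasons.append("aws_access_key_id")
    if SENSITIVE_KEY_RE.search(key):
        reasons.append("sensitive_key_name")
    if len(value) >= ENTROPY_MIN_LEN and shannon_entropy(value) >= ENTROPY_THRESHOLD:
        reasons.append("high_entropy_value")
    return reasons


def find_secrets(text):
    """Map each variable that looks like a credential to the reasons it was flagged."""
    found = {}
    for key, value in parse_env(text).items():
        reasons = classify(key, value)
        if reasons:
            found[key] = reasons
    return found


# Constructed sample .env; the AWS values are the documentation example pair, not live keys.
SAMPLE_ENV = """\
# application settings
export APP_ENV=production
DB_HOST=db.internal
DB_PASSWORD="s3cr3t-Passw0rd!"
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY='wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'
MAIL_FROM=noreply@example.com # outbound sender
SESSION_TTL=3600
"""

if __name__ == "__main__":
    for key, reasons in find_secrets(SAMPLE_ENV).items():
        print("{:<22} {}".format(key, ", ".join(reasons)))
```

The key-name rule catches secrets whose value gives nothing away (a short database password), the access-key regex catches the one credential shape that is unambiguous, and the entropy rule catches long random tokens under unhelpful names. Any hit on a host whose web root is served directly is a credential to rotate, not just a file to delete, because the campaign described above works from copies that were already fetched.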
∗∗∗ New infostealer targets macOS devices, appears to have Russian links ∗∗∗
---------------------------------------------
Researchers have discovered new information-stealing malware labeled Banshee Stealer that is designed to breach Apple computers.
---------------------------------------------
https://therecord.media/apple-macos-infostealer-banshee-stealer
∗∗∗ Iranian backed group steps up phishing campaigns against Israel, U.S. ∗∗∗
---------------------------------------------
Google’s Threat Analysis Group shares insights on APT42, an Iranian government-backed threat actor.
---------------------------------------------
https://blog.google/threat-analysis-group/iranian-backed-group-steps-up-phi…
∗∗∗ Ransomware Prevention Guide for Managed Service Providers ∗∗∗
---------------------------------------------
This comprehensive ransomware prevention guide outlines a strategic approach to preventing ransomware attacks, drawing upon industry best practices, compelling statistics, and expert insights.
---------------------------------------------
https://www.emsisoft.com/en/blog/45911/ransomware-prevention-guide-for-mana…
∗∗∗ Hacking Beyond.com — Enumerating Private TLDs ∗∗∗
---------------------------------------------
My story started a few months ago, when I performed a red team assessment for a major retail company. During the Open Source Reconnaissance (OSINT) phase, I reviewed the SSL certificates that included the client name. In these certificates I identified that the client owned its own top-level domain (TLD). A TLD is the last part of a domain name, the letters that come after ..
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/enumerating-privat…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (389-ds-base, dotnet8.0, python3.13, roundcubemail, thunderbird, and tor), Mageia (roundcubemail), Oracle (.NET 8.0, bind and bind-dyndb-ldap, bind9.16, container-tools:ol8, edk2, firefox, gnome-shell, grafana, httpd:2.4, jose, kernel, krb5, mod_auth_openidc:2.3, orc, poppler, python-urllib3, ..
---------------------------------------------
https://lwn.net/Articles/985980/
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 13-08-2024 18:00 − Mittwoch 14-08-2024 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ New scam on WhatsApp: beware of fake security warnings ∗∗∗
---------------------------------------------
Fake SMS messages, allegedly from the WhatsApp security center, are currently circulating. The message claims that your account is at risk and that you must carry out a verification in the official security center.
---------------------------------------------
https://www.watchlist-internet.at/news/neue-betrugsmasche-auf-whatsapp-vors…
∗∗∗ Attempted fraudulent acquisition of services from security companies ∗∗∗
---------------------------------------------
Several security companies (particularly in the threat-intelligence space) report attempts by threat actors to obtain access to the affected companies' products under false pretenses.
---------------------------------------------
https://www.cert.at/de/aktuelles/2024/8/versuchte-leistungserschleichung-be…
∗∗∗ Biden administration pledges $11 million to open source security initiative ∗∗∗
---------------------------------------------
The White House and Department of Homeland Security (DHS) are partnering on an $11 million initiative to gain an understanding of how open source software is used across critical infrastructure and to better secure it.
---------------------------------------------
https://therecord.media/open-source-software-security-white-house-dhs-11mil…
∗∗∗ FIN7: The Truth Doesn't Need to be so STARK ∗∗∗
---------------------------------------------
The purpose of this blog post is not to exhaustively identify FIN7 infrastructure; rather, it represents a snapshot in time of activity hosted on the infrastructure of one hosting provider (Stark).
---------------------------------------------
https://www.team-cymru.com/post/fin7-the-truth-doesn-t-need-to-be-so-stark
∗∗∗ Gafgyt Malware Variant Exploits GPU Power and Cloud Native Environments ∗∗∗
---------------------------------------------
In this blog we explain about the campaign, the techniques used and how to detect and protect your environments.
---------------------------------------------
https://blog.aquasec.com/gafgyt-malware-variant-exploits-gpu-power-and-clou…
∗∗∗ Rivers of Phish: Sophisticated Phishing Targets Russia’s Perceived Enemies Around the Globe ∗∗∗
---------------------------------------------
This campaign, which we have investigated in collaboration with Access Now and with the participation of numerous civil society organizations including First Department, Arjuna Team, and RESIDENT.ngo, engages targets with personalized and highly-plausible social engineering in an attempt to gain access to their online accounts. [..] The Citizen Lab is sharing all indicators with major email providers to assist them in tracking and blocking these campaigns.
---------------------------------------------
https://citizenlab.ca/2024/08/sophisticated-phishing-targets-russias-percei…
∗∗∗ Bundestrojaner: how chat surveillance works ∗∗∗
---------------------------------------------
A Bundestrojaner (state trojan) is malware used by government agencies and the police. It also allows encrypted messages to be read.
---------------------------------------------
https://futurezone.at/netzpolitik/bundestrojaner-chat-ueberwachung-oesterre…
=====================
= Vulnerabilities =
=====================
∗∗∗ SolarWinds fixes critical RCE bug affecting all Web Help Desk versions ∗∗∗
---------------------------------------------
A critical vulnerability in SolarWinds Web Help Desk solution for customer support could be exploited to achieve remote code execution, the American business software developer warns in a security advisory today.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/solarwinds-fixes-critical-rc…
∗∗∗ Fortinet, Zoom Patch Multiple Vulnerabilities ∗∗∗
---------------------------------------------
Fortinet and Zoom have released patches for multiple vulnerabilities in their products, including high-severity bugs.
---------------------------------------------
https://www.securityweek.com/fortinet-zoom-patch-multiple-vulnerabilities/
∗∗∗ Microsoft Patch Tuesday: attackers are targeting Office and Windows with malicious code ∗∗∗
---------------------------------------------
Important security updates have been released for various Microsoft products. Because of ongoing attacks, admins should act quickly. [..] With a CVSS score of 9.8, a vulnerability in Windows' TCP/IP stack is among the most dangerous flaws in the current Patch Tuesday. Unauthenticated attackers who send crafted IPv6 packets to Windows machines can compromise them remotely and execute their own commands.
---------------------------------------------
https://heise.de/-9834085
∗∗∗ Xen Security Advisory CVE-2024-31146 / XSA-461 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-461.html
∗∗∗ Xen Security Advisory CVE-2024-31145 / XSA-460 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-460.html
∗∗∗ Adobe Releases Security Updates for Multiple Products ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/08/14/adobe-releases-security-…
=====================
= End-of-Day report =
=====================
Timeframe: Monday 12-08-2024 18:00 − Tuesday 13-08-2024 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ APT trends report Q2 2024 ∗∗∗
---------------------------------------------
The report features the most significant developments relating to APT groups in Q2 2024, including the new backdoor in Linux utility XZ, a new RAT called SalmonQT, and hacktivist activity.
---------------------------------------------
https://securelist.com/apt-trends-report-q2-2024/113275/
∗∗∗ AMD won’t patch Sinkclose security bug on older Zen CPUs ∗∗∗
---------------------------------------------
Some AMD processors dating back to 2006 have a security vulnerability that's a boon for particularly underhand malware and rogue insiders, though the chip designer is only patching models made since 2020.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2024/08/13/amd_sinkclos…
∗∗∗ Who uses LLM prompt injection attacks IRL? Mostly unscrupulous job seekers, jokesters and trolls ∗∗∗
---------------------------------------------
Because apps talking like pirates and creating ASCII art never gets old. Despite worries about criminals using prompt injection to trick large language models (LLMs) into leaking sensitive data or performing other destructive actions, most of these types of AI shenanigans come from job seekers trying to get their resumes past automated HR screeners – and people protesting generative AI for various reasons, according to Russian security biz Kaspersky.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2024/08/13/who_uses_llm…
∗∗∗ CVE-2024-38856: Pre-Auth RCE Vulnerability in Apache OFBiz ∗∗∗
---------------------------------------------
On August 5, 2024, researchers at SonicWall discovered a zero-day security flaw in Apache OFBiz tracked as CVE-2024-38856. The vulnerability, which has been assigned a CVSS score of 9.8, allows threat actors to perform pre-authentication remote code execution (RCE). While testing a patch for CVE-2024-36104, SonicWall researchers discovered that unauthenticated access was permitted to the ProgramExport endpoint, potentially enabling the execution of arbitrary code.
---------------------------------------------
https://www.zscaler.com/blogs/security-research/cve-2024-38856-pre-auth-rce…
∗∗∗ Post-Quantum Cryptography Standards Officially Announced by NIST – a History and Explanation ∗∗∗
---------------------------------------------
NIST has formally published three post-quantum cryptography standards from the competition it held to develop cryptography able to withstand the anticipated quantum computing decryption of current asymmetric encryption.
---------------------------------------------
https://www.securityweek.com/post-quantum-cryptography-standards-officially…
∗∗∗ Fake notification in the name of the Federal Chancellery about compensation payments ∗∗∗
---------------------------------------------
Criminals are sending fake emails in the name of the Federal Chancellery about a compensation payment for water and energy bills. The email states that you will receive €102.49. To receive the sum, however, you must click on a link.
---------------------------------------------
https://www.watchlist-internet.at/news/falsche-mitteilung-im-namen-des-bund…
∗∗∗ Harnessing LLMs for Automating BOLA Detection ∗∗∗
---------------------------------------------
Learn about BOLABuster, an LLM-driven tool automating BOLA vulnerability detection in web applications. Issues have already been identified in multiple projects.
---------------------------------------------
https://unit42.paloaltonetworks.com/automated-bola-detection-and-ai/
∗∗∗ Law enforcement strikes against the Radar/Dispossessor ransomware group ∗∗∗
---------------------------------------------
It is the next blow against cybercriminals. Law enforcement agencies from the USA (FBI), the United Kingdom and Germany have succeeded in dismantling the infrastructure of the Radar/Dispossessor ransomware group.
---------------------------------------------
https://www.borncity.com/blog/2024/08/13/strafverfolgern-gelingt-schlag-geg…
∗∗∗ Hackers Leak 1.4 Billion Tencent User Accounts Online ∗∗∗
---------------------------------------------
Massive data leak exposes 1.4 billion Tencent user accounts. Leaked data includes emails, phone numbers, and QQ IDs potentially linked to the “Mother of All Breaches” (MOAB).
---------------------------------------------
https://hackread.com/hackers-leak-1-4-billion-tencent-user-accounts-online/
∗∗∗ CryptoCore: Unmasking the Sophisticated Cryptocurrency Scam Operations ∗∗∗
---------------------------------------------
This report delves into the intricacies of the CryptoCore group’s scam and analyses their modus operandi. We will describe key exploited events, including hijacked YouTube accounts and deepfake videos, alongside a technical analysis of the fraudulent sites. One purpose of this study is to present a fundamental analysis – and key statistics – of fraudulent wallets that have received profits in the millions of dollars, as well as provide statistical data on detections, showing how victims are lured into suspicious websites and ultimately end up crypto scam victims.
---------------------------------------------
https://decoded.avast.io/martinchlumecky1/cryptocore-unmasking-the-sophisti…
∗∗∗ Ivanti warns of critical vTM auth bypass with public exploit ∗∗∗
---------------------------------------------
Tracked as CVE-2024-7593, this auth bypass vulnerability is due to an incorrect implementation of an authentication algorithm that allows remote unauthenticated attackers to bypass authentication on Internet-exposed vTM admin panels.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ivanti-warns-of-critical-vtm…
=====================
= Vulnerabilities =
=====================
∗∗∗ Ivanti: August Security Update ∗∗∗
---------------------------------------------
Today, fixes have been released for the following solutions: Ivanti Neurons for ITSM, Ivanti Avalanche and Ivanti Virtual Traffic Manager (vTM).
---------------------------------------------
https://www.ivanti.com/blog/august-security-update
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (kernel and roundcube), Fedora (microcode_ctl, pypy, python2.7, and python3.6), Oracle (389-ds-base, httpd, kernel, kernel-container, and linux-firmware), Red Hat (kernel-rt), SUSE (firefox, kubernetes1.23, libqt5-qtbase, openssl-1_1, python-gunicorn, python-Twisted, python-urllib3, and qt6-base), and Ubuntu (linux-aws-5.15, linux-gkeop-5.15, linux-ibm, linux-ibm-5.15, linux-raspi, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-oem-6.8, linux-oracle-5.15, and qemu).
---------------------------------------------
https://lwn.net/Articles/985481/
∗∗∗ SAP Patches Critical Vulnerabilities in BusinessObjects, Build Apps ∗∗∗
---------------------------------------------
SAP has released 25 security notes on August 2024 Security Patch Day, including for critical vulnerabilities in BusinessObjects and Build Apps.
---------------------------------------------
https://www.securityweek.com/sap-patches-critical-vulnerabilities-in-busine…
∗∗∗ CISA Releases Ten Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
AVEVA SuiteLink Server, Rockwell Automation, Ocean Data Systems
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/08/13/cisa-releases-ten-indust…
∗∗∗ Splunk: SVD-2024-0801: Third-Party Package Updates in Python for Scientific Computing - August 2024 ∗∗∗
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2024-0801
∗∗∗ Lenovo: NVIDIA GPU Display Driver - July 2024 ∗∗∗
---------------------------------------------
http://support.lenovo.com/product_security/PS500637-NVIDIA-GPU-DISPLAY-DRIV…
∗∗∗ Lenovo: LDCC and LADM Privilege Escalation Vulnerabilities ∗∗∗
---------------------------------------------
http://support.lenovo.com/product_security/PS500636-LDCC-AND-LADM-PRIVILEGE…
∗∗∗ 0patch: The "EventLogCrasher" 0day For Remotely Disabling Windows Event Log, And a Free Micropatch For It ∗∗∗
---------------------------------------------
https://blog.0patch.com/2024/01/the-eventlogcrasher-0day-for-remotely.html
∗∗∗ tenable: [R1] Stand-alone Security Patch Available for Tenable Security Center versions 6.2.1, 6.3.0 and 6.4.0: SC-202408.1 ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2024-13
=====================
= End-of-Day report =
=====================
Timeframe: Friday 09-08-2024 18:00 − Monday 12-08-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Password managers and VPN apps: plaintext passwords read from process memory ∗∗∗
---------------------------------------------
Passwords inevitably end up in memory while being processed. In some applications, however, they remain there too long, which increases the attack surface.
---------------------------------------------
https://www.golem.de/news/passwortmanager-und-vpn-apps-klartextpasswoerter-…
∗∗∗ Encryption bypassed: researcher takes control of ATMs ∗∗∗
---------------------------------------------
Many a hacker dreams of cracking ATM software in order to have unlimited cash dispensed. One researcher appears to have achieved exactly that. [..] According to the security researcher, however, a successful attack requires physical access to the respective ATM, "in which you open the upper part of the ATM, remove the hard drive and then manipulate the contents of the hard drive".
---------------------------------------------
https://www.golem.de/news/verschluesselung-ausgehebelt-forscher-uebernimmt-…
∗∗∗ Experts Uncover Severe AWS Flaws Leading to RCE, Data Theft, and Full-Service Takeovers ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered multiple critical flaws in Amazon Web Services (AWS) offerings that, if successfully exploited, could result in serious consequences. [..] Following responsible disclosure in February 2024, Amazon addressed the shortcomings over several months from March to June. The findings were presented at Black Hat USA 2024.
---------------------------------------------
https://thehackernews.com/2024/08/experts-uncover-severe-aws-flaws.html
∗∗∗ Living off the land with Bluetooth PAN ∗∗∗
---------------------------------------------
Just like in the living off the land native SSH blog post, this is not a new and clever method of attack, rather it is using tools that are built-in to Windows to present an unexpected vector for access to networks that could mask many of the common tools used to assess a network. [..] Look at disabling these using Intune / Group Policy configuration policies. If there is a justification for their use, consider monitoring the usage of these tools in your environment.
---------------------------------------------
https://www.pentestpartners.com/security-blog/living-off-the-land-with-blue…
∗∗∗ BlackHat 2024: remote code execution attack on M365 Copilot via email ∗∗∗
---------------------------------------------
At BlackHat 2024, Michael Bargury demonstrated RCE attacks on M365 Copilot: a single email is enough to search for sensitive data. In total, Bargury presents five different attack methods against Microsoft's AI solutions. Here is a brief overview of the topic.
---------------------------------------------
https://www.borncity.com/blog/2024/08/11/blackhat-2024-remote-code-executio…
∗∗∗ Ongoing Social Engineering Campaign Refreshes Payloads ∗∗∗
---------------------------------------------
On June 20, 2024, Rapid7 identified multiple intrusion attempts by threat actors utilizing Techniques, Tactics, and Procedures (TTPs) that are consistent with an ongoing social engineering campaign being tracked by Rapid7. [..] The initial lure being utilized by the threat actors remains the same: an email bomb followed by an attempt to call impacted users and offer a fake solution.
---------------------------------------------
https://www.rapid7.com/blog/post/2024/08/12/ongoing-social-engineering-camp…
∗∗∗ Google Patches Critical Vulnerabilities in Quick Share After Researchers’ Warning ∗∗∗
---------------------------------------------
A groundbreaking presentation at Defcon 32 has revealed critical flaws in Google's Quick Share, a peer-to-peer data-transfer utility for Android, Windows, and Chrome operating systems. Quick Share boasts impressive versatility, utilizing Bluetooth, Wi-Fi, Wi-Fi Direct, WebRTC, and NFC to facilitate peer-to-peer file transfers; however, these protocols are not designed for file transfers but rather to establish stable device connections for communication purposes.
---------------------------------------------
https://hackread.com/google-patches-quick-share-vulnerabilities-warning/
∗∗∗ Infiltrating internal company groups with domain-based authentication ∗∗∗
---------------------------------------------
What do you get from an ancient protocol, a library used millions of times and authentication by mail domain? Access to the internal GitHub network.
---------------------------------------------
https://heise.de/-9830944
=====================
= Vulnerabilities =
=====================
∗∗∗ New vulnerabilities in OpenVPN ∗∗∗
---------------------------------------------
Microsoft has found a series of vulnerabilities in the OpenVPN clients for Android, iOS, macOS, BSD and Windows. Attackers could combine some of the discovered vulnerabilities into a remotely exploitable attack chain comprising remote code execution (RCE) and local privilege escalation (LPE). The vulnerabilities should be remedied through updates, although in some cases this depends on firmware from various device manufacturers.
---------------------------------------------
https://www.borncity.com/blog/2024/08/10/neue-schwachstellen-in-openvpn/
∗∗∗ Security vulnerabilities: network monitoring tool Zabbix can leak passwords ∗∗∗
---------------------------------------------
In current releases of the network monitoring tool Zabbix, the developers have closed a total of eight security vulnerabilities. After successful attacks, attackers can, for example, view passwords in plaintext or even execute malicious code.
---------------------------------------------
https://heise.de/-9832311
∗∗∗ Industrial Remote Access Tool Ewon Cosy+ Vulnerable to Root Access Attacks ∗∗∗
---------------------------------------------
Security vulnerabilities have been disclosed in the industrial remote access solution Ewon Cosy+ that could be abused to gain root privileges to the devices and stage follow-on attacks.
---------------------------------------------
https://thehackernews.com/2024/08/industrial-remote-access-tool-ewon-cosy.h…
∗∗∗ FreeBSD Releases Urgent Patch for High-Severity OpenSSH Vulnerability ∗∗∗
---------------------------------------------
The maintainers of the FreeBSD Project have released security updates to address a high-severity flaw in OpenSSH that attackers could potentially exploit to execute arbitrary code remotely with elevated privileges. The vulnerability, tracked as CVE-2024-7589, carries a CVSS score of 7.4 out of a maximum of 10.0, indicating high severity.
---------------------------------------------
https://thehackernews.com/2024/08/freebsd-releases-urgent-patch-for-high.ht…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (httpd:2.4), Fedora (chromium, firefox, frr, neatvnc, nss, python-setuptools, and python3.13), Gentoo (AFLplusplus, Bundler, dpkg, GnuPG, GPAC, libde265, matio, MuPDF, PHP, protobuf, protobuf-python, protobuf-c, rsyslog, Ruby on Rails, and runc), Red Hat (389-ds-base, container-tools:rhel8, and httpd:2.4), SUSE (bind and ca-certificates-mozilla), and Ubuntu (linux-azure).
---------------------------------------------
https://lwn.net/Articles/985336/
∗∗∗ Warning about Microsoft Office spoofing vulnerability CVE-2024-38200 ∗∗∗
---------------------------------------------
On 8 August 2024 (with an update on 10 August 2024), Microsoft published a warning about an unpatched spoofing vulnerability, CVE-2024-38200. The vulnerability is present in all Office versions (Office 2016 – 2021, Office 365). [..] Attackers can provide a file via a specially crafted or compromised website in order to exploit the vulnerability. The vulnerability could expose NTLM hashes to remote attackers.
---------------------------------------------
https://www.borncity.com/blog/2024/08/12/warnung-vor-microsoft-office-spoof…
∗∗∗ "Ghostwrite" vulnerability allows DRAM access in RISC-V CPUs ∗∗∗
---------------------------------------------
German researchers found vulnerabilities in individual RISC-V CPUs from T-Head Semiconductors. The flexible, young architecture turns out to be a risk here. [..] However, the discovered vulnerabilities cannot be fixed with microcode or a software update even after their disclosure, because they are located in the hardware's circuitry.
---------------------------------------------
https://heise.de/-9830926
∗∗∗ B&R: 2024-08-09: Cyber Security Advisory - B&R Automation Runtime Several vulnerabilities in B&R Automation Runtime ∗∗∗
---------------------------------------------
https://www.br-automation.com/fileadmin/SA24P011-d8aaf02f.pdf
∗∗∗ Asterisk Security Advisories ∗∗∗
---------------------------------------------
https://www.asterisk.org/downloads/security-advisories/
∗∗∗ GitLab Patch Release: 17.2.2, 17.1.4, 17.0.6 ∗∗∗
---------------------------------------------
https://about.gitlab.com/releases/2024/08/07/patch-release-gitlab-17-2-2-re…
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 08-08-2024 18:00 − Friday 09-08-2024 18:00
Handler: Robert Waldner
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Malware force-installs Chrome extensions on 300,000 browsers, patches DLLs ∗∗∗
---------------------------------------------
An ongoing and widespread malware campaign force-installed malicious Google Chrome and Microsoft Edge browser extensions in over 300,000 browsers, modifying the browsers executables to hijack homepages and steal browsing history.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/malware-force-installs-chrom…
∗∗∗ ‘Sinkclose’ Flaw in Hundreds of Millions of AMD Chips Allows Deep, Virtually Unfixable Infections ∗∗∗
---------------------------------------------
Researchers warn that a bug in AMD’s chips would allow attackers to root into some of the most privileged portions of a computer—and that it has persisted in the company’s processors for decades.
---------------------------------------------
https://www.wired.com/story/amd-chip-sinkclose-flaw/
∗∗∗ Windows Server at risk from PoC exploit for CVE-2024-38077 ∗∗∗
---------------------------------------------
Another follow-up to the July 2024 Patch Tuesday, in which Microsoft closed the vulnerability CVE-2024-38077 in the Windows Remote Desktop Licensing service (RDL) of Windows Server. [..] a proof of concept (PoC) for this vulnerability has been published.
---------------------------------------------
https://www.borncity.com/blog/2024/08/09/windows-server-durch-poc-exploit-f…
∗∗∗ How Hackers Extracted the ‘Keys to the Kingdom’ to Clone HID Keycards ∗∗∗
---------------------------------------------
[HID] has actually known about the vulnerabilities [..] since sometime in 2023, when it was first informed about the technique by another security researcher [..] HID warned customers about the existence of a vulnerability that would allow hackers to clone keycards in an advisory in January, which includes recommendations about how customers can protect themselves—but it offered no software update at that time.
---------------------------------------------
https://www.wired.com/story/hid-keycard-authentication-key-vulnerability/
∗∗∗ ICANN reserves .internal for private use at the DNS level ∗∗∗
---------------------------------------------
The Internet Corporation for Assigned Names and Numbers (ICANN) has agreed to reserve the .internal top-level domain so it can become the equivalent to using the 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 IPv4 address blocks for internal networks. Those blocks are reserved for private use by the Internet Assigned Numbers Authority, which requires they never appear on the public internet.
---------------------------------------------
https://www.theregister.com/2024/08/08/dot_internal_ratified/
∗∗∗ New attack against the [Linux kernel] SLUB allocator ∗∗∗
---------------------------------------------
Researchers from Graz University of Technology have published details of a new attack on the Linux kernel called SLUBstack. The attack uses timing information to turn an ability to trigger use-after-free or double-free bugs into the ability to overwrite page tables, and thence into the ability to read and write arbitrary areas of memory. The good news is that this attack does require an existing bug to be usable; the bad news is that the kernel regularly sees bugs of this kind.
---------------------------------------------
https://lwn.net/Articles/984984/
∗∗∗ Fake videos: Van der Bellen & Assinger are not advertising investment platforms ∗∗∗
---------------------------------------------
We are currently seeing another wave of deepfake videos in which Austrian celebrities advertise investment platforms on Facebook and Instagram. Don't be fooled: neither Federal President Alexander van der Bellen nor TV presenter Armin Assinger have suddenly become financial experts who developed an investment platform. The platforms are fraudulent and the videos were created by criminals.
---------------------------------------------
https://www.watchlist-internet.at/news/fake-videos-van-der-bellen-assinger-…
∗∗∗ Confusion Attacks: Exploiting Hidden Semantic Ambiguity in Apache HTTP Server! ∗∗∗
---------------------------------------------
This article explores architectural issues within the Apache HTTP Server, highlighting several technical debts within Httpd, including 3 types of Confusion Attacks, 9 new vulnerabilities, 20 exploitation techniques, and over 30 case studies. [..] These vulnerabilities were reported through the official security mailing list and were addressed by the Apache HTTP Server in the 2.4.60 update published on 2024-07-01.
---------------------------------------------
https://devco.re/blog/2024/08/09/confusion-attacks-exploiting-hidden-semant…
∗∗∗ Best Practices for Cisco Device Configuration ∗∗∗
---------------------------------------------
In recent incidents, CISA has seen malicious cyber actors acquire system configuration files by leveraging available protocols or software on devices, such as abusing the legacy Cisco Smart Install feature. CISA recommends organizations disable Smart Install and review NSA’s Smart Install Protocol Misuse advisory and Network Infrastructure Security Guide for configuration guidance.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/08/08/best-practices-cisco-dev…
∗∗∗ Security researchers turn Sonos One speakers into bugging devices ∗∗∗
---------------------------------------------
Attackers can record conversations via the built-in microphone of Sonos One speakers. The security problem has since been resolved.
---------------------------------------------
https://heise.de/-9830061
=====================
= Vulnerabilities =
=====================
∗∗∗ Vulnerabilities in 1Password endanger macOS users [CVE-2024-42218, CVE-2024-42219] ∗∗∗
---------------------------------------------
1Password 8 for Mac has two security vulnerabilities that allow attackers to extract vault items from macOS users. [..] For an attack to succeed, however, the attacker must already be able to run their own software on the target system for both vulnerabilities.
---------------------------------------------
https://www.golem.de/news/datenabfluss-moeglich-schwachstellen-in-1password…
∗∗∗ Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability [CVE-2024-38219] ∗∗∗
---------------------------------------------
Successful exploitation of this vulnerability requires an attacker to gather information specific to the environment and take additional actions prior to exploitation to prepare the target environment. Fixed in Microsoft Edge Version 127.0.2651.98 released 8/8/2024.
---------------------------------------------
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38219
∗∗∗ Microsoft Edge (HTML-based) Memory Corruption Vulnerability [CVE-2024-38218] ∗∗∗
---------------------------------------------
The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability. Fixed in Microsoft Edge Version 127.0.2651.98 released 8/8/2024.
---------------------------------------------
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38218
∗∗∗ Multiple vulnerabilities in LogSign ∗∗∗
---------------------------------------------
https://www.zerodayinitiative.com/advisories/ZDI-24-1102/
http://www.zerodayinitiative.com/advisories/ZDI-24-1103/
http://www.zerodayinitiative.com/advisories/ZDI-24-1104/
https://www.zerodayinitiative.com/advisories/ZDI-24-1105/
https://www.zerodayinitiative.com/advisories/ZDI-24-1106/
---------------------------------------------
https://support.logsign.net/hc/en-us/articles/20617133769362-07-08-2024-Ver…
∗∗∗ PostgreSQL relation replacement during pg_dump executes arbitrary SQL [CVE-2024-7348] ∗∗∗
---------------------------------------------
Time-of-check Time-of-use (TOCTOU) race condition in pg_dump in PostgreSQL allows an object creator to execute arbitrary SQL functions as the user running pg_dump, which is often a superuser. The attack involves replacing another relation type with a view or foreign table. The attack requires waiting for pg_dump to start, but winning the race condition is trivial if the attacker retains an open transaction. Versions before PostgreSQL 16.4, 15.8, 14.13, 13.16, and 12.20 are affected.
---------------------------------------------
https://www.postgresql.org/support/security/CVE-2024-7348/
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (httpd, kernel, kernel-rt, and libtiff), Debian (postgresql-13, postgresql-15, and thunderbird), Fedora (frr, thunderbird, vim, and xrdp), Gentoo (Librsvg, Nautilus, ncurses, Percona XtraBackup, QEMU, and re2c), Red Hat (httpd, kernel, kernel-rt, openssl, and python-setuptools), SUSE (bind, ffmpeg-4, kubernetes1.23, kubernetes1.24, python-Django, and python3-Twisted), and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-raspi, linux-xilinx-zynqmp, linux, linux-aws, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux, linux-aws, linux-gcp, linux-gke, linux-ibm, linux-nvidia, linux-nvidia-6.8, linux-oem-6.8, linux-nvidia-lowlatency, linux-oracle, linux-oracle, linux-oracle-5.4, salt.
---------------------------------------------
https://lwn.net/Articles/984966/
∗∗∗ New FileSender 2.49 release with major changes ∗∗∗
---------------------------------------------
We are happy to announce the release of FileSender 2.49. This new release includes security updates that you should install. Also, it offers a few features and improvements, as well as many bug fixes.
---------------------------------------------
https://connect.geant.org/2024/08/08/new-filesender-2-49-release-with-major…
∗∗∗ 0.0.0.0 Day vulnerability has enabled attacks on browsers for 18 years ∗∗∗
---------------------------------------------
Security researchers have disclosed that hackers have exploited a long-known, 18-year-old bug in Safari, Chrome and Firefox to break into private networks. The vulnerability, dubbed "0.0.0.0 Day", allows malicious websites to bypass browser security and interact with services running on an organization's local network. This can lead to unauthorized access and remote code execution on local services by attackers outside the network. Browser vendors are now beginning to block this address.
---------------------------------------------
https://www.borncity.com/blog/2024/08/09/0-0-0-0-day-schwachstelle-ermglich…
∗∗∗ RaonSecure Product Security Advisory ∗∗∗
---------------------------------------------
Overview: RaonSecure has released an update to address a vulnerability in their products. Users of affected versions are advised to update to the latest version. Affected Products: TouchEn nxKey, versions up to and including 1.0.0.87.
---------------------------------------------
https://asec.ahnlab.com/en/82372/
∗∗∗ LibreOffice: Ability to trust not validated macro signatures removed in high security mode [CVE-2024-6472] ∗∗∗
---------------------------------------------
https://www.libreoffice.org/about-us/security/advisories/CVE-2024-6472
∗∗∗ IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to multiple Vim-minimal Package Issues ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164174
∗∗∗ Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for July 2024. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7161907
∗∗∗ Multiple vulnerabilities in IBM Business Automation Workflow Machine Learning Server are addressed with 24.0.0-IF001 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164164
∗∗∗ IBM Cloud Pak for Data is vulnerable to unknown impact and attack vector due to Python certifi (CVE-2022-23491) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164180
∗∗∗ IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to multiple Base OS issues ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164175
∗∗∗ IBM Cloud Pak for Data is vulnerable to session hijacking due to Node.js passport module (CVE-2022-25896) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164201
∗∗∗ IBM Cloud Pak for Data is vulnerable to denial of service due to Node.js http-cache-semantics module (CVE-2022-25881) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164225
∗∗∗ IBM Cloud Pak for Data is vulnerable to denial of service due to Node.js cookiejar module (CVE-2022-25901) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164200
∗∗∗ IBM Cloud Pak for Data is vulnerable to cross-site scripting due to Jinja2 (CVE-2024-34064) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164204
∗∗∗ IBM Cloud Pak for Data is vulnerable to denial of service due to Pallets Werkzeug (CVE-2023-46136) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164208
∗∗∗ IBM Cloud Pak for Data is vulnerable to denial of service due to Express.js (CVE-2022-24999) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164217
∗∗∗ IBM Cloud Pak for Data is vulnerable to several issues due to the go compiler (CVE-2022-41724, CVE-2021-34558) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164255
∗∗∗ IBM Cloud Pak for Data is vulnerable to denial of service due to Rack (CVE-2024-26146) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164274
∗∗∗ IBM Cloud Pak for Data is vulnerable to exposing sensitive information due to Masterminds GoUtils (CVE-2021-4238) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164234
∗∗∗ IBM Cloud Pak for Data is vulnerable to denial of service due to Node.js semver (CVE-2022-25883) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164266
∗∗∗ IBM Cloud Pak for Data is vulnerable to regular expression denial of service due to Rack (CVE-2023-27539) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164269
∗∗∗ This Power System update is being released to address CVE-2024-41660 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7163146
∗∗∗ IBM Aspera Shares improved security for user session handling (CVE-2023-38018) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164325
∗∗∗ The IBM Engineering Lifecycle Engineering product using the -Xgc:concurrentScavenge option on IBM Z is vulnerable to Buffer overflow in GC ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164658
∗∗∗ The IBM Engineering Lifecycle Engineering product using IBM WebSphere Application Server is vulnerable to cross-site scripting (CVE-2024-35153) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164651
∗∗∗ The IBM Engineering Lifecycle Engineering product using IBM WebSphere Application Server is vulnerable to remote code execution (CVE-2024-35154) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164649
∗∗∗ The IBM Engineering Lifecycle Engineering product using IBM WebSphere Application Server is vulnerable to identity spoofing (CVE-2024-37532) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164653
∗∗∗ IBM Sterling Connect:Direct Web Service is affected by Java JWT vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164709
∗∗∗ There is a vulnerability in commons-compress-1.21.jar used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2024-25710, CVE-2024-26308) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164810
∗∗∗ There is a vulnerability in commons-compress-1.21.jar used by IBM Maximo Asset Management application (CVE-2024-25710, CVE-2024-26308) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164809
∗∗∗ Maximo Application Suite - IBM WebSphere Application Server Liberty is vulnerable to CVE-2024-27268 used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164814
∗∗∗ Maximo Application Suite - IBM WebSphere Application Server Liberty is vulnerable to CVE-2024-22354 used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164813
∗∗∗ Maximo Application Suite - IBM WebSphere Application Server Liberty is vulnerable to CVE-2023-51775 a denial of service due to jose4j ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164812
∗∗∗ Maximo Application Suite - IBM WebSphere Application Server Liberty is vulnerable to multiple CVEs used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164811
∗∗∗ Multiple Vulnerabilities in XCC affect IBM Cloud Pak System ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7147906
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 07-08-2024 18:00 − Thursday 08-08-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ No patch in sight: Outlook's phishing warning can be hidden via email ∗∗∗
---------------------------------------------
On top of that, a phishing email in Outlook can also pretend to be encrypted or signed. For Microsoft, the issue currently has no priority.
---------------------------------------------
https://www.golem.de/news/kein-patch-in-sicht-phishing-warnung-in-outlook-l…
∗∗∗ Samsung boosts bug bounty to a cool million for cracks of the Knox Vault subsystem ∗∗∗
---------------------------------------------
Good luck, crackers: It's an isolated processor and storage enclave, and top dollar only comes from a remote attack. Samsung has dangled its first $1 million bug bounty for anyone who successfully compromises Knox Vault – the isolated subsystem the Korean giant bakes into its smartphones to store info like credentials and run authentication routines.
---------------------------------------------
https://www.theregister.com/2024/08/08/samsung_microsoft_big_bug_bounty/
∗∗∗ Using 1Password on Mac? Patch up if you don’t want your Vaults raided ∗∗∗
---------------------------------------------
Hundreds of thousands of users potentially vulnerable. Password manager 1Password is warning that all Mac users running versions before 8.10.36 are vulnerable to a bug that allows attackers to steal vault items.
---------------------------------------------
https://www.theregister.com/2024/08/08/using_1password_on_mac_patch/
∗∗∗ A Flaw in Windows Update Opens the Door to Zombie Exploits ∗∗∗
---------------------------------------------
A researcher found a vulnerability that would let hackers strategically downgrade a target’s Windows version to re-expose patched vulnerabilities. Microsoft is working on fixes for the issue.
---------------------------------------------
https://www.wired.com/story/windows-update-downdate-exploit/
∗∗∗ Vulnerabilities Exposed Widely Used Solar Power Systems to Hacking, Disruption ∗∗∗
---------------------------------------------
Vulnerabilities found in solar power systems could have been exploited by hackers to cause disruption and possibly blackouts.
---------------------------------------------
https://www.securityweek.com/vulnerabilities-exposed-widely-used-solar-powe…
∗∗∗ Royal Ransomware Actors Rebrand as “BlackSuit,” FBI and CISA Release Update to Advisory ∗∗∗
---------------------------------------------
Today, CISA—in partnership with the Federal Bureau of Investigation (FBI)—released an update to joint Cybersecurity Advisory #StopRansomware: Royal Ransomware, #StopRansomware: BlackSuit (Royal) Ransomware. The updated advisory provides network ..
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/08/07/royal-ransomware-actors-…
∗∗∗ US offers $10 million for info on Iranian leaders behind CyberAv3ngers water utility attacks ∗∗∗
---------------------------------------------
The U.S. State Department identified at least six Iranian government hackers allegedly responsible for a string of attacks on U.S. water utilities last fall and offered a large reward for information on their whereabouts.
---------------------------------------------
https://therecord.media/us-offers-reward-for-info-on-iranian-hackers-water-…
∗∗∗ BOTNET 7777: ARE YOU BETTING ON A COMPROMISED ROUTER? ∗∗∗
---------------------------------------------
A “7777 botnet” was first referenced in public reporting in October 2023 by Gi7w0rm. At the time, it was described as a botnet with approximately 10,000 nodes, observed primarily in brute-force attacks against Microsoft Azure instances. These attacks ..
---------------------------------------------
https://www.team-cymru.com/post/botnet-7777-are-you-betting-on-a-compromise…
∗∗∗ Go deeper: Linux runtime visibility meets Wireshark ∗∗∗
---------------------------------------------
Aqua Tracee is an open source runtime security and forensics tool for Linux, built to address common Linux security issues. Tracee’s main use case is to be installed in a production environment, continuously monitor system activity and detect suspicious behavior. Other use cases for Tracee include dynamic malware analysis, system tracing, ..
---------------------------------------------
https://blog.aquasec.com/go-deeper-linux-runtime-visibility-meets-wireshark
∗∗∗ PureHVNC Deployed via Python Multi-stage Loader ∗∗∗
---------------------------------------------
FortiGuard Labs reveals that the malware "PureHVNC", sold on a cybercrime forum, is spreading through a phishing campaign targeting employees via a Python multi-stage loader.
---------------------------------------------
https://www.fortinet.com/blog/threat-research/purehvnc-deployed-via-python-…
∗∗∗ Cisco: attackers can execute commands on IP phones, no update coming ∗∗∗
---------------------------------------------
There will be no updates for critical vulnerabilities in Cisco IP phones. A proof-of-concept exploit has surfaced for a recently reported vulnerability.
---------------------------------------------
https://heise.de/-9827988
=====================
= Vulnerabilities =
=====================
∗∗∗ DSA-5743-1 roundcube - security update ∗∗∗
---------------------------------------------
https://lists.debian.org/debian-security-announce/2024/msg00154.html
∗∗∗ Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerabilities ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Small Business SPA300 Series and SPA500 Series IP Phones Web UI Vulnerabilities ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…