- Daily - CERT.at

Tageszusammenfassung - 14.06.2024
by Daily end-of-shift report 14 Jun '24

14 Jun '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 13-06-2024 18:00 − Freitag 14-06-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ 2023 Hacked Website & Malware Threat Report ∗∗∗ --------------------------------------------- This year, we’ve included new insights to highlight the most prevalent tactics and techniques observed in compromised web environments and remote scanners. --------------------------------------------- https://blog.sucuri.net/2024/06/2023-hacked-website-malware-threat-report.h… ∗∗∗ How to Write Good Incident Response Reports ∗∗∗ --------------------------------------------- Creating an informative and readable report is among the many challenges of responding to cybersecurity incidents. A good report not only answers its readers questions but also instills confidence in the response and enables the organization to learn from the incident. This blog highlights my advice on writing such incident reports. --------------------------------------------- https://zeltser.com/good-incident-reports/ ∗∗∗ Edge Devices: The New Frontier for Mass Exploitation Attacks ∗∗∗ --------------------------------------------- The increase in mass exploitation involving edge services and devices is likely to worsen. --------------------------------------------- https://www.securityweek.com/edge-devices-the-new-frontier-for-mass-exploit… ∗∗∗ Microsoft president tells lawmakers red lines needed for nation-state attacks ∗∗∗ --------------------------------------------- Microsoft president Brad Smith testified before a congressional committee on Thursday, at times accepting responsibility for the company’s recent cybersecurity mistakes while simultaneously deflecting criticism of the tech giant’s practices. He also called on the government to create "consequences" for nation-state hackers who compromise U.S. systems. --------------------------------------------- https://therecord.media/microsoft-president-brad-smith-lawmakers-cyber ∗∗∗ Windows 11 "Copilot+PC" kommt (vorerst) ohne Recall ∗∗∗ --------------------------------------------- Was für ein PR-Desaster für Microsoft – nächste Woche sollen Geräte mit dem Konzept "Copilot+PC" auf den Markt kommen. Aber die wichtigste Funktion "Windows Recall", die Microsoft noch vor kurzen als den "Stein der KI-Weisen" in den Himmel gelobt hat, wird fehlen. Es gibt den recall von Recall, was als Meme inzwischen durch das Netz geistert. [..] Denn Sicherheit habe bei Microsoft "oberste Priorität" und dieser Rückruf sei im Sinne der Secure Future Initiative (SFI). --------------------------------------------- https://www.borncity.com/blog/2024/06/14/windows-11-copilotpc-kommt-vorerst… ∗∗∗ Noodle RAT: Reviewing the Backdoor Used by Chinese-Speaking Groups ∗∗∗ --------------------------------------------- This blog entry provides an analysis of the Noodle RAT backdoor, which is likely being used by multiple Chinese-speaking groups engaged in espionage and other types of cybercrime. --------------------------------------------- https://www.trendmicro.com/en_us/research/24/f/noodle-rat-reviewing-the-new… ∗∗∗ UNC3944 Targets SaaS Applications ∗∗∗ --------------------------------------------- UNC3944 is a financially motivated threat group that carries significant overlap with public reporting of "0ktapus," "Octo Tempest," "Scatter Swine," and "Scattered Spider," and has been observed adapting its tactics to include data theft from software-as-a-service (SaaS) applications to attacker-owned cloud storage objects (using cloud synchronization tools), persistence mechanisms against virtualization platforms, and lateral movement via SaaS permissions abuse. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-sa… ===================== = Vulnerabilities = ===================== ∗∗∗ Nextcloud Security Advisories 2024-06-14 ∗∗∗ --------------------------------------------- 2x High, 5x Moderate, 5x Low --------------------------------------------- https://github.com/nextcloud/security-advisories/security?page=1 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (389-ds-base, bind, bind-dyndb-ldap, and dhcp, firefox, glibc, ipa, less, libreoffice, and thunderbird), Debian (cups), Fedora (chromium and cyrus-imapd), Mageia (golang and poppler), Oracle (bind, bind-dyndb-ldap, and dhcp, gvisor-tap-vsock, python-idna, and ruby), Red Hat (dnsmasq and expat), SUSE (libaom, php8, podman, python-pymongo, python-scikit-learn, and tiff), and Ubuntu (h2database and vte2.91). --------------------------------------------- https://lwn.net/Articles/978418/ ∗∗∗ Security Vulnerabilities fixed in Firefox ESR 115.12 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2024-28/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.06.2024
by Daily end-of-shift report 13 Jun '24

13 Jun '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 12-06-2024 18:00 − Donnerstag 13-06-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Microsoft Patchday Juni 2024 - CVE-2024-30080, CVE-2024-30078 ∗∗∗ --------------------------------------------- Im Rahmen des aktuellen Patchday hat Microsoft Patches für 58 Sicherheitslücken veröffentlicht. Aus der Liste stechen zwei Schwachstellen besonders hervor: CVE-2024-30080, eine Remote Code Execution in Microsoft Message Queuing (MSMQ) [..] CVE-2024-30078, eine Remote Code Execution in "Windows Wi-Fi Driver". --------------------------------------------- https://www.cert.at/de/aktuelles/2024/6/microsoft-patchday-juni-2024-cve-20… ∗∗∗ Kundenservice österreichischer Unternehmen nicht über kunden-support.tel kontaktieren! ∗∗∗ --------------------------------------------- Sie suchen die Kontaktdaten des Kundendienstes Ihrer Bank oder Ihres Mobilfunkanbieters? Sie haben eine Frage an die Österreichische Post oder müssen die Wiener Stadtwerke erreichen? Wenn Sie im Internet nach den Kontaktdaten eines dieser oder vieler anderer Unternehmen suchen, um den Kundensupport anzurufen, könnten Sie auf die Seite kunden-support.tel stoßen. Diese Seite schaltet Werbung auf Google und gibt vor, die Kontaktdaten verschiedener österreichischer Kundendienste aufzulisten. Aber Vorsicht! Dahinter stecken Kriminelle! --------------------------------------------- https://www.watchlist-internet.at/news/kundenservice-oesterreichischer-unte… ∗∗∗ Cinterion EHS5 3G UMTS/HSPA Module Research ∗∗∗ --------------------------------------------- In the course of the modem security analysis, we found seven locally exploited vulnerabilities and one remotely exploited vulnerability. The combination of these vulnerabilities could allow an attacker to completely get control over the modem. [..] All discovered vulnerabilities have been reported to the vendor. Some of them have not been addressed by the vendor so far as the product support discontinued. --------------------------------------------- https://ics-cert.kaspersky.com/publications/cinterion-ehs5-3g-umts-hspa-mod… ∗∗∗ Phishing emails abuse Windows search protocol to push malicious scripts ∗∗∗ --------------------------------------------- A new phishing campaign uses HTML attachments that abuse the Windows search protocol (search-ms URI) to push batch files hosted on remote servers that deliver malware. [..] In June 2022, security researchers devised a potent attack chain that also exploited a Microsoft Office flaw to launch searches directly from Word documents. Trustwave SpiderLabs researchers now report that this technique is used in the wild by threat actors who are using HTML attachments to launch Windows searches on attackers' servers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/phishing-emails-abuse-window… ∗∗∗ Fortinet: CVE 2024-21754: Passwords on a Silver Platter ∗∗∗ --------------------------------------------- Matthias Barkhausen and Hendrik Eckardt have discovered a flaw in the firmware of Fortinet firewalls. This flaw potentially reveals sensitive information to attackers, such as passwords. [..] The flaw has been responsibly disclosed to the vendor. It has been addressed in FortiOS v7.4.4, dated June 11, 2024. [..] Learn more details and read the full story on the blog of G DATA Advanced Analytics. --------------------------------------------- https://www.gdatasoftware.com/blog/2024/01/37834-passwords-on-a-silver-plat… ∗∗∗ Cybercriminals Employ PhantomLoader to Distribute SSLoad Malware ∗∗∗ --------------------------------------------- The nascent malware known as SSLoad is being delivered by means of a previously undocumented loader called PhantomLoader, according to findings from cybersecurity firm Intezer. [..] The attack chains typically involve the use of an MSI installer that, when launched, initiates the infection sequence. Specifically, it leads to the execution of PhantomLoader, a 32-bit DLL written in C/C++ that masquerades as a DLL module for an antivirus software called 360 Total Security ("MenuEx.dll"). --------------------------------------------- https://thehackernews.com/2024/06/cybercriminals-employ-phantomloader-to.ht… ∗∗∗ New Attack Technique Sleepy Pickle Targets Machine Learning Models ∗∗∗ --------------------------------------------- The security risks posed by the Pickle format have once again come to the fore with the discovery of a new "hybrid machine learning (ML) model exploitation technique" dubbed Sleepy Pickle. [..] While pickle is a widely used serialization format by ML libraries like PyTorch, it can be used to carry out arbitrary code execution attacks simply by loading a pickle file (i.e., during deserialization). --------------------------------------------- https://thehackernews.com/2024/06/new-attack-technique-sleepy-pickle.html ∗∗∗ Digitale Stellenangebote: Job gesucht, Betrug gefunden ∗∗∗ --------------------------------------------- Jahresverdienst von 90.000 Euro, Homeoffice und 30 Tage Urlaub für eine Einstiegsstelle als Junior Data Analyst – das klingt zu gut, um wahr zu sein, oder? Ist es auch: Denn oftmals entpuppen sich solche Stellenangebote als Betrug. --------------------------------------------- https://www.welivesecurity.com/de/scams/digitale-stellenangebote-job-gesuch… ∗∗∗ Watch Out! CISA Warns It Is Being Impersonated By Scammers ∗∗∗ --------------------------------------------- The US Cybersecurity and Infrastructure Security Agency (CISA) has warned that scammers are impersonating its employees in an attempt to commit fraud. --------------------------------------------- https://www.tripwire.com/state-of-security/watch-out-cisa-warns-it-being-im… ∗∗∗ Malware-Ranking: Androxgh0st-Botnet breitet sich in Deutschland aus ∗∗∗ --------------------------------------------- Die seit April aktive Malware schafft es im Mai bereits auf Platz 2. Lockbit erholt sich von den Maßnahmen der Strafverfolger und macht weltweit wieder 33 Prozent der veröffentlichten Ransomware-Angriffe aus. --------------------------------------------- https://www.zdnet.de/88416444/malware-ranking-androxgh0st-botnet-breitet-si… ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitslücke: Der VLC Media Player ist angreifbar ∗∗∗ --------------------------------------------- Durch einen speziell gestalteten MMS-Stream lässt sich der VLC-Player zum Absturz bringen. Laut VideoLAN ist potenziell auch eine Schadcodeausführung möglich. [..] Anfällig sind alle VLC-Versionen bis einschließlich 3.0.20. --------------------------------------------- https://www.golem.de/news/sicherheitsluecke-der-vlc-media-player-ist-angrei… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr), Fedora (nginx-mod-modsecurity, php, and tomcat), Mageia (strongswan), Oracle (389-ds-base, buildah, c-ares, cockpit, containernetworking-plugins, fence-agents, firefox, gdk-pixbuf2, idm:DL1, ipa, kernel, libreoffice, podman, rpm-ostree, and thunderbird), Red Hat (dnsmasq and nghttp2), Slackware (mozilla), SUSE (curl, firefox, kernel, kernel-firmware-nvidia-gspx-G06, nvidia-open- driver-G06-signed, openssl-3, and python-Pillow), and Ubuntu (libmatio, libndp, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux-oem-6.5, and virtuoso-opensource). --------------------------------------------- https://lwn.net/Articles/978291/ ∗∗∗ CISA Adds Three Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CVE-2024-32896 Android Pixel Privilege Escalation Vulnerability, CVE-2024-26169 Microsoft Windows Error Reporting Service Improper Privilege Management Vulnerability, CVE-2024-4358 Progress Telerik Report Server Authentication Bypass by Spoofing Vulnerability --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/06/13/cisa-adds-three-known-ex… ∗∗∗ Google fixed an actively exploited zero-day in the Pixel Firmware ∗∗∗ --------------------------------------------- https://securityaffairs.com/164500/security/google-fixed-pixel-firmware-zer… ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (June 3, 2024 to June 9, 2024) ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2024/06/wordfence-intelligence-weekly-wordpr… ∗∗∗ Palo Alto: CVE-2024-5908 GlobalProtect App: Encrypted Credential Exposure via Log Files (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2024-5908 ∗∗∗ Palo Alto: CVE-2024-5909 Cortex XDR Agent: Local Windows User Can Disable the Agent (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2024-5909 ∗∗∗ Palo Alto: CVE-2024-5906 Prisma Cloud Compute: Stored Cross-Site Scripting (XSS) Vulnerability in the Web Interface (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2024-5906 ∗∗∗ Palo Alto: CVE-2024-5907 Cortex XDR Agent: Local Privilege Escalation (PE) Vulnerability (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2024-5907 ∗∗∗ Fuji Electric Tellus Lite V-Simulator ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-165-14 ∗∗∗ Rockwell Automation FactoryTalk View SE ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-165-18 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.06.2024
by Daily end-of-shift report 12 Jun '24

12 Jun '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 11-06-2024 18:00 − Mittwoch 12-06-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Schwachstelle in Windows: Angreifer können per WLAN Schadcode einschleusen ∗∗∗ --------------------------------------------- Ein Angreifer muss sich lediglich in WLAN-Reichweite zum Zielsystem befinden, um bösartigen Code auszuführen. Betroffen sind alle gängigen Windows-Versionen. --------------------------------------------- https://www.golem.de/news/schwachstelle-in-windows-angreifer-koennen-per-wl… ∗∗∗ JetBrains warns of IntelliJ IDE bug exposing GitHub access tokens ∗∗∗ --------------------------------------------- JetBrains warned customers to patch a critical vulnerability that impacts users of its IntelliJ integrated development environment (IDE) apps and exposes GitHub access tokens. --------------------------------------------- https://www.bleepingcomputer.com/news/security/jetbrains-warns-of-intellij-… ∗∗∗ New backdoor BadSpace delivered by high-ranking infected websites ∗∗∗ --------------------------------------------- Imagine visiting your favorite website with the same address that you always use and it tells you that your browser needs an update. After downloading and executing the update, theres an unwelcome surprise: the .. --------------------------------------------- https://www.gdatasoftware.com/blog/2024/06/37947-badspace-backdoor ∗∗∗ Geheimdienst deckt auf: China-Hacker dringen in 20.000 Fortinet-Systeme ein ∗∗∗ --------------------------------------------- Ziele der Cyberangriffe sind dem niederländischen NCSC zufolge westliche Regierungen, diplomatische Einrichtungen und die Rüstungsindustrie. --------------------------------------------- https://www.golem.de/news/geheimdienst-deckt-auf-china-hacker-dringen-in-20… ∗∗∗ Microsoft Patch Tuesday June 2024, (Tue, Jun 11th) ∗∗∗ --------------------------------------------- Microsoft's June 2024 update fixes a total of 58 vulnerabilities. 7 of these vulnerabilities are associated with Chromium and Microsoft's Brave browser. Only one vulnerability is rated critical. One of the vulnerabilities had been disclosed before today. --------------------------------------------- https://isc.sans.edu/diary/Microsoft+Patch+Tuesday+June+2024/31000 ∗∗∗ Black Basta Ransomware May Have Exploited MS Windows Zero-Day Flaw ∗∗∗ --------------------------------------------- Threat actors linked to the Black Basta ransomware may have exploited a recently disclosed privilege escalation flaw in the Microsoft Windows Error Reporting Service as a zero-day, according to new findings from .. --------------------------------------------- https://thehackernews.com/2024/06/black-basta-ransomware-may-have.html ∗∗∗ Adobe Plugs Code Execution Holes in After Effects, Illustrator ∗∗∗ --------------------------------------------- Patch Tuesday: Adobe fixes critical flaws and warns of the risk of code execution attacks on Windows and macOS platforms. --------------------------------------------- https://www.securityweek.com/adobe-plugs-code-execution-holes-in-after-effe… ∗∗∗ Betrifft iOS und MacOS: Angreifer können per Mail Facetime-Anrufe einleiten ∗∗∗ --------------------------------------------- Der Entdecker der Schwachstelle behauptet, sie lasse sich sehr einfach ausnutzen. Selbst ein aktiver Lockdown-Modus könne die unerwünschten Anrufe nicht blockieren. --------------------------------------------- https://www.golem.de/news/betrifft-ios-und-macos-angreifer-koennen-per-mail… ∗∗∗ Ransomware Group Exploits PHP Vulnerability Days After Disclosure ∗∗∗ --------------------------------------------- The TellYouThePass ransomware gang started exploiting a recent code execution flaw in PHP days after public disclosure. --------------------------------------------- https://www.securityweek.com/ransomware-group-exploits-php-vulnerability-da… ∗∗∗ GitHub Paid Out Over $4 Million via Bug Bounty Program ∗∗∗ --------------------------------------------- The code hosting platform GitHub has paid out more than $4 million since the launch of its bug bounty program 10 years ago. --------------------------------------------- https://www.securityweek.com/github-paid-out-over-4-million-via-bug-bounty-… ∗∗∗ The Evolution of QR Code Phishing: ASCII-Based QR Codes ∗∗∗ --------------------------------------------- Quishing is a rapidly evolving threat. Starting around August, when we saw the first rapid increase, we’ve also seen a change in the type of QR code attacks. It started with standard MFA authentication requests. It then evolved to conditional routing and custom targeting. Now, we’re seeing another evolution, into the manipulation of .. --------------------------------------------- https://blog.checkpoint.com/harmony-email/the-evolution-of-qr-code-phishing… ∗∗∗ Ukrainian police identify suspected affiliate of Conti, LockBit groups ∗∗∗ --------------------------------------------- Ukrainian cyber police say they have identified a local hacker affiliated with the notorious Conti and LockBit .. --------------------------------------------- https://therecord.media/ukraine-suspected-lockbit-conti-affiliate ===================== = Vulnerabilities = ===================== ∗∗∗ DSA-5707-1 vlc - security update ∗∗∗ --------------------------------------------- https://lists.debian.org/debian-security-announce/2024/msg00117.html ∗∗∗ ZDI-24-579: Apple macOS PPM Image Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-579/ ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- https://lwn.net/Articles/978136/ ∗∗∗ XenServer and Citrix Hypervisor Security Update for CVE-2024-5661 ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX677100/xenserver-and-citrix-hyperviso… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.06.2024
by Daily end-of-shift report 11 Jun '24

11 Jun '24

===================== = End-of-Day report = ===================== Timeframe: Montag 10-06-2024 18:00 − Dienstag 11-06-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Gitloker attacks abuse GitHub notifications to push malicious oAuth apps ∗∗∗ --------------------------------------------- Threat actors impersonate GitHubs security and recruitment teams in phishing attacks to hijack repositories using malicious OAuth apps in an ongoing extortion campaign wiping compromised repos. --------------------------------------------- https://www.bleepingcomputer.com/news/security/gitloker-attacks-abuse-githu… ∗∗∗ Arm warns of actively exploited flaw in Mali GPU kernel drivers ∗∗∗ --------------------------------------------- Arm has issued a security bulletin warning of a memory-related vulnerability in Bifrost and Valhall GPU kernel drivers that is being exploited in the wild. --------------------------------------------- https://www.bleepingcomputer.com/news/security/arm-warns-of-actively-exploi… ∗∗∗ QR code SQL injection and other vulnerabilities in a popular biometric terminal ∗∗∗ --------------------------------------------- The report analyzes the security properties of a popular biometric access control terminal made by ZkTeco and describes vulnerabilities found in it. --------------------------------------------- https://securelist.com/biometric-terminal-vulnerabilities/112800/ ∗∗∗ A Brief History of SmokeLoader, Part 1 ∗∗∗ --------------------------------------------- In May 2024, Zscaler ThreatLabz technical analysis of SmokeLoader supported an international law enforcement action known as Operation Endgame, which remotely disinfected tens of thousands of infections. In the process of providing assistance to law enforcement for the operation, ThreatLabz has documented SmokeLoader for nearly all known versions. In this two-part blog series, we explore the evolution of SmokeLoader. --------------------------------------------- https://www.zscaler.com/blogs/security-research/brief-history-smokeloader-p… ∗∗∗ „Hallo Mama/Hallo Papa“-Nachrichten zielen auf persönliche Fotos ∗∗∗ --------------------------------------------- Vorsicht, wenn Ihr Kind plötzlich von einer unbekannten Nummer schreibt und behauptet, dies sei nun die neue Nummer. Dahinter stecken Kriminelle, die Ihnen Geld stehlen wollen. Außerdem bittet „Ihr Kind“ um die Zusendung von persönlichen Fotos. Diese werden von den Kriminellen vermutlich für weitere Betrugsmaschen missbraucht. --------------------------------------------- https://www.watchlist-internet.at/news/hallo-mama-hallo-papa-nachrichten-zi… ∗∗∗ Enumerating System Management Interrupts ∗∗∗ --------------------------------------------- System Management Interrupts (SMI) provide a mechanism for entering System Management Mode (SMM) which primarily implements platform-specific functions related to power management. SMM is a privileged execution mode with access to the complete physical memory of the system, and to which the operating system has no visibility. --------------------------------------------- https://research.nccgroup.com/2024/06/10/enumerating-system-management-inte… ∗∗∗ BIOS-Update 01.17.00 macht HP Probooks 445 G7 und 455 G7 komplett unbrauchbar ∗∗∗ --------------------------------------------- Hewlett Packard (HP) hat eine kaputte BIOS-Version veröffentlicht, die Notebooks der Modelle HP Probook 445 G7 455 G7 aus dem Jahr 2020 zum teuren Briefbeschwerer machen. [..] Dieses BIOS 01.17.00.Update soll eine kritische Sicherheitslücke schließen, was auch so vom Support Assistant als kritisches Update gelistet wurde, welches man möglichst schnell installieren sollte. --------------------------------------------- https://www.borncity.com/blog/2024/06/11/bios-update-01-17-00-macht-hp-prob… ===================== = Vulnerabilities = ===================== ∗∗∗ Netgear WNR614 flaws allow device takeover, no fix available ∗∗∗ --------------------------------------------- Researchers found half a dozen vulnerabilities of varying severity impacting Netgear WNR614 N300, a budget-friendly router that proved popular among home users and small businesses. --------------------------------------------- https://www.bleepingcomputer.com/news/security/netgear-wnr614-flaws-allow-d… ∗∗∗ (0Day) Microsoft Windows Incorrect Permission Assignment Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows local attackers to disclose sensitive information or to create a denial-of-service condition on affected installations of Microsoft Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. Furthermore, the vulnerable behavior occurs only in certain hardware configurations. [..] Mitigation: Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the application. --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-24-598/ ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (ruby:3.3), Fedora (efifs, libvirt, podman-tui, prometheus-podman-exporter, and strongswan), Red Hat (firefox, idm:DL1, ipa, nghttp2, and thunderbird), SUSE (aws-nitro-enclaves-cli, cdi-apiserver-container, cdi-cloner-container, cdi- controller-container, cdi-importer-container, cdi-operator-container, cdi- uploadproxy-container, cdi-uploadserver-container, containerized-data-importer, frr, glibc, go1.21, go1.22, gstreamer-plugins-base, kernel, kernel-firmware-nvidia-gspx-G06, nvidia-open- driver-G06-signed, libxml2, mariadb, poppler, python-Brotli, python-docker, python-idna, rmt-server, skopeo, sssd, unbound, unrar, util-linux, and webkit2gtk3), and Ubuntu (giflib, libphp-adodb, linux-gkeop, linux-gkeop-5.15, linux-kvm, linux-laptop, linux-oem-6.8, nodejs, and tiff). --------------------------------------------- https://lwn.net/Articles/977939/ ∗∗∗ CVE-2024-28995: Trivially Exploitable Information Disclosure Vulnerability in SolarWinds Serv-U ∗∗∗ --------------------------------------------- On June 5, 2024, SolarWinds disclosed CVE-2024-28995, a high-severity directory traversal vulnerability affecting the Serv-U file transfer server. Successful exploitation of the vulnerability allows unauthenticated attackers to read sensitive files on the host. --------------------------------------------- https://www.rapid7.com/blog/post/2024/06/11/etr-cve-2024-28995-trivially-ex… ∗∗∗ SAP liefert am Patchday Sicherheitskorrekturen für zwei hochriskante Lücken ∗∗∗ --------------------------------------------- SAP warnt zum Juni-Patchday vor zehn neuen Sicherheitslücken. Aktualisierungen zum Abdichten der Lecks stehen bereit. --------------------------------------------- https://heise.de/-9757338 ∗∗∗ Avast Antivirus: Angreifer können Rechte durch Schwachstelle ausweiten ∗∗∗ --------------------------------------------- Avast Antivirus ermöglichte bösartigen Akteuren aufgrund einer Sicherheitslücke, ihre Rechte im System auszuweiten. Aktualisierte Software ist verfügbar und sollte idealerweise bereits mittels automatischem Update-Mechanismus verteilt worden sein. In der Auflistung der Sicherheitsmitteilungen von Norton (unter dieser Gen Digital Inc.-Marke sind Avast-, Avira-, AVG- und Norton Security-Produkte inzwischen gruppiert) findet sich nichts zu dieser Lücke, jedoch hat NortonLifeLock als CNA einen entsprechenden CVE-Eintrag erstellt. --------------------------------------------- https://heise.de/-9757748 ∗∗∗ Citrix: XenServer and Citrix Hypervisor Security Update for CVE-2024-5661 ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX677100/xenserver-and-citrix-hyperviso… ∗∗∗ Mozilla: Security Vulnerabilities fixed in Firefox 127 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2024-25/ ∗∗∗ Phoenix Contact: Unbounded growth of OpenSSL session cache in multiple FL MGUARD devices ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2024-029/ ∗∗∗ Mitsubishi Electric CC-Link IE TSN Industrial Managed Switch ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-158-03 ∗∗∗ AVEVA PI Asset Framework Client ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-163-03 ∗∗∗ AVEVA PI Web API ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-163-02 ∗∗∗ Rockwell Automation ControlLogix, GuardLogix, and CompactLogix ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-163-01 ∗∗∗ Intrado 911 Emergency Gateway ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-163-04 ∗∗∗ MicroDicom DICOM Viewer ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-163-01 ∗∗∗ SSA-900277 V1.0: MODEL File Parsing Vulnerability in Tecnomatix Plant Simulation before V2302.0012 and V2024.0001 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-900277.html ∗∗∗ SSA-879734 V1.0: Multiple Vulnerabilities in SCALANCE XM-400/XR-500 before V6.6.1 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-879734.html ∗∗∗ SSA-771940 V1.0: X_T File Parsing Vulnerabilities in Teamcenter Visualization and JT2Go ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-771940.html ∗∗∗ SSA-690517 V1.0: Multiple Vulnerabilities in SCALANCE W700 802.11 AX Family ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-690517.html ∗∗∗ SSA-625862 V1.0: Multiple Vulnerabilities in Third-Party Components in SIMATIC CP 1542SP-1 and CP 1543SP-1 before V2.3 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-625862.html ∗∗∗ SSA-620338 V1.0: Buffer Overflow Vulnerability in SICAM AK3 / BC / TM ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-620338.html ∗∗∗ SSA-540640 V1.0: Improper Privilege Management Vulnerability in Mendix Runtime ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-540640.html ∗∗∗ SSA-481506 V1.0: Information Disclosure Vulnerability in SIMATIC S7-200 SMART Devices ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-481506.html ∗∗∗ SSA-341067 V1.0: Multiple vulnerabilities in third-party components in ST7 ScadaConnect before V1.1 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-341067.html ∗∗∗ SSA-337522 V1.0: Multiple Vulnerabilities in TIM 1531 IRC before V2.4.8 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-337522.html ∗∗∗ SSA-319319 V1.0: Denial of Service Vulnerability in TIA Administrator ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-319319.html ∗∗∗ SSA-238730 V1.0: Out-of-Bounds Write Vulnerabilities in SITOP UPS1600 before V2.5.4 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-238730.html ∗∗∗ SSA-196737 V1.0: Multiple Vulnerabilities in SINEC Traffic Analyzer before V1.2 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-196737.html ∗∗∗ SSA-024584 V1.0: Authentication Bypass Vulnerability in PowerSys before V3.11 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-024584.html ∗∗∗ Fortinet: Blind SQL Injection ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-24-128 ∗∗∗ Fortinet: Buffer overflow in fgfmd ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-24-036 ∗∗∗ Fortinet: FortiOS/FortiProxy - XSS in reboot page ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-23-471 ∗∗∗ Fortinet: FortiSOAR is vulnerable to sql injection in Event Auth API via uuid parameter ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-23-495 ∗∗∗ Fortinet: Multiple buffer overflows in diag npu command ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-23-460 ∗∗∗ Fortinet: Stack buffer overflow on bluetooth write feature ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-23-356 ∗∗∗ Fortinet: TunnelVision - CVE-2024-3661 ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-24-170 ∗∗∗ Fortinet: Weak key derivation for backup file ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-23-423 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.06.2024
by Daily end-of-shift report 10 Jun '24

10 Jun '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 07-06-2024 18:00 − Montag 10-06-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ How We Cover Your Back ∗∗∗ --------------------------------------------- As a national CERT, one of our extremely important tasks is to proactively inform network operators about potential or confirmed security issues that could affect Austrian companies. Initially, I intended to discuss the technical changes in our systems, but I believe its better to start by explaining what we actually do and how we help you sleep well at night — though you should never rely solely on us! --------------------------------------------- https://www.cert.at/en/blog/2024/6/how-we-cover-your-back ∗∗∗ Exploit for critical Veeam auth bypass available, patch now ∗∗∗ --------------------------------------------- A proof-of-concept (PoC) exploit for a Veeam Backup Enterprise Manager authentication bypass flaw tracked as CVE-2024-29849 is now publicly available, making it urgent that admins apply the latest security updates. --------------------------------------------- https://www.bleepingcomputer.com/news/security/exploit-for-critical-veeam-a… ∗∗∗ DDoS attacks target EU political parties as elections begin ∗∗∗ --------------------------------------------- Hacktivists are conducting DDoS attacks on European political parties that represent and promote strategies opposing their interests, according to a report by Cloudflare. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ddos-attacks-target-eu-polit… ∗∗∗ Malicious VSCode extensions with millions of installs discovered ∗∗∗ --------------------------------------------- A group of Israeli researchers explored the security of the Visual Studio Code marketplace and managed to "infect" over 100 organizations by trojanizing a copy of the popular 'Dracula Official theme to include risky code. Further research into the VSCode Marketplace found thousands of extensions with millions of installs. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malicious-vscode-extensions-… ∗∗∗ Bypassing 2FA with phishing and OTP bots ∗∗∗ --------------------------------------------- Explaining how scammers use phishing and OTP bots to gain access to accounts protected with 2FA. --------------------------------------------- https://securelist.com/2fa-phishing/112805/ ∗∗∗ Attacker Probing for New PHP Vulnerablity CVE-2024-4577, (Sun, Jun 9th) ∗∗∗ --------------------------------------------- Our honeypots have detected the first probes for CVE-2024-4577. [..] Watchtwr Labs says PHP is only vulnerable if used in CGI mode in Chinese and Japanese locales. According to Orange Tsai, other locales may be vulnerable as well. --------------------------------------------- https://isc.sans.edu/diary/rss/30994 ∗∗∗ LightSpy Spywares macOS Variant Found with Advanced Surveillance Capabilities ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed that the LightSpy spyware allegedly targeting Apple iOS users is in fact a previously undocumented macOS variant of the implant. [..] The attack chain begins with the exploitation of CVE-2018-4233, a Safari WebKit flaw, via rogue HTML pages to trigger code execution, leading to the delivery of a 64-bit Mach-O binary that masquerades as a PNG image file. --------------------------------------------- https://thehackernews.com/2024/06/lightspy-spywares-macos-variant-found.html ∗∗∗ Technical Analysis of the Latest Variant of ValleyRAT ∗∗∗ --------------------------------------------- ValleyRAT is a remote access trojan (RAT) that was initially documented in early 2023. Its main objective is to infiltrate and compromise systems, providing remote attackers with unauthorized access and control over infected machines. ValleyRAT is commonly distributed through phishing emails or malicious downloads. In the latest version, ValleyRAT introduced new commands, such as capturing screenshots, process filtering, forced shutdown, and clearing Windows event logs. --------------------------------------------- https://www.zscaler.com/blogs/security-research/technical-analysis-latest-v… ===================== = Vulnerabilities = ===================== ∗∗∗ Veeam Recovery Orchestrator Vulnerability (CVE-2024-29855) ∗∗∗ --------------------------------------------- A vulnerability (CVE-2024-29855) in Veeam Recovery Orchestrator (VRO) version 7.0.0.337 allows an attacker to access the VRO web UI with administrative privileges. Note: The attacker must know the exact username and role of an account that has an active VRO UI access token to accomplish the hijack --------------------------------------------- https://www.veeam.com/kb4585 ∗∗∗ Nvidia Patches High-Severity GPU Driver Vulnerabilities ∗∗∗ --------------------------------------------- The GPU driver updates, rolling out as versions R555, R550, R535, and R470, resolve a total of five security defects, three of which are rated ‘high severity’ and two rated ‘medium severity’, Nvidia’s advisory reveals. The most severe of these flaws, tracked as CVE‑2024‑0090, could allow attackers to execute arbitrary code, access or tamper with data, escalate privileges, or cause a denial-of-service (DoS) condition. --------------------------------------------- https://www.securityweek.com/nvidia-patches-high-severity-gpu-driver-vulner… ∗∗∗ Critical PyTorch Vulnerability Can Lead to Sensitive AI Data Theft ∗∗∗ --------------------------------------------- A critical vulnerability in the PyTorch distributed RPC framework could be exploited for remote code execution. Impacting the distributed RPC (Remote Procedure Call) framework of PyTorch and tracked as CVE-2024-5480, the issue exists because the framework does not verify the functions called during RPC operations. --------------------------------------------- https://www.securityweek.com/critical-pytorch-vulnerability-can-lead-to-sen… ∗∗∗ tenable: [R1] Security Center Version 6.4.0 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- A stored cross site scripting vulnerability exists in Tenable Security Center where an authenticated, remote attacker could inject HTML code into a web application scan result page. - CVE-2024-1891 An improper privilege management vulnerability exists in Tenable Security Center where an authenticated, remote attacker could view unauthorized objects and launch scans without having the required privileges. - CVE-2024-5759 --------------------------------------------- https://www.tenable.com/security/tns-2024-10 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (galera and mariadb10.11), Mageia (0-plugins-base and plasma-workspace), Oracle (ruby:3.1 and ruby:3.3), Red Hat (bind, bind-dyndb-ldap, and dhcp), SUSE (apache2, glib2, libvirt, openssl-1_1, openssl-3, opera, python-Jinja2, python-requests, and squid), and Ubuntu (linux, linux-gcp, linux-gcp-5.15, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-xilinx-zynqmp, linux, linux-gcp, linux-gcp-6.5, linux-lowlatency, linux-lowlatency-hwe-6.5, linux-raspi, linux, linux-ibm, linux-lowlatency, linux-raspi, linux-aws, linux-gcp, linux-azure, linux-azure-6.5, linux-starfive, linux-starfive-6.5, and linux-gke, linux-ibm, linux-intel-iotg, linux-oracle). --------------------------------------------- https://lwn.net/Articles/977789/ ∗∗∗ Vulnerability Summary for the Week of June 3, 2024 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/bulletins/sb24-162 ∗∗∗ Canon: CPE2024-003 – uniFLOW Online Device Registration Susceptible To Compromise – 10 June 2024 ∗∗∗ --------------------------------------------- https://www.canon-europe.com/support/product-security-latest-news/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.06.2024
by Daily end-of-shift report 07 Jun '24

07 Jun '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 06-06-2024 18:00 − Freitag 07-06-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ Sicherheitslücke (CVE-2024-4577) für Remote-Code Ausführung in PHP-CGI / XAMPP entdeckt ∗∗∗ --------------------------------------------- In PHP-CGI wurde eine Sicherheitslücke (CVE-2024-4577) entdeckt, die es Angreifern ermöglicht, aus der Ferne und ohne Authentifizierung beliebigen Code auf betroffenen Servern auszuführen. Die Schwachstelle betrifft PHP-Installationen auf Windows-Systemen und erlaubt es Angreifern, durch spezifische Zeichenfolgen den Schutz einer früheren .. --------------------------------------------- https://www.cert.at/de/aktuelles/2024/6/sicherheitslucke-cve-2024-4577-fur-… ∗∗∗ New Fog ransomware targets US education sector via breached VPNs ∗∗∗ --------------------------------------------- A new ransomware operation named Fog launched in early May 2024, using compromised VPN credentials to breach the networks of educational organizations in the U.S. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-fog-ransomware-targets-u… ∗∗∗ Hackers exploit 2018 ThinkPHP flaws to install ‘Dama’ web shells ∗∗∗ --------------------------------------------- Chinese threat actors are targeting ThinkPHP applications vulnerable to CVE-2018-20062 and CVE-2019-9082 to install a persistent web shell named Dama. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-exploit-2018-thinkph… ∗∗∗ Ukraine says hackers abuse SyncThing tool to steal data ∗∗∗ --------------------------------------------- The Computer Emergency Response Team of Ukraine (CERT-UA) reports about a new campaign dubbed "SickSync," launched by the UAC-0020 (Vermin) hacking group in attacks on the Ukrainian .. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ukraine-says-hackers-abuse-s… ∗∗∗ In Bad Company: JScript RAT and CobaltStrike ∗∗∗ --------------------------------------------- Remote Access Trojans (RATs) that are based in JScript are gaining traction. We have looked at a recent example that emerged in mid-May. It turns out that this RAT has some companions on the way that we are familiar with. --------------------------------------------- https://feeds.feedblitz.com/~/899072462/0/gdatasecurityblog-en~In-Bad-Compa… ∗∗∗ Angriffswelle: Hacker löscht Github-Repos und fordert Lösegeld ∗∗∗ --------------------------------------------- Für die Kontaktaufnahme verweist der Angreifer auf Telegram. Er gibt sich als "Analyst für Cybervorfälle" aus und behauptet, ein Back-up erstellt zu haben. --------------------------------------------- https://www.golem.de/news/angriffswelle-hacker-loescht-github-repos-und-for… ∗∗∗ Commando Cat Cryptojacking Attacks Target Misconfigured Docker Instances ∗∗∗ --------------------------------------------- The threat actor known as Commando Cat has been linked to an ongoing cryptojacking attack campaign that leverages poorly secured Docker instances to deploy cryptocurrency miners for financial gain. --------------------------------------------- https://thehackernews.com/2024/06/commando-cat-cryptojacking-attacks.html ∗∗∗ POC exploit code published for 9.8-rated Apache HugeGraph RCE flaw ∗∗∗ --------------------------------------------- You upgraded when this was fixed in April, right? Right?? If you havent yet upgraded to version 1.3.0 of Apache HugeGraph, nows a good time because at least two proof-of-concept exploits for a CVSS 9.8-rated remote command execution bug .. --------------------------------------------- www.theregister.com/2024/06/07/poc_apache_hugegraph/ ∗∗∗ Ethical hacker releases tool to exploit Microsofts Recall AI, says its not rocket science ∗∗∗ --------------------------------------------- Recall AI hasnt launched yet but its already a target. --------------------------------------------- https://www.zdnet.com/article/ethical-hacker-says-his-windows-11-recall-ai-… ∗∗∗ Ransomware: Hacker greifen überwiegend außerhalb der Arbeitszeiten an ∗∗∗ --------------------------------------------- Der Anteil liegt bei rund 76 Prozent. Auch nehmen die Ransomware-Aktivitäten deutlich zu. --------------------------------------------- https://www.zdnet.de/88416372/ransomware-hacker-greifen-ueberwiegend-ausser… ∗∗∗ CERT-Bund warnt vor Schwachstelle WID-SEC-2024-131 in Microsoft Azure ∗∗∗ --------------------------------------------- Ein Leser hat mich auf eine Warnung vom 7. Juni 2024 des CERT-Bund (BSI) vor einer Schwachstelle in Microsoft Azure hingewiesen. Diese Schwachstelle wird vom BSI mit einem CVSS-Score von 10.0 eingestuft, da sie .. --------------------------------------------- https://www.borncity.com/blog/2024/06/07/cert-bund-warnt-vor-schwachstelle-… ∗∗∗ Howling at the Inbox: Sticky Werewolfs Latest Malicious Aviation Attacks ∗∗∗ --------------------------------------------- Morphisec Labs has been monitoring increased activity associated with Sticky Werewolf, a group suspected to have geopolitical and/or hacktivist ties. While the group’s geographical origin and home base remain unclear, recent attack techniques suggest espionage and data exfiltration intent. --------------------------------------------- https://blog.morphisec.com/sticky-werewolfs-aviation-attacks ∗∗∗ Jetzt patchen! Exploitcode für kritische Lücke in Apache HugeGraph in Umlauf ∗∗∗ --------------------------------------------- Admins sollten aus Sicherheitsgründen das Tool zum Erstellen von Diagrammen HugeGraph von Apache zügig auf den aktuellen Stand bringen. --------------------------------------------- https://heise.de/-9751687 ∗∗∗ Forschungsteam: Herzimplantat-Patienten müssen mehr über Cyberrisiken erfahren ∗∗∗ --------------------------------------------- Mit besseren technologischen Möglichkeiten steige auch das Risiko eines Cyberangriffs auf Herzimplantate, sagt ein Forschungsteam und fordert mehr Aufklärung. --------------------------------------------- https://heise.de/-9752245 ∗∗∗ Ausgeblockt: Antispam-Blockliste SORBS ist abgeschaltet ∗∗∗ --------------------------------------------- Mit der DNS-Blockliste wollte Gründerin Michelle Sullivan seit 2001 das Internet vor Spam bewahren. Die Gründe für die Schließung sind vage, Nachfolger unklar. --------------------------------------------- https://heise.de/-9752366 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- https://lwn.net/Articles/977442/ ∗∗∗ MISP 2.4.193 released with many bugs fixed, API improvements and security fixes ∗∗∗ --------------------------------------------- https://github.com/MISP/MISP/releases/tag/v2.4.193 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.06.2024
by Daily end-of-shift report 06 Jun '24

06 Jun '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 05-06-2024 18:00 − Donnerstag 06-06-2024 18:00 Handler: Alexander Riepl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Qilin ransomware gang linked to attack on London hospitals ∗∗∗ --------------------------------------------- A ransomware attack that hit pathology services provider Synnovis on Monday and impacted several major NHS hospitals in London has now been linked to the Qilin ransomware operation. --------------------------------------------- https://www.bleepingcomputer.com/news/security/qilin-ransomware-gang-linked… ∗∗∗ Linux version of TargetCompany ransomware focuses on VMware ESXi ∗∗∗ --------------------------------------------- Researchers observed a new Linux variant of the TargetCompany ransomware family that targets VMware ESXi environments using a custom shell script to deliver and execute payloads. --------------------------------------------- https://www.bleepingcomputer.com/news/security/linux-version-of-targetcompa… ∗∗∗ Brute Force Attacks Against Watchguard VPN Endpoints, (Wed, Jun 5th) ∗∗∗ --------------------------------------------- If you have a pulse and work in information security (or are a new scraping script without a pulse), you have probably seen reports of attacks against VPN endpoints. Running any VPN without strong authentication has been negligent for years, but in recent times, ransomware gangs, in particular, picked them off pretty quickly. --------------------------------------------- https://isc.sans.edu/diary/rss/30984 ∗∗∗ Malicious Python Script with a "Best Before" Date, (Thu, Jun 6th) ∗∗∗ --------------------------------------------- The script purpose is classic: it will fetch a payload from a remote site, inject it in memory and start a new thread. Such payload are usually related to CobaltStike. --------------------------------------------- https://isc.sans.edu/diary/rss/30988 ∗∗∗ Hackers Target Python Developers with Fake "Crytic-Compilers" Package on PyPI ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered a malicious Python package uploaded to the Python Package Index (PyPI) repository thats designed to deliver an information stealer called Lumma (aka LummaC2). --------------------------------------------- https://thehackernews.com/2024/06/hackers-target-python-developers-with.html ∗∗∗ Prevent Account Takeover with Better Password Security ∗∗∗ --------------------------------------------- Tom works for a reputable financial institution. He has a long, complex password that would be near-impossible to guess. He’s memorized it by heart, so he started using it for his social media accounts and on his personal devices too. Unbeknownst to Tom, one of these sites has had its password database compromised by hackers and put it up for sale on the dark web. --------------------------------------------- https://thehackernews.com/2024/06/prevent-account-takeover-with-better.html ∗∗∗ 7-year-old Oracle WebLogic bug under active exploitation ∗∗∗ --------------------------------------------- Experts say Big Red will probably re-release patch in an upcoming cycle. --------------------------------------------- https://www.theregister.com/2024/06/06/oracle_weblogic_vulnerability_exploi… ∗∗∗ Exploitation of Recent Check Point VPN Zero-Day Soars ∗∗∗ --------------------------------------------- GreyNoise has observed a rapid increase in the number of exploitation attempts targeting a recent Check Point VPN zero-day. --------------------------------------------- https://www.securityweek.com/exploitation-of-recent-check-point-vpn-zero-da… ∗∗∗ Ransomware: FBI hat Zugriff auf 7000 LockBit-Schlüssel und macht Opfern Hoffnung ∗∗∗ --------------------------------------------- Der Kampf gegen Lockbit ist nach wie vor im Gange. Dank beschlagnahmter Schlüssel sollen nun weitere Opfer wieder auf ihre Daten zugreifen können. --------------------------------------------- https://heise.de/-9749844 ===================== = Vulnerabilities = ===================== ∗∗∗ 2024-06-04: Cyber Security Advisory -KNX Secure Devices FDSK Leak and replay attack ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=9AKK108464A0803&Lan… ∗∗∗ Cisco Finesse Web-Based Management Interface Vulnerabilities ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Vulnerabilities Patched in Kiuwan Code Security Products After Long Disclosure Process ∗∗∗ --------------------------------------------- https://www.securityweek.com/vulnerabilities-patched-in-kiuwan-code-securit… ∗∗∗ Emerson Ovation ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-158-02 ∗∗∗ Mitsubishi Electric CC-Link IE TSN Industrial Managed Switch ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-158-03 ∗∗∗ Emerson PACSystem and Fanuc ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-158-01 ∗∗∗ Johnson Controls Software House iStar Pro Door Controller ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-158-04 ∗∗∗ K000139901: PyYAML vulnerability CVE-2017-18342 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000139901 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.06.2024
by Daily end-of-shift report 05 Jun '24

05 Jun '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 04-06-2024 18:00 − Mittwoch 05-06-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ New V3B phishing kit targets customers of 54 European banks ∗∗∗ --------------------------------------------- Cybercriminals are promoting a new phishing kit named V3B on Telegram, which currently targets customers of 54 major financial institutes in Ireland, the Netherlands, Finland, Austria, Germany, France, Belgium, Greece, Luxembourg, and Italy. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-v3b-phishing-kit-targets… ∗∗∗ Cisco Webex: Tausende Videokonferenzen von Ministerien waren abhörbar ∗∗∗ --------------------------------------------- Eine Sicherheitslücke in Cisco Webex ermöglichte Angreifern das Abhören von Onlinemeetings. Jüngste Recherchen zeigen: Die Liste der Betroffenen ist lang. --------------------------------------------- https://www.golem.de/news/cisco-webex-tausende-videokonferenzen-von-ministe… ∗∗∗ Authentifizierung: Microsofts NTLM ist nun offiziell veraltet ∗∗∗ --------------------------------------------- Das Authentifizierungsprotokoll wird allerdings in vielen Apps und Arbeitsgruppen noch immer verwendet. Microsoft empfiehlt Kerberos. --------------------------------------------- https://www.golem.de/news/authentifizierung-microsofts-ntlm-ist-nun-offizie… ∗∗∗ Cross-Execute Your Linux Binaries, Don’t Cross-Compile Them ∗∗∗ --------------------------------------------- Lolbins? Where we’re going, we don’t need lolbins. --------------------------------------------- https://research.nccgroup.com/2024/06/05/cross-execute-your-linux-binaries-… ∗∗∗ Vorsicht vor E-Mail zu ausstehenden Schulden im Namen angeblicher Kunden ∗∗∗ --------------------------------------------- Kriminelle senden E-Mails an Unternehmen und geben sich als deren Kunden aus. Es wird nachgefragt, ob derzeit offene Forderungen bestehen. Ist dies der Fall, sollen die entsprechenden Rechnungen zugesandt werden. Antworten Sie nicht auf diese E-Mails. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-e-mail-zu-ausstehenden-… ∗∗∗ RansomHub: New Ransomware has Origins in Older Knight ∗∗∗ --------------------------------------------- Emergent operation has grown quickly to become one of the most prolific ransomware threats. --------------------------------------------- https://symantec-enterprise-blogs.security.com/threat-intelligence/ransomhu… ∗∗∗ Threat Actors’ Systems Can Also Be Exposed and Used by Other Threat Actors ∗∗∗ --------------------------------------------- Types of cyberattack include not only Advanced Persistent Threat (APT) attacks targeting a few specific companies or organizations but also scan attacks targeting multiple random servers connected to the Internet. This means that the infrastructures of threat actors can become the targets of cyberattack alongside companies, organizations, and personal users. --------------------------------------------- https://asec.ahnlab.com/en/66372/ ∗∗∗ DarkGate switches up its tactics with new payload, email templates ∗∗∗ --------------------------------------------- Cisco Talos is actively tracking a recent increase in activity from malicious email campaigns containing a suspicious Microsoft Excel attachment that, when opened, infected the victims system with the DarkGate malware. --------------------------------------------- https://blog.talosintelligence.com/darkgate-remote-template-injection/ ∗∗∗ Muhstik Malware Targets Message Queuing Services Applications ∗∗∗ --------------------------------------------- Aqua Nautilus discovered a new campaign of Muhstik malware targeting message queuing services applications, specifically the Apache RocketMQ platform. --------------------------------------------- https://blog.aquasec.com/muhstik-malware-targets-message-queuing-services-a… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (deepin-qt5integration, deepin-qt5platform-plugins, dotnet8.0, dwayland, fcitx-qt5, fcitx5-qt, gammaray, kddockwidgets, keepassxc, kf5-akonadi-server, kf5-frameworkintegration, kf5-kwayland, plasma-integration, python-qt5, qadwaitadecorations, qgnomeplatform, qt5, qt5-qt3d, qt5-qtbase, qt5-qtcharts, qt5-qtconnectivity, qt5-qtdatavis3d, qt5-qtdeclarative, qt5-qtdoc, qt5-qtgamepad, qt5-qtgraphicaleffects, qt5-qtimageformats, qt5-qtlocation, [...] --------------------------------------------- https://lwn.net/Articles/977233/ ∗∗∗ TikTok: Zero-Day-Lücke ermöglichte Übernahme von Promi- und Marken-Accounts ∗∗∗ --------------------------------------------- Wegen einer Zero-Day-Lücke ließen sich auf TikTok Accounts über eine Direktnachricht übernehmen. --------------------------------------------- https://heise.de/-9748177 ∗∗∗ Patchday: Attacken auf Geräte mit Android 12, 13 und 14 möglich ∗∗∗ --------------------------------------------- Wichtige Sicherheitsupdates schließen mehrere Schwachstellen in verschiedenen Android-Versionen. --------------------------------------------- https://heise.de/-9748243 ∗∗∗ 40,000 WordPress Sites affected by Vulnerability That Leads to Privilege Escalation in Login/Signup Popup WordPress Plugin ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2024/06/40000-wordpress-sites-affected-by-vu… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.06.2024
by Daily end-of-shift report 04 Jun '24

04 Jun '24

===================== = End-of-Day report = ===================== Timeframe: Montag 03-06-2024 18:00 − Dienstag 04-06-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Vorsicht vor betrügerischen Seiten zu Digitaler Euro und Bundesschatz! ∗∗∗ --------------------------------------------- Der Watchlist Internet werden aktuell massenhaft E-Mails gemeldet, die im Namen von der Österreichischen Nationalbank ein Pilotprogramm zum digitalen Euro ankündigen. Dabei wird mit „einmaligen Renditechancen“ geworben und durch den Hinweis auf die Kooperation von bundesschatz.at und der Europäischen Zentralbank Seriosität und Vertrauenswürdigkeit vorgetäuscht. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-betruegerischen-seiten-… ∗∗∗ Azure Service Tags tagged as security risk, Microsoft disagrees ∗∗∗ --------------------------------------------- Security researchers at Tenable discovered what they describe as a high-severity vulnerability in Azure Service Tags that could allow attackers to access customers private data. [..] Tenable's Liv Matan explained that threat actors can use the vulnerability to craft malicious SSRF-like web requests to impersonate trusted Azure services and bypass firewall rules based on Azure Service Tags, often used to secure Azure services and sensitive data without authentication checks. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/azure-service-tags-tagged-a… ∗∗∗ PoC for Progress Telerik RCE chain released (CVE-2024-4358, CVE-2024-1800) ∗∗∗ --------------------------------------------- Security researchers have published a proof-of-concept (PoC) exploit that chains together two vulnerabilities (CVE-2024-4358, CVE-2024-1800) to achieve unauthenticated remote code execution on Progress Telerik Report Servers. Telerik Report Server is a centralized enterprise platform for report creation, management, storage and delivery/distribution. [..] It was reported by an anonymous researcher and fixed earlier this year by Progress Software. --------------------------------------------- https://www.helpnetsecurity.com/2024/06/04/cve-2024-4358-cve-2024-1800-poc/ ∗∗∗ Details of Atlassian Confluence RCE Vulnerability Disclosed ∗∗∗ --------------------------------------------- Successful exploitation of the bug, however, requires that the attacker has the privileges required for adding new macro languages, and to upload a malicious language file using the ‘Add a new language’ function in the ‘Configure Code Macro’ section. According to Atlassian, which rolled out patches for the vulnerability a couple of weeks ago, the issue was introduced in Confluence version 5.2. --------------------------------------------- https://www.securityweek.com/details-of-atlassian-confluence-rce-vulnerabil… ∗∗∗ Aktuelle Phishingwelle bei Hetzner (Juni 2024) ∗∗∗ --------------------------------------------- Behauptet wird, dass die Domain nicht mehr zugreifbar sei, weil es ein Problem mit einem Zahlungsversuch gegeben habe. Ziel ist es, die Zahlungsinformationen des Opfers abzugreifen. Wer bei Hetzner hostet, könnte möglicherweise darauf hereinfallen. --------------------------------------------- https://www.borncity.com/blog/2024/06/04/aktuelle-phishingwelle-bei-hetzner… ∗∗∗ 122 Gigabyte persönliche Nutzerdaten über Telegram-Messenger geleakt ∗∗∗ --------------------------------------------- Sicherheitsforscher haben ein großes Archiv mit persönlichen Daten aus Telegram-Kanälen zusammengetragen. Darunter sind neben E-Mail-Adressen auch Passwörter. [..] Einem Bericht zufolge wurde das Archiv dem Betreiber des Onlineservices Have I Been Pwned (HIBP) zugespielt. Der Service sammelt aus Cyberattacken geleakte Daten. Dort kann man anonymisiert etwa durch die Eingabe der eigenen E-Mail-Adresse prüfen, ob man in einem Datenleak auftaucht. --------------------------------------------- https://heise.de/-9746825 ===================== = Vulnerabilities = ===================== ∗∗∗ IT-Management-Plattform SolarWinds über mehrere Wege angreifbar ∗∗∗ --------------------------------------------- Wie aus einer Mitteilung zur aktuellen abgesicherten Version 2024.2 hervorgeht, haben die Entwickler in der Managementplattform direkt drei Lücken (CVE-2024-28996 "hoch", CVE-2024-28999 "mittel", CVE-2024-29004 "hoch") geschlossen. Darunter können Angreifer unter anderem für eine persistente XSS-Attacke ansetzen. In diesem Fall können sie beim Aufruf der Webkonsole eigenen Code ausführen. Dafür benötigt ein Angreifer aber bereits im Vorfeld hohe Nutzerrechte und zudem muss ein Opfer mitspielen. --------------------------------------------- https://heise.de/-9747340 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Mageia (chromium-browser-stable, git, libreoffice, microcode, python-requests, webkit2, and wireshark), Oracle (container-tools:ol8, glibc, go-toolset:ol8, idm:DL1 and idm:client, less, python39:3.9 and python39-devel:3.9, ruby:3.0, and virt:ol and virt-devel:rhel), Red Hat (nodejs, nodejs:18, python-idna, and ruby:3.1), and SUSE (389-ds, ffmpeg, ffmpeg-4, gnutls, gstreamer-plugins-base, libhtp, mariadb104, poppler, python-python-jose, squid, and unbound). --------------------------------------------- https://lwn.net/Articles/976977/ ∗∗∗ Zyxel security advisory for multiple vulnerabilities in NAS products ∗∗∗ --------------------------------------------- Due to the critical severity of vulnerabilities CVE-2024-29972, CVE-2024-29973, and CVE-2024-29974, Zyxel has made patches available to customers with extended support as outlined in the table below, despite the products already having reached end-of-vulnerability-support*. --------------------------------------------- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-… ∗∗∗ CODESYS: Vulnerability can cause a DoS on CODESYS OPC UA products ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2024-026/ ∗∗∗ CODESYS: Vulnerability in multiple products through exposure of resource to wrong sphere ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2024-027/ ∗∗∗ Uniview NVR301-04S2-P4 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-156-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.06.2024
by Daily end-of-shift report 03 Jun '24

03 Jun '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 31-05-2024 18:00 − Montag 03-06-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Sicherheitsbehörde warnt: Schwachstelle im Linux-Kernel wird aktiv ausgenutzt ∗∗∗ --------------------------------------------- Die US-amerikanische Cybersicherheitsbehörde Cisa hat kürzlich eine Warnung vor der aktiven Ausnutzung einer Schwachstelle im Linux-Kernel herausgegeben. Die Sicherheitslücke ist als CVE-2024-1086 registriert und ermöglicht es Angreifern mit lokalem Zugriff auf ein anfälliges System, ihre Rechte auszuweiten und dadurch einen Root-Zugriff zu erlangen. --------------------------------------------- https://www.golem.de/news/sicherheitsbehoerde-warnt-schwachstelle-im-linux-… ∗∗∗ Researcher Uncovers Flaws in Cox Modems, Potentially Impacting Millions ∗∗∗ --------------------------------------------- Now-patched authorization bypass issues impacting Cox modems that could have been abused as a starting point to gain unauthorized access to the devices and run malicious commands. --------------------------------------------- https://thehackernews.com/2024/06/researcher-uncovers-flaws-in-cox-modems.h… ∗∗∗ PoC Published for Exploited Check Point VPN Vulnerability ∗∗∗ --------------------------------------------- PoC code targeting a recent Check Point VPN zero-day has been released as Censys identifies 14,000 internet-accessible appliances. --------------------------------------------- https://www.securityweek.com/poc-published-for-exploited-check-point-vpn-vu… ∗∗∗ Resilience isnt enough, NATO must be proactive for cyberdefense, warns official ∗∗∗ --------------------------------------------- NATO allies need to allow their militaries to be proactive in cyberspace to ensure the alliance isn't affected by a cyberattack that could disrupt the deployment of forces if a conflict was to occur, Christian-Marc Lifländer, the head of NATO's cyber and hybrid policy section, warned on Friday. --------------------------------------------- https://therecord.media/nato-resilience-cyberdefense-liflander-cycon ∗∗∗ CISA Adds One Known Exploited Vulnerability to Catalog ∗∗∗ --------------------------------------------- CVE-2017-3506 Oracle WebLogic Server OS Command Injection Vulnerability --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/06/03/cisa-adds-one-known-expl… ∗∗∗ Hacks bei Santander und Ticketmaster über Snowflake-Konten ∗∗∗ --------------------------------------------- Die Woche wurden Hacks der Santander Bank und des Anbieters von Tickets, Ticketmaster, bekannt. Bei beiden Hacks wurden Benutzerdaten im großen Umfang erbeutet, die nun in Untergrundforen verkauft werden. Brisant wird die Geschichte, weil diese Hacks wohl über kompromittierte Benutzerkonten beim Cloud-Anbieter Snowflake möglich werden. --------------------------------------------- https://www.borncity.com/blog/2024/06/01/hacks-bei-santander-und-ticketmast… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (python39:3.9 and python39-devel:3.9 and ruby:3.0), Debian (chromium, gst-plugins-base1.0, and kernel), Fedora (chromium, glances, glycin-loaders, gnome-tour, helix, helvum, kitty, libarchive, libipuz, librsvg2, loupe, maturin, ntpd-rs, plasma-workspace, and a huge list of Rust-based packages due to a ""mini-mass-rebuild"" that updated the toolchain to Rust 1.78 and picked up fixes for various pieces), Mageia (gifsicle, netatalk, openssl, python-jinja2, and unbound), Red Hat (kernel and kernel-rt), SUSE (bind, glibc, gstreamer-plugins-base, squid, and tiff), and Ubuntu (glibc). --------------------------------------------- https://lwn.net/Articles/976782/ ∗∗∗ Sicherheitsupdate: Schadcode-Attacken auf Autodesk AutoCAD möglich ∗∗∗ --------------------------------------------- Die CAD-Softwares Advance Steel, Civil 3D und AutoCAD von Autodesk sind verwundbar. Das Sicherheitsrisiko gilt als hoch. [..] In allen Fällen müssen Angreifer Opfern präparierte Dateien (etwa X_B oder CARPTODUCT) unterschieben. --------------------------------------------- https://heise.de/-9745419 ∗∗∗ 2024-06-03: Cyber Security Advisory - ABB WebPro SNMP card PowerValue Cross-Site Scripting (XSS) vulnerability ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=2CMT006108&Language… ∗∗∗ ifm: moneo password reset can be exploited ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2024-028/ ∗∗∗ Vulnerability Summary for the Week of May 27, 2024 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/bulletins/sb24-155 ∗∗∗ Baxter Welch Allyn Connex Spot Monitor ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-151-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 31.05.2024
by Daily end-of-shift report 31 May '24

31 May '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 29-05-2024 18:00 − Freitag 31-05-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Operation Endgame: Großer Schlag gegen weltweite Cyberkriminalität ∗∗∗ --------------------------------------------- Die "Operation Endgame" richtete sich hauptsächlich gegen die Gruppierungen hinter den Botnetzen der sechs Schadsoftware-Familien IcedID, SystemBC, Bumblebee, Smokeloader, Pikabot und Trickbot. [..] Zehn internationale Haftbefehle wurden erlassen, vier Personen vorläufig festgenommen. [..] An der Aktion waren demnach unter der Leitung des BKA Strafverfolger aus den Niederlanden, Frankreich, Dänemark, Großbritannien, Österreich sowie den USA beteiligt. --------------------------------------------- https://heise.de/-9741012 ∗∗∗ Cybercriminals pose as "helpful" Stack Overflow users to push malware ∗∗∗ --------------------------------------------- Cybercriminals are abusing Stack Overflow in an interesting approach to spreading malware—answering users questions by promoting a malicious PyPi package that installs Windows information-stealing malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cybercriminals-pose-as-helpf… ∗∗∗ Over 600,000 SOHO routers were destroyed by Chalubo malware in 72 hours ∗∗∗ --------------------------------------------- The Chalubo trojan destroyed over 600,000 SOHO routers from a single ISP, researchers from Lumen Technologies reported. [..] Black Lotus did not name the impacted ISP, however, Bleeping Computer speculates the attack is linked to the Windstream outage that occurred during the same timeframe. --------------------------------------------- https://securityaffairs.com/163939/malware/chalubo-destroyed-600000-soho-ro… ∗∗∗ Researchers Uncover Active Exploitation of WordPress Plugin Vulnerabilities ∗∗∗ --------------------------------------------- Cybersecurity researchers have warned that multiple high-severity security vulnerabilities in WordPress plugins are being actively exploited by threat actors to create rogue administrator accounts for follow-on exploitation. --------------------------------------------- https://thehackernews.com/2024/05/researchers-uncover-active-exploitation.h… ∗∗∗ Microsoft Warns of Surge in Cyber Attacks Targeting Internet-Exposed OT Devices ∗∗∗ --------------------------------------------- Microsoft has emphasized the need for securing internet-exposed operational technology (OT) devices following a spate of cyber attacks targeting such environments since late 2023. "These repeated attacks against OT devices emphasize the crucial need to improve the security posture of OT devices and prevent critical systems from becoming easy targets," the Microsoft Threat Intelligence team said. --------------------------------------------- https://thehackernews.com/2024/05/microsoft-warns-of-surge-in-cyber.html ∗∗∗ CVE-2024-30043: Abusing URL Parsing Confusion to Exploit XXE on SharePoint Server and Cloud ∗∗∗ --------------------------------------------- Yes, the title is right. This blog covers an XML eXternal Entity (XXE) injection vulnerability that I found in SharePoint. The bug was recently patched by Microsoft. In general, XXE vulnerabilities are not very exciting in terms of discovery and related technical aspects. They may sometimes be fun to exploit and exfiltrate data (or do other nasty things) in real environments, but in the vulnerability research world, you typically find them, report them, and forget about them. So why am I writing a blog post about an XXE? --------------------------------------------- https://www.thezdi.com/blog/2024/5/29/cve-2024-30043-abusing-url-parsing-co… ∗∗∗ LilacSquid: The stealthy trilogy of PurpleInk, InkBox and InkLoader ∗∗∗ --------------------------------------------- Cisco Talos is disclosing a new suspected data theft campaign, active since at least 2021, we attribute to an advanced persistent threat actor (APT) we’re calling “LilacSquid.” Multiple TTPs utilized in this campaign bear some overlap with North Korean APT groups. --------------------------------------------- https://blog.talosintelligence.com/lilacsquid/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (.NET 7.0, .NET 8.0, 389-ds:1.4, ansible-core bug fix, enhancement, and, bind and dhcp, container-tools:rhel8, edk2, exempi, fence-agents, freeglut, frr, gdk-pixbuf2, ghostscript, git-lfs, glibc, gmp, go-toolset:rhel8, grafana, grub2, gstreamer1-plugins-bad-free, gstreamer1-plugins-base, gstreamer1-plugins-good, harfbuzz, httpd:2.4, Image builder components bug fix, enhancement and, kernel, kernel-rt, krb5, less, LibRaw, libsndfile, libssh, libXpm, linux-firmware, motif, mutt, nghttp2, openssh, pam, pcp, pcs, perl-Convert-ASN1, perl-CPAN, perl:5.32, pki-core:10.6 and pki-deps:10.6, pmix, poppler, python-dns, python-jinja2, python-pillow, python27:2.7, python3, python3.11, python3.11-cryptography, python3.11-urllib3, python39:3.9 and python39-devel:3.9, qt5-qtbase, resource-agents, squashfs-tools, sssd, systemd, tigervnc, traceroute, vorbis-tools, webkit2gtk3, xorg-x11-server, xorg-x11-server-Xwayland, and zziplib), Debian (gst-plugins-base1.0), Fedora (cacti, cacti-spine, roundcubemail, and wireshark), Oracle (.NET 7.0, .NET 8.0, bind and dhcp, gdk-pixbuf2, git-lfs, glibc, grafana, krb5, pcp, python-dns, python3, sssd, tigervnc, xorg-x11-server, and xorg-x11-server-Xwayland), Red Hat (edk2, less, nghttp2, and ruby:3.0), SUSE (gstreamer-plugins-base, Java, kernel, and python-requests), and Ubuntu (ffmpeg, node-browserify-sign, postgresql-14, postgresql-15, postgresql-16, and python-pymysql). --------------------------------------------- https://lwn.net/Articles/976209/ ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (python-pymysql), Fedora (chromium, mingw-python-requests, and thunderbird), Mageia (perl-Email-MIME and qtnetworkauth5 & qtnetworkauth6), Red Hat (gdisk and python39:3.9 and python39-devel:3.9 modules), SUSE (freerdp, gdk-pixbuf, gifsicle, glib2, java-1_8_0-ibm, kernel, libfastjson, libredwg, nodejs16, python, python3, python36, rpm, warewulf4, and xdg-desktop-portal), and Ubuntu (gst-plugins-base1.0, python-werkzeug, and tpm2-tss). --------------------------------------------- https://lwn.net/Articles/976006/ ∗∗∗ IT-Monitoring: Checkmk schließt Lücke, die Änderung von Dateien ermöglicht ∗∗∗ --------------------------------------------- Eine Sicherheitslücke in der Monitoring-Software Checkmk ermöglicht Angreifern, unbefugt lokale Dateien auf dem Checkmk-Server zu lesen und zu schreiben. --------------------------------------------- https://heise.de/-9741274 ∗∗∗ Drupal REST & JSON API Authentication - Moderately critical - Access bypass - SA-CONTRIB-2024-022 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2024-022 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.05.2024
by Daily end-of-shift report 29 May '24

29 May '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 28-05-2024 18:00 − Mittwoch 29-05-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Okta warns of credential stuffing attacks targeting its CORS feature ∗∗∗ --------------------------------------------- Okta warns that a Customer Identity Cloud (CIC) feature is being targeted in credential stuffing attacks, stating that numerous customers have been targeted since April. --------------------------------------------- https://www.bleepingcomputer.com/news/security/okta-warns-of-credential-stu… ∗∗∗ Per Passwortmanager generiert: 20-stelliges Passwort einer Kryptowallet geknackt ∗∗∗ --------------------------------------------- Auf der Wallet befanden sich 43,6 Bitcoins, die heute rund 2,8 Millionen Euro wert sind. Der Besitzer hatte den Zugriff verloren. Zwei Experten konnten ihm helfen. --------------------------------------------- https://www.golem.de/news/per-passwortmanager-generiert-20-stelliges-passwo… ∗∗∗ BreachForums Returns Just Weeks After FBI Seizure - Honeypot or Blunder? ∗∗∗ --------------------------------------------- The online criminal bazaar BreachForums has been resurrected merely two weeks after a U.S.-led coordinated law enforcement action dismantled and seized control of its infrastructure. [..] However, the possibility that it may be a honeypot has not been lost among members of the cybersecurity community. --------------------------------------------- https://thehackernews.com/2024/05/breachforums-returns-just-weeks-after.html ∗∗∗ EU Is Tightening Cybersecurity for Energy Providers ∗∗∗ --------------------------------------------- On March 11th, 2024, the European Commission adopted new cybersecurity rules—the EU network code on cybersecurity for the electricity sector (C/2024/1383)—to “establish a recurrent process of cybersecurity risk assessments in the electricity sector.” If you’re a cybersecurity professional, this news is cause for celebration; if you’re an electricity provider, maybe not so much. --------------------------------------------- https://www.tripwire.com/state-of-security/eu-tightening-cybersecurity-ener… ∗∗∗ Stromspargerät „SmartEnergy“ ist Betrug! ∗∗∗ --------------------------------------------- Aktuell bewerben Kriminelle massenhaft ein Gerät namens „SmartEnergy“. Damit sollen Sie Ihren Stromverbrauch um bis zu 90 Prozent reduzieren können. Wir garantieren Ihnen: Hier sparen Sie nicht 90% Strom, sondern verschwenden zu 100% Geld! --------------------------------------------- https://www.watchlist-internet.at/news/stromspargeraet-smartenergy-betrug/ ===================== = Vulnerabilities = ===================== ∗∗∗ Check Point releases emergency fix for VPN zero-day exploited in attacks ∗∗∗ --------------------------------------------- Check Point has released hotfixes for a VPN zero-day vulnerability exploited in attacks to gain remote access to firewalls and attempt to breach corporate networks. [..] Tracked as CVE-2024-24919, the high-severity information disclosure vulnerability enables attackers to read certain information on internet-exposed Check Point Security Gateways with remote Access VPN or Mobile Access Software Blades enabled. --------------------------------------------- https://www.bleepingcomputer.com/news/security/check-point-releases-emergen… ∗∗∗ Advisory: Active exploitation of Check Point Remote Access VPN vulnerability (CVE-2024-24919) ∗∗∗ --------------------------------------------- mnemonic has several observations of the exploit being used in the wild. [..] We have observed threat actors extracting ntds.dit from compromised customers within 2-3 hours after logging in with a local user. [..] The vulnerability allows a threat actor to enumerate and extract password hashes for all local accounts, including the account used to connect to Active Directory. The full extent of the consequences is still unknown. The following IOCs have been observed in customer environments between April 30, 2024, and today (May 29, 2024) ... --------------------------------------------- https://www.mnemonic.io/resources/blog/advisory-check-point-remote-access-v… ∗∗∗ Vulnerabilities in Eclipse ThreadX Could Lead to Code Execution ∗∗∗ --------------------------------------------- Vulnerabilities in the real-time IoT operating system Eclipse ThreadX before version 6.4 could lead to denial-of-service and code execution.The post Vulnerabilities in Eclipse ThreadX Could Lead to Code Execution appeared first on SecurityWeek. --------------------------------------------- https://www.securityweek.com/vulnerabilities-in-eclipse-threadx-could-lead-… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (glibc and tomcat), Fedora (chromium, fcitx5-qt, python-pyqt6, qadwaitadecorations, qgnomeplatform, qt6, qt6-qt3d, qt6-qt5compat, qt6-qtbase, qt6-qtcharts, qt6-qtcoap, qt6-qtconnectivity, qt6-qtdatavis3d, qt6-qtdeclarative, qt6-qtgraphs, qt6-qtgrpc, qt6-qthttpserver, qt6-qtimageformats, qt6-qtlanguageserver, qt6-qtlocation, qt6-qtlottie, qt6-qtmqtt, qt6-qtmultimedia, qt6-qtnetworkauth, qt6-qtopcua, qt6-qtpositioning, qt6-qtquick3d, qt6-qtquick3dphysics, qt6-qtquicktimeline, qt6-qtremoteobjects, qt6-qtscxml, qt6-qtsensors, qt6-qtserialbus, qt6-qtserialport, qt6-qtshadertools, qt6-qtspeech, qt6-qtsvg, qt6-qttools, qt6-qttranslations, qt6-qtvirtualkeyboard, qt6-qtwayland, qt6-qtwebchannel, qt6-qtwebengine, qt6-qtwebsockets, qt6-qtwebview, and zeal), Red Hat (glibc, kernel, kernel-rt, kpatch-patch, linux-firmware, mod_http2, pcp, pcs, protobuf, python3, rpm-ostree, and rust), SUSE (git, glibc-livepatches, kernel, libxml2, openssl-1_1, SUSE Manager Client Tools, SUSE Manager Client Tools, salt, and xdg-desktop-portal), and Ubuntu (amavisd-new, firefox, flask-security, frr, git, intel-microcode, jinja2, libreoffice, linux-intel-iotg, unbound, and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/975737/ ∗∗∗ WordPress Vulnerability & Patch Roundup May 2024 ∗∗∗ --------------------------------------------- https://blog.sucuri.net/2024/05/wordpress-vulnerability-patch-roundup-may-2… ∗∗∗ ZDI-24-516: Progress Software WhatsUp Gold HttpContentActiveController Server-Side Request Forgery Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-516/ ∗∗∗ Vulnerability Summary for the Week of May 20, 2024 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/bulletins/sb24-149 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.05.2024
by Daily end-of-shift report 28 May '24

28 May '24

===================== = End-of-Day report = ===================== Timeframe: Montag 27-05-2024 18:00 − Dienstag 28-05-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Trusted relationship attacks: trust, but verify ∗∗∗ --------------------------------------------- We analyze the tactics and techniques of attackers targeting organizations through trusted relationships – that is, through contractors and external IT service providers. --------------------------------------------- https://securelist.com/trusted-relationship-attack/112731/ ∗∗∗ Threat landscape for industrial automation systems, Q1 2024 ∗∗∗ --------------------------------------------- The full global and regional reports have been published on the Kaspersky ICS CERT website. --------------------------------------------- https://securelist.com/industrial-threat-landscape-q1-2024/112683/ ∗∗∗ Kriminelle geben sich als Europäische Verbraucherzentren aus ∗∗∗ --------------------------------------------- Sie haben auf einer betrügerischen Investmentplattform Geld verloren? Ihre persönliche Beratung war nicht mehr erreichbar oder Ihr Konto wurde plötzlich gesperrt? Vorsicht, wenn Sie von Institutionen wie den Europäischen Verbraucherzentren kontaktiert werden, die Ihnen versprechen, Ihr Geld zurückzuholen. Es handelt sich erneut um eine Betrugsmasche! --------------------------------------------- https://www.watchlist-internet.at/news/kriminelle-geben-sich-als-europaeisc… ∗∗∗ Ivanti EPM Cloud Services Appliance - Taking advantage of a backdoor to detect a vulnerability ∗∗∗ --------------------------------------------- This blog post details how `CVE-2021-44529` was researched as well as the current method being used to detect it. --------------------------------------------- https://www.bitsight.com/blog/ivanti-epm-cloud-services-appliance-taking-ad… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (less), Mageia (chromium-browser-stable), SUSE (apache2, java-1_8_0-openj9, kernel, libqt5-qtnetworkauth, and openssl-3), and Ubuntu (netatalk and python-cryptography). --------------------------------------------- https://lwn.net/Articles/975529/ ∗∗∗ Kritische Sicherheitslücke gewährt Angreifern Zugriff auf TP-Link-Router C5400X ∗∗∗ --------------------------------------------- Der TP-Link-WLAN-Router C5400X ist verwundbar. Ein Sicherheitspatch schließt eine kritische Schwachstelle. --------------------------------------------- https://heise.de/-9736602 ∗∗∗ WordPress Plugin Exploited to Steal Credit Card Data from E-commerce Sites ∗∗∗ --------------------------------------------- https://thehackernews.com/2024/05/wordpress-plugin-exploited-to-steal.html ∗∗∗ Citrix Workspace app for Mac Security Bulletin for CVE-2024-5027 ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX675851/citrix-workspace-app-for-mac-s… ∗∗∗ Campbell Scientific CSI Web Server ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-149-01 ∗∗∗ TI Bluetooth stack can fail to generate a resolvable Random Private Address (RPA) leading to DoS for already bonded peer devices ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-466062.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.05.2024
by Daily end-of-shift report 27 May '24

27 May '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 24-05-2024 18:00 − Montag 27-05-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Google-Security-Manager: Phishing-Tests bringen nichts und nerven Mitarbeiter ∗∗∗ --------------------------------------------- Mitarbeiter fühlten sich durch Phishing-Simulationen oftmals hintergangen, erklärt ein Security-Experte. Dadurch werde das Vertrauen in die Sicherheitsteams untergraben. --------------------------------------------- https://www.golem.de/news/google-security-manager-phishing-tests-bringen-ni… ∗∗∗ Speichersicherheit: Fast 20 Prozent aller Rust-Pakete sind potenziell unsicher ∗∗∗ --------------------------------------------- Nach Angaben der Rust Foundation verwendet etwa jedes fünfte Rust-Paket das Unsafe-Keyword. Meistens werden dadurch Code oder Bibliotheken von Drittanbietern aufgerufen. --------------------------------------------- https://www.golem.de/news/speichersicherheit-fast-20-prozent-aller-rust-pak… ∗∗∗ Kommentar: Schluss mit falschen Pentests! ∗∗∗ --------------------------------------------- Wir wollen einen Pentest machen. So begannen für einige Zeit viele meiner Kundengespräche – manchmal mit der Variation "müssen" statt "wollen". Doch warum pentesten wir überhaupt? --------------------------------------------- https://heise.de/-9718811 ∗∗∗ Checkpoint: Important Security Update – Enhance your VPN Security Posture! ∗∗∗ --------------------------------------------- Over the past few months, we have observed increased interest of malicious groups in leveraging remote-access VPN environments as an entry point and attack vector into enterprises. [..] By May 24, 2024 we identified a small number of login attempts using old VPN local-accounts relying on unrecommended password-only authentication method. [..] Password-only authentication is considered an unfavourable method to ensure the highest levels of security, and we recommend not to rely on this when logging-in to network infrastructure. Check Point has released a solution, as a preventative measure to address these unauthorised remote access attempts. --------------------------------------------- https://blog.checkpoint.com/security/enhance-your-vpn-security-posture/ ∗∗∗ Hackers phish finance orgs using trojanized Minesweeper clone ∗∗∗ --------------------------------------------- Hackers are utilizing code from a Python clone of Microsoft's venerable Minesweeper game to hide malicious scripts in attacks on European and US financial organizations. Ukraine's CSIRT-NBU and CERT-UA attribute the attacks to a threat actor tracked as 'UAC-0188,' who is using the legitimate code to hide Python scripts that download and install the SuperOps RMM. Superops RMM is a legitimate remote management software that gives remote actors direct access to the compromised systems. [..] The attack begins with an email sent from the address "support(a)patient-docs-mail.com," impersonating a medical center with the subject "Personal Web Archive of Medical Documents. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-phish-finance-orgs-u… ∗∗∗ Message board scams ∗∗∗ --------------------------------------------- Here’s how scams target buyers and sellers on online message boards, and how the gangs behind them operate. [..] The gang under study also operates in Canada, Austria, France, and Norway. --------------------------------------------- https://securelist.com/message-board-scam/112691/ ∗∗∗ New Tricks in the Phishing Playbook: Cloudflare Workers, HTML Smuggling, GenAI ∗∗∗ --------------------------------------------- Cybersecurity researchers are alerting of phishing campaigns that abuse Cloudflare Workers to serve phishing sites that are used to harvest users credentials associated with Microsoft, Gmail, Yahoo!, and cPanel Webmail. --------------------------------------------- https://thehackernews.com/2024/05/new-tricks-in-phishing-playbook.html ∗∗∗ Technical Analysis of Anatsa Campaigns: An Android Banking Malware Active in the Google Play Store ∗∗∗ --------------------------------------------- At Zscaler ThreatLabz, we regularly monitor the Google Play store for malicious applications. [..] These malware-infected applications have collectively garnered over 5.5 million installs. [..] In this blog, we provide a technical analysis of Anatsa attack campaigns that leveraged themes like PDF readers and QR code readers to distribute malware in the Google Play store. --------------------------------------------- https://www.zscaler.com/blogs/security-research/technical-analysis-anatsa-c… ∗∗∗ Linguistic Lumberjack: Understanding CVE-2024-4323 in Fluent Bit ∗∗∗ --------------------------------------------- This vulnerability was discovered by the Tenable research team who described in their blog, that the flaw is due to improper validation of input names in requests, which can be exploited to cause memory corruption. This can result in denial-of-service attacks or information exposure, with remote code execution being possible under certain conditions. [..] This proof-of-concept script demonstrates how a denial of service is used CVE-2024-4323 is a memory corruption vulnerability in Fluent Bit versions 2.0.7 through 3.0.3. --------------------------------------------- https://blog.aquasec.com/linguistic-lumberjack-understanding-cve-2024-4323-… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (apache2, bluez, chromium, fossil, libreoffice, python-pymysql, redmine, and ruby-rack), Fedora (buildah, crosswords, dotnet7.0, glycin-loaders, gnome-tour, helix, helvum, libipuz, loupe, maturin, mingw-libxml2, ntpd-rs, perl-Email-MIME, and a huge list of Rust-based packages due to a ""mini-mass-rebuild"" that updated the toolchain to Rust 1.78 and picked up fixes for various pieces), Mageia (chromium-browser-stable, mariadb, and roundcubemail), Oracle (kernel, libreoffice, nodejs, and tomcat), and SUSE (cJSON, libfastjson, opera, postgresql15, python3, and qt6-networkauth). --------------------------------------------- https://lwn.net/Articles/975399/ ∗∗∗ Multiple vulnerabilities in HAWKI ∗∗∗ --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities… ∗∗∗ Synology-SA-24:07 Synology Camera ∗∗∗ --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_24_07 ∗∗∗ F5: K000139764: Apache HTTPD vulnerability CVE-2023-38709 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000139764 ∗∗∗ F5: K000139525: Libexpat vulnerability CVE-2022-43680 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000139525 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.05.2024
by Daily end-of-shift report 24 May '24

24 May '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 23-05-2024 18:00 − Freitag 24-05-2024 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Microsoft spots gift card thieves using cyber-espionage tactics ∗∗∗ --------------------------------------------- Microsoft has published a "Cyber Signals" report sharing new information about the hacking group Storm-0539 and a sharp rise in gift card theft as we approach the Memorial Day holiday in the United States. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-spots-gift-card-th… ∗∗∗ DKIM/BIMI: Die Zombies des Debian-OpenSSL-Bugs ∗∗∗ --------------------------------------------- Vor 16 Jahren sorgte ein Bug dafür, dass mit Debian und OpenSSL erstellte Schlüssel unsicher waren. Viele DKIM-Setups nutzten auch 16 Jahre später solche Schlüssel. --------------------------------------------- https://www.golem.de/news/dkim-bimi-die-zombies-des-debian-openssl-bugs-240… ∗∗∗ Japanese Experts Warn of BLOODALCHEMY Malware Targeting Government Agencies ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered that the malware known as BLOODALCHEMY used in attacks targeting government organizations in Southern and Southeastern Asia is in fact an updated version of Deed RAT, which is believed to be a successor to ShadowPad. --------------------------------------------- https://thehackernews.com/2024/05/japanese-experts-warn-of-bloodalchemy.html ∗∗∗ Fake Antivirus Websites Deliver Malware to Android and Windows Devices ∗∗∗ --------------------------------------------- Threat actors have been observed making use of fake websites masquerading as legitimate antivirus solutions from Avast, Bitdefender, and Malwarebytes to propagate malware capable of stealing sensitive information from Android and Windows devices. --------------------------------------------- https://thehackernews.com/2024/05/fake-antivirus-websites-deliver-malware.h… ∗∗∗ Google Chrome: Vierte bereits missbrauchte Zero-Day-Lücke in zwei Wochen ∗∗∗ --------------------------------------------- Google schließt eine Zero-Day-Lücke im Chrome-Webbrowser, die bereits angegriffen wird. Die vierte in zwei Wochen. --------------------------------------------- https://heise.de/-9730530 ===================== = Vulnerabilities = ===================== ∗∗∗ Dringend patchen: Gitlab-Schwachstelle ermöglicht Übernahme fremder Konten ∗∗∗ --------------------------------------------- Die Sicherheitslücke ist über ein Bug-Bounty-Programm gemeldet worden. Der Entdecker erhielt dafür mehr als 10.000 US-Dollar von Gitlab. --------------------------------------------- https://www.golem.de/news/dringend-patchen-gitlab-schwachstelle-ermoeglicht… ∗∗∗ Mehrere Schwachstellen entdeckt: Qnap verschläft Patches und gelobt Besserung ∗∗∗ --------------------------------------------- Nach der Entdeckung teils schwerwiegender Sicherheitslücken in QTS und QuTS Hero liefert Qnap Patches und entschuldigt sich für die Verspätung. --------------------------------------------- https://www.golem.de/news/mehrere-schwachstellen-entdeckt-qnap-verschlaeft-… ∗∗∗ CISA Warns of Actively Exploited Apache Flink Security Vulnerability ∗∗∗ --------------------------------------------- The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a security flaw impacting Apache Flink, an open-source, unified stream-processing and batch-processing framework, to the Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. --------------------------------------------- https://thehackernews.com/2024/05/cisa-warns-of-actively-exploited-apache.h… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (chromium, libreoffice, and thunderbird), Red Hat (.NET 7.0, .NET 8.0, gdk-pixbuf2, git-lfs, glibc, python3, and xorg-x11-server-Xwayland), SUSE (firefox, opensc, and ucode-intel), and Ubuntu (cjson and gnome-remote-desktop). --------------------------------------------- https://lwn.net/Articles/974913/ ∗∗∗ Splunk Config Explorer vulnerable to cross-site scripting ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN56781258/ ∗∗∗ WordPress Plugin "WP Booking" vulnerable to cross-site scripting ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN35838128/ ∗∗∗ Exposed Serial Shell on multiple PLCs in Siemens CP-XXXX Series ∗∗∗ --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/exposed-serial-shell-on-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.05.2024
by Daily end-of-shift report 23 May '24

23 May '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 22-05-2024 18:00 − Donnerstag 23-05-2024 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ State hackers turn to massive ORB proxy networks to evade detection ∗∗∗ --------------------------------------------- Security researchers are warning that state-backed hackers are increasingly relying on vast proxy networks of virtual private servers and compromised connected devices for cyberespionage operations. --------------------------------------------- https://www.bleepingcomputer.com/news/security/state-hackers-turn-to-massiv… ∗∗∗ ShrinkLocker: Turning BitLocker into ransomware ∗∗∗ --------------------------------------------- The Kaspersky GERT has detected a new group that has been abusing Microsoft Windows features by modifying the system to lower the defenses and using the local MS BitLocker utility to encrypt entire drives and demand a ransom. --------------------------------------------- https://securelist.com/ransomware-abuses-bitlocker/112643/ ∗∗∗ Ihre Website läuft über Jimdo? Vorsicht vor Phishing-Mails zu Zahlungsproblemen! ∗∗∗ --------------------------------------------- Website- und Online-Shop-Betreiber:innen aufgepasst: Wenn Ihre Website über Jimdo läuft, haben es Kriminelle aktuell vermehrt auf Ihre Daten und Ihr Geld abgesehen. Sie versenden dazu Phishing-Mails in denen Probleme mit Ihren laufenden Zahlungen vorgegaukelt werden. --------------------------------------------- https://www.watchlist-internet.at/news/jimdo-phishing-mails/ ∗∗∗ Format String Exploitation: A Hands-On Exploration for Linux ∗∗∗ --------------------------------------------- This blogpost covers a Capture The Flag challenge that was part of the 2024 picoCTF event. --------------------------------------------- https://blog.nviso.eu/2024/05/23/format-string-exploitation-a-hands-on-expl… ∗∗∗ New APT Group “Unfading Sea Haze” Hits Military Targets in South China Sea ∗∗∗ --------------------------------------------- Unfading Sea Hazes modus operandi spans over five years, with evidence dating back to 2018, reveals Bitdefender Labs investigation. --------------------------------------------- https://www.hackread.com/unfading-sea-haze-military-target-south-china-sea/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium), Fedora (chromium, libxml2, pgadmin4, and python-libgravatar), Mageia (ghostscript), Red Hat (389-ds:1.4, ansible-core, bind and dhcp, container-tools:rhel8, edk2, exempi, fence-agents, freeglut, frr, ghostscript, glibc, gmp, go-toolset:rhel8, grafana, grub2, gstreamer1-plugins-bad-free, gstreamer1-plugins-base, gstreamer1-plugins-good, harfbuzz, httpd:2.4, idm:DL1, idm:DL1 and idm:client modules, kernel, kernel-rt, krb5, LibRaw, [...] --------------------------------------------- https://lwn.net/Articles/974824/ ∗∗∗ Aptos Wisal Payroll Accounting Uses Hardcoded Database Credentials ∗∗∗ --------------------------------------------- Aptos WISAL payroll accounting uses hardcoded credentials in the Windows client to fetch the complete list of usernames and passwords from the database server, using an unencrypted connection. --------------------------------------------- https://www.redteam-pentesting.de/en/advisories/rt-sa-2023-007/ ∗∗∗ CVE-2024-4978: Backdoored Justice AV Solutions Viewer Software Used in Apparent Supply Chain Attack ∗∗∗ --------------------------------------------- Rapid7 has determined that users with JAVS Viewer v8.3.7 installed are at high risk and should take immediate action. --------------------------------------------- https://www.rapid7.com/blog/post/2024/05/23/cve-2024-4978-backdoored-justic… ∗∗∗ Cisco: Root-Zugriff durch SQL-Injection-Lücke in Firepower möglich ∗∗∗ --------------------------------------------- Cisco warnt vor Sicherheitslücken in ASA- und Firepower-Appliances. Angreifer können mit SQL-Injection Firepower-Geräte kompromittieren. --------------------------------------------- https://heise.de/-9729121 ∗∗∗ Sicherheitsupdates VMware: Schadcode kann aus VM ausbüchsen ∗∗∗ --------------------------------------------- Admins sollten zeitnah mehrere Sicherheitspatches für diverse VMware-Produkte installieren. --------------------------------------------- https://heise.de/-9729288 ∗∗∗ LCDS LAquis SCADA ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-142-01 ∗∗∗ Vulnerabilities in Autodesk InfraWorks software ∗∗∗ --------------------------------------------- https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0008 ∗∗∗ AutomationDirect Productivity PLCs ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-144-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.05.2024
by Daily end-of-shift report 22 May '24

22 May '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 21-05-2024 18:00 − Mittwoch 22-05-2024 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ GhostEngine mining attacks kill EDR security using vulnerable drivers ∗∗∗ --------------------------------------------- A malicious crypto mining campaign codenamed REF4578, has been discovered deploying a malicious payload named GhostEngine that uses vulnerable drivers to turn off security products and deploy an XMRig miner. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ghostengine-mining-attacks-k… ∗∗∗ Sicherheitsexperte warnt: Neue Windows-Funktion ist ein "Security-Alptraum" ∗∗∗ --------------------------------------------- Mit Recall sollen Windows-Nutzer in die Vergangenheit reisen können. Unter Sicherheits- und Datenschutzexperten stößt das neue Feature auf Unverständnis. --------------------------------------------- https://www.golem.de/news/sicherheitsexperte-warnt-neue-windows-funktion-is… ∗∗∗ Stealers, stealers and more stealers ∗∗∗ --------------------------------------------- In this report, we discuss two new stealers: Acrid and ScarletStealer, and an evolution of the known Sys01 stealer, with the latter two dividing stealer functionality across several modules. --------------------------------------------- https://securelist.com/crimeware-report-stealers/112633/ ∗∗∗ Risky Biz News: DNSBomb attack is here! Pew pew pew!!! ∗∗∗ --------------------------------------------- A team of academics from Tsinghua University in Beijing, China has discovered a new method of launching large-scale DDoS attacks using DNS traffic. --------------------------------------------- https://news.risky.biz/risky-biz-news-dnsbomb-attack-is-here-pew-pew-pew/ ∗∗∗ Gehacktes Brawl Stars Konto: Was tun, wenn ich erpresst werde? ∗∗∗ --------------------------------------------- Ihr eigenes oder das Spielekonto Ihres Kindes wurde gehackt? Die Kriminellen fordern nun Geld oder Gutscheinkarten, um den Zugriff zurückzubekommen? Lassen Sie sich nicht erpressen. Wir zeigen Ihnen, was Sie tun können! --------------------------------------------- https://www.watchlist-internet.at/news/gehacktes-brawl-stars-konto-was-tun-… ∗∗∗ Microsoft Exchange Server: Keylogger infiziert Regierungsorganisationen weltweit ∗∗∗ --------------------------------------------- Sicherheitsforscher sind auf einen Keylogger gestoßen, der weltweit Regierungsorganisation, aber auch Banken oder andere Institutionen über Microsoft Exchange Server infiziert. --------------------------------------------- https://www.borncity.com/blog/2024/05/22/microsoft-exchange-server-keylogge… ∗∗∗ Rockwell Automation Encourages Customers to Assess and Secure Public-Internet-Exposed Assets ∗∗∗ --------------------------------------------- Rockwell Automation has released guidance encouraging users to remove connectivity on all Industrial Control Systems (ICS) devices connected to the public-facing internet to reduce exposure to unauthorized or malicious cyber activity. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/05/21/rockwell-automation-enco… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (webkit2gtk), Fedora (kernel), Mageia (chromium-browser-stable, djvulibre, gdk-pixbuf2.0, nss & firefox, postgresql15 & postgresql13, python-pymongo, python-sqlparse, stb, thunderbird, and vim), Red Hat (go-toolset:rhel8, nodejs, and varnish:6), SUSE (gitui, glibc, and kernel), and Ubuntu (libspreadsheet-parseexcel-perl, linux-aws, linux-aws-5.15, linux-gke, linux-gcp, python-idna, and thunderbird). --------------------------------------------- https://lwn.net/Articles/974572/ ∗∗∗ Ivanti Patches Critical Code Execution Vulnerabilities in Endpoint Manager ∗∗∗ --------------------------------------------- Ivanti has released product updates to resolve multiple vulnerabilities, including critical code execution flaws in Endpoint Manager. --------------------------------------------- https://www.securityweek.com/ivanti-patches-critical-code-execution-vulnera… ∗∗∗ Critical Vulnerability in Honeywell Virtual Controller Allows Remote Code Execution ∗∗∗ --------------------------------------------- Claroty shows how Honeywell ControlEdge Virtual UOC vulnerability can be exploited for unauthenticated remote code execution. --------------------------------------------- https://www.securityweek.com/critical-vulnerability-in-honeywell-virtual-co… ∗∗∗ Kritische Lücke gewährt Angreifern Zugriff auf Veeam Backup Enterprise Manager ∗∗∗ --------------------------------------------- In einer aktuellen Version von Veeam Backup & Replication haben die Entwickler mehrere Schwachstellen geschlossen. --------------------------------------------- https://heise.de/-9726433 ∗∗∗ Patchday: Atlassian rüstet Data Center gegen Schadcode-Attacken ∗∗∗ --------------------------------------------- Admins sollten aus Sicherheitsgründen unter anderem Jira Data Center and Server und Service Management auf den aktuellen Stand bringen. --------------------------------------------- https://heise.de/-9728466 ∗∗∗ K000139685: Python vulnerability CVE-2023-40217 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000139685 ∗∗∗ K000139700: Linux kernel usbmon vulnerability CVE-2022-43750 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000139700 ∗∗∗ NextGen Healthcare Mirth Connect RCE (CVE-2023-43208, CVE-2023-37679) ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/threat-signal-report/5460 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.05.2024
by Daily end-of-shift report 21 May '24

21 May '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 17-05-2024 18:00 − Dienstag 21-05-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ Ransomware gang targets Windows admins via PuTTy, WinSCP malvertising ∗∗∗ --------------------------------------------- A ransomware operation targets Windows system administrators by taking out Google ads to promote fake download sites for Putty and WinSCP. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ransomware-gang-targets-wind… ∗∗∗ Banking malware Grandoreiro returns after police disruption ∗∗∗ --------------------------------------------- The banking trojan "Grandoreiro" is spreading in a large-scale phishing campaign in over 60 countries, targeting customer accounts of roughly 1,500 banks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/banking-malware-grandoreiro-… ∗∗∗ CISA warns of hackers exploiting Chrome, EoL D-Link bugs ∗∗∗ --------------------------------------------- The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has added three security vulnerabilities to its Known Exploited Vulnerabilities catalog, one impacting Google Chrome and two affecting some D-Link routers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cisa-warns-of-hackers-exploi… ∗∗∗ New BiBi Wiper version also destroys the disk partition table ∗∗∗ --------------------------------------------- A new version of the BiBi Wiper malware is now deleting the disk partition table to make data restoration harder, extending the downtime for targeted victims. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-bibi-wiper-version-also-… ∗∗∗ GitHub warns of SAML auth bypass flaw in Enterprise Server ∗∗∗ --------------------------------------------- GitHub has fixed a maximum severity (CVSS v4 score: 10.0) authentication bypass vulnerability tracked as CVE-2024-4986, which impacts GitHub Enterprise Server (GHES) instances using SAML single sign-on (SSO) authentication. --------------------------------------------- https://www.bleepingcomputer.com/news/security/github-warns-of-saml-auth-by… ∗∗∗ Ungeschützte API: Sicherheitslücke macht Studenten zu Wäsche-Millionären ∗∗∗ --------------------------------------------- In vielen Hochschulen und Wohnheimen stehen Wäscheautomaten von CSC Serviceworks. Zwei Studenten haben darin eine Sicherheitslücke entdeckt - mit erheblichem Missbrauchspotenzial. --------------------------------------------- https://www.golem.de/news/ungeschuetzte-api-sicherheitsluecke-macht-student… ∗∗∗ Fluent Bit: Kritische Schwachstelle betrifft alle gängigen Cloudanbieter ∗∗∗ --------------------------------------------- Mit der Schwachstelle lassen sich nicht nur Ausfälle provozieren und Daten abgreifen. Auch eine Schadcodeausführung aus der Ferne ist unter gewissen Umständen möglich. --------------------------------------------- https://www.golem.de/news/fluent-bit-kritische-schwachstelle-betrifft-alle-… ∗∗∗ Analyzing MSG Files, (Mon, May 20th) ∗∗∗ --------------------------------------------- .msg email files are ole files and can be analyzed with my tool oledump.py. --------------------------------------------- https://isc.sans.edu/diary/Analyzing+MSG+Files/30940 ∗∗∗ Latrodectus Malware Loader Emerges as IcedIDs Successor in Phishing Campaigns ∗∗∗ --------------------------------------------- Cybersecurity researchers have observed a spike in email phishing campaigns starting early March 2024 that delivers Latrodectus, a nascent malware loader believed to be the successor to the IcedID malware."These campaigns typically involve a .. --------------------------------------------- https://thehackernews.com/2024/05/latrodectus-malware-loader-emerges-as.html ∗∗∗ Cyber Criminals Exploit GitHub and FileZilla to Deliver Malware Cocktail ∗∗∗ --------------------------------------------- A "multi-faceted campaign" has been observed abusing legitimate services like GitHub and FileZilla to deliver an array of stealer malware and banking trojans such as Atomic (aka AMOS), Vidar, Lumma (aka LummaC2), and Octo by impersonating credible .. --------------------------------------------- https://thehackernews.com/2024/05/cyber-criminals-exploit-github-and.html ∗∗∗ SolarMarker Malware Evolves to Resist Takedown Attempts with Multi-Tiered Infrastructure ∗∗∗ --------------------------------------------- The persistent threat actors behind the SolarMarker information-stealing malware have established a multi-tiered infrastructure to complicate law enforcement takedown efforts, new findings from .. --------------------------------------------- https://thehackernews.com/2024/05/solarmarker-malware-evolves-to-resist.html ∗∗∗ Malware Delivery via Cloud Services Exploits Unicode Trick to Deceive Users ∗∗∗ --------------------------------------------- A new attack campaign dubbed CLOUD#REVERSER has been observed leveraging legitimate cloud storage services like Google Drive and Dropbox to stage malicious payloads."The VBScript and PowerShell scripts in the .. --------------------------------------------- https://thehackernews.com/2024/05/malware-delivery-via-cloud-services.html ∗∗∗ Vorsicht vor Telegram-Gruppe „Scammerpayback“ ∗∗∗ --------------------------------------------- Kriminelle verbreiten in Foren, auf Facebook-Seiten oder Gruppen, in denen Betrugsopfer Unterstützung oder Informationen suchen, falsche Hilfsangebote. Mit gefälschten oder gekaperten Profilen kommentieren sie Facebook-Beiträge der Watchlist Internet und locken in eine Telegram-Gruppe, in der Opfer angeblich ihr Geld zurückbekommen. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-telegram-gruppe-scammer… ∗∗∗ Sicherheitsupdate: DoS-Lücken in Netzwerkanalysetool Wireshark geschlossen ∗∗∗ --------------------------------------------- In der aktuellen Version von Wireshark haben die Entwickler drei Sicherheitslücken geschlossen und mehrere Bugs gefixt. --------------------------------------------- https://heise.de/-9725317 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (bind9, chromium, and thunderbird), Fedora (buildah, chromium, firefox, mingw-python-werkzeug, and suricata), Mageia (golang), Oracle (firefox and nodejs:20), Red Hat (firefox, httpd:2.4, nodejs, and thunderbird), and SUSE (firefox, git-cliff, and ucode-intel). --------------------------------------------- https://lwn.net/Articles/974339/ ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (firefox, nodejs, and thunderbird), Fedora (uriparser), Oracle (firefox and thunderbird), Slackware (mariadb), SUSE (cairo, gdk-pixbuf, krb5, libosinfo, postgresql14, and python310), and Ubuntu (firefox, linux-aws, linux-aws-5.15, and linux-azure). --------------------------------------------- https://lwn.net/Articles/974450/ ∗∗∗ WAGO: Vulnerability in WAGO Navigator ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2024-021/ ∗∗∗ WAGO: Multiple Vulnerabilities in e!Cockpit and e!Runtime / CODESYS Runtime ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-068/ ∗∗∗ Zyxel security advisory for buffer overflow vulnerabilities in some 5G NR/4G LTE CPE, DSL/Ethernet CPE, fiber ONT, WiFi extender, and home router devices ∗∗∗ --------------------------------------------- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-… ∗∗∗ Security updates 1.6.7 and 1.5.7 released ∗∗∗ --------------------------------------------- https://roundcube.net/news/2024/05/19/security-updates-1.6.7-and-1.5.7 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.05.2024
by Daily end-of-shift report 17 May '24

17 May '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 16-05-2024 18:00 − Freitag 17-05-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Zahlungsaufforderungen der IDS EU zu Ihrer Domain ignorieren! ∗∗∗ --------------------------------------------- Österreichische Unternehmen erhalten aktuell Zahlungsaufforderungen einer IDS EU bzw. ids-eu.org und idseu.org. Die Forderungen sollen eine Domainregistrierung betreffen. Bei genauerem Hinsehen offenbart sich, dass IDS EU in Verbindung zu einem früheren Betrug steht, zu welchem die Watchlist Internet bereits berichtete. Es gilt: Nichts bezahlen und die Forderung ignorieren! --------------------------------------------- https://www.watchlist-internet.at/news/zahlungsaufforderungen-ids-eu-ignori… ∗∗∗ Aufklärung nach Cyberangriff: BSI setzt Microsoft juristisch unter Druck ∗∗∗ --------------------------------------------- Seit Monaten versucht das BSI, von Microsoft Auskünfte zu einem Cyberangriff von 2023 zu erhalten. Inzwischen hat die Behörde ein Verwaltungsverfahren eröffnet. --------------------------------------------- https://www.golem.de/news/aufklaerung-nach-cyberangriff-bsi-setzt-microsoft… ∗∗∗ Another PDF Streams Example: Extracting JPEGs, (Fri, May 17th) ∗∗∗ --------------------------------------------- In this diary entry, I will show how file-magic.py can augment JSON data produced by pdf-parser.py with file-type information that an then be used by myjson-filter.py to filter out files you are interested in. As an example, I will extract all JPEGs from a PDF document. --------------------------------------------- https://isc.sans.edu/diary/rss/30924 ∗∗∗ New ‘Antidot’ Android Trojan Allows Cybercriminals to Hack Devices, Steal Data ∗∗∗ --------------------------------------------- Dubbed Antidot and spotted in early May, the malware masquerades as a Google Play update and employs overlay attacks to harvest victims’ credentials. [..] “The Antidot malware utilizes the MediaProjection feature to capture the display content of the compromised device. It then encodes this content and transmits it to the command-and-control (C&C) server,” Cyble explains. --------------------------------------------- https://www.securityweek.com/new-antidot-android-trojan-allows-cybercrimina… ===================== = Vulnerabilities = ===================== ∗∗∗ SAP Security Patch Day – May 2024 ∗∗∗ --------------------------------------------- On 14th of May 2024, SAP Security Patch Day saw the release of 14 new Security Notes. Further, there were 3 updates to previously released Security Notes. --------------------------------------------- https://support.sap.com/en/my-support/knowledge-base/security-notes-news/ma… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (chromium, firefox, and podman), Mageia (chromium-browser-stable, ghostscript, and java-1.8.0, java-11, java-17, java-latest), Red Hat (bind, Firefox, firefox, gnutls, httpd:2.4, and thunderbird), SUSE (glibc, opera, and python-Pillow), and Ubuntu (dotnet7, dotnet8, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-6.5, linux-azure, linux-azure-6.5, linux-gcp, linux-gcp-6.5, linux-hwe-6.5, linux-laptop, linux-lowlatency, linux-lowlatency-hwe-6.5, linux-nvidia-6.5, linux-oem-6.5, linux-oracle, linux-oracle-6.5, linux-raspi, linux-signed, linux-signed-aws, linux-signed-aws-6.5, linux-starfive, linux-starfive-6.5, linux, linux-aws, linux-azure-4.15, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux, linux-aws, linux-kvm, linux-lts-xenial, and linux, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-gcp, linux-gcp-5.15, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-raspi). --------------------------------------------- https://lwn.net/Articles/974055/ ∗∗∗ QNAP QTS - QNAPping At The Wheel (CVE-2024-27130 and friends) ∗∗∗ --------------------------------------------- The first four of these bugs have patches available. These bugs are fixed in the following products: QTS 5.1.6.2722 build 20240402 and later, QuTS hero h5.1.6.2734 build 20240414 and later [..] However, the remaining bugs still have no fixes available, even after an extended period. Those who are affected by these bugs are advised to consider taking such systems offline, or to heavily restrict access until patches are available. --------------------------------------------- https://labs.watchtowr.com/qnap-qts-qnapping-at-the-wheel-cve-2024-27130-an… ∗∗∗ Trellix ePolicy Orchestrator ermöglicht Rechteausweitung ∗∗∗ --------------------------------------------- Vor zwei Sicherheitslücken in ePolicy Orchestrator warnt Hersteller Trellix. Bösartige Akteure können ihre Rechte ausweiten. --------------------------------------------- https://heise.de/-9722391 ∗∗∗ WordPress Plugin "Download Plugins and Themes from Dashboard" vulnerable to path traversal ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN85380030/ ∗∗∗ Rechteausweitung durch unsichere Standardkonfiguration im CI-Out-of-Office Manager (SYSS-2024-013) ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/rechteausweitung-durch-unsichere-standardk… ∗∗∗ Mattermost security update Desktop App v5.8.0 released ∗∗∗ --------------------------------------------- https://mattermost.com/blog/mattermost-security-update-desktop-app-v5-8-0-r… ∗∗∗ Palo Alto Networks: CVE-2024-3661 Impact of TunnelVision Vulnerability (Severity: LOW) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2024-3661 ∗∗∗ F5: K000139652 : Intel CPU vulnerability CVE-2023-23583 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000139652 ∗∗∗ F5: K000139643 : Node-tar vulnerability CVE-2024-28863 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000139643 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.05.2024
by Daily end-of-shift report 16 May '24

16 May '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 15-05-2024 18:00 − Donnerstag 16-05-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ To the Moon and back(doors): Lunar landing in diplomatic missions ∗∗∗ --------------------------------------------- ESET researchers provide technical analysis of the Lunar toolset, likely used by the Turla APT group, that infiltrated a European ministry of foreign affairs. --------------------------------------------- https://www.welivesecurity.com/en/eset-research/moon-backdoors-lunar-landin… ∗∗∗ Windows Quick Assist abused in Black Basta ransomware attacks ∗∗∗ --------------------------------------------- Microsoft has been investigating this campaign since at least mid-April 2024, and, as they observed, the threat group (tracked as Storm-1811) started their attacks by email bombing the target after subscribing their addresses to various email subscription services. Once their mailboxes flood with unsolicited messages, the threat actors call them while impersonating a Microsoft technical support or the attacked company's IT or help desk staff to help remediate the spam issues. --------------------------------------------- https://www.bleepingcomputer.com/news/security/windows-quick-assist-abused-… ∗∗∗ Google patches third exploited Chrome zero-day in a week ∗∗∗ --------------------------------------------- Google has released a new emergency Chrome security update to address the third zero-day vulnerability exploited in attacks within a week. --------------------------------------------- https://www.bleepingcomputer.com/news/google/google-patches-third-exploited… ∗∗∗ Springtail: New Linux Backdoor Added to Toolkit ∗∗∗ --------------------------------------------- The backdoor (Linux.Gomir) appears to be a Linux version of the GoBear backdoor, which was used in a recent Springtail campaign that saw the attackers deliver malware via Trojanized software installation packages. Gomir is structurally almost identical to GoBear, with extensive sharing of code between malware variants. --------------------------------------------- https://symantec-enterprise-blogs.security.com/threat-intelligence/springta… ∗∗∗ Detecting Compromise of CVE-2024-3400 on Palo Alto Networks GlobalProtect Devices ∗∗∗ --------------------------------------------- This blog post aims to provide details on methods for investigating potentially compromised Palo Alto Networks firewall devices and a general approach towards edge device threat detection. --------------------------------------------- https://www.volexity.com/blog/2024/05/15/detecting-compromise-of-cve-2024-3… ∗∗∗ ViperSoftX Uses Deep Learning-based Tesseract to Exfiltrate Information ∗∗∗ --------------------------------------------- AhnLab SEcurity intelligence Center (ASEC) has recently discovered ViperSoftX attackers using Tesseract to exfiltrate users’ image files. ViperSoftX is a malware strain responsible for residing on infected systems and executing the attackers’ commands or stealing cryptocurrency-related information. The malware newly discovered this time utilizes the open-source OCR engine Tesseract. --------------------------------------------- https://asec.ahnlab.com/en/65426/ ∗∗∗ Talos releases new macOS open-source fuzzer ∗∗∗ --------------------------------------------- Cisco Talos has developed a fuzzer that enables us to test macOS software on commodity hardware. [..] Compared to fuzzing for software vulnerabilities on Linux, where most of the code is open-source, targeting anything on macOS presents a few difficulties. --------------------------------------------- https://blog.talosintelligence.com/talos-releases-new-macos-fuzzer/ ∗∗∗ Llama Drama: Critical Vulnerability CVE-2024-34359 Threatening Your Software Supply Chain ∗∗∗ --------------------------------------------- Jinja2: This library is a popular Python tool for template rendering, primarily used for generating HTML. Its ability to execute dynamic content makes it powerful but can pose a significant security risk if not correctly configured to restrict unsafe operations. `llama_cpp_python`: This package integrates Python's ease of use with C++'s performance, making it ideal for complex AI models handling large data volumes. However, its use of Jinja2 for processing model metadata without enabling necessary security safeguards exposes it to template injection attacks. [..] The vulnerability identified has been addressed in version 0.2.72 of the llama-cpp-python package, which includes a fix enhancing sandboxing and input validation measures. --------------------------------------------- https://checkmarx.com/blog/llama-drama-critical-vulnerability-cve-2024-3435… ∗∗∗ The xz apocalypse that almost was* ∗∗∗ --------------------------------------------- Given Bitsight’s pretty broad view of the Internet, I thought I could contribute to the discussion a bit and ask “how bad could this have been?” and as a corollary “how many chances would there have been to notice?” So let’s get into the “how bad could this have been?” question first. --------------------------------------------- https://www.bitsight.com/blog/xz-apocalypse-almost-was ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (.NET 7.0, .NET 8.0, and nodejs:20), Debian (chromium, firefox-esr, ghostscript, and libreoffice), Fedora (djvulibre, mingw-glib2, mingw-python-jinja2, and mingw-python-werkzeug), Oracle (.NET 7.0, .NET 8.0, kernel, and nodejs:18), Red Hat (nodejs:20), Slackware (gdk and git), SUSE (python), and Ubuntu (linux-hwe-5.15, linux-raspi). --------------------------------------------- https://lwn.net/Articles/973908/ ∗∗∗ Sicherheitslücken in Überwachungskameras und Video-Babyphones ∗∗∗ --------------------------------------------- Schwachstellen aus der ThroughTek Kaylay-IoT-Plattform. Dringend Update-Status der IoT-Geräte prüfen. --------------------------------------------- https://www.zdnet.de/88415973/sicherheitsluecken-in-ueberwachungskameras-un… ∗∗∗ WLAN-Attacke: SSID-Verwechslungs-Angriff macht Nutzer verwundbar ∗∗∗ --------------------------------------------- Eine Sicherheitslücke in WLAN-Protokollen führt dazu, dass Angreifer in einer Man-in-the-Middle-Position WLAN-Verkehr manipulieren können. [..] Das ohnehin nicht mehr sicher zu nutzende WEP ist anfällig, und das neuere, sonst sicherere WPA3 ebenfalls. 802.11X/EAP und Mesh-Netzwerke mit AMPE-Authentifizierung sind laut Auflistung ebenfalls für SSID-Confusion verwundbar. --------------------------------------------- https://heise.de/-9720818 ∗∗∗ Cisco: Updates schließen Sicherheitslücken in mehreren Produkten ∗∗∗ --------------------------------------------- In mehreren Cisco-Produkten klaffen Sicherheitslücken, durch die Angreifer sich etwa root-Rechte verschaffen und Geräte kompromittieren können. [..] Insgesamt warnt Cisco in drei Mitteilungen vor hochriskanten Sicherheitslücken. --------------------------------------------- https://heise.de/-9720226 ∗∗∗ Freies Admin-Panel: Codeschmuggel durch Cross-Site-Scripting in Froxlor ∗∗∗ --------------------------------------------- Dank schludriger Eingabefilterung können Angreifer ohne Anmeldung Javascript im Browser des Server-Admins ausführen. Ein Patch steht bereit. --------------------------------------------- https://heise.de/-9721569 ∗∗∗ Netzwerksicherheit: Diverse Fortinet-Produkte für verschiedene Attacken anfällig ∗∗∗ --------------------------------------------- Es sind wichtige Sicherheitsupdates für unter anderem FortiSandbox, FortiPortal und FortiWebManager erschienen. --------------------------------------------- https://heise.de/-9720252 ∗∗∗ Access Points von Aruba verwundbar – keine Updates für ältere Versionen ∗∗∗ --------------------------------------------- Insgesamt haben die Entwickler sechs "kritische" Sicherheitslücken in noch unterstützten Versionen von ArubaOS und InstantOS geschlossen. --------------------------------------------- https://heise.de/-9720385 ∗∗∗ Rockwell Automation FactoryTalk View SE ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-137-14 ∗∗∗ [R1] Nessus Agent Version 10.6.4 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2024-09 ∗∗∗ [R1] Nessus Version 10.7.3 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2024-08 ∗∗∗ F5: K000139637 : Expat vulnerability CVE-2024-28757 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000139637 ∗∗∗ F5: K000139643 : Node.js vulnerability CVE-2024-28863 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000139643 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.05.2024
by Daily end-of-shift report 15 May '24

15 May '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 14-05-2024 18:00 − Mittwoch 15-05-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ PoC exploit released for RCE zero-day in D-Link EXO AX4800 routers ∗∗∗ --------------------------------------------- The D-Link EXO AX4800 (DIR-X4860) router is vulnerable to remote unauthenticated command execution that could lead to complete device takeovers by attackers with access to the HNAP port. --------------------------------------------- https://www.bleepingcomputer.com/news/security/poc-exploit-released-for-rce… ∗∗∗ Weitere Schwachstelle entdeckt: Hacker startet erneut Cyberangriff auf Dell ∗∗∗ --------------------------------------------- Die bereits abgegriffenen 49 Millionen Kundendatensätze sind ihm offenbar nicht genug. Menelik greift Dell erneut an. Dieses Mal sind wohl Support-Daten betroffen. --------------------------------------------- https://www.golem.de/news/weitere-schwachstelle-entdeckt-hacker-startet-ern… ∗∗∗ Ebury is alive but unseen: 400k Linux servers compromised for cryptocurrency theft and financial gain ∗∗∗ --------------------------------------------- One of the most advanced server-side malware campaigns is still growing, with hundreds of thousands of compromised servers, and it has diversified to include credit card and cryptocurrency theft. --------------------------------------------- https://www.welivesecurity.com/en/eset-research/ebury-alive-unseen-400k-lin… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Mageia (sssd and tcpdump), Red Hat (.NET 7.0, .NET 8.0, expat, kernel, and kernel-rt), Slackware (mozilla), SUSE (kernel, postgresql15, postgresql16, python-arcomplete, python-Fabric, python-PyGithub, python- antlr4-python3-runtime, python-avro, python-chardet, python-distro, python- docker, python-fakeredis, python-fixedint, pyth, and python3), and Ubuntu (linux-bluefield). --------------------------------------------- https://lwn.net/Articles/973746/ ∗∗∗ ICS Patch Tuesday: Advisories Published by Siemens, Rockwell, Mitsubishi Electric ∗∗∗ --------------------------------------------- Several ICS vendors released advisories on Tuesday to inform customers about vulnerabilities found in their products. --------------------------------------------- https://www.securityweek.com/ics-patch-tuesday-advisories-published-by-siem… ∗∗∗ Intel Publishes 41 Security Advisories for Over 90 Vulnerabilities ∗∗∗ --------------------------------------------- Intel has published 41 new May 2024 Patch Tuesday advisories covering a total of more than 90 vulnerabilities. [..] The most important flaw, based on its severity rating of ‘critical’ and a CVSS score of 10, is CVE-2024-22476. [..] Intel says this critical vulnerability could allow an unauthenticated attacker to “enable escalation of privilege via remote access”. --------------------------------------------- https://www.securityweek.com/intel-publishes-41-security-advisories-for-ove… ∗∗∗ LibreOffice: Falscher Klick kann zur Ausführung von Schadcode führen ∗∗∗ --------------------------------------------- Eine Sicherheitslücke im quelloffenen LibreOffice ermöglicht Angreifern, Opfern Schadcode unterzujubeln. Die müssen nur einmal klicken. --------------------------------------------- https://heise.de/-9719334 ∗∗∗ VMware Workstation und Fusion: Ausbruch aus Gastsystem möglich ∗∗∗ --------------------------------------------- In VMware Workstation und Fusion klaffen Sicherheitslücken, die beim Pwn2Own-Wettbewerb missbraucht wurden. Sie ermöglichen den Ausbruch aus dem Gastsystem. --------------------------------------------- https://heise.de/-9718624 ∗∗∗ Patchday: Angreifer attackieren Windows und verschaffen sich Systemrechte ∗∗∗ --------------------------------------------- Microsoft hat wichtige Sicherheitsupdates für unter anderem Edge, Dynamics 365 und Windows veröffentlicht. Es gibt bereits Attacken. --------------------------------------------- https://heise.de/-9718608 ∗∗∗ Patchday: Angreifer können Schadcode durch Lücken in Adobe-Software schieben ∗∗∗ --------------------------------------------- Der Softwarehersteller Adobe hat unter anderem Animate, Illustrator und Reader vor möglichen Attacken abgesichert. --------------------------------------------- https://heise.de/-9718639 ∗∗∗ Fortiguard Security Advisories ∗∗∗ --------------------------------------------- https://www.fortiguard.com/psirt ∗∗∗ Lenovo Security Advisories ∗∗∗ --------------------------------------------- https://support.lenovo.com/at/en/product_security/home ∗∗∗ 30,000 WordPress Sites affected by Arbitrary SQL Execution Vulnerability Patched in Visualizer WordPress Plugin ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2024/05/30000-wordpress-sites-affected-by-ar… ∗∗∗ Bosch: Remote code execution vulnerability has been found over an insecure connection in the Praesensa Logging Application, Praesideo Logging Application and Praesideo PC Call Station ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-106054-bt.html ∗∗∗ B&R: 2024-05-14: Cyber Security Advisory - Insecure Loading of Code in B&R Products ∗∗∗ --------------------------------------------- https://www.br-automation.com/fileadmin/SA24P005_Insecure_Loading_of_Code-c… ∗∗∗ SUBNET PowerSYSTEM Center ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-135-02 ∗∗∗ F5: K000139592 : libxml2 vulnerability CVE-2023-29469 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000139592 ∗∗∗ ZDI-24-456: NI FlexLogger FLXPROJ File Parsing Deserialization of Untrusted Data Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-456/ ∗∗∗ ZDI-24-455: SolarWinds Access Rights Manager JsonSerializationBinder Deserialization of Untrusted Data Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-455/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.05.2024
by Daily end-of-shift report 14 May '24

14 May '24

===================== = End-of-Day report = ===================== Timeframe: Montag 13-05-2024 18:00 − Dienstag 14-05-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ PyPi package backdoors Macs using the Sliver pen-testing suite ∗∗∗ --------------------------------------------- A new package mimicked the popular requests library on the Python Package Index (PyPI) to target macOS devices with the Sliver C2 adversary framework, used for gaining initial access to corporate .. --------------------------------------------- https://www.bleepingcomputer.com/news/security/pypi-package-backdoors-macs-… ∗∗∗ Apple and Google add alerts for unknown Bluetooth trackers to iOS, Android ∗∗∗ --------------------------------------------- On Monday, Apple and Google jointly announced a new privacy feature that warns Android and iOS users when an unknown Bluetooth tracking device travels with .. --------------------------------------------- https://www.bleepingcomputer.com/news/security/apple-and-google-add-alerts-… ∗∗∗ Incident response analyst report 2023 ∗∗∗ --------------------------------------------- The report shares statistics and observations from incident response practice in 2023, analyzes trends and gives cybersecurity recommendations. --------------------------------------------- https://securelist.com/kaspersky-incident-response-report-2023/112504/ ∗∗∗ Apple Patches Everything: macOS, iOS, iPadOS, watchOS, tvOS updated., (Tue, May 14th) ∗∗∗ --------------------------------------------- Apple today released updates for its various operating systems. The updates cover iOS, iPadOS, macOS, watchOS and tvOS. A standalone update for Safari was released for older versions of macOS. One already exploited vulnerability, CVE-2024-23296 is patched for older versions of macOS and iOS. In March, Apple patched this vulnerability for more recent versions of iOS and macOS. --------------------------------------------- https://isc.sans.edu/diary/rss/30916 ∗∗∗ Ongoing Campaign Bombarded Enterprises with Spam Emails and Phone Calls ∗∗∗ --------------------------------------------- Cybersecurity researchers have uncovered an ongoing social engineering campaign that bombards enterprises with spam emails with the goal of obtaining initial access to their environments for follow-on exploitation. --------------------------------------------- https://thehackernews.com/2024/05/ongoing-campaign-bombarded-enterprises.ht… ∗∗∗ Critical Flaws in Cacti Framework Could Let Attackers Execute Malicious Code ∗∗∗ --------------------------------------------- The maintainers of the Cacti open-source network monitoring and fault management framework have addressed a dozen security flaws, including two critical issues that could lead to the execution of arbitrary code.The most severe of the vulnerabilities are listed below -CVE-2024-25641 (CVSS score: 9.1) - An arbitrary file write vulnerability in the "Package Import" feature that --------------------------------------------- https://thehackernews.com/2024/05/critical-flaws-in-cacti-framework-could.h… ∗∗∗ Log4J shows no sign of fading, spotted in 30% of CVE exploits ∗∗∗ --------------------------------------------- Organizations continue to run insecure protocols across their wide access networks (WAN), making it easier for cybercriminals to move across networks, according to a Cato Networks survey. Enterprises are too trusting within their networks The Cato CTRL SASE Threat Report Q1 2024 provides insight into the security threats and their .. --------------------------------------------- https://www.helpnetsecurity.com/2024/05/14/log4j-wan-insecure-protocols/ ∗∗∗ Google Patches Second Chrome Zero-Day in One Week ∗∗∗ --------------------------------------------- Google has announced patches for another Chrome vulnerability that has been exploited in attacks. This is the second zero-day addressed by the company in one week and the third flaw leveraged in malicious attacks in 2024. The new zero-day, tracked as CVE-2024-4761, has been described as a high-severity out-of-bounds write issue .. --------------------------------------------- https://www.securityweek.com/google-patches-second-chrome-zero-day-in-one-w… ∗∗∗ Falsche Gewinnbenachrichtigungen in echten Gewinnspielen ∗∗∗ --------------------------------------------- An einem Facebook-Gewinnspiel teilgenommen? Vorsicht, Kriminelle nutzen echte Gewinnspiele für Betrugsmaschen. Mit Fake-Profilen kommentieren sie die Kommentare der Teilnehmer:innen und behaupten, sie hätten gewonnen. Mit einem Link locken sie auf eine betrügerische Webseite. Wir zeigen Ihnen, wie Sie sicher an Gewinnspielen teilnehmen! --------------------------------------------- https://www.watchlist-internet.at/news/falsche-gewinnbenachrichtigungen-in-… ∗∗∗ Foxit PDF Reader “Flawed Design” : Hidden Dangers Lurking in Common Tools ∗∗∗ --------------------------------------------- Heightened vulnerability: Check Point Research has identified an unusual pattern of behavior involving PDF exploitation, mainly targeting users of Foxit PDF Reader. This exploit triggers security warnings that could deceive unsuspecting users into executing harmful commands, exploiting human psychology to manipulate users into accidentally providing .. --------------------------------------------- https://blog.checkpoint.com/research/foxit-pdf-reader-flawed-design-hidden-… ∗∗∗ Guidance for organisations considering payment in ransomware incidents ∗∗∗ --------------------------------------------- Advice for organisations experiencing a ransomware attack and the partner organisations supporting them. --------------------------------------------- https://www.ncsc.gov.uk/guidance/organisations-considering-payment-in-ranso… ∗∗∗ Avast Q1/2024 Threat Report ∗∗∗ --------------------------------------------- Nearly 90% of Threats Blocked are Social Engineering, Revealing a Huge Surge of Scams, and Discovery of the Lazarus APT CampaignThe post Avast Q1/2024 Threat Report appeared first on Avast Threat Labs. --------------------------------------------- https://decoded.avast.io/threatresearch/avast-q1-2024-threat-report/ ===================== = Vulnerabilities = ===================== ∗∗∗ TYPO3-CORE-SA-2024-010: Uncontrolled Resource Consumption in ShowImageController ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-core-sa-2024-010 ∗∗∗ TYPO3-CORE-SA-2024-009: Cross-Site Scripting in ShowImageController ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-core-sa-2024-009 ∗∗∗ TYPO3-CORE-SA-2024-008: Cross-Site Scripting in Form Manager Module ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-core-sa-2024-008 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- https://lwn.net/Articles/973667/ ∗∗∗ Security Vulnerabilities fixed in Firefox ESR 115.11 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2024-22/ ∗∗∗ Security Vulnerabilities fixed in Firefox 126 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2024-21/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.05.2024
by Daily end-of-shift report 13 May '24

13 May '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 10-05-2024 18:00 − Montag 13-05-2024 18:00 Handler: Alexander Riepl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ GoTo Meeting loads Remcos RAT via Rust Shellcode Loader ∗∗∗ --------------------------------------------- Legitimate applications can unwittingly become conduits for malware execution. This is also the case for recent malware loaders which abuse GoTo Meeting, an online meeting software, to deploy Remcos RAT. --------------------------------------------- https://www.gdatasoftware.com/blog/2024/05/37906-gotomeeting-loads-remcos ∗∗∗ API missbraucht: Hacker teilt Details zum Cyberangriff auf Dell ∗∗∗ --------------------------------------------- Ein Cyberkrimineller hat rund 49 Millionen Kundendatensätze von Dell abgegriffen. Möglich gewesen ist ihm dies über eine unzureichend geschützte API eines Partnerportals. --------------------------------------------- https://www.golem.de/news/api-missbraucht-hacker-teilt-details-zum-cyberang… ∗∗∗ FIN7 Hacker Group Leverages Malicious Google Ads to Deliver NetSupport RAT ∗∗∗ --------------------------------------------- The financially motivated threat actor known as FIN7 has been observed leveraging malicious Google ads spoofing legitimate brands as a means to deliver MSIX installers that culminate in the deployment of NetSupport RAT. --------------------------------------------- https://thehackernews.com/2024/05/fin7-hacker-group-leverages-malicious.html ∗∗∗ Vorsicht vor falschen Anrufen von PayPal oder Amazon ∗∗∗ --------------------------------------------- Derzeit werden uns vermehrt Anrufe im Namen von PayPal und Amazon gemeldet. Die Kriminellen geben vor, ein Problem mit Ihrem Konto zu haben und bieten Ihnen telefonische Hilfe an. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-falschen-anrufen-von-pa… ∗∗∗ Leveraging DNS Tunneling for Tracking and Scanning ∗∗∗ --------------------------------------------- We provide a walkthrough of how attackers leverage DNS tunneling for tracking and scanning, an expansion of the way this technique is usually exploited. --------------------------------------------- https://unit42.paloaltonetworks.com/three-dns-tunneling-campaigns/ ∗∗∗ Side-by-Side with HelloJackHunter: Unveiling the Mysteries of WinSxS ∗∗∗ --------------------------------------------- This post explores Windows Side-by-Side (WinSxS) and DLL hijacking, deep-diving some tooling Ive written and some of the fun along the way. --------------------------------------------- https://blog.zsec.uk/hellojackhunter-exploring-winsxs/ ∗∗∗ Not all scams are easy to spot ∗∗∗ --------------------------------------------- Even the most intelligent individuals can fall victim to scams due to coincidental timing and convincing tactics, so staying skeptical, verifying communications and using anti-scam tools is key to reducing the risk. --------------------------------------------- https://www.emsisoft.com/en/blog/45650/not-all-scams-are-easy-to-spot/ ∗∗∗ Europol sperrt eigenes Forum nach erfolgreichem Einbruch ∗∗∗ --------------------------------------------- Die europäische Polizeibehörde hat ihren Dienst "Europol for Experts" vom Netz genommen. Zuvor waren unter anderem Strategiepapiere daraus angeboten worden. --------------------------------------------- https://heise.de/-9715410 ∗∗∗ Ransomware Black Basta zählt nach zwei Jahren weltweit über 500 Opfer ∗∗∗ --------------------------------------------- Das FBI teilt wichtige Fakten im Kampf gegen den Erpressungstrojaner Black Basta. Die Ransomware macht auch vor kritischen Infrastrukturen nicht halt. --------------------------------------------- https://heise.de/-9715674 ===================== = Vulnerabilities = ===================== ∗∗∗ Widely used modems in industrial IoT devices open to SMS attack ∗∗∗ --------------------------------------------- Security flaws in Telit Cinterion cellular modems, widely used in sectors including industrial, healthcare, and telecommunications, could allow remote attackers to execute arbitrary code via SMS. --------------------------------------------- https://www.bleepingcomputer.com/news/security/widely-used-modems-in-indust… ∗∗∗ Malicious Python Package Hides Sliver C2 Framework in Fake Requests Library Logo ∗∗∗ --------------------------------------------- Cybersecurity researchers have identified a malicious Python package that purports to be an offshoot of the popular requests library and has been found concealing a Golang-version of the Sliver command-and-control (C2) framework within a PNG image of the projects logo. --------------------------------------------- https://thehackernews.com/2024/05/malicious-python-package-hides-sliver.html ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (nodejs:18 and shim), Debian (atril and chromium), Fedora (chromium, glib2, gnome-shell, mediawiki, php-wikimedia-cdb, php-wikimedia-utfnormal, stb, and tcpdump), Gentoo (Kubelet, PoDoFo, Rebar3, and thunderbird), Mageia (glibc and libnbd), Oracle (kernel), Red Hat (bind and dhcp and varnish), and SUSE (chromium, cpio, freerdp, giflib, gnutls, opera, python-Pillow, python-Werkzeug, tinyproxy, and tpm2-0-tss). --------------------------------------------- https://lwn.net/Articles/973496/ ∗∗∗ Microsoft fixt DLL-Hijacking-Schwachstelle in Store-App Telemetrie-Wrapper-Installer ∗∗∗ --------------------------------------------- Microsoft hat damit vor einiger Zeit seine Store-Apps mit einem neuen Installer versehen. Dieser enthält einen ausführbaren .NET-Wrapper der Telemetrie und weiteren Code in die App integriert. In der ersten Version wies dieser .NET-Wrapper aber eine DLL-Hijacking-Schwachstelle auf [...] --------------------------------------------- https://www.borncity.com/blog/2024/05/11/microsoft-fixt-dll-hijacking-schwa… ∗∗∗ Self-Signed Zertifikate im SAP® Cloud Connector zugelassen ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/self-signed-zertifika… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.05.2024
by Daily end-of-shift report 10 May '24

10 May '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 08-05-2024 18:00 − Freitag 10-05-2024 18:00 Handler: Alexander Riepl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Datenschutzvorfall: Dell informiert über Abfluss von Kundendaten ∗∗∗ --------------------------------------------- Zu den abgeflossenen Informationen zählen laut Dell Namen, Adressdaten sowie weitere Daten über Bestellungen und darin enthaltene Dell-Hardware. --------------------------------------------- https://www.golem.de/news/datenschutzvorfall-dell-informiert-ueber-abfluss-… ∗∗∗ APT trends report Q1 2024 ∗∗∗ --------------------------------------------- The report features the most significant developments relating to APT groups in Q1 2024, including the new malware campaigns DuneQuixote and Durian, and hacktivist activity. --------------------------------------------- https://securelist.com/apt-trends-report-q1-2024/112473/ ∗∗∗ Mirai Botnet Exploits Ivanti Connect Secure Flaws for Malicious Payload Delivery ∗∗∗ --------------------------------------------- Two recently disclosed security flaws in Ivanti Connect Secure (ICS) devices are being exploited to deploy the infamous Mirai botnet. --------------------------------------------- https://thehackernews.com/2024/05/mirai-botnet-exploits-ivanti-connect.html ∗∗∗ GhostStripe attack haunts self-driving cars by making them ignore road signs ∗∗∗ --------------------------------------------- Six boffins mostly hailing from Singapore-based universities have proven it's possible to attack autonomous vehicles by exploiting the system's reliance on camera-based computer vision and cause it to not recognize road signs. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2024/05/10/baidu_apollo… ∗∗∗ Back to the Hype: An Update on How Cybercriminals Are Using GenAI ∗∗∗ --------------------------------------------- Generative AI continues to be misused and abused by malicious individuals. In this article, we dive into new criminal LLMs, criminal services with ChatGPT-like capabilities, and deepfakes being offered on criminal sites. --------------------------------------------- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-th… ∗∗∗ Zscaler Investigates Hacking Claims After Data Offered for Sale ∗∗∗ --------------------------------------------- Zscaler says its customer, production and corporate environments are not impacted after a notorious hacker offers to sell access. --------------------------------------------- https://www.securityweek.com/zscaler-investigates-hacking-claims-after-data… ∗∗∗ With nation-state threats in mind, nearly 70 software firms agree to Secure by Design pledge ∗∗∗ --------------------------------------------- The nation’s top cybersecurity agency said 68 of the world’s leading software manufacturers have signed on to a voluntary pledge to design products that have security built in from the beginning. --------------------------------------------- https://therecord.media/secure-by-design-companies-cisa-rsa ∗∗∗ In interview, LockbitSupp says authorities outed the wrong guy ∗∗∗ --------------------------------------------- The leader of the LockBit ransomware gang, who goes by the name LockbItSupp, told Click Here in an interview that international law enforcement has made a mistake. --------------------------------------------- https://therecord.media/lockbitsupp-interview-ransomware-cybercrime-lockbit ∗∗∗ Krypto-Betrüger: Sechs Österreicher festgenommen ∗∗∗ --------------------------------------------- Weil sie einen Online-Handel mit angeblich neuer Kryptowährung aufgezogen und damit Investoren abgezockt haben, wurden nun sechs Österreicher verhaftet. --------------------------------------------- https://heise.de/-9714300 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (ansible-core, avahi, bind, buildah, containernetworking-plugins, edk2, fence-agents, file, freeglut, freerdp, frr, git-lfs, gnutls, golang, grafana, grafana-pcp, gstreamer1-plugins-bad-free, gstreamer1-plugins-base, gstreamer1-plugins-good, harfbuzz, httpd, ipa, libjpeg-turbo, libnbd, LibRaw, libreswan, libsndfile, libssh, libtiff, libvirt, libX11, libXpm, mingw components, mingw-glib2, mingw-pixman, mod_http2, mod_jk and mod_proxy_cluster, motif, [...] --------------------------------------------- https://lwn.net/Articles/973071/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (container-tools:4.0, container-tools:rhel8, git-lfs, glibc, libxml2, nodejs:18, and nodejs:20), Debian (dav1d and libpgjava), Fedora (kernel and pypy), Red Hat (glibc and nodejs:16), SUSE (ffmpeg, ffmpeg-4, ghostscript, go1.21, go1.22, less, python-python-jose, python-Werkzeug, and sssd), and Ubuntu (fossil, glib2.0, and libspreadsheet-parsexlsx-perl). --------------------------------------------- https://lwn.net/Articles/973206/ ∗∗∗ Admins müssen selbst handeln: PuTTY-Sicherheitslücke bedroht Citrix Hypervisor ∗∗∗ --------------------------------------------- Um XenCenter für Citrix Hypervisor abzusichern, müssen Admins händisch ein Sicherheitsupdate für das SSH-Tool PuTTY installieren. --------------------------------------------- https://heise.de/-9713898 ∗∗∗ Google Chrome: Exploit für Zero-Day-Lücke gesichtet ∗∗∗ --------------------------------------------- In Googles Webbrowser Chrome klafft eine Sicherheitslücke, für die ein Exploit existiert. Google reagiert mit einem Notfall-Update. --------------------------------------------- https://heise.de/-9714519 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ 2024-05 Reference Advisory: Junos OS and Junos OS Evolved: Multiple CVEs reported in OpenSSH ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-05-Reference-Advisory-Juno… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.05.2024
by Daily end-of-shift report 08 May '24

08 May '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 07-05-2024 18:00 − Mittwoch 08-05-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Der Briefkasten daheim als Einfallstor für Internet-Betrugsmaschen? ∗∗∗ --------------------------------------------- Online-Betrug lauert nicht nur im Internet. Zu Anrufen und SMS, die oft in Online-Betrugsmaschen führen, gesellt sich nun auch der Postkasten des Eigenheims als Einfallstor für Kriminelle hinzu. Sie nutzen die Briefkästen ihrer Opfer beispielsweise, um Sendungen aus Bestellbetrug zu erhalten, Daten und in weiterer Folge Geld zu stehlen oder um betrügerische Handwerksdienste und dazugehörige Websites zu bewerben. --------------------------------------------- https://www.watchlist-internet.at/news/der-briefkasten-daheim-als-einfallst… ∗∗∗ Massive webshop fraud ring steals credit cards from 850,000 people ∗∗∗ --------------------------------------------- A massive network of 75,000 fake online shops called BogusBazaar tricked over 850,000 people in the US and Europe into making purchases, allowing the criminals to steal credit card information and attempt to process an estimated $50 million in fake orders. --------------------------------------------- https://www.bleepingcomputer.com/news/security/massive-webshop-fraud-ring-s… ∗∗∗ Detecting XFinity/Comcast DNS Spoofing, (Mon, May 6th) ∗∗∗ --------------------------------------------- DNS interception, even if well-meaning, does undermine some of the basic "internet trust issues". Even if it is used to block users from malicious sites, it needs to be properly declared to the user, and switches to turn it off will have to function. This could be a particular problem if queries to other DNS filtering services are intercepted. I have yet to test this for Comcast and, for example, OpenDNS. --------------------------------------------- https://isc.sans.edu/diary/rss/30898 ∗∗∗ Analyzing Synology Disks on Linux, (Wed, May 8th) ∗∗∗ --------------------------------------------- Synology NAS solutions are popular devices. They are also used in many organizations. [..] They offer multiple disk management options but rely on many open-source software (like most appliances). [..] Synology NAS run a Linux distribution called DSM. This operating system has plenty of third-party tools but lacks pure forensics tools. In a recent investigation, I had to investigate a NAS that was involved in a ransomware attack. Many files (backups) were deleted. The attacker just deleted some shared folders. --------------------------------------------- https://isc.sans.edu/diary/rss/30904 ∗∗∗ Hijack Loader Malware Employs Process Hollowing, UAC Bypass in Latest Version ∗∗∗ --------------------------------------------- A newer version of a malware loader called Hijack Loader has been observed incorporating an updated set of anti-analysis techniques to fly under the radar. --------------------------------------------- https://thehackernews.com/2024/05/hijack-loader-malware-employs-process.html ∗∗∗ New Spectre-Style Pathfinder Attack Targets Intel CPU, Leak Encryption Keys and Data ∗∗∗ --------------------------------------------- Researchers have discovered two novel attack methods targeting high-performance Intel CPUs that could be exploited to stage a key recovery attack against the Advanced Encryption Standard (AES) algorithm. The techniques have been collectively dubbed Pathfinder by a group of academics from the University of California San Diego, Purdue University, UNC Chapel Hill, Georgia Institute of Technology, and Google. [..] Following responsible disclosure in November 2023, Intel, in an advisory released last month, said Pathfinder builds on Spectre v1 attacks and that previously deployed mitigations for Spectre v1 and traditional side-channels mitigate the reported exploits. There is no evidence that it impacts AMD CPUs. --------------------------------------------- https://thehackernews.com/2024/05/new-spectre-style-pathfinder-attack.html ∗∗∗ Ghidra nanoMIPS ISA module ∗∗∗ --------------------------------------------- Here we will demonstrate how to load a MediaTek baseband firmware into Ghidra for analysis with our nanoMIPS ISA module. --------------------------------------------- https://research.nccgroup.com/2024/05/07/ghidra-nanomips-isa-module/ ∗∗∗ Vorsicht vor gefälschten Online-Banking-Seiten auf Bing, Google & Co ∗∗∗ --------------------------------------------- Kriminelle schalten Anzeigen in Suchmaschinen (vor allem BING) und locken so Opfer auf gefälschte Online-Banking-Seiten. Vorsicht: Wenn Sie hier Ihre Daten eingeben, können hohe Beträge von Ihrem Konto abgebucht werden! Vergewissern Sie sich immer, dass Sie auf der echten Login-Seite Ihrer Bank sind! --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschtes-online-banking-suchmasc… ∗∗∗ RemcosRAT Distributed Using Steganography ∗∗∗ --------------------------------------------- AhnLab SEcurity intelligence Center (ASEC) has recently identified RemcosRAT being distributed using the steganography technique. Attacks begin with a Word document using the template injection technique, after which an RTF that exploits a vulnerability in the equation editor (EQNEDT32.EXE) is downloaded and executed. --------------------------------------------- https://asec.ahnlab.com/en/65111/ ===================== = Vulnerabilities = ===================== ∗∗∗ F5: K000139404: Quarterly Security Notification (May 2024) ∗∗∗ --------------------------------------------- F5 has released 13 security advisories (7x high, 6x medium) and 3 security exposures. --------------------------------------------- https://my.f5.com/manage/s/article/K000139404 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (glib2.0 and php7.3), Gentoo (Commons-BeanUtils, Epiphany, glibc, MariaDB, Node.js, NVIDIA Drivers, qtsvg, rsync, U-Boot tools, and ytnef), Oracle (kernel), Red Hat (git-lfs and kernel), SUSE (flatpak, less, python311, rpm, and sssd), and Ubuntu (libde265, libvirt, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-ibm, linux-ibm-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, linux-oem-6.5, and nghttp2). --------------------------------------------- https://lwn.net/Articles/972861/ ∗∗∗ WordPress: Cross-Site-Scripting-Schwachstelle in älteren Cores; und WordPress 6.5.3 verfügbar ∗∗∗ --------------------------------------------- Ich hoffe, ihr seid auf der aktuellen WordPress-Version, denn in älteren WordPress-Versionen gibt es eine Cross-Site-Scripting-Schwachstelle [..] und wer LightSpeed Cache als Plugin nutzt, sollte dringend updaten. --------------------------------------------- https://www.borncity.com/blog/2024/05/07/wordpress-cross-site-scripting-sch… ∗∗∗ VMware Avi Load Balancer: Rechteausweitung zu root möglich ∗∗∗ --------------------------------------------- Im Load Balancer VMware Avi können Angreifer ihre Rechte erhöhen oder unbefugt auf Informationen zugreifen. Updates korrigieren das. --------------------------------------------- https://heise.de/-9711733 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily