- Daily - CERT.at

Tageszusammenfassung - 28.05.2024
by Daily end-of-shift report 28 May '24

28 May '24

===================== = End-of-Day report = ===================== Timeframe: Montag 27-05-2024 18:00 − Dienstag 28-05-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Trusted relationship attacks: trust, but verify ∗∗∗ --------------------------------------------- We analyze the tactics and techniques of attackers targeting organizations through trusted relationships – that is, through contractors and external IT service providers. --------------------------------------------- https://securelist.com/trusted-relationship-attack/112731/ ∗∗∗ Threat landscape for industrial automation systems, Q1 2024 ∗∗∗ --------------------------------------------- The full global and regional reports have been published on the Kaspersky ICS CERT website. --------------------------------------------- https://securelist.com/industrial-threat-landscape-q1-2024/112683/ ∗∗∗ Kriminelle geben sich als Europäische Verbraucherzentren aus ∗∗∗ --------------------------------------------- Sie haben auf einer betrügerischen Investmentplattform Geld verloren? Ihre persönliche Beratung war nicht mehr erreichbar oder Ihr Konto wurde plötzlich gesperrt? Vorsicht, wenn Sie von Institutionen wie den Europäischen Verbraucherzentren kontaktiert werden, die Ihnen versprechen, Ihr Geld zurückzuholen. Es handelt sich erneut um eine Betrugsmasche! --------------------------------------------- https://www.watchlist-internet.at/news/kriminelle-geben-sich-als-europaeisc… ∗∗∗ Ivanti EPM Cloud Services Appliance - Taking advantage of a backdoor to detect a vulnerability ∗∗∗ --------------------------------------------- This blog post details how `CVE-2021-44529` was researched as well as the current method being used to detect it. --------------------------------------------- https://www.bitsight.com/blog/ivanti-epm-cloud-services-appliance-taking-ad… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (less), Mageia (chromium-browser-stable), SUSE (apache2, java-1_8_0-openj9, kernel, libqt5-qtnetworkauth, and openssl-3), and Ubuntu (netatalk and python-cryptography). --------------------------------------------- https://lwn.net/Articles/975529/ ∗∗∗ Kritische Sicherheitslücke gewährt Angreifern Zugriff auf TP-Link-Router C5400X ∗∗∗ --------------------------------------------- Der TP-Link-WLAN-Router C5400X ist verwundbar. Ein Sicherheitspatch schließt eine kritische Schwachstelle. --------------------------------------------- https://heise.de/-9736602 ∗∗∗ WordPress Plugin Exploited to Steal Credit Card Data from E-commerce Sites ∗∗∗ --------------------------------------------- https://thehackernews.com/2024/05/wordpress-plugin-exploited-to-steal.html ∗∗∗ Citrix Workspace app for Mac Security Bulletin for CVE-2024-5027 ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX675851/citrix-workspace-app-for-mac-s… ∗∗∗ Campbell Scientific CSI Web Server ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-149-01 ∗∗∗ TI Bluetooth stack can fail to generate a resolvable Random Private Address (RPA) leading to DoS for already bonded peer devices ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-466062.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.05.2024
by Daily end-of-shift report 27 May '24

27 May '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 24-05-2024 18:00 − Montag 27-05-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Google-Security-Manager: Phishing-Tests bringen nichts und nerven Mitarbeiter ∗∗∗ --------------------------------------------- Mitarbeiter fühlten sich durch Phishing-Simulationen oftmals hintergangen, erklärt ein Security-Experte. Dadurch werde das Vertrauen in die Sicherheitsteams untergraben. --------------------------------------------- https://www.golem.de/news/google-security-manager-phishing-tests-bringen-ni… ∗∗∗ Speichersicherheit: Fast 20 Prozent aller Rust-Pakete sind potenziell unsicher ∗∗∗ --------------------------------------------- Nach Angaben der Rust Foundation verwendet etwa jedes fünfte Rust-Paket das Unsafe-Keyword. Meistens werden dadurch Code oder Bibliotheken von Drittanbietern aufgerufen. --------------------------------------------- https://www.golem.de/news/speichersicherheit-fast-20-prozent-aller-rust-pak… ∗∗∗ Kommentar: Schluss mit falschen Pentests! ∗∗∗ --------------------------------------------- Wir wollen einen Pentest machen. So begannen für einige Zeit viele meiner Kundengespräche – manchmal mit der Variation "müssen" statt "wollen". Doch warum pentesten wir überhaupt? --------------------------------------------- https://heise.de/-9718811 ∗∗∗ Checkpoint: Important Security Update – Enhance your VPN Security Posture! ∗∗∗ --------------------------------------------- Over the past few months, we have observed increased interest of malicious groups in leveraging remote-access VPN environments as an entry point and attack vector into enterprises. [..] By May 24, 2024 we identified a small number of login attempts using old VPN local-accounts relying on unrecommended password-only authentication method. [..] Password-only authentication is considered an unfavourable method to ensure the highest levels of security, and we recommend not to rely on this when logging-in to network infrastructure. Check Point has released a solution, as a preventative measure to address these unauthorised remote access attempts. --------------------------------------------- https://blog.checkpoint.com/security/enhance-your-vpn-security-posture/ ∗∗∗ Hackers phish finance orgs using trojanized Minesweeper clone ∗∗∗ --------------------------------------------- Hackers are utilizing code from a Python clone of Microsoft's venerable Minesweeper game to hide malicious scripts in attacks on European and US financial organizations. Ukraine's CSIRT-NBU and CERT-UA attribute the attacks to a threat actor tracked as 'UAC-0188,' who is using the legitimate code to hide Python scripts that download and install the SuperOps RMM. Superops RMM is a legitimate remote management software that gives remote actors direct access to the compromised systems. [..] The attack begins with an email sent from the address "support(a)patient-docs-mail.com," impersonating a medical center with the subject "Personal Web Archive of Medical Documents. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-phish-finance-orgs-u… ∗∗∗ Message board scams ∗∗∗ --------------------------------------------- Here’s how scams target buyers and sellers on online message boards, and how the gangs behind them operate. [..] The gang under study also operates in Canada, Austria, France, and Norway. --------------------------------------------- https://securelist.com/message-board-scam/112691/ ∗∗∗ New Tricks in the Phishing Playbook: Cloudflare Workers, HTML Smuggling, GenAI ∗∗∗ --------------------------------------------- Cybersecurity researchers are alerting of phishing campaigns that abuse Cloudflare Workers to serve phishing sites that are used to harvest users credentials associated with Microsoft, Gmail, Yahoo!, and cPanel Webmail. --------------------------------------------- https://thehackernews.com/2024/05/new-tricks-in-phishing-playbook.html ∗∗∗ Technical Analysis of Anatsa Campaigns: An Android Banking Malware Active in the Google Play Store ∗∗∗ --------------------------------------------- At Zscaler ThreatLabz, we regularly monitor the Google Play store for malicious applications. [..] These malware-infected applications have collectively garnered over 5.5 million installs. [..] In this blog, we provide a technical analysis of Anatsa attack campaigns that leveraged themes like PDF readers and QR code readers to distribute malware in the Google Play store. --------------------------------------------- https://www.zscaler.com/blogs/security-research/technical-analysis-anatsa-c… ∗∗∗ Linguistic Lumberjack: Understanding CVE-2024-4323 in Fluent Bit ∗∗∗ --------------------------------------------- This vulnerability was discovered by the Tenable research team who described in their blog, that the flaw is due to improper validation of input names in requests, which can be exploited to cause memory corruption. This can result in denial-of-service attacks or information exposure, with remote code execution being possible under certain conditions. [..] This proof-of-concept script demonstrates how a denial of service is used CVE-2024-4323 is a memory corruption vulnerability in Fluent Bit versions 2.0.7 through 3.0.3. --------------------------------------------- https://blog.aquasec.com/linguistic-lumberjack-understanding-cve-2024-4323-… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (apache2, bluez, chromium, fossil, libreoffice, python-pymysql, redmine, and ruby-rack), Fedora (buildah, crosswords, dotnet7.0, glycin-loaders, gnome-tour, helix, helvum, libipuz, loupe, maturin, mingw-libxml2, ntpd-rs, perl-Email-MIME, and a huge list of Rust-based packages due to a ""mini-mass-rebuild"" that updated the toolchain to Rust 1.78 and picked up fixes for various pieces), Mageia (chromium-browser-stable, mariadb, and roundcubemail), Oracle (kernel, libreoffice, nodejs, and tomcat), and SUSE (cJSON, libfastjson, opera, postgresql15, python3, and qt6-networkauth). --------------------------------------------- https://lwn.net/Articles/975399/ ∗∗∗ Multiple vulnerabilities in HAWKI ∗∗∗ --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities… ∗∗∗ Synology-SA-24:07 Synology Camera ∗∗∗ --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_24_07 ∗∗∗ F5: K000139764: Apache HTTPD vulnerability CVE-2023-38709 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000139764 ∗∗∗ F5: K000139525: Libexpat vulnerability CVE-2022-43680 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000139525 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.05.2024
by Daily end-of-shift report 24 May '24

24 May '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 23-05-2024 18:00 − Freitag 24-05-2024 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Microsoft spots gift card thieves using cyber-espionage tactics ∗∗∗ --------------------------------------------- Microsoft has published a "Cyber Signals" report sharing new information about the hacking group Storm-0539 and a sharp rise in gift card theft as we approach the Memorial Day holiday in the United States. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-spots-gift-card-th… ∗∗∗ DKIM/BIMI: Die Zombies des Debian-OpenSSL-Bugs ∗∗∗ --------------------------------------------- Vor 16 Jahren sorgte ein Bug dafür, dass mit Debian und OpenSSL erstellte Schlüssel unsicher waren. Viele DKIM-Setups nutzten auch 16 Jahre später solche Schlüssel. --------------------------------------------- https://www.golem.de/news/dkim-bimi-die-zombies-des-debian-openssl-bugs-240… ∗∗∗ Japanese Experts Warn of BLOODALCHEMY Malware Targeting Government Agencies ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered that the malware known as BLOODALCHEMY used in attacks targeting government organizations in Southern and Southeastern Asia is in fact an updated version of Deed RAT, which is believed to be a successor to ShadowPad. --------------------------------------------- https://thehackernews.com/2024/05/japanese-experts-warn-of-bloodalchemy.html ∗∗∗ Fake Antivirus Websites Deliver Malware to Android and Windows Devices ∗∗∗ --------------------------------------------- Threat actors have been observed making use of fake websites masquerading as legitimate antivirus solutions from Avast, Bitdefender, and Malwarebytes to propagate malware capable of stealing sensitive information from Android and Windows devices. --------------------------------------------- https://thehackernews.com/2024/05/fake-antivirus-websites-deliver-malware.h… ∗∗∗ Google Chrome: Vierte bereits missbrauchte Zero-Day-Lücke in zwei Wochen ∗∗∗ --------------------------------------------- Google schließt eine Zero-Day-Lücke im Chrome-Webbrowser, die bereits angegriffen wird. Die vierte in zwei Wochen. --------------------------------------------- https://heise.de/-9730530 ===================== = Vulnerabilities = ===================== ∗∗∗ Dringend patchen: Gitlab-Schwachstelle ermöglicht Übernahme fremder Konten ∗∗∗ --------------------------------------------- Die Sicherheitslücke ist über ein Bug-Bounty-Programm gemeldet worden. Der Entdecker erhielt dafür mehr als 10.000 US-Dollar von Gitlab. --------------------------------------------- https://www.golem.de/news/dringend-patchen-gitlab-schwachstelle-ermoeglicht… ∗∗∗ Mehrere Schwachstellen entdeckt: Qnap verschläft Patches und gelobt Besserung ∗∗∗ --------------------------------------------- Nach der Entdeckung teils schwerwiegender Sicherheitslücken in QTS und QuTS Hero liefert Qnap Patches und entschuldigt sich für die Verspätung. --------------------------------------------- https://www.golem.de/news/mehrere-schwachstellen-entdeckt-qnap-verschlaeft-… ∗∗∗ CISA Warns of Actively Exploited Apache Flink Security Vulnerability ∗∗∗ --------------------------------------------- The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a security flaw impacting Apache Flink, an open-source, unified stream-processing and batch-processing framework, to the Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. --------------------------------------------- https://thehackernews.com/2024/05/cisa-warns-of-actively-exploited-apache.h… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (chromium, libreoffice, and thunderbird), Red Hat (.NET 7.0, .NET 8.0, gdk-pixbuf2, git-lfs, glibc, python3, and xorg-x11-server-Xwayland), SUSE (firefox, opensc, and ucode-intel), and Ubuntu (cjson and gnome-remote-desktop). --------------------------------------------- https://lwn.net/Articles/974913/ ∗∗∗ Splunk Config Explorer vulnerable to cross-site scripting ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN56781258/ ∗∗∗ WordPress Plugin "WP Booking" vulnerable to cross-site scripting ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN35838128/ ∗∗∗ Exposed Serial Shell on multiple PLCs in Siemens CP-XXXX Series ∗∗∗ --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/exposed-serial-shell-on-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.05.2024
by Daily end-of-shift report 23 May '24

23 May '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 22-05-2024 18:00 − Donnerstag 23-05-2024 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ State hackers turn to massive ORB proxy networks to evade detection ∗∗∗ --------------------------------------------- Security researchers are warning that state-backed hackers are increasingly relying on vast proxy networks of virtual private servers and compromised connected devices for cyberespionage operations. --------------------------------------------- https://www.bleepingcomputer.com/news/security/state-hackers-turn-to-massiv… ∗∗∗ ShrinkLocker: Turning BitLocker into ransomware ∗∗∗ --------------------------------------------- The Kaspersky GERT has detected a new group that has been abusing Microsoft Windows features by modifying the system to lower the defenses and using the local MS BitLocker utility to encrypt entire drives and demand a ransom. --------------------------------------------- https://securelist.com/ransomware-abuses-bitlocker/112643/ ∗∗∗ Ihre Website läuft über Jimdo? Vorsicht vor Phishing-Mails zu Zahlungsproblemen! ∗∗∗ --------------------------------------------- Website- und Online-Shop-Betreiber:innen aufgepasst: Wenn Ihre Website über Jimdo läuft, haben es Kriminelle aktuell vermehrt auf Ihre Daten und Ihr Geld abgesehen. Sie versenden dazu Phishing-Mails in denen Probleme mit Ihren laufenden Zahlungen vorgegaukelt werden. --------------------------------------------- https://www.watchlist-internet.at/news/jimdo-phishing-mails/ ∗∗∗ Format String Exploitation: A Hands-On Exploration for Linux ∗∗∗ --------------------------------------------- This blogpost covers a Capture The Flag challenge that was part of the 2024 picoCTF event. --------------------------------------------- https://blog.nviso.eu/2024/05/23/format-string-exploitation-a-hands-on-expl… ∗∗∗ New APT Group “Unfading Sea Haze” Hits Military Targets in South China Sea ∗∗∗ --------------------------------------------- Unfading Sea Hazes modus operandi spans over five years, with evidence dating back to 2018, reveals Bitdefender Labs investigation. --------------------------------------------- https://www.hackread.com/unfading-sea-haze-military-target-south-china-sea/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium), Fedora (chromium, libxml2, pgadmin4, and python-libgravatar), Mageia (ghostscript), Red Hat (389-ds:1.4, ansible-core, bind and dhcp, container-tools:rhel8, edk2, exempi, fence-agents, freeglut, frr, ghostscript, glibc, gmp, go-toolset:rhel8, grafana, grub2, gstreamer1-plugins-bad-free, gstreamer1-plugins-base, gstreamer1-plugins-good, harfbuzz, httpd:2.4, idm:DL1, idm:DL1 and idm:client modules, kernel, kernel-rt, krb5, LibRaw, [...] --------------------------------------------- https://lwn.net/Articles/974824/ ∗∗∗ Aptos Wisal Payroll Accounting Uses Hardcoded Database Credentials ∗∗∗ --------------------------------------------- Aptos WISAL payroll accounting uses hardcoded credentials in the Windows client to fetch the complete list of usernames and passwords from the database server, using an unencrypted connection. --------------------------------------------- https://www.redteam-pentesting.de/en/advisories/rt-sa-2023-007/ ∗∗∗ CVE-2024-4978: Backdoored Justice AV Solutions Viewer Software Used in Apparent Supply Chain Attack ∗∗∗ --------------------------------------------- Rapid7 has determined that users with JAVS Viewer v8.3.7 installed are at high risk and should take immediate action. --------------------------------------------- https://www.rapid7.com/blog/post/2024/05/23/cve-2024-4978-backdoored-justic… ∗∗∗ Cisco: Root-Zugriff durch SQL-Injection-Lücke in Firepower möglich ∗∗∗ --------------------------------------------- Cisco warnt vor Sicherheitslücken in ASA- und Firepower-Appliances. Angreifer können mit SQL-Injection Firepower-Geräte kompromittieren. --------------------------------------------- https://heise.de/-9729121 ∗∗∗ Sicherheitsupdates VMware: Schadcode kann aus VM ausbüchsen ∗∗∗ --------------------------------------------- Admins sollten zeitnah mehrere Sicherheitspatches für diverse VMware-Produkte installieren. --------------------------------------------- https://heise.de/-9729288 ∗∗∗ LCDS LAquis SCADA ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-142-01 ∗∗∗ Vulnerabilities in Autodesk InfraWorks software ∗∗∗ --------------------------------------------- https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0008 ∗∗∗ AutomationDirect Productivity PLCs ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-144-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.05.2024
by Daily end-of-shift report 22 May '24

22 May '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 21-05-2024 18:00 − Mittwoch 22-05-2024 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ GhostEngine mining attacks kill EDR security using vulnerable drivers ∗∗∗ --------------------------------------------- A malicious crypto mining campaign codenamed REF4578, has been discovered deploying a malicious payload named GhostEngine that uses vulnerable drivers to turn off security products and deploy an XMRig miner. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ghostengine-mining-attacks-k… ∗∗∗ Sicherheitsexperte warnt: Neue Windows-Funktion ist ein "Security-Alptraum" ∗∗∗ --------------------------------------------- Mit Recall sollen Windows-Nutzer in die Vergangenheit reisen können. Unter Sicherheits- und Datenschutzexperten stößt das neue Feature auf Unverständnis. --------------------------------------------- https://www.golem.de/news/sicherheitsexperte-warnt-neue-windows-funktion-is… ∗∗∗ Stealers, stealers and more stealers ∗∗∗ --------------------------------------------- In this report, we discuss two new stealers: Acrid and ScarletStealer, and an evolution of the known Sys01 stealer, with the latter two dividing stealer functionality across several modules. --------------------------------------------- https://securelist.com/crimeware-report-stealers/112633/ ∗∗∗ Risky Biz News: DNSBomb attack is here! Pew pew pew!!! ∗∗∗ --------------------------------------------- A team of academics from Tsinghua University in Beijing, China has discovered a new method of launching large-scale DDoS attacks using DNS traffic. --------------------------------------------- https://news.risky.biz/risky-biz-news-dnsbomb-attack-is-here-pew-pew-pew/ ∗∗∗ Gehacktes Brawl Stars Konto: Was tun, wenn ich erpresst werde? ∗∗∗ --------------------------------------------- Ihr eigenes oder das Spielekonto Ihres Kindes wurde gehackt? Die Kriminellen fordern nun Geld oder Gutscheinkarten, um den Zugriff zurückzubekommen? Lassen Sie sich nicht erpressen. Wir zeigen Ihnen, was Sie tun können! --------------------------------------------- https://www.watchlist-internet.at/news/gehacktes-brawl-stars-konto-was-tun-… ∗∗∗ Microsoft Exchange Server: Keylogger infiziert Regierungsorganisationen weltweit ∗∗∗ --------------------------------------------- Sicherheitsforscher sind auf einen Keylogger gestoßen, der weltweit Regierungsorganisation, aber auch Banken oder andere Institutionen über Microsoft Exchange Server infiziert. --------------------------------------------- https://www.borncity.com/blog/2024/05/22/microsoft-exchange-server-keylogge… ∗∗∗ Rockwell Automation Encourages Customers to Assess and Secure Public-Internet-Exposed Assets ∗∗∗ --------------------------------------------- Rockwell Automation has released guidance encouraging users to remove connectivity on all Industrial Control Systems (ICS) devices connected to the public-facing internet to reduce exposure to unauthorized or malicious cyber activity. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/05/21/rockwell-automation-enco… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (webkit2gtk), Fedora (kernel), Mageia (chromium-browser-stable, djvulibre, gdk-pixbuf2.0, nss & firefox, postgresql15 & postgresql13, python-pymongo, python-sqlparse, stb, thunderbird, and vim), Red Hat (go-toolset:rhel8, nodejs, and varnish:6), SUSE (gitui, glibc, and kernel), and Ubuntu (libspreadsheet-parseexcel-perl, linux-aws, linux-aws-5.15, linux-gke, linux-gcp, python-idna, and thunderbird). --------------------------------------------- https://lwn.net/Articles/974572/ ∗∗∗ Ivanti Patches Critical Code Execution Vulnerabilities in Endpoint Manager ∗∗∗ --------------------------------------------- Ivanti has released product updates to resolve multiple vulnerabilities, including critical code execution flaws in Endpoint Manager. --------------------------------------------- https://www.securityweek.com/ivanti-patches-critical-code-execution-vulnera… ∗∗∗ Critical Vulnerability in Honeywell Virtual Controller Allows Remote Code Execution ∗∗∗ --------------------------------------------- Claroty shows how Honeywell ControlEdge Virtual UOC vulnerability can be exploited for unauthenticated remote code execution. --------------------------------------------- https://www.securityweek.com/critical-vulnerability-in-honeywell-virtual-co… ∗∗∗ Kritische Lücke gewährt Angreifern Zugriff auf Veeam Backup Enterprise Manager ∗∗∗ --------------------------------------------- In einer aktuellen Version von Veeam Backup & Replication haben die Entwickler mehrere Schwachstellen geschlossen. --------------------------------------------- https://heise.de/-9726433 ∗∗∗ Patchday: Atlassian rüstet Data Center gegen Schadcode-Attacken ∗∗∗ --------------------------------------------- Admins sollten aus Sicherheitsgründen unter anderem Jira Data Center and Server und Service Management auf den aktuellen Stand bringen. --------------------------------------------- https://heise.de/-9728466 ∗∗∗ K000139685: Python vulnerability CVE-2023-40217 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000139685 ∗∗∗ K000139700: Linux kernel usbmon vulnerability CVE-2022-43750 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000139700 ∗∗∗ NextGen Healthcare Mirth Connect RCE (CVE-2023-43208, CVE-2023-37679) ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/threat-signal-report/5460 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.05.2024
by Daily end-of-shift report 21 May '24

21 May '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 17-05-2024 18:00 − Dienstag 21-05-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ Ransomware gang targets Windows admins via PuTTy, WinSCP malvertising ∗∗∗ --------------------------------------------- A ransomware operation targets Windows system administrators by taking out Google ads to promote fake download sites for Putty and WinSCP. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ransomware-gang-targets-wind… ∗∗∗ Banking malware Grandoreiro returns after police disruption ∗∗∗ --------------------------------------------- The banking trojan "Grandoreiro" is spreading in a large-scale phishing campaign in over 60 countries, targeting customer accounts of roughly 1,500 banks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/banking-malware-grandoreiro-… ∗∗∗ CISA warns of hackers exploiting Chrome, EoL D-Link bugs ∗∗∗ --------------------------------------------- The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has added three security vulnerabilities to its Known Exploited Vulnerabilities catalog, one impacting Google Chrome and two affecting some D-Link routers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cisa-warns-of-hackers-exploi… ∗∗∗ New BiBi Wiper version also destroys the disk partition table ∗∗∗ --------------------------------------------- A new version of the BiBi Wiper malware is now deleting the disk partition table to make data restoration harder, extending the downtime for targeted victims. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-bibi-wiper-version-also-… ∗∗∗ GitHub warns of SAML auth bypass flaw in Enterprise Server ∗∗∗ --------------------------------------------- GitHub has fixed a maximum severity (CVSS v4 score: 10.0) authentication bypass vulnerability tracked as CVE-2024-4986, which impacts GitHub Enterprise Server (GHES) instances using SAML single sign-on (SSO) authentication. --------------------------------------------- https://www.bleepingcomputer.com/news/security/github-warns-of-saml-auth-by… ∗∗∗ Ungeschützte API: Sicherheitslücke macht Studenten zu Wäsche-Millionären ∗∗∗ --------------------------------------------- In vielen Hochschulen und Wohnheimen stehen Wäscheautomaten von CSC Serviceworks. Zwei Studenten haben darin eine Sicherheitslücke entdeckt - mit erheblichem Missbrauchspotenzial. --------------------------------------------- https://www.golem.de/news/ungeschuetzte-api-sicherheitsluecke-macht-student… ∗∗∗ Fluent Bit: Kritische Schwachstelle betrifft alle gängigen Cloudanbieter ∗∗∗ --------------------------------------------- Mit der Schwachstelle lassen sich nicht nur Ausfälle provozieren und Daten abgreifen. Auch eine Schadcodeausführung aus der Ferne ist unter gewissen Umständen möglich. --------------------------------------------- https://www.golem.de/news/fluent-bit-kritische-schwachstelle-betrifft-alle-… ∗∗∗ Analyzing MSG Files, (Mon, May 20th) ∗∗∗ --------------------------------------------- .msg email files are ole files and can be analyzed with my tool oledump.py. --------------------------------------------- https://isc.sans.edu/diary/Analyzing+MSG+Files/30940 ∗∗∗ Latrodectus Malware Loader Emerges as IcedIDs Successor in Phishing Campaigns ∗∗∗ --------------------------------------------- Cybersecurity researchers have observed a spike in email phishing campaigns starting early March 2024 that delivers Latrodectus, a nascent malware loader believed to be the successor to the IcedID malware."These campaigns typically involve a .. --------------------------------------------- https://thehackernews.com/2024/05/latrodectus-malware-loader-emerges-as.html ∗∗∗ Cyber Criminals Exploit GitHub and FileZilla to Deliver Malware Cocktail ∗∗∗ --------------------------------------------- A "multi-faceted campaign" has been observed abusing legitimate services like GitHub and FileZilla to deliver an array of stealer malware and banking trojans such as Atomic (aka AMOS), Vidar, Lumma (aka LummaC2), and Octo by impersonating credible .. --------------------------------------------- https://thehackernews.com/2024/05/cyber-criminals-exploit-github-and.html ∗∗∗ SolarMarker Malware Evolves to Resist Takedown Attempts with Multi-Tiered Infrastructure ∗∗∗ --------------------------------------------- The persistent threat actors behind the SolarMarker information-stealing malware have established a multi-tiered infrastructure to complicate law enforcement takedown efforts, new findings from .. --------------------------------------------- https://thehackernews.com/2024/05/solarmarker-malware-evolves-to-resist.html ∗∗∗ Malware Delivery via Cloud Services Exploits Unicode Trick to Deceive Users ∗∗∗ --------------------------------------------- A new attack campaign dubbed CLOUD#REVERSER has been observed leveraging legitimate cloud storage services like Google Drive and Dropbox to stage malicious payloads."The VBScript and PowerShell scripts in the .. --------------------------------------------- https://thehackernews.com/2024/05/malware-delivery-via-cloud-services.html ∗∗∗ Vorsicht vor Telegram-Gruppe „Scammerpayback“ ∗∗∗ --------------------------------------------- Kriminelle verbreiten in Foren, auf Facebook-Seiten oder Gruppen, in denen Betrugsopfer Unterstützung oder Informationen suchen, falsche Hilfsangebote. Mit gefälschten oder gekaperten Profilen kommentieren sie Facebook-Beiträge der Watchlist Internet und locken in eine Telegram-Gruppe, in der Opfer angeblich ihr Geld zurückbekommen. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-telegram-gruppe-scammer… ∗∗∗ Sicherheitsupdate: DoS-Lücken in Netzwerkanalysetool Wireshark geschlossen ∗∗∗ --------------------------------------------- In der aktuellen Version von Wireshark haben die Entwickler drei Sicherheitslücken geschlossen und mehrere Bugs gefixt. --------------------------------------------- https://heise.de/-9725317 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (bind9, chromium, and thunderbird), Fedora (buildah, chromium, firefox, mingw-python-werkzeug, and suricata), Mageia (golang), Oracle (firefox and nodejs:20), Red Hat (firefox, httpd:2.4, nodejs, and thunderbird), and SUSE (firefox, git-cliff, and ucode-intel). --------------------------------------------- https://lwn.net/Articles/974339/ ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (firefox, nodejs, and thunderbird), Fedora (uriparser), Oracle (firefox and thunderbird), Slackware (mariadb), SUSE (cairo, gdk-pixbuf, krb5, libosinfo, postgresql14, and python310), and Ubuntu (firefox, linux-aws, linux-aws-5.15, and linux-azure). --------------------------------------------- https://lwn.net/Articles/974450/ ∗∗∗ WAGO: Vulnerability in WAGO Navigator ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2024-021/ ∗∗∗ WAGO: Multiple Vulnerabilities in e!Cockpit and e!Runtime / CODESYS Runtime ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-068/ ∗∗∗ Zyxel security advisory for buffer overflow vulnerabilities in some 5G NR/4G LTE CPE, DSL/Ethernet CPE, fiber ONT, WiFi extender, and home router devices ∗∗∗ --------------------------------------------- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-… ∗∗∗ Security updates 1.6.7 and 1.5.7 released ∗∗∗ --------------------------------------------- https://roundcube.net/news/2024/05/19/security-updates-1.6.7-and-1.5.7 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.05.2024
by Daily end-of-shift report 17 May '24

17 May '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 16-05-2024 18:00 − Freitag 17-05-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Zahlungsaufforderungen der IDS EU zu Ihrer Domain ignorieren! ∗∗∗ --------------------------------------------- Österreichische Unternehmen erhalten aktuell Zahlungsaufforderungen einer IDS EU bzw. ids-eu.org und idseu.org. Die Forderungen sollen eine Domainregistrierung betreffen. Bei genauerem Hinsehen offenbart sich, dass IDS EU in Verbindung zu einem früheren Betrug steht, zu welchem die Watchlist Internet bereits berichtete. Es gilt: Nichts bezahlen und die Forderung ignorieren! --------------------------------------------- https://www.watchlist-internet.at/news/zahlungsaufforderungen-ids-eu-ignori… ∗∗∗ Aufklärung nach Cyberangriff: BSI setzt Microsoft juristisch unter Druck ∗∗∗ --------------------------------------------- Seit Monaten versucht das BSI, von Microsoft Auskünfte zu einem Cyberangriff von 2023 zu erhalten. Inzwischen hat die Behörde ein Verwaltungsverfahren eröffnet. --------------------------------------------- https://www.golem.de/news/aufklaerung-nach-cyberangriff-bsi-setzt-microsoft… ∗∗∗ Another PDF Streams Example: Extracting JPEGs, (Fri, May 17th) ∗∗∗ --------------------------------------------- In this diary entry, I will show how file-magic.py can augment JSON data produced by pdf-parser.py with file-type information that an then be used by myjson-filter.py to filter out files you are interested in. As an example, I will extract all JPEGs from a PDF document. --------------------------------------------- https://isc.sans.edu/diary/rss/30924 ∗∗∗ New ‘Antidot’ Android Trojan Allows Cybercriminals to Hack Devices, Steal Data ∗∗∗ --------------------------------------------- Dubbed Antidot and spotted in early May, the malware masquerades as a Google Play update and employs overlay attacks to harvest victims’ credentials. [..] “The Antidot malware utilizes the MediaProjection feature to capture the display content of the compromised device. It then encodes this content and transmits it to the command-and-control (C&C) server,” Cyble explains. --------------------------------------------- https://www.securityweek.com/new-antidot-android-trojan-allows-cybercrimina… ===================== = Vulnerabilities = ===================== ∗∗∗ SAP Security Patch Day – May 2024 ∗∗∗ --------------------------------------------- On 14th of May 2024, SAP Security Patch Day saw the release of 14 new Security Notes. Further, there were 3 updates to previously released Security Notes. --------------------------------------------- https://support.sap.com/en/my-support/knowledge-base/security-notes-news/ma… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (chromium, firefox, and podman), Mageia (chromium-browser-stable, ghostscript, and java-1.8.0, java-11, java-17, java-latest), Red Hat (bind, Firefox, firefox, gnutls, httpd:2.4, and thunderbird), SUSE (glibc, opera, and python-Pillow), and Ubuntu (dotnet7, dotnet8, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-6.5, linux-azure, linux-azure-6.5, linux-gcp, linux-gcp-6.5, linux-hwe-6.5, linux-laptop, linux-lowlatency, linux-lowlatency-hwe-6.5, linux-nvidia-6.5, linux-oem-6.5, linux-oracle, linux-oracle-6.5, linux-raspi, linux-signed, linux-signed-aws, linux-signed-aws-6.5, linux-starfive, linux-starfive-6.5, linux, linux-aws, linux-azure-4.15, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux, linux-aws, linux-kvm, linux-lts-xenial, and linux, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-gcp, linux-gcp-5.15, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-raspi). --------------------------------------------- https://lwn.net/Articles/974055/ ∗∗∗ QNAP QTS - QNAPping At The Wheel (CVE-2024-27130 and friends) ∗∗∗ --------------------------------------------- The first four of these bugs have patches available. These bugs are fixed in the following products: QTS 5.1.6.2722 build 20240402 and later, QuTS hero h5.1.6.2734 build 20240414 and later [..] However, the remaining bugs still have no fixes available, even after an extended period. Those who are affected by these bugs are advised to consider taking such systems offline, or to heavily restrict access until patches are available. --------------------------------------------- https://labs.watchtowr.com/qnap-qts-qnapping-at-the-wheel-cve-2024-27130-an… ∗∗∗ Trellix ePolicy Orchestrator ermöglicht Rechteausweitung ∗∗∗ --------------------------------------------- Vor zwei Sicherheitslücken in ePolicy Orchestrator warnt Hersteller Trellix. Bösartige Akteure können ihre Rechte ausweiten. --------------------------------------------- https://heise.de/-9722391 ∗∗∗ WordPress Plugin "Download Plugins and Themes from Dashboard" vulnerable to path traversal ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN85380030/ ∗∗∗ Rechteausweitung durch unsichere Standardkonfiguration im CI-Out-of-Office Manager (SYSS-2024-013) ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/rechteausweitung-durch-unsichere-standardk… ∗∗∗ Mattermost security update Desktop App v5.8.0 released ∗∗∗ --------------------------------------------- https://mattermost.com/blog/mattermost-security-update-desktop-app-v5-8-0-r… ∗∗∗ Palo Alto Networks: CVE-2024-3661 Impact of TunnelVision Vulnerability (Severity: LOW) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2024-3661 ∗∗∗ F5: K000139652 : Intel CPU vulnerability CVE-2023-23583 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000139652 ∗∗∗ F5: K000139643 : Node-tar vulnerability CVE-2024-28863 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000139643 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.05.2024
by Daily end-of-shift report 16 May '24

16 May '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 15-05-2024 18:00 − Donnerstag 16-05-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ To the Moon and back(doors): Lunar landing in diplomatic missions ∗∗∗ --------------------------------------------- ESET researchers provide technical analysis of the Lunar toolset, likely used by the Turla APT group, that infiltrated a European ministry of foreign affairs. --------------------------------------------- https://www.welivesecurity.com/en/eset-research/moon-backdoors-lunar-landin… ∗∗∗ Windows Quick Assist abused in Black Basta ransomware attacks ∗∗∗ --------------------------------------------- Microsoft has been investigating this campaign since at least mid-April 2024, and, as they observed, the threat group (tracked as Storm-1811) started their attacks by email bombing the target after subscribing their addresses to various email subscription services. Once their mailboxes flood with unsolicited messages, the threat actors call them while impersonating a Microsoft technical support or the attacked company's IT or help desk staff to help remediate the spam issues. --------------------------------------------- https://www.bleepingcomputer.com/news/security/windows-quick-assist-abused-… ∗∗∗ Google patches third exploited Chrome zero-day in a week ∗∗∗ --------------------------------------------- Google has released a new emergency Chrome security update to address the third zero-day vulnerability exploited in attacks within a week. --------------------------------------------- https://www.bleepingcomputer.com/news/google/google-patches-third-exploited… ∗∗∗ Springtail: New Linux Backdoor Added to Toolkit ∗∗∗ --------------------------------------------- The backdoor (Linux.Gomir) appears to be a Linux version of the GoBear backdoor, which was used in a recent Springtail campaign that saw the attackers deliver malware via Trojanized software installation packages. Gomir is structurally almost identical to GoBear, with extensive sharing of code between malware variants. --------------------------------------------- https://symantec-enterprise-blogs.security.com/threat-intelligence/springta… ∗∗∗ Detecting Compromise of CVE-2024-3400 on Palo Alto Networks GlobalProtect Devices ∗∗∗ --------------------------------------------- This blog post aims to provide details on methods for investigating potentially compromised Palo Alto Networks firewall devices and a general approach towards edge device threat detection. --------------------------------------------- https://www.volexity.com/blog/2024/05/15/detecting-compromise-of-cve-2024-3… ∗∗∗ ViperSoftX Uses Deep Learning-based Tesseract to Exfiltrate Information ∗∗∗ --------------------------------------------- AhnLab SEcurity intelligence Center (ASEC) has recently discovered ViperSoftX attackers using Tesseract to exfiltrate users’ image files. ViperSoftX is a malware strain responsible for residing on infected systems and executing the attackers’ commands or stealing cryptocurrency-related information. The malware newly discovered this time utilizes the open-source OCR engine Tesseract. --------------------------------------------- https://asec.ahnlab.com/en/65426/ ∗∗∗ Talos releases new macOS open-source fuzzer ∗∗∗ --------------------------------------------- Cisco Talos has developed a fuzzer that enables us to test macOS software on commodity hardware. [..] Compared to fuzzing for software vulnerabilities on Linux, where most of the code is open-source, targeting anything on macOS presents a few difficulties. --------------------------------------------- https://blog.talosintelligence.com/talos-releases-new-macos-fuzzer/ ∗∗∗ Llama Drama: Critical Vulnerability CVE-2024-34359 Threatening Your Software Supply Chain ∗∗∗ --------------------------------------------- Jinja2: This library is a popular Python tool for template rendering, primarily used for generating HTML. Its ability to execute dynamic content makes it powerful but can pose a significant security risk if not correctly configured to restrict unsafe operations. `llama_cpp_python`: This package integrates Python's ease of use with C++'s performance, making it ideal for complex AI models handling large data volumes. However, its use of Jinja2 for processing model metadata without enabling necessary security safeguards exposes it to template injection attacks. [..] The vulnerability identified has been addressed in version 0.2.72 of the llama-cpp-python package, which includes a fix enhancing sandboxing and input validation measures. --------------------------------------------- https://checkmarx.com/blog/llama-drama-critical-vulnerability-cve-2024-3435… ∗∗∗ The xz apocalypse that almost was* ∗∗∗ --------------------------------------------- Given Bitsight’s pretty broad view of the Internet, I thought I could contribute to the discussion a bit and ask “how bad could this have been?” and as a corollary “how many chances would there have been to notice?” So let’s get into the “how bad could this have been?” question first. --------------------------------------------- https://www.bitsight.com/blog/xz-apocalypse-almost-was ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (.NET 7.0, .NET 8.0, and nodejs:20), Debian (chromium, firefox-esr, ghostscript, and libreoffice), Fedora (djvulibre, mingw-glib2, mingw-python-jinja2, and mingw-python-werkzeug), Oracle (.NET 7.0, .NET 8.0, kernel, and nodejs:18), Red Hat (nodejs:20), Slackware (gdk and git), SUSE (python), and Ubuntu (linux-hwe-5.15, linux-raspi). --------------------------------------------- https://lwn.net/Articles/973908/ ∗∗∗ Sicherheitslücken in Überwachungskameras und Video-Babyphones ∗∗∗ --------------------------------------------- Schwachstellen aus der ThroughTek Kaylay-IoT-Plattform. Dringend Update-Status der IoT-Geräte prüfen. --------------------------------------------- https://www.zdnet.de/88415973/sicherheitsluecken-in-ueberwachungskameras-un… ∗∗∗ WLAN-Attacke: SSID-Verwechslungs-Angriff macht Nutzer verwundbar ∗∗∗ --------------------------------------------- Eine Sicherheitslücke in WLAN-Protokollen führt dazu, dass Angreifer in einer Man-in-the-Middle-Position WLAN-Verkehr manipulieren können. [..] Das ohnehin nicht mehr sicher zu nutzende WEP ist anfällig, und das neuere, sonst sicherere WPA3 ebenfalls. 802.11X/EAP und Mesh-Netzwerke mit AMPE-Authentifizierung sind laut Auflistung ebenfalls für SSID-Confusion verwundbar. --------------------------------------------- https://heise.de/-9720818 ∗∗∗ Cisco: Updates schließen Sicherheitslücken in mehreren Produkten ∗∗∗ --------------------------------------------- In mehreren Cisco-Produkten klaffen Sicherheitslücken, durch die Angreifer sich etwa root-Rechte verschaffen und Geräte kompromittieren können. [..] Insgesamt warnt Cisco in drei Mitteilungen vor hochriskanten Sicherheitslücken. --------------------------------------------- https://heise.de/-9720226 ∗∗∗ Freies Admin-Panel: Codeschmuggel durch Cross-Site-Scripting in Froxlor ∗∗∗ --------------------------------------------- Dank schludriger Eingabefilterung können Angreifer ohne Anmeldung Javascript im Browser des Server-Admins ausführen. Ein Patch steht bereit. --------------------------------------------- https://heise.de/-9721569 ∗∗∗ Netzwerksicherheit: Diverse Fortinet-Produkte für verschiedene Attacken anfällig ∗∗∗ --------------------------------------------- Es sind wichtige Sicherheitsupdates für unter anderem FortiSandbox, FortiPortal und FortiWebManager erschienen. --------------------------------------------- https://heise.de/-9720252 ∗∗∗ Access Points von Aruba verwundbar – keine Updates für ältere Versionen ∗∗∗ --------------------------------------------- Insgesamt haben die Entwickler sechs "kritische" Sicherheitslücken in noch unterstützten Versionen von ArubaOS und InstantOS geschlossen. --------------------------------------------- https://heise.de/-9720385 ∗∗∗ Rockwell Automation FactoryTalk View SE ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-137-14 ∗∗∗ [R1] Nessus Agent Version 10.6.4 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2024-09 ∗∗∗ [R1] Nessus Version 10.7.3 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2024-08 ∗∗∗ F5: K000139637 : Expat vulnerability CVE-2024-28757 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000139637 ∗∗∗ F5: K000139643 : Node.js vulnerability CVE-2024-28863 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000139643 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.05.2024
by Daily end-of-shift report 15 May '24

15 May '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 14-05-2024 18:00 − Mittwoch 15-05-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ PoC exploit released for RCE zero-day in D-Link EXO AX4800 routers ∗∗∗ --------------------------------------------- The D-Link EXO AX4800 (DIR-X4860) router is vulnerable to remote unauthenticated command execution that could lead to complete device takeovers by attackers with access to the HNAP port. --------------------------------------------- https://www.bleepingcomputer.com/news/security/poc-exploit-released-for-rce… ∗∗∗ Weitere Schwachstelle entdeckt: Hacker startet erneut Cyberangriff auf Dell ∗∗∗ --------------------------------------------- Die bereits abgegriffenen 49 Millionen Kundendatensätze sind ihm offenbar nicht genug. Menelik greift Dell erneut an. Dieses Mal sind wohl Support-Daten betroffen. --------------------------------------------- https://www.golem.de/news/weitere-schwachstelle-entdeckt-hacker-startet-ern… ∗∗∗ Ebury is alive but unseen: 400k Linux servers compromised for cryptocurrency theft and financial gain ∗∗∗ --------------------------------------------- One of the most advanced server-side malware campaigns is still growing, with hundreds of thousands of compromised servers, and it has diversified to include credit card and cryptocurrency theft. --------------------------------------------- https://www.welivesecurity.com/en/eset-research/ebury-alive-unseen-400k-lin… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Mageia (sssd and tcpdump), Red Hat (.NET 7.0, .NET 8.0, expat, kernel, and kernel-rt), Slackware (mozilla), SUSE (kernel, postgresql15, postgresql16, python-arcomplete, python-Fabric, python-PyGithub, python- antlr4-python3-runtime, python-avro, python-chardet, python-distro, python- docker, python-fakeredis, python-fixedint, pyth, and python3), and Ubuntu (linux-bluefield). --------------------------------------------- https://lwn.net/Articles/973746/ ∗∗∗ ICS Patch Tuesday: Advisories Published by Siemens, Rockwell, Mitsubishi Electric ∗∗∗ --------------------------------------------- Several ICS vendors released advisories on Tuesday to inform customers about vulnerabilities found in their products. --------------------------------------------- https://www.securityweek.com/ics-patch-tuesday-advisories-published-by-siem… ∗∗∗ Intel Publishes 41 Security Advisories for Over 90 Vulnerabilities ∗∗∗ --------------------------------------------- Intel has published 41 new May 2024 Patch Tuesday advisories covering a total of more than 90 vulnerabilities. [..] The most important flaw, based on its severity rating of ‘critical’ and a CVSS score of 10, is CVE-2024-22476. [..] Intel says this critical vulnerability could allow an unauthenticated attacker to “enable escalation of privilege via remote access”. --------------------------------------------- https://www.securityweek.com/intel-publishes-41-security-advisories-for-ove… ∗∗∗ LibreOffice: Falscher Klick kann zur Ausführung von Schadcode führen ∗∗∗ --------------------------------------------- Eine Sicherheitslücke im quelloffenen LibreOffice ermöglicht Angreifern, Opfern Schadcode unterzujubeln. Die müssen nur einmal klicken. --------------------------------------------- https://heise.de/-9719334 ∗∗∗ VMware Workstation und Fusion: Ausbruch aus Gastsystem möglich ∗∗∗ --------------------------------------------- In VMware Workstation und Fusion klaffen Sicherheitslücken, die beim Pwn2Own-Wettbewerb missbraucht wurden. Sie ermöglichen den Ausbruch aus dem Gastsystem. --------------------------------------------- https://heise.de/-9718624 ∗∗∗ Patchday: Angreifer attackieren Windows und verschaffen sich Systemrechte ∗∗∗ --------------------------------------------- Microsoft hat wichtige Sicherheitsupdates für unter anderem Edge, Dynamics 365 und Windows veröffentlicht. Es gibt bereits Attacken. --------------------------------------------- https://heise.de/-9718608 ∗∗∗ Patchday: Angreifer können Schadcode durch Lücken in Adobe-Software schieben ∗∗∗ --------------------------------------------- Der Softwarehersteller Adobe hat unter anderem Animate, Illustrator und Reader vor möglichen Attacken abgesichert. --------------------------------------------- https://heise.de/-9718639 ∗∗∗ Fortiguard Security Advisories ∗∗∗ --------------------------------------------- https://www.fortiguard.com/psirt ∗∗∗ Lenovo Security Advisories ∗∗∗ --------------------------------------------- https://support.lenovo.com/at/en/product_security/home ∗∗∗ 30,000 WordPress Sites affected by Arbitrary SQL Execution Vulnerability Patched in Visualizer WordPress Plugin ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2024/05/30000-wordpress-sites-affected-by-ar… ∗∗∗ Bosch: Remote code execution vulnerability has been found over an insecure connection in the Praesensa Logging Application, Praesideo Logging Application and Praesideo PC Call Station ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-106054-bt.html ∗∗∗ B&R: 2024-05-14: Cyber Security Advisory - Insecure Loading of Code in B&R Products ∗∗∗ --------------------------------------------- https://www.br-automation.com/fileadmin/SA24P005_Insecure_Loading_of_Code-c… ∗∗∗ SUBNET PowerSYSTEM Center ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-135-02 ∗∗∗ F5: K000139592 : libxml2 vulnerability CVE-2023-29469 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000139592 ∗∗∗ ZDI-24-456: NI FlexLogger FLXPROJ File Parsing Deserialization of Untrusted Data Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-456/ ∗∗∗ ZDI-24-455: SolarWinds Access Rights Manager JsonSerializationBinder Deserialization of Untrusted Data Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-455/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.05.2024
by Daily end-of-shift report 14 May '24

14 May '24

===================== = End-of-Day report = ===================== Timeframe: Montag 13-05-2024 18:00 − Dienstag 14-05-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ PyPi package backdoors Macs using the Sliver pen-testing suite ∗∗∗ --------------------------------------------- A new package mimicked the popular requests library on the Python Package Index (PyPI) to target macOS devices with the Sliver C2 adversary framework, used for gaining initial access to corporate .. --------------------------------------------- https://www.bleepingcomputer.com/news/security/pypi-package-backdoors-macs-… ∗∗∗ Apple and Google add alerts for unknown Bluetooth trackers to iOS, Android ∗∗∗ --------------------------------------------- On Monday, Apple and Google jointly announced a new privacy feature that warns Android and iOS users when an unknown Bluetooth tracking device travels with .. --------------------------------------------- https://www.bleepingcomputer.com/news/security/apple-and-google-add-alerts-… ∗∗∗ Incident response analyst report 2023 ∗∗∗ --------------------------------------------- The report shares statistics and observations from incident response practice in 2023, analyzes trends and gives cybersecurity recommendations. --------------------------------------------- https://securelist.com/kaspersky-incident-response-report-2023/112504/ ∗∗∗ Apple Patches Everything: macOS, iOS, iPadOS, watchOS, tvOS updated., (Tue, May 14th) ∗∗∗ --------------------------------------------- Apple today released updates for its various operating systems. The updates cover iOS, iPadOS, macOS, watchOS and tvOS. A standalone update for Safari was released for older versions of macOS. One already exploited vulnerability, CVE-2024-23296 is patched for older versions of macOS and iOS. In March, Apple patched this vulnerability for more recent versions of iOS and macOS. --------------------------------------------- https://isc.sans.edu/diary/rss/30916 ∗∗∗ Ongoing Campaign Bombarded Enterprises with Spam Emails and Phone Calls ∗∗∗ --------------------------------------------- Cybersecurity researchers have uncovered an ongoing social engineering campaign that bombards enterprises with spam emails with the goal of obtaining initial access to their environments for follow-on exploitation. --------------------------------------------- https://thehackernews.com/2024/05/ongoing-campaign-bombarded-enterprises.ht… ∗∗∗ Critical Flaws in Cacti Framework Could Let Attackers Execute Malicious Code ∗∗∗ --------------------------------------------- The maintainers of the Cacti open-source network monitoring and fault management framework have addressed a dozen security flaws, including two critical issues that could lead to the execution of arbitrary code.The most severe of the vulnerabilities are listed below -CVE-2024-25641 (CVSS score: 9.1) - An arbitrary file write vulnerability in the "Package Import" feature that --------------------------------------------- https://thehackernews.com/2024/05/critical-flaws-in-cacti-framework-could.h… ∗∗∗ Log4J shows no sign of fading, spotted in 30% of CVE exploits ∗∗∗ --------------------------------------------- Organizations continue to run insecure protocols across their wide access networks (WAN), making it easier for cybercriminals to move across networks, according to a Cato Networks survey. Enterprises are too trusting within their networks The Cato CTRL SASE Threat Report Q1 2024 provides insight into the security threats and their .. --------------------------------------------- https://www.helpnetsecurity.com/2024/05/14/log4j-wan-insecure-protocols/ ∗∗∗ Google Patches Second Chrome Zero-Day in One Week ∗∗∗ --------------------------------------------- Google has announced patches for another Chrome vulnerability that has been exploited in attacks. This is the second zero-day addressed by the company in one week and the third flaw leveraged in malicious attacks in 2024. The new zero-day, tracked as CVE-2024-4761, has been described as a high-severity out-of-bounds write issue .. --------------------------------------------- https://www.securityweek.com/google-patches-second-chrome-zero-day-in-one-w… ∗∗∗ Falsche Gewinnbenachrichtigungen in echten Gewinnspielen ∗∗∗ --------------------------------------------- An einem Facebook-Gewinnspiel teilgenommen? Vorsicht, Kriminelle nutzen echte Gewinnspiele für Betrugsmaschen. Mit Fake-Profilen kommentieren sie die Kommentare der Teilnehmer:innen und behaupten, sie hätten gewonnen. Mit einem Link locken sie auf eine betrügerische Webseite. Wir zeigen Ihnen, wie Sie sicher an Gewinnspielen teilnehmen! --------------------------------------------- https://www.watchlist-internet.at/news/falsche-gewinnbenachrichtigungen-in-… ∗∗∗ Foxit PDF Reader “Flawed Design” : Hidden Dangers Lurking in Common Tools ∗∗∗ --------------------------------------------- Heightened vulnerability: Check Point Research has identified an unusual pattern of behavior involving PDF exploitation, mainly targeting users of Foxit PDF Reader. This exploit triggers security warnings that could deceive unsuspecting users into executing harmful commands, exploiting human psychology to manipulate users into accidentally providing .. --------------------------------------------- https://blog.checkpoint.com/research/foxit-pdf-reader-flawed-design-hidden-… ∗∗∗ Guidance for organisations considering payment in ransomware incidents ∗∗∗ --------------------------------------------- Advice for organisations experiencing a ransomware attack and the partner organisations supporting them. --------------------------------------------- https://www.ncsc.gov.uk/guidance/organisations-considering-payment-in-ranso… ∗∗∗ Avast Q1/2024 Threat Report ∗∗∗ --------------------------------------------- Nearly 90% of Threats Blocked are Social Engineering, Revealing a Huge Surge of Scams, and Discovery of the Lazarus APT CampaignThe post Avast Q1/2024 Threat Report appeared first on Avast Threat Labs. --------------------------------------------- https://decoded.avast.io/threatresearch/avast-q1-2024-threat-report/ ===================== = Vulnerabilities = ===================== ∗∗∗ TYPO3-CORE-SA-2024-010: Uncontrolled Resource Consumption in ShowImageController ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-core-sa-2024-010 ∗∗∗ TYPO3-CORE-SA-2024-009: Cross-Site Scripting in ShowImageController ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-core-sa-2024-009 ∗∗∗ TYPO3-CORE-SA-2024-008: Cross-Site Scripting in Form Manager Module ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-core-sa-2024-008 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- https://lwn.net/Articles/973667/ ∗∗∗ Security Vulnerabilities fixed in Firefox ESR 115.11 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2024-22/ ∗∗∗ Security Vulnerabilities fixed in Firefox 126 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2024-21/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.05.2024
by Daily end-of-shift report 13 May '24

13 May '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 10-05-2024 18:00 − Montag 13-05-2024 18:00 Handler: Alexander Riepl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ GoTo Meeting loads Remcos RAT via Rust Shellcode Loader ∗∗∗ --------------------------------------------- Legitimate applications can unwittingly become conduits for malware execution. This is also the case for recent malware loaders which abuse GoTo Meeting, an online meeting software, to deploy Remcos RAT. --------------------------------------------- https://www.gdatasoftware.com/blog/2024/05/37906-gotomeeting-loads-remcos ∗∗∗ API missbraucht: Hacker teilt Details zum Cyberangriff auf Dell ∗∗∗ --------------------------------------------- Ein Cyberkrimineller hat rund 49 Millionen Kundendatensätze von Dell abgegriffen. Möglich gewesen ist ihm dies über eine unzureichend geschützte API eines Partnerportals. --------------------------------------------- https://www.golem.de/news/api-missbraucht-hacker-teilt-details-zum-cyberang… ∗∗∗ FIN7 Hacker Group Leverages Malicious Google Ads to Deliver NetSupport RAT ∗∗∗ --------------------------------------------- The financially motivated threat actor known as FIN7 has been observed leveraging malicious Google ads spoofing legitimate brands as a means to deliver MSIX installers that culminate in the deployment of NetSupport RAT. --------------------------------------------- https://thehackernews.com/2024/05/fin7-hacker-group-leverages-malicious.html ∗∗∗ Vorsicht vor falschen Anrufen von PayPal oder Amazon ∗∗∗ --------------------------------------------- Derzeit werden uns vermehrt Anrufe im Namen von PayPal und Amazon gemeldet. Die Kriminellen geben vor, ein Problem mit Ihrem Konto zu haben und bieten Ihnen telefonische Hilfe an. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-falschen-anrufen-von-pa… ∗∗∗ Leveraging DNS Tunneling for Tracking and Scanning ∗∗∗ --------------------------------------------- We provide a walkthrough of how attackers leverage DNS tunneling for tracking and scanning, an expansion of the way this technique is usually exploited. --------------------------------------------- https://unit42.paloaltonetworks.com/three-dns-tunneling-campaigns/ ∗∗∗ Side-by-Side with HelloJackHunter: Unveiling the Mysteries of WinSxS ∗∗∗ --------------------------------------------- This post explores Windows Side-by-Side (WinSxS) and DLL hijacking, deep-diving some tooling Ive written and some of the fun along the way. --------------------------------------------- https://blog.zsec.uk/hellojackhunter-exploring-winsxs/ ∗∗∗ Not all scams are easy to spot ∗∗∗ --------------------------------------------- Even the most intelligent individuals can fall victim to scams due to coincidental timing and convincing tactics, so staying skeptical, verifying communications and using anti-scam tools is key to reducing the risk. --------------------------------------------- https://www.emsisoft.com/en/blog/45650/not-all-scams-are-easy-to-spot/ ∗∗∗ Europol sperrt eigenes Forum nach erfolgreichem Einbruch ∗∗∗ --------------------------------------------- Die europäische Polizeibehörde hat ihren Dienst "Europol for Experts" vom Netz genommen. Zuvor waren unter anderem Strategiepapiere daraus angeboten worden. --------------------------------------------- https://heise.de/-9715410 ∗∗∗ Ransomware Black Basta zählt nach zwei Jahren weltweit über 500 Opfer ∗∗∗ --------------------------------------------- Das FBI teilt wichtige Fakten im Kampf gegen den Erpressungstrojaner Black Basta. Die Ransomware macht auch vor kritischen Infrastrukturen nicht halt. --------------------------------------------- https://heise.de/-9715674 ===================== = Vulnerabilities = ===================== ∗∗∗ Widely used modems in industrial IoT devices open to SMS attack ∗∗∗ --------------------------------------------- Security flaws in Telit Cinterion cellular modems, widely used in sectors including industrial, healthcare, and telecommunications, could allow remote attackers to execute arbitrary code via SMS. --------------------------------------------- https://www.bleepingcomputer.com/news/security/widely-used-modems-in-indust… ∗∗∗ Malicious Python Package Hides Sliver C2 Framework in Fake Requests Library Logo ∗∗∗ --------------------------------------------- Cybersecurity researchers have identified a malicious Python package that purports to be an offshoot of the popular requests library and has been found concealing a Golang-version of the Sliver command-and-control (C2) framework within a PNG image of the projects logo. --------------------------------------------- https://thehackernews.com/2024/05/malicious-python-package-hides-sliver.html ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (nodejs:18 and shim), Debian (atril and chromium), Fedora (chromium, glib2, gnome-shell, mediawiki, php-wikimedia-cdb, php-wikimedia-utfnormal, stb, and tcpdump), Gentoo (Kubelet, PoDoFo, Rebar3, and thunderbird), Mageia (glibc and libnbd), Oracle (kernel), Red Hat (bind and dhcp and varnish), and SUSE (chromium, cpio, freerdp, giflib, gnutls, opera, python-Pillow, python-Werkzeug, tinyproxy, and tpm2-0-tss). --------------------------------------------- https://lwn.net/Articles/973496/ ∗∗∗ Microsoft fixt DLL-Hijacking-Schwachstelle in Store-App Telemetrie-Wrapper-Installer ∗∗∗ --------------------------------------------- Microsoft hat damit vor einiger Zeit seine Store-Apps mit einem neuen Installer versehen. Dieser enthält einen ausführbaren .NET-Wrapper der Telemetrie und weiteren Code in die App integriert. In der ersten Version wies dieser .NET-Wrapper aber eine DLL-Hijacking-Schwachstelle auf [...] --------------------------------------------- https://www.borncity.com/blog/2024/05/11/microsoft-fixt-dll-hijacking-schwa… ∗∗∗ Self-Signed Zertifikate im SAP® Cloud Connector zugelassen ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/self-signed-zertifika… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.05.2024
by Daily end-of-shift report 10 May '24

10 May '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 08-05-2024 18:00 − Freitag 10-05-2024 18:00 Handler: Alexander Riepl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Datenschutzvorfall: Dell informiert über Abfluss von Kundendaten ∗∗∗ --------------------------------------------- Zu den abgeflossenen Informationen zählen laut Dell Namen, Adressdaten sowie weitere Daten über Bestellungen und darin enthaltene Dell-Hardware. --------------------------------------------- https://www.golem.de/news/datenschutzvorfall-dell-informiert-ueber-abfluss-… ∗∗∗ APT trends report Q1 2024 ∗∗∗ --------------------------------------------- The report features the most significant developments relating to APT groups in Q1 2024, including the new malware campaigns DuneQuixote and Durian, and hacktivist activity. --------------------------------------------- https://securelist.com/apt-trends-report-q1-2024/112473/ ∗∗∗ Mirai Botnet Exploits Ivanti Connect Secure Flaws for Malicious Payload Delivery ∗∗∗ --------------------------------------------- Two recently disclosed security flaws in Ivanti Connect Secure (ICS) devices are being exploited to deploy the infamous Mirai botnet. --------------------------------------------- https://thehackernews.com/2024/05/mirai-botnet-exploits-ivanti-connect.html ∗∗∗ GhostStripe attack haunts self-driving cars by making them ignore road signs ∗∗∗ --------------------------------------------- Six boffins mostly hailing from Singapore-based universities have proven it's possible to attack autonomous vehicles by exploiting the system's reliance on camera-based computer vision and cause it to not recognize road signs. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2024/05/10/baidu_apollo… ∗∗∗ Back to the Hype: An Update on How Cybercriminals Are Using GenAI ∗∗∗ --------------------------------------------- Generative AI continues to be misused and abused by malicious individuals. In this article, we dive into new criminal LLMs, criminal services with ChatGPT-like capabilities, and deepfakes being offered on criminal sites. --------------------------------------------- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-th… ∗∗∗ Zscaler Investigates Hacking Claims After Data Offered for Sale ∗∗∗ --------------------------------------------- Zscaler says its customer, production and corporate environments are not impacted after a notorious hacker offers to sell access. --------------------------------------------- https://www.securityweek.com/zscaler-investigates-hacking-claims-after-data… ∗∗∗ With nation-state threats in mind, nearly 70 software firms agree to Secure by Design pledge ∗∗∗ --------------------------------------------- The nation’s top cybersecurity agency said 68 of the world’s leading software manufacturers have signed on to a voluntary pledge to design products that have security built in from the beginning. --------------------------------------------- https://therecord.media/secure-by-design-companies-cisa-rsa ∗∗∗ In interview, LockbitSupp says authorities outed the wrong guy ∗∗∗ --------------------------------------------- The leader of the LockBit ransomware gang, who goes by the name LockbItSupp, told Click Here in an interview that international law enforcement has made a mistake. --------------------------------------------- https://therecord.media/lockbitsupp-interview-ransomware-cybercrime-lockbit ∗∗∗ Krypto-Betrüger: Sechs Österreicher festgenommen ∗∗∗ --------------------------------------------- Weil sie einen Online-Handel mit angeblich neuer Kryptowährung aufgezogen und damit Investoren abgezockt haben, wurden nun sechs Österreicher verhaftet. --------------------------------------------- https://heise.de/-9714300 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (ansible-core, avahi, bind, buildah, containernetworking-plugins, edk2, fence-agents, file, freeglut, freerdp, frr, git-lfs, gnutls, golang, grafana, grafana-pcp, gstreamer1-plugins-bad-free, gstreamer1-plugins-base, gstreamer1-plugins-good, harfbuzz, httpd, ipa, libjpeg-turbo, libnbd, LibRaw, libreswan, libsndfile, libssh, libtiff, libvirt, libX11, libXpm, mingw components, mingw-glib2, mingw-pixman, mod_http2, mod_jk and mod_proxy_cluster, motif, [...] --------------------------------------------- https://lwn.net/Articles/973071/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (container-tools:4.0, container-tools:rhel8, git-lfs, glibc, libxml2, nodejs:18, and nodejs:20), Debian (dav1d and libpgjava), Fedora (kernel and pypy), Red Hat (glibc and nodejs:16), SUSE (ffmpeg, ffmpeg-4, ghostscript, go1.21, go1.22, less, python-python-jose, python-Werkzeug, and sssd), and Ubuntu (fossil, glib2.0, and libspreadsheet-parsexlsx-perl). --------------------------------------------- https://lwn.net/Articles/973206/ ∗∗∗ Admins müssen selbst handeln: PuTTY-Sicherheitslücke bedroht Citrix Hypervisor ∗∗∗ --------------------------------------------- Um XenCenter für Citrix Hypervisor abzusichern, müssen Admins händisch ein Sicherheitsupdate für das SSH-Tool PuTTY installieren. --------------------------------------------- https://heise.de/-9713898 ∗∗∗ Google Chrome: Exploit für Zero-Day-Lücke gesichtet ∗∗∗ --------------------------------------------- In Googles Webbrowser Chrome klafft eine Sicherheitslücke, für die ein Exploit existiert. Google reagiert mit einem Notfall-Update. --------------------------------------------- https://heise.de/-9714519 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ 2024-05 Reference Advisory: Junos OS and Junos OS Evolved: Multiple CVEs reported in OpenSSH ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-05-Reference-Advisory-Juno… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.05.2024
by Daily end-of-shift report 08 May '24

08 May '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 07-05-2024 18:00 − Mittwoch 08-05-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Der Briefkasten daheim als Einfallstor für Internet-Betrugsmaschen? ∗∗∗ --------------------------------------------- Online-Betrug lauert nicht nur im Internet. Zu Anrufen und SMS, die oft in Online-Betrugsmaschen führen, gesellt sich nun auch der Postkasten des Eigenheims als Einfallstor für Kriminelle hinzu. Sie nutzen die Briefkästen ihrer Opfer beispielsweise, um Sendungen aus Bestellbetrug zu erhalten, Daten und in weiterer Folge Geld zu stehlen oder um betrügerische Handwerksdienste und dazugehörige Websites zu bewerben. --------------------------------------------- https://www.watchlist-internet.at/news/der-briefkasten-daheim-als-einfallst… ∗∗∗ Massive webshop fraud ring steals credit cards from 850,000 people ∗∗∗ --------------------------------------------- A massive network of 75,000 fake online shops called BogusBazaar tricked over 850,000 people in the US and Europe into making purchases, allowing the criminals to steal credit card information and attempt to process an estimated $50 million in fake orders. --------------------------------------------- https://www.bleepingcomputer.com/news/security/massive-webshop-fraud-ring-s… ∗∗∗ Detecting XFinity/Comcast DNS Spoofing, (Mon, May 6th) ∗∗∗ --------------------------------------------- DNS interception, even if well-meaning, does undermine some of the basic "internet trust issues". Even if it is used to block users from malicious sites, it needs to be properly declared to the user, and switches to turn it off will have to function. This could be a particular problem if queries to other DNS filtering services are intercepted. I have yet to test this for Comcast and, for example, OpenDNS. --------------------------------------------- https://isc.sans.edu/diary/rss/30898 ∗∗∗ Analyzing Synology Disks on Linux, (Wed, May 8th) ∗∗∗ --------------------------------------------- Synology NAS solutions are popular devices. They are also used in many organizations. [..] They offer multiple disk management options but rely on many open-source software (like most appliances). [..] Synology NAS run a Linux distribution called DSM. This operating system has plenty of third-party tools but lacks pure forensics tools. In a recent investigation, I had to investigate a NAS that was involved in a ransomware attack. Many files (backups) were deleted. The attacker just deleted some shared folders. --------------------------------------------- https://isc.sans.edu/diary/rss/30904 ∗∗∗ Hijack Loader Malware Employs Process Hollowing, UAC Bypass in Latest Version ∗∗∗ --------------------------------------------- A newer version of a malware loader called Hijack Loader has been observed incorporating an updated set of anti-analysis techniques to fly under the radar. --------------------------------------------- https://thehackernews.com/2024/05/hijack-loader-malware-employs-process.html ∗∗∗ New Spectre-Style Pathfinder Attack Targets Intel CPU, Leak Encryption Keys and Data ∗∗∗ --------------------------------------------- Researchers have discovered two novel attack methods targeting high-performance Intel CPUs that could be exploited to stage a key recovery attack against the Advanced Encryption Standard (AES) algorithm. The techniques have been collectively dubbed Pathfinder by a group of academics from the University of California San Diego, Purdue University, UNC Chapel Hill, Georgia Institute of Technology, and Google. [..] Following responsible disclosure in November 2023, Intel, in an advisory released last month, said Pathfinder builds on Spectre v1 attacks and that previously deployed mitigations for Spectre v1 and traditional side-channels mitigate the reported exploits. There is no evidence that it impacts AMD CPUs. --------------------------------------------- https://thehackernews.com/2024/05/new-spectre-style-pathfinder-attack.html ∗∗∗ Ghidra nanoMIPS ISA module ∗∗∗ --------------------------------------------- Here we will demonstrate how to load a MediaTek baseband firmware into Ghidra for analysis with our nanoMIPS ISA module. --------------------------------------------- https://research.nccgroup.com/2024/05/07/ghidra-nanomips-isa-module/ ∗∗∗ Vorsicht vor gefälschten Online-Banking-Seiten auf Bing, Google & Co ∗∗∗ --------------------------------------------- Kriminelle schalten Anzeigen in Suchmaschinen (vor allem BING) und locken so Opfer auf gefälschte Online-Banking-Seiten. Vorsicht: Wenn Sie hier Ihre Daten eingeben, können hohe Beträge von Ihrem Konto abgebucht werden! Vergewissern Sie sich immer, dass Sie auf der echten Login-Seite Ihrer Bank sind! --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschtes-online-banking-suchmasc… ∗∗∗ RemcosRAT Distributed Using Steganography ∗∗∗ --------------------------------------------- AhnLab SEcurity intelligence Center (ASEC) has recently identified RemcosRAT being distributed using the steganography technique. Attacks begin with a Word document using the template injection technique, after which an RTF that exploits a vulnerability in the equation editor (EQNEDT32.EXE) is downloaded and executed. --------------------------------------------- https://asec.ahnlab.com/en/65111/ ===================== = Vulnerabilities = ===================== ∗∗∗ F5: K000139404: Quarterly Security Notification (May 2024) ∗∗∗ --------------------------------------------- F5 has released 13 security advisories (7x high, 6x medium) and 3 security exposures. --------------------------------------------- https://my.f5.com/manage/s/article/K000139404 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (glib2.0 and php7.3), Gentoo (Commons-BeanUtils, Epiphany, glibc, MariaDB, Node.js, NVIDIA Drivers, qtsvg, rsync, U-Boot tools, and ytnef), Oracle (kernel), Red Hat (git-lfs and kernel), SUSE (flatpak, less, python311, rpm, and sssd), and Ubuntu (libde265, libvirt, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-ibm, linux-ibm-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, linux-oem-6.5, and nghttp2). --------------------------------------------- https://lwn.net/Articles/972861/ ∗∗∗ WordPress: Cross-Site-Scripting-Schwachstelle in älteren Cores; und WordPress 6.5.3 verfügbar ∗∗∗ --------------------------------------------- Ich hoffe, ihr seid auf der aktuellen WordPress-Version, denn in älteren WordPress-Versionen gibt es eine Cross-Site-Scripting-Schwachstelle [..] und wer LightSpeed Cache als Plugin nutzt, sollte dringend updaten. --------------------------------------------- https://www.borncity.com/blog/2024/05/07/wordpress-cross-site-scripting-sch… ∗∗∗ VMware Avi Load Balancer: Rechteausweitung zu root möglich ∗∗∗ --------------------------------------------- Im Load Balancer VMware Avi können Angreifer ihre Rechte erhöhen oder unbefugt auf Informationen zugreifen. Updates korrigieren das. --------------------------------------------- https://heise.de/-9711733 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.05.2024
by Daily end-of-shift report 07 May '24

07 May '24

===================== = End-of-Day report = ===================== Timeframe: Montag 06-05-2024 18:00 − Dienstag 07-05-2024 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ New Case Study: The Malicious Comment ∗∗∗ --------------------------------------------- How safe is your comments section? Discover how a seemingly innocent thank you comment on a product page concealed a malicious vulnerability, underscoring the necessity of robust security measures. --------------------------------------------- https://thehackernews.com/2024/05/new-case-study-malicious-comment.html ∗∗∗ Ransomware evolves from mere extortion to psychological attacks ∗∗∗ --------------------------------------------- RSAC Ransomware infections and extortion attacks have become "a psychological attack against the victim organization," as criminals use increasingly personal and aggressive tactics to force victims to pay up. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2024/05/07/ransomware_e… ∗∗∗ Betrug am Telefon: Kriminelle täuschen hohe Abbuchungen vor ∗∗∗ --------------------------------------------- Vorsicht, wenn Ihnen jemand am Telefon erklärt, dass es „versteckte Abbuchungen“ von Ihrem Bankkonto gibt. Hierbei handelt es sich um eine Betrugsmasche. Um glaubwürdig zu wirken, nennen die Kriminellen persönliche Daten von Ihnen. Diese wurden aber im Zuge einer Phishing-Falle gesammelt. Legen Sie auf! --------------------------------------------- https://www.watchlist-internet.at/news/betrug-am-telefon-kriminelle-taeusch… ∗∗∗ Ein Kopf (Administrator) der LockBit-Gruppe enttarnt? ∗∗∗ --------------------------------------------- Der "Kopf" und gleichzeitig Administrator der Ransomware-Gruppe LockBit ist laut Mitteilung der Strafverfolger identifiziert. --------------------------------------------- https://www.borncity.com/blog/2024/05/07/ein-kopf-administrator-der-lockbit… ===================== = Vulnerabilities = ===================== ∗∗∗ TunnelVision (CVE-2024-3661): How Attackers Can Decloak Routing-Based VPNs For a Total VPN Leak ∗∗∗ --------------------------------------------- Recently, we identified a novel network technique that bypasses VPN encapsulation. An attacker can use this technique to force a target user’s traffic off their VPN tunnel using built-in features of DHCP (Dynamic Host Configuration Protocol). --------------------------------------------- https://www.leviathansecurity.com/blog/tunnelvision ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (kernel), Gentoo (libjpeg-turbo, xar, and Xpdf), Red Hat (bind, dhcp and glibc), and SUSE (bouncycastle, curl, flatpak, less, and xen). --------------------------------------------- https://lwn.net/Articles/972679/ ∗∗∗ Android-Patchday: Angreifer können Rechte im System ausweiten ∗∗∗ --------------------------------------------- Google schließt am Android-Patchday mehrere Lücken, durch die Angreifer ihre Rechte ausweiten können. --------------------------------------------- https://heise.de/-9710075 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ PTC Codebeamer ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-128-01 ∗∗∗ SUBNET Substation Server ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-128-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.05.2024
by Daily end-of-shift report 06 May '24

06 May '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 03-05-2024 18:00 − Montag 06-05-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Vorsicht vor gefälschten RTR-Briefen ∗∗∗ --------------------------------------------- Kriminelle geben sich in einem Brief als Rundfunk und Telekom Regulierungs-GmbH (RTR) aus. Im Schreiben steht, dass für den Anschluss an Mobilfunknetze und die Wartung von Basisstationen ein Entgelt von € 8,90 zu bezahlen sei. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-gefaelschten-rtr-briefe… ∗∗∗ Microsoft: Sicherheit oberste Priorität in Produkten, Diensten und intern ∗∗∗ --------------------------------------------- In einem internen Memo und einem Blogpost stellt Microsoft Security bei allen Entwicklungen an erste Stelle. Das gilt für Produkte wie Services. [..] Charlie Bell zufolge will sich sein Unternehmen strikt an die Vorgaben des CSRB halten. --------------------------------------------- https://heise.de/-9708577 ∗∗∗ Breaking down Microsoft’s pivot to placing cybersecurity as a top priority ∗∗∗ --------------------------------------------- Recently, Microsoft had quite frankly a kicking from the US Department of Homeland Security over their security practices in a Cyber Safety Review Board report. I’ve tried to keep as quiet as possible about this one for various reasons (and I was not involved in the CSRB report, even anonymously) — although long time followers will know I’ve been often critical of Microsoft’s security posture. The CSRB report is well worth a read — they did a great job. [..] As always, the proof is in the pudding, not the vendor blog. I think these changes will take a few years to start to work through, and fully expect a few more clanger breaches in the mean time. And that’s annoying but okay, because hard work is hard. --------------------------------------------- https://doublepulsar.com/breaking-down-microsofts-pivot-to-placing-cybersec… ∗∗∗ Critical Tinyproxy Flaw Opens Over 50,000 Hosts to Remote Code Execution ∗∗∗ --------------------------------------------- More than 50% of the 90,310 hosts have been found exposing a Tinyproxy service on the internet thats vulnerable to a critical unpatched security flaw in the HTTP/HTTPS proxy tool. The issue, tracked as CVE-2023-49606, carries a CVSS score of 9.8 out of a maximum of 10, per Cisco Talos, which described it as a use-after-free bug impacting versions 1.10.0 and 1.11.1, which is the latest version. --------------------------------------------- https://thehackernews.com/2024/05/critical-tinyproxy-flaw-opens-over.html ∗∗∗ Lockbits seized site comes alive to tease new police announcements ∗∗∗ --------------------------------------------- The NCA, FBI, and Europol have revived a seized LockBit ransomware data leak site to hint at new information being revealed by law enforcement this Tuesday. --------------------------------------------- https://www.bleepingcomputer.com/news/security/lockbits-seized-site-comes-a… ∗∗∗ Why Your VPN May Not Be As Secure As It Claims ∗∗∗ --------------------------------------------- Virtual private networking (VPN) companies market their services as a way to prevent anyone from snooping on your Internet usage. But new research suggests this is a dangerous assumption when connecting to a VPN via an untrusted network, because attackers on the same network could force a targets traffic off of the protection provided by their VPN without triggering any alerts to the user. --------------------------------------------- https://krebsonsecurity.com/2024/05/why-your-vpn-may-not-be-as-secure-as-it… ∗∗∗ Financial cyberthreats in 2023 ∗∗∗ --------------------------------------------- In this report, we share our insights into the 2023 trends and statistics on financial threats, such as phishing, PC and mobile banking malware. --------------------------------------------- https://securelist.com/financial-threat-report-2023/112526/ ∗∗∗ HijackLoader Updates ∗∗∗ --------------------------------------------- HijackLoader (a.k.a. IDAT Loader) is a malware loader initially spotted in 2023 that is capable of using a variety of modules for code injection and execution. It uses a modular architecture, a feature that most loaders do not have – which we discussed in a previous HijackLoader blog. ThreatLabz researchers recently analyzed a new HijackLoader sample that has updated evasion techniques. --------------------------------------------- https://www.zscaler.com/blogs/security-research/hijackloader-updates ∗∗∗ New Goldoon Botnet Targeting D-Link Devices by Exploiting 9-Year-Old Flaw ∗∗∗ --------------------------------------------- By WaqasA new botnet called Goldoon targets D-Link routers and NAS devices putting them at risk of DDoS attacks and more. Learn how weak credentials leave you vulnerable and how to secure your network. pen_sparkThis is a post from HackRead.com Read the original post: New Goldoon Botnet Targeting D-Link Devices by Exploiting 9-Year-Old Flaw --------------------------------------------- https://www.hackread.com/goldoon-botnet-targeting-d-link-devices/ ∗∗∗ End-to-end encryption may be the bane of cops, but they cant close that Pandoras Box ∗∗∗ --------------------------------------------- Police can complain all they like about strong end-to-end encryption making their jobs harder, but it doesn't matter because the technology is here and won't go away. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2024/05/05/e2ee_police/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (glibc, intel-microcode, less, libkf5ksieve, and ruby3.1), Fedora (chromium, gdcm, httpd, and stalld), Gentoo (Apache Commons BCEL, borgmatic, Dalli, firefox, HTMLDOC, ImageMagick, MediaInfo, MediaInfoLib, MIT krb5, MPlayer, mujs, Pillow, Python, PyPy3, QtWebEngine, Setuptools, strongSwan, and systemd), Oracle (grub2 and shim), Red Hat (git-lfs, kpatch-patch, unbound, and varnish), and SUSE (avahi, grafana and mybatis, java-11-openjdk, java-17-openjdk, skopeo, SUSE Manager Client Tools, SUSE Manager Salt Bundle, and SUSE Manager Server 4.3). --------------------------------------------- https://lwn.net/Articles/972571/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.05.2024
by Daily end-of-shift report 03 May '24

03 May '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 02-05-2024 18:00 − Freitag 03-05-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Microsoft rolls out passkey auth for personal Microsoft accounts ∗∗∗ --------------------------------------------- Microsoft announced that Windows users can now log into their Microsoft consumer accounts using a passkey, allowing users to authenticate using password-less methods such as Windows Hello, FIDO2 security keys, biometric data (facial scans or fingerprints), or device PINs. [..] Microsoft had already added passkey support to Windows for logging into websites and applications, but with the additional support for Microsoft accounts, consumers can now easily log in without entering a password. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-rolls-out-passkey… ∗∗∗ Scans Probing for LB-Link and Vinga WR-AC1200 routers CVE-2023-24796, (Thu, May 2nd) ∗∗∗ --------------------------------------------- Before diving into the vulnerability, a bit about the affected devices. LB-Link, the make of the devices affected by this vulnerability, produces various wireless equipment that is sometimes sold under different brands and labels. This will make it difficult to identify affected devices. These devices are often low-cost "no name" solutions or, in some cases, may even be embedded, which makes it even more difficult to find firmware updates. [..] And yes, the vulnerability evolves around the "user=admin" cookie and a command injection in the password parameter. This is too stupid to waste any more time on, but it is common enough to just give up and call it a day. --------------------------------------------- https://isc.sans.edu/diary/rss/30890 ∗∗∗ Mal.Metrica Redirects Users to Scam Sites ∗∗∗ --------------------------------------------- One of our analysts recently identified a new Mal.Metrica redirect scam on compromised websites, but one that requires a little bit of effort on the part of the victim. It’s another lesson for web users to be careful what they click on, and to be wary of anything suspicious that pops up in their browser — even if it’s coming from a website that they would otherwise trust. --------------------------------------------- https://blog.sucuri.net/2024/05/mal-metrica-redirects-users-to-scam-sites.h… ∗∗∗ Hackers Increasingly Abusing Microsoft Graph API for Stealthy Malware Communications ∗∗∗ --------------------------------------------- Since January 2022, multiple nation-state-aligned hacking groups have been observed using Microsoft Graph API for C&C. This includes threat actors tracked as APT28, REF2924, Red Stinger, Flea, APT29, and OilRig. --------------------------------------------- https://thehackernews.com/2024/05/hackers-increasingly-abusing-microsoft.ht… ∗∗∗ Europol op shutters 12 scam call centers and cuffs 21 suspected fraudsters ∗∗∗ --------------------------------------------- A Europol-led operation dubbed “Pandora” has shut down a dozen phone scam centers, and arrested 21 suspects. [..] Beginning in December 2023, German investigators deployed more than 100 officers to trace the scam calls back to the source - call centers run by crooks - and then monitored them. That effort resulted in the interception of more than 1.3 million "nefarious conversations." Baden-Württemberg State Criminal Police officers had to set up a call center of their own so that they could contact potential victims, warning more than 80 percent of them. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2024/05/03/operation_pa… ∗∗∗ These Dangerous Scammers Don’t Even Bother to Hide Their Crimes ∗∗∗ --------------------------------------------- “Yahoo Boy” cybercriminals are openly running dozens of scams across Facebook, WhatsApp, Telegram, TikTok, YouTube, and more. [..] While the Yahoo Boys have been active for years, all the experts spoken to for this piece say they should be treated more seriously by social media companies and law enforcement. --------------------------------------------- https://www.wired.com/story/yahoo-boys-scammers-facebook-telegram-tiktok-yo… ∗∗∗ Adding insult to injury: crypto recovery scams ∗∗∗ --------------------------------------------- Once your crypto has been stolen, it is extremely difficult to get back – be wary of fake promises to retrieve your funds and learn how to avoid becoming a victim twice over. --------------------------------------------- https://www.welivesecurity.com/en/scams/crypto-recovery-scams-insult-injury/ ∗∗∗ CVE-2024-2887: A Pwn2Own Winning Bug in Google Chrome ∗∗∗ --------------------------------------------- In this guest blog from Master of Pwn winner Manfred Paul, he details CVE-2024-2887 – a type confusion bug that occurs in both Google Chrome and Microsoft Edge (Chromium). He used this bug as a part of his winning exploit that led to code execution in the renderer of both browsers. This bug was quickly patched by both Google and Microsoft. Manfred has graciously provided this detailed write-up of the vulnerability and how he exploited it at the contest. --------------------------------------------- https://www.thezdi.com/blog/2024/5/2/cve-2024-2887-a-pwn2own-winning-bug-in… ∗∗∗ CISA and FBI Release Secure by Design Alert to Urge Manufacturers to Eliminate Directory Traversal Vulnerabilities ∗∗∗ --------------------------------------------- This Alert was crafted in response to recent well-publicized threat actor campaigns that exploited directory traversal vulnerabilities in software (e.g., CVE-2024-1708, CVE-2024-20345) to compromise users of the software—impacting critical infrastructure sectors, including the Healthcare and Public Health Sector. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/05/02/cisa-and-fbi-release-sec… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (chromium, grub2, httpd, kernel, libcoap, matrix-synapse, python-pip, and rust-pythonize), Red Hat (kernel and libxml2), SUSE (kernel), and Ubuntu (eglibc, glibc and php7.4, php8.1, php8.2). --------------------------------------------- https://lwn.net/Articles/972351/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.05.2024
by Daily end-of-shift report 02 May '24

02 May '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 30-04-2024 18:00 − Donnerstag 02-05-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ CVD - Notizen zur Pressekonferenz ∗∗∗ --------------------------------------------- Ich wurde eingeladen, heute bei einer Pressekonferenz von Epicenter.works am Podium zu sitzen. Es ging um einen Fall, bei dem es im Zuge einer klassischen verantwortungsvollen Offenlegung einer Schwachstelle (Responsible Disclosure, bzw Coordinated Vulnerability Disclosure [CVD]) zu einer Anzeige gekommen ist. Nachzulesen ist der Fall auf der Epicenter Webseite. Ich will hier kurz meine Notizen / Speaking Notes zusammenfassen. --------------------------------------------- https://cert.at/de/blog/2024/4/cvd-policy ∗∗∗ CISA warnt: MS Smartscreen- und Gitlab-Sicherheitslücke werden angegriffen ∗∗∗ --------------------------------------------- Die US-Cybersicherheitsbehörde CISA hat Angriffe auf eine Lücke im Microsoft Smartscreen und auf eine Gitlab-Schwachstelle gesichtet. --------------------------------------------- https://heise.de/-9705715 ∗∗∗ Digitale Signatur: Datenleak bei Dropbox Sign ∗∗∗ --------------------------------------------- Unbekannte Angreifer konnten auf Kundendaten des digitalen Signaturservices Dropbox Sign zugreifen. Andere Dropbox-Produkte sollen nicht betroffen sein. --------------------------------------------- https://heise.de/-9705355 ∗∗∗ Windows 10/11/Server 2022: Kein Fix für den Installationsfehler 0x80070643 beim WinRE-Update mehr ∗∗∗ --------------------------------------------- Seit Januar 2024 kämpfen Nutzer von Windows 10 und Windows 11 (sowie Windows Server 2022) mit dem Versuch Microsofts, ein Update der WinRE-Umgebung zu installieren. Im Januar 2024 ließen zahlreiche Nutzer im Umfeld des Patchday beim Versuch, das Update KB5034441 zu installieren, in den Installationsfehler 0x80070643. Trotz mehrerer Versuche zur Nachbesserung in den Folgemonaten ist es Microsoft nicht gelungen, den Installationsfehler zu beseitigen. Nun kommt das Eingeständnis, dass es keinen automatischen Fix für das Update gibt – es ist Handarbeit angesagt. --------------------------------------------- https://www.borncity.com/blog/2024/05/02/windows-10-11-kein-fix-fr-den-inst… ∗∗∗ “Dirty stream” attack: Discovering and mitigating a common vulnerability pattern in Android apps ∗∗∗ --------------------------------------------- Microsoft discovered a vulnerability pattern in multiple popular Android applications that could enable a malicious application to overwrite files in the vulnerable application’s internal data storage directory, which could lead to arbitrary code execution and token theft, among other impacts. We have shared our findings with Google’s Android Application Security Research team, as well as the developers of apps found vulnerable to this issue. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2024/05/01/dirty-stream-attac… ∗∗∗ Another Day, Another NAS: Attacks against Zyxel NAS326 devices CVE-2023-4473, CVE-2023-4474, (Tue, Apr 30th) ∗∗∗ --------------------------------------------- Yesterday, I talked about attacks against a relatively recent D-Link NAS vulnerability. Today, scanning my honeypot logs, I found an odd URL that I didn't recognize. The vulnerability is a bit older but turns out to be targeting yet another NAS. [..] Based on our logs, only one IP address exploits the vulnerability: %%ip: 89.190.156.248%%. --------------------------------------------- https://isc.sans.edu/diary/rss/30884 ∗∗∗ Android Malware Wpeeper Uses Compromised WordPress Sites to Hide C2 Servers ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered a previously undocumented malware targeting Android devices that uses compromised WordPress sites as relays for its actual command-and-control (C2) servers for detection evasion. The malware, codenamed Wpeeper, is an ELF binary that leverages the HTTPS protocol to secure its C2 communications. [..] The ELF binary is embedded within a repackaged application that purports to be the UPtodown App Store app for Android (package name "com.uptodown"), with the APK file acting as a delivery vehicle for the backdoor in a manner that evades detection. --------------------------------------------- https://thehackernews.com/2024/05/android-malware-wpeeper-uses.html ∗∗∗ New Cuttlefish Malware Hijacks Router Connections, Sniffs for Cloud Credentials ∗∗∗ --------------------------------------------- A new malware called Cuttlefish is targeting small office and home office (SOHO) routers with the goal of stealthily monitoring all traffic through the devices and gather authentication data from HTTP GET and POST requests. [..] Cuttlefish has been active since at least July 27, 2023, with the latest campaign running from October 2023 through April 2024 and predominantly infecting 600 unique IP addresses associated with two Turkish telecom providers. --------------------------------------------- https://thehackernews.com/2024/05/new-cuttlefish-malware-hijacks-router.html ∗∗∗ Autodesk: Important Security Update for Autodesk Drive ∗∗∗ --------------------------------------------- In March, Autodesk was made aware of an incident where an external user published documents to Autodesk Drive containing links to a phishing web site. Our Cyber Threat Management & Response Team immediately responded to this incident, and the malicious files are no longer being hosted on Autodesk Drive. No customers have reported being impacted by this incident. --------------------------------------------- https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-autodesk-dr… ∗∗∗ Analysis of TargetCompany’s Attacks Against MS-SQL Servers (Mallox, BlueSky Ransomware) ∗∗∗ --------------------------------------------- While monitoring attacks targeting MS-SQL servers, AhnLab SEcurity intelligence Center (ASEC) recently identified cases of the TargetCompany ransomware group installing the Mallox ransomware. The TargetCompany ransomware group primarily targets improperly managed MS-SQL servers to install the Mallox ransomware. While these attacks have been ongoing for several years, here we will outline the correlation between the newly identified malware and previous attack cases involving the distribution of the Tor2Mine CoinMiner and BlueSky ransomware. --------------------------------------------- https://asec.ahnlab.com/en/64921/ ∗∗∗ CISA and Partners Release Fact Sheet on Defending OT Operations Against Ongoing Pro-Russia Hacktivist Activity ∗∗∗ --------------------------------------------- This fact sheet provides information and mitigations associated with cyber operations conducted by pro-Russia hacktivists who seek to compromise industrial control systems (ICS) and small-scale operational technology (OT) systems in North American and European critical infrastructure sectors, including Water and Wastewater Systems, Dams, Energy, and Food and Agriculture Sectors. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/05/01/cisa-and-partners-releas… ===================== = Vulnerabilities = ===================== ∗∗∗ Kritische Sicherheitslücken in ArubaOS - Updates verfügbar ∗∗∗ --------------------------------------------- In ArubaOS, dem Betriebssystem vieler Geräte von HPE Aruba Networks, existieren mehrere kritische Sicherheitslücken. Diese ermöglichen unter anderem die Ausführung von beliebigem Code und Denial-of-Service (DoS) Angriffe. CVE-Nummern: CVE-2024-26304, CVE-2024-26305, CVE-2024-33511, CVE-2024-33512, CVE-2024-33513, CVE-2024-33514, CVE-2024-33515, CVE-2024-33516, CVE-2024-33517, CVE-2024-33518 CVSSv3 Scores: bis zu 9.8 (kritisch) --------------------------------------------- https://cert.at/de/warnungen/2024/5/kritische-sicherheitslucken-in-arubaos-… ∗∗∗ CISCO Talos: Vulnerability Roundup ∗∗∗ --------------------------------------------- Peplink Smart Reader, Silicon Labs Gecko Platform, open-source library for DICOM files, Grassroots DICOM library and Foxit PDF Reader. --------------------------------------------- https://blog.talosintelligence.com/vulnerability-roundup-may-1-2024/ ∗∗∗ Sonicwall: GMS ECM multiple vulnerabilities ∗∗∗ --------------------------------------------- CVE-2024-29010 - GMS ECM Policy XML External Entity Processing Information Disclosure Vulnerability. CVE-2024-29011 - GMS ECM Hard-Coded Credential Authentication Bypass Vulnerability. --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0007 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium and distro-info-data), Fedora (et, php-tcpdf, python-aiohttp, python-openapi-core, thunderbird, tpm2-tools, and tpm2-tss), Red Hat (nodejs:16 and podman), and Ubuntu (firefox). --------------------------------------------- https://lwn.net/Articles/972186/ ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (nghttp2 and qtbase-opensource-src), Mageia (cjson, freerdp, guava, krb5, libarchive, and mediawiki), Oracle (container-tools:4.0 and container-tools:ol8), Red Hat (bind, buildah, container-tools:3.0, container-tools:rhel8, expat, gnutls, golang, grafana, kernel, kernel-rt, libreswan, libvirt, linux-firmware, mod_http2, pcp, pcs, podman, python-jwcrypto, rhc-worker-script, shadow-utils, skopeo, sssd, tigervnc, unbound, and yajl), SUSE (kernel and python311), and Ubuntu (gerbv and node-json5). --------------------------------------------- https://lwn.net/Articles/972029/ ∗∗∗ Critical Vulnerabilities in Judge0 Lead to Sandbox Escape, Host Takeover ∗∗∗ --------------------------------------------- Three vulnerabilities in the Judge0 open source service could allow attackers to escape the sandbox and obtain root privileges on the host. --------------------------------------------- https://www.securityweek.com/critical-vulnerabilities-in-judge0-lead-to-san… ∗∗∗ Cisco IP Phone 6800, 7800, and 8800 Series with Multiplatform Firmware Vulnerabilities ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ F5: K000139430 : Linux kernel vulnerability CVE-2024-1086 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000139430 ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (April 22, 2024 to April 28, 2024) ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2024/05/wordfence-intelligence-weekly-wordpr… ∗∗∗ ZDI-24-419: (Pwn2Own) Xiaomi Pro 13 GetApps integral-dialog-page Cross-Site Scripting Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-419/ ∗∗∗ ZDI-24-418: (Pwn2Own) Xiaomi Pro 13 mimarket manual-upgrade Cross-Site Scripting Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-418/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ CyberPower PowerPanel ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-123-01 ∗∗∗ Delta Electronics DIAEnergie ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-123-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.04.2024
by Daily end-of-shift report 30 Apr '24

30 Apr '24

===================== = End-of-Day report = ===================== Timeframe: Montag 29-04-2024 18:00 − Dienstag 30-04-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Gefälschte SMS im Namen von Bundeskanzleramt ∗∗∗ --------------------------------------------- Vorsicht: Kriminelle geben sich als Bundeskanzleramt Österreich aus. In der SMS wird behauptet, dass eine Nachricht auf Sie wartet. Klicken Sie auf keinen Fall auf den Link, Sie werden auf eine gefälschte Webseite weitergeleitet. --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschte-sms-im-namen-von-bundesk… ∗∗∗ FBI warns of fake verification schemes targeting dating app users ∗∗∗ --------------------------------------------- The FBI is warning of fake verification schemes promoted by fraudsters on online dating platforms that lead to costly recurring subscription charges. [..] It starts with fraudsters approaching victims on a dating app or site and developing a romantic rapport. This lays the ground for requesting to take the conversation outside the platform onto a supposedly safer communications tool. At this stage, the fraudster sends a link to the victim that will take them to a seemingly legitimate verification platform where the victim will have to verify they're not a sexual offender. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fbi-warns-of-fake-verificati… ∗∗∗ Millions of Malicious Imageless Containers Planted on Docker Hub Over 5 Years ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered multiple campaigns targeting Docker Hub by planting millions of malicious "imageless" containers over the past five years, once again underscoring how open-source registries could pave the way for supply chain attacks. [..] Of the 4.79 million imageless Docker Hub repositories uncovered, 3.2 million of them are said to have been used as landing pages to redirect unsuspecting users to fraudulent sites as part of three broad campaigns. --------------------------------------------- https://thehackernews.com/2024/04/millions-of-malicious-imageless.html ∗∗∗ The Darkgate Menace: Leveraging Autohotkey & Attempt to Evade Smartscreen ∗∗∗ --------------------------------------------- McAfee Labs has recently uncovered a novel infection chain associated with DarkGate malware. This chain commences with an HTML-based entry point and progresses to exploit the AutoHotkey utility in its subsequent stages. --------------------------------------------- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/the-darkgate-menace-le… ∗∗∗ Chrome 124 macht TLS-Handshake kaputt ∗∗∗ --------------------------------------------- Google hat kürzlich seinen Google Chrome-Browser in der Version 124 veröffentlicht. Neben Schwachstellen haben die Entwickler auch etwas an der TLS-Verschlüsselung (X25519Kyber768-Schlüsselkapselung für TLS) geändert. Inzwischen gibt es aber Rückmeldungen von Nutzern, die sich darüber beklagen, dass diese Änderung das TLS-Handshake zu Webservern kaputt machen kann. Das betrifft auch auf Chromium basierende Browser wie den Edge 124. --------------------------------------------- https://www.borncity.com/blog/2024/04/30/chrome-124-macht-tls-handshake-kap… ∗∗∗ Google Play blockiert mehr als 2 Millionen Trojaner-Apps – Tendenz steigend ∗∗∗ --------------------------------------------- Dank strengerer Sicherheitschecks sperrte Google 2023 knapp 2,3 Millionen böse Apps aus. Trotz gesteigerter Bemühungen schlüpfen aber immer noch welche durch. --------------------------------------------- https://heise.de/-9703405 ∗∗∗ CISA Rolls Out New Guidelines to Mitigate AI Risks to US Critical Infrastructure ∗∗∗ --------------------------------------------- New CISA guidelines categorize AI risks into three significant types and pushes a four-part mitigation strategy. [..] The guidelines calls on management to act decisively on identified AI risks to enhance safety and security, ensuring that risk management controls are implemented and maintained to optimize the benefits of AI systems while minimizing adverse effects. --------------------------------------------- https://www.securityweek.com/cisa-rolls-out-new-guidelines-to-mitigate-ai-r… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (org-mode), Oracle (shim and tigervnc), Red Hat (ansible-core, avahi, buildah, container-tools:4.0, containernetworking-plugins, edk2, exfatprogs, fence-agents, file, freeglut, freerdp, frr, grub2, gstreamer1-plugins-bad-free, gstreamer1-plugins-base, gstreamer1-plugins-good, harfbuzz, httpd, ipa, kernel, libjpeg-turbo, libnbd, LibRaw, libsndfile, libssh, libtiff, libvirt, libX11, libXpm, mingw components, mingw-glib2, mingw-pixman, mod_http2, mod_jk and mod_proxy_cluster, motif, mutt, openssl and openssl-fips-provider, osbuild and osbuild-composer, pam, pcp, pcs, perl, pmix, podman, python-jinja2, python3.11, python3.11-cryptography, python3.11-urllib3, qemu-kvm, qt5-qtbase, runc, skopeo, squashfs-tools, systemd, tcpdump, tigervnc, toolbox, traceroute, webkit2gtk3, wpa_supplicant, xorg-x11-server, xorg-x11-server-Xwayland, and zziplib), SUSE (docker, ffmpeg, ffmpeg-4, frr, and kernel), and Ubuntu (anope, freerdp3, and php7.0, php7.2, php7.4, php8.1). --------------------------------------------- https://lwn.net/Articles/971740/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ ChromeOS: Long Term Support Channel Update for ChromeOS ∗∗∗ --------------------------------------------- http://chromereleases.googleblog.com/2024/04/long-term-support-channel-upda… ∗∗∗ [R1] Nessus Network Monitor 6.4.0 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2024-07 ∗∗∗ Delta Electronics CNCSoft-G2 DOPSoft ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/cybersecurity-advisories/icsa-24-121-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.04.2024
by Daily end-of-shift report 29 Apr '24

29 Apr '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 26-04-2024 18:00 − Montag 29-04-2024 18:01 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Winrar: Gefälschte Ausgaben unter Linux möglich und MotW-Probleme in Windows ∗∗∗ --------------------------------------------- Die Version 7.00 der Archiv-Software Winrar schließt auch Sicherheitslücken. Unter Linux lassen sich Ausgaben fälschen, in Windows MotW-Markierungen. [..] Winrar 7.00 wurde schon vor einigen Wochen veröffentlicht. --------------------------------------------- https://heise.de/-9701474 ∗∗∗ Okta warns of "unprecedented" credential stuffing attacks on customers ∗∗∗ --------------------------------------------- Okta warns of an "unprecedented" spike in credential stuffing attacks targeting its identity and access management solutions, with some customer accounts breached in the attacks. [..] Okta also provides in its advisory a list of more generic recommendations that can help mitigate the risk of account takover. --------------------------------------------- https://www.bleepingcomputer.com/news/security/okta-warns-of-unprecedented-… ∗∗∗ D-Link NAS Device Backdoor Abused, (Mon, Apr 29th) ∗∗∗ --------------------------------------------- End of March, NetworkSecurityFish disclosed a vulnerability in various D-Link NAS devices. The vulnerability allows access to the device using the user "messagebus" without credentials. [..] Initial exploit attempts were detected as soon as April 8th. The vulnerability is particularly dangerous as some affected devices are no longer supported by DLink, and no patch is expected to be released. --------------------------------------------- https://isc.sans.edu/diary/rss/30878 ∗∗∗ New R Programming Vulnerability Exposes Projects to Supply Chain Attacks ∗∗∗ --------------------------------------------- A security vulnerability has been discovered in the R programming language that could be exploited by a threat actor to create a malicious RDS (R Data Serialization) file such that it results in code execution when loaded and referenced. [..] The security defect has been addressed in version 4.4.0 released on April 24, 2024, following responsible disclosure. --------------------------------------------- https://thehackernews.com/2024/04/new-r-programming-vulnerability-exposes.h… ∗∗∗ Discord dismantles Spy.pet site that snooped on millions of users ∗∗∗ --------------------------------------------- The site, which has been slurping up public data on Discord users since November of last year, was outed to the world last week after it was discovered the platform contained messages belonging to nearly 620 million users from more than 14,000 Discord servers. Any and all of the data was available for a price – Spy.pet offered to help law enforcement, people spying on their friends, or even those training AI models. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2024/04/29/infosec_in_b… ∗∗∗ Google-Bewertungen entfernen lassen? Vorsicht vor entferno.at ∗∗∗ --------------------------------------------- entferno.at verspricht, Google-Rezensionen entfernen zu lassen – angeblich mit einer Erfolgsquote von 95 Prozent. Wer auf dieses Angebot eingeht, wird aber enttäuscht, denn trotz Bezahlung wurden in aktuellen Fällen keine Bewertungen gelöscht und auf schriftliche und telefonische Anfragen wurde nicht mehr reagiert. Das Geld ist weg! --------------------------------------------- https://www.watchlist-internet.at/news/google-bewertungen-entfernen-lassen-… ∗∗∗ From IcedID to Dagon Locker Ransomware in 29 Days ∗∗∗ --------------------------------------------- In August 2023, we observed an intrusion that started with a phishing campaign using PrometheusTDS to distribute IcedID. [..] This case had a TTR (time to ransomware) of 29 days. --------------------------------------------- https://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware… ∗∗∗ Britische Regierung verbietet Geräte mit schwachen Passwörtern ∗∗∗ --------------------------------------------- Unternehmen sind gesetzlich verpflichtet, ihre Geräte vor Cyberkriminellen zu schützen. Smartphones mit unsicheren Passwörtern müssen künftig gemeldet werden. --------------------------------------------- https://heise.de/-9702215 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (buildah, go-toolset:rhel8, golang, java-11-openjdk, java-21-openjdk, libreswan, thunderbird, and tigervnc), Debian (chromium, emacs, frr, mediawiki, ruby-rack, trafficserver, and zabbix), Fedora (chromium, grub2, python-idna, and python-reportlab), Mageia (chromium-browser-stable, firefox, opencryptoki, and thunderbird), Red Hat (container-tools:4.0, container-tools:rhel8, git-lfs, and shim), SUSE (frr, java-11-openjdk, java-1_8_0-openjdk, kernel, pdns-recursor, and shim), and Ubuntu (apache2, cpio, curl, glibc, gnutls28, less, libvirt, and pillow). --------------------------------------------- https://lwn.net/Articles/971487/ ∗∗∗ Qnap schließt NAS-Sicherheitslücken aus Hacker-Wettbewerb Pwn2Own ∗∗∗ --------------------------------------------- NAS-Modelle von Qnap sind verwundbar. Nun hat der Hersteller Sicherheitsupdates für das Betriebssystem und Apps veröffentlicht. --------------------------------------------- https://heise.de/-9701977 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.04.2024
by Daily end-of-shift report 26 Apr '24

26 Apr '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 25-04-2024 18:00 − Freitag 26-04-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ NIS2 – Richtlinie: Ein zweiter Blick auf den Text ∗∗∗ --------------------------------------------- Beim Schreiben unserer Stellungnahmen zum Entwurf des NISG 2024 habe ich mir die Paragrafen, die uns betreffen, genauer angesehen. Diesmal nicht mit dem Blickwinkel „macht das Sinn“, sondern mit Fokus auf die Formulierungen. Das erinnert mich ein bisschen an die Zeit, als ich bei der Erstellung von RFCs mitgearbeitet habe und da auch bei Reviews jedes Wort genau auf mögliche Fehldeutungen abgeklopft habe. Ich hatte beim Lesen drei Dokumente offen: den Gesetzesentwurf, die Richtlinie in der deutschen Version und auch die englische Fassung. Und viele der schlechten Formulierungen waren keine Erfindungen aus Wien, sondern wurden schon in Brüssel erfunden. Ich will das hier dokumentieren. --------------------------------------------- https://cert.at/de/blog/2024/4/nis2-formulierungen ∗∗∗ Researchers sinkhole PlugX malware server with 2.5 million unique IPs ∗∗∗ --------------------------------------------- Researchers have sinkholed a command and control server for a variant of the PlugX malware and observed in six months more than 2.5 million connections from unique IP addresses. [..] Sekoia has formulated two strategies to clean computers reaching their sinkhole and called for national cybersecurity teams and law enforcement agencies to join the disinfection effort. --------------------------------------------- https://www.bleepingcomputer.com/news/security/researchers-sinkhole-plugx-m… ∗∗∗ Per Brute Force: Schwachstelle beim GLS-Tracking legt Empfängeradressen offen ∗∗∗ --------------------------------------------- Durch einen fehlenden Brute-Force-Schutz ist es möglich gewesen, einer API von GLS genaue Adressdaten der Empfänger von GLS-Paketen zu entlocken. --------------------------------------------- https://www.golem.de/news/per-brute-force-schwachstelle-beim-gls-tracking-l… ∗∗∗ Per GPU geknackt: So sicher sind 8-Zeichen-Passwörter 2024 ∗∗∗ --------------------------------------------- Ein gutes Passwort sollte mindestens 8 Zeichen lang sein, lautet oftmals die Empfehlung. Neue Untersuchungen zeigen jedoch: Die Zeit ist reif für mehr. [..] Ein neuer Bericht des Cybersecurity-Unternehmens Hive Systems zeigt jedoch, dass sich 8-Zeichen-Passwörter je nach verwendetem Hashing-Algorithmus und verfügbarer GPU-Leistung inzwischen in einer überschaubaren Zeit knacken lassen. --------------------------------------------- https://www.golem.de/news/per-gpu-geknackt-so-sicher-sind-8-zeichen-passwoe… ∗∗∗ Fake-Rechnungen von firmenradar.com im Umlauf! ∗∗∗ --------------------------------------------- Unternehmen wenden sich derzeit an uns, weil sie Rechnungen erhalten und nicht wissen, wofür sie zahlen sollen. Die Rechnungen stammen von firmenradar.com, verlangt werden 899 Euro für einen „Platin-Eintrag“. Zahlen Sie nichts! Es handelt sich um Betrug. --------------------------------------------- https://www.watchlist-internet.at/news/fake-rechnungen-von-firmenradarcom-i… ∗∗∗ “Junk gun” ransomware: the cheap new threat to small businesses ∗∗∗ --------------------------------------------- A wave of cheap, crude, amateurish ransomware has been spotted on the dark web - and although it may not make as many headlines as LockBit, Rhysida, and BlackSuit, it still presents a serious threat to organizations. [..] "Junk gun" ransomware is appealing to a criminal who wants to operate independently but lacks technical skills. [..] A low entry barrier means potentially more ransomware attackers. --------------------------------------------- https://www.tripwire.com/state-of-security/junk-gun-ransomware-cheap-new-th… ∗∗∗ C-DATA Web Management System RCE Attack ∗∗∗ --------------------------------------------- FortiGuard Labs observed a critical level of attack attempts in the wild targeting a 2-year-old vulnerability found on C-DATA Web Management System. [..] The vulnerability CVE-2022-4257 allows a remote attacker to execute arbitrary commands on the target system. --------------------------------------------- https://fortiguard.fortinet.com/outbreak-alert/c-data-rce-attack ∗∗∗ Chinesische Tastatur-Apps haben Schwachstelle und verraten, was Nutzer tippen ∗∗∗ --------------------------------------------- Bereits im August 2023 stellten die Forscher des Citizen Lab fest, dass die beliebte Tastatur-App Sogou bei der Übertragung von Tastenanschlagsdaten an ihren Cloud-Server für bessere Tippvorhersagen keine Transport Layer Security (TLS) nutzte. Ohne TLS können Tastatureingaben jedoch von Dritten mitgeschnitten werden. Obwohl Sogou das Problem nach Bekanntwerden im letzten Jahr behoben hat, sind viele vorinstallierte Sogou-Tastaturen nicht auf dem neuesten Stand und können weiterhin abgehört werden. --------------------------------------------- https://heise.de/-9699644 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (knot-resolver, pdns-recursor, and putty), Fedora (xen), Mageia (editorconfig-core-c, glibc, mbedtls, webkit2, and wireshark), Oracle (buildah), Red Hat (buildah and yajl), Slackware (libarchive), SUSE (dcmtk, openCryptoki, php7, php74, php8, python-gunicorn, python-idna, qemu, and thunderbird), and Ubuntu (cryptojs, freerdp2, nghttp2, and zabbix). --------------------------------------------- https://lwn.net/Articles/971289/ ∗∗∗ QNAP Security Advisories 2024-04-26 ∗∗∗ --------------------------------------------- QNAP released 6 new security Advisories. --------------------------------------------- https://www.qnap.com/en-us/security-advisories ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Mattermost security updates 9.7.2 / 9.6.2 / 9.5.4 (ESR) / 8.1.13 (ESR) released ∗∗∗ --------------------------------------------- https://mattermost.com/blog/mattermost-security-updates-9-7-2-9-6-2-9-5-4-e… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.04.2024
by Daily end-of-shift report 25 Apr '24

25 Apr '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 24-04-2024 18:00 − Donnerstag 25-04-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ New Brokewell malware takes over Android devices, steals data ∗∗∗ --------------------------------------------- Security researchers have discovered a new Android banking trojan they named Brokewell that can capture every event on the device, from touches and information displayed to text input and the applications the user launches. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-brokewell-malware-takes-… ∗∗∗ Does it matter if iptables isnt running on my honeypot?, (Thu, Apr 25th) ∗∗∗ --------------------------------------------- I've been working on comparing data from different DShield honeypots to understand differences when the honeypots reside on different networks. --------------------------------------------- https://isc.sans.edu/diary/rss/30862 ∗∗∗ Sifting through the spines: identifying (potential) Cactus ransomware victims ∗∗∗ --------------------------------------------- This blog is part of a series written by various Dutch cyber security firms that have collaborated on the Cactus ransomware group, which exploits Qlik Sense servers for initial access. --------------------------------------------- https://research.nccgroup.com/2024/04/25/sifting-through-the-spines-identif… ∗∗∗ ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices ∗∗∗ --------------------------------------------- ArcaneDoor is a campaign that is the latest example of state-sponsored actors targeting perimeter network devices from multiple vendors. Coveted by these actors, perimeter network devices are the perfect intrusion point for espionage-focused campaigns. --------------------------------------------- https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaig… ∗∗∗ Talos IR trends: BEC attacks surge, while weaknesses in MFA persist ∗∗∗ --------------------------------------------- Within BEC attacks, adversaries will send phishing emails appearing to be from a known or reputable source making a valid request, such as updating payroll direct deposit information. --------------------------------------------- https://blog.talosintelligence.com/talos-ir-quarterly-trends-q1-2024/ ∗∗∗ Threat Bulletin – New variant of IDAT Loader ∗∗∗ --------------------------------------------- Morphisec has successfully identified and prevented a new variant of IDAT loader. --------------------------------------------- https://blog.morphisec.com/threat-bulletin-new-variant-idat-variant ∗∗∗ Ransomware Roundup - KageNoHitobito and DoNex ∗∗∗ --------------------------------------------- The KageNoHitobito and DoNex are recent ransomware that are financially motivated, demanding payment from victims to decrypt files. --------------------------------------------- https://feeds.fortinet.com/~/882489596/0/fortinet/blogs~Ransomware-Roundup-… ===================== = Vulnerabilities = ===================== ∗∗∗ Maximum severity Flowmon bug has a public exploit, patch now ∗∗∗ --------------------------------------------- Proof-of-concept exploit code has been released for a top-severity security vulnerability in Progress Flowmon, a tool for monitoring network performance and visibility. --------------------------------------------- https://www.bleepingcomputer.com/news/security/maximum-severity-flowmon-bug… ∗∗∗ WP Automatic WordPress plugin hit by millions of SQL injection attacks ∗∗∗ --------------------------------------------- Hackers have started to target a critical severity vulnerability in the WP Automatic plugin for WordPress to create user accounts with administrative privileges and to plant backdoors for long-term access. --------------------------------------------- https://www.bleepingcomputer.com/news/security/wp-automatic-wordpress-plugi… ∗∗∗ Über Zero-Day-Schwachstellen: Cisco-Firewalls werden seit Monaten attackiert ∗∗∗ --------------------------------------------- Eine zuvor unbekannte Hackergruppe nutzt mindestens seit November 2023 zwei Zero-Day-Schwachstellen in Cisco-Firewalls aus, um Netzwerke zu infiltrieren. --------------------------------------------- https://www.golem.de/news/ueber-zero-day-schwachstellen-cisco-firewalls-wer… ∗∗∗ Unter Windows: Schwachstelle in Virtualbox verleiht Angreifern Systemrechte ∗∗∗ --------------------------------------------- Zwei Forscher haben unabhängig voneinander eine Schwachstelle in Oracles Virtualbox entdeckt. Angreifer können damit auf Windows-Hosts ihre Rechte ausweiten. --------------------------------------------- https://www.golem.de/news/unter-windows-schwachstelle-in-virtualbox-verleih… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (curl, filezilla, flatpak, kubernetes, libfilezilla, thunderbird, and xen), Oracle (go-toolset:ol8, kernel, libreswan, shim, and tigervnc), Red Hat (buildah, gnutls, libreswan, tigervnc, and unbound), SUSE (cockpit-wicked, nrpe, and python-idna), and Ubuntu (dnsmasq, freerdp2, linux-azure-6.5, and thunderbird). --------------------------------------------- https://lwn.net/Articles/971140/ ∗∗∗ Vulnerabilities Expose Brocade SAN Appliances, Switches to Hacking ∗∗∗ --------------------------------------------- The Brocade SANnav management application is affected by multiple vulnerabilities, including a publicly available root password. --------------------------------------------- https://www.securityweek.com/vulnerabilities-expose-brocade-san-appliances-… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Cisco Security Advisories 2024-04-25 ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/publicationListing.x ∗∗∗ Multiple Vulnerabilities in Hitachi Energy RTU500 Series ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-116-01 ∗∗∗ Honeywell Experion PKS, Experion LX, PlantCruise by Experion, Safety Manager, Safety Manager SC ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-116-04 ∗∗∗ Hitachi Energy MACH SCM ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-116-02 ∗∗∗ PAN-SA-2024-0005 Informational Bulletin: Proof of Concept (PoC) Bypasses Protection Modules (Severity: NONE) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/PAN-SA-2024-0005 ∗∗∗ PAN-SA-2024-0005 Informational Bulletin: Proof of Concept (PoC) Bypasses Protection Modules in Cortex XDR Agent (Severity: NONE) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/PAN-SA-2024-0005 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.04.2024
by Daily end-of-shift report 24 Apr '24

24 Apr '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 23-04-2024 18:00 − Mittwoch 24-04-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Microsoft pulls fix for Outlook bug behind ICS security alerts ∗∗∗ --------------------------------------------- Microsoft reversed the fix for an Outlook bug causing erroneous security warnings after installing December 2023 security updates. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-pulls-fix-for-out… ∗∗∗ Assessing the Y, and How, of the XZ Utils incident ∗∗∗ --------------------------------------------- In this article we analyze social engineering aspects of the XZ backdoor incident. Namely pressuring the XZ maintainer to pass on the project to Jia Cheong Tan, and then urging major downstream maintainers to commit the backdoored code to their projects. --------------------------------------------- https://securelist.com/xz-backdoor-story-part-2-social-engineering/112476/ ∗∗∗ Researchers Detail Multistage Attack Hijacking Systems with SSLoad, Cobalt Strike ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered an ongoing attack campaign thats leveraging phishing emails to deliver malware called SSLoad. --------------------------------------------- https://thehackernews.com/2024/04/researchers-detail-multistage-attack.html ∗∗∗ Decrypting FortiOS 7.0.x ∗∗∗ --------------------------------------------- Decrypting Fortinet’s FortiGate FortiOS firmware is a topic that has been thoroughly covered, in part because of the many variants and permutations of FortiOS firmware, all differing based on hardware architecture and versioning. --------------------------------------------- https://www.labs.greynoise.io/grimoire/2024-04-23-decrypting-fortios/ ∗∗∗ New Password Cracking Analysis Targets Bcrypt ∗∗∗ --------------------------------------------- Hive Systems conducts another study on cracking passwords via brute-force attacks, but it’s no longer targeting MD5. --------------------------------------------- https://www.securityweek.com/new-password-cracking-analysis-targets-bcrypt/ ∗∗∗ Musiker:innen aufgepasst: Spam-Mails versprechen wertvolles Piano ∗∗∗ --------------------------------------------- Musiker:innen und insbesondere Pianist:innen müssen sich aktuell vor betrügerischen E-Mails in Acht nehmen, in denen ihnen ein teures Piano versprochen wird. Kriminelle geben sich als Witwe aus und suchen nach Abnehmer:innen für teure Instrumente wie beispielsweise wie das Yamaha Baby Grand Piano ihres verstorbenen Ehemanns. --------------------------------------------- https://www.watchlist-internet.at/news/musikerinnen-aufgepasst-spam-mails-v… ∗∗∗ Windows-Frage: Wo speichert Bitlocker den Recovery-Key? ∗∗∗ --------------------------------------------- Bitlocker, das "unbekannte Wesen" möchte ich mal den Blog-Beitrag umschreiben. Es geht um die Frage, wo die Windows-Funktion Bitlocker eigentlich den Recovery-Key, der immer mal wieder gebraucht wird, überhaupt speichert. --------------------------------------------- https://www.borncity.com/blog/2024/04/24/windows-frage-wo-speichert-bitlock… ∗∗∗ Exchange Server April 2024 Hotfix-Updates (24. April 2024) ∗∗∗ --------------------------------------------- Microsoft hat zum 24. April Hotfix-Updates (HU) für Exchange Server 2016 und 2019 veröffentlicht. Diese Hotfix-Updates bieten Unterstützung für neue Funktionen und sollen Probleme, die durch das März 2024 Security Update (SU) hervorgerufen wurden, beheben. --------------------------------------------- https://www.borncity.com/blog/2024/04/24/exchange-server-april-2024-hotfix-… ∗∗∗ Distribution of Infostealer Made With Electron ∗∗∗ --------------------------------------------- AhnLab SEcurity intelligence Center (ASEC) has discovered an Infostealer strain made with Electron. --------------------------------------------- https://asec.ahnlab.com/en/64445/ ===================== = Vulnerabilities = ===================== ∗∗∗ Grafana backend sql injection affected all version ∗∗∗ --------------------------------------------- To exploit this sql injection vulnerability, someone must use a valid account login to the grafana web backend, then send malicious POST request to /api/ds/query “rawSql” entry. --------------------------------------------- https://fdlucifer.github.io/2024/04/22/grafana-sql-injection/ ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (abseil-cpp, chromium, filezilla, libfilezilla, and xorg-x11-server-Xwayland), Oracle (firefox, gnutls, golang, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-21-openjdk, kernel, libreswan, mod_http2, owO: thunderbird, and thunderbird), Red Hat (container-tools:rhel8, gnutls, grub2, kernel, kernel-rt, less, linux-firmware, opencryptoki, pcs, postgresql-jdbc, and thunderbird), Slackware (ruby), SUSE (kubernetes1.23, kubernetes1.24, [...] --------------------------------------------- https://lwn.net/Articles/971004/ ∗∗∗ Google Patches Critical Chrome Vulnerability ∗∗∗ --------------------------------------------- Google patches CVE-2024-4058, a critical Chrome vulnerability for which researchers earned a $16,000 reward. --------------------------------------------- https://www.securityweek.com/google-patches-critical-chrome-vulnerability/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Security Advisory - Connection Hijacking Vulnerability in Some Huawei Home Routers ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2024/huawei-sa-chvishhr-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.04.2024
by Daily end-of-shift report 23 Apr '24

23 Apr '24

===================== = End-of-Day report = ===================== Timeframe: Montag 22-04-2024 18:00 − Dienstag 23-04-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Analyzing Forest Blizzard’s custom post-compromise tool for exploiting CVE-2022-38028 to obtain credentials ∗∗∗ --------------------------------------------- Since 2019, Forest Blizzard has used a custom post-compromise tool to exploit a vulnerability in the Windows Print Spooler service that allows elevated permissions. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-b… ∗∗∗ Struts "devmode": Still a problem ten years later?, (Tue, Apr 23rd) ∗∗∗ --------------------------------------------- Like many similar frameworks and languages, Struts 2 has a "developer mode" (devmode) offering additional features to aid debugging. Error messages will be more verbose, and the devmode includes an OGNL console. OGNL, the Object-Graph Navigation Language, can interact with Java, but in the end, executing OGNL results in arbitrary code execution. --------------------------------------------- https://isc.sans.edu/diary/rss/30866 ∗∗∗ An Analysis of the DHEat DoS Against SSH in Cloud Environments ∗∗∗ --------------------------------------------- The DHEat attack remains viable against most SSH installations, as default settings are inadequate at deflecting it. Very little bandwidth is needed to cause a dramatic effect on targets, including those with a high degree of resources. --------------------------------------------- https://www.positronsecurity.com/blog/2024-04-23-an-analysis-of-dheat-dos-a… ∗∗∗ Neu auf Vinted? Scannen Sie keinen QR-Code! ∗∗∗ --------------------------------------------- Vorsicht! Kriminelle kontaktieren gezielt neue Vinted-Nutzer:innen. Sie geben vor, den Artikel kaufen zu wollen und schicken einen QR-Code. Der QR-Code führt jedoch zu einer gefälschten Zahlungsseite von Vinted. Dort erfragen die Kriminellen Ihre Bankdaten und versuchen Ihnen Geld zu stehlen. --------------------------------------------- https://www.watchlist-internet.at/news/neu-auf-vinted-scannen-sie-keinen-qr… ∗∗∗ Suspected CoralRaider continues to expand victimology using three information stealers ∗∗∗ --------------------------------------------- Cisco Talos discovered a new ongoing campaign since at least February 2024, operated by a threat actor distributing three famous infostealer malware, including Cryptbot, LummaC2 and Rhadamanthys. --------------------------------------------- https://blog.talosintelligence.com/suspected-coralraider-continues-to-expan… ∗∗∗ GuptiMiner: Hijacking Antivirus Updates for Distributing Backdoors and Casual Mining ∗∗∗ --------------------------------------------- Avast discovered and analyzed GuptiMiner, a malware campaign hijacking an eScan antivirus update mechanism to distribute backdoors and coinminers. --------------------------------------------- https://decoded.avast.io/janrubin/guptiminer-hijacking-antivirus-updates-fo… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (glibc and samba), Fedora (chromium, cjson, mingw-python-idna, and pgadmin4), Mageia (kernel, kmod-xtables-addons, kmod-virtualbox, kernel-linus, and perl-Clipboard), Red Hat (go-toolset:rhel8, golang, java-11-openjdk, kpatch-patch, and shim), Slackware (freerdp), SUSE (apache-commons-configuration, glibc, jasper, polkit, and qemu), and Ubuntu (google-guest-agent, google-osconfig-agent, linux-lowlatency-hwe-6.5, pillow, and squid). --------------------------------------------- https://lwn.net/Articles/970889/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Welotec: Clickjacking Vulnerability in WebUI ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2024-023/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.04.2024
by Daily end-of-shift report 22 Apr '24

22 Apr '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 19-04-2024 18:00 − Montag 22-04-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Double Agents and User Agents: Navigating the Realm of Malicious Python Packages ∗∗∗ --------------------------------------------- Have you ever encountered the term double agent? Recently, weve had the opportunity to revisit this concept in Austria. Setting aside real-world affairs for prosecutors and journalists, let’s explore what this term means in the digital world as I continue my journey tracking malicious Python packages. --------------------------------------------- https://cert.at/en/blog/2024/4/double-agents-and-user-agents-navigating-the… ∗∗∗ Palo Alto Networks Discloses More Details on Critical PAN-OS Flaw Under Attack ∗∗∗ --------------------------------------------- Palo Alto Networks has shared more details of a critical security flaw impacting PAN-OS that has come under active exploitation in the wild by malicious actors. The company described the vulnerability, tracked as CVE-2024-3400 (CVSS score: 10.0), as "intricate" and a combination of two bugs in versions PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 of the software. --------------------------------------------- https://thehackernews.com/2024/04/palo-alto-networks-discloses-more.html ∗∗∗ Research Shows How Attackers Can Abuse EDR Security Products ∗∗∗ --------------------------------------------- Vulnerabilities in Palo Alto Networks Cortex XDR allowed a security researcher to turn it into a malicious offensive tool. --------------------------------------------- https://www.securityweek.com/research-shows-how-attackers-can-abuse-edr-sec… ∗∗∗ HelloKitty ransomware rebrands, releases CD Projekt and Cisco data ∗∗∗ --------------------------------------------- The Cisco entry on the data leak site contains a list of NTLM (NT LAN Manager) hashes (encrypted account passwords) supposedly extracted during a security breach. Cisco previously admitted in 2022 that it had been hacked by the Yanluowang ransomware group, an incident allegedly limited to the theft of non-sensitive data from a single compromised account. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hellokitty-ransomware-rebran… ∗∗∗ GitLab affected by GitHub-style CDN flaw allowing malware hosting ∗∗∗ --------------------------------------------- BleepingComputer recently reported how a GitHub flaw, or possibly a design decision, is being abused by threat actors to distribute malware using URLs associated with Microsoft repositories, making the files appear trustworthy. It turns out, GitLab is also affected by this issue and could be abused in a similar fashion. --------------------------------------------- https://www.bleepingcomputer.com/news/security/gitlab-affected-by-github-st… ∗∗∗ Sicherheitslücke aufgedeckt: Forscher knackt Cisco-Appliance und zockt Doom ∗∗∗ --------------------------------------------- Mit einem eigens entwickelten Exploit-Toolkit hat er sich auf dem BMC einer Cisco ESA C195 einen Root-Zugriff verschafft. [..] Um auf der C195 Doom auszuführen, reicht CVE-2024-20356 allein allerdings nicht aus. Thacker nahm zuerst diverse Modifikationen am Bios der Cisco ESA vor und verschaffte sich erst danach mit Ciscown über das Netzwerk einen Root-Zugriff auf den BMC. [..] Eine Liste der Systeme, die in der Standardkonfiguration anfällig sind, ist im Sicherheitshinweis von Cisco zu finden – ebenso wie die jeweiligen Systemversionen, die einen Patch beinhalten. --------------------------------------------- https://www.golem.de/news/sicherheitsluecke-aufgedeckt-forscher-knackt-cisc… ∗∗∗ ToddyCat is making holes in your infrastructure ∗∗∗ --------------------------------------------- We continue to report on the APT group ToddyCat. This time, we’ll talk about traffic tunneling, constant access to a target infrastructure and data extraction from hosts. --------------------------------------------- https://securelist.com/toddycat-traffic-tunneling-data-extraction-tools/112… ∗∗∗ Vorsicht vor Jobangeboten per WhatsApp, SMS oder Telegram ∗∗∗ --------------------------------------------- Die Betrugsmasche beginnt direkt auf Ihrem Smartphone: Sie bekommen auf WhatsApp, Telegram oder einen anderen Messenger eine Nachricht von einer Jobvermittlung. Ihnen wird ein Nebenjob mit flexibler Zeiteinteilung angeboten. Ihre Aufgabe ist es, Hotels, Online-Shops oder andere Dienstleistungen zu bewerten oder zu testen. Angeblich kann man damit zwischen 300 und 1000 Euro pro Tag verdienen. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-jobangeboten-per-whatsa… ∗∗∗ NATO-Cyberübung "Locked Shields": Phishing verhindern, Container verteidigen ∗∗∗ --------------------------------------------- Das Cybersicherheitszentrum der NATO bittet zur Großübung. Sie simuliert, wie kritische Infrastruktur vor digitalen Angriffen geschützt werden kann. --------------------------------------------- https://heise.de/-9691854 ===================== = Vulnerabilities = ===================== ∗∗∗ Critical Forminator plugin flaw impacts over 300k WordPress sites ∗∗∗ --------------------------------------------- On Thursday, Japan's CERT published an alert on its vulnerability notes portal (JVN) warning about the existence of a critical severity flaw (CVE-2024-28890, CVSS v3: 9.8) in Forminator that may allow a remote attacker to upload malware on sites using the plugin. --------------------------------------------- https://www.bleepingcomputer.com/news/security/critical-forminator-plugin-f… ∗∗∗ Siemens: SSA-750274 V1.0: Impact of CVE-2024-3400 on RUGGEDCOM APE1808 devices configured with Palo Alto Networks Virtual NGFW ∗∗∗ --------------------------------------------- Palo Alto Networks has published information on CVE-2024-3400 in PAN-OS. This advisory addresses Siemens Industrial products affected by this vulnerability. --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-750274.html ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (firefox and java-1.8.0-openjdk), Debian (chromium, flatpak, guix, openjdk-11, openjdk-17, thunderbird, and tomcat9), Fedora (chromium, firefox, glibc, nghttp2, nodejs18, python-aiohttp, python-django3, python-pip, and uxplay), Mageia (putty & filezilla), Red Hat (Firefox, firefox, java-1.8.0-openjdk, java-21-openjdk, nodejs:18, shim, and thunderbird), Slackware (freerdp), SUSE (apache-commons-configuration2, nodejs14, perl-CryptX, putty, shim, and wireshark), and Ubuntu (linux, linux-aws, linux-aws-5.15, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-lowlatency-hwe-5.15, linux-oracle, linux-oracle-5.15, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-6.5, linux-azure, linux-gcp, linux-gcp-6.5, linux-hwe-6.5, linux-laptop, linux-lowlatency, linux-nvidia-6.5, linux-oem-6.5, linux-oracle, linux-oracle-6.5, linux-raspi, linux-starfive, linux-starfive-6.5, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux, linux-aws, linux-kvm, linux-lts-xenial, lxd, percona-xtrabackup, and pillow). --------------------------------------------- https://lwn.net/Articles/970793/ ∗∗∗ Jetzt patchen! Attacken auf Dateiübertragungsserver CrushFTP beobachtet ∗∗∗ --------------------------------------------- Der Anbieter der Dateiübertragungsserversoftware CrushFTP warnt vor einer Sicherheitslücke, die Angreifer Sicherheitsforschern zufolge bereits ausnutzen. Dagegen gerüstete Versionen stehen zum Download bereit. Aus einer Sicherheitswarnung geht hervor, dass die Ausgaben 10.7.1 und 11.1.0 gegen die Angriffe gerüstet sind. --------------------------------------------- https://heise.de/-9693009 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Mozilla: Security Vulnerabilities fixed in Thunderbird 115.10 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2024-20/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.04.2024
by Daily end-of-shift report 19 Apr '24

19 Apr '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 18-04-2024 18:02 − Freitag 19-04-2024 18:02 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Google ad impersonates Whales Market to push wallet drainer malware ∗∗∗ --------------------------------------------- A legitimate-looking Google Search advertisement for the crypto trading platform Whales Market redirects visitors to a wallet-draining phishing site that steals all of your assets. --------------------------------------------- https://www.bleepingcomputer.com/news/security/google-ad-impersonates-whale… ∗∗∗ Fake cheat lures gamers into spreading infostealer malware ∗∗∗ --------------------------------------------- A new info-stealing malware linked to Redline poses as a game cheat called Cheat Lab, promising downloaders a free copy if they convince their friends to install it too. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fake-cheat-lures-gamers-into… ∗∗∗ SAP Applications Increasingly in Attacker Crosshairs, Report Shows ∗∗∗ --------------------------------------------- Malicious hackers are targeting SAP applications at an alarming pace, according to warnings from Onapsis and Flashpoint. --------------------------------------------- https://www.securityweek.com/sap-applications-increasingly-in-attacker-cros… ∗∗∗ Erneut Phishing-Mails im Namen der ÖGK im Umlauf! ∗∗∗ --------------------------------------------- Derzeit erreichen uns wieder zahlreiche Meldungen über betrügerische Nachrichten, die im Namen der Österreichischen Gesundheitskasse ÖGK versendet werden. Darin wird Ihnen vorgegaukelt, dass Sie eine Rückerstattung von 150,95 Euro erhalten. --------------------------------------------- https://www.watchlist-internet.at/news/erneut-phishing-mails-im-namen-der-o… ∗∗∗ #StopRansomware: Akira Ransomware ∗∗∗ --------------------------------------------- The United States’ Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Europol’s European Cybercrime Centre (EC3), and the Netherlands’ National Cyber Security Centre (NCSC-NL) are releasing this joint CSA to disseminate known Akira ransomware IOCs and TTPs identified through FBI investigations and trusted third party reporting as recently as February 2024. --------------------------------------------- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-109a ∗∗∗ "iMessage abschalten": Warnung vor angeblichem Exploit verunsichert Nutzer ∗∗∗ --------------------------------------------- Ein bekanntes Krypto-Wallet warnt iOS-Nutzer vor einem "hochriskanten Zero-Day-Exploit für iMessage". Der angebliche Exploit könnte aber ein Scam sein. --------------------------------------------- https://heise.de/-9690778 ∗∗∗ DDoS-Plattform von internationalen Strafverfolgern abgeschaltet ∗∗∗ --------------------------------------------- Internationale Strafverfolger haben eine DDoS-as-a-service-Plattform abgeschaltet und die Domain beschlagnahmt. --------------------------------------------- https://heise.de/-9691053 ∗∗∗ Ionos-Phishing: Masche mit neuen EU-Richtlinien soll Opfer überzeugen ∗∗∗ --------------------------------------------- Das Phishingradar warnt vor einer Phishing-Masche, bei der Ionos-Kunden angeblich zu neuen EU-Richtlinien zustimmen müssen. --------------------------------------------- https://heise.de/-9691259 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (gnutls, java-17-openjdk, mod_http2, and squid), Debian (firefox-esr), Fedora (editorconfig, perl-Clipboard, php, rust, and wordpress), Mageia (less, libreswan, puppet, and x11-server, x11-server-xwayland, and tigervnc), Slackware (aaa_glibc), and SUSE (firefox, graphviz, kernel, nodejs12, pgadmin4, tomcat, and wireshark). --------------------------------------------- https://lwn.net/Articles/970508/ ∗∗∗ FIDO2-Sticks: Lücke in Yubikey-Verwaltungssoftware erlaubt Rechteausweitung ∗∗∗ --------------------------------------------- Um die FIDO2-Sticks von Yubikey zu verwalten, stellt der Hersteller eine Software bereit. Eine Lücke darin ermöglicht die Ausweitung der Rechte. --------------------------------------------- https://heise.de/-9690597 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily