=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 17-04-2024 18:00 − Thursday 18-04-2024 18:02
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ CERT.at's statement on the NISG 2024 ∗∗∗
---------------------------------------------
The EU adopted the NIS2 Directive at the end of 2022, which gives the EU member states until autumn 2024 to transpose it into national law. A draft of this law is now available, and we have looked closely at how the points that affect us as the national CSIRT have been implemented. In doing so we noticed several places where we see clear and simple potential for improvement.
---------------------------------------------
https://cert.at/de/blog/2024/4/nisg2024-stellungnahme
∗∗∗ Hackers hijack OpenMetadata apps in Kubernetes cryptomining attacks ∗∗∗
---------------------------------------------
Microsoft, which first spotted the attacks, says the five flaws have been actively exploited since early April to hijack Internet-exposed OpenMetadata workloads left unpatched. [..] The security vulnerabilities exploited in these attacks (CVE-2024-28255, CVE-2024-28847, CVE-2024-28253, CVE-2024-28848, and CVE-2024-28254) were patched one month ago, on March 15, in OpenMetadata versions 1.2.4 and 1.3.1.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-hijack-openmetadata-…
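The practical question behind this item is whether any OpenMetadata server in your own clusters still runs a release older than the fixed ones. The following is an added example, not code from the article or from the OpenMetadata project: it takes a pod/image inventory (constructed here, in the shape kubectl can print) and flags server images below 1.2.4, or on the 1.3 line below 1.3.1. That the image is published under a repository path ending in "openmetadata/server" is an assumption of this example.

```python
# Added example (not from the BleepingComputer article or the OpenMetadata
# project): given the container images running in a cluster, flag OpenMetadata
# server images older than the fixed releases named above (1.2.4 and 1.3.1).
# Assumptions, not taken from the article: the server image lives under a
# repository path ending in "openmetadata/server", and any version below 1.2.4,
# or on the 1.3 line below 1.3.1, is unpatched.
import re

FIXED = {(1, 2): (1, 2, 4), (1, 3): (1, 3, 1)}   # minor line -> first fixed release
IMAGE_RE = re.compile(r"(?:^|/)openmetadata/server:(?P<tag>[^@\s]+)$")

# Constructed pod inventory, one pod per line followed by its container images,
# in the shape produced by
#   kubectl get pods -A -o jsonpath='{range .items[*]}{.metadata.namespace}/{.metadata.name}{" "}{range .spec.containers[*]}{.image}{" "}{end}{"\n"}{end}'
SAMPLE_INVENTORY = """\
metadata/openmetadata-0 docker.getcollate.io/openmetadata/server:1.2.3
metadata/openmetadata-ingestion-0 docker.getcollate.io/openmetadata/ingestion:1.2.3
analytics/openmetadata-7c9f openmetadata/server:1.3.0
analytics/openmetadata-new openmetadata/server:1.3.1
dev/om openmetadata/server:1.1.5
dev/om-latest openmetadata/server:latest
web/frontend nginx:1.25
"""

def parse_version(tag):
    """'1.2.3' or 'v1.2.3' -> (1, 2, 3); None for tags that are not X.Y.Z."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", tag)
    return tuple(int(x) for x in m.groups()) if m else None

def is_patched(version):
    """Patched if at or above the fix release on its own minor line, or on a
    minor line newer than any line that received a fix."""
    line = version[:2]
    if line in FIXED:
        return version >= FIXED[line]
    return line > max(FIXED)

def vulnerable_workloads(inventory):
    """Return [(pod, image, reason)] for OpenMetadata server images that are
    unpatched or whose tag cannot be evaluated (for example 'latest')."""
    out = []
    for line in inventory.splitlines():
        fields = line.split()
        if not fields:
            continue
        pod, images = fields[0], fields[1:]
        for image in images:
            m = IMAGE_RE.search(image)
            if not m:
                continue
            version = parse_version(m["tag"])
            if version is None:
                out.append((pod, image, "unpinned or non-semver tag, verify manually"))
            elif not is_patched(version):
                out.append((pod, image, "unpatched (fixed in 1.2.4 / 1.3.1)"))
    return out

if __name__ == "__main__":
    for pod, image, reason in vulnerable_workloads(SAMPLE_INVENTORY):
        print(f"{pod}: {image} -> {reason}")
```

Images pinned by digest rather than tag are not matched by the pattern above and need a separate lookup; an unpinned "latest" tag is reported rather than assumed fixed, because the tag says nothing about what the node actually pulled.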
∗∗∗ Cybercriminals pose as LastPass staff to hack password vaults ∗∗∗
---------------------------------------------
The attacker combines multiple social engineering techniques that involve contacting the potential victim (voice phishing) and pretending to be a LastPass employee trying to help with securing the account following unauthorized access.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cybercriminals-pose-as-lastp…
∗∗∗ With a CVE description: GPT-4 can exploit known vulnerabilities on its own ∗∗∗
---------------------------------------------
Researchers have found that GPT-4 can successfully exploit 13 of 15 vulnerabilities using only the associated vulnerability descriptions.
---------------------------------------------
https://www.golem.de/news/mit-cve-beschreibung-gpt-4-kann-eigenstaendig-bek…
∗∗∗ Malicious Google Ads Pushing Fake IP Scanner Software with Hidden Backdoor ∗∗∗
---------------------------------------------
A new Google malvertising campaign is leveraging a cluster of domains mimicking a legitimate IP scanner software to deliver a previously unknown backdoor dubbed MadMxShell. "The threat actor registered multiple look-alike domains using a typosquatting technique and leveraged Google Ads to push these domains to the top of search engine results targeting specific search keywords, thereby luring victims to visit these sites," Zscaler ThreatLabz researchers Roy Tay and Sudeep Singh said.
---------------------------------------------
https://thehackernews.com/2024/04/malicious-google-ads-pushing-fake-ip.html
∗∗∗ Redline Stealer: A Novel Approach ∗∗∗
---------------------------------------------
A new packed variant of the Redline Stealer trojan was observed in the wild, leveraging Lua bytecode to perform malicious behavior. [..] In this blog, we saw the various techniques threat actors use to infiltrate user systems and exfiltrate their data.
---------------------------------------------
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/redline-stealer-a-nove…
∗∗∗ Analysis of Pupy RAT Used in Attacks Against Linux Systems ∗∗∗
---------------------------------------------
Pupy is a RAT malware strain that offers cross-platform support. Because it is an open-source program published on GitHub, it is continuously being used by various threat actors including APT groups.
---------------------------------------------
https://asec.ahnlab.com/en/64258/
∗∗∗ Kapeka: novel malware from Russia? ∗∗∗
---------------------------------------------
Reports of a novel "Kapeka" malware are appearing everywhere. It is, however, not new at all and has not been active for almost a year. [..] Describing the discovery of the malware as a "major blow against Russia", as a WithSecure spokesperson was quoted by the press agency dpa, looks more like a PR manoeuvre. After all, Kapeka has not been seen in the wild since the middle of last year, without any intervention by malware hunters.
---------------------------------------------
https://heise.de/-9688970
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr, jetty9, libdatetime-timezone-perl, tomcat10, and tzdata), Fedora (cockpit, filezilla, and libfilezilla), Red Hat (firefox, gnutls, java-1.8.0-openjdk, java-17-openjdk, kernel, kernel-rt, less, mod_http2, nodejs:18, rhc-worker-script, and shim), Slackware (mozilla), SUSE (kernel), and Ubuntu (apache2, glibc, and linux-xilinx-zynqmp).
---------------------------------------------
https://lwn.net/Articles/970324/
∗∗∗ Update for SolarWinds FTP server Serv-U closes high-risk vulnerability ∗∗∗
---------------------------------------------
SolarWinds' Serv-U FTP server contains a vulnerability rated as high risk. The vendor closes it with an update.
---------------------------------------------
https://heise.de/-9689092
∗∗∗ Patch now! Root attacks on Cisco IMC may be imminent ∗∗∗
---------------------------------------------
Important security updates have been released for Cisco Integrated Management Controller and IOS. Exploit code is in circulation.
---------------------------------------------
https://heise.de/-9689086
∗∗∗ Cisco Integrated Management Controller Web-Based Management Interface Command Injection Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco IOS and IOS XE Software SNMP Extended Named Access Control List Bypass Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Integrated Management Controller CLI Command Injection Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (April 8, 2024 to April 14, 2024) ∗∗∗
---------------------------------------------
https://www.wordfence.com/blog/2024/04/wordfence-intelligence-weekly-wordpr…
∗∗∗ Unitronics Vision Series PLCs ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-109-01
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 16-04-2024 18:00 − Wednesday 17-04-2024 18:00
Handler: Alexander Riepl
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ SoumniBot: the new Android banker’s unique techniques ∗∗∗
---------------------------------------------
We review the new mobile Trojan banker SoumniBot, which exploits bugs in the Android manifest parser to dodge analysis and detection.
---------------------------------------------
https://securelist.com/soumnibot-android-banker-obfuscates-app-manifest/112…
∗∗∗ Malicious PDF File Used As Delivery Mechanism, (Wed, Apr 17th) ∗∗∗
---------------------------------------------
Billions of PDF files are exchanged daily and many people trust them because they think the file is "read-only" and contains just "a bunch of data". In the past, badly crafted PDF files could trigger nasty vulnerabilities in PDF viewers.
---------------------------------------------
https://isc.sans.edu/diary/rss/30848
∗∗∗ Critical Atlassian Flaw Exploited to Deploy Linux Variant of Cerber Ransomware ∗∗∗
---------------------------------------------
Threat actors are exploiting unpatched Atlassian servers to deploy a Linux variant of Cerber (aka C3RB3R) ransomware. The attacks leverage CVE-2023-22518 (CVSS score: 9.1), a critical security vulnerability impacting the Atlassian Confluence Data Center and Server that allows an unauthenticated attacker to reset Confluence and create an administrator account.
---------------------------------------------
https://thehackernews.com/2024/04/critical-atlassian-flaw-exploited-to.html
∗∗∗ Hackers Exploit Fortinet Flaw, Deploy ScreenConnect, Metasploit in New Campaign ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered a new campaign that's exploiting a recently disclosed security flaw in Fortinet FortiClient EMS devices to deliver ScreenConnect and Metasploit Powerfun payloads.
---------------------------------------------
https://thehackernews.com/2024/04/hackers-exploit-fortinet-flaw-deploy.html
∗∗∗ New phishing scheme: fake postal letters ∗∗∗
---------------------------------------------
Police are warning of an increase in phishing cases in Styria. Unknown perpetrators placed fake postal delivery notices carrying QR codes in letterboxes. These are meant to lure victims to a fake website and harvest their personal data.
---------------------------------------------
https://steiermark.orf.at/stories/3253261/
∗∗∗ Beware of dubious ticket offers for UEFA EURO 2024 in Germany! ∗∗∗
---------------------------------------------
Football fans, take note: if you are still looking for tickets to the European Championship stadiums for EURO 2024, you need to watch out for fraudulent and dubious offers.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-ticketangebote-euro2024/
∗∗∗ OfflRouter virus causes Ukrainian users to upload confidential documents to VirusTotal ∗∗∗
---------------------------------------------
The documents contained malicious VBA code, indicating they may be used as lures to infect organizations.
---------------------------------------------
https://blog.talosintelligence.com/offlrouter-virus-causes-upload-confident…
=====================
= Vulnerabilities =
=====================
∗∗∗ Ivanti warns of critical flaws in its Avalanche MDM solution ∗∗∗
---------------------------------------------
Ivanti has released security updates to fix 27 vulnerabilities in its Avalanche mobile device management (MDM) solution, two of them critical heap overflows that can be exploited for remote command execution.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ivanti-warns-of-critical-fla…
∗∗∗ VU#253266: Keras 2 Lambda Layers Allow Arbitrary Code Injection in TensorFlow Models ∗∗∗
---------------------------------------------
Lambda Layers in third party TensorFlow-based Keras models allow attackers to inject arbitrary code into versions built prior to Keras 2.13 that may then unsafely run with the same permissions as the running application.
---------------------------------------------
https://kb.cert.org/vuls/id/253266
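The note above describes the failure mode: a third-party model file carries a Lambda layer whose serialized Python function runs with the loading application's privileges. A pre-load inventory check is the control a practitioner wants. The following is an added example, not code from CERT/CC or from Keras: it walks a Keras 2 architecture description (the JSON that model.to_json() produces and that the HDF5 format stores as "model_config") and reports every Lambda layer, including ones inside nested Functional or Sequential submodels, without importing Keras or deserializing anything. The sample model JSON is constructed; the "function" payload is a placeholder standing in for the marshaled bytecode a real model would carry.

```python
# Added example (not from the CERT/CC note or the Keras project): walk a Keras 2
# model config and report Lambda layers before the model is deserialized. The
# architecture is JSON; each layer entry carries "class_name", and a Lambda
# layer carries a serialized Python function in its config.
import json

# Constructed model JSON: a Sequential model with a Lambda layer and a nested
# Functional submodel that hides a second one. The "function" payload is a
# placeholder; real models carry marshaled bytecode here.
SAMPLE_MODEL_JSON = json.dumps({
    "class_name": "Sequential",
    "config": {
        "name": "sequential",
        "layers": [
            {"class_name": "InputLayer", "config": {"name": "input_1"}},
            {"class_name": "Dense", "config": {"name": "dense", "units": 8}},
            {"class_name": "Lambda", "config": {
                "name": "lambda_1",
                "function": ["<marshaled-bytecode-placeholder>", None, None]}},
            {"class_name": "Functional", "config": {
                "name": "inner",
                "layers": [
                    {"class_name": "Lambda", "config": {
                        "name": "lambda_nested",
                        "function": ["<marshaled-bytecode-placeholder>", None, None]}},
                ]}},
        ],
    },
})

def find_lambda_layers(node, path=""):
    """Recursively collect (path, layer_name) for every layer whose class_name
    is Lambda, descending into the layer lists of nested submodels."""
    found = []
    if isinstance(node, dict):
        cls = node.get("class_name")
        cfg = node.get("config", {})
        name = cfg.get("name", "?") if isinstance(cfg, dict) else "?"
        here = f"{path}/{name}" if path else name
        if cls == "Lambda":
            found.append((here, name))
        if isinstance(cfg, dict):
            for layer in cfg.get("layers", []):
                found.extend(find_lambda_layers(layer, here))
    elif isinstance(node, list):
        for item in node:
            found.extend(find_lambda_layers(item, path))
    return found

def is_safe_to_load(model_json):
    """True only if the architecture contains no Lambda layer at any depth."""
    return not find_lambda_layers(json.loads(model_json))

if __name__ == "__main__":
    for path, name in find_lambda_layers(json.loads(SAMPLE_MODEL_JSON)):
        print("Lambda layer found:", path)
    print("safe to load:", is_safe_to_load(SAMPLE_MODEL_JSON))
```

Newer Keras releases gate Lambda deserialization behind an explicit opt-in (safe_mode); a check like this is for pipelines that still load models built for older versions, or that need to inventory a model zoo before deciding which files to trust.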
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (apache2 and cockpit), Fedora (firefox, kernel, mbedtls, python-cbor2, wireshark, and yyjson), Mageia (nghttp2), Red Hat (kernel, kernel-rt, opencryptoki, pcs, shim, squid, and squid:4), Slackware (firefox), SUSE (emacs, firefox, and kernel), and Ubuntu (linux-aws, linux-aws-5.15, linux-aws-6.5, linux-raspi, and linux-iot).
---------------------------------------------
https://lwn.net/Articles/970169/
∗∗∗ Oracle Critical Patch Update Advisory - April 2024 ∗∗∗
---------------------------------------------
https://www.oracle.com/security-alerts/cpuapr2024.html
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Huawei Security Bulletins ∗∗∗
---------------------------------------------
https://securitybulletin.huawei.com/enterprise/en/security-advisory
=====================
= End-of-Day report =
=====================
Timeframe: Monday 15-04-2024 18:00 − Tuesday 16-04-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Palo Alto - Putting The Protecc In GlobalProtect (CVE-2024-3400) ∗∗∗
---------------------------------------------
At watchTowr, we no longer publish Proof of Concepts. Why prove something is vulnerable when we can just believe it's so? Instead, we've decided to do something better - that's right! We're proud to release another detection artefact generator tool, this time in the form of an HTTP request:
---------------------------------------------
https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-c…
∗∗∗ Quick Palo Alto Networks Global Protect Vulnerability Update (CVE-2024-3400), (Mon, Apr 15th) ∗∗∗
---------------------------------------------
One of our readers, Mark, observed attacks attempting to exploit the vulnerability from two IP addresses: 173.255.223.159: An Akamai/Linode IP address. We do not have any reports from this IP address. Shodan suggests that the system may have recently hosted a WordPress site. 146.70.192.174: A system in Singapore that has been actively scanning various ports in March and April.
---------------------------------------------
https://isc.sans.edu/diary/rss/30838
∗∗∗ New SteganoAmor attacks use steganography to target 320 orgs globally ∗∗∗
---------------------------------------------
A new campaign conducted by the TA558 hacking group is concealing malicious code inside images using steganography to deliver various malware tools onto targeted systems. [..] The attacks begin with malicious emails containing seemingly innocuous document attachments (Excel and Word files) that exploit the CVE-2017-11882 flaw, a commonly targeted Microsoft Office Equation Editor vulnerability fixed in 2017.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-steganoamor-attacks-use-…
∗∗∗ AWS, Google, and Azure CLI Tools Could Leak Credentials in Build Logs ∗∗∗
---------------------------------------------
New cybersecurity research has found that command-line interface (CLI) tools from Amazon Web Services (AWS) and Google Cloud can expose sensitive credentials in build logs, posing significant risks to organizations. The vulnerability has been codenamed LeakyCLI by cloud security firm Orca. [..] Unlike Microsoft, however, both Amazon and Google consider this to be expected behavior, requiring that organizations take steps to avoid storing secrets in environment variables and instead use a dedicated secrets store service like AWS Secrets Manager or Google Cloud Secret Manager.
---------------------------------------------
https://thehackernews.com/2024/04/aws-google-and-azure-cli-tools-could.html
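Since AWS and Google treat the behaviour as expected, the fix is on the pipeline side: keep secrets out of environment variables, and treat build output as a place where credentials can land. The following is an added example, not code from Orca or from any vendor tool, of the detective half of that: scan captured build output for credential material, report the line and variable, and emit a redacted copy. The build-log excerpt is constructed (the AWS key pair is the documentation example); the patterns are the public AWS access key ID format ("AKIA" plus 16 upper-case alphanumerics), the Google API key format ("AIza" plus 35 characters) and KEY=value assignments whose variable name looks like a secret.

```python
# Added example (not from Orca's LeakyCLI research or any vendor tool): scan
# captured CI build output for credential material that a CLI command echoed
# from its environment, report where it appears and emit a redacted copy.
import re

# Constructed build-log excerpt, modelled on a job step that dumped its environment.
SAMPLE_BUILD_LOG = """\
[build] Step 3/5: configure deployment
[build] AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
[build] AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
[build] DB_PASSWORD=hunter2
[build] REGION=eu-central-1
[build] gcloud: using key AIzaSyA-ExAmPlE_keY_0123456789abcdefghi for project demo
[build] Step 4/5: deploy complete
"""

# KEY=value where the variable name contains a secret-looking word.
ASSIGNMENT_RE = re.compile(
    r"\b(?P<name>[A-Z0-9_]*(?:SECRET|PASSWORD|TOKEN|API_KEY)[A-Z0-9_]*)=(?P<value>\S+)")
# Bare tokens with a recognisable prefix and fixed length.
TOKEN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}(?![0-9A-Za-z_-])"),
}

def scan_build_log(text):
    """Return (findings, redacted_text); findings is a list of
    (line_number, kind, variable_name_or_None)."""
    findings, out = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        redacted = line
        # Assignments first: the variable name is the most useful datum and the
        # whole value gets masked regardless of its format.
        for m in ASSIGNMENT_RE.finditer(line):
            findings.append((lineno, "secret_assignment", m["name"]))
            redacted = redacted.replace(m["value"], "<redacted>")
        # Then bare tokens, matched on the already-redacted line so a value
        # masked above is not reported twice.
        for kind, pattern in TOKEN_PATTERNS.items():
            for m in pattern.finditer(redacted):
                findings.append((lineno, kind, None))
            redacted = pattern.sub(f"<redacted:{kind}>", redacted)
        out.append(redacted)
    return findings, "\n".join(out)

if __name__ == "__main__":
    findings, redacted = scan_build_log(SAMPLE_BUILD_LOG)
    for lineno, kind, name in findings:
        print(f"line {lineno}: {kind}" + (f" ({name})" if name else ""))
    print(redacted)
```

Run it as a post-step over the job's captured output and fail the job on any finding: that turns a silent leak into a visible one and forces the secret to be rotated. It does not replace moving the secret into a secrets store, which is the only way to keep it out of the environment in the first place.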
∗∗∗ Beware of fake bank calls ∗∗∗
---------------------------------------------
You receive a call, supposedly from a bank. The person on the phone claims you submitted a loan application. If you object, the caller explains that criminals must then have submitted the loan application in your name. Hang up! It is a scam.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-falschen-bankanrufen/
∗∗∗ Large-scale brute-force activity targeting VPNs, SSH services with commonly used login credentials ∗∗∗
---------------------------------------------
Cisco Talos is actively monitoring a global increase in brute-force attacks against a variety of targets, including Virtual Private Network (VPN) services, web application authentication interfaces and SSH services since at least March 18, 2024. [..] We are including the usernames and passwords used in these attacks in the IOCs for awareness. IP addresses and credentials associated with these attacks can be found in our GitHub repository here.
---------------------------------------------
https://blog.talosintelligence.com/large-scale-brute-force-activity-targeti…
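The campaign above is generic credential guessing against SSH and VPN logins, and the detection is correspondingly generic: many failed logins from one source in a short window, usually across several usernames. The following is an added example, not part of the Talos post: it parses OpenSSH "Failed password" syslog lines and flags sources that reach a failure threshold inside a sliding time window, listing the usernames tried. The log lines are constructed; the year is assumed because syslog timestamps omit it.

```python
# Added example (not from the Talos post): flag sources that repeatedly fail
# authentication against sshd inside a short window, the pattern behind the
# credential-spraying campaign described above.
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of sshd syslog lines (the year is not in the format; 2024 assumed).
SAMPLE_LOG = """\
Apr 15 10:00:01 bastion sshd[2301]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Apr 15 10:00:03 bastion sshd[2302]: Failed password for invalid user test from 203.0.113.7 port 51024 ssh2
Apr 15 10:00:04 bastion sshd[2303]: Failed password for root from 203.0.113.7 port 51026 ssh2
Apr 15 10:00:06 bastion sshd[2304]: Failed password for invalid user guest from 203.0.113.7 port 51028 ssh2
Apr 15 10:00:09 bastion sshd[2305]: Failed password for invalid user user from 203.0.113.7 port 51030 ssh2
Apr 15 10:00:12 bastion sshd[2306]: Accepted publickey for deploy from 198.51.100.20 port 40110 ssh2
Apr 15 10:05:00 bastion sshd[2310]: Failed password for alice from 198.51.100.44 port 40200 ssh2
Apr 15 10:07:30 bastion sshd[2311]: Failed password for alice from 198.51.100.44 port 40201 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_failures(log_text, year=2024):
    """Yield (timestamp, ip, username) for every failed-password line."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"]

def detect_bruteforce(log_text, threshold=5, window_seconds=60, year=2024):
    """Return {ip: sorted usernames} for sources that reach `threshold`
    failures inside any sliding window of `window_seconds`."""
    per_ip = defaultdict(list)
    for ts, ip, user in parse_failures(log_text, year):
        per_ip[ip].append((ts, user))
    hits = {}
    for ip, events in per_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start until the window fits in window_seconds.
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = sorted({u for _, u in events})
                break
    return hits

if __name__ == "__main__":
    for ip, users in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {len(users)} usernames tried -> {', '.join(users)}")
```

The two legitimate-looking failures from 198.51.100.44 stay below the default threshold; lowering it or widening the window trades false positives for earlier detection, and the username list is what distinguishes a spray (many accounts) from one user mistyping a password. The IP and credential lists Talos publishes can be matched against the same parsed events.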
∗∗∗ Access management: critical admin vulnerability in Delinea Secret Server closed ∗∗∗
---------------------------------------------
Delinea's privileged access management (PAM) solution Secret Server is vulnerable. A security update is available.
---------------------------------------------
https://heise.de/-9686457
=====================
= Vulnerabilities =
=====================
∗∗∗ Severe vulnerability in PuTTY - CVE-2024-31497 ∗∗∗
---------------------------------------------
Security researchers have found a severe vulnerability in PuTTY, a widely used open-source client for Secure Shell (SSH) connections. Exploiting CVE-2024-31497 allows attackers, under certain circumstances, to recover the private key of a cryptographic key pair.
---------------------------------------------
https://cert.at/de/aktuelles/2024/4/schwere-sicherheitslucke-in-putty-cve-2…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (php7.4 and php8.2), Fedora (c-ares), Mageia (python-pillow and upx), Oracle (bind and dhcp, bind9.16, httpd:2.4/mod_http2, kernel, rear, and unbound), SUSE (eclipse, maven-surefire, tycho, emacs, kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t, nodejs16, nodejs18, nodejs20, texlive, vim, webkit2gtk3, and xen), and Ubuntu (gnutls28, klibc, libvirt, nodejs, and webkit2gtk).
---------------------------------------------
https://lwn.net/Articles/970036/
∗∗∗ Proscend Communications M330-W and M330-W5 vulnerable to OS command injection ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN23835228/
∗∗∗ B&R: 2024-04-15: Cyber Security Advisory - Impact of LogoFail vulnerability on B&R Industrial PCs and HMI products ∗∗∗
---------------------------------------------
https://www.br-automation.com/fileadmin/SA24P002_xPCs_vulnerable_to_LogoFai…
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Mozilla: Security Vulnerabilities fixed in Firefox ESR 115.10 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2024-19/
∗∗∗ Mozilla: Security Vulnerabilities fixed in Firefox 125 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2024-18/
∗∗∗ Libreswan: IKEv1 default AH/ESP responder can crash and restart ∗∗∗
---------------------------------------------
https://libreswan.org/security/CVE-2024-3652/CVE-2024-3652.txt
∗∗∗ Measuresoft ScadaPro ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-107-01
∗∗∗ Electrolink FM/DAB/TV Transmitter ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-107-02
∗∗∗ Rockwell Automation ControlLogix and GuardLogix ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-107-03
∗∗∗ RoboDK RoboDK ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-107-04
=====================
= End-of-Day report =
=====================
Timeframe: Friday 12-04-2024 18:00 − Monday 15-04-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400) ∗∗∗
---------------------------------------------
On April 10, 2024, Volexity identified zero-day exploitation of a vulnerability found within the GlobalProtect feature of Palo Alto Networks PAN-OS at one of its network security monitoring (NSM) customers. During its investigation, Volexity observed that UTA0218 attempted to install a custom Python backdoor, which Volexity calls UPSTYLE, on the firewall. The UPSTYLE backdoor allows the attacker to execute additional commands on the device via specially crafted network requests. Details on this backdoor are included further on in this report.
---------------------------------------------
https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthent…
∗∗∗ Cisco Duo warns third-party data breach exposed SMS MFA logs ∗∗∗
---------------------------------------------
Cisco Duo's security team warns that hackers stole some customers' VoIP and SMS logs for multi-factor authentication (MFA) messages in a cyberattack on their telephony provider.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cisco-duo-warns-third-party-…
∗∗∗ Attack via WebGPU: sensitive user data can be read out via JavaScript ∗∗∗
---------------------------------------------
A research team at TU Graz has succeeded in spying out security-relevant user data such as keystrokes or encryption keys through three different side-channel attacks on WebGPU, the graphics interface built into modern web browsers. With this work the team mainly wants to draw attention to the risks that can come with implementing WebGPU.
---------------------------------------------
https://www.golem.de/news/angriff-via-webgpu-sensible-nutzerdaten-lassen-si…
∗∗∗ Using the LockBit builder to generate targeted ransomware ∗∗∗
---------------------------------------------
Kaspersky researchers revisit the leaked LockBit 3.0 builder and share insights into a real-life incident involving a custom targeted ransomware variant created with this builder.
---------------------------------------------
https://securelist.com/lockbit-3-0-based-custom-targeted-ransomware/112375/
∗∗∗ Delinea Secret Server customers should apply latest patches ∗∗∗
---------------------------------------------
Customers of Delinea's Secret Server are being urged to upgrade their installations "immediately" after a researcher claimed a critical vulnerability could allow attackers to gain admin-level access. [..] Delinea sent us a statement post publication: "We confirm there was a vulnerability in Secret Server. Delinea Platform and Secret Server Cloud have been patched and are no longer vulnerable. We have provided a remediation guide for our on-premise customers to fix the vulnerability.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2024/04/15/delinea_secr…
∗∗∗ Unpacking the Blackjack Group's Fuxnet Malware ∗∗∗
---------------------------------------------
Blackjack claims its initial compromise of Moscollector began in June 2023, and since then the group said it has worked slowly in an attempt to cripple the industrial sensors and monitoring infrastructure managed by the company. [..] Screenshots released by the attackers indicate that the impacted sensors are manufactured by a company named AO SBK, a Russian company that manufactures a variety of sensor types, ranging from gas measurement sensors to environmental monitoring equipment.
---------------------------------------------
https://claroty.com/team82/research/unpacking-the-blackjack-groups-fuxnet-m…
∗∗∗ Fake Google calls about your Google Business listing ∗∗∗
---------------------------------------------
Be careful when callers claim to be from Google. Increasingly, criminals pose as Google and claim that the trial period of your Google Business profile has expired and the listing is now subject to a fee. Hang up immediately!
---------------------------------------------
https://www.watchlist-internet.at/news/falsche-google-anrufe-zu-ihrem-googl…
∗∗∗ “Totally Unexpected” Package Malware Using Modified Notepad++ Plug-in (WikiLoader) ∗∗∗
---------------------------------------------
AhnLab Security intelligence Center (ASEC) has recently identified the distribution of a modified version of "mimeTools.dll", a default Notepad++ plug-in. The malicious mimeTools.dll file in question was included in the package installation file of a certain version of the Notepad++ package and disguised as a legitimate package file.
---------------------------------------------
https://asec.ahnlab.com/en/64106/
∗∗∗ Lancom setup wizard blanks the root password ∗∗∗
---------------------------------------------
Anyone who configures Lancom routers with the Windows setup wizard runs the risk of replacing the root password with an empty one.
---------------------------------------------
https://heise.de/-9682694
=====================
= Vulnerabilities =
=====================
∗∗∗ Palo Alto Networks Releases Urgent Fixes for Exploited PAN-OS Vulnerability ∗∗∗
---------------------------------------------
Palo Alto Networks has released hotfixes to address a maximum-severity security flaw impacting PAN-OS software that has come under active exploitation in the wild.
---------------------------------------------
https://thehackernews.com/2024/04/palo-alto-networks-releases-urgent.html
∗∗∗ Security updates: vulnerabilities in PHP endanger websites ∗∗∗
---------------------------------------------
The PHP developers have closed several vulnerabilities. One of them is considered critical.
---------------------------------------------
https://heise.de/-9684558
∗∗∗ Telegram Desktop: typo in source code leads to RCE vulnerability ∗∗∗
---------------------------------------------
A typo in the code of Telegram's Windows app allows execution of malicious code on other people's systems. A click on a supposed video is enough. [..] The typo in the Telegram source code does not concern .exe, however, but the file extension .pyzw, which is associated with executable Python zip archives. Until 11 April this was stored in the code as .pywz, so the security warning mentioned above did not appear at all when a .pyzw file was clicked. [..] Telegram has since fixed the error in the source code, but a corresponding update for the Windows app has apparently not been distributed yet.
---------------------------------------------
https://www.golem.de/news/telegram-desktop-tippfehler-im-quellcode-muendet-…
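The bug above is a property of denylists in general: a single transposed entry silently opens a hole, and nothing in normal use reveals it. The following is an added example, not Telegram's code: a hypothetical extension denylist carrying the same kind of typo (".pywz" instead of ".pyzw") beside a hardened check that lower-cases the name and strips trailing dots and spaces (which Win32 path handling ignores when resolving a handler), plus a self-test that runs known-dangerous names through the check and would have exposed the typo before release. The other extensions in the lists are illustrative.

```python
# Added example (not Telegram's code): a file-extension denylist with the same
# kind of transposition typo the golem.de article describes, beside a hardened
# check and a self-test that exposes the hole.

def _suffix(name):
    """Last extension including its dot; '' if none or the name is only a
    dotfile such as '.bashrc'."""
    dot = name.rfind(".")
    return name[dot:] if dot > 0 else ""

# Hypothetical denylist with the transposed entry; other entries are illustrative.
DENYLIST_WITH_TYPO = frozenset({".exe", ".bat", ".cmd", ".scr", ".pyz", ".pywz"})

def warns_before_open_typo(filename):
    """Buggy check: a .pyzw file passes because the list spells it .pywz, and
    the comparison is case-sensitive and ignores trailing dots."""
    return _suffix(filename) in DENYLIST_WITH_TYPO

# Hardened: correct spelling, lower-case comparison, and trailing dots/spaces
# removed first, since Win32 path handling drops them before choosing a handler.
DENYLIST = frozenset({".exe", ".bat", ".cmd", ".scr", ".pyz", ".pyzw"})

def warns_before_open(filename):
    return _suffix(filename.rstrip(". ").lower()) in DENYLIST

# Known-dangerous names the check must flag. Running them through the check is
# the test that catches a typo, a missing case fold or a trailing-dot bypass.
KNOWN_EXECUTABLE_SAMPLES = [
    "a.exe", "a.bat", "a.cmd", "a.scr", "a.pyz",
    "holiday_video.pyzw", "HOLIDAY_VIDEO.PYZW", "holiday_video.pyzw.",
]

def denylist_gaps(check):
    """Return the known-dangerous names that `check` fails to flag."""
    return [s for s in KNOWN_EXECUTABLE_SAMPLES if not check(s)]

if __name__ == "__main__":
    print("gaps in typo'd list:   ", denylist_gaps(warns_before_open_typo))
    print("gaps in hardened check:", denylist_gaps(warns_before_open))
```

The self-test is the part that matters: a denylist is only as good as the corpus it is checked against, and the corpus has to be maintained from the list of handlers the operating system actually registers rather than from the denylist itself.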
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (bind, bind and dhcp, bind9.16, gnutls, httpd:2.4/mod_http2, squid:4, and unbound), Debian (kernel, trafficserver, and xorg-server), Fedora (chromium, kernel, libopenmpt, and rust-h2), Mageia (apache-mod_jk, golang, indent, openssl, perl-HTTP-Body, php, rear, ruby-rack, squid, varnish, and xfig), Oracle (bind, squid, unbound, and X.Org server), Red Hat (bind and dhcp and unbound), Slackware (less and php), SUSE (gnutls, python-Pillow, webkit2gtk3, xen, xorg-x11-server, and xwayland), and Ubuntu (yard).
---------------------------------------------
https://lwn.net/Articles/969873/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Xen: XSA-456 ∗∗∗
---------------------------------------------
https://xenbits.xenproject.org/people/gdunlap/xsa-draft/advisory-456.html
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 11-04-2024 18:00 − Friday 12-04-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Orders from above: US agencies must clean up after cyberattack on Microsoft ∗∗∗
---------------------------------------------
The attackers apparently also captured e-mails exchanged between Microsoft and US agencies. The latter must now act.
---------------------------------------------
https://www.golem.de/news/anweisung-von-oben-us-behoerden-muessen-nach-cybe…
∗∗∗ Security: Apple warns iPhone users on a large scale about spyware attack ∗∗∗
---------------------------------------------
Apple has warned iPhone owners in 92 countries about mercenary spyware attacks. Those affected should take the warning seriously and seek help.
---------------------------------------------
https://www.golem.de/news/sicherheit-apple-warnt-iphone-nutzer-grossflaechi…
∗∗∗ XZ backdoor story – Initial analysis ∗∗∗
---------------------------------------------
Kaspersky analysis of the backdoor recently found in XZ, which is used in many popular Linux distributions and in OpenSSH server process.
---------------------------------------------
https://securelist.com/xz-backdoor-story-part-1/112354/
∗∗∗ Sneaky Credit Card Skimmer Disguised as Harmless Facebook Tracker ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered a credit card skimmer that's concealed within a fake Meta Pixel tracker script in an attempt to evade detection.
---------------------------------------------
https://thehackernews.com/2024/04/sneaky-credit-card-skimmer-disguised-as.h…
∗∗∗ Fraudulent casino apps are being massively advertised on Facebook and Instagram! ∗∗∗
---------------------------------------------
With numerous ads, criminals try to get their victims to download various casino apps. Usually incredible winnings are promised, plus free spins and bonuses of several thousand euros. Some ads even use deepfake videos.
---------------------------------------------
https://www.watchlist-internet.at/news/betruegerische-casino-apps-werden-ma…
∗∗∗ IBM QRadar - When The Attacker Controls Your Security Stack (CVE-2022-26377) ∗∗∗
---------------------------------------------
Today, in this iteration of 'watchTowr Labs takes aim at yet another piece of software' we wonder why the industry panics about backdoors in libraries that have taken 2 years to be unsuccessfully introduced - while security vendors like IBM can't even update libraries used in their flagship security products that subsequently allow for trivial exploitation. [..] For those unfamiliar with defensive security products, QRadar is the mastermind application that can sit on-premise or in the cloud via IBM's SaaS offering. Quite simply, it's IBM's Security Information and Event Management (SIEM) product - and is the heart of many enterprises' security software stack.
---------------------------------------------
https://labs.watchtowr.com/ibm-qradar-when-the-attacker-controls-your-secur…
∗∗∗ Crypto scams: Coinbase warns EU customers against iPhone sideloading ∗∗∗
---------------------------------------------
The crypto exchange instructs European customers to obtain the app only from Apple's App Store. Fake wallets have recently been spotted there too, however.
---------------------------------------------
https://heise.de/-9683728
∗∗∗ Intellexa: spyware from the Predator maker arrives via online advertising ∗∗∗
---------------------------------------------
The malware dealer Intellexa is presenting spyware that infects phones purely through advertising banners. [..] The new malware is called Aladdin and installs itself without any click by the victim (zero-click exploit). [..] The complete package costs four million euros, including a one-year warranty and 24-hour support. Phone numbers from the USA, Greece and Israel reportedly may not be attacked, which apparently goes back to sanctions that have been imposed.
---------------------------------------------
https://heise.de/-9682500
∗∗∗ Security vulnerabilities: Attackers can take down Juniper network devices ∗∗∗
---------------------------------------------
Important patches close several vulnerabilities in Junos OS that leave firewalls, routers and switches vulnerable.
---------------------------------------------
https://heise.de/-9682955
=====================
= Vulnerabilities =
=====================
∗∗∗ Critical security vulnerability in Palo Alto PAN-OS (GlobalProtect) ∗∗∗
---------------------------------------------
A critical security vulnerability has been identified in the GlobalProtect feature of Palo Alto's PAN-OS which allows command injection. To exploit the vulnerability, a gateway must be configured and the so-called "Device Telemetry" must be enabled (the latter is the default in the affected versions). Since no updates are available yet, the vulnerability can only be mitigated through configuration changes; see the section "Abhilfe" (remediation). [..] CVE-2024-3400
---------------------------------------------
https://cert.at/de/warnungen/2024/4/palo-alto-cve-2024-3400
∗∗∗ CISA Adds One Known Exploited Vulnerability to Catalog ∗∗∗
---------------------------------------------
CVE-2024-3400 Palo Alto Networks PAN-OS Command Injection Vulnerability
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/04/12/cisa-adds-one-known-expl…
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium), Fedora (rust, trafficserver, and upx), Mageia (postgresql-jdbc and x11-server, x11-server-xwayland, tigervnc), Red Hat (bind, bind9.16, gnutls, httpd:2.4, squid, unbound, and xorg-x11-server), SUSE (perl-Net-CIDR-Lite), and Ubuntu (apache2, maven-shared-utils, and nss).
---------------------------------------------
https://lwn.net/Articles/969590/
∗∗∗ Linux kernel: New exploit grants root privileges ∗∗∗
---------------------------------------------
Whether the vulnerability is fixed in the latest kernel versions is unclear even to security experts. There is also a dispute over who authored it.
---------------------------------------------
https://heise.de/-9682586
∗∗∗ B&R: 2024-04-10: Cyber Security Advisory - B&R APROL Several vulnerabilities in the Docker Engine ∗∗∗
---------------------------------------------
https://www.br-automation.com/fileadmin/SA24P006_Several_vulnerabilities_in…
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 10-04-2024 18:00 − Thursday 11-04-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ New Spectre v2 attack impacts Linux systems on Intel CPUs ∗∗∗
---------------------------------------------
Researchers have demonstrated the "first native Spectre v2 exploit" for a new speculative execution side-channel flaw that impacts Linux systems running on many modern Intel processors. [..] The hardware vendor has indicated that future processors will include mitigations for BHI and potentially other speculative execution vulnerabilities. For a complete list of Intel processors impacted by the various speculative execution side-channel flaws, check this page updated by the vendor.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-spectre-v2-attack-impact…
∗∗∗ CISA says Sisense hack impacts critical infrastructure orgs ∗∗∗
---------------------------------------------
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is investigating the recent breach of data analytics company Sisense, an incident that also impacted critical infrastructure organizations.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cisa-says-sisense-hack-impac…
∗∗∗ DragonForce Ransomware - What You Need To Know ∗∗∗
---------------------------------------------
A relatively new strain of ransomware called DragonForce has been making the headlines after a series of high-profile attacks. Like many other ransomware groups, DragonForce attempts to extort money from its victims in two ways - locking companies out of their computers and data through encryption, and exfiltrating data from compromised systems with the threat of releasing it to others via the dark web. So far, so normal. How did DragonForce come to prominence?
---------------------------------------------
https://www.tripwire.com/state-of-security/dragonforce-ransomware-what-you-…
∗∗∗ CISA Releases Malware Next-Gen Analysis System for Public Use ∗∗∗
---------------------------------------------
CISA's Malware Next-Gen system is now available for any organization to submit malware samples and other suspicious artifacts for analysis.
---------------------------------------------
https://www.securityweek.com/cisa-releases-malware-next-gen-analysis-system…
∗∗∗ Metasploit Meterpreter Installed via Redis Server ∗∗∗
---------------------------------------------
Redis is an abbreviation of Remote Dictionary Server, which is an open-source in-memory data structure storage that is also used as a database. It is presumed that the threat actors abused inappropriate settings or ran commands through vulnerability attacks.
---------------------------------------------
https://asec.ahnlab.com/en/64034/
∗∗∗ Control Web Panel - Fingerprinting Open-Source Software using a Consolidation Algorithm approach ∗∗∗
---------------------------------------------
This blog post details one of these very unique cases: `CVE-2022-44877`, an unauthenticated Command Injection issue, flagged by CISA as a Known Exploited Vulnerability (CISA KEV), affecting Control Web Panel, an open-source control panel for servers and VPS management. Initially, the team could not find a way to straightforwardly fingerprint the software's version, nor another way to detect it without intrusive exploitation - thus we used a novel technique: an algorithm that retrieves the web application's static web content files and consolidates them to pinpoint the software's version.
---------------------------------------------
https://www.bitsight.com/blog/control-web-panel-fingerprinting-open-source-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Node.js Security Advisories Apr 10, 2024 ∗∗∗
---------------------------------------------
Node v21.7.3 (Current), Node v20.12.2 (LTS), Node v18.20.2 (LTS): CVE-2024-27980 - Command injection via args parameter of child_process.spawn without shell option enabled on Windows.
---------------------------------------------
https://nodejs.org/en/blog/release/
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (kernel, less, libreoffice, nodejs:18, nodejs:20, rear, thunderbird, and varnish), Debian (pillow), Fedora (dotnet7.0), SUSE (sngrep, texlive-specs-k, tomcat, tomcat10, and xorg-x11-server), and Ubuntu (nss, squid, and util-linux).
---------------------------------------------
https://lwn.net/Articles/969468/
∗∗∗ Citrix: XenServer and Citrix Hypervisor Security Update for CVE-2023-46842, CVE-2024-2201 and CVE-2024-31142 ∗∗∗
---------------------------------------------
Two issues have been identified that affect XenServer and Citrix Hypervisor; each issue may allow malicious unprivileged code in a guest VM to infer the contents of memory belonging to its own or other VMs on the same host.
---------------------------------------------
https://support.citrix.com/article/CTX633151/xenserver-and-citrix-hyperviso…
∗∗∗ Google Chrome: Sandbox escape possible through certain gestures ∗∗∗
---------------------------------------------
With some delay, Google's developers have released the weekly update for the Chrome web browser. It closes a total of three security vulnerabilities. All of them carry the risk rating "high".
---------------------------------------------
https://heise.de/-9681413
∗∗∗ TP-Link WLAN access points attackable 15 minutes after reboot ∗∗∗
---------------------------------------------
Attackers can attack the TP-Link AC1350 Wireless and N300 Wireless N Ceiling Mount WLAN access points and, among other things, reset them to factory settings. [..] Security updates are available.
---------------------------------------------
https://heise.de/-9681863
∗∗∗ Palo Alto Security Advisories ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Juniper Security Advisories ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/global-search/%40uri?language=en_US#sor…
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 09-04-2024 18:00 − Wednesday 10-04-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Delayed distribution of the CERT.at daily reports ∗∗∗
---------------------------------------------
Due to a misconfiguration of our firewall, the distribution of our daily reports was partially delayed yesterday, 09.04.2024. We apologise for any inconvenience caused.
---------------------------------------------
https://cert.at/de/aktuelles/2024/4/verzogerte-aussendung-der-certat-tagesb…
∗∗∗ VU#123335: Multiple Programming Languages Fail to Escape Arguments Properly in Microsoft Windows ∗∗∗
---------------------------------------------
Various programming languages lack proper validation mechanisms for commands and in some cases also fail to escape arguments correctly when invoking commands within a Microsoft Windows environment. The command injection vulnerability in these programming languages, when running on Windows, allows attackers to execute arbitrary code disguised as arguments to the command.
---------------------------------------------
https://kb.cert.org/vuls/id/123335
∗∗∗ How NIS 2 will affect employees in companies ∗∗∗
---------------------------------------------
ÖGB data protection expert Sebastian Klocker in an interview about training measures, access controls and monitoring.
---------------------------------------------
https://futurezone.at/netzpolitik/nis-2-cybersicherheit-richtlinie-eu-geset…
∗∗∗ Data breach at Microsoft: Passwords and source code were apparently openly accessible on the internet ∗∗∗
---------------------------------------------
Microsoft had apparently misconfigured an Azure storage server. Allegedly, all sorts of sensitive company data were accessible to anyone.
---------------------------------------------
https://www.golem.de/news/datenpanne-bei-microsoft-passwoerter-und-quellcod…
∗∗∗ Raspberry Robin Returns: New Malware Campaign Spreading Through WSF Files ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered a new Raspberry Robin campaign wave that propagates the malware through malicious Windows Script Files (WSFs) since March 2024.
---------------------------------------------
https://thehackernews.com/2024/04/raspberry-robin-returns-new-malware.html
∗∗∗ Active Nitrogen campaign delivered via malicious ads for PuTTY, FileZilla ∗∗∗
---------------------------------------------
Threat actors once again target system administrators via their favorite tools. Learn more about their TTPs and use the IOCs provided to investigate.
---------------------------------------------
https://www.malwarebytes.com/blog/threat-intelligence/2024/04/active-nitrog…
∗∗∗ Muddled Libra’s Evolution to the Cloud ∗∗∗
---------------------------------------------
Muddled Libra now actively targets CSP environments and SaaS applications. Using the MITRE ATT&CK framework, we outline observed TTPs from incident response.
---------------------------------------------
https://unit42.paloaltonetworks.com/muddled-libra-evolution-to-cloud/
∗∗∗ Data theft on macOS: Two new campaigns uncovered ∗∗∗
---------------------------------------------
The cybercriminals are after confidential user data such as passwords. Among other things, fake advertisements are used to plant an infostealer.
---------------------------------------------
https://www.zdnet.de/88415282/datendiebstahl-unter-macos-zwei-neue-kampagne…
∗∗∗ New Technique to Trick Developers Detected in an Open Source Supply Chain Attack ∗∗∗
---------------------------------------------
In a recent attack campaign, cybercriminals were discovered cleverly manipulating GitHub’s search functionality, and using meticulously crafted repositories to distribute malware.
---------------------------------------------
https://checkmarx.com/blog/new-technique-to-trick-developers-detected-in-an…
=====================
= Vulnerabilities =
=====================
∗∗∗ Critical BatBadBut Rust Vulnerability Exposes Windows Systems to Attacks ∗∗∗
---------------------------------------------
A critical security flaw in the Rust standard library could be exploited to target Windows users and stage command injection attacks.
---------------------------------------------
https://thehackernews.com/2024/04/critical-batbadbut-rust-vulnerability.html
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (gtkwave), Fedora (dotnet7.0, dotnet8.0, and python-pillow), Mageia (apache, gstreamer1.0, libreoffice, perl-Data-UUID, and xen), Oracle (kernel, kernel-container, and varnish), Red Hat (edk2, kernel, rear, and unbound), SUSE (apache2-mod_jk, gnutls, less, and xfig), and Ubuntu (bind9, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, [...]
---------------------------------------------
https://lwn.net/Articles/969314/
∗∗∗ Patchday: Attackers once again bypass a security feature and attack Windows ∗∗∗
---------------------------------------------
Microsoft has released important security updates for, among others, BitLocker, Office and Windows Defender. Attackers are already exploiting two of the vulnerabilities.
---------------------------------------------
https://heise.de/-9679989
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ XSA-455 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-455.html
∗∗∗ Pepperl+Fuchs: ICE2- * and ICE3- * are affected by multiple vulnerabilities ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2024-017/
∗∗∗ PC System Recovery Bootloader Vulnerabilities ∗∗∗
---------------------------------------------
http://support.lenovo.com/product_security/PS500613-PC-SYSTEM-RECOVERY-BOOT…
∗∗∗ AMI MegaRAC Vulnerability ∗∗∗
---------------------------------------------
http://support.lenovo.com/product_security/PS500612-AMI-MEGARAC-VULNERABILI…
∗∗∗ System Management Module (SMM v1 and v2) and Fan Power Controller (FPC) Vulnerabilities ∗∗∗
---------------------------------------------
http://support.lenovo.com/product_security/SYSTEM-MANAGEMENT-MODULE-SMM-V1-…
∗∗∗ AMD Radeon Vulnerabilities ∗∗∗
---------------------------------------------
http://support.lenovo.com/product_security/PS500615
∗∗∗ Adobe Releases Security Updates for Multiple Products ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/04/09/adobe-releases-security-…
∗∗∗ Sunhillo SureLine Command Injection Attack ∗∗∗
---------------------------------------------
https://fortiguard.fortinet.com/outbreak-alert/sunhillo-sureline-attack
=====================
= End-of-Day report =
=====================
Timeframe: Monday 08-04-2024 18:00 − Tuesday 09-04-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ New SharePoint flaws help hackers evade detection when stealing files ∗∗∗
---------------------------------------------
Researchers have discovered two techniques that could enable attackers to bypass audit logs or generate less severe entries when downloading files from SharePoint. [..] Varonis disclosed these bugs in November 2023, and Microsoft added the flaws to a patch backlog for future fixing. However, the issues were rated as moderate severity, so they won't receive immediate fixes. Therefore, SharePoint admins should be aware of these risks and learn to identify and mitigate them until patches become available.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-sharepoint-flaws-help-ha…
∗∗∗ Researchers Discover LG Smart TV Vulnerabilities Allowing Root Access ∗∗∗
---------------------------------------------
Multiple security vulnerabilities have been disclosed in LG webOS running on its smart televisions that could be exploited to bypass authorization and gain root access on the devices. [..] The issues were fixed by LG as part of updates released on March 22, 2024. [..] "Although the vulnerable service is intended for LAN access only, Shodan, the search engine for Internet-connected devices, identified over 91,000 devices that expose this service to the Internet," Bitdefender said.
---------------------------------------------
https://thehackernews.com/2024/04/researchers-discover-lg-smart-tv.html
∗∗∗ Beware of fake messages from the tax office ∗∗∗
---------------------------------------------
Are you expecting a message from the tax office? We advise caution: numerous fake SMS and e-mail notifications from FinanzOnline or from the tax office are currently in circulation. Do not click on links hastily, and if in doubt, check with the relevant authority!
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-falschen-nachrichten-vo…
∗∗∗ It Was Not Me! Malware-Initiated Vulnerability Scanning Is on the Rise ∗∗∗
---------------------------------------------
We describe the characteristics of malware-initiated scanning attacks. These attacks differ from direct scanning and are increasing according to our data.
---------------------------------------------
https://unit42.paloaltonetworks.com/malware-initiated-scanning-attacks/
∗∗∗ Notepad++: Developer warns of parasite website and asks for help ∗∗∗
---------------------------------------------
The unauthorised website calls itself a "fan project", but the Notepad++ developer fears harmful effects. The community is asked to help.
---------------------------------------------
https://heise.de/-9678725
=====================
= Vulnerabilities =
=====================
∗∗∗ Fortinet Security Advisories 2024-04-09 ∗∗∗
---------------------------------------------
Fortinet has released 12 security advisories: FortiOS, FortiManager, FortiClientLinux, FortiClientMac, FortiProxy, FortiMail, FortiSandbox, FortiNAC-F (1x critical, 4x high, 7x medium)
---------------------------------------------
https://www.fortiguard.com/psirt?product=FortiOS-6K7K%2CFortiOS&product=For…
∗∗∗ Fortinet: SMTP Smuggling ∗∗∗
---------------------------------------------
FortiMail may be susceptible to smuggling attacks if some measures are not put in place. We therefore recommend adhering to the following indications in order to mitigate the potential risk associated with smuggling attacks [..]
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-24-009
∗∗∗ OpenSSL 3.3 Series Release Notes ∗∗∗
---------------------------------------------
Fixed unbounded memory growth with session handling in TLSv1.3 ([CVE-2024-2511])
---------------------------------------------
https://www.openssl.org/news/openssl-3.3-notes.html
∗∗∗ Technical Advisory – Ollama DNS Rebinding Attack (CVE-2024-28224) ∗∗∗
---------------------------------------------
Ollama is an open-source system for running and managing large language models (LLMs). [..] Ollama fixed this issue in release v0.1.29.
---------------------------------------------
https://research.nccgroup.com/2024/04/08/technical-advisory-ollama-dns-rebi…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (expat), Oracle (less and nodejs:20), Slackware (libarchive), SUSE (kubernetes1.23, nghttp2, qt6-base, and util-linux), and Ubuntu (python-django).
---------------------------------------------
https://lwn.net/Articles/969141/
∗∗∗ ICS Patch Tuesday: Siemens Addresses Palo Alto Networks Product Vulnerabilities ∗∗∗
---------------------------------------------
Siemens and Schneider Electric release their ICS Patch Tuesday advisories for April 2024, informing customers about dozens of vulnerabilities.
---------------------------------------------
https://www.securityweek.com/ics-patch-tuesday-siemens-addresses-palo-alto-…
∗∗∗ SSA-885980 V1.0: Multiple Vulnerabilities in Scalance W1750D ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-885980.html
∗∗∗ SSA-822518 V1.0: Multiple Vulnerabilities in Palo Alto Networks Virtual NGFW before V11.0.1 on RUGGEDCOM APE1808 devices ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-822518.html
∗∗∗ SSA-730482 V1.0: Denial of Service Vulnerability in SIMATIC WinCC ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-730482.html
∗∗∗ SSA-556635 V1.0: Multiple Vulnerabilities in Telecontrol Server Basic before V3.1.2.0 ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-556635.html
∗∗∗ SSA-455250 V1.0: Multiple Vulnerabilities in Palo Alto Networks Virtual NGFW on RUGGEDCOM APE1808 devices ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-455250.html
∗∗∗ SSA-265688 V1.0: Vulnerabilities in the additional GNU/Linux subsystem of the SIMATIC S7-1500 TM MFP V1.1 ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-265688.html
∗∗∗ SSA-222019 V1.0: X_T File Parsing Vulnerabilities in Parasolid ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-222019.html
∗∗∗ SSA-128433 V1.0: Multiple Vulnerabilities in SINEC NMS before V2.0 SP2 ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-128433.html
∗∗∗ Xen: XSA-454 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-454.html
∗∗∗ Welotec: Two vulnerabilities in TK500v1 router series ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2024-009/
∗∗∗ SUBNET PowerSYSTEM Server and Substation Server ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-100-01
∗∗∗ Multiple vulnerabilities in WordPress Plugin "Ninja Forms" ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN50361500/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ SAP Patchday: Ten security notes in April ∗∗∗
---------------------------------------------
https://heise.de/-9678796
∗∗∗ HP Poly CCX IP phones allow unauthorised access ∗∗∗
---------------------------------------------
https://heise.de/-9679027
∗∗∗ Robot Operating System: Numerous vulnerabilities found and closed ∗∗∗
---------------------------------------------
https://heise.de/-9679260
=====================
= End-of-Day report =
=====================
Timeframe: Friday 05-04-2024 18:00 − Monday 08-04-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Patch now! Around 16,500 Ivanti VPN instances potentially attackable ∗∗∗
---------------------------------------------
Scans show that thousands of Ivanti VPN instances of the Connect Secure and Policy Secure Gateway type are vulnerable worldwide. [..] According to their own figures, security researchers at Shadowserver have found around 16,500 VPN instances worldwide that are very likely susceptible to attacks (CVE-2024-21894 "high", CVE-2024-22053 "high"). If attacks succeed, malicious code can reach the appliances. Afterwards, such systems are generally considered fully compromised.
---------------------------------------------
https://heise.de/-9677551
∗∗∗ Over 92,000 exposed D-Link NAS devices have a backdoor account ∗∗∗
---------------------------------------------
A threat researcher has disclosed a new arbitrary command injection and hardcoded backdoor flaw in multiple end-of-life D-Link Network Attached Storage (NAS) device models.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/over-92-000-exposed-d-link-n…
∗∗∗ Fake Facebook MidJourney AI page promoted malware to 1.2 million people ∗∗∗
---------------------------------------------
Hackers are using Facebook advertisements and hijacked pages to promote fake Artificial Intelligence services, such as MidJourney, OpenAI's SORA and ChatGPT-5, and DALL-E, to infect unsuspecting users with password-stealing malware.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fake-facebook-midjourney-ai-…
∗∗∗ Keyboard control: Amazon investigates security vulnerability in Fire TV feature ∗∗∗
---------------------------------------------
Amazon has temporarily withdrawn a convenience feature for Fire TV devices due to possible security concerns raised by Green Line Analytics.
---------------------------------------------
https://www.golem.de/news/tastatursteuerung-amazon-untersucht-sicherheitslu…
∗∗∗ Hackers Exploit Magento Bug to Steal Payment Data from E-commerce Websites ∗∗∗
---------------------------------------------
Threat actors have been found exploiting a critical flaw in Magento to inject a persistent backdoor into e-commerce websites. The attack leverages CVE-2024-20720 (CVSS score: 9.1), which has been described by Adobe as a case of "improper neutralization of special elements" that could pave the way for arbitrary code execution. It was addressed by the company as part of security updates released on February 13, 2024.
---------------------------------------------
https://thehackernews.com/2024/04/hackers-exploit-magento-bug-to-steal.html
∗∗∗ Automating Pikabot’s String Deobfuscation ∗∗∗
---------------------------------------------
Pikabot is a malware loader that originally emerged in early 2023 with one of the prominent features being the code obfuscation that it leverages to evade detection and thwart technical analysis. Pikabot employed the obfuscation method to encrypt binary strings, including the address of the command-and-control (C2) servers. In this article, we briefly describe the obfuscation method used by Pikabot and we present an IDA plugin (with source code) that we developed to assist in our binary analysis.
---------------------------------------------
https://www.zscaler.com/blogs/security-research/automating-pikabot-s-string…
∗∗∗ Confidential VMs Hacked via New Ahoi Attacks ∗∗∗
---------------------------------------------
New Ahoi attacks Heckler and WeSee target AMD SEV-SNP and Intel TDX with malicious interrupts to hack confidential VMs.
---------------------------------------------
https://www.securityweek.com/confidential-vms-hacked-via-new-ahoi-attacks/
∗∗∗ Beware of free services for adjusting and modifying files ∗∗∗
---------------------------------------------
Do you want to convert or shrink files, or merge documents? There are numerous supposedly free services for this on the internet. We advise against them, because behind many of these offers lies a subscription trap. In addition, it is often unclear what happens to your documents.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-kostenlosen-diensten-zu…
∗∗∗ IBIS hotel: Check-in terminal hands out access codes for other guests' rooms ∗∗∗
---------------------------------------------
The next security incident at hotels: at the check-in terminals of IBIS hotels, it was possible, by entering a special non-alphanumeric booking number, to retrieve the key codes for almost half of the rooms. Third parties could have entered the rooms and stolen valuables.
---------------------------------------------
https://www.borncity.com/blog/2024/04/06/ibis-hotel-check-in-terminal-gibt-…
∗∗∗ ScrubCrypt Deploys VenomRAT with an Arsenal of Plugins ∗∗∗
---------------------------------------------
FortiGuard Labs uncovered a threat actor using ScrubCrypt to spread VenomRAT along with multiple RATs.
---------------------------------------------
https://feeds.fortinet.com/~/875486669/0/fortinet/blogs~ScrubCrypt-Deploys-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (jetty9, libcaca, libgd2, tomcat9, and util-linux), Fedora (chromium, micropython, and upx), Mageia (chromium-browser-stable, dav1d, libreswan, libvirt, nodejs, texlive-20220321, and util-linux), Red Hat (less, nodejs:20, and varnish), Slackware (tigervnc), and SUSE (buildah, c-ares, cdi-apiserver-container, cdi-cloner-container, cdi-controller-container, cdi-importer-container, cdi-operator-container, cdi-uploadproxy-container, cdi-uploadserver-container, cont, curl, expat, go1.21, go1.22, guava, helm, indent, krb5, kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t, libcares2, libvirt, ncurses, nghttp2, podman, postfix, python-Django, python-Pillow, python310, qemu, rubygem-rack, thunderbird, ucode-intel, and xen).
---------------------------------------------
https://lwn.net/Articles/968999/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 04-04-2024 18:00 − Friday 05-04-2024 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Fake AI law firms are sending fake DMCA threats to generate fake SEO gains ∗∗∗
---------------------------------------------
If you run a personal or hobby website, getting a copyright notice from a law firm about an image on your site can trigger some fast-acting panic. Ernie Smith, the prolific, ever-curious writer behind the newsletter Tedium, received a "DMCA Copyright Infringement Notice" in late March from "Commonwealth Legal," representing the "Intellectual Property division" of Tech4Gods.
---------------------------------------------
https://arstechnica.com/?p=2014933
∗∗∗ Continuation Flood: DoS attack technique takes down HTTP/2 servers without a botnet ∗∗∗
---------------------------------------------
In some cases, a single TCP connection is all that is required for a successful attack. System resources become overloaded.
---------------------------------------------
https://www.golem.de/news/continuation-flood-dos-angriffstechnik-legt-http-…
∗∗∗ AI-as-a-Service Providers Vulnerable to PrivEsc and Cross-Tenant Attacks ∗∗∗
---------------------------------------------
New research has found that artificial intelligence (AI)-as-a-service providers such as Hugging Face are susceptible to two critical risks that could allow threat actors to escalate privileges, gain cross-tenant access to other customers' models, and even take over the continuous integration and continuous deployment (CI/CD) pipelines. [..] To mitigate the issue, it's recommended to enable IMDSv2 with Hop Limit so as to prevent pods from accessing the Instance Metadata Service (IMDS) and obtaining the role of a Node within the cluster.
---------------------------------------------
https://thehackernews.com/2024/04/ai-as-service-providers-vulnerable-to.html
∗∗∗ Bing ad for NordVPN leads to SecTopRAT ∗∗∗
---------------------------------------------
Threat actors are luring victims to a fake NordVPN website that installs a Remote Access Trojan.
---------------------------------------------
https://www.malwarebytes.com/blog/threat-intelligence/2024/04/bing-ad-for-n…
∗∗∗ New triangulation fraud scheme: criminals place orders in your name ∗∗∗
---------------------------------------------
You shop online, pay, and receive the goods you wanted. But a few weeks later you suddenly receive a payment reminder, a debt collection letter, or even a criminal complaint for fraud. The reason: an unpaid invoice from an online shop where you never ordered anything. In this case, both you and the online shop have been defrauded. We show you how this new scheme works and how you can protect yourself.
---------------------------------------------
https://www.watchlist-internet.at/news/neue-dreiecksbetrugsmasche-kriminell…
∗∗∗ The Illusion of Privacy: Geolocation Risks in Modern Dating Apps ∗∗∗
---------------------------------------------
Dating apps traditionally utilize location data, offering the opportunity to connect with people nearby, and enhancing the chances of real-life meetings. Some apps can also display the distance of the user to other users. This feature is quite useful for coordinating meetups, indicating whether a potential match is just a short distance away or a kilometer apart. However, openly sharing your distance with other users can create serious security issues. The risks become apparent when you consider the potential misuse by a curious individual armed with advanced knowledge of techniques like trilateration.
---------------------------------------------
https://research.checkpoint.com/2024/the-illusion-of-privacy-geolocation-ri…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (cockpit), Mageia (python-pygments), Red Hat (nodejs), Slackware (httpd and nghttp2), SUSE (avahi, gradle, gradle-bootstrap, and squid), and Ubuntu (xorg-server, xwayland).
---------------------------------------------
https://lwn.net/Articles/968561/
∗∗∗ Lexmark: High-risk vulnerabilities allow code injection on printers ∗∗∗
---------------------------------------------
Lexmark warns of security vulnerabilities in various printer firmware versions. Attackers can inject malicious code. Updates are available.
---------------------------------------------
https://heise.de/-9675861
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 03-04-2024 18:00 − Thursday 04-04-2024 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ SurveyLama data breach exposes info of 4.4 million users ∗∗∗
---------------------------------------------
In early February, HIBP's creator, Troy Hunt, received information about a data breach impacting the service, which involved various data types, including: dates of birth, email addresses, IP addresses, full names, passwords, phone numbers, physical addresses [..] The data set contains information about 4,426,879 accounts and was added to HIBP yesterday, so impacted users should have already received an email notification.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/surveylama-data-breach-expos…
∗∗∗ New HTTP/2 DoS attack can crash web servers with a single connection ∗∗∗
---------------------------------------------
Newly discovered HTTP/2 protocol vulnerabilities called "CONTINUATION Flood" can lead to denial of service (DoS) attacks, crashing web servers with a single TCP connection in some implementations.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-http-2-dos-attack-can-cr…
∗∗∗ Attack with new ransomware: SEXi hackers encrypt ESXi servers ∗∗∗
---------------------------------------------
The new SEXi ransomware was recently used in a Powerhost data center. Some of the affected customer systems are apparently not recoverable. [..] The name appears to be a play on words, as the attackers are evidently targeting VMware ESXi servers with it.
---------------------------------------------
https://www.golem.de/news/angriff-mit-neuer-ransomware-sexi-hacker-verschlu…
∗∗∗ Windows NTLM credentials vulnerability CVE-2024-21320: fix by 0patch ∗∗∗
---------------------------------------------
Windows has a vulnerability (CVE-2024-21320) that exposes NTLM credentials via Windows themes. Microsoft did patch CVE-2024-21320 in January 2024. That patch provides a policy to prevent the retrieval of NTLM credentials when theme files are located on network shares. ACROS Security has now released a micropatch for the 0patch agent that closes the vulnerability in general (without a registry change).
---------------------------------------------
https://www.borncity.com/blog/2024/04/04/windows-ntlm-credentials-schwachst…
∗∗∗ Latrodectus: This Spider Bytes Like Ice ∗∗∗
---------------------------------------------
We share Proofpoint’s assessment that Latrodectus will become increasingly used by financially motivated threat actors across the criminal landscape, particularly those who previously distributed IcedID. This research highlights the value of collaborative work between commercial threat intelligence companies, piecing together distinct viewpoints to provide a more complete picture of malicious activities.
---------------------------------------------
https://www.team-cymru.com/post/latrodectus-this-spider-bytes-like-ice
∗∗∗ Byakugan – The Malware Behind a Phishing Attack ∗∗∗
---------------------------------------------
FortiGuard Labs has uncovered the Byakugan malware behind a recent malware campaign distributed by malicious PDF files [..] In January 2024, FortiGuard Labs collected a PDF file written in Portuguese that distributes a multi-functional malware known as Byakugan. While investigating this campaign, a report about it was published. Therefore, this report will only provide a brief analysis of the overlap between that attack and this and focus primarily on the details of the infostealer.
---------------------------------------------
https://www.fortinet.com/blog/threat-research/byakugan-malware-behind-a-phi…
∗∗∗ Political parties increasingly targeted by cyberattacks ahead of the EU election ∗∗∗
---------------------------------------------
Cyber attackers currently appear to be focusing heavily on political actors and parties. The danger is said to come especially from so-called hack-and-leak attacks.
---------------------------------------------
https://heise.de/-9674511
=====================
= Vulnerabilities =
=====================
∗∗∗ Ivanti fixes VPN gateway vulnerability allowing RCE, DoS attacks ∗∗∗
---------------------------------------------
IT security software company Ivanti has released patches to fix multiple security vulnerabilities impacting its Connect Secure and Policy Secure gateways. Unauthenticated attackers can exploit one of them, a high-severity flaw tracked as CVE-2024-21894, to gain remote code execution and trigger denial of service states on unpatched appliances in low-complexity attacks that don't require user interaction.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ivanti-fixes-vpn-gateway-vul…
∗∗∗ Cisco Security Advisories 2024-04-03 ∗∗∗
---------------------------------------------
Security Impact Rating: 1x High, 11x Medium
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs…
∗∗∗ CISA Adds Two Known Exploited Vulnerabilities to Catalog ∗∗∗
---------------------------------------------
CVE-2024-29745 Android Pixel Information Disclosure Vulnerability, CVE-2024-29748 Android Pixel Privilege Escalation Vulnerability
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/04/04/cisa-adds-two-known-expl…
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Hitachi Energy Asset Suite 9 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-095-01
∗∗∗ Schweitzer Engineering Laboratories SEL ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-095-02
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 02-04-2024 18:00 − Wednesday 03-04-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ NIS2 review procedure started ∗∗∗
---------------------------------------------
On 3 April 2024, the government sent the Cybersecurity Act for the European NIS2 regulation out for review.
---------------------------------------------
https://www.bmi.gv.at/news.aspx?id=7567384169746C75366D413D
∗∗∗ Criticism after cyberattack: Microsoft does not have its crown jewels under control ∗∗∗
---------------------------------------------
A cyberattack on Microsoft's servers detected in summer 2023 had devastating consequences for some customers. A US commission is now levelling serious accusations against the company.
---------------------------------------------
https://www.golem.de/news/us-kommission-aeussert-kritik-hackerangriff-auf-m…
∗∗∗ The Mystery of ‘Jia Tan,’ the XZ Backdoor Mastermind ∗∗∗
---------------------------------------------
As scrutiny around Jia Tan has mounted since the revelation of the XZ Utils backdoor last Friday, researchers have noted that the persona has remarkably good operational security. [..] The Jia Tan persona has vanished since the backdoor was discovered [..] In fact, the only real footprints Jia Tan appears to have left behind were their contributions to the open source development community, where they were a prolific contributor: Disturbingly, Jia Tan’s first code change was to the “libarchive” compression library, another very widely used open source component. [..] In total, Jia Tan made 6,000 code changes to at least seven projects between 2021 and February 2024 [..] Security researchers agree, at least, that it’s unlikely that Jia Tan is a real person, or even one person working alone. Instead, it seems clear that the persona was the online embodiment of a new tactic from a new, well-organized organization—a tactic that nearly worked.
---------------------------------------------
https://www.wired.com/story/jia-tan-xz-backdoor/
∗∗∗ XZ Utils Backdoor Attack Brings Another Similar Incident to Light ∗∗∗
---------------------------------------------
In a post on Mastodon, Hans-Christoph Steiner, a maintainer of F-Droid, recalled a similar story from 2020, when an individual attempted to get F-Droid developers to add what later was determined to be a SQL injection vulnerability. That attempt was unsuccessful, but has some similarities to the XZ incident.
---------------------------------------------
https://www.securityweek.com/xz-utils-backdoor-attack-brings-another-simila…
∗∗∗ Distinctive Campaign Evolution of Pikabot Malware ∗∗∗
---------------------------------------------
PikaBot is a malicious backdoor that has been active since early 2023. Its modular design is comprised of a loader and a core component. [..] During February 2024, McAfee Labs observed a significant change in the campaigns that distribute Pikabot.
---------------------------------------------
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/distinctive-campaign-e…
∗∗∗ High mobile phone bill due to an unwanted subscription? ∗∗∗
---------------------------------------------
Your mobile provider suddenly informs you by email or SMS that you have taken out a subscription. But you are sure you never agreed to any contract and have no idea how this happened? We show you what you can do about dubious charges on your mobile phone bill and how to protect yourself from subscription traps.
---------------------------------------------
https://www.watchlist-internet.at/news/hohe-handyrechnung-durch-ungewolltes…
∗∗∗ Another Path to Exploiting CVE-2024-1212 in Progress Kemp LoadMaster ∗∗∗
---------------------------------------------
Rhino Labs discovered a pre-authentication command injection vulnerability in the Progress Kemp LoadMaster. [..] This was a really cool find by Rhino Labs. Here I add one additional exploitation path and some additional ways to test for this vulnerability.
---------------------------------------------
https://medium.com/tenable-techblog/another-path-to-exploiting-cve-2024-121…
∗∗∗ Unveiling the Fallout: Operation Cronos Impact on LockBit Following Landmark Disruption ∗∗∗
---------------------------------------------
Our new article provides key highlights and takeaways from Operation Cronos' disruption of LockBit's operations, as well as telemetry details on how LockBit actors operated post-disruption.
---------------------------------------------
https://www.trendmicro.com/en_us/research/24/d/operation-cronos-aftermath.h…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (py7zr), Fedora (biosig4c++ and podman), Oracle (kernel, kernel-container, and ruby:3.1), Red Hat (.NET 7.0, bind9.16, curl, expat, grafana, grafana-pcp, kernel, kernel-rt, kpatch-patch, less, opencryptoki, and postgresql-jdbc), and Ubuntu (cacti).
---------------------------------------------
https://lwn.net/Articles/968218/
∗∗∗ Critical Vulnerability Found in LayerSlider Plugin Installed on a Million WordPress Sites ∗∗∗
---------------------------------------------
A critical SQL injection vulnerability in the LayerSlider WordPress plugin allows attackers to extract sensitive information.
---------------------------------------------
https://www.securityweek.com/critical-vulnerability-found-in-layerslider-pl…
∗∗∗ CVE-2024-0394: Rapid7 Minerva Armor Privilege Escalation (FIXED) ∗∗∗
---------------------------------------------
Rapid7 is disclosing CVE-2024-0394, a privilege escalation vulnerability in Rapid7 Minerva’s Armor product family. The root cause of this vulnerability is Minerva’s implementation of OpenSSL’s OPENSSLDIR parameter, which was set to a path accessible to low-privileged users.
---------------------------------------------
https://www.rapid7.com/blog/post/2024/04/03/cve-2024-0394-rapid7-minerva-ar…
∗∗∗ Android patch day: attackers can gain elevated privileges ∗∗∗
---------------------------------------------
Besides Google, Samsung and other manufacturers have also released important security updates for Android devices.
---------------------------------------------
https://heise.de/-9673480
∗∗∗ Code injection vulnerability in VMware SD-WAN Edge and Orchestrator ∗∗∗
---------------------------------------------
Three vulnerabilities in VMware's SD-WAN Edge and Orchestrator allow attackers, among other things, to inject malicious code.
---------------------------------------------
https://heise.de/-9673416
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Mozilla: Security Vulnerabilities fixed in Firefox for iOS 124 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2024-17/
∗∗∗ Unify: Credentials disclosure vulnerability in Unify OpenScape Desk Phones CP ∗∗∗
---------------------------------------------
https://networks.unify.com/security/advisories/OBSO-2404-01.pdf
=====================
= End-of-Day report =
=====================
Timeframe: Friday 29-03-2024 18:00 − Tuesday 02-04-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ State-sponsored "development" of open-source software ∗∗∗
---------------------------------------------
Anyone looking for a short summary of the events surrounding the (most likely) backdoor in xz, CVE-2024-3094, should take a look at this graphic created by security researcher Thomas Roccia. It summarizes the most important details, which are examined in much greater depth in the following paragraphs. Alternatively, this blog post could have had a much snappier title: "CVE-2024-3094", because that is what this post is about.
---------------------------------------------
https://cert.at/de/blog/2024/4/staatlich-gesponserte-entwicklung-quelloffen…
∗∗∗ The amazingly scary xz sshd backdoor, (Mon, Apr 1st) ∗∗∗
---------------------------------------------
The whole story around this is both fascinating and scary – and I’m sure will be told around numerous times, so in this diary I will put some technical things about the backdoor that I reversed for quite some time (and I have a feeling I could spend 2 more weeks on this). [..] Let’s take a look at a couple of fascinating things in this backdoor.
---------------------------------------------
https://isc.sans.edu/diary/rss/30802
∗∗∗ On Cybersecurity Alert Levels ∗∗∗
---------------------------------------------
Last week I was invited to provide input to a tabletop exercise for city-level crisis managers on cyber security risks and the role of CSIRTs. The organizers brought a color-coded threat-level sheet (based on the CISA Alert Levels) to the discussion and asked whether we also do color-coded alerts in Austria and what I think of these systems. My answer was negative on both questions, and I think it might be useful if I explain my rationale here.
---------------------------------------------
https://cert.at/en/blog/2024/4/on-cybersecurity-alert-levels
∗∗∗ Heartbleed is 10 Years Old – Farewell Heartbleed, Hello QuantumBleed! ∗∗∗
---------------------------------------------
Heartbleed made most certificates vulnerable. The future problem is that quantum decryption will make all certificates and everything else using RSA encryption vulnerable to everyone.
---------------------------------------------
https://www.securityweek.com/heartbleed-is-10-years-old-farewell-heartbleed…
∗∗∗ From OneNote to RansomNote: An Ice Cold Intrusion ∗∗∗
---------------------------------------------
In late February 2023, threat actors rode a wave of initial access using Microsoft OneNote files. In this case, we observed a threat actor deliver IcedID using this method. After loading IcedID and establishing persistence, there were no further actions, other than beaconing for over 30 days. The threat actor used Cobalt Strike and AnyDesk to target a file server and a backup server. The threat actor used FileZilla to exfiltrate data from the network before deploying Nokoyawa ransomware.
---------------------------------------------
https://thedfirreport.com/2024/04/01/from-onenote-to-ransomnote-an-ice-cold…
∗∗∗ Adversaries are leveraging remote access tools now more than ever — here’s how to stop them ∗∗∗
---------------------------------------------
While there are many legitimate uses for this software, adversaries are also finding ways to use them for command and control in their campaigns.
---------------------------------------------
https://blog.talosintelligence.com/adversaries-are-leveraging-remote-access…
∗∗∗ Earth Freybug Uses UNAPIMON for Unhooking Critical APIs ∗∗∗
---------------------------------------------
This article provides an in-depth look into two techniques used by Earth Freybug actors: dynamic-link library (DLL) hijacking and application programming interface (API) unhooking to prevent child processes from being monitored via a new malware we’ve discovered and dubbed UNAPIMON.
---------------------------------------------
https://www.trendmicro.com/en_us/research/24/d/earth-freybug.html
=====================
= Vulnerabilities =
=====================
∗∗∗ Update #1: Critical vulnerability/backdoor in xz-utils (CVE-2024-3094) ∗∗∗
---------------------------------------------
A backdoor has been discovered in versions 5.6.0 and 5.6.1 of the widely used xz-utils library. xz-utils is commonly used to compress software packages, kernel images and initramfs images. The vulnerability allows unauthenticated attackers to bypass sshd authentication on vulnerable systems and gain unauthorized access to the entire system. We currently have no information about active exploitation.
---------------------------------------------
https://cert.at/de/warnungen/2024/3/kritische-sicherheitslucke-in-fedora-41…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (xz), Debian (libvirt, mediawiki, util-linux, and xz-utils), Fedora (apache-commons-configuration, cockpit, ghc-base64, ghc-hakyll, ghc-isocline, ghc-toml-parser, gitit, gnutls, pandoc, pandoc-cli, patat, podman-tui, prometheus-podman-exporter, seamonkey, suricata, and xen), Gentoo (XZ utils), Mageia (aide & mhash, emacs, microcode, opensc, and squid), Red Hat (ruby:3.1), and SUSE (kanidm and qpid-proton).
---------------------------------------------
https://lwn.net/Articles/967851/
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (kernel and webkitgtk), Mageia (unixODBC and w3m), and SUSE (libvirt, netty, netty-tcnative, and perl-DBD-SQLite).
---------------------------------------------
https://lwn.net/Articles/967959/
∗∗∗ Security Flaw in WP-Members Plugin Leads to Script Injection ∗∗∗
---------------------------------------------
A cross-site scripting vulnerability in the WP-Members Membership plugin could allow attackers to inject scripts into user profile pages.
---------------------------------------------
https://www.securityweek.com/security-flaw-in-wp-members-plugin-leads-to-sc…
∗∗∗ Bitdefender has patched a high-risk vulnerability ∗∗∗
---------------------------------------------
A vulnerability allowed attackers to escalate their privileges on computers running Bitdefender antivirus. The vulnerability has been closed.
---------------------------------------------
https://heise.de/-9672841
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ F5: K000139092 : DNS vulnerability CVE-2023-50387 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000139092
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 28-03-2024 18:00 − Friday 29-03-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Doctor Web’s January 2024 review of virus activity on mobile devices ∗∗∗
---------------------------------------------
According to detection statistics collected by the Dr.Web for Android anti-virus, in January 2024, users were most likely to encounter Android.HiddenAds trojan applications; these were detected on protected devices 54.45% more often than in December 2023. At the same time, the activity of another adware trojan family, Android.MobiDash, remained virtually unchanged, increasing by only 0.90%.
---------------------------------------------
https://news.drweb.com/show/review/?lng=en&i=14833
∗∗∗ Quick Forensics Analysis of Apache logs, (Fri, Mar 29th) ∗∗∗
---------------------------------------------
Sometimes, you have to quickly investigate a web server's logs for potential malicious activity. If you're lucky, logs are already indexed in real-time in a log management solution and you can automatically launch some hunting queries. If that's not the case, you can download all logs on a local system or a cloud instance and index them manually. But it's not always the easiest/fastest way due to the amount of data to process. These days, I'm always trying to process data as close as possible to their location/source and only download the investigation results.
---------------------------------------------
https://isc.sans.edu/diary/rss/30792
∗∗∗ New Linux Bug Could Lead to User Password Leaks and Clipboard Hijacking ∗∗∗
---------------------------------------------
Details have emerged about a vulnerability impacting the "wall" command of the util-linux package that could be potentially exploited by a bad actor to leak a user's password or alter the clipboard on certain Linux distributions. The bug, tracked as CVE-2024-28085, has been codenamed WallEscape by security researcher Skyler Ferrante.
---------------------------------------------
https://thehackernews.com/2024/03/new-linux-bug-could-lead-to-user.html
∗∗∗ Dormakaba Locks Used in Millions of Hotel Rooms Could Be Cracked in Seconds ∗∗∗
---------------------------------------------
Security vulnerabilities discovered in Dormakaba's Saflok electronic RFID locks used in hotels could be weaponized by threat actors to forge keycards and stealthily slip into locked rooms. [..] They were reported to the Zurich-based company in September 2022. [..] Dormakaba is estimated to have updated or replaced 36% of the impacted locks as of March 2024 as part of a rollout process that commenced in November 2023. Some of the vulnerable locks have been in use since 1988.
---------------------------------------------
https://thehackernews.com/2024/03/dormakaba-locks-used-in-millions-of.html
∗∗∗ Pentagon Outlines Cybersecurity Strategy for Defense Industrial Base ∗∗∗
---------------------------------------------
US Defense Department releases defense industrial base cybersecurity strategy with a focus on four key goals. [..] The cybersecurity strategy published this week covers fiscal years 2024 through 2027 and its primary mission is to ensure the generation, reliability and preservation of warfighting capabilities by protecting operational capabilities, sensitive information, and product integrity.
---------------------------------------------
https://www.securityweek.com/pentagon-outlines-cybersecurity-strategy-for-d…
∗∗∗ Email about a "questionable transaction" leads to malware ∗∗∗
---------------------------------------------
Criminals are currently sending emails indiscriminately to companies with the subject "Questionable Transaction on Credit Card - Need Explanation". The criminals ask the recipient to reply to the email to explain where the "questionable transaction" on the credit card came from. Anyone who replies promptly receives a new email. This time, an account statement is attached as proof. At least, that is what the criminals claim.
---------------------------------------------
https://www.watchlist-internet.at/news/e-mail-ueber-fragwuerdige-transaktio…
∗∗∗ Stories from the SOC Part 1: IDAT Loader to BruteRatel ∗∗∗
---------------------------------------------
In August 2023, Rapid7 identified a new malware loader named the IDAT Loader. Malware loaders are a type of malicious software designed to deliver and execute additional malware onto a victim's system. [..] In this two-part blog series, we will examine the attack chain observed in two separate incidents, offering in-depth analysis of the malicious behavior detected.
---------------------------------------------
https://www.rapid7.com/blog/post/2024/03/28/stories-from-the-soc-part-1-ida…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium), Fedora (apache-commons-configuration, chromium, csmock, ofono, onnx, php-tcpdf, and podman-tui), Mageia (curl), Oracle (libreoffice), Slackware (coreutils, seamonkey, and util), SUSE (minidlna, PackageKit, and podman), and Ubuntu (linux-azure-6.5 and linux-intel-iotg, linux-intel-iotg-5.15).
---------------------------------------------
https://lwn.net/Articles/967134/
∗∗∗ 26 Security Issues Patched in TeamCity ∗∗∗
---------------------------------------------
TeamCity 2024.03, released on March 27, patches 26 ‘security problems’, according to JetBrains. The company highlighted that it’s not sharing the details of security-related issues “to avoid compromising clients that keep using previous bugfix and/or major versions of TeamCity”.
---------------------------------------------
https://www.securityweek.com/26-security-issues-patched-in-teamcity/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ F5: K000139084 : DNS vulnerability CVE-2023-50868 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000139084
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 27-03-2024 18:00 − Thursday 28-03-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ New Darcula phishing service targets iPhone users via iMessage ∗∗∗
---------------------------------------------
A new phishing-as-a-service (PhaaS) named Darcula uses 20,000 domains to spoof brands and steal credentials from Android and iPhone users in more than 100 countries.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-darcula-phishing-service…
∗∗∗ Cisco warns of password-spraying attacks targeting VPN services ∗∗∗
---------------------------------------------
Cisco has shared a set of recommendations for customers to mitigate password-spraying attacks that have been targeting Remote Access VPN (RAVPN) services configured on Cisco Secure Firewall devices.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cisco-warns-of-password-spra…
∗∗∗ DinodasRAT Linux implant targeting entities worldwide ∗∗∗
---------------------------------------------
In this article, we share our analysis of a recent version of the DinodasRAT implant for Linux, which may have been active since 2022.
---------------------------------------------
https://securelist.com/dinodasrat-linux-implant/112284/
∗∗∗ From JavaScript to AsyncRAT, (Thu, Mar 28th) ∗∗∗
---------------------------------------------
It has been a while since I found an interesting piece of JavaScript. This one was pretty well obfuscated. It was called “_Rechnung_01941085434_PDF.js” (Invoice in German) with a low VT score.
---------------------------------------------
https://isc.sans.edu/diary/rss/30788
∗∗∗ Android Malware Vultur Expands Its Wingspan ∗∗∗
---------------------------------------------
The authors behind Android banking malware Vultur have been spotted adding new technical features, which allow the malware operator to further remotely interact with the victim’s mobile device. [..] In this blog we provide a comprehensive analysis of Vultur, beginning with an overview of its infection chain.
---------------------------------------------
https://research.nccgroup.com/2024/03/28/android-malware-vultur-expands-its…
∗∗∗ Netz-digitalisierung.com opens accounts in your name! ∗∗∗
---------------------------------------------
Tempting side-job offers as an app tester or study participant via the site netz-digitalisierung.com lead to identity theft! The criminals open accounts in your name and may use them for criminal purposes.
---------------------------------------------
https://www.watchlist-internet.at/news/jobbetrug-netz-digitalisierungcom/
∗∗∗ Pre-ransomware activity: threat actors are still, and increasingly, using CitrixBleed (CVE-2023-4966) for initial access ∗∗∗
---------------------------------------------
We are currently aware of several ransomware incidents in Austria in which, with very high probability, CitrixBleed (CVE-2023-4966) was used as the primary attack vector for initial access to the organizations' networks. A patch has been available for quite some time.
---------------------------------------------
https://cert.at/de/aktuelles/2024/3/pre-ransomware-aktivitat-schadakteure-n…
∗∗∗ Too much malicious code yet again: no new projects for the Python registry PyPI ∗∗∗
---------------------------------------------
A flood of packages containing malicious code has prompted the operators of the Python Package Index to halt the registration of new projects and users.
---------------------------------------------
https://heise.de/-9670240
=====================
= Vulnerabilities =
=====================
∗∗∗ Nvidia's newborn ChatRTX bot patched for security bugs ∗∗∗
---------------------------------------------
ChatRTX, formerly known as Chat with RTX, was launched in February to provide Nvidia GPU owners with an AI chatbot that could run locally on RTX 30 and 40-series hardware with at least 8 GB of VRAM. [..] CVE‑2024‑0083 could allow attackers to perform denial of service attacks, steal data, and even perform remote code execution (RCE).
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2024/03/28/nvidia_chatr…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (perl-Data-UUID, python-pygments, and thunderbird), Mageia (clojure, grub2, kernel,kmod-xtables-addons,kmod-virtualbox, kernel-linus, nss firefox, nss, python3, python, tcpreplay, and thunderbird), Oracle (nodejs:18), Red Hat (.NET 6.0 and dnsmasq), SUSE (avahi and python39), and Ubuntu (curl, linux-intel-iotg, linux-intel-iotg-5.15, unixodbc, and util-linux).
---------------------------------------------
https://lwn.net/Articles/966961/
∗∗∗ Splunk Patches Vulnerabilities in Enterprise Product ∗∗∗
---------------------------------------------
Splunk patches high-severity vulnerabilities in Enterprise, including an authentication token exposure issue.
---------------------------------------------
https://www.securityweek.com/splunk-patches-vulnerabilities-in-enterprise-p…
∗∗∗ New SugarCRM versions close critical vulnerabilities ∗∗∗
---------------------------------------------
The new versions SugarCRM 13.03 and 12.05 close a total of 18 vulnerabilities, some of them critical.
---------------------------------------------
https://heise.de/-9670436
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (March 18, 2024 to March 24, 2024) ∗∗∗
---------------------------------------------
https://www.wordfence.com/blog/2024/03/wordfence-intelligence-weekly-wordpr…
∗∗∗ Synology-SA-24:05 Synology Surveillance Station Client ∗∗∗
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_24_05
∗∗∗ Synology-SA-24:04 Surveillance Station ∗∗∗
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_24_04
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 26-03-2024 18:00 − Wednesday 27-03-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Ransomware as a Service and the Strange Economics of the Dark Web ∗∗∗
---------------------------------------------
Ransomware is quickly changing in 2024, with massive disruptions and large gangs shutting down. Learn from Flare how affiliate competition is changing in 2024, and what might come next.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ransomware-as-a-service-and-…
∗∗∗ CISA tags Microsoft SharePoint RCE bug as actively exploited ∗∗∗
---------------------------------------------
CISA warns that attackers are now exploiting a Microsoft SharePoint code injection vulnerability that can be chained with a critical privilege escalation flaw for pre-auth remote code execution attacks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cisa-tags-microsoft-sharepoi…
∗∗∗ Row breaks out over true severity of two DNSSEC flaws ∗∗∗
---------------------------------------------
Two DNSSEC vulnerabilities were disclosed last month with similar descriptions and the same severity score, but they are not the same issue.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2024/03/26/software_ris…
∗∗∗ Fake Booking.com contact numbers lure you into a trap! ∗∗∗
---------------------------------------------
Beware of fraudulent telephone numbers when you google Booking.com contact information. Criminals create fake websites with the Booking logo and display telephone numbers on them.
---------------------------------------------
https://www.watchlist-internet.at/news/gefaelschte-bookingcom-kontaktnummer…
∗∗∗ Advanced Nmap Scanning Techniques ∗∗∗
---------------------------------------------
Beyond its fundamental port scanning capabilities, Nmap offers a suite of advanced techniques designed to uncover vulnerabilities, bypass security measures, and gather valuable insights about target systems.
---------------------------------------------
https://cybersecurity.att.com/blogs/security-essentials/advanced-nmap-scann…
=====================
= Vulnerabilities =
=====================
∗∗∗ Hackers exploit Ray framework flaw to breach servers, hijack resources ∗∗∗
---------------------------------------------
A new hacking campaign dubbed "ShadowRay" targets an unpatched vulnerability in Ray, a popular open-source AI framework, to hijack computing power and leak sensitive data from thousands of companies.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-exploit-ray-framewor…
∗∗∗ Microsoft Edge Bug Could Have Allowed Attackers to Silently Install Malicious Extensions ∗∗∗
---------------------------------------------
A now-patched security flaw in the Microsoft Edge web browser could have been abused to install arbitrary extensions on users' systems and carry out malicious actions.
---------------------------------------------
https://thehackernews.com/2024/03/microsoft-edge-bug-could-have-allowed.html
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (composer and nodejs), Fedora (w3m), Mageia (tomcat), Oracle (expat, firefox, go-toolset:ol8, grafana, grafana-pcp, nodejs:18, and thunderbird), Red Hat (dnsmasq, expat, kernel, kernel-rt, libreoffice, and squid), and SUSE (firefox, krb5, libvirt, and shadow).
---------------------------------------------
https://lwn.net/Articles/966835/
∗∗∗ Exposing a New BOLA Vulnerability in Grafana ∗∗∗
---------------------------------------------
Unit 42 researchers discovered CVE-2024-1313, a broken object level authorization (BOLA) vulnerability in open-source data visualization platform Grafana.
---------------------------------------------
https://unit42.paloaltonetworks.com/new-bola-vulnerability-grafana/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Cisco Security Advisories 2024-03-27 ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs…
∗∗∗ Splunk Security Advisories ∗∗∗
---------------------------------------------
https://advisory.splunk.com/advisories
∗∗∗ Google Chrome: critical vulnerability threatens browser users ∗∗∗
---------------------------------------------
https://heise.de/-9668035
=====================
= End-of-Day report =
=====================
Timeframe: Monday 25-03-2024 18:00 − Tuesday 26-03-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Free VPN apps on Google Play turned Android phones into proxies ∗∗∗
---------------------------------------------
Over 15 free VPN apps on Google Play were found using a malicious software development kit that turned Android devices into unwitting residential proxies, likely used for cybercrime and shopping bots.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/free-vpn-apps-on-google-play…
∗∗∗ New tool: linux-pkgs.sh, (Sun, Mar 24th) ∗∗∗
---------------------------------------------
During a recent Linux forensic engagement, a colleague asked if there was any way to tell what packages were installed on a victim image. As we talk about in FOR577, depending on which tool you run on a live system and how you define "installed" you may get different answers, but at least on the live system you can use things like apt list or dpkg -l or rpm -qa or whatever to try to list them, but if all you have is a disk image, what do you do?
---------------------------------------------
https://isc.sans.edu/diary/rss/30774
∗∗∗ Agent Tesla's New Ride: The Rise of a Novel Loader ∗∗∗
---------------------------------------------
This blog provides an in-depth analysis of a newly identified loader, highlighting the attack's evasiveness and the advanced tactics, techniques, and procedures (TTPs) used in both the loader and its command and control (C2) framework.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/agent-tesla…
∗∗∗ The Darkside of TheMoon ∗∗∗
---------------------------------------------
The Black Lotus Labs team at Lumen Technologies has identified a multi-year campaign targeting end-of-life (EoL) small home/small office (SOHO) routers and IoT devices, associated with an updated version of “TheMoon” malware. [..] While Lumen has previously documented this malware family, our latest tracking has shown TheMoon appears to enable Faceless’ growth at a rate of nearly 7,000 new users per week. Through Lumen’s global network visibility, Black Lotus Labs has identified the logical map of the Faceless proxy service, including a campaign that began in the first week of March 2024 that targeted over 6,000 ASUS routers in less than 72 hours.
---------------------------------------------
https://blog.lumen.com/the-darkside-of-themoon/
∗∗∗ Recent ‘MFA Bombing’ Attacks Targeting Apple Users ∗∗∗
---------------------------------------------
Several Apple customers recently reported being targeted in elaborate phishing attacks that involve what appears to be a bug in Apple's password reset feature. In this scenario, a target's Apple devices are forced to display dozens of system-level prompts that prevent the devices from being used until the recipient responds "Allow" or "Don't Allow" to each prompt. [..] But the attackers in this campaign had an ace up their sleeves: Patel said after denying all of the password reset prompts from Apple, he received a call on his iPhone that said it was from Apple Support (the number displayed was 1-800-275-2273, Apple’s real customer support line).
---------------------------------------------
https://krebsonsecurity.com/2024/03/recent-mfa-bombing-attacks-targeting-ap…
∗∗∗ Suspicious NuGet Package Harvesting Information From Industrial Systems ∗∗∗
---------------------------------------------
A suspicious NuGet package likely targets developers working with technology from Chinese firm Bozhon.
---------------------------------------------
https://www.securityweek.com/suspicious-nuget-package-harvesting-informatio…
∗∗∗ Agenda Ransomware Propagates to vCenters and ESXi via Custom PowerShell Script ∗∗∗
---------------------------------------------
This blog entry discusses the Agenda ransomware group's use of its latest Rust variant to propagate to VMware vCenter and ESXi servers.
---------------------------------------------
https://www.trendmicro.com/en_us/research/24/c/agenda-ransomware-propagates…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (kernel), Debian (firefox-esr), Fedora (webkitgtk), Mageia (curaengine & blender and gnutls), Red Hat (firefox, grafana, grafana-pcp, libreoffice, nodejs:18, and thunderbird), SUSE (glade), and Ubuntu (crmsh, debian-goodies, linux-aws, linux-aws-6.5, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-oracle, linux-azure, linux-azure-5.4, linux-oracle, linux-oracle-5.15, pam, and thunderbird).
---------------------------------------------
https://lwn.net/Articles/966678/
∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2024-0002 ∗∗∗
---------------------------------------------
Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. CVE identifiers: CVE-2024-23252, CVE-2024-23254, CVE-2024-23263, CVE-2024-23280, CVE-2024-23284, CVE-2023-42950, CVE-2023-42956, CVE-2023-42843.
---------------------------------------------
https://webkitgtk.org/security/WSA-2024-0002.html
∗∗∗ macOS 14.4.1 with plenty of bug fixes – security background on iOS 17.4.1 ∗∗∗
---------------------------------------------
On Monday evening Apple released another update for macOS 14. It fixes various bugs. In parallel there is information on iOS 17.4.1 and its fixes.
---------------------------------------------
https://heise.de/-9666170
∗∗∗ Load balancer: security vulnerabilities in Loadmaster from Progress/Kemp ∗∗∗
---------------------------------------------
The load balancer software Loadmaster from Progress/Kemp has security vulnerabilities through which attackers can, for example, inject commands.
---------------------------------------------
https://heise.de/-9666253
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Siemens: SSB-201698 V1.0: Risk for Denial of Service attack through Discovery and Basic Configuration Protocol (DCP) communication functionality ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssb-201698.html
∗∗∗ Rockwell Automation FactoryTalk View ME ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-086-04
∗∗∗ Rockwell Automation PowerFlex 527 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-086-02
∗∗∗ Rockwell Automation Arena Simulation ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-086-03
∗∗∗ Automation-Direct C-MORE EA9 HMI ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-086-01
=====================
= End-of-Day report =
=====================
Timeframe: Friday 22-03-2024 18:00 − Monday 25-03-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ New ZenHammer memory attack impacts AMD Zen CPUs ∗∗∗
---------------------------------------------
Academic researchers developed ZenHammer, the first variant of the Rowhammer DRAM attack that works on CPUs based on recent AMD Zen microarchitecture that map physical addresses on DDR4 and DDR5 memory chips.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-zenhammer-memory-attack-…
∗∗∗ New MFA-bypassing phishing kit targets Microsoft 365, Gmail accounts ∗∗∗
---------------------------------------------
Cybercriminals have been increasingly using a new phishing-as-a-service (PhaaS) platform named Tycoon 2FA to target Microsoft 365 and Gmail accounts and bypass two-factor authentication (2FA) protection. [..] In 2024, Tycoon 2FA released a new version that is stealthier, indicating a continuous effort to improve the kit. Currently, the service leverages 1,100 domains and has been observed in thousands of phishing attacks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-mfa-bypassing-phishing-k…
∗∗∗ Hackers Hijack GitHub Accounts in Supply Chain Attack Affecting Top-gg and Others ∗∗∗
---------------------------------------------
Unidentified adversaries orchestrated a sophisticated attack campaign that has impacted several individual developers as well as the GitHub organization account associated with Top.gg, a Discord bot discovery site. [..] The software supply chain attack is said to have led to the theft of sensitive information, including passwords, credentials, and other valuable data.
---------------------------------------------
https://thehackernews.com/2024/03/hackers-hijack-github-accounts-in.html
∗∗∗ New Go loader pushes Rhadamanthys stealer ∗∗∗
---------------------------------------------
A malicious ad for the popular admin tool PuTTY leads victims to a fake site that downloads malware.
---------------------------------------------
https://www.malwarebytes.com/blog/threat-intelligence/2024/03/new-go-loader…
∗∗∗ Phishing with fake invoices from law firms ∗∗∗
---------------------------------------------
According to BlueVoyant, the attackers pose as law firms and abuse the trust their victims place in "reputable" lawyers. [..] The NaurLegal campaign feigns legitimacy by creating and sending PDF files with legitimate-looking file names such as „Rechnung_[Nummer]_von_[Name der Anwaltskanzlei].pdf“. [..] The infrastructure of the NaurLegal campaign includes domains linked to WikiLoader, whose follow-on activity suggests attribution to this malware family. WikiLoader is known for sophisticated obfuscation techniques, such as checking Wikipedia responses for specific strings in order to evade sandbox environments.
---------------------------------------------
https://www.zdnet.de/88414996/phishing-mit-gefaelschten-rechnungen-von-anwa…
∗∗∗ CISA and FBI Release Secure by Design Alert to Urge Manufacturers to Eliminate SQL Injection Vulnerabilities ∗∗∗
---------------------------------------------
Today, CISA and the Federal Bureau of Investigation (FBI) released a joint Secure by Design Alert, Eliminating SQL Injection Vulnerabilities in Software. This Alert was crafted in response to a recent, well-publicized exploitation of SQL injection (SQLi) defects in a managed file transfer application that impacted thousands of organizations.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/03/25/cisa-and-fbi-release-sec…
∗∗∗ APT29 Uses WINELOADER to Target German Political Parties ∗∗∗
---------------------------------------------
In late February, APT29 used a new backdoor variant publicly tracked as WINELOADER to target German political parties with a CDU-themed lure. This is the first time we have seen this APT29 cluster target political parties, indicating a possible area of emerging operational focus beyond the typical targeting of diplomatic missions. Based on the SVR’s responsibility to collect political intelligence and this APT29 cluster’s historical targeting patterns, we judge this activity to present a broad threat to European and other Western political parties from across the political spectrum.
---------------------------------------------
https://www.mandiant.com/resources/blog/apt29-wineloader-german-political-p…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (cacti, firefox-esr, freeipa, gross, libnet-cidr-lite-perl, python2.7, python3.7, samba, and thunderbird), Fedora (amavis, chromium, clojure, firefox, gnutls, kubernetes, and tcpreplay), Mageia (freeimage, libreswan, nodejs-hawk, and python, python3), Oracle (golang, nodejs, nodejs:16, and postgresql-jdbc), Slackware (emacs and mozilla), SUSE (dav1d, ghostscript, go1.22, indent, kernel, openvswitch, PackageKit, python-uamqp, rubygem-rack-1_4, shadow, ucode-intel, xen, and zziplib), and Ubuntu (firefox, graphviz, libnet-cidr-lite-perl, and qpdf).
---------------------------------------------
https://lwn.net/Articles/966611/
∗∗∗ Firefox: emergency update closes critical security vulnerabilities ∗∗∗
---------------------------------------------
The Mozilla developers have closed two critical security vulnerabilities with the update to Firefox 124.0.1 and Firefox ESR 115.9.1.
---------------------------------------------
https://heise.de/-9664148
∗∗∗ Security vulnerabilities in Microsoft's WiX installer toolset patched ∗∗∗
---------------------------------------------
Microsoft's open-source WiX installer toolset has two security vulnerabilities. Updated versions close them.
---------------------------------------------
https://heise.de/-9664602
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ MISP 2.4.188 released major performance improvements and many bugs fixed. ∗∗∗
---------------------------------------------
https://www.misp-project.org/2024/03/25/MISP.2.4.188.released.html/
∗∗∗ MISP 2.4.187 released with security fixes, new features and bugs fixes. ∗∗∗
---------------------------------------------
https://www.misp-project.org/2024/03/24/MISP.2.4.187.released.html/
∗∗∗ Tenable: [R1] Stand-alone Security Patch Available for Tenable Security Center versions 5.23.1, 6.1.1, 6.2.0 and 6.2.1: SC-202403.1 ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2024-06
∗∗∗ F5: K000138990 : BIND vulnerability CVE-2023-4408 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000138990
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 21-03-2024 18:00 − Friday 22-03-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Windows 11, Tesla, and Ubuntu Linux hacked at Pwn2Own Vancouver ∗∗∗
---------------------------------------------
On the first day of Pwn2Own Vancouver 2024, contestants demoed 19 zero-day vulnerabilities in Windows 11, Tesla, Ubuntu Linux and other devices and software to win $732,500 and a Tesla Model 3 car.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/windows-11-tesla-and-ubuntu-…
∗∗∗ Darknet marketplace Nemesis Market seized by German police ∗∗∗
---------------------------------------------
The German police have seized infrastructure for the darknet Nemesis Market cybercrime marketplace in Germany and Lithuania, disrupting the site's operation.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/darknet-marketplace-nemesis-…
∗∗∗ With forged keycards: hackers can open millions of hotel doors worldwide ∗∗∗
---------------------------------------------
More than three million doors in hotels and apartment buildings are vulnerable to attacks with forged RFID key cards. No expensive special equipment is required for this.
---------------------------------------------
https://www.golem.de/news/mit-gefaelschten-keycards-hacker-koennen-weltweit…
∗∗∗ Whois "geofeed" Data, (Thu, Mar 21st) ∗∗∗
---------------------------------------------
Attributing a particular IP address to a specific location is hard and often fails miserably.
---------------------------------------------
https://isc.sans.edu/diary/rss/30766
∗∗∗ Support email in the name of Marlene Engelhorn is fake! ∗∗∗
---------------------------------------------
Numerous emails are currently circulating in the name of the Austrian millionaire Marlene Engelhorn: she supposedly wants to support "aspiring entrepreneurs and local projects" with part of her inheritance. Warning: criminals are behind this email. Under no circumstances should you reply.
---------------------------------------------
https://www.watchlist-internet.at/news/fake-marlene-engelhorn/
∗∗∗ Large-Scale StrelaStealer Campaign in Early 2024 ∗∗∗
---------------------------------------------
We unravel the details of two large-scale StrelaStealer campaigns from 2023 and 2024. This email credential stealer has a new variant delivered through zipped JScript.
---------------------------------------------
https://unit42.paloaltonetworks.com/strelastealer-campaign/
∗∗∗ “Pig butchering” is an evolution of a social engineering tactic we’ve seen for years ∗∗∗
---------------------------------------------
In the case of pig butchering scams, it’s not really anything that can be solved by a cybersecurity solution or sold in a package.
---------------------------------------------
https://blog.talosintelligence.com/threat-source-newsletter-march-21-2024/
∗∗∗ Security versus openness – a commentary on Secure Boot ∗∗∗
---------------------------------------------
Secure Boot is complicated, fiddly and dominated by Microsoft. Instead we need open, secure systems, argues Christof Windeck.
---------------------------------------------
https://heise.de/-9659071
=====================
= Vulnerabilities =
=====================
∗∗∗ KDE advises extreme caution after theme wipes Linux users' files ∗∗∗
---------------------------------------------
On Wednesday, the KDE team warned Linux users to exercise "extreme caution" when installing global themes, even from the official KDE Store, because these themes run arbitrary code on devices to customize the desktop's appearance.
---------------------------------------------
https://www.bleepingcomputer.com/news/linux/kde-advises-extreme-caution-aft…
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr, pillow, and thunderbird), Fedora (apptainer, chromium, ovn, and webkitgtk), Mageia (apache-mod_auth_openidc, ffmpeg, fontforge, libuv, and nodejs-tough-cookie), Oracle (kernel, libreoffice, postgresql-jdbc, ruby:3.1, squid, and squid:4), Red Hat (go-toolset:rhel8 and libreoffice), SUSE (firefox, jbcrypt, trilead-ssh2, jsch-agent-proxy, kernel, tiff, and zziplib), and Ubuntu (linux-aws and openssl1.0).
---------------------------------------------
https://lwn.net/Articles/966415/
∗∗∗ Bringing Access Back — Initial Access Brokers Exploit F5 BIG-IP (CVE-2023-46747) and ScreenConnect ∗∗∗
---------------------------------------------
During the course of an intrusion investigation in late October 2023, Mandiant observed novel N-day exploitation of CVE-2023-46747 affecting F5 BIG-IP Traffic Management User Interface. Additionally, in February 2024, we observed exploitation of Connectwise ScreenConnect CVE-2024-1709 by the same actor.
---------------------------------------------
https://www.mandiant.com/resources/blog/initial-access-brokers-exploit-f5-s…
∗∗∗ Microsoft closes security vulnerability in Xbox gaming service – after some back and forth ∗∗∗
---------------------------------------------
Microsoft has patched a security hole in the Xbox Gaming Service. This was, however, preceded by a discussion.
---------------------------------------------
https://heise.de/-9662746
∗∗∗ Critical vulnerability in FortiClientEMS under attack ∗∗∗
---------------------------------------------
A critical vulnerability in FortiClientEMS is now being actively attacked. In addition, a proof-of-concept exploit has become public.
---------------------------------------------
https://heise.de/-9662866
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 20-03-2024 18:00 − Thursday 21-03-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Unpatchable vulnerability in Apple chip leaks secret encryption keys ∗∗∗
---------------------------------------------
A newly discovered vulnerability baked into Apple’s M-series of chips allows attackers to extract secret keys from Macs when they perform widely used cryptographic operations, academic researchers have revealed in a paper published Thursday.
---------------------------------------------
https://arstechnica.com/?p=2011812
∗∗∗ Spa Grand Prix email account hacked to phish banking info from fans ∗∗∗
---------------------------------------------
Hackers hijacked the official contact email for the Belgian Grand Prix event and used it to lure fans to a fake website promising a €50 gift voucher.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/spa-grand-prix-email-account…
∗∗∗ Evasive Sign1 malware campaign infects 39,000 WordPress sites ∗∗∗
---------------------------------------------
A previously unknown malware campaign called Sign1 has infected over 39,000 websites over the past six months, causing visitors to see unwanted redirects and popup ads. [..] While Sucuri's client was breached through a brute force attack, Sucuri has not shared how the other detected sites were compromised. However, based on previous WordPress attacks, it probably involves a combination of brute force attacks and exploiting plugin vulnerabilities to gain access to the site.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/evasive-sign1-malware-campai…
∗∗∗ AndroxGh0st Malware Targets Laravel Apps to Steal Cloud Credentials ∗∗∗
---------------------------------------------
Cybersecurity researchers have shed light on a tool referred to as AndroxGh0st that's used to target Laravel applications and steal sensitive data. [..] Earlier this January, U.S. cybersecurity and intelligence agencies warned of attackers deploying the AndroxGh0st malware to create a botnet for "victim identification and exploitation in target networks."
---------------------------------------------
https://thehackernews.com/2024/03/androxgh0st-malware-targets-laravel.html
∗∗∗ Vulnerability Allowed One-Click Takeover of AWS Service Accounts ∗∗∗
---------------------------------------------
The vulnerability, named FlowFixation by Tenable, has been patched by AWS and it can no longer be exploited, but the security company pointed out that its research uncovered a wider problem that may again emerge in the future.
---------------------------------------------
https://www.securityweek.com/vulnerability-allowed-one-click-takeover-of-aw…
∗∗∗ Fraudulent Europol SMS leads to malware ∗∗∗
---------------------------------------------
The mass-mailed fraudulent SMS claims that you are listed as a party in a EUROPOL case. To file an objection, you are supposed to install an app. Beware: you will install malware on your device and give criminals access to your data!
---------------------------------------------
https://www.watchlist-internet.at/news/fake-europol-sms/
∗∗∗ Curious Serpens’ FalseFont Backdoor: Technical Analysis, Detection and Prevention ∗∗∗
---------------------------------------------
Curious Serpens (aka Peach Sandstorm) is a known espionage group that has previously targeted the aerospace and energy sectors. FalseFont is the latest tool in Curious Serpens’ arsenal. The examples we analyzed show how the threat actors mimic legitimate human resources software, using a fake job recruitment process to trick victims into installing the backdoor.
---------------------------------------------
https://unit42.paloaltonetworks.com/curious-serpens-falsefont-backdoor/
∗∗∗ Rescoms rides waves of AceCryptor spam ∗∗∗
---------------------------------------------
Insight into ESET telemetry statistics about AceCryptor in H2 2023 with a focus on Rescoms campaigns in European countries.
---------------------------------------------
https://www.welivesecurity.com/en/eset-research/rescoms-rides-waves-acecryp…
∗∗∗ Warning Against Infostealer Disguised as Installer ∗∗∗
---------------------------------------------
The StealC malware disguised as an installer is being distributed en masse. It was identified as being downloaded via Discord, GitHub, Dropbox, etc. Considering the cases of distribution using similar routes, it is expected to redirect victims multiple times from a malicious webpage disguised as a download page for a certain program to the download URL. StealC is an Infostealer that extorts a variety of key information such as system, browser, cryptocurrency wallet, Discord, Telegram, and mail client data.
---------------------------------------------
https://asec.ahnlab.com/en/63308/
∗∗∗ New details on TinyTurla’s post-compromise activity reveal full kill chain ∗∗∗
---------------------------------------------
We now have new information on the entire kill chain this actor uses, including the tactics, techniques and procedures (TTPs) utilized to steal valuable information from their victims and propagate through their infected enterprises.
---------------------------------------------
https://blog.talosintelligence.com/tinyturla-full-kill-chain/
∗∗∗ The Updated APT Playbook: Tales from the Kimsuky threat actor group ∗∗∗
---------------------------------------------
In this blog we will detail new techniques that we have observed used by this actor group over the recent months. We believe that sharing these evolving techniques gives defenders the latest insights into measures required to protect their assets.
---------------------------------------------
https://www.rapid7.com/blog/post/2024/03/20/the-updated-apt-playbook-tales-…
∗∗∗ CISA, FBI, and MS-ISAC Release Update to Joint Guidance on Distributed Denial-of-Service Techniques ∗∗∗
---------------------------------------------
Today, CISA, the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released an updated joint guide, Understanding and Responding to Distributed Denial-Of-Service Attacks, to address the specific needs and challenges faced by organizations in defending against DDoS attacks.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/03/21/cisa-fbi-and-ms-isac-rel…
=====================
= Vulnerabilities =
=====================
∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (March 11, 2024 to March 17, 2024) ∗∗∗
---------------------------------------------
Last week, there were 159 vulnerabilities disclosed in 123 WordPress Plugins and 1 WordPress Theme that have been added to the Wordfence Intelligence Vulnerability Database, and there were 68 Vulnerability Researchers that contributed to WordPress Security last week.
---------------------------------------------
https://www.wordfence.com/blog/2024/03/wordfence-intelligence-weekly-wordpr…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (pdns-recursor and php-dompdf-svg-lib), Fedora (grub2, libreswan, rubygem-yard, and thunderbird), Mageia (libtiff and python-scipy), Red Hat (golang, nodejs, and nodejs:16), Slackware (python3), and Ubuntu (linux, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux, linux-azure, linux-gcp, linux-gcp-6.5, linux-hwe-6.5, linux-lowlatency, linux-lowlatency-hwe-6.5, linux-oem-6.5, linux-oracle, linux-oracle-6.5, linux-raspi, linux-starfive, linux-starfive-6.5, linux-aws, linux-aws-5.15, linux-aws, linux-aws-5.4, linux-gcp-5.4, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux-gcp, linux-gcp-4.15, linux-kvm, linux-laptop, linux-oem-6.1, and linux-raspi).
---------------------------------------------
https://lwn.net/Articles/966246/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Advantech WebAccess/SCADA ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-081-01
∗∗∗ F5: K000138966 : Intel Xeon CPU vulnerability CVE-2023-23908 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000138966
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 19-03-2024 18:00 − Wednesday 20-03-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Misconfigured Firebase instances leaked 19 million plaintext passwords ∗∗∗
---------------------------------------------
Three cybersecurity researchers discovered close to 19 million plaintext passwords exposed on the public internet by misconfigured instances of Firebase, a Google platform for hosting databases, cloud computing, and app development.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/misconfigured-firebase-insta…
∗∗∗ Android malware, Android malware and more Android malware ∗∗∗
---------------------------------------------
In this report, we share our latest Android malware findings: the Tambir spyware, Dwphon downloader and Gigabud banking Trojan.
---------------------------------------------
https://securelist.com/crimeware-report-android-malware/112121/
∗∗∗ Scans for Fortinet FortiOS and the CVE-2024-21762 vulnerability, (Wed, Mar 20th) ∗∗∗
---------------------------------------------
Late last week, an exploit surfaced on GitHub for CVE-2024-21762. This vulnerability affects Fortinet's FortiOS. A patch was released on February 8th. Owners of affected devices had over a month to patch.
---------------------------------------------
https://isc.sans.edu/diary/rss/30762
∗∗∗ Phishing in the name of the Austrian health insurance fund ÖGK ∗∗∗
---------------------------------------------
Beware of fraudulent e-mails that you receive in the name of the Österreichische Gesundheitskasse ÖGK. Currently, they pretend that there is an outstanding refund for you. Do not follow any links and do not disclose any data. They are trying to steal your money and data!
---------------------------------------------
https://www.watchlist-internet.at/news/phishing-gesundheitskasse-oegk/
∗∗∗ Gotta Hack ‘Em All: Pokémon passwords reset after attack ∗∗∗
---------------------------------------------
Are you using the same passwords in multiple places online? Well, stop. Stop right now. And make sure that you've told your friends and family to stop being reckless too.
---------------------------------------------
https://www.bitdefender.com/blog/hotforsecurity/gotta-hack-em-all-pokemon-p…
∗∗∗ A prescription for privacy protection: Exercise caution when using a mobile health app ∗∗∗
---------------------------------------------
Given the unhealthy data-collection habits of some mHealth apps, you’re well advised to tread carefully when choosing with whom you share some of your most sensitive data.
---------------------------------------------
https://www.welivesecurity.com/en/privacy/prescription-privacy-protection-e…
∗∗∗ Loop DoS: Various network services suffer from a protocol infinite loop ∗∗∗
---------------------------------------------
Among the services that security researchers have identified as a risk are some from the early days of the internet. Network admins are now called upon to act.
---------------------------------------------
https://heise.de/-9660179
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (fontforge and imagemagick), Fedora (firefox), Mageia (cherrytree, python-django, qpdf, and sqlite3), Red Hat (bind, cups, emacs, fwupd, gmp, kernel, libreoffice, libX11, nodejs, opencryptoki, postgresql-jdbc, postgresql:10, postgresql:13, and ruby:3.1), Slackware (gnutls and mozilla), and Ubuntu (firefox, linux, linux-bluefield, linux-gcp, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-oracle, linux-oracle-5.4, [...]
---------------------------------------------
https://lwn.net/Articles/966053/
∗∗∗ Netgear wireless router open to code execution after buffer overflow vulnerability ∗∗∗
---------------------------------------------
There is also a newly disclosed vulnerability in a graphics driver for some NVIDIA GPUs that could lead to a memory leak.
---------------------------------------------
https://blog.talosintelligence.com/vulnerability-roundup-march-20-2024/
∗∗∗ Atlassian: March patch round for Bamboo, Bitbucket, Confluence and Jira ∗∗∗
---------------------------------------------
Atlassian addresses 25 security vulnerabilities in Bamboo, Bitbucket, Confluence and Jira. One of them is rated critical.
---------------------------------------------
https://heise.de/-9660075
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Command Injection in Bosch Network Synchronizer ∗∗∗
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-152190-bt.html
∗∗∗ Security Update for Ivanti Neurons for ITSM ∗∗∗
---------------------------------------------
https://www.ivanti.com/blog/security-update-for-ivanti-neurons-for-itsm
∗∗∗ Security Update for Ivanti Standalone Sentry ∗∗∗
---------------------------------------------
https://www.ivanti.com/blog/security-update-for-ivanti-standalone-sentry
∗∗∗ Chrome web browser: Google seals several security holes ∗∗∗
---------------------------------------------
https://heise.de/-9659978
=====================
= End-of-Day report =
=====================
Timeframe: Monday 18-03-2024 18:00 − Tuesday 19-03-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ New AcidPour data wiper targets Linux x86 network devices ∗∗∗
---------------------------------------------
A new destructive malware named AcidPour was spotted in the wild, featuring data-wiper functionality and targeting Linux x86 IoT and networking devices. [..] AcidPour shares many similarities with AcidRain, such as targeting specific directories and device paths common in embedded Linux distributions, but their codebase overlaps by an estimated 30%.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-acidpour-data-wiper-targ…
∗∗∗ Tournament postponed: Possible RCE vulnerability threatens Apex Legends players ∗∗∗
---------------------------------------------
The widely played free-to-play shooter Apex Legends is currently suspected of suffering from a security vulnerability that allows attackers to remotely take control of players' computers. Whether the vulnerability affects the game itself or its anti-cheat software is apparently still unclear.
---------------------------------------------
https://www.golem.de/news/turnier-verschoben-moegliche-rce-schwachstelle-be…
∗∗∗ ARM MTE: Android's hardware protection against memory bugs can be bypassed ∗∗∗
---------------------------------------------
The memory tagging of modern ARM CPUs is meant to reduce the potential of certain security vulnerabilities. The idea has clear limits. The security research team of the code host GitHub has described the exploitation of a memory bug in which the protection actually intended for it, memory tagging, apparently plays no role at all. According to the report, those involved succeeded in exploiting a vulnerability in ARM's GPU driver, which allows full kernel access and gaining root privileges, even on a current Pixel 8 with the so-called Memory Tagging Extension (MTE) enabled.
---------------------------------------------
https://www.golem.de/news/arm-mte-androids-hardwareschutz-gegen-speicherlue…
∗∗∗ Threat landscape for industrial automation systems. H2 2023 ∗∗∗
---------------------------------------------
Kaspersky ICS CERT shares industrial threat statistics for H2 2023: most commonly detected malicious objects, threat sources, threat landscape by industry and region.
---------------------------------------------
https://securelist.com/threat-landscape-for-industrial-automation-systems-h…
∗∗∗ Attacker Hunting Firewalls, (Tue, Mar 19th) ∗∗∗
---------------------------------------------
The competition for freshly deployed vulnerable devices, or devices not patched for the latest greatest vulnerability, is immense. Your success in the ransomware or access broker ecosystem depends on having a consistently updated list of potential victims. As a result, certain IP addresses routinely scan the internet for specific types of vulnerabilities. One such example is 77.90.185.152. This IP address has been scanning for a different vulnerability each day.
---------------------------------------------
https://isc.sans.edu/diary/rss/30758
∗∗∗ New DEEP#GOSU Malware Campaign Targets Windows Users with Advanced Tactics ∗∗∗
---------------------------------------------
A new elaborate attack campaign has been observed employing PowerShell and VBScript malware to infect Windows systems and harvest sensitive information. [..] A notable aspect of the infection procedure is that it leverages legitimate services such as Dropbox or Google Docs for command-and-control (C2), thus allowing the threat actor to blend undetected into regular network traffic. [..] The starting point is said to be a malicious email attachment containing a ZIP archive with a rogue shortcut file (.LNK) that masquerades as a PDF file ("IMG_20240214_0001.pdf.lnk").
---------------------------------------------
https://thehackernews.com/2024/03/new-deepgosu-malware-campaign-targets.html
∗∗∗ Unit 42 Collaborative Research With Ukraine’s Cyber Agency To Uncover the Smoke Loader Backdoor ∗∗∗
---------------------------------------------
This article announces the publication of our first collaborative effort with the State Cyber Protection Centre of the State Service of Special Communications and Information Protection of Ukraine (SCPC SSSCIP). This collaborative research focuses on recent Smoke Loader malware activity observed throughout Ukraine from May to November 2023 from a group the CERT-UA designates as UAC-0006.
---------------------------------------------
https://unit42.paloaltonetworks.com/unit-42-scpc-ssscip-uncover-smoke-loade…
∗∗∗ Claroty report: Numerous vulnerabilities in medical networks and devices ∗∗∗
---------------------------------------------
Security vendor Claroty tasked its Team82, a research unit of Claroty, with the topic of security in the medical sector, regarding devices and networks, in order to investigate the effects of the increasing networking of medical devices. The aim of the report is to illustrate the extensive connectivity of critical medical devices, from imaging systems to infusion pumps, and to shed light on the associated risks. [..] The alarming result: in the course of Team82's investigations, vulnerabilities and implementation errors surface frequently.
---------------------------------------------
https://www.borncity.com/blog/2024/03/19/claroty-report-zahlreiche-schwachs…
∗∗∗ Jenkins Args4j CVE-2024-23897: Files Exposed, Code at Risk ∗∗∗
---------------------------------------------
Jenkins, a popular open-source automation server, was discovered to be affected by a file read vulnerability, CVE-2024-23897. [..] Given its high severity we would like to emphasize the need for swift measures to secure Jenkins installations. [..] Jenkins patched CVE-2024-23897 in versions 2.442 and LTS 2.426.3 by disabling the problematic command parser feature.
---------------------------------------------
https://www.trendmicro.com/en_us/research/24/c/cve-2024-23897.html
=====================
= Vulnerabilities =
=====================
∗∗∗ CVE-2024-1212: Unauthenticated Command Injection In Progress Kemp LoadMaster ∗∗∗
---------------------------------------------
LoadMaster is a load balancer and application delivery controller. Exploiting this vulnerability enables command execution on the LoadMaster if you have access to the administrator web user interface. Once command execution is obtained, it is possible to escalate privileges to root from the default admin “bal” user by abusing sudo entries, granting full control of the device. A proof of concept exploit is available in our CVE GitHub repository.
---------------------------------------------
https://rhinosecuritylabs.com/research/cve-2024-1212unauthenticated-command…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (cacti, postgresql-11, and zfs-linux), Fedora (freeimage, mingw-expat, and mingw-freeimage), Mageia (apache-mod_security-crs, expat, and multipath-tools), Oracle (.NET 7.0 and kernel), Red Hat (kernel, kernel-rt, and kpatch-patch), and Ubuntu (bash, kernel, linux, linux-aws, linux-hwe, linux-kvm, linux-oracle, linux, linux-aws, linux-kvm, linux-lts-xenial, and vim).
---------------------------------------------
https://lwn.net/Articles/965958/
∗∗∗ RaspberryMatic: Critical vulnerability allows code injection ∗∗∗
---------------------------------------------
The free HomeMatic server RaspberryMatic has a code injection vulnerability. It is rated critical. An update is available.
---------------------------------------------
https://heise.de/-9658709
∗∗∗ Security updates for Firefox and Thunderbird ∗∗∗
---------------------------------------------
Mozilla closes numerous security vulnerabilities in the Firefox web browser and the Thunderbird mail client.
---------------------------------------------
https://heise.de/-9659433
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Franklin Fueling System EVO 550/5000 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-079-01
=====================
= End-of-Day report =
=====================
Timeframe: Friday 15-03-2024 18:00 − Monday 18-03-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ New acoustic attack determines keystrokes from typing patterns ∗∗∗
---------------------------------------------
Researchers have demonstrated a new acoustic side-channel attack on keyboards that can deduce user input based on their typing patterns, even in poor conditions, such as environments with noise.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-acoustic-attack-determin…
∗∗∗ Hackers Using Sneaky HTML Smuggling to Deliver Malware via Fake Google Sites ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered a new malware campaign that leverages bogus Google Sites pages and HTML smuggling to distribute a commercial malware called AZORult in order to facilitate information theft.
---------------------------------------------
https://thehackernews.com/2024/03/hackers-using-sneaky-html-smuggling-to.ht…
∗∗∗ Opening Pandora’s box - Supply Chain Insider Threats in Open Source projects ∗∗∗
---------------------------------------------
Granting repository "Write" access in an Open Source project is a high-stakes decision. We delve into the risks of insider threats, using a responsible disclosure for the AWS Karpenter project to demonstrate why strict safeguards are essential.
---------------------------------------------
https://boostsecurity.io/blog/opening-pandora-box-supply-chain-insider-thre…
∗∗∗ Seasonal scams: Beware when booking holidays! ∗∗∗
---------------------------------------------
Fitting the season in which a particularly large number of holiday bookings are made, criminals are publishing fraudulent holiday booking platforms such as fincas-und-villen.com. Do not be dazzled by the low prices and beautiful pictures: here you lose your money and, in the worst case, end up without accommodation at your holiday destination.
---------------------------------------------
https://www.watchlist-internet.at/news/saisonale-betrugsmaschen-urlaubsbuch…
∗∗∗ How to protect against/detect OAuth applications across tenant boundaries? ∗∗∗
---------------------------------------------
It is a question that probably every security officer asks when it comes to the cloud and access to services via OAuth. The question: How can OAuth applications be protected against/detected across tenant boundaries? And how can this be done with Microsoft technology?
---------------------------------------------
https://www.borncity.com/blog/2024/03/17/wie-oauth-anwendungen-ber-tenant-g…
∗∗∗ Top things that you might not be doing (yet) in Entra Conditional Access – Advanced Edition ∗∗∗
---------------------------------------------
In this second part, we’ll go over more advanced security controls within Conditional Access that, in my experience, are frequently overlooked in environments during security assessments.
---------------------------------------------
https://blog.nviso.eu/2024/03/18/top-things-that-you-might-not-be-doing-yet…
∗∗∗ Ethereum’s CREATE2: A Double-Edged Sword in Blockchain Security ∗∗∗
---------------------------------------------
Ethereum’s CREATE2 function is being exploited by attackers to compromise the security of digital wallets, bypassing traditional security measures and facilitating unauthorized access to funds.
---------------------------------------------
https://research.checkpoint.com/2024/ethereums-create2-a-double-edged-sword…
=====================
= Vulnerabilities =
=====================
∗∗∗ Hackers exploit Aiohttp bug to find vulnerable networks ∗∗∗
---------------------------------------------
The ransomware actor ShadowSyndicate was observed scanning for servers vulnerable to CVE-2024-23334, a directory traversal vulnerability in the aiohttp Python library.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-exploit-aiohttp-bug-…
∗∗∗ Two Bytes is Plenty: FortiGate RCE with CVE-2024-21762 ∗∗∗
---------------------------------------------
In this post we detail the steps we took to identify the patched vulnerability and produce a working exploit.
---------------------------------------------
https://www.assetnote.io/resources/research/two-bytes-is-plenty-fortigate-r…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (curl, spip, and unadf), Fedora (chromium, iwd, opensc, openvswitch, python3.6, shim, shim-unsigned-aarch64, and shim-unsigned-x64), Mageia (batik, imagemagick, irssi, jackson-databind, jupyter-notebook, ncurses, and yajl), Oracle (.NET 7.0, .NET 8.0, and dnsmasq), Red Hat (postgresql:10), SUSE (chromium, kernel, openvswitch, python-rpyc, and tiff), and Ubuntu (openjdk-8).
---------------------------------------------
https://lwn.net/Articles/965829/
∗∗∗ PoC Published for Critical Fortra Code Execution Vulnerability ∗∗∗
---------------------------------------------
A critical directory traversal vulnerability in Fortra FileCatalyst Workflow could lead to remote code execution.
---------------------------------------------
https://www.securityweek.com/poc-published-for-critical-fortra-code-executi…
∗∗∗ Critical vulnerability CVE-2024-21762 in Fortinet FortiOS is being actively exploited ∗∗∗
---------------------------------------------
In our warning of 9 February 2024 we already reported on the vulnerabilities CVE-2024-21762 and CVE-2024-23113 and subsequently informed owners via the abuse contacts registered for the IP addresses. CVE-2024-21762 has recently been actively exploited. Unauthenticated attackers can execute arbitrary code on affected devices.
---------------------------------------------
https://cert.at/de/aktuelles/2024/3/kritische-sicherheitslucke-cve-2024-217…
∗∗∗ Spring Framework: Updates fix a new old vulnerability ∗∗∗
---------------------------------------------
If Spring-based applications use a URL parsing function of the framework, they open themselves up to various attacks. Not for the first time.
---------------------------------------------
https://heise.de/-9657496
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Stack-based Overflow Vulnerability in the TrueViewTM Desktop Software ∗∗∗
---------------------------------------------
https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0006
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 14-03-2024 18:00 − Friday 15-03-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ SIM swappers hijacking phone numbers in eSIM attacks ∗∗∗
---------------------------------------------
SIM swappers have adapted their attacks to steal a target's phone number by porting it into a new eSIM card, a digital SIM stored in a rewritable chip present on many recent smartphone models.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/sim-swappers-hijacking-phone…
∗∗∗ StopCrypt: Most widely distributed ransomware now evades detection ∗∗∗
---------------------------------------------
A new variant of StopCrypt ransomware (aka STOP) was spotted in the wild, employing a multi-stage execution process that involves shellcodes to evade security tools.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/stopcrypt-most-widely-distri…
∗∗∗ 5Ghoul Revisited: Three Months Later, (Fri, Mar 15th) ∗∗∗
---------------------------------------------
About three months ago, I wrote about the implications and impacts of 5Ghoul in a previous diary. The 5Ghoul family of vulnerabilities could cause User Equipment (UEs) to be continuously exploited (e.g. dropping/freezing connections, which would require manual rebooting or downgrading a 5G connection to 4G) once they are connected to the malicious 5Ghoul gNodeB (gNB, or known as the base station in traditional cellular networks). Given the potential complexities in the realm of 5G mobile network modems used in a multitude of devices (such as mobile devices and 5G-enabled environments such as Industrial Internet-of-Things and IP cameras), I chose to give the situation a bit more time before revisiting the 5Ghoul vulnerability.
---------------------------------------------
https://isc.sans.edu/diary/rss/30746
∗∗∗ Third-Party ChatGPT Plugins Could Lead to Account Takeovers ∗∗∗
---------------------------------------------
Cybersecurity researchers have found that third-party plugins available for OpenAI ChatGPT could act as a new attack surface for threat actors looking to gain unauthorized access to sensitive data. According to new research published by Salt Labs, security flaws found directly in ChatGPT and within the ecosystem could allow attackers to install malicious plugins without users' consent and hijack accounts on third-party websites like GitHub.
---------------------------------------------
https://thehackernews.com/2024/03/third-party-chatgpt-plugins-could-lead.ht…
∗∗∗ Beware of the subscription trap on produktretter.at! ∗∗∗
---------------------------------------------
Register once and you will receive high-quality, fully functional products that others have returned. Only shipping costs of at most 2.99 euros apply. Sounds too good to be true? It is. Sites like produktretter.at, produkttest-anmeldung.com or retourenheld.io lure you into a subscription trap. The promised products never arrive.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-abo-falle-auf-produktre…
∗∗∗ Inside the Rabbit Hole: BunnyLoader 3.0 Unveiled ∗∗∗
---------------------------------------------
We analyze recent samples of BunnyLoader 3.0 to illuminate this malware’s evolved and upscaled capabilities, including its new downloadable module system.
---------------------------------------------
https://unit42.paloaltonetworks.com/analysis-of-bunnyloader-malware/
∗∗∗ How to share sensitive files securely online ∗∗∗
---------------------------------------------
Here are a few tips for secure file transfers and what else to consider when sharing sensitive documents so that your data remains safe.
---------------------------------------------
https://www.welivesecurity.com/en/how-to/share-sensitive-files-securely-onl…
∗∗∗ The LockBit story: Why the ransomware affiliate model can turn takedowns into disruptions ∗∗∗
---------------------------------------------
Talos explores the recent law enforcement takedown of LockBit, a prolific ransomware group that claimed to resume their operations 7 days later.
---------------------------------------------
https://blog.talosintelligence.com/ransomware-affiliate-model/
∗∗∗ Two backdoors in Ivanti appliances analysed ∗∗∗
---------------------------------------------
At the beginning of 2024, Ivanti's Pulse Secure appliances were widely exploited through the vulnerabilities reported at the time, CVE-2023-46805 and CVE-2024-21887. Security researchers have now described two specimens of these backdoors in detail.
---------------------------------------------
https://heise.de/-9656137
∗∗∗ Security researchers annoyed: NVD vulnerability database incomplete for weeks ∗∗∗
---------------------------------------------
The database operated by the US government enriches vulnerabilities reported in the CVE system with important metadata. This has not happened since February. [..] Of more than 2,200 vulnerabilities with a CVE ID published since 15 February, only 59 have been given metadata; 2,152 lie fallow. [..] On how it intends to work through the thousands of open vulnerabilities, and above all when it will resume its work, the NVD currently remains silent.
---------------------------------------------
https://heise.de/-9656574
=====================
= Vulnerabilities =
=====================
∗∗∗ Juniper: On Demand: JSA Series: Multiple vulnerabilities resolved in Juniper Secure Analytics in 7.5.0 UP7 IF06 ∗∗∗
---------------------------------------------
Multiple vulnerabilities have been resolved in 7.5.0 UP7 IF06. Severity: Critical
---------------------------------------------
https://supportportal.juniper.net/s/article/On-Demand-JSA-Series-Multiple-v…
∗∗∗ Micropatches Released for Microsoft Outlook "MonikerLink" Remote Code Execution Vulnerability (CVE-2024-21413) ∗∗∗
---------------------------------------------
In February 2024, still-supported Microsoft Outlook versions got an official patch for CVE-2024-21413, a vulnerability that allowed an attacker to execute arbitrary code on the user's computer when the user opened a malicious hyperlink in the attacker's email. The micropatch was written for the following security-adopted versions of Office with all available updates installed: Microsoft Office 2013, Microsoft Office 2010
---------------------------------------------
https://blog.0patch.com/2024/03/micropatches-released-for-microsoft.html
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (composer and node-xml2js), Fedora (baresip), Mageia (fonttools, libgit2, mplayer, open-vm-tools, and packages), Red Hat (dnsmasq, gimp:2.8, and kernel-rt), and SUSE (389-ds, gdb, kernel, python-Django, python3, python36-pip, spectre-meltdown-checker, sudo, and thunderbird).
---------------------------------------------
https://lwn.net/Articles/965576/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ CVE-2024-2247: JFrog Artifactory Cross-Site Scripting ∗∗∗
---------------------------------------------
https://jfrog.com/help/r/jfrog-release-information/cve-2024-2247-jfrog-arti…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 13-03-2024 18:00 − Thursday 14-03-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ PixPirate Android malware uses new tactic to hide on phones ∗∗∗
---------------------------------------------
The latest version of the PixPirate banking trojan for Android employs a previously unseen method to hide from the victim while remaining active on the infected device even if its dropper app has been removed.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/pixpirate-android-malware-us…
∗∗∗ Increase in the number of phishing messages pointing to IPFS and to R2 buckets, (Thu, Mar 14th) ∗∗∗
---------------------------------------------
Interesting trends do emerge from time to time. One such recent trend seems to be connected with an increased use of IPFS and R2 buckets to host phishing pages.
---------------------------------------------
https://isc.sans.edu/diary/rss/30744
∗∗∗ Breaking Down APT29’s Latest Tactics and How to Defend Against Them ∗∗∗
---------------------------------------------
Recently, the US National Security Agency (NSA) joined the United Kingdom's National Cyber Security Centre (NCSC) in releasing an advisory detailing the recent TTPs (tactics, techniques, and procedures) of the group known as APT29 (or, in other threat actor taxonomies, Midnight Blizzard, the Dukes, and Cozy Bear).
---------------------------------------------
https://orca.security/resources/blog/how-to-defend-against-apt29-cozy-bear-…
=====================
= Vulnerabilities =
=====================
∗∗∗ A patched Windows attack surface is still exploitable ∗∗∗
---------------------------------------------
In this report, we highlight the key points about a class of recently-patched elevation-of-privilege vulnerabilities affecting Microsoft Windows, and then focus on how to check if any of them have been exploited or if there have been any attempts to exploit them.
---------------------------------------------
https://securelist.com/windows-vulnerabilities/112232/
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium and openvswitch), Fedora (chromium, python-multipart, thunderbird, and xen), Mageia (java-17-openjdk and screen), Red Hat (.NET 7.0, .NET 8.0, kernel-rt, kpatch-patch, postgresql:13, and postgresql:15), Slackware (expat), SUSE (glibc, python-Django, python-Django1, sudo, and vim), and Ubuntu (expat, linux-ibm, linux-ibm-5.4, linux-oracle, linux-oracle-5.4, linux-lowlatency, linux-raspi, python-cryptography, texlive-bin, and xorg-server).
---------------------------------------------
https://lwn.net/Articles/965470/
∗∗∗ Kubernetes Vulnerability Allows Remote Code Execution on Windows Endpoints ∗∗∗
---------------------------------------------
A high-severity Kubernetes vulnerability tracked as CVE-2023-5528 can be exploited to execute arbitrary code on Windows endpoints.
---------------------------------------------
https://www.securityweek.com/kubernetes-vulnerability-allows-remote-code-ex…
∗∗∗ Cisco closes high-risk vulnerabilities in IOS XR ∗∗∗
---------------------------------------------
Cisco warns of security vulnerabilities, some of them high-risk, in the IOS XR router operating system. Updates are available.
---------------------------------------------
https://heise.de/-9654542
∗∗∗ Upgrade quickly: problematic security vulnerability in Apple's GarageBand ∗∗∗
---------------------------------------------
According to Apple, GarageBand 10.4.11 brings no new features. It does, however, contain an important security fix. Users should update the macOS app quickly.
---------------------------------------------
https://heise.de/-9654638
∗∗∗ HP: Many laptops and PCs affected by code injection vulnerability ∗∗∗
---------------------------------------------
A BIOS security function of HP laptops and PCs can be bypassed by attackers. BIOS updates are available or are currently being developed.
---------------------------------------------
https://heise.de/-9654678
∗∗∗ VU#488902: CPU hardware utilizing speculative execution may be vulnerable to speculative race conditions ∗∗∗
---------------------------------------------
https://kb.cert.org/vuls/id/488902
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Softing edgeConnector ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-074-13
∗∗∗ Mitsubishi Electric MELSEC-Q/L Series ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-074-14
∗∗∗ Delta Electronics DIAEnergie ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-074-12