- Daily - CERT.at

Tageszusammenfassung - 17.04.2025
by Daily end-of-shift report 17 Apr '25

17 Apr '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 16-04-2025 18:00 − Donnerstag 17-04-2025 18:00 Handler: Felician Fuchs Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ MITRE CVE Program - the past, the present .. and the (European) future. ∗∗∗ --------------------------------------------- The Common Vulnerabilities and Exposures (CVE) program is a globally adopted system for identifying and naming cybersecurity vulnerabilities with unique IDs. Established in 1999 by researchers at the MITRE Corporation (a U.S. non-profit R&D organization), CVE was created to ensure that different security tools and stakeholders can refer to the same vulnerability in a consistent way. --------------------------------------------- https://bytesandborscht.com/mitre-cve-program-the-past-the-present-and-the-… ∗∗∗ RedTail, Remnux and Malware Management [Guest Diary], (Wed, Apr 16th) ∗∗∗ --------------------------------------------- When I first saw malware being uploaded to my honeypot, I was lacking the requisite experience to reverse engineer it, and to understand what was happening with the code. Even though I could use any text editor to examine the associated scripts that were being uploaded with RedTail malware, I couldn’t see what was happening with the redtail malware itself. So, I decided to create a how-to on setting up a malware analysis program. --------------------------------------------- https://isc.sans.edu/diary/rss/31868 ∗∗∗ Proton66 Part 2: Compromised WordPress Pages and Malware Campaigns ∗∗∗ --------------------------------------------- Earlier this year SpiderLabs observed an increase in mass scanning, credential brute forcing, and exploitation attempts originating from Proton66 ASN targeting organizations worldwide that we are discussing in a two-part series. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/proton66-pa… ∗∗∗ Experts Uncover Four New Privilege Escalation Flaws in Windows Task Scheduler ∗∗∗ --------------------------------------------- Cybersecurity researchers have detailed four different vulnerabilities in a core component of the Windows task scheduling service that could be exploited by local attackers to achieve privilege escalation and erase logs to cover up evidence of malicious activities. --------------------------------------------- https://thehackernews.com/2025/04/experts-uncover-four-new-privilege.html ∗∗∗ CISA Flags Actively Exploited Vulnerability in SonicWall SMA Devices ∗∗∗ --------------------------------------------- The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a security flaw impacting SonicWall Secure Mobile Access (SMA) 100 Series gateways to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The high-severity vulnerability, tracked as CVE-2021-20035 (CVSS score: 7.2), relates to a case of operating system command injection that could result in code execution. --------------------------------------------- https://thehackernews.com/2025/04/cisa-flags-actively-exploited.html ∗∗∗ Support-Ende von Ubuntu 20.04 dräut ∗∗∗ --------------------------------------------- Der Support für Ubuntu 20.04 endet in wenigen Wochen. Ubuntu empfiehlt ein Upgrade oder erweiterten Support mit Ubuntu Pro. --------------------------------------------- https://www.heise.de/news/Support-Ende-von-Ubuntu-20-04-draeut-10355860.html ∗∗∗ Unmasking the new XorDDoS controller and infrastructure ∗∗∗ --------------------------------------------- Cisco Talos observed an existing distributed denial-of-service (DDoS) malware known as XorDDoS, continuing to spread globally between November 2023 and February 2025. A significant finding shows that over 70 percent of attacks using XorDDoS targeted the United States from Nov. 2023 to Feb. 2025. --------------------------------------------- https://blog.talosintelligence.com/unmasking-the-new-xorddos-controller-and… ===================== = Vulnerabilities = ===================== ∗∗∗ Apple Patches Two Actively Exploited iOS Flaws Used in Sophisticated Targeted Attacks ∗∗∗ --------------------------------------------- Apple on Wednesday released security updates for iOS, iPadOS, macOS Sequoia, tvOS, and visionOS to address two security flaws that it said have come under active exploitation in the wild. --------------------------------------------- https://thehackernews.com/2025/04/apple-patches-two-actively-exploited.html ∗∗∗ Critical Erlang/OTP SSH Vulnerability (CVSS 10.0) Allows Unauthenticated Code Execution ∗∗∗ --------------------------------------------- A critical security vulnerability has been disclosed in the Erlang/Open Telecom Platform (OTP) SSH implementation that could permit an attacker to execute arbitrary code sans any authentication under certain conditions. The vulnerability, tracked as CVE-2025-32433, has been given the maximum CVSS score of 10.0. --------------------------------------------- https://thehackernews.com/2025/04/critical-erlangotp-ssh-vulnerability.html ∗∗∗ Drupal releases Security Advisories for multiple Critical and High Vulnerabilities ∗∗∗ --------------------------------------------- Including 5 critical and 2 high severity. --------------------------------------------- https://www.drupal.org/security ∗∗∗ Atlassian stopft hochriskante Lecks in Confluence, Jira & Co. ∗∗∗ --------------------------------------------- Atlassian hat für Bamboo, Confluence und Jira Aktualisierungen herausgegeben, die als hohes Risiko eingestufte Sicherheitslücken in den Produkten abdichten sollen. IT-Verantwortliche sollten die Updates zeitnah herunterladen und anwenden. --------------------------------------------- https://www.heise.de/news/Atlassian-stopft-hochriskante-Lecks-in-Confluence… ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (April 7, 2025 to April 13, 2025) ∗∗∗ --------------------------------------------- Last week, there were 340 vulnerabilities disclosed in 303 WordPress Plugins and 8 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 67 Vulnerability Researchers that contributed to WordPress Security last week. --------------------------------------------- https://www.wordfence.com/blog/2025/04/wordfence-intelligence-weekly-wordpr… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium and libapache2-mod-auth-openidc), Oracle (expat, freetype, glibc, grub2, gvisor-tap-vsock, and kernel), Red Hat (grub2 and webkit2gtk3), and SUSE (apache2-mod_auth_openidc, cosign, gitoxide, govulncheck-vulndb, GraphicsMagick, haproxy, hauler, mozjs52, oci-cli, pam, perl-Data-Entropy, poppler, python-lxml-doc, python311-aiohttp, rekor, rubygem-rexml, and webkit2gtk3). --------------------------------------------- https://lwn.net/Articles/1017919/ ∗∗∗ Cisco Nexus Dashboard LDAP Username Enumeration Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Webex App Client-Side Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ [R1] Stand-alone Security Patch Available for Tenable Security Center versions 6.3.0, 6.4.0, 6.4.5 and 6.5.1: SC-202504.2 ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2025-04 ∗∗∗ F5 K000150879: OpenSSH vulnerability CVE-2025-26466 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000150879 ∗∗∗ F5 K000150901: Linux kernel vulnerability CVE-2024-46713 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000150901 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.04.2025
by Daily end-of-shift report 16 Apr '25

16 Apr '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 15-04-2025 18:00 − Mittwoch 16-04-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: Guenes Holler ===================== = News = ===================== ∗∗∗ Mehrere FortiGate-Modelle von Backdoor betroffen ∗∗∗ --------------------------------------------- Am Freitag, den 10. April, veröffentlichte Fortinet Informationen über eine weltweite Kompromittierung von FortiGate-Geräten, die Angreifer:innen dauerhaften lesenden Zugriff ermöglichten. Die Angreifer:innen nutzten offenbar drei bekannte Schwachstellen in der SSL-VPN-Funktion, um sich Zugang zu den Geräten zu verschaffen, und eine Hintertür im Dateisystem zu platzieren um den illegalen Zugriff nachhaltig zu ermöglichen. [..] Alle FortiGate-Geräte, physisch oder virtuell, die die SSL-VPN-Funktion aktiviert haben oder hatten und jemals für eine der genannten Schwachstellen anfällig waren (siehe betroffene FortiOS-Versionen in den Advisories - 1, 2, 3), sind potenziell gefährdet. --------------------------------------------- https://www.cert.at/de/blog/2025/4/mehrere-fortigate-modelle-von-backdoor-b… ∗∗∗ CISA extends funding to ensure no lapse in critical CVE services ∗∗∗ --------------------------------------------- CISA says the U.S. government has extended MITREs funding to ensure no continuity issues with the critical Common Vulnerabilities and Exposures (CVE) program. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cisa-extends-funding-to-ensu… ∗∗∗ Quellcode und Daten geleakt: 4chan nach mutmaßlichem Hackerangriff offline ∗∗∗ --------------------------------------------- 4chan hat offenbar den Unmut einer Konkurrenzplattform auf sich gezogen. Dort kursieren Screenshots von internen Tools, Datenbanken, E-Mail-Listen und mehr. --------------------------------------------- https://www.golem.de/news/quellcode-und-daten-geleakt-4chan-nach-mutmasslic… ∗∗∗ Latest Mustang Panda Arsenal: PAKLOG, CorKLOG, and SplatCloak | P2 ∗∗∗ --------------------------------------------- This is Part 2 of our two-part technical analysis on Mustang Panda’s new tools. --------------------------------------------- https://www.zscaler.com/blogs/security-research/latest-mustang-panda-arsena… ∗∗∗ CrazyHunter Campaign Targets Taiwanese Critical Sectors ∗∗∗ --------------------------------------------- This blog entry details research on emerging ransomware group CrazyHunter, which has launched a sophisticated campaign aimed at Taiwans essential services. --------------------------------------------- https://www.trendmicro.com/en_us/research/25/d/crazyhunter-campaign.html ===================== = Vulnerabilities = ===================== ∗∗∗ Oracle Critical Patch Update Advisory - April 2025 ∗∗∗ --------------------------------------------- A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches address vulnerabilities in Oracle code and in third party components included in Oracle products. --------------------------------------------- https://www.oracle.com/security-alerts/cpuapr2025.html ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (gvisor-tap-vsock, kernel, and kernel-rt), Fedora (chromium, dnf, dotnet9.0, golang, lemonldap-ng, mariadb10.11, perl-Crypt-URandom-Token, perl-DBIx-Class-EncodedColumn, php-tcpdf, podman-tui, and trunk), Red Hat (java-17-openjdk and kernel), Slackware (mozilla), SUSE (apache2-mod_auth_openidc, cosign, etcd, expat, flannel, kernel, libsqlite3-0, libvarnishapi3, mozjs52, Multi-Linux Manager 4.3: Server, Multi-Linux Manager 5.0: Server, Proxy and Retail Server, pgadmin4, rekor, rsync, rubygem-bundler, and webkit2gtk3), and Ubuntu (7zip, Docker, and quickjs). --------------------------------------------- https://lwn.net/Articles/1017670/ ∗∗∗ CISA Releases Nine Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- ICSA-25-105-01 Siemens Mendix Runtime, ICSA-25-105-02 Siemens Industrial Edge Device Kit, ICSA-25-105-03 Siemens SIMOCODE, SIMATIC, SIPLUS, SIDOOR, SIWAREX, ICSA-25-105-04 Growatt Cloud Applications, ICSA-25-105-05 Lantronix Xport, ICSA-25-105-06 National Instruments LabVIEW, ICSA-25-105-07 Delta Electronics COMMGR, ICSA-25-105-08 ABB M2M Gateway, ICSA-25-105-09 Mitsubishi Electric Europe B.V. smartRTU --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/04/15/cisa-releases-nine-indus… ∗∗∗ Mozilla: Security Vulnerabilities fixed in Thunderbird ESR 128.9.2 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-27/ ∗∗∗ Mozilla: Security Vulnerabilities fixed in Thunderbird 137.0.2 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-27/ ∗∗∗ Webbrowser: Kritische Sicherheitslücke in Chrome abgedichtet ∗∗∗ --------------------------------------------- https://heise.de/-10354575 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.04.2025
by Daily end-of-shift report 15 Apr '25

15 Apr '25

===================== = End-of-Day report = ===================== Timeframe: Montag 14-04-2025 18:00 − Dienstag 15-04-2025 18:00 Handler: Guenes Holler Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ New ResolverRAT malware targets pharma and healthcare orgs worldwide ∗∗∗ --------------------------------------------- A new remote access trojan (RAT) called ResolverRAT is being used against organizations globally, with the malware used in recent attacks targeting the healthcare and pharmaceutical sectors. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-resolverrat-malware-targ… ∗∗∗ Sicherheitspatches: Google beendet Unterstützung von Android 12 ∗∗∗ --------------------------------------------- Android 12 ist im Jahr 2025 noch die dritthäufigste Android-Version auf dem Markt - Google stellt nun die Versorgung mit Patches ein. --------------------------------------------- https://www.golem.de/news/sicherheitspatches-google-beendet-unterstuetzung-… ∗∗∗ Gladinet’s Triofox and CentreStack Under Active Exploitation via Critical RCE Vulnerability ∗∗∗ --------------------------------------------- A recently disclosed security flaw in Gladinet CentreStack also impacts its Triofox remote access and collaboration solution, according to Huntress, with seven different organizations compromised to date. Tracked as CVE-2025-30406 (CVSS score: 9.0), the vulnerability refers to the use of a hard-coded cryptographic key that could expose internet-accessible servers to remote code execution attacks. It has been addressed in CentreStack version 16.4.10315.56368 released on April 3, 2025. --------------------------------------------- https://thehackernews.com/2025/04/gladinets-triofox-and-centrestack-under.h… ∗∗∗ Verkehrskunde und Krankheiten: Wenn Betrüger:innen Kinder als Lockmittel einsetzen ∗∗∗ --------------------------------------------- Ein Herz für Kinder – genau auf dieses haben es Kriminelle immer wieder abgesehen. Sie versenden E-Mails und bitten darin um Spenden für die Produktion von Büchern. Diese sollen Kindergärten, Kinderkliniken und anderen entsprechenden Einrichtungen kostenlos zur Verfügung gestellt werden. Ein an sich nobles Vorhaben. In Wahrheit aber nichts andere als eine besonders dreiste und unappetitliche Betrugsmasche. --------------------------------------------- https://www.watchlist-internet.at/news/betruegerinnen-kinder-als-lockmittel/ ∗∗∗ Renewed APT29 Phishing Campaign Against European Diplomats ∗∗∗ --------------------------------------------- Starting in January 2025, Check Point Research (CPR) has been tracking a wave of targeted phishing attacks aimed at European governments and diplomats. The Techniques, Tactics and Procedures (TTPs) observed in this campaign align with the WINELOADER campaigns, which were attributed to APT29, a Russia linked threat group. --------------------------------------------- https://research.checkpoint.com/2025/apt29-phishing-campaign/ ∗∗∗ Android-Smartphones starten sich nach 3 Tagen Inaktivität von selbst neu ∗∗∗ --------------------------------------------- Wie iPhones unter iOS 18 starten sich Android-Smartphones künftig nach 72 Stunden der Inaktivität von selbst neu. Damit soll die allgemeine Sicherheit erhöht und nicht die Polizei geärgert werden. --------------------------------------------- https://heise.de/-10352891 ===================== = Vulnerabilities = ===================== ∗∗∗ Critical Apache Roller Vulnerability (CVSS 10.0) Enables Unauthorized Session Persistence ∗∗∗ --------------------------------------------- A critical security vulnerability has been disclosed in the Apache Roller open-source, Java-based blogging server software that could allow malicious actors to retain unauthorized access even after a password change. The flaw, assigned the CVE identifier CVE-2025-24859, carries a CVSS score of 10.0, indicating maximum severity. It affects all versions of Roller up to and including 6.1.4. --------------------------------------------- https://thehackernews.com/2025/04/critical-apache-roller-vulnerability.html ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (glibc), Red Hat (kernel and kernel-rt), Slackware (perl), SUSE (haproxy, kernel, and webkit2gtk3), and Ubuntu (cimg, perl, protobuf, and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/1017514/ ∗∗∗ Vulnerability in FileSender versions 2.15 through 2.50 ∗∗∗ --------------------------------------------- https://filesender.org/vulnerability-in-filesender-versions-2-15-through-2-… ∗∗∗ Mozilla: Security vulnerability fixed in Firefox 137.0.2 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-25/ ∗∗∗ f5: K000150814: BIND vulnerability CVE-2024-11187 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000150814 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.04.2025
by Daily end-of-shift report 14 Apr '25

14 Apr '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 11-04-2025 18:00 − Montag 14-04-2025 18:00 Handler: Guenes Holler Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ BentoML Vulnerability Allows Remote Code Execution on AI Servers ∗∗∗ --------------------------------------------- This vulnerability, tracked as CVE-2025-27520 with a high severity score of 9.8 and discovered by GitHub user c2an1, could allow attackers who aren’t even logged in to take complete control of the servers running these AI services. [..] Interestingly, according to Checkmarx’s report, this vulnerability is essentially a repeat of CVE-2024-2912, which was fixed in BentoML version 1.2.5., but the fix was later removed in BentoML version 1.3.8, causing the same dangerous weakness to reappear. --------------------------------------------- https://hackread.com/bentoml-vulnerability-remote-code-execution-ai-servers/ ∗∗∗ Exploit Attempts for Recent Langflow AI Vulnerability (CVE-2025-3248), (Sat, Apr 12th) ∗∗∗ --------------------------------------------- Two weeks ago, version 1.3.0 of Langflow was released. The release notes list many fixes but do not mention that one of the "Bug Fixes" addresses a major vulnerability. Instead, the release notes state, "auth current user on code validation." [..] The vulnerability went somewhat unnoticed, at least by me, until Horizon3 created a detailed writeup showing how easy it is to exploit the vulnerability and provide proof of concept exploit. --------------------------------------------- https://isc.sans.edu/diary/rss/31850 ∗∗∗ Proton66 Part 1: Mass Scanning and Exploit Campaigns ∗∗∗ --------------------------------------------- Trustwave SpiderLabs continuously tracks a range of malicious activities originating from Proton66 ASN, including vulnerability scanning, exploit attempts, and phishing campaigns leading to malware infections. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/proton66-pa… ∗∗∗ Phishing Campaigns Use Real-Time Checks to Validate Victim Emails Before Credential Theft ∗∗∗ --------------------------------------------- Cybersecurity researchers are calling attention to a new type of credential phishing scheme that ensures that the stolen information is associated with valid online accounts. The technique has been codenamed precision-validating phishing by Cofense, which it said employs real-time email validation so that only a select set of high-value targets are served the fake login screens. --------------------------------------------- https://thehackernews.com/2025/04/phishing-campaigns-use-real-time-checks.h… ∗∗∗ CyberAv3ngers: The Iranian Saboteurs Hacking Water and Gas Systems Worldwide ∗∗∗ --------------------------------------------- CyberAv3ngers has been vocal about their operations that targeted Israel and Israeli technology products. But they've also quietly expanded their target list to include a variety of other devices and networks, including a US oil and gas firm and a wide array of industrial control systems across the world. --------------------------------------------- https://www.wired.com/story/cyberav3ngers-iran-hacking-water-and-gas-indust… ∗∗∗ A short(-ish) guide on information security writing ∗∗∗ --------------------------------------------- Whether you’re compiling incident notes at 3 AM, drafting a post-mortem report for the board or helping the marketing department to craft a blog post that will generate near endless riches for your employer - we may like it or not, the ability to produce qualitative writing is as much a vital skill when working in information security as your technical prowess. --------------------------------------------- https://bytesandborscht.com/a-short-ish-guide-on-information-security-writi… ∗∗∗ Vorsicht vor Dreiecksbetrug bei Kleinanzeigenplattformen ∗∗∗ --------------------------------------------- eBay, Willhaben, Shpock und Co. sind beliebte Plattformen, um günstig gebrauchte Waren zu kaufen oder nicht mehr benötigte Gegenstände zu verkaufen. Doch Vorsicht: Hinter manchen Profilen verbergen sich Kriminelle. Besonders tückisch ist der Dreiecksbetrug, bei dem sowohl Käufer:innen als auch Verkäufer:innen betrogen werden. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-dreiecksbetrug-bei-klei… ∗∗∗ BPFDoor’s Hidden Controller Used Against Asia, Middle East Targets ∗∗∗ --------------------------------------------- A controller linked to BPF backdoor can open a reverse shell, enabling deeper infiltration into compromised networks. Recent attacks have been observed targeting the telecommunications, finance, and retail sectors across South Korea, Hong Kong, Myanmar, Malaysia, and Egypt. --------------------------------------------- https://www.trendmicro.com/en_us/research/25/d/bpfdoor-hidden-controller.ht… ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitsupdates: Schadcode-Attacken auf KI-Analyseplattform Spotfire möglich ∗∗∗ --------------------------------------------- Wie aus zwei Warnmeldungen zu den Sicherheitslücken (CVE-2025-3114 "kritisch", CVE-2025-3115 "kritisch") hervorgeht, sind konkret Spotfire Analyst, AWS Marketplace, Deployment Kit Spotfire Server, Desktop, Enterprise Runtime, Service for Python, Service for R und Statistics Services bedroht. --------------------------------------------- https://www.heise.de/news/Sicherheitsupdates-Schadcode-Attacken-auf-KI-Anal… ∗∗∗ Netzwerkgeräte mit Arista EOS können Verschlüsselung vergessen ∗∗∗ --------------------------------------------- Wie aus einer Warnmeldung hervorgeht, funktioniert die Verschlüsselung von Datenverkehr nicht verlässlich. Das ist aber den Entwicklern zufolge aber nur gegeben, wenn Secure Vxlan konfiguriert ist. [..] Die Sicherheitslücke (CVE-2024-12378) ist mit dem Bedrohungsgrad "kritisch" eingestuft. --------------------------------------------- https://www.heise.de/news/Netzwerkgeraete-mit-Arista-EOS-koennen-Verschlues… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (glib2.0, jinja2, kernel, mediawiki, perl, subversion, twitter-bootstrap3, twitter-bootstrap4, and wpa), Fedora (c-ares, chromium, condor, corosync, cri-tools1.29, exim, firefox, matrix-synapse, nextcloud, openvpn, perl-Data-Entropy, suricata, upx, varnish, webkitgtk, yarnpkg, and zabbix), Mageia (giflib, gnupg2, graphicsmagick, and poppler), Oracle (delve and golang, go-toolset:ol8, grub2, and webkit2gtk3), Red Hat (kernel and kernel-rt), SUSE (chromium, fontforge-20230101, govulncheck-vulndb, kernel, liblzma5-32bit, pgadmin4, python311-Django, and python311-PyJWT), and Ubuntu (graphicsmagick). --------------------------------------------- https://lwn.net/Articles/1017396/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.04.2025
by Daily end-of-shift report 11 Apr '25

11 Apr '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 10-04-2025 18:00 − Freitag 11-04-2025 18:00 Handler: Guenes Holler Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Fortinet FortiOS: Angreifende installierten persistenten Lesezugriff auf Firewalls ∗∗∗ --------------------------------------------- Am 10. April 2025 veröffentlichte der Hersteller Fortinet einen PSIRT-Blogbeitrag über beobachtete Kompromittierungen durch mehrere bekannte Schwachstellen im Betriebssystem FortiOS der Firewall- Serie FortiGate [FORT25]. [..] Fortinet konnte beobachten, wie Angreifende die genannten Schwachstellen nutzten, um sich persistenten Lesezugriff auf verwundbaren FortiGates zu verschaffen. [..] IT-Sicherheitsverantwortliche sollten prüfen, ob sie selbst betroffen waren oder sind und weitere Schutzmaßnahmen ergreifen. --------------------------------------------- https://www.bsi.bund.de/SharedDocs/Cybersicherheitswarnungen/DE/2025/2025-2… ∗∗∗ Researcher uncovers dozens of sketchy Chrome extensions with 4 million installs ∗∗∗ --------------------------------------------- Google is hosting dozens of extensions in its Chrome Web Store that perform suspicious actions on the more than 4 million devices that have installed them and that their developers have taken pains to carefully conceal. --------------------------------------------- https://arstechnica.com/security/2025/04/researcher-uncovers-dozens-of-sket… ∗∗∗ Tycoon2FA New Evasion Technique for 2025 ∗∗∗ --------------------------------------------- The Tycoon 2FA phishing kit has adopted several new evasion techniques aimed at slipping past endpoints and detection systems. These include using a custom CAPTCHA rendered via HTML5 canvas, invisible Unicode characters in obfuscated JavaScript, and anti-debugging scripts to thwart inspection. This blog takes a closer look at these methods to better understand how this kit is evolving and what defenders should be aware of. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/tycoon2fa-n… ∗∗∗ Pixel-Perfect Trap: The Surge of SVG-Borne Phishing Attacks ∗∗∗ --------------------------------------------- Ever thought an image file could be part of a cyber threat? The Trustwave SpiderLabs Email Security team has identified a major spike in SVG image-based attacks, where harmless-looking graphics are being used to hide dangerous links. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pixel-perfe… ∗∗∗ Palo Alto Networks Warns of Brute-Force Attempts Targeting PAN-OS GlobalProtect Gateways ∗∗∗ --------------------------------------------- Palo Alto Networks has revealed that its observing brute-force login attempts against PAN-OS GlobalProtect gateways, days after threat actors warned of a surge in suspicious login scanning activity targeting its appliances. --------------------------------------------- https://thehackernews.com/2025/04/palo-alto-networks-warns-of-brute-force.h… ∗∗∗ Vorsicht vor gefälschten card complete Anrufen! ∗∗∗ --------------------------------------------- Derzeit kommt es zu betrügerischen Anrufen im Namen der Kreditkartenfirma card complete. Kriminelle setzen dabei Spoofing ein, um vorzutäuschen, dass es sich um seriöse Anrufe handelt. Ihr Ziel ist es, an sensible Daten wie Passwörter und Codes zu gelangen. Sollten Sie so einen Anruf erhalten, legen Sie sofort auf und blockieren Sie die Nummer. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-gefaelschten-card-compl… ∗∗∗ Malicious NPM Packages Targeting PayPal Users ∗∗∗ --------------------------------------------- FortiGuard Labs has recently discovered a series of malicious NPM packages designed to steal sensitive information from compromised systems. These packages are believed to have been created between March 5 and March 14 by a threat actor known as tommyboy_h1 and tommyboy_h2 to target PayPal users. [..] These attacks function by using a "preinstall hook" in malicious NPM packages, automatically running a script when the package is installed. --------------------------------------------- https://feeds.fortinet.com/~/916527947/0/fortinet/blogs~Malicious-NPM-Packa… ∗∗∗ Security audit of PHP-SRC ∗∗∗ --------------------------------------------- The Open Source Technology Improvement Fund, Inc, thanks to funding provided by Sovereign Tech Fund, engaged with Quarkslab to perform a security audit of PHP-SRC, the interpreter of the PHP language. The audit aimed to assist PHPs core developers and the community in strengthening the projects security ahead of the upcoming PHP 8.4 release. --------------------------------------------- http://blog.quarkslab.com/security-audit-of-php-src.html ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (delve and golang and go-toolset:rhel8), Debian (webkit2gtk), Fedora (openvpn, thunderbird, uboot-tools, and zabbix), SUSE (expat, fontforge, govulncheck-vulndb, and kernel), and Ubuntu (haproxy and libsoup2.4, libsoup3). --------------------------------------------- https://lwn.net/Articles/1017197/ ∗∗∗ Sonicwall Netextender: Sicherheitslecks gefährden Windows-Client ∗∗∗ --------------------------------------------- In der Sicherheitsmitteilung schreiben die Sonicwall-Entwickler, dass insbesondere der Windows-Client der SSL-VPN-Software Netextender betroffen ist. Das größte Risiko geht von einer unzureichenden Rechteverwaltung in Sonicwall Netextender Windows, sowohl in der 32- als auch der 64-Bit-Version, aus. Angreifer mit niedrigen Rechten können dadurch Konfigurationen verändern (CVE-2025-23008, CVSS 7.2, Risiko "hoch"). --------------------------------------------- https://heise.de/-10349117 ∗∗∗ Subnet Solutions PowerSYSTEM Center ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-100-08 ∗∗∗ Rockwell Automation Arena ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-100-07 ∗∗∗ INFINITT Healthcare INFINITT PACS ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-100-01 ∗∗∗ F5: K000150813: Linux kernel vulnerability CVE-2024-50252 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000150813 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.04.2025
by Daily end-of-shift report 10 Apr '25

10 Apr '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 09-04-2025 18:00 − Donnerstag 10-04-2025 18:00 Handler: Felician Fuchs Co-Handler: Guenes Holler ===================== = News = ===================== ∗∗∗ Hackers target SSRF bugs in EC2-hosted sites to steal AWS credentials ∗∗∗ --------------------------------------------- A targeted campaign exploited Server-Side Request Forgery (SSRF) vulnerabilities in websites hosted on AWS EC2 instances to extract EC2 Metadata, which could include Identity and Access Management (IAM) credentials from the IMDSv1 endpoint. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-target-ssrf-bugs-in-… ∗∗∗ Oracle-Einbruch: Schweigen und Kleingerede ∗∗∗ --------------------------------------------- Über zwei Wochen nach Bekanntwerden eines Datenlecks in einer seiner Cloud-Umgebungen wandte sich Oracle nun mit einer E-Mail an Kunden. In der Stellungnahme bemühte sich der Konzern, den Angriff und dessen Auswirkungen kleinzuschreiben. [..] Tatsächlich liegen heise security Demo-Datensätze vor, die direkt vom Angreifer stammen. In diesen sind weit mehr als lediglich Usernamen zu finden – neben E-Mail-Adressen, verschiedenen Passworthashes und den Oracle-internen Tenant-Kennungen finden sich auch die Namen der betroffenen Systeme sowie eine Vielzahl von Zeitstempeln. Diese erstrecken sich bis in den März 2025. --------------------------------------------- https://www.heise.de/news/Oracle-Einbruch-Unternehmen-gibt-Datenklau-zu-und… ∗∗∗ Günstige PV-Komponenten aus Insolvenzmasse abzugeben? Vorsicht, Betrug! ∗∗∗ --------------------------------------------- Eine Anwaltskanzlei hat sich bei Ihnen gemeldet und bietet günstige Photovoltaik-Komponenten aus einem Insolvenzverkauf? Sie sollen rasch antworten, weil die Nachfrage hoch ist? Dann versuchen grade Betrüger:innen, an Ihr Geld zu kommen! Besonders gefährlich: Das insolvente Unternehmen und die Anwaltskanzlei existieren tatsächlich, die Kriminellen nutzen sie als Tarnung für ihre Masche. --------------------------------------------- https://www.watchlist-internet.at/news/pv-komponenten-aus-konkursmasse/ ===================== = Vulnerabilities = ===================== ∗∗∗ Splunk Security Advisories Archive ∗∗∗ --------------------------------------------- Splunk has released security updates for multiple products patching 2 critical and multiple more high vulnerabilities. --------------------------------------------- https://advisory.splunk.com//advisories ∗∗∗ Palo Alto Networks Security Advisories ∗∗∗ --------------------------------------------- Palo Alto Networks has released multiple security advisories for its products, including a high-severity vulnerability affecting the Prisma Access Browser. --------------------------------------------- https://security.paloaltonetworks.com/ ∗∗∗ HPE Aruba: Sicherheitspatches für Access Points und weitere Hardware ∗∗∗ --------------------------------------------- HPE hat Sicherheitswarnungen zu Schwachstellen in diversen Netzwerkgeräten der Aruba-Tochtermarke veröffentlicht. Angreifer können durch die Sicherheitslecks teils sogar Schadcode auf verwundbare Geräte schleusen. --------------------------------------------- https://www.heise.de/news/HPE-Aruba-Sicherheitspatches-fuer-Access-Points-u… ∗∗∗ Sicherheitsupdates: Mit Drupal erstellte Website sind verwundbar ∗∗∗ --------------------------------------------- Drupal-Admins sollten sicherstellen, dass die von ihnen genutzten Module des Content Management Systems (CMS) auf dem aktuellen Stand sind. Geschieht das nicht, können Angreifer Websites im schlimmsten Fall kompromittieren. --------------------------------------------- https://www.heise.de/news/Sicherheitsupdates-Mit-Drupal-erstellte-Website-s… ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (March 31, 2025 to April 6, 2025) ∗∗∗ --------------------------------------------- Last week, there were 527 vulnerabilities disclosed in 464 WordPress Plugins and 19 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 85 Vulnerability Researchers that contributed to WordPress Security last week. --------------------------------------------- https://www.wordfence.com/blog/2025/04/wordfence-intelligence-weekly-wordpr… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (tomcat and webkit2gtk3), Debian (chromium), Fedora (ghostscript), Mageia (atop, docker-containerd, and xz), Red Hat (go-toolset:rhel8), SUSE (apache2-mod_auth_openidc, apparmor, etcd, expat, firefox, kernel, libmozjs-128-0, and libpoppler-cpp2), and Ubuntu (dino-im, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-fips, linux-fips, linux-aws-fips, linux-azure-fips, linux-gcp-fips, opensc, and poppler). --------------------------------------------- https://lwn.net/Articles/1017043/ ∗∗∗ Wordpress: 100.000 Instanzen durch Lücke in SureTriggers-Plug-in gefährdet ∗∗∗ --------------------------------------------- In einem Blog-Beitrag erörtern die IT-Forscher von Wordfence, dass es Angreifer aus dem Netz ohne vorherige Authentifizierung administrative Nutzerkonten erstellen können. Sofern kein API-Key in dem SureTriggers-Plug-in eingerichtet ist, können Angreifer dadurch Administrator-Nutzer hinzufügen und damit Wordpress-Instanzen vollständig kompromittieren (CVE-2025-3102, CVSS 8.1. Risiko "hoch"). --------------------------------------------- https://heise.de/-10346837 ∗∗∗ Dell PowerScale OneFS: Standard-Passwort ermöglicht Account-Übernahme ∗∗∗ --------------------------------------------- Angreifer können an insgesamt sechs Schwachstellen ansetzen, um Netzwerkspeicher (NAS) mit Dells Betriebssystem PowerScale OneFS zu attackieren. Im schlimmsten Fall können Angreifer die volle Kontrolle über Geräte erlangen. --------------------------------------------- https://heise.de/-10347097 ∗∗∗ Juniper 2025-01 Security Bulletin: Junos Space: Multiple vulnerabilities resolved in 24.1R2 release ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2025-01-Security-Bulletin-Junos… ∗∗∗ F5 K000150784: OpenSSL vulnerability CVE-2024-13176 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000150784 ∗∗∗ Multiple vulnerabilities in MedDream PACS Server ∗∗∗ --------------------------------------------- https://www.cybersecurity-help.cz/vdb/SB2025041027 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.04.2025
by Daily end-of-shift report 09 Apr '25

09 Apr '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 08-04-2025 18:00 − Mittwoch 09-04-2025 18:00 Handler: Felician Fuchs Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Regierung will Messenger-Überwachung vor dem Sommer beschließen ∗∗∗ --------------------------------------------- Das Innenministerium hat im Rahmen der Regierungsklausur im Kanzleramt den Begutachtungsentwurf zur Messenger-Überwachung vorgelegt. Beschlossen werden soll die Messenger-Überwachung noch vor dem Sommer. Wirksam werden soll sie aber erst mit 2027. --------------------------------------------- https://futurezone.at/netzpolitik/messenger-ueberwachung-whatsapp-oesterrei… ∗∗∗ Obfuscated Malicious Python Scripts with PyArmor, (Wed, Apr 9th) ∗∗∗ --------------------------------------------- Obfuscation is very important for many developers. They may protect their code for multiple reasons like copyright, anti-cheat (games), or to protect their code from being reused. If an obfuscated program does not mean automatically that it is malicious, its often a good sign. For malware developers, obfuscation helps bypass many static security controls and slows down the reverse analysis process. Yesterday, I spotted some malicious Python scripts that were protected using the same technique: PyArmor. --------------------------------------------- https://isc.sans.edu/diary/rss/31840 ∗∗∗ Vorsicht, Abo-Falle: SPAR verlost kein Besteckset von WMF! ∗∗∗ --------------------------------------------- In vielen E-Mail-Postfächern taucht aktuell eine angeblich von SPAR stammende Nachricht auf. Das Handelsunternehmen soll ein Besteckset für zwölf Personen von WMF verlosen. Tatsächlich versteckt sich hinter dieser Masche nichts anderes als eine Abo-Falle. --------------------------------------------- https://www.watchlist-internet.at/news/abo-falle-spar-besteckset/ ∗∗∗ The Renaissance of NTLM Relay Attacks: Everything You Need to Know ∗∗∗ --------------------------------------------- While there are many great resources on this old attack, I wanted to consolidate everything you need to know about NTLM into a single post, allowing it to be as long as needed, and I hope everyone will be able to learn something new. --------------------------------------------- https://posts.specterops.io/the-renaissance-of-ntlm-relay-attacks-everythin… ∗∗∗ OpenSSL 3.5.0 enthält nun Post-Quanten-Verfahren ∗∗∗ --------------------------------------------- OpenSSL fügt mit der neuen LTS-Version 3.5.0 seiner Bibliothek die Post-Quanten-Verfahren ML-KEM, ML-DSA und SLH-DSA hinzu. --------------------------------------------- https://heise.de/-10345122 ∗∗∗ OpenSSH 10 setzt auf Standards für quantensicheren Schlüsselaustausch ∗∗∗ --------------------------------------------- Der seit Jahren abgekündigte DSA-Algorithmus verschwindet nun vollständig aus der sicheren Remote-Shell, seine Nachfolge tritt MLKEM768 an. --------------------------------------------- https://heise.de/-10345975 ===================== = Vulnerabilities = ===================== ∗∗∗ Microsoft-Patchday behebt aktiv ausgenutzte Sicherheitslücke ∗∗∗ --------------------------------------------- Microsoft hat zum April-Patchday (8. April) Aktualisierungen für mehrere kritische Schwachstellen in ihren Produkten veröffentlicht. Eine dieser Lücken wird laut dem Unternehmen bereits aktiv ausgenutzt. Konkret handelt es sich dabei um die Sicherheitslücke CVE-2025-29824, welche mit einem CVSS-Wert von 7.8 bewertet ist. Durch das Ausnutzen eines sogenannten Use-after-free-Bugs können Angreifer:innen mit einfachen Benutzer:innenrechten vollständige Systemrechte erlangen. --------------------------------------------- https://www.cert.at/de/aktuelles/2025/4/microsoft-patchday-behebt-aktiv-aus… ∗∗∗ Microsoft Security Update Summary (8. April 2025) ∗∗∗ --------------------------------------------- Microsoft hat am 8. April 2025 Sicherheitsupdates für Windows-Clients und -Server, für Office – sowie für weitere Produkte – veröffentlicht. Die Sicherheitsupdates beseitigen 121 Schwachstellen (CVEs), eine davon wurde als 0-day klassifiziert. --------------------------------------------- https://www.borncity.com/blog/2025/04/09/microsoft-security-update-summary-… ∗∗∗ Whatsapp-Lücke gefährdet Windows-Nutzer ∗∗∗ --------------------------------------------- Konkret geht es um die Sicherheitslücke CVE-2025-30401, die mit einem CVSS-Wert von 6,7 als mittelschwer eingestuft ist. Gründe für die vergleichsweise milde Einstufung sind unter anderem eine hohe Angriffskomplexität sowie eine erforderliche Nutzerinteraktion. Dennoch sind die Ausnutzbarkeit sowie die möglichen Auswirkungen der Schwachstelle nicht zu unterschätzen. --------------------------------------------- https://www.golem.de/news/malware-im-anmarsch-whatsapp-luecke-gefaehrdet-wi… ∗∗∗ CISA Warns of CentreStacks Hard-Coded MachineKey Vulnerability Enabling RCE Attacks ∗∗∗ --------------------------------------------- The vulnerability, tracked as CVE-2025-30406 (CVSS score: 9.0), concerns a case of a hard-coded cryptographic key that could be abused to achieve remote code execution. It has been addressed in version 16.4.10315.56368 released on April 3, 2025. --------------------------------------------- https://thehackernews.com/2025/04/cisa-warns-of-centrestacks-hard-coded.html ∗∗∗ 2025-04-09 Juniper Security Advisories ∗∗∗ --------------------------------------------- Juniper has released 25 new security advisories. --------------------------------------------- https://supportportal.juniper.net/s/global-search/%40uri?language=en_US#sor… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (lemonldap-ng, libbssolv-perl, and phpmyadmin), Fedora (augeas, mariadb10.11, and thunderbird), Oracle (gimp, libxslt, python3.11, python3.12, tomcat, and xorg-x11-server), Red Hat (expat, grafana, opentelemetry-collector, and webkit2gtk3), SUSE (azure-cli-core, doomsday, kernel, and poppler), and Ubuntu (dotnet8, dotnet9, erlang, and poppler). --------------------------------------------- https://lwn.net/Articles/1016923/ ∗∗∗ New Adobe Security Update Fixes Critical Exploits — Don’t Delay Your Update ∗∗∗ --------------------------------------------- https://thecyberexpress.com/adobe-security-update-fixes-vulnerabilities/ ∗∗∗ Joomla [20250401] - Framework - SQL injection vulnerability in quoteNameStr method of Database package ∗∗∗ --------------------------------------------- https://developer.joomla.org/security-centre/963-20250401-framework-sql-inj… ∗∗∗ Joomla [20250402] - Core - MFA Authentication Bypass ∗∗∗ --------------------------------------------- https://developer.joomla.org/security-centre/964-20250402-core-mfa-authenti… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.04.2025
by Daily end-of-shift report 08 Apr '25

08 Apr '25

===================== = End-of-Day report = ===================== Timeframe: Montag 07-04-2025 18:00 − Dienstag 08-04-2025 18:00 Handler: Guenes Holler Co-Handler: Felician Fuchs ===================== = News = ===================== ∗∗∗ Malicious VSCode extensions infect Windows with cryptominers ∗∗∗ --------------------------------------------- Nine VSCode extensions on Microsofts Visual Studio Code Marketplace pose as legitimate development tools while infecting users with the XMRig cryptominer to mine Ethereum and Monero. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malicious-vscode-extensions-… ∗∗∗ Dangerous, Windows-Hijacking Neptune RAT Scurries Into Telegram, YouTube ∗∗∗ --------------------------------------------- The malwares creators insist a new open source version of Neptune is for educational use by pen testers, but a raft of sophisticated backdoor and evasion capabilities says otherwise. --------------------------------------------- https://www.darkreading.com/cloud-security/windows-hijacking-neptune-rat-te… ∗∗∗ 100 Days of YARA: Writing Signatures for .NET Malware ∗∗∗ --------------------------------------------- If YARA signatures for .NET assemblies only rely on strings, they are very limited. We explore more detection opportunities, including IL code, method signature definitions and specific custom attributes. Knowledge about the underlying .NET metadata structures, tokens and streams helps to craft more precise and efficient signatures, even in cases where relevant malware samples might be unavailable. --------------------------------------------- https://feeds.feedblitz.com/~/916366745/0/gdatasecurityblog-en~Days-of-YARA… ∗∗∗ Attackers distributing a miner and the ClipBanker Trojan via SourceForge ∗∗∗ --------------------------------------------- Malicious actors are using SourceForge to distribute a miner and the ClipBanker Trojan while utilizing unconventional persistence techniques. --------------------------------------------- https://securelist.com/miner-clipbanker-sourceforge-campaign/116088/ ∗∗∗ Inside Black Basta: Uncovering the Secrets of a Ransomware Powerhouse ∗∗∗ --------------------------------------------- In February 2025, the cybersecurity community witnessed an unprecedented leak that exposed the internal operations of Black Basta, a prolific ransomware group. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/inside-blac… ∗∗∗ Vorsicht beim Autoverkauf: Betrug mit gefälschten Fahrzeugberichten ∗∗∗ --------------------------------------------- Sie wollen Ihr Auto online verkaufen? Dann kann es vorkommen, dass potenzielle Käufer:innen einen Fahrzeugbericht verlangen, angeblich um den Zustand Ihres Gebrauchtwagens besser einschätzen zu können. Doch Vorsicht: Hinter dieser Aufforderung steckt oft der Versuch, Sie auf unseriöse Websites zu locken. Diese liefern gefälschte Berichte und führen Sie in teure Kostenfallen. --------------------------------------------- https://www.watchlist-internet.at/news/betrug-mit-gefaelschten-fahrzeugberi… ∗∗∗ 2025 Ransomware: Business as Usual, Business is Booming ∗∗∗ --------------------------------------------- Rapid7 Labs took a look at internal and publicly-available ransomware data for Q1 2025 and added our own insights to provide a picture of the year thus far—and what you can do now to reduce your attack surface against ransomware. --------------------------------------------- https://www.rapid7.com/blog/post/2025/04/08/2025-ransomware-business-as-usu… ∗∗∗ PyTorch Lightning Exposes Users to Remote Code Execution via Deserialization Vulnerabilities ∗∗∗ --------------------------------------------- PyTorch Lightning, a widely adopted deep learning framework developed by Lightning AI, has been impacted by multiple critical deserialization vulnerabilities, disclosed under VU#252619. These issues affect all versions up to and including 2.4.0 and may lead to arbitrary code execution when loading untrusted model files.The vulnerabilities were reported by Kasimir Schulz of HiddenLayer and coordinated by the CERT Coordination Center (CERT/CC) at Carnegie Mellon University. --------------------------------------------- https://socket.dev/blog/pytorch-lightning-deserialization-vulnerabilities?u… ===================== = Vulnerabilities = ===================== ∗∗∗ Spionage möglich: Google patcht teils aktiv ausgenutzte Android-Lücken ∗∗∗ --------------------------------------------- Mit den Android-Updates für April schließt Google mehr als 60 Sicherheitslücken. Vier davon sind kritisch, zwei werden bereits aktiv ausgenutzt. --------------------------------------------- https://www.golem.de/news/spionage-moeglich-google-patcht-teils-aktiv-ausge… ∗∗∗ Ivanti: Security Advisory April 2025 for Ivanti EPM 2024 and EPM 2022 SU6 ∗∗∗ --------------------------------------------- Ivanti has released updates for Ivanti Endpoint Manager which addresses medium and high vulnerabilities. We are not aware of any customers being exploited by these vulnerabilities at the time of disclosure. --------------------------------------------- https://forums.ivanti.com/s/article/Security-Advisory-EPM-April-2025-for-EP… ∗∗∗ HCL: Sicherheitslücken in BigFix, DevOps und mehr Produkten ∗∗∗ --------------------------------------------- Zum Stopfen von Sicherheitslücken in HCL BigFix, DevOps, Traveler und Connections stellt HCL Software nun Updates bereit. Die Lücken gelten teils als kritisch. IT-Verantwortliche sollten die Updates zügig anwenden. Am schwersten hat es HCL BigFix WebUI, also die Management-Oberfläche für BigFix, getroffen. Mehrere Schwachstellen sind in den darin verwendeten Open-Source-Komponenten, davon ist eine in canvg 4.0.2 als kritisch eingestuft (CVE-2025-25977, CVSS 9.8) sowie zwei in xml-crypto (CVE-2025-29774, CVE-2025-29775, beide CVSS 9.3). --------------------------------------------- https://www.heise.de/news/HCL-Sicherheitsluecken-in-BigFix-DevOps-und-mehr-… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (gimp, libxslt, python3.11, python3.12, and tomcat), Debian (ghostscript and libnet-easytcp-perl), Fedora (openvpn, perl-Data-Entropy, and webkitgtk), Red Hat (python-jinja2), SUSE (giflib, pam, and xen), and Ubuntu (apache2, binutils, expat, fis-gtm, linux-azure, linux-azure-6.8, linux-nvidia-lowlatency, linux-azure, linux-azure-fde, linux-azure-5.15, linux-azure-fde-5.15, linux-azure-fips, linux-gcp-fips, linux-hwe-5.4, linux-nvidia, linux-nvidia-tegra-igx, ruby2.7, ruby3.0, ruby3.2, ruby3.3, and vim). --------------------------------------------- https://lwn.net/Articles/1016774/ ∗∗∗ ZDI-25-206: Amazon AWS CloudFormation Templates Uncontrolled Search Path Element Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-206/ ∗∗∗ ZDI-25-205: Amazon AWS CloudFormation Templates Uncontrolled Search Path Element Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-205/ ∗∗∗ Fortinet: No certificate name verification for fgfm connection ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-24-046 ∗∗∗ Fortinet: Unverified password change via set_password endpoint ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-24-435 ∗∗∗ f5 K000150744: PostgreSQL vulnerability CVE-2025-1094 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000150744 ∗∗∗ f5 K000150749: Python vulnerability CVE-2024-4032 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000150749 ∗∗∗ SAP Security Patch Day – April 2025 ∗∗∗ --------------------------------------------- https://redrays.io/blog/sap-security-patch-day-april-2025/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.04.2025
by Daily end-of-shift report 07 Apr '25

07 Apr '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 04-04-2025 18:00 − Montag 07-04-2025 18:00 Handler: Guenes Holler Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Vidar Stealer: Revealing A New Deception Strategy ∗∗∗ --------------------------------------------- Vidar Stealer, an infamous information-stealing malware, first appeared in 2018 and has since been used by cybercriminals to harvest sensitive data via browser cookies, stored credentials, financial information, and the like. [..] One recent example is PirateFi, a free-to-play game released on Steam on February 6, 2025. Marketed as a beta version, it concealed Vidar Stealer within its files, infecting unsuspecting players upon installation. This incident highlights how threat actors are increasingly targeting gaming platforms to spread malware. --------------------------------------------- https://feeds.feedblitz.com/~/916316261/0/gdatasecurityblog-en~Vidar-Steale… ∗∗∗ How ToddyCat tried to hide behind AV software ∗∗∗ --------------------------------------------- While analyzing a malicious DLL library used in attacks by APT group ToddyCat, Kaspersky expert discovered the CVE 2024-11859 vulnerability in a component of ESET’s EPP solution. --------------------------------------------- https://securelist.com/toddycat-apt-exploits-vulnerability-in-eset-software… ∗∗∗ PoisonSeed Exploits CRM Accounts to Launch Cryptocurrency Seed Phrase Poisoning Attacks ∗∗∗ --------------------------------------------- A malicious campaign dubbed PoisonSeed is leveraging compromised credentials associated with customer relationship management (CRM) tools and bulk email providers to send spam messages containing cryptocurrency seed phrases in an attempt to drain victims digital wallets. [..] The attacks involve the threat actors setting up lookalike phishing pages for prominent CRM and bulk email companies, aiming to trick high-value targets into providing their credentials. --------------------------------------------- https://thehackernews.com/2025/04/poisonseed-exploits-crm-accounts-to.html ∗∗∗ Microsoft AI findet Schwachstellen in Open-Source-Boot-Loader ∗∗∗ --------------------------------------------- Microsoft hat seine AI-Lösung Microsoft Security CoPilot verwendet, um mehrere Boot-Loader, darunter den von Linux verwendeten Open-Source-Boot-Loader Grub, sowie U-boot und Barebox, auf Schwachstellen abzuklopfen. Dabei wurden gleich mehrere Schwachstellen entdeckt – wobei die Verwendung von AI das Auffinden von Schwachstellen beschleunigt. --------------------------------------------- https://www.borncity.com/blog/2025/04/06/microsoft-ai-findet-schwachstellen… ∗∗∗ Windows Remote Desktop Protocol: Remote to Rogue ∗∗∗ --------------------------------------------- In October 2024, Google Threat Intelligence Group (GTIG) observed a novel phishing campaign targeting European government and military organizations that was attributed to a suspected Russia-nexus espionage actor we track as UNC5837. The campaign employed signed .rdp file attachments to establish Remote Desktop Protocol (RDP) connections from victims' machines. [..] This section focuses on collecting forensic information, hardening systems, and developing detections for RDP techniques used in the campaign. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/windows-rogue-remo… ===================== = Vulnerabilities = ===================== ∗∗∗ Packprogramm: Sicherheitslücke in Winrar begünstigt Ausführung von Malware ∗∗∗ --------------------------------------------- Mit der neuesten Winrar-Version hat der Entwickler eine Sicherheitslücke gepatcht. [..] Die besagte Schwachstelle ist als CVE-2025-31334 registriert. Allzu viele Details lassen sich der Schwachstellenbeschreibung nicht entnehmen. Darin wird lediglich in Verbindung mit Winrar-Versionen vor 7.11 auf die Möglichkeit der Umgehung des Mark of the Web mittels symbolischer Links hingewiesen. [..] Wer Winrar auf seinem System installiert hat und sich vor CVE-2025-31334 schützen will, sollte die Software daher auf die neueste Version aktualisieren. Dies ist derzeit die Version 7.11, die am 24. März veröffentlicht wurde. --------------------------------------------- https://www.golem.de/news/packprogramm-winrar-luecke-erleichtert-ausfuehrun… ∗∗∗ Bitdefender GravityZone: Kritische Sicherheitslücke gefährdet Nutzer ∗∗∗ --------------------------------------------- Der Business-Malwareschutz GravityZone von Bitdefender weist eine kritische Sicherheitslücke auf. [..] Das Update auf Bitdefender GravityZone Console 6.41.2-1 soll die sicherheitsrelevanten Fehler ausbessern. Für den GravityZone Update Server steht als fehlerkorrigierte Fassung der Stand 3.5.2.689 oder neuer bereit. Bitdefender gibt an, dass es in der Regel automatisch erfolgt. Dennoch sollten Admins überprüfen, ob sie bereits auf diesem oder einem neueren Stand sind. --------------------------------------------- https://heise.de/-10342193 ∗∗∗ XZ-Utils: Schwachstelle ermöglicht vermutlich Codeschmuggel ∗∗∗ --------------------------------------------- Die Schwachstelle behandelt eine Sicherheitsmitteilung auf Github. "Ungültige Eingabedaten können zumindest in einen Absturz münden", erklären die Autoren. "Die Effekte umfassen eine Nutzung des Heaps nach einer free-Operation sowie das Schreiben an eine Adresse basierend auf dem Null-Pointer zuzüglich eines Offsets", schreiben sie weiter. Apps und Bibliotheken, die die Funktion lzma_stream_decoder_mt nutzen, sind betroffen (CVE-2025-31115, CVSS 8.7, Risiko "hoch"). --------------------------------------------- https://heise.de/-10343043 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (abseil, atop, jetty9, ruby-saml, tomcat10, trafficserver, xz-utils, and zfs-linux), Fedora (chromium, condor, containernetworking-plugins, cri-tools1.29, crosswords-puzzle-sets-xword-dl, exim, ghostscript, matrix-synapse, upx, varnish, and yarnpkg), Gentoo (XZ Utils), Mageia (augeas, corosync, nss & firefox, and thunderbird), Oracle (container-tools:ol8, firefox, freetype, and kernel), Red Hat (firefox), SUSE (chromium, gn, firefox-esr, go1.23-1.23.8, go1.24, go1.24-1.24.2, google-guest-agent, govulncheck-vulndb, gsl, python311-ecdsa, thunderbird, and webkit2gtk3), and Ubuntu (kamailio, libdbd-mysql-perl, linux-nvidia, linux-nvidia-6.8, and tomcat9). --------------------------------------------- https://lwn.net/Articles/1016663/ ∗∗∗ B&R: 2024-05-14 (**Updated 2025-04-03**)- Cyber Security Advisory - Insecure Loading of Code in B&R Products ∗∗∗ --------------------------------------------- https://www.br-automation.com/fileadmin/SA24P005_Insecure_Loading_of_Code-c… ∗∗∗ ABB: 2025-04-07: Cyber Security Advisory - ABB Arctic communication solution ARM600 Vulnerabilities ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=2NGA002579&Language… ∗∗∗ ABB: 2025-04-07: Cyber Security Advisory - ABB Arctic ARG600, ARC600, ARR600, ARP600 Arctic Wireless Gateway Modem Module and OpenSSH vulnerabilities ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=2NGA002427&Language… ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2025-0003 ∗∗∗ --------------------------------------------- https://webkitgtk.org/security/WSA-2025-0003.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.04.2025
by Daily end-of-shift report 04 Apr '25

04 Apr '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 03-04-2025 18:00 − Freitag 04-04-2025 18:00 Handler: Guenes Holler Co-Handler: Felician Fuchs ===================== = News = ===================== ∗∗∗ Europcar GitLab breach exposes data of up to 200,000 customers ∗∗∗ --------------------------------------------- A hacker breached the GitLab repositories of multinational car-rental company Europcar Mobility Group and stole source code for Android and iOS applications, as well as some personal information belonging to up to 200,000 users. --------------------------------------------- https://www.bleepingcomputer.com/news/security/europcar-gitlab-breach-expos… ∗∗∗ Is The Sofistication In The Room With Us? - X-Forwarded-For and Ivanti Connect Secure (CVE-2025-22457) ∗∗∗ --------------------------------------------- Exploitation is always a tricky subject. Vendors want to minimize disruption to their userbase and avoid unnecessary patching, but they also need to balance that with the userbase's safety. [..] It appears that this is what happened here - Ivanti made a judgment call, believing that exploiting the vulnerability, given the requirement that the payload must comprise only of 0123456789., was impossible. Unfortunately, an advanced attacker seems to have proved them wrong. --------------------------------------------- https://labs.watchtowr.com/is-the-sofistication-in-the-room-with-us-x-forwa… ∗∗∗ NVD Quietly Sweeps 100K+ CVEs Into a “Deferred” Black Hole ∗∗∗ --------------------------------------------- Without much fanfare, the NVD has begun mass-labeling older CVEs as "Deferred," effectively giving up on enriching them with detailed metadata like CVSS scores, CWEs, and CPEs. In an April 2 update, the NVD announced that all CVEs published before 2018 will be marked as Deferred—a move thats already resulted in 20,000 Deferred CVEs overnight, with potentially 100,000 more to come: All CVEs with a published date prior to 01/01/2018 will be marked as Deferred within the NVD. --------------------------------------------- https://socket.dev/blog/nvd-quietly-sweeps-100k-cves-into-a-deferred-black-… ∗∗∗ Lazarus Expands Malicious npm Campaign: 11 New Packages Add Malware Loaders and Bitbucket Payloads ∗∗∗ --------------------------------------------- North Korean threat actors behind the Contagious Interview operation have expanded their presence in the npm ecosystem, publishing additional malicious packages that deliver the previously identified BeaverTail malware and introducing new packages with remote access trojan (RAT) loader functionality. These latest samples employ hexadecimal string encoding to evade automated detection systems and manual code audits, signaling a variation in the threat actors’ obfuscation techniques. --------------------------------------------- https://socket.dev/blog/lazarus-expands-malicious-npm-campaign-11-new-packa… ===================== = Vulnerabilities = ===================== ∗∗∗ DWFX File Parsing Vulnerabilities in Autodesk Navisworks Desktop Software ∗∗∗ --------------------------------------------- Autodesk Navisworks is affected by multiple DWFX vulnerabilities listed below. Exploitation of these vulnerabilities can lead to code execution. Exploitation of these vulnerabilities requires user interaction. --------------------------------------------- https://www.autodesk.com/trust/security-advisories/adsk-sa-2025-0002 ∗∗∗ Kritische Lücke mit Höchstwertung in Apache Parquet geschlossenen ∗∗∗ --------------------------------------------- Wie aus einem Eintrag in der Openwall-Mailingliste hervorgeht, haben die Entwickler die Schwachstelle in der Version 1.15.1 geschlossen. Alle vorigen Ausgaben sind verwundbar. Die Lücke (CVE-2025-30065) gilt als "kritisch" und ist mit dem höchstmöglichen CVSS Score 10 von 10 eingestuft. Sie betrifft konkret das parquet-avro-Modul der Java-Bibliothek von Apache Parquet. --------------------------------------------- https://www.heise.de/news/Kritische-Luecke-mit-Hoechstwertung-in-Apache-Par… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (firefox), Debian (atop and thunderbird), Fedora (webkitgtk), Mageia (microcode), Oracle (expat), SUSE (apparmor, assimp-devel, aws-efs-utils, expat, firefox, ghostscript, go1.23, gotosocial, govulncheck-vulndb, GraphicsMagick, headscale, libmozjs-128-0, libsaml-devel, openvpn, perl-Data-Entropy, and xz), and Ubuntu (gnupg2, kernel, linux-azure-fips, linux-iot, openvpn, ruby-saml, and xz-utils). --------------------------------------------- https://lwn.net/Articles/1016484/ ∗∗∗ Cisco: Hochriskante Lücken in Meraki und Enterprise Chat ∗∗∗ --------------------------------------------- In der Anyconnect-VPN-Software von Ciscos Meraki MX- und Z-Reihen sowie in Enterprise Chat and Email haben die Entwickler Sicherheitslücken mit hohem Risiko entdeckt. Aktualisierte Firm- und Software steht bereit, um sie zu schließen. Admins sollten sie zügig installieren. --------------------------------------------- https://heise.de/-10340333 ∗∗∗ Hitachi Energy TRMTracker ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-093-02 ∗∗∗ B&R APROL ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-093-05 ∗∗∗ Hitachi Energy RTU500 Series ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-093-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.04.2025
by Daily end-of-shift report 03 Apr '25

03 Apr '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 02-04-2025 18:00 − Donnerstag 03-04-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ GitHub expands security tools after 39 million secrets leaked in 2024 ∗∗∗ --------------------------------------------- Over 39 million secrets like API keys and account credentials were leaked on GitHub throughout 2024, exposing organizations and users to significant security risks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/github-expands-security-tool… ∗∗∗ Hersteller warnt: Gefährliche Cisco-Backdoor wird aktiv ausgenutzt ∗∗∗ --------------------------------------------- Durch die Backdoor erhalten Angreifer dank statischer Zugangsdaten Admin-Zugriff auf ein Lizenzierungstool für Cisco-Produkte. --------------------------------------------- https://www.golem.de/news/hersteller-warnt-hacker-nutzen-eine-von-ciscos-ba… ∗∗∗ Cybersecurity Professor Faced China-Funding Inquiry Before Disappearing, Sources Say ∗∗∗ --------------------------------------------- A lawyer for Xiaofeng Wang and his wife says they are “safe” after FBI searches of their homes and Wang’s sudden dismissal from Indiana University, where he taught for over 20 years. --------------------------------------------- https://www.wired.com/story/xiaofeng-wang-indiana-university-research-probe… ∗∗∗ Belohnung für gefundene Sicherheitslücken in Fediverse-Software ausgelobt ∗∗∗ --------------------------------------------- Für Mastodon, Pixelfed & Co. sind einzelne und kleine Teams verantwortlich. Um deren Dienste sicherer zu machen, wird jetzt etwas Geld zur Verfügung gestellt. --------------------------------------------- https://www.heise.de/news/Belohnung-fuer-gefundene-Sicherheitsluecken-in-Fe… ∗∗∗ Vorsicht Phishing: Fake-SMS zu angeblichen Mahnungen des Finanzministeriums ∗∗∗ --------------------------------------------- Haben Sie eine SMS im Namen des Bundesministeriums für Finanzen (BMF) erhalten, in der Ihnen offene Schulden vorgeworfen werden? Droht die Nachricht mit einer bevorstehenden Pfändung, weil Sie angeblich schon mehrfach gemahnt wurden? Achtung: Zahlen Sie die Forderung nicht! Die Nachricht kommt nicht vom Finanzministerium und Ihr Geld landet bei Kriminellen. --------------------------------------------- https://www.watchlist-internet.at/news/fake-sms-zu-mahnungen-des-finanzmini… ∗∗∗ NSA, CISA, FBI, and International Partners Release Cybersecurity Advisory on “Fast Flux,” a National Security Threat ∗∗∗ --------------------------------------------- Today, CISA—in partnership with the National Security Agency (NSA), Federal Bureau of Investigation (FBI), Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), Canadian Centre for Cyber Security .. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/04/03/nsa-cisa-fbi-and-interna… ∗∗∗ New guidance on securing HTTP-based APIs ∗∗∗ --------------------------------------------- Why it’s essential to secure your APIs to build trust with your customers and partners. --------------------------------------------- https://www.ncsc.gov.uk/blog-post/new-guidance-on-securing-http-based-apis ∗∗∗ DPRK IT Workers Expanding in Scope and Scale ∗∗∗ --------------------------------------------- Since our September 2024 report outlining the Democratic Peoples Republic of Korea (DPRK) IT worker threat, the scope and scale of their operations has continued to expand. These individuals .. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/dprk-it-workers-ex… ∗∗∗ Suspected China-Nexus Threat Actor Actively Exploiting Critical Ivanti Connect Secure Vulnerability (CVE-2025-22457) ∗∗∗ --------------------------------------------- On Thursday, April 3, 2025, Ivanti disclosed a critical security vulnerability, CVE-2025-22457, impacting Ivanti Connect Secure (“ICS”) VPN appliances version 22.7R2.5 and earlier. CVE-2025-22457 is a buffer overflow vulnerability, and successful exploitation .. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-exploi… ∗∗∗ RolandSkimmer: Silent Credit Card Thief Uncovered ∗∗∗ --------------------------------------------- Web-based credit card skimming remains a widespread and persistent threat, known for its ability to adapt and evolve over time. FortiGuard Labs recently observed a sophisticated campaign dubbed “RolandSkimmer,” named .. --------------------------------------------- https://www.fortinet.com/blog/threat-research/rolandskimmer-silent-credit-c… ∗∗∗ Malicious PyPI Package Targets WooCommerce Stores with Automated Carding Attacks ∗∗∗ --------------------------------------------- The Socket research team recently discovered a malicious Python package on PyPI named disgrasya, which contains a fully automated carding script targeting WooCommerce stores. Unlike typical supply chain attacks that rely on deception or typosquatting, disgrasya made no attempt to appear legitimate. It was openly malicious, abusing PyPI as a distribution .. --------------------------------------------- https://socket.dev/blog/malicious-pypi-package-targets-woocommerce-stores-w… ===================== = Vulnerabilities = ===================== ∗∗∗ Obfuscate - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-029 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2025-029 ∗∗∗ Access code - Moderately critical - Access bypass - SA-CONTRIB-2025-028 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2025-028 ∗∗∗ SVD-2025-0402: Third-Party Package Updates in Splunk/UniversalForwarder Docker - April 2025 ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2025-0402 ∗∗∗ SVD-2025-0401: Third-Party Package Updates in Splunk/Splunk Docker - April 2025 ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2025-0401 ∗∗∗ Security Update: Pulse Connect Secure, Ivanti Connect Secure, Policy Secure and Neurons for ZTA Gateways ∗∗∗ --------------------------------------------- https://www.ivanti.com/blog/security-update-pulse-connect-secure-ivanti-con… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.04.2025
by Daily end-of-shift report 02 Apr '25

02 Apr '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 01-04-2025 18:00 − Mittwoch 02-04-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Unitree Go1: Gefährliche Backdoor in populärem Roboterhund entdeckt ∗∗∗ --------------------------------------------- Konkret geht es um das Modell Go1, das in der Vergangenheit bereits von den US-Marines für Testzwecke mit einem Waffensystem ausgestattet wurde. [..] Anhand der Backdoor konnte der Hersteller sowie auch jeder andere Akteur, der im Besitz des erforderlichen API-Schlüssels war, aus der Ferne die vollständige Kontrolle über den Unitree Go1 übernehmen. Der Zugriff erfolgte dabei über einen Cloudsail genannten Fernwartungsdienst. --------------------------------------------- https://www.golem.de/news/unitree-go1-gefaehrliche-backdoor-in-populaerem-r… ∗∗∗ Enterprise Gmail Users Can Now Send End-to-End Encrypted Emails to Any Platform ∗∗∗ --------------------------------------------- On the 21st birthday of Gmail, Google has announced a major update that allows enterprise users to send end-to-end encrypted (E2EE) to any user in any email inbox in a few clicks. The feature is rolling out starting today in beta, allowing users to send E2EE emails to Gmail users within an organization, with plans to send E2EE emails to any Gmail inbox in the coming weeks and to any email inbox later this year. --------------------------------------------- https://thehackernews.com/2025/04/enterprise-gmail-users-can-now-send-end.h… ∗∗∗ Administrative Windows Shares (C$, ADMIN$) mit Revoke-SmbShareAccess absichern ∗∗∗ --------------------------------------------- Windows erstellt standardmäßig spezielle, versteckte Freigaben (z. B. C$, ADMIN$, IPC$) für den Remote-Zugriff von Administratoren. Diese sind im Explorer grundsätzlich nicht sichtbar (ausgeblendet), können aber z.B. mittels folgendem PowerShell-CmdLet angezeigt werden: Was vielen nicht bewusst ist: Auch interaktiv angemeldet Benutzer (ohne Administrator-Rechte) können auf diese administrativen Freigaben lokal zugreifen ... --------------------------------------------- https://hitco.at/blog/administrative-windows-shares-c-admin-mit-revoke-smbs… ∗∗∗ Konzert der Lieblingsband ausverkauft? Vorsicht vor Fake-Angeboten auf Facebook! ∗∗∗ --------------------------------------------- Egal ob Superstars in riesigen Arenen oder interessante Newcomer in kleinen Clubs – Musik zieht Menschen an. Ist das Konzert der Lieblingsband allerdings ausverkauft, ist guter Rat teuer – und Vorsicht geboten! Betrüger:innen nutzen besonders die Anonymität sozialer Medien und locken dort Musikfans auf der Suche nach Tickets in die Falle. Woran die Fake-Angebote zu erkennen sind und wann unbedingt eine Anzeige bei der Polizei nötig ist. --------------------------------------------- https://www.watchlist-internet.at/news/lieblingsband-ausverkauft-faketicket… ∗∗∗ European Commission takes aim at end-to-end encryption and proposes Europol become an EU FBI ∗∗∗ --------------------------------------------- The Commission said it would create roadmaps regarding both the “lawful and effective access to data for law enforcement” and on encryption. --------------------------------------------- https://therecord.media/european-commission-takes-aim-encryption-europol-fb… ∗∗∗ Deutsche Industrie warnt vor Ende des EU-US-Datentransfer-Abkommens ∗∗∗ --------------------------------------------- Der Datentransfer in die US-Cloud oder zu US-Unternehmen von Daten europäischer Nutzer ist durch ein Abkommen zwischen der EU und den USA geregelt. Nun droht dieses Abkommen durch die USA gekippt zu werden – und deutsche Unternehmen geraten dadurch in arge Probleme, wenn sie auf US-Tech-Produkte und die Cloud gesetzt haben. Verbände "warnen vor dem Ende des Abkommens" – die europäischen Cloud-Anbieter (CISPE) sehen aber eine Chance, in Europa digital souverän zu werden. --------------------------------------------- https://www.borncity.com/blog/2025/04/02/deutsche-industrie-zittert-vor-end… ∗∗∗ Jailbreaking Every LLM With One Simple Click ∗∗∗ --------------------------------------------- In the past two years, large language models (LLMs), especially chatbots, have exploded onto the scene. Everyone and their grandmother are using them these days. Generative AI is pervasive in movies, academic papers, legal briefs and much more. There is intense competition among major players, ranging from closed-model vendors such as OpenAI, Anthropic, Google and xAI to open-source providers like Meta, Mistral, Alibaba and DeepSeek. --------------------------------------------- https://www.cyberark.com/resources/threat-research-blog/jailbreaking-every-… ∗∗∗ Heightened In-The-Wild Activity On Key Technologies Observed On March 28 ∗∗∗ --------------------------------------------- On March 28, GreyNoise observed a significant spike in activity targeting multiple edge technologies, including SonicWall, Zoho, Zyxel, F5, Linksys, and Ivanti systems. While some of these technologies are edge systems, others are primarily internal management tools. --------------------------------------------- https://www.greynoise.io/blog/heightened-in-the-wild-activity-key-technolog… ∗∗∗ Tomcat in the Crosshairs: New Research Reveals Ongoing Attacks ∗∗∗ --------------------------------------------- News headlines reported that it took just 30 hours for attackers to exploit a newly discovered vulnerability in Apache Tomcat servers. But what does this mean for workloads relying on Tomcat? Aqua Nautilus researchers discovered a new attack campaign targeting Apache Tomcat. In this blog, we shed light on newly discovered malware that targets Tomcat servers to hijack resources. --------------------------------------------- https://blog.aquasec.com/new-campaign-against-apache-tomcat ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr, jetty9, openjpeg2, and tomcat9), Fedora (dokuwiki, firefox, php-kissifrot-php-ixr, php-phpseclib3, and rust-zincati), Red Hat (kernel and pki-core), Slackware (mozilla), SUSE (apparmor, atop, docker, docker-stable, firefox, govulncheck-vulndb, libmodsecurity3, openvpn, upx, and warewulf4), and Ubuntu (inspircd, linux, linux-aws, linux-gcp, linux-gke, linux-gkeop, linux-ibm, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-oem-6.8, linux-oracle, linux-oracle-6.8, linux-aws, linux-aws-5.4, linux-aws-fips, linux-azure-6.8, linux-hwe-6.8, linux-raspi, linux-realtime, nginx, phpseclib, and vim). --------------------------------------------- https://lwn.net/Articles/1016205/ ∗∗∗ Sicherheitsupdates: Netzwerkmonitoringtool Zabbix bietet Angriffsfläche ∗∗∗ --------------------------------------------- Fünf Sicherheitslücken gefährden Computer, auf denen Zabbix installiert ist. [..] Am gefährlichsten gilt eine Schwachstelle (CVE-2024-36465 "hoch") in Zabbix API. Hier könnte ein Angreifer mit einem regulären Nutzerkonto ansetzen, um eigene SQL-Befehle auszuführen. Außerdem sind Reflected-XSS-Attacken (CVE-2024-45699 "hoch") möglich. Über diesen Weg können Angreifer Schadcode in Form einer JavaScript-Payload ausführen. --------------------------------------------- https://heise.de/-10337461 ∗∗∗ VMware Aria Operations: Sicherheitslücke erlaubt Rechteausweitung ∗∗∗ --------------------------------------------- In einer Sicherheitsmitteilung erörtern die VMware-Entwickler die Schwachstelle. Demnach wurde in einer "Responsible Disclosure" eine lokale Rechteausweitungslücke an VMware gemeldet. "Bösartige Akteure können ihre Rechte zu 'root' auf der Appliance ausweiten, auf der VMware Aria Operations läuft", erklärt das Unternehmen (CVE-2025-22231, CVSS 7.8, Risiko "hoch"). --------------------------------------------- https://heise.de/-10336721 ∗∗∗ VPN-Lücken in HPE Aruba Networking Virtual Intranet Access Client geschlossen ∗∗∗ --------------------------------------------- In einer Warnmeldung führen die Entwickler aus, dass der VIA-Client bis inklusive Version 4.7.0 verwundbar ist. Sie geben an, in der Ausgabe 4.7.2 zwei Sicherheitslücken (CVE-2024-3661 "hoch", CVE-2025-25041 "hoch") geschlossen zu haben. --------------------------------------------- https://heise.de/-10336851 ∗∗∗ Rockwell Automation Lifecycle Services with Veeam Backup and Replication ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-091-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.04.2025
by Daily end-of-shift report 01 Apr '25

01 Apr '25

===================== = End-of-Day report = ===================== Timeframe: Montag 31-03-2025 18:00 − Dienstag 01-04-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: Felician Fuchs ===================== = News = ===================== ∗∗∗ Lucid PhaaS Hits 169 Targets in 88 Countries Using iMessage and RCS Smishing ∗∗∗ --------------------------------------------- A new sophisticated phishing-as-a-service (PhaaS) platform called Lucid has targeted 169 entities in 88 countries using smishing messages propagated via Apple iMessage and Rich Communication Services (RCS) for Android. Lucids unique selling point lies in its weaponizing of legitimate communication platforms to sidestep traditional SMS-based detection mechanisms. --------------------------------------------- https://thehackernews.com/2025/04/lucid-phaas-hits-169-targets-in-88.html ∗∗∗ Rechnung ohne Auftrag: Betreiber gefälschter Firmenverzeichnisse versenden Mahnungen ∗∗∗ --------------------------------------------- Fake-Portale nehmen Unternehmen ohne deren Wissen in ihr Firmenverzeichnis auf und stellen anschließend per E-Mail eine Rechnung zu. Diese Schreiben sorgen für Verunsicherung, sind grundsätzlich aber substanzlos. Wer keine Registrierung beantragt hat, muss auch nichts bezahlen. --------------------------------------------- https://www.watchlist-internet.at/news/rechnungen-fake-firmenverzeichnisse/ ∗∗∗ Hacker Claims Breach of Check Point Cybersecurity Firm, Sells Access ∗∗∗ --------------------------------------------- Hacker claims breach of Israeli cybersecurity firm Check Point, offering network access and sensitive data for sale; company denies any recent incident. --------------------------------------------- https://hackread.com/hacker-breach-check-point-cybersecurity-firm-access/ ∗∗∗ Surge in Palo Alto Networks Scanner Activity Indicates Possible Upcoming Threats ∗∗∗ --------------------------------------------- Over the last 30 days, nearly 24,000 unique IP addresses have attempted to access these portals. The pattern suggests a coordinated effort to probe network defenses and identify exposed or vulnerable systems, potentially as a precursor to targeted exploitation. --------------------------------------------- https://www.greynoise.io/blog/surge-palo-alto-networks-scanner-activity ∗∗∗ CPU_HU: Fileless cryptominer targeting exposed PostgreSQL with over 1.5K victims ∗∗∗ --------------------------------------------- Wiz Threat Research identified a new variant of an ongoing malicious campaign targeting misconfigured and publicly exposed PostgreSQL servers. [..] Based on our analysis, the threat actor is assigning a unique mining worker to each victim. --------------------------------------------- https://www.wiz.io/blog/postgresql-cryptomining ===================== = Vulnerabilities = ===================== ∗∗∗ Apple Backports Critical Fixes for 3 Recent 0-Days Impacting Older iOS and macOS Devices ∗∗∗ --------------------------------------------- Apple on Monday backported fixes for three vulnerabilities that have come under active exploitation in the wild to older models and previous versions of the operating systems. The vulnerabilities in question are listed below -CVE-2025-24085 (CVSS score: 7.3) --------------------------------------------- https://thehackernews.com/2025/04/apple-backports-critical-fixes-for-3.html ∗∗∗ Apple security releases ∗∗∗ --------------------------------------------- Safari 18.4, Xcode 16.3, iOS 18.4 and iPadOS 18.4, iPadOS 17.7.6, iOS 16.7.11 and iPadOS 16.7.11, iOS 15.8.4 and iPadOS 15.8.4, macOS Sequoia 15.4, macOS Sonoma 14.7.5, macOS Ventura 13.7.5, tvOS 18.4, visionOS 2.4 --------------------------------------------- https://support.apple.com/en-us/100100 ∗∗∗ CVE-2025-22398: Dell Unity Hit by 9.8 CVSS Root-Level Command Injection Flaw ∗∗∗ --------------------------------------------- Dell has released a security update for Unity OS version 5.4 and earlier, addressing a set of critical vulnerabilities that expose the popular enterprise storage systems—Unity, UnityVSA, and Unity XT—to unauthenticated remote command execution, file deletion, open redirects, and privilege escalation. --------------------------------------------- https://securityonline.info/cve-2025-22398-dell-unity-hit-by-9-8-cvss-root-… ∗∗∗ Websites kompromittierbar: Lücken in WordPress-Plug-in WP Ultimate CSV Importer ∗∗∗ --------------------------------------------- In einem Bericht warnen Sicherheitsforscher von Wordfence vor zwei Schwachstellen (CVE-2025-2007 "hoch", CVE-2025-2008 "hoch"). In beiden Fällen können entfernte Angreifer aufgrund unzureichender Überprüfungen Schadcode auf Websites laden und ausführen. Dafür müssen sie aber bereits authentifiziert sein (Subscriber-Level). [..] Ein Sicherheitspatch steht zum Download. --------------------------------------------- https://www.heise.de/news/Websites-kompromittierbar-Luecken-in-WordPress-Pl… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (freetype, grub2, kernel, kernel-rt, and python-jinja2), Debian (freetype, linux-6.1, suricata, tzdata, and varnish), Fedora (mingw-libxslt and qgis), Mageia (elfutils, mercurial, and zvbi), Oracle (grafana, kernel, libxslt, nginx:1.22, and postgresql:12), Red Hat (opentelemetry-collector), SUSE (corosync, opera, and restic), and Ubuntu (aom, libtar, mariadb, ovn, php7.4, php8.1, php8.3, rabbitmq-server, and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/1016076/ ∗∗∗ Reparierter Sicherheitspatch schließt Schadcode-Lücke in IBM App Connect ∗∗∗ --------------------------------------------- Die Schwachstelle (CVE-2025-1302 "kritisch") betrifft das jsonpath-plus-Modul zum Verarbeiten von JSON-Konfigurationen. [..] Das wurde schon mal gepatcht, das Sicherheitsupdate war aber unvollständig. Nun haben die Entwickler einen reparierten Patch veröffentlicht. --------------------------------------------- https://heise.de/-10335184 ∗∗∗ Mozilla: Security Vulnerabilities fixed in Thunderbird ESR 128.9 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-24/ ∗∗∗ Mozilla: Security Vulnerabilities fixed in Thunderbird 137 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-23/ ∗∗∗ Mozilla: Security Vulnerabilities fixed in Firefox ESR 128.9 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-22/ ∗∗∗ Mozilla: Security Vulnerabilities fixed in Firefox ESR 115.22 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-21/ ∗∗∗ Mozilla: Security Vulnerabilities fixed in Firefox 137 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-20/ ∗∗∗ Canon CVE-2025-1268 Vulnerability: A Buffer Overflow Threatening Printer Security ∗∗∗ --------------------------------------------- https://thecyberexpress.com/canon-printer-vulnerability-cve-2025-1268/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 31.03.2025
by Daily end-of-shift report 31 Mar '25

31 Mar '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 28-03-2025 18:00 − Montag 31-03-2025 18:00 Handler: Felician Fuchs Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ New Crocodilus malware steals Android users’ crypto wallet keys ∗∗∗ --------------------------------------------- A newly discovered Android malware dubbed Crocodilus tricks users into providing the seed phrase for the cryptocurrency wallet using a warning to back up the key to avoid losing access. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-crocodilus-malware-steal… ∗∗∗ Smoked out - Emmenhtal spreads SmokeLoader malware ∗∗∗ --------------------------------------------- We observed a malicious campaign targeting First Ukrainian International Bank (pumb[.]ua) and noticed the usage of a stealthy malware loader known as Emmenhtal [..] also referred to by Google as Peaklight. --------------------------------------------- https://feeds.feedblitz.com/~/915916022/0/gdatasecurityblog-en~Smoked-out-E… ∗∗∗ Hidden Malware Strikes Again: Mu-Plugins Under Attack ∗∗∗ --------------------------------------------- Recently, we’ve uncovered multiple cases where threat actors are leveraging the mu-plugins directory to hide malicious code. This approach represents a concerning trend, as the mu-plugins (Must-Use plugins) are not listed in the standard WordPress plugin interface, making them less noticeable and easier for users to ignore during routine security checks. --------------------------------------------- https://blog.sucuri.net/2025/03/hidden-malware-strikes-again-mu-plugins-und… ∗∗∗ BlackLock Ransomware Exposed After Researchers Exploit Leak Site Vulnerability ∗∗∗ --------------------------------------------- In whats an instance of hacking the hackers, threat hunters have managed to infiltrate the online infrastructure associated with a ransomware group called BlackLock, uncovering crucial information about their modus operandi in the process. --------------------------------------------- https://thehackernews.com/2025/03/blacklock-ransomware-exposed-after.html ∗∗∗ BSI-Studie: Zahlreiche Schwachstellen in Krankenhausinformationssystemen ∗∗∗ --------------------------------------------- IT-Sicherheitsforscher haben im BSI-Auftrag IT-Systemen für Kliniken auf den Zahn gefühlt und Lücken gefunden, etwa bei Verschlüsselung und Zertifikaten. --------------------------------------------- https://www.heise.de/news/BSI-Studie-Zahlreiche-Schwachstellen-in-Krankenha… ∗∗∗ Backdoor in the Backplane. Doing IPMI security better ∗∗∗ --------------------------------------------- IPMI remains a powerful but dangerously overlooked protocols in many enterprise environments. Whilst its ability to manage out of band systems is invaluable, there are significant security trade-offs – especially when outdated firmware, default credentials, and exposed interfaces are in play. As demonstrated, IPMI can lead, or aid, in a malicious actor compromising the full domain with little more than network access. --------------------------------------------- https://www.pentestpartners.com/security-blog/backdoor-in-the-backplane-doi… ∗∗∗ Preparing for the EU Radio Equipment Directive security requirements ∗∗∗ --------------------------------------------- UK & EU IoT manufacturers have more security regulation coming. [..] From 1st August 2025, mandatory cybersecurity requirements come into effect under the EU’s Radio Equipment Directive (2014/53/EU), or RED. --------------------------------------------- https://www.pentestpartners.com/security-blog/preparing-for-the-eu-radio-eq… ∗∗∗ Oracle Health gehackt, US-Patientendaten abgeflossen ∗∗∗ --------------------------------------------- Cyberkriminelle sind laut Berichten nach dem 22. Januar 2025 in die Server des US-Tech-Unternehmens Cerner Oracle Health eingedrungen. Es besteht der Verdacht, dass Patientendaten von US-Bürgern abgezogen wurden. Das FBI untersucht den Vorfall, der Fragen nach der Sicherheit bei Oracle aufkommen lässt. Denn es ist der zweite Sicherheitsvorfall binnen weniger Tage, der bekannt wird. --------------------------------------------- https://www.borncity.com/blog/2025/03/30/oracle-health-gehackt-us-patienten… ∗∗∗ SVG Phishing Malware Being Distributed with Analysis Obstruction Feature ∗∗∗ --------------------------------------------- AhnLab SEcurity intelligence Center (ASEC) recently identified a phishing malware being distributed in Scalable Vector Graphics (SVG) format. --------------------------------------------- https://asec.ahnlab.com/en/87078/ ∗∗∗ Oracle attempt to hide serious cybersecurity incident from customers in Oracle SaaS service ∗∗∗ --------------------------------------------- Being a provider of cloud SaaS (Software-as-a-service) solutions requires certain cybersecurity responsibilities — including being transparent and open. The moment where this is tested at Oracle has arrived, as they have a serious cybersecurity incident playing out in a service they manage for customers. --------------------------------------------- https://doublepulsar.com/oracle-attempt-to-hide-serious-cybersecurity-incid… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (amd64-microcode, flatpak, intel-microcode, libdata-entropy-perl, librabbitmq, and vim), Fedora (augeas, containerd, crosswords-puzzle-sets-xword-dl, libssh2, libxml2, nodejs-nodemon, and webkitgtk), Red Hat (libreoffice and python-jinja2), SUSE (389-ds, apparmor, corosync, docker, docker-stable, erlang26, exim, ffmpeg-4, govulncheck-vulndb, istioctl, matrix-synapse, mercurial, openvpn, python3, rke2, and skopeo), and Ubuntu (ansible, linux, linux-hwe-5.4, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-ibm, linux-kvm, linux-oracle, linux-oracle-5.4, linux-xilinx-zynqmp, linux-azure-fips, linux-gcp-fips, linux-fips, linux-fips, linux-aws-fips, linux-azure-fips, linux-gcp-fips, linux-nvidia-tegra, linux-nvidia-tegra-igx, linux-realtime, linux-intel-iot-realtime, linux-xilinx-zynqmp, opensc, and ruby-doorkeeper). --------------------------------------------- https://lwn.net/Articles/1015968/ ∗∗∗ IBM InfoSphere Information Server: Unbefugte Zugriffe möglich ∗∗∗ --------------------------------------------- Die Datenintegrationsplattform IBM InfoSphere Information Server ist verwundbar. Die Entwickler haben mehrere Sicherheitslücken geschlossen. --------------------------------------------- https://www.heise.de/news/IBM-InfoSphere-Information-Server-Unbefugte-Zugri… ∗∗∗ ZendTo NDay Vulnerability Hunting - Unauthenticated RCE in v5.24-3 <= v6.10-4 ∗∗∗ --------------------------------------------- Discovering NDay flaws in ZendTo filesharing software highlighted an interesting fact: without the issuance of CVEs, vulnerabilities can easily go unpatched. --------------------------------------------- https://projectblack.io/blog/zendto-nday-vulnerabilities/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.03.2025
by Daily end-of-shift report 28 Mar '25

28 Mar '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 27-03-2025 18:00 − Freitag 28-03-2025 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Phishing-as-a-service operation uses DNS-over-HTTPS for evasion ∗∗∗ --------------------------------------------- A newly discovered phishing-as-a-service (PhaaS) operation that researchers call Morphing Meerkat, has been using the DNS over HTTPS (DoH) protocol to evade detection. -------------------------------------------- https://www.bleepingcomputer.com/news/security/phishing-as-a-service-operat… ∗∗∗ Notfallupdate: Kritische Sandbox-Lücke in Firefox und Tor-Browser entdeckt ∗∗∗ --------------------------------------------- Nicht nur Chrome-Nutzer sollten dieser Tage ihren Browser updaten. Eine aktiv ausgenutzte Sicherheitslücke betrifft auch die Windows-Version von Firefox. --------------------------------------------- https://www.golem.de/news/notfallupdate-kritische-sandbox-luecke-in-firefox… ∗∗∗ Stealing user credentials with evilginx ∗∗∗ --------------------------------------------- A malevolent mutation of the widely used nginx web server facilitates Adversary-in-the-Middle action, but there's hope. --------------------------------------------- https://news.sophos.com/en-us/2025/03/28/stealing-user-credentials-with-evi… ∗∗∗ Quick Guide to Magento Security Patches ∗∗∗ --------------------------------------------- Magento remains a popular ecommerce platform in 2025 and its security patches play a vital role in addressing vulnerabilities that could otherwise be exploited by attackers. These patches help prevent issues like data breaches, website defacement, or unauthorized access, ensuring the safety of customer data and store operations. Given the platform’s .. --------------------------------------------- https://blog.sucuri.net/2025/03/quick-guide-to-magento-security-patches.html ∗∗∗ China’s FamousSparrow flies back into action, breaches US org after years off the radar ∗∗∗ --------------------------------------------- Crew also cooked up two fresh SparrowDoor backdoor variants, says ESET The China-aligned FamousSparrow crew has resurfaced after a long period of presumed inactivity, compromising a US financial-sector trade group and a Mexican research institute. The gang also likely targeted a governmental institution in Honduras, along with other yet-to-be-identified victims. --------------------------------------------- https://www.theregister.com/2025/03/27/china_famoussparrow_back/ ∗∗∗ Storage-Appliances: Dell schließt unzählige Sicherheitslücken in Unity-Serien ∗∗∗ --------------------------------------------- Die Dell-Entwickler haben unter anderem eine 19 Jahre alte Schwachstelle in diversen Unity-Modellen geschlossen. --------------------------------------------- https://www.heise.de/news/Storage-Appliances-Dell-schliesst-unzaehlige-Sich… ∗∗∗ New security requirements adopted by HTTPS certificate industry ∗∗∗ --------------------------------------------- The Chrome Root Program launched in 2022 as part of Google’s ongoing commitment to upholding secure and reliable network connections in Chrome. We previously described how the Chrome Root Program keeps users safe, and described how the program is focused on promoting technologies and practices that strengthen the underlying .. --------------------------------------------- http://security.googleblog.com/2025/03/new-security-requirements-adopted-by… ∗∗∗ Money Laundering 101, and why Joe is worried ∗∗∗ --------------------------------------------- In this blog post, Joe covers the very basics of money laundering, how it facilitates ransomware cartels, and what the regulatory future holds for cybercrime. --------------------------------------------- https://blog.talosintelligence.com/money-laundering-101-and-why-joe-is-worr… ∗∗∗ Gamaredon campaign abuses LNK files to distribute Remcos backdoor ∗∗∗ --------------------------------------------- Cisco Talos is actively tracking an ongoing campaign, targeting users in Ukraine with malicious LNK files which run a PowerShell downloader since at least November 2024. --------------------------------------------- https://blog.talosintelligence.com/gamaredon-campaign-distribute-remcos/ ∗∗∗ Obfuscation 101: Unmasking the Tricks Behind Malicious Code ∗∗∗ --------------------------------------------- “The malicious package was right in front of our eyes, but we didnt see it until it was too late.”Attackers frequently rely on obfuscation—the technique of deliberately making source code confusing and unreadable—to sneak malicious payloads past security defenses and code reviewers alike. Understanding these obfuscation techniques across .. --------------------------------------------- https://socket.dev/blog/obfuscation-101-the-tricks-behind-malicious-code ∗∗∗ NVD Concedes Inability to Keep Pace with Surging CVE Disclosures in 2025 ∗∗∗ --------------------------------------------- The National Vulnerability Database (NVD) issued a new status update on March 19, attempting to clarify the current state of its vulnerability processing pipeline. The agency says it has resumed processing new CVEs at the same rate it maintained before last year’s slowdown, but with vulnerability volumes surging, that’s no longer enough.We are currently .. --------------------------------------------- https://socket.dev/blog/nvd-backlog-crisis-deepens-amid-surging-cve-disclos… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (mercurial and opensaml), Fedora (augeas, mingw-libxslt, and nodejs-nodemon), Mageia (chromium-browser-stable), Red Hat (grafana, kernel, kernel-rt, opentelemetry-collector, and podman), SUSE (apache-commons-vfs2, python3, and python36), and Ubuntu (ghostscript, linux, linux-aws, linux-azure, linux-gcp, linux-gke, linux-gkeop, linux-ibm, linux-intel-iotg, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, .. --------------------------------------------- https://lwn.net/Articles/1015718/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.03.2025
by Daily end-of-shift report 27 Mar '25

27 Mar '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 26-03-2025 18:00 − Donnerstag 27-03-2025 18:00 Handler: Felician Fuchs Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Dozens of solar inverter flaws could be exploited to attack power grids ∗∗∗ --------------------------------------------- Dozens of vulnerabilities in products from three leading makers of solar inverters, Sungrow, Growatt, and SMA, could be exploited to control devices or execute code remotely on the vendors cloud platform. --------------------------------------------- https://www.bleepingcomputer.com/news/security/dozens-of-solar-inverter-fla… ∗∗∗ Cybercrime-Tool Atlantis AIO soll automatisierte Passwort-Attacken optimieren ∗∗∗ --------------------------------------------- Dahinter stecken organisierte Profi-Verbrecher, die ihre Werkzeuge im Darknet mit Werbeanzeigen und Support anpreisen. So auch im Fall des jüngst von Sicherheitsforschern entdeckten Tools Atlantis AIO. --------------------------------------------- https://www.heise.de/news/Cybercrime-Tool-Atlantis-AIO-soll-automatisierte-… ∗∗∗ Abonnement gekündigt? Achtung: Phishing-Versuch mit Disney+! ∗∗∗ --------------------------------------------- Mit einer angeblich von Disney+ stammenden E-Mail versuchen Kriminelle ihre Opfer auf eine Fake-Loginseite zu locken. Dort fragen sie die Anmeldeinformationen des Abos und Kreditkartendaten ab. Woran Sie den Phishing-Versuch ganz einfach erkennen können, zeigen wir Ihnen hier. --------------------------------------------- https://www.watchlist-internet.at/news/phishing-versuch-disney/ ===================== = Vulnerabilities = ===================== ∗∗∗ Backuplösung SnapCenter: Angreifer können als Admin Systeme übernehmen ∗∗∗ --------------------------------------------- Die Backupsoftware SnapCenter ist verwundbar und Angreifer können sich durch das erfolgreiche Ausnutzen einer „kritischen“ Sicherheitslücke Admin-Rechte verschaffen. In einem Beitrag zur Schwachstelle (CVE-2025-26512) führen die Entwickler aus, die Versionen 6.0.1P1 und 6.1P1 repariert zu haben. Alle vorigen Ausgaben sind attackierbar. --------------------------------------------- https://www.heise.de/news/Backuploesung-SnapCenter-Angreifer-koennen-als-Ad… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (exim), Debian (exim4, ghostscript, and libcap2), Red Hat (container-tools:rhel8), SUSE (apache-commons-vfs2, argocd-cli, azure-cli-core, buildah, chromedriver, docker-stable, ed25519-java, kernel, kubernetes1.29-apiserver, kubernetes1.30-apiserver, kubernetes1.32-apiserver, libmbedcrypto7, microcode_ctl, php7, podman, proftpd, tomcat10, and webkit2gtk3), and Ubuntu (containerd, exim4, mariadb, opensaml, and org-mode). --------------------------------------------- https://lwn.net/Articles/1015589/ ∗∗∗ Security Vulnerability fixed in Firefox 136.0.4, Firefox ESR 128.8.1, Firefox ESR 115.21.1 ∗∗∗ --------------------------------------------- Following the sandbox escape in CVE-2025-2783, various Firefox developers identified a similar pattern in our IPC code. Attackers were able to confuse the parent process into leaking handles to unprivileged child processes leading to a sandbox escape. The original vulnerability was being exploited in the wild. This only affects Firefox on Windows. Other operating systems are unaffected. --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-19/ ∗∗∗ Splunk: Teils hochriskante Sicherheitslecks in mehreren Produkten ∗∗∗ --------------------------------------------- Splunk hat eine Reihe an Sicherheitslücken in mehreren Produkten gemeldet. Aktualisierte Software-Pakete stehen zum Herunterladen bereit, mit denen Admins diese Sicherheitslecks stopfen können. --------------------------------------------- https://heise.de/-10330630 ∗∗∗ DSA-5888-1 ghostscript - security update ∗∗∗ --------------------------------------------- https://lists.debian.org/debian-security-announce/2025/msg00050.html ∗∗∗ ABB: Cyber Security Advisory - ABB Low Voltage DC Drives and Power Controllers CODESYS RTS Vulnerabilities ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=9AKK108470A9494&Lan… ∗∗∗ ABB: Cyber Security Advisory - ABB ACS880 +N8010 Drives CODESYS RTS Vulnerabilities ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=9AKK108470A9491&Lan… ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (March 17, 2025 to March 23, 2025) ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2025/03/wordfence-intelligence-weekly-wordpr… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.03.2025
by Daily end-of-shift report 26 Mar '25

26 Mar '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 25-03-2025 18:00 − Mittwoch 26-03-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: Felician Fuchs ===================== = News = ===================== ∗∗∗ New npm attack poisons local packages with backdoors ∗∗∗ --------------------------------------------- Two malicious packages were discovered on npm (Node package manager) that covertly patch legitimate, locally installed packages to inject a persistent reverse shell backdoor. This way, even if the victim removes the malicious packages, the backdoor remains on their system. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-npm-attack-poisons-local… ∗∗∗ NCSC taps influencers to make 2FA go viral ∗∗∗ --------------------------------------------- The world's biggest brands have benefited from influencer marketing for years – now the UK's National Cyber Security Centre (NCSC) has hopped on the bandwagon to preach two-factor authentication (2FA) to the masses. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/03/26/ncsc_influen… ∗∗∗ CoffeeLoader: A Brew of Stealthy Techniques ∗∗∗ --------------------------------------------- Zscaler ThreatLabz has identified a new sophisticated malware family that we named CoffeeLoader, which originated around September 2024. The purpose of the malware is to download and execute second-stage payloads while evading detection by endpoint-based security products. The malware uses numerous techniques to bypass security solutions, including a specialized packer that utilizes the GPU, call stack spoofing, sleep obfuscation, and the use of Windows fibers. --------------------------------------------- https://www.zscaler.com/blogs/security-research/coffeeloader-brew-stealthy-… ∗∗∗ Have I Been Pwned: Projektbetreiber Troy Hunt gepwned ∗∗∗ --------------------------------------------- Troy Hunt, Betreiber des Dienstes Have-I-Been-Pwned (HIBP), wurde Opfer einer Phishing-Attacke und damit selbst "Pwned". Es sind 16.627 E-Mail-Adressen der Mailingliste für den Newsletter zu Troys persönlichen Blog dadurch in unbefugte Hände abgeflossen. In einem Blog-Beitrag erklärt Hunt, wie es zu dem Vorfall kommen konnte. --------------------------------------------- https://heise.de/-10328970 ===================== = Vulnerabilities = ===================== ∗∗∗ Kritische Sicherheitslücken in Kubernetes Ingress NGINX Controller - Updates verfügbar ∗∗∗ --------------------------------------------- Im Kubernetes Ingress NGINX Controller, einer Kernkomponente von Kubernetes, wurden mehrere kritische Sicherheitslücken entdeckt. Diese ermöglichen unter anderem unauthentifizierte Remote Code Execution (RCE) und unberechtigten Zugriff auf Secrets. --------------------------------------------- https://www.cert.at/de/warnungen/2025/3/kubernetes-ingress-nginx-controller… ∗∗∗ Dringend patchen: Gefährliche Zero-Day-Lücke in Chrome für Spionage ausgenutzt ∗∗∗ --------------------------------------------- Nachdem Google in seinem Webbrowser Chrome erst in der vergangenen Woche eine kritische Sicherheitslücke geschlossen hatte, legt der Konzern jetzt nochmal nach. Mit einem am Dienstag veröffentlichten Update beseitigt Google eine Schwachstelle, die bereits im Rahmen gezielter Spionageangriffe aktiv ausgenutzt wird. [..] Die Ausnutzung der als CVE-2025-2783 registrierten Chrome-Lücke wurde Mitte März von Sicherheitsforschern von Kaspersky entdeckt. [..] Den Angaben zufolge lässt sich die Sicherheitslücke durch speziell präparierte Webseiten ausnutzen, die die jeweilige Zielperson lediglich aufrufen muss. [..] Einen Bericht mit weiteren technischen Details wollen die Sicherheitsforscher zu einem späteren Zeitpunkt veröffentlichen. --------------------------------------------- https://www.golem.de/news/dringend-patchen-gefaehrliche-zero-day-luecke-in-… ∗∗∗ VMware Tools ermöglichen Rechteausweitung in VMs ∗∗∗ --------------------------------------------- In der Sicherheitsmitteilung von Broadcom erörtern die Autoren, dass aufgrund unzureichender Zugriffskontrollen die Umgehung der Authentifizierung möglich ist (CVE-2025-22230, CVSS 7.8, Risiko "hoch"). Bösartige Akteure mit nicht-administrativen Rechten in einem Windows-Gastsystem können dadurch Operationen, die höhere Zugriffsrechte benötigen, ausführen. --------------------------------------------- https://www.heise.de/-10328819 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (nginx and ruby-rack), Fedora (expat and libxslt), Mageia (bluez, dcmtk, ffmpeg, and radare2), Red Hat (container-tools:rhel8, gvisor-tap-vsock, kernel, kernel-rt, libreoffice, and podman), SUSE (buildah, forgejo, gitleaks, google-guest-agent, google-osconfig-agent, govulncheck-vulndb, grafana, helm, libxslt, php8, python-gunicorn, and python-Jinja2), and Ubuntu (freerdp2 and varnish). --------------------------------------------- https://lwn.net/Articles/1015464/ ∗∗∗ MISP v2.4.206 and v2.5.8 Released - new workflow modules, improved graph object relationship management and many other improvements ∗∗∗ --------------------------------------------- [security] Fixed stored XSS in event reports (mermaid rendering function). --------------------------------------------- https://github.com/MISP/MISP/releases/tag/v2.5.8 ∗∗∗ ZDI-25-181: (0Day) Arista NG Firewall User-Agent Cross-Site Scripting Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Arista NG Firewall. Minimal user interaction is required to exploit this vulnerability. CVE-2025-2767 --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-181/ ∗∗∗ Huawei: Security Advisory - Authentication Bypass Vulnerability in Huawei PC Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2025/huawei-sa-20250325-… ∗∗∗ ZDI-25-180: (0Day) 70mai A510 Use of Default Password Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-180/ ∗∗∗ ZDI-25-178: (0Day) CarlinKit CPC200-CCPA update.cgi Improper Verification of Cryptographic Signature Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-178/ ∗∗∗ Inaba Denki Sangyo CHOCO TEI WATCHER mini ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-084-04 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.03.2025
by Daily end-of-shift report 25 Mar '25

25 Mar '25

===================== = End-of-Day report = ===================== Timeframe: Montag 24-03-2025 18:00 − Dienstag 25-03-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: Felician Fuchs ===================== = News = ===================== ∗∗∗ Browser-in-the-Browser attacks target CS2 players Steam accounts ∗∗∗ --------------------------------------------- A new phishing campaign targets Counter-Strike 2 players utilizing Browser-in-the-Browser (BitB) attacks that display a realistic window that mimics Steams login page. --------------------------------------------- https://www.bleepingcomputer.com/news/security/browser-in-the-browser-attac… ∗∗∗ Open-sourcing OpenPubkey SSH (OPKSSH): integrating single sign-on with SSH ∗∗∗ --------------------------------------------- OPKSSH (OpenPubkey SSH) is now open-sourced as part of the OpenPubkey project. --------------------------------------------- https://blog.cloudflare.com/open-sourcing-openpubkey-ssh-opkssh-integrating… ∗∗∗ Zero Day: Russische Firma zahlt für Telegram-Lücken Millionen ∗∗∗ --------------------------------------------- Die stetig wachsende Nutzerbasis macht die Plattform auch für Cyberangriffe immer interessanter. Aus diesem Grund bietet der russische Schwachstellenhändler Operation Zero mittlerweile bis zu vier Millionen US-Dollar für ungepatchte Sicherheitslücken in Telegram. --------------------------------------------- https://www.golem.de/news/zero-day-russische-firma-zahlt-millionen-fuer-tel… ∗∗∗ Achtung: Phishing-Mails im Namen des Wiener Tourismusverbands! ∗∗∗ --------------------------------------------- Aktuell kursieren E-Mails im Namen der Buchhaltung, die dazu auffordern, Rechnungen aufgrund technischer Probleme direkt per E-Mail zu senden. Vorsicht: Diese E-Mails stammen nicht von Mitarbeitenden des Wiener Tourismusverband sondern von Kriminellen! --------------------------------------------- https://www.watchlist-internet.at/news/achtung-phishing-mails-im-namen-des-… ∗∗∗ Oracle angeblich gehackt: Nutzerdaten im Darknet zum Verkauf ∗∗∗ --------------------------------------------- Sicherheitsforscher von CloudSEK berichten, dass im Darknet sensible Daten von rund 140.000 Oracle-Kunden zum Verkauf stehen. Diese Informationen sollen aus einer Cyberattacke stammen. Dem Hard- und Softwarehersteller zufolge hat es keinen IT-Sicherheitsvorfall gegeben. --------------------------------------------- https://heise.de/-10327980 ∗∗∗ US-Behörde stoppt Gelder für Lets Encrypt und Tor ‒ Open Tech Fund wehrt sich ∗∗∗ --------------------------------------------- Nach einem Dekret von US-Präsident Trump erhält der Open Technology Fund keine Fördermittel mehr. Deswegen zieht die Organisation jetzt vor Gericht. --------------------------------------------- https://heise.de/-10328226 ∗∗∗ Fake Hiring Challenge for Developers Steals Sensitive Data ∗∗∗ --------------------------------------------- Cyble threat intelligence researchers have uncovered a GitHub repository masquerading as a hiring coding challenge that tricks developers into downloading a backdoor to steal sensitive data. [..] There is evidence that the campaign may be expanding beyond a fake hiring challenge for developers, as Cyble Research and Intelligence Labs (CRIL) researchers also found invoice-themed lures. --------------------------------------------- https://thecyberexpress.com/fake-hiring-challenge-targets-developers/ ===================== = Vulnerabilities = ===================== ∗∗∗ Notable vulnerabilities in Next.js (CVE-2025-29927) and CrushFTP ∗∗∗ --------------------------------------------- On Friday, March 21, 2025, file transfer software maker CrushFTP disclosed a new vulnerability to customers via email. While the email [...] indicates only CrushFTP v11 is affected by the still-CVE-less (as of March 25) unauthenticated port access vulnerability, the extremely sparse vendor advisory indicates that both CrushFTP v10 and v11 are affected. According to the vendor, the issue is not exploitable if customers have the DMZ function of CrushFTP in place. --------------------------------------------- https://www.rapid7.com/blog/post/2025/03/25/etr-notable-vulnerabilities-in-… ∗∗∗ RCE Vulnerabilities in k8s Ingress NGINX (9.8 CVE for ingress-nginx) ∗∗∗ --------------------------------------------- Wiz Research discovered CVE-2025-1097, CVE-2025-1098, CVE-2025-24514 and CVE-2025-1974, a series of unauthenticated Remote Code Execution vulnerabilities in Ingress NGINX Controller for Kubernetes dubbed #IngressNightmare. Exploitation of these vulnerabilities leads to unauthorized access to all secrets stored across all namespaces in the Kubernetes cluster by attackers, which can result in cluster takeover. --------------------------------------------- https://www.wiz.io/blog/ingress-nginx-kubernetes-vulnerabilities ∗∗∗ Kubernetes: CVE-2025-1974 ∗∗∗ --------------------------------------------- https://github.com/kubernetes/kubernetes/issues/131009 ∗∗∗ Kubernetes: CVE-2025-1098 ∗∗∗ --------------------------------------------- https://github.com/kubernetes/kubernetes/issues/131008 ∗∗∗ Kubernetes: CVE-2025-1097 ∗∗∗ --------------------------------------------- https://github.com/kubernetes/kubernetes/issues/131007 ∗∗∗ Kubernetes: CVE-2025-24514 ∗∗∗ --------------------------------------------- https://github.com/kubernetes/kubernetes/issues/131006 ∗∗∗ Kubernetes: CVE-2025-24513 ∗∗∗ --------------------------------------------- https://github.com/kubernetes/kubernetes/issues/131005 ∗∗∗ Micropatches released for SCF File NTLM Hash Disclosure Vulnerability (0day) - and Free Micropatches for it ∗∗∗ --------------------------------------------- https://blog.0patch.com/2025/03/scf-file-ntlm-hash-disclosure.html ∗∗∗ Rockwell Automation 440G TLS-Z ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-084-03 ∗∗∗ Rockwell Automation Verve Asset Manager ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-084-02 ∗∗∗ ABB RMC-100 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-084-01 ∗∗∗ Inaba Denki Sangyo CHOCO TEI WATCHER Mini ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-084-04 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.03.2025
by Daily end-of-shift report 24 Mar '25

24 Mar '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 21-03-2025 18:00 − Montag 24-03-2025 18:00 Handler: Felician Fuchs Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ FBI warnings are true—fake file converters do push malware ∗∗∗ --------------------------------------------- The FBI is warning that fake online document converters are being used to steal peoples information and, in worst-case scenarios, lead to ransomware attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fbi-warnings-are-true-fake-f… ∗∗∗ Cloudflare now blocks all unencrypted traffic to its API endpoints ∗∗∗ --------------------------------------------- Cloudflare announced that it closed all HTTP connections and it is now accepting only secure, HTTPS connections for api.cloudflare.com. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cloudflare-now-blocks-all-un… ∗∗∗ Trusted Signing: Hacker signieren Windows-Malware über Microsoft-Plattform ∗∗∗ --------------------------------------------- Forscher haben Malware entdeckt, die über Microsofts neue Trusted-Signing-Plattform signiert wurde. Windows-Systeme lassen sich damit leichter infizieren. --------------------------------------------- https://www.golem.de/news/trusted-signing-microsoft-dienst-zum-signieren-vo… ∗∗∗ Coinbase Initially Targeted in GitHub Actions Supply Chain Attack; 218 Repositories CI/CD Secrets Exposed ∗∗∗ --------------------------------------------- The supply chain attack involving the GitHub Action "tj-actions/changed-files" started as a highly-targeted attack against one of Coinbases open-source projects, before evolving into something more widespread in scope."The payload was focused on .. --------------------------------------------- https://thehackernews.com/2025/03/github-supply-chain-breach-coinbase.html ∗∗∗ Critical Next.js Vulnerability Allows Attackers to Bypass Middleware Authorization Checks ∗∗∗ --------------------------------------------- A critical security flaw has been disclosed in the Next.js React framework that could be potentially exploited to bypass authorization checks under certain conditions.The vulnerability, tracked as CVE-2025-29927, carries a CVSS score of 9.1 .. --------------------------------------------- https://thehackernews.com/2025/03/critical-nextjs-vulnerability-allows.html ∗∗∗ Oracle Cloud says its not true someone broke into its login servers and stole data ∗∗∗ --------------------------------------------- Despite evidence to the contrary as alleged pilfered info goes on sale Oracle has straight up denied claims by a miscreant that its public cloud offering has been compromised and information stolen. --------------------------------------------- https://www.theregister.com/2025/03/23/oracle_cloud_customers_keys_credenti… ∗∗∗ Verfassungsschutz: Deutsche NGOs Ziel von russischen Cyberangriffen ∗∗∗ --------------------------------------------- Das Bundesamt für Verfassungsschutz hat einige zivilgesellschaftliche Organisationen alarmiert, dass sie verstärkt im Fokus russischer Cyberattacken stünden. --------------------------------------------- https://www.heise.de/news/Verfassungsschutz-warnt-NGOs-vor-zunehmenden-russ… ∗∗∗ Google Maps: Falsche Schlüsseldienste und Co. spähen Nutzer aus ∗∗∗ --------------------------------------------- Der Navigationsdienst Google Maps klagt gegen unechte Geschäfte auf seiner Plattform, die Nutzerdaten abschöpften und verkauften. --------------------------------------------- https://heise.de/-10325360 ∗∗∗ How to find Next.js on your network ∗∗∗ --------------------------------------------- On March 22nd, 2025, Next.js disclosed an authentication bypass vulnerability in the middleware layer. Exploitation is trivial and can be achieved by sending an extra HTTP header. For specifics, please see .. --------------------------------------------- https://www.runzero.com/blog/next-js/ ∗∗∗ Next.js Patches Critical Middleware Vulnerability (CVE-2025-29927) ∗∗∗ --------------------------------------------- This weekend, the Next.js team released emergency patches addressing a critical vulnerability (CVE-2025-29927) that allowed attackers to bypass middleware-based security checks, including authentication and .. --------------------------------------------- https://socket.dev/blog/next-js-patches-critical-middleware-vulnerability -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.03.2025
by Daily end-of-shift report 21 Mar '25

21 Mar '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 20-03-2025 18:00 − Freitag 21-03-2025 18:00 Handler: Felician Fuchs Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Angreifer machen sich an Hintertür in Cisco Smart Licensing Utility zu schaffen ∗∗∗ --------------------------------------------- Wie Sicherheitsforscher berichten, fangen Angreifer derzeit an, zwei Schwachstellen in Cisco Smart Licensing Utility auszunutzen. Darüber verschaffen sie sich Zugang mit Adminrechten. Sicherheitspatches sind schon länger verfügbar. [..] Die „kritischen“ Lücken (CVE-2024-20439, CVE-2024-20440) sind seit Anfang September 2024 bekannt. --------------------------------------------- https://heise.de/-10323893 ∗∗∗ VSCode extensions found downloading early-stage ransomware ∗∗∗ --------------------------------------------- Two malicious VSCode Marketplace extensions were found deploying in-development ransomware from a remote server, exposing critical gaps in Microsofts review process. --------------------------------------------- https://www.bleepingcomputer.com/news/security/vscode-extensions-found-down… ∗∗∗ Medusa Ransomware Uses Malicious Driver to Disable Anti-Malware with Stolen Certificates ∗∗∗ --------------------------------------------- The threat actors behind the Medusa ransomware-as-a-service (RaaS) operation have been observed using a malicious driver dubbed ABYSSWORKER as part of a bring your own vulnerable driver (BYOVD) attack designed to disable anti-malware tools. --------------------------------------------- https://thehackernews.com/2025/03/medusa-ransomware-uses-malicious-driver.h… ∗∗∗ How to Avoid US-Based Digital Services—and Why You Might Want To ∗∗∗ --------------------------------------------- Amid growing concerns over Big Tech firms aligning with Trump administration policies, people are starting to move their digital lives to services based overseas. Heres what you need to know. --------------------------------------------- https://www.wired.com/story/trump-era-digital-expat/ ∗∗∗ Fake-Shops wie eu.stanlaystore.com locken mit günstigen Stanley Cups ∗∗∗ --------------------------------------------- Stanley Cups gehören aktuell zu den beliebtesten Thermoskannen auf dem Markt. Leider machen sich auch Kriminelle die hohe Nachfrage zunutze und bieten die trendigen Becher in Fake-Shops an. Wie zum Beispiel die Website eu.stanlaystore.com, die mit unschlagbar günstigen Preisen lockt. --------------------------------------------- https://www.watchlist-internet.at/news/fake-shops-wie-eustanlaystorecom-loc… ∗∗∗ Achtung Phishing: So funktioniert der neue Debitkarten-Betrug ∗∗∗ --------------------------------------------- Kriminelle versenden derzeit vermehrt gefälschte E-Mails im Namen der Erste Bank. Darin wird behauptet, dass Ihre Debitkarte veraltet sei und Sie eine neue Karte beantragen müssen. Mit dieser Betrugsmasche versuchen Kriminelle, an Ihre Debitkarte samt PIN zu gelangen! --------------------------------------------- https://www.watchlist-internet.at/news/achtung-phishing-so-funktioniert-der… ∗∗∗ GitHub Actions Supply Chain Attack: A Targeted Attack on Coinbase Expanded to the Widespread tj-actions/changed-files Incident: Threat Assessment (Updated 3/21) ∗∗∗ --------------------------------------------- Updated March 20: The recent compromise of the GitHub action tj-actions/changed-files and additional actions within the reviewdog organization has captured the attention of the GitHub community, marking another major software supply chain attack. Our team conducted an in-depth investigation into this incident and uncovered many more details about how the attack occurred and its timeline. [..] Our team also discovered that the initial attack targeted Coinbase. The payload was focused on exploiting the public CI/CD flow of one of their open source projects – agentkit, probably with the purpose of leveraging it for further compromises. However, the attacker was not able to use Coinbase secrets or publish packages. --------------------------------------------- https://unit42.paloaltonetworks.com/github-actions-supply-chain-attack/ ∗∗∗ Major web services go dark in Russia amid reported Cloudflare block ∗∗∗ --------------------------------------------- Website outages were observed across Russia this week, with regulators attributing them to issues with foreign servers. Observers said the problems might be tied to Russian government moves to block Cloudflare services. --------------------------------------------- https://therecord.media/russia-websites-dark-reported-cloudflare-block ===================== = Vulnerabilities = ===================== ∗∗∗ Vulnerability in NAKIVO Backup ＆ Replication ∗∗∗ --------------------------------------------- A vulnerability has been discovered in NAKIVO Backup ＆ Replication 10.11.3.86570 and earlier. [..] We have already removed the affected versions from App Center and requested NAKIVO to provide a fixed version as soon as possible. --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-25-08 ∗∗∗ Siemens: SSA-656895 V1.2 (Last Update: 2025-03-20): Open Redirect Vulnerability in Teamcenter ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-656895.html ∗∗∗ [R1] Nessus Agent Version 10.8.3 Fixes One Vulnerability ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2025-02 ∗∗∗ F5: K000150484: Apache Tomcat vulnerability CVE-2025-24813 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000150484 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.03.2025
by Daily end-of-shift report 20 Mar '25

20 Mar '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 19-03-2025 18:00 − Donnerstag 20-03-2025 18:00 Handler: Felician Fuchs Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ HellCat hackers go on a worldwide Jira hacking spree ∗∗∗ --------------------------------------------- Swiss global solutions provider Ascom has confirmed a cyberattack on its IT infrastructure as a hacker group known as Hellcat targets Jira servers worldwide using compromised credentials. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hellcat-hackers-go-on-a-worl… ∗∗∗ Six Governments Likely Use Israeli Paragon Spyware to Hack IM Apps and Harvest Data ∗∗∗ --------------------------------------------- The governments of Australia, Canada, Cyprus, Denmark, Israel, and Singapore are likely customers of spyware developed by Israeli company Paragon Solutions, according to a new report from The Citizen Lab. [..] In these attacks, targets were added to a WhatsApp group, and then sent a PDF document, which is subsequently parsed automatically to trigger the now-patched zero-day vulnerability and load the Graphite spyware. --------------------------------------------- https://thehackernews.com/2025/03/six-governments-likely-use-israeli.html ∗∗∗ Phishing-Versuche im Namen der Oberbank – „Bitte aktualisieren Sie Ihre persönlichen Informationen“ ∗∗∗ --------------------------------------------- Mit Fake-SMS-Nachrichten versuchen Kriminelle gerade verstärkt, Opfer auf gefälschte Kundenportale der Oberbank zu leiten. Ziel der Phishing-Attacke sind sensible Bankdaten. Hier erfahren Sie, wie der Betrugsversuch abläuft und wie Sie den Fake erkennen. Außerdem erklären wir, was Sie tun können, falls Sie Ihre persönlichen Informationen bereits an die Betrüger:innen übermittelt haben. --------------------------------------------- https://www.watchlist-internet.at/news/persoenlichen-informationen-phishing… ∗∗∗ Presseaussendung: Fake-Shops, Produktpiraterie und Co. als Bedrohung für den österreichischen Onlinehandel ∗∗∗ --------------------------------------------- Fake-Shops, Markenfälschungen, Produktpiraterie oder Verletzungen des geistigen Eigentums: Die Bedrohungen im E-Commerce sind vielfältig und können für österreichische Unternehmer:innen nicht nur zu finanziellen Verlusten durch betrügerische Konkurrenz führen, sondern auch das Vertrauen der Kund:innen in den Online-Handel als Ganzes untergraben. --------------------------------------------- https://www.watchlist-internet.at/news/presseaussendung-bedrohungen-fuer-de… ∗∗∗ UK sets timeline for country’s transition to quantum-resistant encryption ∗∗∗ --------------------------------------------- The U.K. National Cyber Security Centre issued new guidance to help organizations transition to cryptographic algorithms and protocols that can protect data threatened by quantum computing. --------------------------------------------- https://therecord.media/uk-ncsc-quantum-resistant-algorithms-transition ===================== = Vulnerabilities = ===================== ∗∗∗ WordPress security plugin WP Ghost vulnerable to remote code execution bug ∗∗∗ --------------------------------------------- Popular WordPress security plugin WP Ghost is vulnerable to a critical severity flaw that could allow unauthenticated attackers to remotely execute code and hijack servers. [..] The flaw, tracked as CVE-2025-26909, impacts all versions of WP Ghost up to 5.4.01 and stems from insufficient input validation in the 'showFile()' function. Exploiting the flaw could allow attackers to include arbitrary files via manipulated URL paths. --------------------------------------------- https://www.bleepingcomputer.com/news/security/wordpress-security-plugin-wp… ∗∗∗ Google warnt: Kritische Sicherheitslücke in Chrome gefährdet Nutzer ∗∗∗ --------------------------------------------- Google hat wichtige Sicherheitsupdates für seinen Webbrowser Chrome veröffentlicht. [..] Mit Details zu der als CVE-2025-2476 registrierten Schwachstelle hält sich Google in seiner Versionsankündigung aus Sicherheitsgründen noch zurück. --------------------------------------------- https://www.golem.de/news/google-warnt-kritische-sicherheitsluecke-in-chrom… ∗∗∗ Veeam Backup & Replication RCE-Schwachstelle CVE-2025-23120 ∗∗∗ --------------------------------------------- Nutzer von Veeam Backup & Replication müssen reagieren. Der Anbieter Veeam hat zum 19. März 2025 über eine Remote Code Execution (RCE) Schwachstelle CVE-2025-23120 in verschiedenen Versionen des genannten Produkts informiert. Es gibt Sicherheitsupdates, um diese Schwachstelle zu schließen. --------------------------------------------- https://www.borncity.com/blog/2025/03/19/veeam-backup-replication-rce-schwa… ∗∗∗ ZDI-25-175: (0Day) Luxion KeyShot USDC File Parsing Use-After-Free Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-175/ ∗∗∗ ZDI-25-174: (0Day) Luxion KeyShot DAE File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-174/ ∗∗∗ Schwerwiegende Sicherheitslücken bedrohen Serverbetriebssystem IBM AIX ∗∗∗ --------------------------------------------- https://www.heise.de/news/Schwerwiegende-Sicherheitsluecken-bedrohen-Server… ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2025-0002 ∗∗∗ --------------------------------------------- https://webkitgtk.org/security/WSA-2025-0002.html ∗∗∗ SMA Sunny Portal ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-079-04 ∗∗∗ Santesoft Sante DICOM Viewer Pro ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-079-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.03.2025
by Daily end-of-shift report 19 Mar '25

19 Mar '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 18-03-2025 18:00 − Mittwoch 19-03-2025 18:00 Handler: Alexander Riepl Co-Handler: Felician Fuchs ===================== = News = ===================== ∗∗∗ Malicious Android Vapor apps on Google Play installed 60 million times ∗∗∗ --------------------------------------------- Over 300 malicious Android applications downloaded 60 million items from Google Play acted as adware or attempted to steal credentials and credit card information. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malicious-android-vapor-apps… ∗∗∗ Why its time for phishing prevention to move beyond email ∗∗∗ --------------------------------------------- While phishing has evolved, email security hasnt kept up. Attackers now bypass MFA & detection tools with advanced phishing kits, making credential theft harder to prevent. Learn how Push Securitys browser-based security stops attacks as they happen. --------------------------------------------- https://www.bleepingcomputer.com/news/security/why-its-time-for-phishing-pr… ∗∗∗ iOS-Nutzer gefährdet: Phishing-Lücke in Passwords-App erst nach Monaten gepatcht ∗∗∗ --------------------------------------------- Apples Passwords-App hat Weiterleitungen zur Passwortänderung über unsicheres HTTP abgewickelt. Angreifer hätten auf Phishingseiten umleiten können. --------------------------------------------- https://www.golem.de/news/unsicheres-http-ios-nutzer-durch-phishing-luecke-… ∗∗∗ Malware im Anmarsch: Ungepatchte Windows-Lücke wird seit 8 Jahren ausgenutzt ∗∗∗ --------------------------------------------- Hacker nutzen die Schwachstelle schon mindestens seit 2017 aus. Ein Patch ist bisher nicht in Sicht. Auch Ziele in Deutschland sind bereits attackiert worden. --------------------------------------------- https://www.golem.de/news/malware-im-anmarsch-ungepatchte-windows-luecke-wi… ∗∗∗ Arcane stealer: We want all your data ∗∗∗ --------------------------------------------- The new Arcane stealer spreads via YouTube and Discord, collecting data from many applications, including VPN and gaming clients, network utilities, messaging apps, and browsers. --------------------------------------------- https://securelist.com/arcane-stealer/115919/ ∗∗∗ Announcing OSV-Scanner V2: Vulnerability scanner and remediation tool for open source ∗∗∗ --------------------------------------------- Today, were thrilled to announce the launch of OSV-Scanner V2.0.0, following the announcement of the beta version. This V2 release builds upon the foundation we laid with OSV-SCALIBR and adds significant new capabilities .. --------------------------------------------- https://security.googleblog.com/2025/03/announcing-osv-scanner-v2-vulnerabi… ∗∗∗ Buying browser extensions for fun and profit ∗∗∗ --------------------------------------------- Your browser extensions could be secretly sold to malicious actors without your knowledge. What starts as helpful tools created by passionate developers can transform into dangerous spyware when sold to the highest bidder. As these extensions grow to hundreds of thousands of users, their creators—overwhelmed by maintenance and lacking .. --------------------------------------------- https://secureannex.com/blog/buying-browser-extensions/ ∗∗∗ Which passwords are attackers using against RDP ports right now? ∗∗∗ --------------------------------------------- The Specops research team has been analyzing 15 million passwords being used to attack RDP ports, in live attacks happening against networks right now. Our team have found the ten most common passwords attackers are using and analyzed their wordlists for the most common complexity rules and password lengths. We shared the results of a .. --------------------------------------------- https://specopssoft.com/blog/passwords-used-in-attacking-rdp-ports/ ∗∗∗ AMOS and Lumma stealers actively spread to Reddit users ∗∗∗ --------------------------------------------- Reddit users from trading and crypto subreddits are being lured into installing malware disguised as premium cracked software. --------------------------------------------- https://www.malwarebytes.com/blog/scams/2025/03/amos-and-lumma-stealers-act… ∗∗∗ Website-Kidnapping: So schützen Sie Ihre Website vor Hackingangriffen! ∗∗∗ --------------------------------------------- Immer öfter geraten österreichische Unternehmen ins Visier von Kriminellen, die ihre Website unbemerkt manipulieren, um Kund:innen auf Fake-Shops oder andere illegale Inhalte weiterzuleiten. Besonders gefährdet sind kleine und mittlere Unternehmen (KMU), da sie oft nicht über ausreichende IT-Sicherheitsmaßnahmen verfügen. --------------------------------------------- https://www.watchlist-internet.at/news/website-kidnapping-so-schuetzen-sie-… ∗∗∗ Russland vergiftet KI-Chatbots wie ChatGPT gezielt mit Propaganda ∗∗∗ --------------------------------------------- Rund 3,6 Millionen Artikel des russischen Pravda-Netzwerks sollen in das Trainingsmaterial westlicher KI-Systeme eingeflossen sein. So werden Fake News via KI verbreitet --------------------------------------------- https://www.derstandard.at/story/3000000261876/russland-vergiftet-ki-chatbo… ∗∗∗ The Citizen Lab’s director dissects spyware and the ‘proliferating’ market for it ∗∗∗ --------------------------------------------- In an interview with Recorded Future News, Deibert explained the technical aspects of the Citizen Lab’s methods and how spyware companies continue to evolve to evade detection. --------------------------------------------- https://therecord.media/ron-deibert-citizen-lab-spyware-interview ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-25-149: Adobe Acrobat Reader DC AcroForm Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Adobe Acrobat Reader DC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2025-271561. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-149/ ∗∗∗ ZDI-25-151: Progress Software Kemp LoadMaster mangle Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Progress Software Kemp LoadMaster. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 9.8. The following CVEs are assigned: CVE-2025-1758. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-151/ ∗∗∗ ZDI-25-150: Microsoft Windows MSC File Insufficient UI Warning Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.0. The following CVEs are assigned: CVE-2025-26633. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-150/ ∗∗∗ ZDI-25-172: Apple macOS MOV File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Apple macOS. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 8.8. The following CVEs are assigned: CVE-2025-24124. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-172/ ∗∗∗ Multiple Vulnerabilities in Autodesk AutoCAD and certain AutoCAD-based Products ∗∗∗ --------------------------------------------- Autodesk AutoCAD and certain AutoCAD-based products are affected by multiple vulnerabilities. Exploitation of these vulnerabilities can lead to code execution. Exploitation of these vulnerabilities requires user interaction. --------------------------------------------- https://www.autodesk.com/trust/security-advisories/adsk-sa-2025-0001 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.03.2025
by Daily end-of-shift report 18 Mar '25

18 Mar '25

===================== = End-of-Day report = ===================== Timeframe: Montag 17-03-2025 18:00 − Dienstag 18-03-2025 18:00 Handler: Alexander Riepl Co-Handler: Felician Fuchs ===================== = News = ===================== ∗∗∗ Critical AMI MegaRAC bug can let attackers hijack, brick servers ∗∗∗ --------------------------------------------- A new critical severity vulnerability found in American Megatrends Internationals MegaRAC Baseboard Management Controller (BMC) software can let attackers hijack and potentially brick vulnerable servers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/critical-ami-megarac-bug-can… ∗∗∗ StilachiRAT analysis: From system reconnaissance to cryptocurrency theft ∗∗∗ --------------------------------------------- Microsoft Incident Response uncovered a novel remote access trojan (RAT) named StilachiRAT, which demonstrates sophisticated techniques to evade detection, persist in the target environment, and exfiltrate sensitive data. This blog primarily focuses on analysis of the WWStartupCtrl64.dll module that contains the RAT capabilities and summarizes .. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2025/03/17/stilachirat-analys… ∗∗∗ New ‘Rules File Backdoor’ Attack Lets Hackers Inject Malicious Code via AI Code Editors ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed details of a new supply chain attack vector dubbed Rules File Backdoor that affects artificial intelligence (AI)-powered code editors like GitHub Copilot and Cursor, causing them to inject malicious .. --------------------------------------------- https://thehackernews.com/2025/03/new-rules-file-backdoor-attack-lets.html ∗∗∗ Britische Hintertüren: Verdacht nach Apple auch bei Google ∗∗∗ --------------------------------------------- Britische Überwacher verlangen weltweiten Zugriff auf Apple-Backups. Apple darf das nicht bestätigen und ist damit offenbar kein Einzelfall. --------------------------------------------- https://www.heise.de/news/Auch-Google-kann-britischen-Ueberwachungsbefehl-n… ∗∗∗ FBI-Warnung: Betrügerische Online-Dateikonverter schleusen Trojaner in Dokumente ∗∗∗ --------------------------------------------- Wer kostenlose Onlinedienste zum Umwandeln von etwa Textdateien nutzt, kann sich Malware einfangen. Darauf weist das FBI hin. --------------------------------------------- https://www.heise.de/news/Malwareverteiler-FBI-warnt-vor-betruegerischen-On… ∗∗∗ Bogus ‘DeepSeek’ AI Installers Are Infecting Devices with Malware, Research Finds ∗∗∗ --------------------------------------------- In a digital landscape hungry for the next big thing in Artificial Intelligence, a new contender called DeepSeek recently burst .. --------------------------------------------- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/bogus-deepseek-ai-inst… ∗∗∗ Betrügerisches Gewinnspiel: Abofalle statt günstigem Thermomix! ∗∗∗ --------------------------------------------- Frau S. wünscht sich schon lange einen Thermomix. Bisher schreckte sie jedoch der hohe Preis der Küchenmaschine ab. Umso größer ist ihre Freude, als sie im Internet sieht, dass sie nach der Teilnahme an einer Umfrage den Thermomix für nur zwei Euro erhalten kann. Doch Vorsicht: Statt eines günstigen Thermomix erwartet sie eine teure Abofalle! --------------------------------------------- https://www.watchlist-internet.at/news/betruegerisches-gewinnspiel-abofalle… ∗∗∗ Google-Mutter Alphabet bietet für Cybersecurity-Startup Wiz 30 Milliarden Dollar ∗∗∗ --------------------------------------------- Es wäre die größte Transaktion von Alphabet. Ein Angebot über 23 Milliarden Dollar war im Vorjahr abgelehnt worden --------------------------------------------- https://www.derstandard.at/story/3000000261775/wsj-alphabet-bietet-f252r-cy… ∗∗∗ Crypto exchange OKX shuts down tool used by North Korean hackers to launder stolen funds ∗∗∗ --------------------------------------------- OKX said it detected a coordinated effort by one of North Korea’s most prolific hacking outfits to misuse its decentralized finance (DeFi) services. --------------------------------------------- https://therecord.media/crypto-okx-shuts-down-exchange ∗∗∗ Password reuse is rampant: nearly half of observed user logins are compromised ∗∗∗ --------------------------------------------- Accessing private content online, whether it's checking email or streaming your favorite show, almost always starts with a “login” step. Beneath this everyday task lies a widespread human mistake we still have not resolved: password reuse. Many users recycle passwords across multiple services, creating a ripple effect of risk when their credentials are leaked. --------------------------------------------- https://blog.cloudflare.com/password-reuse-rampant-half-user-logins-comprom… ∗∗∗ Offline PKI using 3 YubiKeys and an ARM single board computer ∗∗∗ --------------------------------------------- An offline PKI enhances security by physically isolating the certificate authority from network threats. A YubiKey is a low-cost solution to store a root certificate. You also need an air-gapped environment to operate the root CA. --------------------------------------------- https://vincent.bernat.ch/en/blog/2025-offline-pki-yubikeys ∗∗∗ Security Risks of Setting Access Control Allow Origin: * ∗∗∗ --------------------------------------------- Wildcard CORS: convenient or careless? What are the ACTUAL scenarios that could lead to a loose CORS policy being exploited? --------------------------------------------- https://projectblack.io/blog/security-risks-of-setting-access-control-allow… ===================== = Vulnerabilities = ===================== ∗∗∗ TYPO3-EXT-SA-2025-003: Multiple vulnerabilities in extension “[clickstorm] SEO” (cs_seo) ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-ext-sa-2025-003 ∗∗∗ TYPO3-EXT-SA-2025-002: Cross-Site Scripting in extension “Additional TCA” (additional_tca) ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-ext-sa-2025-002 ∗∗∗ Varnish Enterprise vulnerability in MSE4 when handling range requests ∗∗∗ --------------------------------------------- https://docs.varnish-software.com/security/VEV00001/ ∗∗∗ HTTP/1 client-side desync vulnerability ∗∗∗ --------------------------------------------- https://docs.varnish-software.com/security/VSV00015/ ∗∗∗ Schneider Electric EcoStruxure Power Automation System ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-077-03 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.03.2025
by Daily end-of-shift report 17 Mar '25

17 Mar '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 14-03-2025 18:00 − Montag 17-03-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Coinbase phishing email tricks users with fake wallet migration ∗∗∗ --------------------------------------------- A large-scale Coinbase phishing attack poses as a mandatory wallet migration, tricking recipients into setting up a new wallet with a pre-generated recovery phrase controlled by attackers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/coinbase-phishing-email-tric… ∗∗∗ Malicious Adobe, DocuSign OAuth apps target Microsoft 365 accounts ∗∗∗ --------------------------------------------- Cybercriminals are promoting malicious Microsoft OAuth apps that masquerade as Adobe and DocuSign apps to deliver malware and steal Microsoft 365 accounts credentials. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malicious-adobe-docusign-oau… ∗∗∗ Mirai Bot now incroporating (malformed?) DrayTek Vigor Router Exploits, (Sun, Mar 16th) ∗∗∗ --------------------------------------------- Last October, Forescout published a report disclosing several vulnerabilities in DrayTek routers. According to Forescount, about 700,000 devices were exposed to these vulnerabilities .. --------------------------------------------- https://isc.sans.edu/diary/Mirai+Bot+now+incroporating+malformed+DrayTek+Vi… ∗∗∗ Credit Card Skimmer and Backdoor on WordPress E-commerce Site ∗∗∗ --------------------------------------------- The battle against e-commerce malware continues to intensify, with attackers deploying increasingly sophisticated tactics. In a recent case at Sucuri, a customer reported suspicious files and unexpected behavior on their WordPress site. Upon deeper analysis, we discovered a complicated infection involving multiple components: a credit card skimmer, a .. --------------------------------------------- https://blog.sucuri.net/2025/03/credit-card-skimmer-and-backdoor-on-wordpre… ∗∗∗ Malicious PyPI Packages Stole Cloud Tokens—Over 14,100 Downloads Before Removal ∗∗∗ --------------------------------------------- Cybersecurity researchers have warned of a malicious campaign targeting users of the Python Package Index (PyPI) repository with bogus libraries masquerading as "time" related utilities, but harboring hidden functionality to steal sensitive data such as .. --------------------------------------------- https://thehackernews.com/2025/03/malicious-pypi-packages-stole-cloud.html ∗∗∗ Microsoft wouldnt look at a bug report without a video. Researcher maliciously complied ∗∗∗ --------------------------------------------- Maddening techno loop, Zoolander reference, and 14 minutes of time wasted A vulnerability analyst and prominent member of the infosec industry has blasted Microsoft for refusing to look at a bug report unless he submitted a video alongside a written explanation. --------------------------------------------- https://www.theregister.com/2025/03/17/microsoft_bug_report_troll/ ∗∗∗ Fake-Sicherheitswarnung: Betrüger versuchen Github-Konten zu kapern ∗∗∗ --------------------------------------------- Sicherheitsforscher berichten über Angriffsversuche auf rund 12.000 Github-Repositories. Dabei wollen Angreifer die volle Kontrolle über Konten erlangen. --------------------------------------------- https://www.heise.de/news/Fake-Sicherheitswarnung-Betrueger-versuchen-Githu… ∗∗∗ ClickFix: How to Infect Your PC in Three Easy Steps ∗∗∗ --------------------------------------------- A clever malware deployment scheme first spotted in targeted attacks last year has now gone mainstream. In this scam, dubbed "ClickFix," the visitor to a hacked or malicious website is asked to distinguish .. --------------------------------------------- https://krebsonsecurity.com/2025/03/clickfix-how-to-infect-your-pc-in-three… ∗∗∗ RCS: Apple und Google einigen sich auf Ende-zu-Ende-verschlüsselte Kommunikation ∗∗∗ --------------------------------------------- Neue Version des SMS-Nachfolgers unterstützt sichere Verschlüsselung, die beiden Branchengrößen wollen das bei Android und iPhone übernehmen --------------------------------------------- https://www.derstandard.at/story/3000000261679/rcs-apple-und-google-einigen… ∗∗∗ Telegram CEO confirms leaving France amid criminal probe ∗∗∗ --------------------------------------------- The Russian-born founder and owner of the messaging app Telegram said he returned to Dubai after spending several months in France due to a criminal investigation related to activity on the app. --------------------------------------------- https://therecord.media/telegram-pavel-durov-leaves-france-amid-probe ∗∗∗ Mora_001 ransomware gang exploiting Fortinet bug spotlighted by CISA in January ∗∗∗ --------------------------------------------- Two vulnerabilities impacting Fortinet products are being exploited by a new ransomware operation with ties to the LockBit ransomware group. --------------------------------------------- https://therecord.media/mora001-ransomware-gang-exploiting-vulnerability-lo… ∗∗∗ Scammers Pose as Cl0p Ransomware to Send Fake Extortion Letters ∗∗∗ --------------------------------------------- Scammers are sending fake extortion and ransom demands while posing as ransomware gangs, including the notorious Cl0p ransomware. --------------------------------------------- https://hackread.com/scammers-pose-cl0p-ransomware-fake-extortion-letters/ ∗∗∗ BitM Up! Session Stealing in Seconds Using the Browser-in-the-Middle Technique ∗∗∗ --------------------------------------------- The Rise of Browser in the Middle (BitM): BitM attacks offer a streamlined approach, allowing attackers to quickly compromise sessions across various web applications.MFA Remains Crucial, But Not Invulnerable: .. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/session-stealing-b… ∗∗∗ Supply Chain Security Risk: GitHub Action tj-actions/changed-files Compromised ∗∗∗ --------------------------------------------- On March 14th, 2025, security researchers discovered a critical software supply chain vulnerability in the widely-used GitHub Action tj-actions/changed-files (CVE-2025-30066). This vulnerability allows remote attackers .. --------------------------------------------- https://blog.aquasec.com/supply-chain-security-threat-github-action-tj-acti… ∗∗∗ Bypassing Authentication Like It’s The ‘90s - Pre-Auth RCE Chain(s) in Kentico Xperience CMS ∗∗∗ --------------------------------------------- I recently joined watchTowr, and it is, therefore, time - time for my first watchTowr Labs blogpost, previously teased in a tweet of a pre-auth RCE chain affecting some ‘unknown software’. Joining the team, I wanted to maintain the trail of destruction left by the watchTowr Labs team, .. --------------------------------------------- https://labs.watchtowr.com/bypassing-authentication-like-its-the-90s-pre-au… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (opensaml and php8.2), Fedora (chromium, ctk, dcmtk, expat, ffmpeg, firefox, fscrypt, gdcm, InsightToolkit, kitty, libssh2, libxml2, linux-firmware, man2html, nextcloud, OpenImageIO, php, podman-tui, python-django, python-django5, python-gunicorn, python-jinja2, python-spotipy, python3.6, qt6-qtwebengine, thunderbird, tigervnc, vim, vyper, xen, xorg-x11-server, and xorg-x11-server-Xwayland), Mageia (freetype2, ghostscript, and man2html), .. --------------------------------------------- https://lwn.net/Articles/1014437/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.03.2025
by Daily end-of-shift report 14 Mar '25

14 Mar '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 13-03-2025 18:00 − Freitag 14-03-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ New SuperBlack ransomware exploits Fortinet auth bypass flaws ∗∗∗ --------------------------------------------- A new ransomware operator named Mora_001 is exploiting two Fortinet vulnerabilities to gain unauthorized access to firewall appliances and deploy a custom ransomware strain dubbed SuperBlack. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-superblack-ransomware-ex… ∗∗∗ Ransomware gang creates tool to automate VPN brute-force attacks ∗∗∗ --------------------------------------------- The Black Basta ransomware operation created an automated brute-forcing framework dubbed BRUTED to breach edge networking devices like firewalls and VPNs. --------------------------------------------- https://www.bleepingcomputer.com/news/security/black-basta-ransomware-creat… ∗∗∗ Jailbreaking is (mostly) simpler than you think ∗∗∗ --------------------------------------------- Today, we are sharing insights on a simple, optimization-free jailbreak method called Context Compliance Attack (CCA), that has proven effective against most leading AI systems. We are disseminating this research to promote awareness and encourage system designers to implement appropriate safeguards. --------------------------------------------- https://msrc.microsoft.com/blog/2025/03/jailbreaking-is-mostly-simpler-than… ∗∗∗ CISA: We didnt fire red teams, we just unhired a bunch of them ∗∗∗ --------------------------------------------- Agency tries to save face as it also pulls essential funding for election security initiatives Uncle Sams cybersecurity agency is trying to save face by seeking to clear up what its calling "inaccurate reporting" after a former senior pen-tester claimed the organization axed two red teams. --------------------------------------------- https://www.theregister.com/2025/03/13/cisa_red_team_layoffs/ ∗∗∗ A New Era of Attacks on Encryption Is Starting to Heat Up ∗∗∗ --------------------------------------------- The UK, France, Sweden, and EU have made fresh attacks on end-to-end encryption. Some of the attacks are more “crude” than those in recent years, experts say. --------------------------------------------- https://www.wired.com/story/a-new-era-of-attacks-on-encryption-is-starting-… ∗∗∗ Fernzugriff: Ivanti Secure Access Client als Einfallstor für Angreifer ∗∗∗ --------------------------------------------- Ein Sicherheitsupdate schließt unter Windows eine Lücke in Ivanti Secure Access Client. --------------------------------------------- https://www.heise.de/news/Fernzugriff-Ivanti-Secure-Access-Client-als-Einfa… ∗∗∗ Off the Beaten Path: Recent Unusual Malware ∗∗∗ --------------------------------------------- Three unusual malware samples analyzed here include an ISS backdoor developed in a rare language, a bootkit and a Windows implant of a post-exploit framework. --------------------------------------------- https://unit42.paloaltonetworks.com/unusual-malware/ ∗∗∗ Ransomware attack takes down health system network in Micronesia ∗∗∗ --------------------------------------------- One of the four states that make up the Pacific nation of Micronesia is battling against ransomware hackers who have forced all of the computers used by its government health agency offline. --------------------------------------------- https://therecord.media/ransomware-attack-micronesia-health-system ∗∗∗ Europes telecoms sector under increased threat from cyber spies, warns Denmark ∗∗∗ --------------------------------------------- State-sponsored cyber espionage is a bigger threat than ever to Europes telecommunications networks, according to a new assessment from Denmarks government. --------------------------------------------- https://therecord.media/europe-increased-cyber-espionage-telecoms-denmark-r… ∗∗∗ Alleged Russian LockBit developer extradited from Israel, appears in New Jersey court ∗∗∗ --------------------------------------------- Rostislav Panev, who was arrested in Israel in August 2024 on U.S. charges related to dozens of LockBit ransomware attacks, has been extradited and appeared in a New Jersey federal court, authorities said. --------------------------------------------- https://therecord.media/lockbit-alleged-russian-developer-extradited-us-isr… ∗∗∗ SocGholish’s Intrusion Techniques Facilitate Distribution of RansomHub Ransomware ∗∗∗ --------------------------------------------- Trend Research analyzed SocGholish’s MaaS framework and its role in deploying RansomHub ransomware through compromised websites, using highly obfuscated JavaScript loaders to evade detection and execute various malicious tasks. --------------------------------------------- https://www.trendmicro.com/en_us/research/25/c/socgholishs-intrusion-techni… ∗∗∗ Recursion kills: The story behind CVE-2024-8176 / Expat 2.7.0 released, includes security fixes ∗∗∗ --------------------------------------------- Expat 2.7.0 has been released earlier today. I will make this a more detailed post than usual because in many ways there is more to tell about this release than the average libexpat release: there is a story this time --------------------------------------------- https://blog.hartwork.org/posts/expat-2-7-0-released/ ∗∗∗ Memory Corruption in Delphi ∗∗∗ --------------------------------------------- Our team at Include Security is often asked to examine applications coded in languages that are usually considered “unsafe”, such as C and C++, due to their lack of memory safety functionality. Critical aspects of reviewing such code include identifying where bounds-checking, input validation, and pointer handling/dereferencing are .. --------------------------------------------- https://blog.includesecurity.com/2025/03/memory-corruption-in-delphi/ ∗∗∗ My Scammer Girlfriend: Baiting A Romance Fraudster ∗∗∗ --------------------------------------------- At the beginning of the year, a spate of very similar mails appeared in my spam-box. Although originating from different addresses (and sent to different recipients), they all appeared to be the opener for the same romance scam campaign. --------------------------------------------- https://www.bentasker.co.uk/posts/blog/security/seducing-a-romance-scammer.… ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-25-135: Adobe Acrobat Reader DC AcroForm Use of Uninitialized Variable Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Adobe Acrobat Reader DC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2025-27162. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-135/ ∗∗∗ ZDI-25-134: Adobe Acrobat Reader DC Doc Object Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Adobe Acrobat Reader DC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2025-24431. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-134/ ∗∗∗ ZDI-25-133: Adobe Acrobat Reader DC Annotation Use-After-Free Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Adobe Acrobat Reader DC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2025-27174. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-133/ ∗∗∗ ZDI-25-132: Adobe Acrobat Reader DC Annotation Use-After-Free Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Adobe Acrobat Reader DC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2025-27159. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-132/ ∗∗∗ ZDI-25-131: Adobe Acrobat Reader DC Annotation Use-After-Free Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Adobe Acrobat Reader DC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2025-27160. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-131/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily