=====================
= End-of-Day report =
=====================
Timeframe: Freitag 17-01-2025 18:00 − Montag 20-01-2025 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Malicious PyPi package steals Discord auth tokens from devs ∗∗∗
---------------------------------------------
A malicious package named pycord-self on the Python package index (PyPI) targets Discord developers to steal authentication tokens and plant a backdoor for remote control over the system. [..] The package mimics the highly popular 'discord.py-self,' which has nearly 28 million downloads, and even offers the functionality of the legitimate project.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/malicious-pypi-package-steal…
∗∗∗ Forscher deckt auf: ChatGPT lässt sich für DDoS-Angriffe missbrauchen ∗∗∗
---------------------------------------------
Eine ChatGPT-API scheint bereitwillig eine lange Liste von Links zur gleichen Webseite anzunehmen - und diese anschließend ungebremst abzufragen. [..] Ausführen lässt sich der DDoS-Angriff laut Flesch durch eine HTTP-Anfrage an eine ChatGPT-API, konkret durch einen POST-Request an die URL "https://chatgpt.com/backend-api/attributions". Die API erwarte eine Liste von Hyperlinks, schreibt der Forscher. Jedoch werde nicht geprüft, ob ein Hyperlink zur gleichen Ressource mehrfach genannt wird.
---------------------------------------------
https://www.golem.de/news/forscher-deckt-auf-chatgpt-laesst-sich-fuer-ddos-…
∗∗∗ Partial ZIP File Downloads, (Mon, Jan 20th) ∗∗∗
---------------------------------------------
Say you want a file that is inside a huge online ZIP file (several gigabytes large). Downloading the complete ZIP file would take too long.
---------------------------------------------
https://isc.sans.edu/diary/rss/31608
∗∗∗ Private Keys in the Fortigate Leak ∗∗∗
---------------------------------------------
A few days ago, a download link for a leak of configuration files for Fortigate/Fortinet devices was posted on an Internet forum. [..] It was first reported by heise, a post by Kevin Beaumont contains further info. What has not been widely recognized is that this leak also contains TLS and SSH private keys.
---------------------------------------------
https://blog.hboeck.de:443/archives/908-Private-Keys-in-the-Fortigate-Leak.…
∗∗∗ Looking at the Attack Surfaces of the Pioneer DMH-WT7600NEX IVI ∗∗∗
---------------------------------------------
For the upcoming Pwn2Own Automotive contest, a total of four in-vehicle infotainment (IVI) head units have been selected as targets. [..] This blog post aims to detail some of the attack surfaces of the DMH-WT7600NEX unit as well as provide information on how to extract the software running on this unit for further vulnerability research.
---------------------------------------------
https://www.thezdi.com/blog/2025/1/16/looking-at-the-attack-surfaces-of-the…
∗∗∗ Die meisten Cyberkriminellen hacken nicht, sondern loggen sich ein ∗∗∗
---------------------------------------------
Bei 57 Prozent der erfolgreichen Cyberangriffe ist kein großer Hack über Sicherheitslücken erforderlich. Die Cyberkriminellen nutzten einfach ein kompromittiertes Nutzerkonto, um Zugang auf die Systeme zu erhalten, so die Analyse von Varonis zu solchen Vorfällen
---------------------------------------------
https://www.borncity.com/blog/2025/01/19/die-meisten-cyberkriminellen-hacke…
∗∗∗ Hackers Claim Breach of Hewlett Packard Enterprise, Lists Data for Sale ∗∗∗
---------------------------------------------
Hacker IntelBroker claims to have breached Hewlett Packard Enterprise (HPE), exposing sensitive data like source code, certificates, and PII, now available for sale online.
---------------------------------------------
https://hackread.com/hackers-claim-hewlett-packard-data-breach-sale/
∗∗∗ Secure Coding: Apache Maven gegen Cache-Poisoning-Attacken rüsten ∗∗∗
---------------------------------------------
Dependency-Management-Systeme wie Maven sind immer wieder Ziel von Cache-Poisoning-Angriffen, gegen die nur konsequent umgesetzte Sicherheitspraktiken helfen.
---------------------------------------------
https://heise.de/-10244779
∗∗∗ Hilton, Hyatt, Marriott: 437.000 Datensätze aus Verwaltungsplattform bei HIBP ∗∗∗
---------------------------------------------
Kriminelle haben Daten bei der Verwaltungsplattform Otelier geklaut. Rund 437.000 Datensätze etwa von Hilton, Hyatt oder Marriott sind nun bei HIBP.
---------------------------------------------
https://heise.de/-10248339
∗∗∗ Investigating an "evil" RJ45 dongle ∗∗∗
---------------------------------------------
Earlier this week, a young entrepreneur caused stir on social media by suggesting that an Ethernet-to-USB they purchased from China was preloaded with malware that “evaded virtual machines”, “captured keystrokes”, and “used Russian-language elements”. [..] To get to that point, we didn’t need a hardware lab; a bit of patience and Google-fu was enough.
---------------------------------------------
https://lcamtuf.substack.com/p/investigating-an-evil-rj45-dongle
=====================
= Vulnerabilities =
=====================
∗∗∗ VU#199397: Insecure Implementation of Tunneling Protocols (GRE/IPIP/4in6/6in4) ∗∗∗
---------------------------------------------
Researchers at the DistriNet-KU Leuven research group have discovered millions of vulnerable Internet systems that accept unauthenticated IPIP, GRE, 4in6, or 6in4 traffic. This can be considered a generalization of the vulnerability in VU#636397 : IP-in-IP protocol routes arbitrary traffic by default (CVE-2020-10136). The exposed systems can be abused as one-way proxies, enable an adversary to spoof the source address of packets (CWE-290 Authentication Bypass by Spoofing), or permit access to an organization's private network.
---------------------------------------------
https://kb.cert.org/vuls/id/199397
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (.NET 8.0, .NET 9.0, ipa, and NetworkManager), Debian (389-ds-base, busybox, libreoffice, rsync, ruby2.7, tomcat10, and tryton-server), Fedora (chromium and stb), Mageia (openafs and vim), Oracle (.NET 8.0 and .NET 9.0), SUSE (amazon-ssm-agent, chromedriver, git, golang-github-prometheus-prometheus, govulncheck-vulndb, grafana, hplip, pam_u2f, perl-Compress-Raw-Zlib, perl-IO-Compress, redis, redis7, rsync, and velociraptor), and Ubuntu (libpodofo and linux-xilinx-zynqmp).
---------------------------------------------
https://lwn.net/Articles/1005638/
∗∗∗ Nvidia: Datenabfluss durch Sicherheitsleck in Grafiktreiber möglich ∗∗∗
---------------------------------------------
Nvidia hat Sicherheitslücken in seinen Grafikkartentreibern entdeckt. Angreifer können dadurch Informationen abgreifen. Updates stehen bereit.
---------------------------------------------
https://heise.de/-10248258
∗∗∗ Sicherheitspatch: Unbefugte Zugriffe auf bestimmte Switches von Moxa möglich ∗∗∗
---------------------------------------------
Angreifer können bei Moxa-Switches der EDS-508A-Serie die Authentifizierung umgehen. Die Sicherheitslücke gilt als kritisch. Um Angriffe vorzubeugen, sollten Netzwerkadmins die Firmware ihrer Ethernet-Switches der Serie EDS-508A von Moxa auf den aktuellen Stand bringen.
---------------------------------------------
https://heise.de/-10249285
∗∗∗ Yubico Warns of 2FA Security Flaw in pam-u2f for Linux and macOS Users ∗∗∗
---------------------------------------------
https://thecyberexpress.com/yubico-2fa-bypass-vulnerability-advisory/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 16-01-2025 18:00 − Freitag 17-01-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ D-Trust: Cyberangriff trifft Trustcenter der Bundesdruckerei ∗∗∗
---------------------------------------------
Aus einem Antragsportal der D-Trust GmbH sind potenziell personenbezogene Daten abgeflossen. Wer hinter dem Angriff steckt, ist noch unklar.
---------------------------------------------
https://www.golem.de/news/d-trust-cyberangriff-trifft-trustcenter-der-bunde…
∗∗∗ Mercedes-Benz Head Unit security research report ∗∗∗
---------------------------------------------
Kaspersky experts analyzed the Mercedes-Benz head unit, its IPC protocols and firmware, and found new vulnerabilities via physical access.
---------------------------------------------
https://securelist.com/mercedes-benz-head-unit-security-research/115218/
∗∗∗ New Star Blizzard spear-phishing campaign targets WhatsApp accounts ∗∗∗
---------------------------------------------
In mid-November 2024, Microsoft Threat Intelligence observed the Russian threat actor we track as Star Blizzard sending their typical targets spear-phishing messages, this time offering the supposed opportunity to join a WhatsApp group. This is the first time we have identified a shift in Star Blizzard’s longstanding tactics, techniques, ..
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2025/01/16/new-star-blizzard-…
∗∗∗ Gootloader inside out ∗∗∗
---------------------------------------------
Open-source intelligence reveals the server-side code of this pernicious SEO-driven malware - without needing a lawyer afterward
---------------------------------------------
https://news.sophos.com/en-us/2025/01/16/gootloader-inside-out/
∗∗∗ U.S. Sanctions North Korean IT Worker Network Supporting WMD Programs ∗∗∗
---------------------------------------------
The U.S. Treasury Departments Office of Foreign Assets Control (OFAC) sanctioned two individuals and four entities for their alleged involvement in illicit revenue generation schemes for the Democratic Peoples Republic of Korea (DPRK) by dispatching ..
---------------------------------------------
https://thehackernews.com/2025/01/us-sanctions-north-korean-it-worker.html
∗∗∗ Hackers Likely Stole FBI Call Logs From AT&T That Could Compromise Informants ∗∗∗
---------------------------------------------
A breach of AT&T that exposed “nearly all” of the company’s customers may have included records related to confidential FBI sources, potentially explaining the bureau’s new embrace of end-to-end encryption.
---------------------------------------------
https://www.wired.com/story/hackers-likely-stole-fbi-call-logs-from-att-tha…
∗∗∗ Biden ordnet für US-Behörden Verschlüsselung von E-Mail, DNS und BGP an ∗∗∗
---------------------------------------------
Ende-zu-Ende-Verschlüsselung, bessere Software und Abwehr, Post-Quanten, Aufsicht über Lieferanten, Passkeys, Erforschung von KI – Biden verordnet gute Medizin.
---------------------------------------------
https://www.heise.de/news/Biden-ordnet-Verschluesselung-von-E-Mail-DNS-und-…
∗∗∗ Daten von rund 250.000 MSI-Kunden bei Have I Been Pwned ∗∗∗
---------------------------------------------
Bei einem Cybervorfall bei MSI sind 2024 offenbar zahlreiche Kundendatensätze kopiert worden. Rund 250.000 Stück hat HIBP nun aufgenommen.
---------------------------------------------
https://www.heise.de/news/Daten-von-rund-250-000-MSI-Kunden-bei-Have-I-Been…
∗∗∗ Vertrauensdiensteanbieter D-Trust informiert über Datenschutzvorfall ∗∗∗
---------------------------------------------
Bei D-Trust kam es zu einem Datenschutzvorfall. Betroffen ist das Antragsportal für Signatur- und Siegelkarten. Die Ermittlungen laufen.
---------------------------------------------
https://www.heise.de/news/Vertrauensdiensteanbieter-D-Trust-informiert-uebe…
∗∗∗ Chinese Innovations Spawn Wave of Toll Phishing Via SMS ∗∗∗
---------------------------------------------
Residents across the United States are being inundated with text messages purporting to come from toll road operators like E-ZPass, warning that recipients face fines if a delinquent toll fee remains unpaid. Researchers say the surge in SMS spam coincides with new features added to a popular commercial phishing kit sold in China that makes it simple to ..
---------------------------------------------
https://krebsonsecurity.com/2025/01/chinese-innovations-spawn-wave-of-toll-…
∗∗∗ OSV-SCALIBR: A library for Software Composition Analysis ∗∗∗
---------------------------------------------
In December 2022, we announced OSV-Scanner, a tool to enable developers to easily scan for vulnerabilities in their open source dependencies. Together with the open source community, we’ve continued to build this tool, adding remediation features, as well ..
---------------------------------------------
http://security.googleblog.com/2025/01/osv-scalibr-library-for-software.html
∗∗∗ PayPal ruft an? Vorsicht Betrug! ∗∗∗
---------------------------------------------
Aktuell erhält die Watchlist Internet zahlreiche Meldungen zu Anrufen durch angebliche PayPal-Mitarbeiter:innen. Heben Sie ab, berichtet man Ihnen von angeblichen Abbuchungen von Ihrem PayPal-Konto und fordert Ihre Mithilfe zum Blockieren der Abbuchungen. Tatsächlich greift man dabei aber auf Ihre Systeme zu und stiehlt Ihnen Ihr Geld. Ein Schaden entsteht erst durch das Telefonat!
---------------------------------------------
https://www.watchlist-internet.at/news/paypal-ruft-an/
∗∗∗ Let’s talk about AI and end-to-end encryption ∗∗∗
---------------------------------------------
Recently, I came across a fantastic new paper by a group of NYU and Cornell researchers entitled “How to think about end-to-end encryption and AI.” I’m extremely grateful to see this paper, because while I don’t agree with every one of it’s ..
---------------------------------------------
https://blog.cryptographyengineering.com/2025/01/17/lets-talk-about-ai-and-…
∗∗∗ Threat Brief: CVE-2025-0282 and CVE-2025-0283 ∗∗∗
---------------------------------------------
CVE-2025-0282 and CVE-2025-0283 affect multiple Ivanti products. This threat brief covers attack scope, including details from an incident response case.
---------------------------------------------
https://unit42.paloaltonetworks.com/threat-brief-ivanti-cve-2025-0282-cve-2…
∗∗∗ New WDAC Exploit Technique: Leveraging Policies to Disable EDRs and Evade Detection ∗∗∗
---------------------------------------------
The file “SiPolicy.p7b” contains policies that Windows OS and Windows Defender (AV) will listen to and your antivirus will apply the policies that this ..
---------------------------------------------
https://www.truesec.com/hub/blog/new-wdac-exploit-technique-leveraging-poli…
∗∗∗ IoT Botnet Linked to Large-scale DDoS Attacks Since the End of 2024 ∗∗∗
---------------------------------------------
Since the end of 2024, we have been continuously monitoring large-scale DDoS attacks orchestrated by an IoT botnet exploiting vulnerable IoT devices such as wireless routers and IP cameras.
---------------------------------------------
https://www.trendmicro.com/en_us/research/25/a/iot-botnet-linked-to-ddos-at…
∗∗∗ Announcing Six Day and IP Address Certificate Options in 2025 ∗∗∗
---------------------------------------------
This year we will continue to pursue our commitment to improving the security of the Web PKI by introducing the option to get certificates with six-day lifetimes (“short-lived certificates”). We will also add support for IP addresses in addition to domain names ..
---------------------------------------------
https://letsencrypt.org/2025/01/16/6-day-and-ip-certs/
∗∗∗ A Response to Recent Claims About Sessions Security Architecture ∗∗∗
---------------------------------------------
We were recently made aware of a blog published by a security researcher which makes a number of claims about Session and supposed flaws in Session’s design and implementation. We, as well as other Session contributors, have now had time to read through the blog and investigate the claims and wanted to give a detailed response on each point raised by the author.
---------------------------------------------
https://getsession.org/blog/a-response-to-recent-claims-about-sessions-secu…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (rsync and tomcat9), Fedora (chromium, mingw-python-jinja2, redict, and valkey), Gentoo (GIMP and pip), Oracle (.NET, fence-agents, ipa, kernel, python-virtualenv, raptor2, and rsync), Red Hat (.NET 8.0 and .NET 9.0), SUSE (apache2-mod_jk, git, git-lfs, kernel, python-Django, thunderbird, and xen), and Ubuntu (audacity, bcel, dotnet8, dotnet9, gimp-dds, harfbuzz, libxml2, poppler, rsync, and tqdm).
---------------------------------------------
https://lwn.net/Articles/1005433/
∗∗∗ Aviatrix Controllers OS Command Injection Vulnerability ∗∗∗
---------------------------------------------
https://fortiguard.fortinet.com/threat-signal-report/5982
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 15-01-2025 18:00 − Donnerstag 16-01-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ MFA Failures - The Worst is Yet to Come ∗∗∗
---------------------------------------------
This article delves into the rising tide of MFA failures, the alarming role of generative AI in amplifying these attacks, the growing user discontent weakening our defenses, and the glaring vulnerabilities being frequently exploited. The storm is building, and the worst is yet to come.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/mfa-failures-the-worst-is-ye…
∗∗∗ An honest mistake - and a cautionary tale ∗∗∗
---------------------------------------------
We all make mistakes. That is only natural. However, there are cases in which these mistakes can have unexpected consequences. A Twitter user recently found this out the hard way. The ingredients: a cheap USB-C adapter with a network connection, an internet connection and a sandbox.
---------------------------------------------
https://www.gdatasoftware.com/blog/2025/01/38129-usb-network-adapter-malware
∗∗∗ Windows 10 und 11: Microsoft verwirrt Nutzer mit Bitlocker-Bug ∗∗∗
---------------------------------------------
Auf einigen Windows-Geräten mit aktivierter Bitlocker-Verschlüsselung erscheint eine unerwartete Meldung. Microsoft untersucht das Problem.
---------------------------------------------
https://www.golem.de/news/windows-10-und-11-microsoft-verwirrt-nutzer-mit-b…
∗∗∗ Tiktok, Xiaomi, Aliexpress: Beschwerden wegen Datentransfers nach China eingereicht ∗∗∗
---------------------------------------------
China ist als autoritärer Überwachungsstaat nach Einschätzung von Datenschützern kein zulässiger Standort für europäische Nutzerdaten.
---------------------------------------------
https://www.golem.de/news/tiktok-xiaomi-aliexpress-beschwerden-wegen-datent…
∗∗∗ Bidens Cyber Ambassador Urges Trump Not to Cede Ground to Russia and China in Global Tech Fight ∗∗∗
---------------------------------------------
Nathaniel Fick, the ambassador for cyberspace and digital policy, has led US tech diplomacy amid a rising tide of pressure from authoritarian regimes. Will the Trump administration undo that work?
---------------------------------------------
https://www.wired.com/story/nathaniel-fick-us-cyber-ambassador-exit-intervi…
∗∗∗ IT-Sicherheit: EU-Kommission will Gesundheitsbranche unterstützen ∗∗∗
---------------------------------------------
Verstärkte Prävention und rasche Reaktion auf Attacken stehen im Zentrum eines EU-Plans für IT-Sicherheit von Krankenhäusern und Gesundheitsdienstleistern.
---------------------------------------------
https://www.heise.de/news/IT-Attacken-So-will-die-EU-Kommission-den-Gesundh…
∗∗∗ Es kann Schadcode auf HPE Aruba Networking AOS Controllers und Gateways gelangen ∗∗∗
---------------------------------------------
Netzwerktechnik von HPE Aruba ist verwundbar. Aktuelle Updates schließen insgesamt zwei Sicherheitslücken.
---------------------------------------------
https://www.heise.de/news/Es-kann-Schadcode-auf-HPE-Aruba-Networking-AOS-Co…
∗∗∗ Achtung vor go.hopeforlifefund.com: Spendenaufruf für Nikolas ist Fake! ∗∗∗
---------------------------------------------
Kinder, die an Krebs erkranken, stehen vor großen Herausforderungen und ihre Familien sind oft mit enormen finanziellen Belastungen konfrontiert. Spendenaktionen können hier ein Lichtblick sein. Doch leider gibt es auch Kriminelle, die das Mitgefühl der Menschen schamlos ausnutzen – wie im Fall der betrügerischen Spendenplattform go.hopeforlifefund.com, die angeblich für den krebskranken Jungen Nikolas Spenden sammelt.
---------------------------------------------
https://www.watchlist-internet.at/news/spendenaufruf-fuer-krebskranken-niko…
∗∗∗ FTC cracks down on GoDaddy for cybersecurity failings ∗∗∗
---------------------------------------------
GoDaddy’s failure to use industry standard measures led to what the Federal Trade Commission called “several major security breaches” between 2019 and 2022.
---------------------------------------------
https://therecord.media/ftc-godaddy-cyber-failings-fine
∗∗∗ Detecting Teams Chat Phishing Attacks (Black Basta) ∗∗∗
---------------------------------------------
For quite a while now, there has been a new ongoing threat campaign where the adversaries first bomb a user’s mailbox with spam emails and then pose as Help Desk or IT Support on Microsoft Teams to trick their potential victims into providing ..
---------------------------------------------
https://blog.nviso.eu/2025/01/16/detecting-teams-chat-phishing-attacks-blac…
∗∗∗ 2022 zero day was used to raid Fortigate firewall configs. Somebody just released them. ∗∗∗
---------------------------------------------
Back in 2022, Fortinet warned that somebody had a zero day vulnerability and was using it to exploit Fortigate firewalls https://www.fortinet.com/blog/psirt-blogs/update-regarding-cve-2022-40684 ..
---------------------------------------------
https://doublepulsar.com/2022-zero-day-was-used-to-raid-fortigate-firewall-…
∗∗∗ Black Basta-Style Cyberattack Hits Inboxes with 1,165 Emails in 90 Minutes ∗∗∗
---------------------------------------------
A recent cyberattack, mimicking the tactics of the notorious Black Basta ransomware group, targeted one of SlashNext’s clients.…
---------------------------------------------
https://hackread.com/black-basta-cyberattack-hits-inboxes-with-1165-emails/
∗∗∗ Proxying PyRIT for fun and profit ∗∗∗
---------------------------------------------
If you are in the AI security field, you are probably facing the problem of testing Large Language Models (LLMs) at scale and questioning the optimal balance between automatic testing and manual testing ..
---------------------------------------------
https://www.nccgroup.com/us/research-blog/proxying-pyrit-for-fun-and-profit/
∗∗∗ Dont Use Session (Signal Fork) ∗∗∗
---------------------------------------------
The main reason I said to avoid Session, all those months ago, was simply due to their decision to remove forward secrecy (which is an important security property of cryptographic protocols they inherited for free when they forked libsignal).
---------------------------------------------
https://soatok.blog/2025/01/14/dont-use-session-signal-fork/
∗∗∗ UK Officials Consider Banning Ransomware Payments from Public Entities ∗∗∗
---------------------------------------------
The UK government is poised to take a decisive step in the fight against ransomware by banning public sector entities from paying ransoms. This collection of proposals, part of a broader effort to protect critical national infrastructure, aims to disrupt the business model of cybercriminals and shield essential services like the NHS, schools, and local ..
---------------------------------------------
https://socket.dev/blog/uk-officials-consider-banning-ransomware-payments-f…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (fence-agents, raptor2, and rsync), Debian (chromium), Fedora (rsync and seamonkey), Mageia (openjpeg2), Red Hat (tuned), Slackware (git), SUSE (dcmtk, dnsmasq, govulncheck-vulndb, libQtWebKit4, libraptor-devel, opera, python311-Pillow, python311-translate-toolkit, rsync, and SDL2_sound-devel), and Ubuntu (linux-raspi-5.4, neomutt, and python2.7).
---------------------------------------------
https://lwn.net/Articles/1005292/
∗∗∗ CVE-2024-9042 ∗∗∗
---------------------------------------------
Command Injection affecting Windows nodes via nodes/*/logs/query API
---------------------------------------------
https://github.com/kubernetes/kubernetes/issues/129654
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 14-01-2025 18:00 − Mittwoch 15-01-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ WP3.XYZ malware attacks add rogue admins to 5,000+ WordPress sites ∗∗∗
---------------------------------------------
A new malware campaign has compromised more than 5,000 WordPress sites to create admin accounts, install a malicious plugin, and steal data.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/wp3xyz-malware-attacks-add-r…
∗∗∗ Undercover Operations: Scraping the Cybercrime Underground ∗∗∗
---------------------------------------------
A blog about web scraping methods, use cases, challenges, and how to overcome them.
---------------------------------------------
https://www.sans.org/blog/undercover-operations-scraping-the-cybercrime-und…
∗∗∗ Cyber-Bedrohungen für die öffentliche Ladeinfrastruktur: Risiken und Schutzmaßnahmen durch Penetrationstests ∗∗∗
---------------------------------------------
Angriffe auf die öffentliche Ladeinfrastruktur für Elektrofahrzeuge nehmen zu und gefährden den Ruf und die Sicherheit der ..
---------------------------------------------
https://sec-consult.com/de/blog/detail/cyber-bedrohungen-fuer-die-oeffentli…
∗∗∗ Phishing False Alarm ∗∗∗
---------------------------------------------
A very security-conscious company was hit with a (presumed) massive state-actor phishing attack with gift cards, and everyone rallied to combat it—until it turned out it was company management sending the gift cards.
---------------------------------------------
https://www.schneier.com/blog/archives/2025/01/phishing-false-alarm.html
∗∗∗ Miscreants mass exploited Fortinet firewalls, highly probable zero-day used ∗∗∗
---------------------------------------------
Ransomware not off the table, Arctic Wolf threat hunter tells El Reg Updated Miscreants running a "mass exploitation campaign" against Fortinet firewalls, which peaked in December, may be using an unpatched zero-day vulnerability to compromise the equipment, according to security researchers who say theyve observed the ..
---------------------------------------------
https://www.theregister.com/2025/01/14/miscreants_mass_exploited_fortinet_f…
∗∗∗ Patchday Fortinet: Hintertür ermöglicht unbefugte Zugriffe auf FortiSwitch ∗∗∗
---------------------------------------------
Der Anbieter von IT-Securitylösungen Fortinet hat zahlreiche Sicherheitsupdates für seine Produkte veröffentlicht. Das sollten Netzwerkadmins im Blick haben.
---------------------------------------------
https://www.heise.de/news/Patchday-Fortinet-Hintertuer-ermoeglicht-unbefugt…
∗∗∗ Cybergang Cl0p: Angeblich Daten durch Cleo-Sicherheitslücke abgezogen ∗∗∗
---------------------------------------------
Die kriminelle Bande Cl0p hat angeblich bei vielen Unternehmen Daten durch eine Sicherheitslücke in der Transfersoftware Cleo gestohlen.
---------------------------------------------
https://www.heise.de/news/Cybergang-Cl0p-Angeblich-Daten-durch-Cleo-Sicherh…
∗∗∗ Security flaws found in tiny phones promoted to children ∗∗∗
---------------------------------------------
TL;DR Three mini smartphones promoted to children were analysed These types of phones are heavily promoted on TikTok All had outdated operating systems All could be rooted without wiping the ..
---------------------------------------------
https://www.pentestpartners.com/security-blog/security-flaws-found-in-tiny-…
∗∗∗ Security flaws found in tiny phones promoted to children ∗∗∗
---------------------------------------------
TL;DR Three mini smartphones promoted to children were analysed Those devices are heavily promoted on TikTok All had outdated operating systems All could be rooted without wiping the phone, allowing ..
---------------------------------------------
https://www.pentestpartners.com/security-blog/security-flaws-found-in-tiny-…
∗∗∗ Adobe Releases Security Updates for Multiple Products ∗∗∗
---------------------------------------------
Adobe released security updates to address vulnerabilities in multiple Adobe software products including Adobe Photoshop, Animate, and Illustrator for iPad. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the following ..
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/01/14/adobe-releases-security-…
∗∗∗ TAG Bulletin: Q3 2024 ∗∗∗
---------------------------------------------
This bulletin includes coordinated influence operation campaigns terminated on our platforms in Q3 2024.
---------------------------------------------
https://blog.google/threat-analysis-group/tag-bulletin-q3-2024/
∗∗∗ Patchday: Windows 10/11 Updates (14. Januar 2025) ∗∗∗
---------------------------------------------
Am 14. Januar 2024 (zweiter Dienstag im Monat, Patchday bei Microsoft) hat Microsoft auch kumulative Updates für die noch unterstützten Versionen der Client-Betriebssysteme Windows 10 und Windows 11 veröffentlicht. Hier einige ..
---------------------------------------------
https://www.borncity.com/blog/2025/01/15/patchday-windows-10-11-updates-14-…
∗∗∗ Passkeys: the promise of a simpler and safer alternative to passwords ∗∗∗
---------------------------------------------
The merits of choosing passkeys over passwords to help keep your online accounts more secure, and explaining how the technology promises to do this
---------------------------------------------
https://www.ncsc.gov.uk/blog-post/passkeys-promise-simpler-alternative-pass…
∗∗∗ Your Single-Page Applications Are Vulnerable: Heres How to Fix Them ∗∗∗
---------------------------------------------
Due to their client-side nature, single-page applications (SPAs) will typically have multiple access control vulnerabilitiesBy implementing a robust access control policy on supporting APIs, the risks associated with client-side rendering can be largely mitigatedUsing server-side ..
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/single-page-applic…
∗∗∗ Tracking cloud-fluent threat actors - Part two: Behavioral cloud IOCs ∗∗∗
---------------------------------------------
Discover how behavioral cloud IOCs can expose malicious activity as we break down real-world examples to reveal actionable detection techniques.
---------------------------------------------
https://www.wiz.io/blog/detecting-behavioral-cloud-indicators-of-compromise…
∗∗∗ The Risks of Misguided Research in Supply Chain Security ∗∗∗
---------------------------------------------
On January 8, 2025, it came to light that Snyk, a well-known security tool—frequently used to protect against supply chain attacks—was implicated in a troubling event. Several malicious packages targeting the popular AI coding platform Cursor were deployed to the public npm registry. These packages, named “cursor-retrieval,” “cursor-always-local,” ..
---------------------------------------------
https://socket.dev/blog/the-risks-of-misguided-research-in-supply-chain-sec…
∗∗∗ Penetration Testing for ISO/IEC 27001: A Detailed Guide to Compliance ∗∗∗
---------------------------------------------
In an era where data breaches and cyber threats dominate headlines, safeguarding sensitive information has become a critical priority for organizations worldwide. ISO/IEC 27001, the internationally recognized standard for Information Security Management Systems (ISMS), offers a robust framework to protect valuable information assets. By ..
---------------------------------------------
https://fortbridge.co.uk/regulations/penetration-testing-for-iso-iec-27001-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Six vulnerabilities discovered in rsync ∗∗∗
---------------------------------------------
Nick Tait announced on the oss-security mailing list that rsync, the widely used file transfer program, had a number of serious vulnerabilities.Users can mitigate all six vulnerabilities by upgrading to version 3.4.0, which was released on January 14. While all users should upgrade, servers that use rsyncd are especially impacted:In the most severe CVE, an attacker ..
---------------------------------------------
https://lwn.net/Articles/1005129/
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Arch Linux (rsync), Debian (rsync), Fedora (perl-Net-OAuth and redis), Red Hat (ipa, raptor2, rsync, and tuned), Slackware (rsync), SUSE (apache2-mod_jk, git, kernel, rclone, rsync, and webkit2gtk3), and Ubuntu (git, linux-azure-5.4, pdns, pdns-recursor, python-django, rlottie, and rsync).
---------------------------------------------
https://lwn.net/Articles/1005163/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 13-01-2025 18:00 − Dienstag 14-01-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Abgehörte Kryptohandys: BGH erlaubt Verwertung - Berliner Landgericht lehnt ab ∗∗∗
---------------------------------------------
Die Justiz ringt seit Jahren um die Verwertung von Daten abgehörter Kryptohandys. Nun gab es in wenigen Wochen gegensätzliche Urteile.
---------------------------------------------
https://www.golem.de/news/abgehoerte-kryptohandys-bgh-erlaubt-verwertung-be…
∗∗∗ Analyzing CVE-2024-44243, a macOS System Integrity Protection bypass through kernel extensions ∗∗∗
---------------------------------------------
Microsoft discovered a macOS vulnerability allowing attackers to bypass System Integrity Protection (SIP) by loading third party kernel extensions, which could lead to serious consequences, such as allowing attackers to install rootkits, create persistent malware, bypass Transparency, Consent, and Control (TCC), and expand the attack surface to perform other ..
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2025/01/13/analyzing-cve-2024…
∗∗∗ The Database Slayer: Deep Dive and Simulation of the Xbash Malware ∗∗∗
---------------------------------------------
In the world of malware, common ransomware schemes aim to take the data within databases (considered the "gold" in the vault of any organization) and hold them hostage, promising data recovery upon ransom payment.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-databas…
∗∗∗ Snyk appears to deploy malicious packages targeting Cursor for unknown reason ∗∗∗
---------------------------------------------
Packages removed, vendor said to have apologized to AI code editor as onlookers say it could have been a test Developer security company Snyk is at the center of allegations concerning the possible targeting or testing of Cursor, an AI code editor company, using "malicious" packages uploaded to NPM.
---------------------------------------------
https://www.theregister.com/2025/01/14/snyk_npm_deployment_removed/
∗∗∗ SAP-Patchday: Updates schließen 14 teils kritische Schwachstellen ∗∗∗
---------------------------------------------
Im Januar bedenkt SAP Produkte mit 14 Sicherheitsmitteilungen und zugehörigen Updates. Zwei davon gelten als kritisch.
---------------------------------------------
https://www.heise.de/news/SAP-Patchday-Hersteller-stopft-teils-kritische-SI…
∗∗∗ Telefónica: Infostealer-Kampagne legt interne Jira-Issues offen ∗∗∗
---------------------------------------------
Der Telekommunikationsanbieter Telefónica wurde Opfer eines Cyberangriffs. Kriminelle erbeuteten offenbar Zugriff auf große Mengen interner Daten.
---------------------------------------------
https://www.heise.de/news/Telefonica-Infostealer-Kampagne-legt-interne-Jira…
∗∗∗ Achtung Fake: vailllant.at und vaillantproservice.at ∗∗∗
---------------------------------------------
Kriminelle missbrauchen das für Heiztechnik bekannte Unternehmen Vaillant für eine Betrugsmasche. Auf gefälschten Webseiten geben sich die Kriminellen als 24-Stunden-Notdienst für Österreich bzw. Wien/Niederösterreich aus. Ruft man den betrügerischen Notdienst an, kommen unseriöser Handwerker:innen, die den Schaden nicht fachgerecht beheben, sondern eine horrende Summe in Rechnung stellen!
---------------------------------------------
https://www.watchlist-internet.at/news/achtung-fake-vailllantat-und-vaillan…
∗∗∗ One Step Ahead in Cyber Hide-and-Seek: Automating Malicious Infrastructure Discovery With Graph Neural Networks ∗∗∗
---------------------------------------------
Graph neural networks aid in analyzing domains linked to known attack indicators, effectively uncovering new malicious domains and cybercrime campaigns.
---------------------------------------------
https://unit42.paloaltonetworks.com/graph-neural-networks/
∗∗∗ Ransomware: Threat Level Remains High in Third Quarter ∗∗∗
---------------------------------------------
Recently established RansomHub group overtakes LockBit to become most prolific ransomware operation.
---------------------------------------------
https://www.security.com/threat-intelligence/ransomware-threat-level-remain…
∗∗∗ CISA Releases the JCDC AI Cybersecurity Collaboration Playbook and Fact Sheet ∗∗∗
---------------------------------------------
Today, CISA released the JCDC AI Cybersecurity Collaboration Playbook and Fact Sheet to foster operational collaboration among government, industry, and international partners and strengthen artificial intelligence (AI) cybersecurity. The playbook provides voluntary information-sharing processes that, if adopted, can help protect organizations from emerging ..
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2025/01/14/cisa-releases-jcdc-ai-cy…
∗∗∗ Major location data broker reports hack to Norwegian authorities ∗∗∗
---------------------------------------------
The location data broker Gravy Analytics confirmed to Norwegian authorities that it was breached by a hacker — potentially exposing a trove of sensitive information.
---------------------------------------------
https://therecord.media/location-data-broker-gravy-breach
∗∗∗ NPM command confusion ∗∗∗
---------------------------------------------
Intro Managing dependencies in JavaScript projects can quickly become a complex undertaking. Tasks include keeping track of versions, ensuring compatibility, and handling updates . npm provides a robust solution to these problems, through a centralized system for managing project dependencies. Primarily accessed through its command-line interface (CLI), npm ..
---------------------------------------------
https://checkmarx.com/blog/npm-command-confusion/
∗∗∗ Malicious Kong Ingress Controller Image Found on DockerHub ∗∗∗
---------------------------------------------
A critical security breach in the software supply chain has been detected. An attacker accessed Kong’s DockerHub account
---------------------------------------------
https://hackread.com/malicious-kong-ingress-controller-image-dockerhub/
∗∗∗ Hackers Using Fake YouTube Links to Steal Login Credentials ∗∗∗
---------------------------------------------
Cybercriminals exploit fake YouTube links to redirect users to phishing pages, stealing login credentials via URI ..
---------------------------------------------
https://hackread.com/hackers-fake-youtube-links-steal-login-credentials/
∗∗∗ Kill Switch Hidden in npm Packages Typosquatting Chalk and Chokidar ∗∗∗
---------------------------------------------
In Hindi, chokidar (चौकीदार) means “gatekeeper” or “watchman”—a perfect descriptor for chokidar one of Node.js most trusted file-watching libraries with around 56 million weekly downloads. Meanwhile, chalk serves as a cornerstone for terminal string styling in JavaScript, drawing over 265 million downloads weekly. Unfortunately, our Socket threat ..
---------------------------------------------
https://socket.dev/blog/kill-switch-hidden-in-npm-packages-typo-squatting-c…
=====================
= Vulnerabilities =
=====================
∗∗∗ Zyxel security advisory for improper privilege management vulnerability in APs and security router devices ∗∗∗
---------------------------------------------
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-…
∗∗∗ January Security Update ∗∗∗
---------------------------------------------
https://www.ivanti.com/blog/january-security-update
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 10-01-2025 18:00 − Montag 13-01-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Ongoing attacks on Ivanti VPNs install a ton of sneaky, well-written malware ∗∗∗
---------------------------------------------
In-the-wild attacks tamper with built-in security tool providing infection warnings.
---------------------------------------------
https://arstechnica.com/security/2025/01/ivanti-vpn-users-are-getting-hacke…
∗∗∗ Phishing texts trick Apple iMessage users into disabling protection ∗∗∗
---------------------------------------------
Cybercriminals are exploiting a trick to turn off Apple iMessages built-in phishing protection for a text and trick users into re-enabling disabled phishing links.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/phishing-texts-trick-apple-i…
∗∗∗ Ransomware abuses Amazon AWS feature to encrypt S3 buckets ∗∗∗
---------------------------------------------
A new ransomware campaign encrypts Amazon S3 buckets using AWSs Server-Side Encryption with Customer Provided Keys (SSE-C) known only to the threat actor, demanding ransoms to receive the decryption key.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ransomware-abuses-amazon-aws…
∗∗∗ Anwendung blockiert: MacOS stuft Docker Desktop als Malware ein ∗∗∗
---------------------------------------------
Einige Dateien von Docker Desktop für MacOS wurden falsch signiert, so dass Nutzer eine Malware-Warnung erhalten. Eine echte Gefahr besteht nicht.
---------------------------------------------
https://www.golem.de/news/anwendung-blockiert-docker-desktop-unter-macos-al…
∗∗∗ New LLM Jailbreak Uses Models Evaluation Skills Against Them ∗∗∗
---------------------------------------------
SC Media reports on a new jailbreak method for large language models (LLMs) that "takes advantage of models ability to identify and score harmful content in order to trick the models into generating content related to malware, illegal activity, harassment and more. "The Bad Likert Judge multi-step jailbreak technique was developed and tested by ..
---------------------------------------------
https://it.slashdot.org/story/25/01/12/2010218/new-llm-jailbreak-uses-model…
∗∗∗ Nominet probes network intrusion linked to Ivanti zero-day exploit ∗∗∗
---------------------------------------------
Unauthorized activity detected, but no backdoors found UK domain registry Nominet is investigating a potential intrusion into its network related to the latest Ivanti zero-day exploits.
---------------------------------------------
https://www.theregister.com/2025/01/13/nominet_ivanti_zero_day/
∗∗∗ Paypal-Phishing: Angebliche monatliche Finanzberichte ködern Opfer ∗∗∗
---------------------------------------------
Derzeit schaffen es Phishing-Mails an Spam-Filtern vorbeizukommen, die einen monatlichen Finanzbericht für Paypal versprechen.
---------------------------------------------
https://www.heise.de/news/Paypal-Phishing-Angebliche-monatliche-Finanzberic…
∗∗∗ Log Source Management App für IBM QRadar SIEM ist auf vielen Wegen angreifbar ∗∗∗
---------------------------------------------
Weil mehrere Komponenten verwundbar sind, können Angreifer Systeme mit Log Source Management App für IBM QRadar SIEM attackieren.
---------------------------------------------
https://www.heise.de/news/Log-Source-Management-App-fuer-IBM-QRadar-SIEM-is…
∗∗∗ Tackling AI threats. Advanced DFIR methods and tools for deepfake detection ∗∗∗
---------------------------------------------
TL; DR AI-generated documents, videos and more pose significant challenges for DFIR DFIR teams can harness innovative detection strategies and tooling Digital fingerprinting and watermarking, AI-powered and behavioural analyses ..
---------------------------------------------
https://www.pentestpartners.com/security-blog/tackling-ai-threats-advanced-…
∗∗∗ Rufnummernmissbrauch dank Verordnung drastisch zurückgegangen ∗∗∗
---------------------------------------------
Die "Anti-Spoofing-Verordnung" der RTR greift seit September, seitdem gibt es nur noch wenige Vorfälle von Betrug mittels gekaperter Rufnummern
---------------------------------------------
https://www.derstandard.at/story/3000000252624/rufnummernmissbrauch-dank-ve…
∗∗∗ Muddling Meerkat Linked to Domain Spoofing in Global Spam Scams ∗∗∗
---------------------------------------------
Infoblox cybersecurity researchers investigating the mysterious activities of Muddling Meerkat unexpectedly uncovered widespread use of domain spoofing in malicious spam campaigns.
---------------------------------------------
https://hackread.com/muddling-meerkat-domain-spoofing-spam-scams/
∗∗∗ Fake CrowdStrike Recruiters Distribute Malware Via Phishing Emails ∗∗∗
---------------------------------------------
SUMMARY Cybercriminals are deploying a tricky new phishing campaign impersonating the cybersecurity firm CrowdStrike‘s ..
---------------------------------------------
https://hackread.com/fake-crowdstrike-recruiters-malware-phishing-emails/
∗∗∗ 3 Russians Indicted for Operating Blender.io and Sinbad.io Crypto Mixers ∗∗∗
---------------------------------------------
SUMMARY Three Russian nationals have been indicted for their alleged roles in running cryptocurrency mixing services Blender.io and…
---------------------------------------------
https://hackread.com/3-russian-operating-blender-io-sinbad-io-crypto-mixers/
∗∗∗ Exploitation Walkthrough and Techniques - Ivanti Connect Secure RCE (CVE-2025-0282) ∗∗∗
---------------------------------------------
As we saw in our previous blogpost, we fully analyzed Ivanti’s most recent unauthenticated Remote Code Execution vulnerability in their Connect Secure (VPN) appliance. Specifically, we analyzed CVE-2025-0282.Today, we’re ..
---------------------------------------------
https://labs.watchtowr.com/exploitation-walkthrough-and-techniques-ivanti-c…
∗∗∗ Deep Dive Into a Linux Rootkit Malware ∗∗∗
---------------------------------------------
This is a follow-up analysis to a previous blog about a zero day exploit where the FortiGuard Incident Response (FGIR) team examined how remote attackers exploited multiple vulnerabilities in an appliance to gain control of a customer’s system.
---------------------------------------------
https://feeds.fortinet.com/~/910912481/0/fortinet/blogs~Deep-Dive-Into-a-Li…
∗∗∗ Wiz Research Identifies Exploitation in the Wild of Aviatrix Controller RCE (CVE-2024-50603) ∗∗∗
---------------------------------------------
The Wiz Incident Response team is currently responding to multiple incidents involving CVE-2024-50603, an Aviatrix Controller unauthenticated RCE vulnerability, that can lead to privileges escalation in the AWS control plane. Organizations should patch urgently.
---------------------------------------------
https://www.wiz.io/blog/wiz-research-identifies-exploitation-in-the-wild-of…
∗∗∗ Analysis of Counter-Ransomware Activities in 2024 ∗∗∗
---------------------------------------------
The scourge of ransomware continues primarily because ofthree main reasons: Ransomware-as-a-Service (RaaS), cryptocurrency, and safe havens.RaaS platforms enable aspiring cybercriminals to join a gang and begin launching attacks with a support system that help extract ransom payments from their victims.Cryptocurrency enables cybercriminals to receive funds ..
---------------------------------------------
https://blog.bushidotoken.net/2025/01/analysis-of-counter-ransomware.html
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (dpdk, firefox, iperf3, thunderbird, and webkit2gtk3), Debian (firefox-esr, gnuchess, node-mocha, openafs, python-django, and thunderbird), Fedora (libxmp, python-jinja2, suricata, thunderbird, and xen), Mageia (avahi, libjxl, opencontainers-runc, radare2, rizin, and tinyproxy), Oracle (cups, dpdk, firefox, iperf3, ..
---------------------------------------------
https://lwn.net/Articles/1004962/
∗∗∗ MISP 2.4.203 and 2.5.5 released including new features, improvements and many security improvements. ∗∗∗
---------------------------------------------
We are thrilled to announce the release of MISP v2.4.203 and MISP v2.5.5, bringing a range of new features, improvements, and fixes to enhance the platforms performance, usability, and security. These updates reflect our ongoing commitment to providing a robust and reliable open-source ..
---------------------------------------------
https://github.com/MISP/MISP/releases/tag/v2.4.203
∗∗∗ Security Vulnerabilities fixed in Firefox for iOS 134 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2025-06/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 09-01-2025 18:00 − Freitag 10-01-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Ongoing attacks on Ivanti VPNs install a ton of sneaky, well-written malware ∗∗∗
---------------------------------------------
In-the-wild attacks tamper with built-in security tool to suppress infection warnings.
---------------------------------------------
https://arstechnica.com/security/2025/01/ivanti-vpn-users-are-getting-hacke…
∗∗∗ Stealthy Credit Card Skimmer Targets WordPress Checkout Pages via Database Injection ∗∗∗
---------------------------------------------
Recently, we released an article where a credit card skimmer was targeting checkout pages on a Magento site. Now we’ve come across sophisticated credit card skimmer malware while investigating a compromised WordPress ..
---------------------------------------------
https://blog.sucuri.net/2025/01/stealthy-credit-card-skimmer-targets-wordpr…
∗∗∗ Sicherheitsupdates: Angreifer können Netzwerkgeräte mit Junos OS crashen lassen ∗∗∗
---------------------------------------------
Netzwerkgeräte wie Switches von Juniper sind verwundbar. Ansatzpunkte sind mehrere Schwachstellen im Betriebssystem Junos OS.
---------------------------------------------
https://www.heise.de/news/Sicherheitsupdates-Angreifer-koennen-Netzwerkgera…
∗∗∗ Meet FunkSec: A New, Surprising Ransomware Group, Powered by AI ∗∗∗
---------------------------------------------
Executive Summary: The FunkSec ransomware group emerged in late 2024 and published over 85 victims in December, surpassing every other ransomware group that month FunkSec operators appear to use AI-assisted malware development, which can enable even inexperienced actors to quickly produce and refine advanced tools The group’s activities straddle the line ..
---------------------------------------------
https://blog.checkpoint.com/research/meet-funksec-a-new-surprising-ransomwa…
∗∗∗ Do we still have to keep doing it like this? ∗∗∗
---------------------------------------------
Hazel gets inspired by watching Wendy Nather’s recent keynote, and explores ways to challenge security assumptions.
---------------------------------------------
https://blog.talosintelligence.com/do-we-still-have-to-keep-doing-it-like-t…
∗∗∗ How Cracks and Installers Bring Malware to Your Device ∗∗∗
---------------------------------------------
Our research shows how attackers use platforms like YouTube to spread fake installers via trusted hosting services, employing encryption to evade detection and steal sensitive browser data.
---------------------------------------------
https://www.trendmicro.com/en_us/research/25/a/how-cracks-and-installers-br…
∗∗∗ Banshee Stealer Hits macOS Users via Fake GitHub Repositories ∗∗∗
---------------------------------------------
Cybersecurity researchers at Check Point detected a new version of Banshee Stealer in late September 2024, distributed ..
---------------------------------------------
https://hackread.com/banshee-stealer-hits-macos-fake-github-repositories/
∗∗∗ Do Secure-By-Design Pledges Come With Stickers? - Ivanti Connect Secure RCE (CVE-2025-0282) ∗∗∗
---------------------------------------------
Did you have a good break? Have you had a chance to breathe? Wake up. It’s 2025, and the chaos continues. Haha, see what we did? We wrote the exact same thing in 2024 because 2024 was exactly ..
---------------------------------------------
https://labs.watchtowr.com/do-secure-by-design-pledges-come-with-stickers-i…
∗∗∗ How to secure your GitHub Actions workflows with CodeQL ∗∗∗
---------------------------------------------
In the last few months, we secured 75+ GitHub Actions workflows in open source projects, disclosing 90+ different vulnerabilities. Out of this research we produced new support for workflows in CodeQL, empowering ..
---------------------------------------------
https://github.blog/security/application-security/how-to-secure-your-github…
=====================
= Vulnerabilities =
=====================
∗∗∗ ZDI-25-010: Redis Stack Lua Use-After-Free Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Redis Stack. Authentication is required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.2. The following CVEs are assigned: CVE-2024-46981.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-010/
∗∗∗ ZDI-25-009: Redis Stack RedisBloom Integer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Redis Stack. Authentication is required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 8.8. The following CVEs are assigned: CVE-2024-55656.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-009/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 08-01-2025 18:00 − Donnerstag 09-01-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Here’s how hucksters are manipulating Google to promote shady Chrome extensions ∗∗∗
---------------------------------------------
How do you stash 18,000 keywords into a description? Turns out its easy.
---------------------------------------------
https://arstechnica.com/security/2025/01/googles-chrome-web-store-has-a-ser…
∗∗∗ Unpatched critical flaws impact Fancy Product Designer WordPress plugin ∗∗∗
---------------------------------------------
Premium WordPress plugin Fancy Product Designer from Radykal is vulnerable to two critical severity flaws that remain unfixed in the current latest version.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/unpatched-critical-flaws-imp…
∗∗∗ Beyond Meh-trics: Examining How CTI Programs Demonstrate Value Using Metrics ∗∗∗
---------------------------------------------
A blog about developing cyber threat intelligence (CTI) metrics.
---------------------------------------------
https://www.sans.org/blog/beyond-meh-trics-examining-how-cti-programs-demon…
∗∗∗ The State of Magecart: A Persistent Threat to E-Commerce Security ∗∗∗
---------------------------------------------
Trustwave SpiderLabs first blogged about Magecart back in 2019; fast forward five years and it is still here going strong.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-state-o…
∗∗∗ Mitel 0-day, 5-year-old Oracle RCE bug under active exploit ∗∗∗
---------------------------------------------
3 CVEs added to CISAs catalog Cybercriminals are actively exploiting two vulnerabilities in Mitel MiCollab, including a zero-day flaw – and a critical remote code execution vulnerability in Oracle WebLogic Server that has been abused for at least five years.
---------------------------------------------
https://www.theregister.com/2025/01/08/mitel_0_day_oracle_rce_under_exploit/
∗∗∗ Japanese police claim China ran five-year cyberattack campaign targeting local orgs ∗∗∗
---------------------------------------------
‘MirrorFace’ group found ways to run malware in the Windows sandbox, which is worrying Japan’s National Police Agency and Center of Incident Readiness and Strategy for Cybersecurity have confirmed third party reports of attacks on local orgs by publishing details of a years-long series of attacks attributed to a China-backed source.
---------------------------------------------
https://www.theregister.com/2025/01/09/japan_mirrorface_china_attack/
∗∗∗ Angestellte klickten dreimal so oft auf Phishing-Links ‒ häufig in Suchmaschinen ∗∗∗
---------------------------------------------
Mitarbeiter klicken trotz Schulungen auf Phishing-Links. Laut einer Studie sind sie bei E-Mails sich der Angriffe eher bewusst, bei der Suche im Netz weniger.
---------------------------------------------
https://www.heise.de/news/E-Mails-sind-out-Phishing-verstaerkt-ueber-Suchma…
∗∗∗ New Research: Enhancing Botnet Detection with AI using LLMs and Similarity Search ∗∗∗
---------------------------------------------
As botnets continue to evolve, so do the techniques required to detect them.
---------------------------------------------
https://www.rapid7.com/blog/post/2025/01/08/new-research-enhancing-botnet-d…
∗∗∗ Banshee: The Stealer That “Stole Code” From MacOS XProtect ∗∗∗
---------------------------------------------
As of 2024, approximately 100.4 million people worldwide use macOS, accounting for 15.1% of the global PC market. Of the millions of macOS users, many falsely assume that their systems are inherently secure from malware. This perception stems from macOS’s Unix-based architecture and historically lower market share, ..
---------------------------------------------
https://research.checkpoint.com/2025/banshee-macos-stealer-that-stole-code-…
∗∗∗ Ivanti Connect Secure VPN Targeted in New Zero-Day Exploitation ∗∗∗
---------------------------------------------
On Wednesday, Jan. 8, 2025, Ivanti disclosed two vulnerabilities, CVE-2025-0282 and CVE-2025-0283, impacting Ivanti Connect Secure (“ICS”) VPN appliances. Mandiant has identified zero-day exploitation of CVE-2025-0282 in the wild beginning mid-December 2024. CVE-2025-0282 is an unauthenticated stack-based buffer overflow. Successful exploitation could result in unauthenticated remote code execution, leading to potential downstream compromise of a victim network.
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/ivanti-connect-sec…
∗∗∗ Angeblich Datenleck bei Datensammler Gravy Analytics ∗∗∗
---------------------------------------------
Im Darknet behaupten Kriminelle, Daten vom Positionsdatensammler Gravy Analytics erbeutet zu haben. Sorge um die Privatsphäre macht sich breit.
---------------------------------------------
https://heise.de/-10233802
=====================
= Vulnerabilities =
=====================
∗∗∗ ZDI-25-008: Trend Micro Deep Security Agent Incorrect Permissions Local Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-008/
∗∗∗ ZDI-25-007: Trend Micro Apex One widget getWidgetPoolManager Local File Inclusion Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-007/
∗∗∗ ZDI-25-006: Trend Micro Apex One LogServer Link Following Local Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-006/
∗∗∗ ZDI-25-005: Trend Micro Apex One LogServer Link Following Local Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-005/
∗∗∗ ZDI-25-004: Trend Micro Apex One Origin Validation Error Local Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-004/
∗∗∗ ZDI-25-003: Trend Micro Apex One Security Agent Link Following Local Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-003/
∗∗∗ ZDI-25-002: Trend Micro Apex One LogServer Link Following Local Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-002/
∗∗∗ ZDI-25-001: Trend Micro Apex One Damage Cleanup Engine Link Following Local Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-25-001/
∗∗∗ 2025-01 Security Bulletin: Junos Space: Multiple vulnerabilities resolved in 24.1R2 release ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2025-01-Security-Bulletin-Junos…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 07-01-2025 18:00 − Mittwoch 08-01-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ How initial access brokers (IABs) sell your users’ credentials ∗∗∗
---------------------------------------------
Initial Access Brokers (IABs) are specialized cybercriminals that break into corporate networks and sell stolen access to other attackers. Learn from Specops Software about how IABs operate and how businesses can protect themselves.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/how-initial-access-brokers-i…
∗∗∗ Wegen Sicherheitslücken: Ärzteschaft empfiehlt Widerspruch zu ePA für alle ∗∗∗
---------------------------------------------
Kurz vor dem Start der ePA für alle ist die Verunsicherung groß. Die Ärzte sehen noch "große Einfallstore" für Hacker.
---------------------------------------------
https://www.golem.de/news/wegen-sicherheitsluecken-aerzteschaft-empfiehlt-w…
∗∗∗ FCC Launches Cyber Trust Mark for IoT Devices to Certify Security Compliance ∗∗∗
---------------------------------------------
The U.S. government on Tuesday announced the launch of the U.S. Cyber Trust Mark, a new cybersecurity safety label for Internet-of-Things (IoT) consumer devices."IoT products can be susceptible to a range of security vulnerabilities," the U.S. Federal ..
---------------------------------------------
https://thehackernews.com/2025/01/fcc-launches-cyber-trust-mark-for-iot.html
∗∗∗ Mirai Botnet Variant Exploits Four-Faith Router Vulnerability for DDoS Attacks ∗∗∗
---------------------------------------------
A Mirai botnet variant has been found exploiting a newly disclosed security flaw impacting Four-Faith industrial routers since early November 2024 with the goal of conducting distributed denial-of-service (DDoS) attacks.The botnet maintains ..
---------------------------------------------
https://thehackernews.com/2025/01/mirai-botnet-variant-exploits-four.html
∗∗∗ Researchers Expose NonEuclid RAT Using UAC Bypass and AMSI Evasion Techniques ∗∗∗
---------------------------------------------
Cybersecurity researchers have shed light on a new remote access trojan called NonEuclid that allows bad actors to remotely control compromised Windows systems."The NonEuclid remote access trojan (RAT), developed in C#, is a highly sophisticated ..
---------------------------------------------
https://thehackernews.com/2025/01/researchers-expose-noneuclid-rat-using.ht…
∗∗∗ US-Sicherheitsbehörde warnt vor Attacken auf MiCollab und WebLogic Server ∗∗∗
---------------------------------------------
Admins sollten ihre Systeme mit Mitel- und Oracle-Software gegen derzeit laufende Angriffe rüsten.
---------------------------------------------
https://www.heise.de/news/US-Sicherheitsbehoerde-warnt-vor-Attacken-auf-MiC…
∗∗∗ Forscher: KI sorgt für effektiveres Phishing ∗∗∗
---------------------------------------------
Wie wirksam ist per LLM automatisch erzeugtes Phishing? Es ist gleichauf mit menschlich erzeugtem Spear-Phishing, sagen Forscher.
---------------------------------------------
https://www.heise.de/news/Forscher-KI-sorgt-fuer-effektiveres-Phishing-1023…
∗∗∗ A Day in the Life of a Prolific Voice Phishing Crew ∗∗∗
---------------------------------------------
Besieged by scammers seeking to phish user accounts over the telephone, Apple and Google frequently caution that they will never reach out unbidden to users this way. However, new details about the internal operations of a prolific voice phishing gang show the group routinely abuses legitimate services at Apple and Google to force a variety of outbound ..
---------------------------------------------
https://krebsonsecurity.com/2025/01/a-day-in-the-life-of-a-prolific-voice-p…
∗∗∗ Vorsicht vor versteckten Kosten auf finelo.com und coursiv.io ∗∗∗
---------------------------------------------
Die Aussicht auf finanziellen Aufstieg lockt viele Menschen auf Plattformen wie finelo.com und coursive.io, die von der IT-Firma zimran.io betrieben werden. Beide Plattformen werben mit großen Versprechungen: Während finelo.com den Nutzer:innen beibringen möchte, clever zu investieren, zielt coursiv.io darauf ab, berufliche Fähigkeiten mithilfe künstlicher ..
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-versteckten-kosten-auf-…
∗∗∗ Drupal 7 End of Life - PSA-2025-01-06 ∗∗∗
---------------------------------------------
Drupal core version 7 has reached end of life, and is no longer community supported on Drupal.org. This means that new releases of Drupal 7 core and contributed projects will no longer happen on Drupal.org and community support is no longer provided. What this means for you:Any vulnerabilities that impact Drupal 7 may be released and ..
---------------------------------------------
https://www.drupal.org/psa-2025-01-06
∗∗∗ Russian internet provider confirms its network was ‘destroyed’ following attack claimed by Ukrainian hackers ∗∗∗
---------------------------------------------
In a statement on the Russian social media platform VKontakte, the St. Petersburg-based company said the “planned” attack “destroyed” its infrastructure overnight. Nodex added that it was working to restore systems from backups but could not provide a timeline for when operations would fully resume.
---------------------------------------------
https://therecord.media/russian-internet-provider-says-network-destroyed-cy…
∗∗∗ Scammers Impersonate Authorities to Swipe OTPs with Remote Access Apps ∗∗∗
---------------------------------------------
SUMMARY Cybersecurity researchers at Group-IB have discovered a sophisticated refund scam where scammers are using remote access tools.
---------------------------------------------
https://hackread.com/scammers-impersonate-swipe-otps-remote-access-apps/
∗∗∗ Backdooring Your Backdoors - Another $20 Domain, More Governments ∗∗∗
---------------------------------------------
After the excitement of our .MOBI research, we were left twiddling our thumbs. As you may recall, in 2024, we demonstrated the impact of an unregistered domain when we subverted the TLS/SSL CA process for verifying domain ownership to give ourselves ..
---------------------------------------------
https://labs.watchtowr.com/more-governments-backdoors-in-your-backdoors/
∗∗∗ Solving NIST Password Complexities: Guidance From a GRC Perspective ∗∗∗
---------------------------------------------
Not another password change! Isn’t one (1) extra-long password enough? As a former Incident Response, Identity and Access Control, and Education and Awareness guru, I can attest ..
---------------------------------------------
https://trustedsec.com/blog/solving-nist-password-complexities-guidance-fro…
∗∗∗ How We Cracked a 512-Bit DKIM Key for Less Than $8 in the Cloud ∗∗∗
---------------------------------------------
In our study on the SPF, DKIM, and DMARC records of the top 1M websites, we were surprised to uncover more than 1,700 public DKIM keys that were shorter than 1,024 bits in length. This finding was unexpected, as RSA keys shorter than 1,024 bits are considered insecure, and their use in DKIM has been deprecated since the introduction of RFC 8301 in 2018.
---------------------------------------------
https://dmarcchecker.app/articles/crack-512-bit-dkim-rsa-key
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco Common Services Platform Collector Cross-Site Scripting Vulnerabilities ∗∗∗
---------------------------------------------
Multiple vulnerabilities in the web-based management interface of Cisco Common Services Platform Collector (CSPC) could allow an authenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface.These vulnerabilities are due to insufficient validation of user-supplied input by the web-based management interface ..
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Crosswork Network Controller Stored Cross-Site Scripting Vulnerabilities ∗∗∗
---------------------------------------------
Multiple vulnerabilities in the web-based management interface of Cisco Crosswork Network Controller could allow an authenticated, remote attacker to conduct cross-site scripting (XSS) attacks against users of the interface of an affected system. These vulnerabilities exist because the web-based management interface does not properly validate user-supplied ..
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (firefox, mupdf, and php-tcpdf), SUSE (etcd, file-roller, gtk3, kernel, python-django-ckeditor, rubygem-json-jwt, and tomcat10), and Ubuntu (ffmpeg, HTMLDOC, linux-aws, linux-raspi, linux-gke, linux-hwe-6.8, linux-lowlatency, linux-lowlatency-hwe-6.8, and tinyproxy).
---------------------------------------------
https://lwn.net/Articles/1004428/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 03-01-2025 18:00 − Dienstag 07-01-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Windows 10 users urged to upgrade to avoid "security fiasco" ∗∗∗
---------------------------------------------
Cybersecurity firm ESET is urging Windows 10 users to upgrade to Windows 11 or Linux to avoid a "security fiasco" as the 10-year-old operating system nears the end of support in October 2025.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/windows-10-users-urged-to-u…
∗∗∗ Cryptocurrency wallet drainers stole $494 million in 2024 ∗∗∗
---------------------------------------------
Scammers stole $494 million worth of cryptocurrency in wallet drainer attacks last year that targeted more than 300,000 wallet addresses.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cryptocurrency-wallet-draine…
∗∗∗ Chinese hackers also breached Charter and Windstream networks ∗∗∗
---------------------------------------------
More U.S. companies have been added to the list of telecommunications firms hacked in a wave of breaches by a Chinese state-backed threat group tracked as Salt Typhoon.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/charter-and-windstream-among…
∗∗∗ Trotz starker Kritik: Umstrittene UN-Cybercrime-Konvention verabschiedet ∗∗∗
---------------------------------------------
Netzaktivisten haben vergeblich vor der Verabschiedung der Konvention gewarnt. Es droht der Zugriff auf digitale Beweismittel durch autoritäre Staaten.
---------------------------------------------
https://www.golem.de/news/trotz-starker-kritik-umstrittene-un-cybercrime-ko…
∗∗∗ After Chinas Salt Typhoon, the reconstruction starts now ∗∗∗
---------------------------------------------
If 40 years of faulty building gets blown down, don’t rebuild with the rubble Opinion When a typhoon devastates a land, it takes a while to understand the scale of the destruction. Disaster relief kicks in, communications rebuilt, and news flows out. Salt Typhoon is ..
---------------------------------------------
https://www.theregister.com/2025/01/06/opinion_column_cybersec/
∗∗∗ MediaTek rings in the new year with a parade of chipset vulns ∗∗∗
---------------------------------------------
Manufacturers should have had ample time to apply the fixes MediaTek kicked off the first full working week of the new year by disclosing a bevy of security vulnerabilities, including a critical remote code execution bug affecting 51 chipsets.
---------------------------------------------
https://www.theregister.com/2025/01/06/mediatek_chipset_vulnerabilities/
∗∗∗ Patchday: Wichtige Sicherheitsupdates schützen Android-Geräte ∗∗∗
---------------------------------------------
Google und weitere Hersteller von Android-Geräte haben mehrere kritische Lücken in verschiedenen Android-Versionen geschlossen.
---------------------------------------------
https://www.heise.de/news/Patchday-Schadcode-Luecken-bedrohen-Android-12-13…
∗∗∗ Schwerwiegende Sicherheitslücken in Sonicwall SSL-VPN - aktiv ausgenutzt ∗∗∗
---------------------------------------------
Der Hersteller Sonicwall hat seine Kunden darüber informiert, dass einige Geräte von Sicherheitslücken betroffen sind. Besonders hervorzuheben ist dabei eine bereits angegriffenen Lücke bei denen Angreifer:innen die Authentifizierung ..
---------------------------------------------
https://www.cert.at/de/warnungen/2025/1/schwewiegende-sicherheitslucken-in-…
∗∗∗ UN aviation agency actively investigating cybercriminal’s claimed data breach ∗∗∗
---------------------------------------------
The International Civil Aviation Organization (ICAO) said it was responding to claims of a data breach “allegedly linked to a threat actor known for targeting international organizations.”
---------------------------------------------
https://therecord.media/united-nations-icao-investigating-data-breach
∗∗∗ Critical Next.js Authorization Bypass Vulnerability ∗∗∗
---------------------------------------------
This specifically affects pages directly under the application’s root directory. Example:[Not affected] hxxps[://]example[.]com[Affected] hxxps[://]example[.]com/foo[Not affected] hxxps[://]example[.]com/foo/bar Successful exploitation of this vulnerability, allows a remote unauthenticated ..
---------------------------------------------
https://www.truesec.com/hub/blog/critical-next-js-authorization-bypass-vuln…
∗∗∗ Achtung: Angeblich geleakter GTA San Andreas Source-Code mit Schadsoftware ∗∗∗
---------------------------------------------
Aktuell wird angeblich der Quellcode des Rockstar Games Spiels GTA San Andreas im Internet zum Download angeboten. Erste Hinweise scheinen seit gestern im Internet aufgetaucht zu sein (siehe z.B. den Artikel Rockstar reportedly faces another ..
---------------------------------------------
https://www.borncity.com/blog/2025/01/06/achtung-angeblich-geleakter-gta-sa…
∗∗∗ New PhishWP Plugin on Russian Forum Turns Sites into Phishing Pages ∗∗∗
---------------------------------------------
SlashNext has discovered a malicious WordPress plugin, PhishWP, which creates convincing fake payment pages to steal your credit card information, 3DS codes, and personal data.
---------------------------------------------
https://hackread.com/phishwp-plugin-russian-hacker-forum-phishing-sites/
∗∗∗ U.S. Sanctions Chinese Cybersecurity Firm Over Cyberattacks ∗∗∗
---------------------------------------------
US sanctions Beijing-based Integrity Technology Group for aiding “Flax Typhoon” hackers in cyberattacks on American infrastructure, freezing assets…
---------------------------------------------
https://hackread.com/us-sanctions-chinese-cybersecurity-firm-cyberattacks/
∗∗∗ CVE-2024-4577: Windows Encoding Gone Wrong ∗∗∗
---------------------------------------------
CVE-2024-4577 is a critical vulnerability in Windows-based PHP installations, affecting CGI configurations, that allow remote code execution.
---------------------------------------------
https://www.bitsight.com/blog/cve-2024-4577-windows-encoding-gone-wrong
∗∗∗ Weaponizing OAST: How Malicious Packages Exploit npm, PyPI, and RubyGems for Data Exfiltration and Recon ∗∗∗
---------------------------------------------
Socket researchers uncover how threat actors weaponize Out-of-Band Application Security Testing (OAST) techniques across the npm, PyPI, and RubyGems ecosystems to exfiltrate sensitive data and remotely probe developer environments.Over the last year, Socket’s threat research team has continually observed and identified malicious JavaScript, Python, and Ruby packages ..
---------------------------------------------
https://socket.dev/blog/weaponizing-oast-how-malicious-packages-exploit-npm…
=====================
= Vulnerabilities =
=====================
∗∗∗ [20250103] - Core - Read ACL violation in multiple core views ∗∗∗
---------------------------------------------
Project: Joomla! SubProject: CMS Impact: Low Severity: Moderate Probability: Low Versions: 3.9.0-3.10.19-elts, 4.0.0-4.4.9, 5.0.0-5.2.2 Exploit type: ACL Violation Reported Date: 2024-08-26 Fixed Date: 2025-01-07 CVE Number: CVE-2024-40749 Description Improper Access Controls allows access to protected views. Affected Installs Joomla! CMS versions 3.9.0-3.10.19-elts, 4.0.0-4.4.9, 5.0.0-5.2.2 Solution Upgrade to version 3.10.20-elts, 4.4.10 or 5.2.3 Contact The JSST at the Joomla! Security
---------------------------------------------
https://developer.joomla.org:443/security-centre/956-20250103-core-read-acl…
∗∗∗ [20250102] - Core - XSS vector in the id attribute of menu lists ∗∗∗
---------------------------------------------
Project: Joomla! SubProject: CMS Impact: Low Severity: Moderate Probability: Low Versions: 3.0.0-3.10.19-elts, 4.0.0-4.4.9, 5.0.0-5.2.2 Exploit type: XSS Reported Date: 2024-09-19 Fixed Date: 2025-01-07 CVE Number: CVE-2024-40748 Description Lack of output escaping in the id attribute of menu lists. Affected Installs Joomla! CMS versions 3.0.0-3.10.19-elts, 4.0.0-4.4.9, 5.0.0-5.2.2 Solution Upgrade to version 3.10.20-elts, 4.4.10 or 5.2.3 Contact The JSST at the Joomla! Security Centre.
---------------------------------------------
https://developer.joomla.org:443/security-centre/955-20250102-core-xss-vect…
∗∗∗ [20250101] - Core - XSS vectors in module chromes ∗∗∗
---------------------------------------------
Project: Joomla! SubProject: CMS Impact: Low Severity: Moderate Probability: Low Versions: 4.0.0-4.4.9, 5.0.0-5.2.2 Exploit type: XSS Reported Date: 2024-08-29 Fixed Date: 2025-01-07 CVE Number: CVE-2024-40747 Description Various module chromes didnt properly process inputs, leading to XSS vectors. Affected Installs Joomla! CMS versions 4.0.0-4.4.9, 5.0.0-5.2.2 Solution Upgrade to version 4.4.10 or 5.2.3 Contact The JSST at the Joomla! Security Centre. Reported By: Catalin Iovita
---------------------------------------------
https://developer.joomla.org:443/security-centre/954-20250101-core-xss-vect…
∗∗∗ Security Vulnerabilities fixed in Firefox ESR 115.19 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2025-03/
∗∗∗ Security Vulnerabilities fixed in Firefox ESR 128.6 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2025-02/
∗∗∗ Security Vulnerabilities fixed in Firefox 134 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2025-01/
∗∗∗ Upcoming CVE for End-of-Life Node.js Versions ∗∗∗
---------------------------------------------
https://nodejs.org/en/blog/vulnerability/upcoming-cve-for-eol-versions
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 02-01-2025 18:00 − Freitag 03-01-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ SwaetRAT Delivery Through Python ∗∗∗
---------------------------------------------
We entered a new year, but attack scenarios have not changed (yet). I found a Python script with an interesting behavior[1] and a low Virustotal score (7/61). It targets Microsoft Windows hosts because it starts by loading all ..
---------------------------------------------
https://isc.sans.edu/forums/diary/SwaetRAT+Delivery+Through+Python/31554/
∗∗∗ 3,1 Millionen bösartige Fake-Sterne auf GitHub entdeckt – Tendenz steigend ∗∗∗
---------------------------------------------
In einer umfassenden Studie ist ein US-Forschungsteam auf Millionen Fake-Sterne bei GitHub gestoßen und warnt vor einem rasant steigenden Trend.
---------------------------------------------
https://www.heise.de/news/3-1-Millionen-boesartige-Fake-Sterne-auf-GitHub-e…
∗∗∗ Configurations Mega Blog: Why Configurations Are the Wrong Thing to Get Wrong ∗∗∗
---------------------------------------------
So many times, we look beyond the mark. With our feeds constantly inundated with headline-grabbing news about AI-generated threats, nation states upping their cybercrime game, and sophisticated new forms of malware, we can be tempted to think that the bulk of cyberwarfare is going on "up there" somewhere. In reality, most breaches still originate ..
---------------------------------------------
https://www.tripwire.com/state-of-security/configurations-mega-blog-why-con…
∗∗∗ 10 Non-tech things you wish you had done after being breached ∗∗∗
---------------------------------------------
TL;DR Non-tech aspects to breach follow-up are often overlooked but essential NDAs, supply chain, and third party contracts and obligations should be reviewed Reviewing communication protocols and employee ..
---------------------------------------------
https://www.pentestpartners.com/security-blog/10-non-tech-things-you-wish-y…
∗∗∗ Von Social Media bis App: So sind Sie Kriminellen einen Schritt voraus ∗∗∗
---------------------------------------------
Internetbetrug wird immer raffinierter und kann jeden Menschen treffen. Deshalb ist es wichtig, auf dem Laufenden zu bleiben und die aktuellen Betrugsmaschen zu kennen. Vom klassischen Newsletter über ..
---------------------------------------------
https://www.watchlist-internet.at/news/unsere-kanaele/
∗∗∗ NPM Package Disguised as an Ethereum Tool Deploys Quasar RAT ∗∗∗
---------------------------------------------
Researchers discovered a malicious package on the npm package registry that resembles a library for Ethereum smart contract vulnerabilities but actually drops an open-source remote access trojan called Quasar ..
---------------------------------------------
https://hackread.com/npm-package-disguised-ethereum-tool-quasar-rat/
∗∗∗ Schädliche Versionen von zahlreichen Chrome-Erweiterungen in Umlauf ∗∗∗
---------------------------------------------
Über die Weihnachtstage verschafften sich die Täter Zugriff auf diverse Chrome-Extensions – in einigen Fällen sogar schon deutlich früher.
---------------------------------------------
https://heise.de/-10224745
∗∗∗ Breaking the Chain: Wiz Uncovers a Signature Verification Bypass in Nuclei, the Popular Vulnerability Scanner (CVE-2024-43405) ∗∗∗
---------------------------------------------
Wiz’s engineering team discovered a high-severity signature verification bypass in Nuclei, one of the most popular open-source security tools, which could potentially lead to arbitrary code execution.
---------------------------------------------
https://www.wiz.io/blog/nuclei-signature-verification-bypass
∗∗∗ Malicious npm Campaign Targets Ethereum Developers with Fake Hardhat Packages ∗∗∗
---------------------------------------------
Hardhat, maintained by the Nomic Foundation, is a vital tool for Ethereum developers. As a versatile development environment for Ethereum, it streamlines the creation, testing, and deployment of smart contracts and dApps. Its flexible plugin architecture allows developers to customize workflows with tools and extensions, optimizing productivity and supporting ..
---------------------------------------------
https://socket.dev/blog/malicious-npm-campaign-targets-ethereum-developers
=====================
= Vulnerabilities =
=====================
∗∗∗ iTerm2 3.5.11 released with a critical security fix ∗∗∗
---------------------------------------------
https://iterm2.com/downloads/stable/iTerm2-3_5_11.changelog
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 30-12-2024 18:00 − Donnerstag 02-01-2025 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Cyberangriff: Hacker wollen Daten von IT-Dienstleister Atos erbeutet haben ∗∗∗
---------------------------------------------
Die Angreifer behaupten, im Besitz einer Firmendatenbank von Atos zu sein. Der IT-Dienstleister findet bisher keine Beweise für einen Angriff.
---------------------------------------------
https://www.golem.de/news/cyberangriff-hacker-wollen-daten-von-it-dienstlei…
∗∗∗ Supportende naht: Forscher warnt vor Security-Fiasko durch Windows 10 ∗∗∗
---------------------------------------------
Rund zwei Drittel aller Windows-PCs in Deutschland arbeiten noch mit Windows 10. Es besteht dringender Handlungsbedarf - nicht erst im Oktober dieses Jahres.
---------------------------------------------
https://www.golem.de/news/supportende-naht-forscher-warnt-vor-security-fias…
∗∗∗ Chinas cyber intrusions took a sinister turn in 2024 ∗∗∗
---------------------------------------------
>From targeted espionage to pre-positioning - not that they are mutually exclusive The Chinese governments intrusions into Americas telecommunications and other critical infrastructure networks this year appears to signal a shift from cyberspying as usual to prepping for destructive attacks.
---------------------------------------------
https://www.theregister.com/2024/12/31/china_cyber_intrusions_2024/
∗∗∗ US Treasury Department outs the blast radius of BeyondTrusts key leak ∗∗∗
---------------------------------------------
Data pilfered as miscreants roamed affected workstations The US Department of the Treasury has admitted that miscreants were in its systems, accessing documents in what has been called a "major incident."
---------------------------------------------
https://www.theregister.com/2024/12/31/us_treasury_department_hacked/
∗∗∗ "Die perfekte Phishing-Mail": Mit KI-Textgeneratoren gegen Führungskräfte ∗∗∗
---------------------------------------------
KI-Technik ermöglicht es Kriminellen, hochpersonalisierte Phishing-Mails an Führungskräfte zu schicken, warnt ein Versicherer. Trainingsmaterial gibt es online.
---------------------------------------------
https://www.heise.de/news/Die-perfekte-Phishing-Mail-Mit-KI-Textgeneratoren…
∗∗∗ U.S. Army Soldier Arrested in AT&T, Verizon Extortions ∗∗∗
---------------------------------------------
Federal authorities have arrested and indicted a 20-year-old U.S. Army soldier on suspicion of being Kiberphant0m, a cybercriminal who has been selling and leaking sensitive customer call records stolen earlier this year from AT&T and ..
---------------------------------------------
https://krebsonsecurity.com/2024/12/u-s-army-soldier-arrested-in-att-verizo…
∗∗∗ Vorsicht vor betrügerischen E-Mails zur Rückerstattung von ORF-Gebühren ∗∗∗
---------------------------------------------
Derzeit finden zahlreiche Personen ein E-Mail in ihrem Postfach, in dem behauptet wird, dass sie Anspruch auf eine Rückerstattung von ORF-Gebühren in Höhe von 34,40 Euro haben. Achtung: Es handelt sich dabei um einen Phishing-Versuch, der darauf abzielt, Kontodaten zu stehlen.
---------------------------------------------
https://www.watchlist-internet.at/news/betruegerisches-orf-rueckerstattung-…
∗∗∗ Bad Likert Judge: A Novel Multi-Turn Technique to Jailbreak LLMs by Misusing Their Evaluation Capability ∗∗∗
---------------------------------------------
The jailbreak technique "Bad Likert Judge" manipulates LLMs to generate harmful content using Likert scales, exposing safety gaps in LLM guardrails.
---------------------------------------------
https://unit42.paloaltonetworks.com/multi-turn-technique-jailbreaks-llms/
∗∗∗ DORA Regulation (Digital Operational Resilience Act): A Threat Intelligence Perspective ∗∗∗
---------------------------------------------
The Digital Operational Resilience Act (DORA) is coming in 2025.
---------------------------------------------
https://www.team-cymru.com/post/dora-regulation-digital-operational-resilie…
∗∗∗ Passkey technology is elegant, but it’s most definitely not usable security ∗∗∗
---------------------------------------------
It's that time again, when families and friends gather and implore the more technically inclined among them to troubleshoot problems they're having behind the device screens all around them. One of the most vexing ..
---------------------------------------------
https://arstechnica.com/security/2024/12/passkey-technology-is-elegant-but-…
∗∗∗ I’m Lovin’ It: Exploiting McDonald’s APIs to hijack deliveries and order food for a penny ∗∗∗
---------------------------------------------
API flaws in the McDonald’s McDelivery system in India, one of the world’s most popular food delivery apps, enabled a variety of fun exploits ..
---------------------------------------------
https://eaton-works.com/2024/12/19/mcdelivery-india-hack/
∗∗∗ Déjà vu: Ghostly CVEs in my terminal title ∗∗∗
---------------------------------------------
As I've spoken and written about all modern terminals are actually "emulating" something dating from the ..
---------------------------------------------
https://dgl.cx/2024/12/ghostty-terminal-title
=====================
= Vulnerabilities =
=====================
∗∗∗ ZDI-24-1737: Foxit PDF Reader AcroForm Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-24-1737/
∗∗∗ ZDI-24-1736: (0Day) Paessler PRTG Network Monitor SNMP Cross-Site Scripting Authentication Bypass Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-24-1736/
∗∗∗ ZDI-24-1739: Foxit PDF Reader Link Following Local Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-24-1739/
∗∗∗ ZDI-24-1738: Foxit PDF Reader AcroForm Memory Corruption Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-24-1738/
∗∗∗ PAN-OS Firewall Denial of Service (DoS) Vulnerability ∗∗∗
---------------------------------------------
https://fortiguard.fortinet.com/threat-signal-report/5610
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 27-12-2024 18:00 − Montag 30-12-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Customer data from 800,000 electric cars and owners exposed online ∗∗∗
---------------------------------------------
Volkswagens automotive software company, Cariad, exposed data collected from around 800,000 electric cars. The info could be linked to drivers names and reveal precise vehicle locations.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/customer-data-from-800-000-e…
∗∗∗ Malware botnets exploit outdated D-Link routers in recent attacks ∗∗∗
---------------------------------------------
Two botnets tracked as Ficora and Capsaicin have recorded increased activity in targeting D-Link routers that have reached end of life or are running outdated firmware versions.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/malware-botnets-exploit-outd…
∗∗∗ Hackerangriff auf Flughäfen von Mailand ∗∗∗
---------------------------------------------
Eine prorussische Hackergruppe bekannte sich zu dem Cyberangriff. Der Flugbetrieb war nicht gefährdet.
---------------------------------------------
https://futurezone.at/digital-life/hackerangriff-auf-flughaefen-von-mailand…
∗∗∗ Bundestagswahlen: Wahlsoftware immer noch unsicher ∗∗∗
---------------------------------------------
Seit Jahren fordert der CCC eine transparente Wahlsoftware. Wie sinnvoll das wäre, zeigt die Analyse eines weit verbreiteten Tools. Ein Bericht von Friedhelm Greis.
---------------------------------------------
https://www.golem.de/news/bundestagswahlen-wahlsoftware-immer-noch-unsicher…
∗∗∗ Rundsteuerempfänger gehackt: Lässt sich über Funksignale ein Blackout herbeiführen? ∗∗∗
---------------------------------------------
Zwei Sicherheitsforscher haben die Protokolle für funkbasierte Rundsteuerempfänger entschlüsselt. Doch es ist strittig, in welchem Umfang sich manipulierte Signale missbrauchen lassen. Ein Bericht von Friedhelm Greis.
---------------------------------------------
https://www.golem.de/news/rundsteuerempfaenger-gehackt-laesst-sich-ueber-fu…
∗∗∗ Prioritizing patching: A deep dive into frameworks and tools – Part 2: Alternative frameworks ∗∗∗
---------------------------------------------
In the second of a two-part series on tools and frameworks designed to help with remediation prioritization, we explore some alternatives to CVSS
---------------------------------------------
https://news.sophos.com/en-us/2024/12/30/prioritizing-patching-a-deep-dive-…
∗∗∗ 16 Chrome Extensions Hacked, Exposing Over 600,000 Users to Data Theft ∗∗∗
---------------------------------------------
A new attack campaign has targeted known Chrome browser extensions, leading to at least 16 extensions being compromised and exposing over 600,000 users to data exposure and credential theft.The attack targeted publishers of browser extensions on the Chrome Web Store via a phishing campaign and used their access permissions to insert malicious code into legitimate extensions in order to steal
---------------------------------------------
https://thehackernews.com/2024/12/16-chrome-extensions-hacked-exposing.html
∗∗∗ Its only a matter of time before LLMs jump start supply-chain attacks ∗∗∗
---------------------------------------------
The greatest concern is with spear phishing and social engineering Interview Now that criminals have realized theres no need to train their own LLMs for any nefarious purposes - its much cheaper and easier to steal credentials and then jailbreak existing ones - the threat of a large-scale supply chain attack using generative AI becomes more real.
---------------------------------------------
https://www.theregister.com/2024/12/29/llm_supply_chain_attacks/
∗∗∗ 38C3: Große Sicherheitsmängel in elektronischer Patientenakte 3.0 aufgedeckt ∗∗∗
---------------------------------------------
Gravierende Sicherheitslücken müssten bis zum Start der ePA 3.0 noch geschlossen werden. Das demonstrieren Martin Tschirsich und Bianca Kastl auf dem 38C3.
---------------------------------------------
https://www.heise.de/news/38C3-Weitere-Sicherheitsmaengel-in-elektronischer…
∗∗∗ 38C3: BogusBazaar-Bande betreibt noch immer Tausende Fakeshops ∗∗∗
---------------------------------------------
Monate nach der Entdeckung operiert eine chinesische Cyberbande weiterhin unbehelligt, berichten Sicherheitsforscher. Schützenhilfe leisten auch US-Anbieter.
---------------------------------------------
https://www.heise.de/news/38C3-BogusBazaar-Bande-betreibt-noch-immer-Tausen…
∗∗∗ 38C3: BitLocker-Verschlüsselung von Windows 11 umgangen, ohne PC zu öffnen. ∗∗∗
---------------------------------------------
Zwei Jahre nach der vermeintlichen Behebung einer Lücke kann diese weiterhin genutzt werden, um BitLocker-geschützte Festplatten von Windows 11 zu entschlüsseln
---------------------------------------------
https://www.heise.de/news/38C3-BitLocker-Verschluesselung-von-Windows-11-um…
∗∗∗ On the sixth day of Christmas, an X account gave to me: a fake 7-Zip ACE ∗∗∗
---------------------------------------------
An account with the name @NSA_Employee39 claimed to have dropped a zero-day vulnerability for the popular file archive software 7-Zip. Nobody could get it to work.
---------------------------------------------
https://therecord.media/fake-zero-day-7Zip
∗∗∗ Lets Encrypt to end OCSP support in 2025 ∗∗∗
---------------------------------------------
Well, the writing has been on the wall for some years now, arguably over a decade, but the time has finally come where the largest CA in the World is going to drop support for the Online Certificate Status Protocol.What is OCSP?The Online Certificate Status Protocol is a
---------------------------------------------
https://scotthelme.ghost.io/lets-encrypt-to-end-ocsp-support-in-2025/
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (gst-plugins-good1.0 and opensc), Fedora (iwd and libell), and SUSE (chromium, govulncheck-vulndb, and poppler).
---------------------------------------------
https://lwn.net/Articles/1003768/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 23-12-2024 18:00 − Freitag 27-12-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Cybersecurity firms Chrome extension hijacked to steal users data ∗∗∗
---------------------------------------------
One attack was disclosed by Cyberhaven, a data loss prevention company that alerted its customers of a breach on December 24 after a successful phishing attack on an administrator account for the Google Chrome store. Among Cyberhaven's customers are Snowflake, Motorola, Canon, Reddit, AmeriHealth, Cooley, IVP, Navan, DBS, Upstart, and Kirkland & Ellis. [..] Cyberhaven's internal security team removed the malicious package within an hour since its detection, the company says in an email to its customers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cybersecurity-firms-chrome-e…
∗∗∗ Microsoft warnt: Bug könnte Security-Updates verhindern ∗∗∗
---------------------------------------------
Microsoft warnt Nutzer, die ihr System vor Kurzem via CD oder USB-Stick installiert haben. Konkret geht es um Installationsmedien, die das Sicherheitsupdate vom Oktober oder das vom November inkludiert haben. Hier kann es passieren, dass diese Systeme keine weiteren Updates mehr erhalten, wenn sie derzeit auf 24H2 sind.
---------------------------------------------
https://futurezone.at/produkte/microsoft-warnung-bug-security-updates-windo…
∗∗∗ Datenschutzverletzung: Volkwagen-Bewegungsprofile von 800.000 E-Autos offengelegt ∗∗∗
---------------------------------------------
Persönliche Daten und Bewegungsprofile von rund 800.000 VW-E-Auto-Besitzern lagen monatelang öffentlich zugänglich in der Cloud.
---------------------------------------------
https://www.golem.de/news/datenschutzverletzung-volkwagen-bewegungsprofile-…
∗∗∗ Threat landscape for industrial automation systems in Q3 2024 ∗∗∗
---------------------------------------------
The ICS CERT quarterly report covers threat landscape for industrial automation systems in Q3 2024.
---------------------------------------------
https://securelist.com/ics-cert-q3-2024-report/115182/
∗∗∗ More SSH Fun!, (Tue, Dec 24th) ∗∗∗
---------------------------------------------
A few days ago, I wrote a diary about a link file that abused the ssh.exe tool present in modern versions of Microsoft Windows. At the end, I mentioned that I will hunt for more SSH-related files/scripts. Guess what? I already found another one.
---------------------------------------------
https://isc.sans.edu/diary/rss/31542
∗∗∗ Jahresrückblick: Diese Themen beschäftigten uns 2024! ∗∗∗
---------------------------------------------
Wir sagen „DANKE“ und blicken noch einmal zurück auf die Entwicklungen und Geschehnisse des vergangenen Jahres.
---------------------------------------------
https://www.watchlist-internet.at/news/jahresrueckblick-2024/
∗∗∗ ASUS: "Weihnachtsüberraschung" mit christmas.exe schief gegangen ∗∗∗
---------------------------------------------
Anbieter ASUS wollte seine Benutzer überraschen und hat diesen eine besondere Weihnachtskarte mit dem Dateinamen christmas.exe zukommen lassen. Ist natürlich seit Jahren bekannt, dass man aus Sicherheitsgründen keine .exe-Grußkarte mit Weihnachtsgrüßen verschickt.
---------------------------------------------
https://www.borncity.com/blog/2024/12/26/asus-weihnachtsueberraschung-mit-c…
∗∗∗ PMKID Attacks: Debunking the 802.11r Myth ∗∗∗
---------------------------------------------
This article addresses common misconceptions surrounding PMKID-based attacks while offering technical insights into their mechanics and effective countermeasures. The PMKID-based attack, first disclosed in 2018 by the Hashcat team, introduced a novel method of compromising WPA2-protected Wi-Fi networks. Unlike traditional techniques, this approach does not require capturing a full 4-way handshake, instead leveraging a design flaw in the Pairwise Master Key Identifier (PMKID).
---------------------------------------------
https://www.nccgroup.com/us/research-blog/pmkid-attacks-debunking-the-80211…
∗∗∗ From Arbitrary File Write to RCE in Restricted Rails apps ∗∗∗
---------------------------------------------
Introduction Recently, we came across a situation where we needed to exploit an arbitrary file write vulnerability in a Rails application running in a restricted environment. The application was deployed via a Dockerfile that imposed...O post From Arbitrary File Write to RCE in Restricted Rails apps apareceu primeiro em Conviso AppSec.
---------------------------------------------
https://blog.convisoappsec.com/en/from-arbitrary-file-write-to-rce-in-restr…
=====================
= Vulnerabilities =
=====================
∗∗∗ Palo Alto: CVE-2024-3393 PAN-OS: Firewall Denial of Service (DoS) in DNS Security Using a Specially Crafted Packet (Severity: HIGH) ∗∗∗
---------------------------------------------
A Denial of Service vulnerability in the DNS Security feature of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to send a malicious packet through the data plane of the firewall that reboots the firewall. Repeated attempts to trigger this condition will cause the firewall to enter maintenance mode.
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2024-3393
∗∗∗ Apache Tomcat Vulnerability CVE-2024-56337 Exposes Servers to RCE Attacks ∗∗∗
---------------------------------------------
The Apache Software Foundation (ASF) has released a security update to address an important vulnerability in its Tomcat server software that could result in remote code execution (RCE) under certain conditions. The vulnerability, tracked as CVE-2024-56337, has been described as an incomplete mitigation for CVE-2024-50379 (CVSS score: 9.8), another critical security flaw in the same product that was previously addressed on December 17, 2024.
---------------------------------------------
https://thehackernews.com/2024/12/apache-tomcat-vulnerability-cve-2024.html
∗∗∗ Critical SQL Injection Vulnerability in Apache Traffic Control Rated 9.9 CVSS — Patch Now ∗∗∗
---------------------------------------------
The Apache Software Foundation (ASF) has shipped security updates to address a critical security flaw in Traffic Control that, if successfully exploited, could allow an attacker to execute arbitrary Structured Query Language (SQL) commands in the database. The SQL injection vulnerability, tracked as CVE-2024-45387, is rated 9.9 out of 10.0 on the CVSS scoring system.
---------------------------------------------
https://thehackernews.com/2024/12/critical-sql-injection-vulnerability-in.h…
∗∗∗ Apache MINA CVE-2024-52046: CVSS 10.0 Flaw Enables RCE via Unsafe Serialization ∗∗∗
---------------------------------------------
The Apache Software Foundation (ASF) has released patches to address a maximum severity vulnerability in the MINA Java network application framework that could result in remote code execution under specific conditions. Tracked as CVE-2024-52046, the vulnerability carries a CVSS score of 10.0.
---------------------------------------------
https://thehackernews.com/2024/12/apache-mina-cve-2024-52046-cvss-100.html
∗∗∗ Adobe warns of critical ColdFusion bug with PoC exploit code ∗∗∗
---------------------------------------------
Adobe has released out-of-band security updates to address a critical ColdFusion vulnerability with proof-of-concept exploit code. In an advisory released on Monday, the company says the flaw (tracked as CVE-2024-53961) is caused by a path traversal weakness that impacts Adobe ColdFusion versions 2023 and 2021 and can enable attackers to read arbitrary files on vulnerable servers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/adobe-warns-of-critical-cold…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (containernetworking-plugins, edk2:20240524, gstreamer1-plugins-base, gstreamer1-plugins-good, kernel, libsndfile:1.0.31, mpg123:1.32.9, pam, php:8.1, php:8.2, python3.11, python3.11-urllib3, python3.12, python3.9:3.9.21, skopeo, and unbound:1.16.2), Debian (intel-microcode), Fedora (python3-docs and python3.12), Mageia (emacs), Red Hat (podman), and SUSE (gdb, govulncheck-vulndb, libparaview5_12, mozjs115, mozjs78, and vhostmd).
---------------------------------------------
https://lwn.net/Articles/1003381/
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (sympa and tomcat), Red Hat (kernel), and SUSE (poppler).
---------------------------------------------
https://lwn.net/Articles/1003462/
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (fastnetmon, webkit2gtk, and xen), Fedora (sympa), Oracle (postgresql), and Red Hat (pcp, tigervnc, and xorg-x11-server and xorg-x11-server-Xwayland).
---------------------------------------------
https://lwn.net/Articles/1003542/
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (node-postcss), Fedora (age, dr_libs, incus, libxml2, moodle, and python-sql), and SUSE (poppler and python-grpcio).
---------------------------------------------
https://lwn.net/Articles/1003601/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 20-12-2024 18:00 − Montag 23-12-2024 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Middle East Cyberwar Rages On, With No End in Sight ∗∗∗
---------------------------------------------
Since October 2023, cyberattacks among countries in the Middle East have persisted, fueled by the conflict between Israel and Hamas, reeling in others on a global scale.
---------------------------------------------
https://www.darkreading.com/cyberattacks-data-breaches/middle-east-cyberwar…
∗∗∗ Cloud Atlas seen using a new tool in its attacks ∗∗∗
---------------------------------------------
We analyze the latest activity by the Cloud Atlas gang. The attacks employ the PowerShower, VBShower and VBCloud modules to download victims data with various PowerShell scripts.
---------------------------------------------
https://securelist.com/cloud-atlas-attacks-with-new-backdoor-vbcloud/115103/
∗∗∗ Modiloader From Obfuscated Batch File ∗∗∗
---------------------------------------------
My last investigation is a file called "Albertsons Payments.gz", received via email. The file looks like an archive but is identified as a picture by ..
---------------------------------------------
https://isc.sans.edu/diary/Modiloader+From+Obfuscated+Batch+File/31540
∗∗∗ Vulnerability & Patch Roundup - November 2024 ∗∗∗
---------------------------------------------
Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises. To help ..
---------------------------------------------
https://blog.sucuri.net/2024/12/vulnerability-patch-roundup-november-2024.h…
∗∗∗ Rockstar2FA Collapse Fuels Expansion of FlowerStorm Phishing-as-a-Service ∗∗∗
---------------------------------------------
An interruption to the phishing-as-a-service (PhaaS) toolkit called Rockstar 2FA has led to a rapid uptick in activity from another nascent offering named FlowerStorm."It appears that the [Rockstar2FA] group running the service experienced at least a ..
---------------------------------------------
https://thehackernews.com/2024/12/rockstar2fa-collapse-fuels-expansion-of.h…
∗∗∗ l+f: Sicherheitsforscher bestellt bei McDonalds für 1 Cent ∗∗∗
---------------------------------------------
Der McDonalds-Lieferservice in Indien war kaputt und Bestellungen waren umfangreich manipulierbar.
---------------------------------------------
https://www.heise.de/news/l-f-Sicherheitsforscher-bestellt-bei-McDonald-s-f…
∗∗∗ Webbrowser: Chrome und Edge sollen mittels KI vor Spam-Seiten warnen ∗∗∗
---------------------------------------------
Um Nutzer vor betrügerischen Websites zu warnen, haben Chrome und Edge neuerdings einen KI-Schutz an Bord. Noch ist das Feature aber nicht standardmäßig aktiv.
---------------------------------------------
https://www.heise.de/news/Webbrowser-Chrome-und-Edge-sollen-mittels-KI-vor-…
∗∗∗ Heels on fire. Hacking smart ski socks ∗∗∗
---------------------------------------------
TL;DR A silly-season BLE connectivity story Overheat people’s smart ski socks .. but only when in Bluetooth range AND when the owner’s phone is out of range of their feet! Having […]The post Heels on fire. Hacking smart ski socks first appeared on Pen Test Partners.
---------------------------------------------
https://www.pentestpartners.com/security-blog/heels-on-fire-hacking-smart-s…
∗∗∗ Fast zwei Drittel aller gestohlenen Kryptogelder wanderten 2024 nach Nordkorea ∗∗∗
---------------------------------------------
Eine aktuelle Analyse zeigt, dass der Gesamtwert gestohlener Kryptowährungen heuer bisher um 21 Prozent auf 2,2 Milliarden Dollar gestiegen ist
---------------------------------------------
https://www.derstandard.at/story/3000000250591/fast-zwei-drittel-aller-gest…
∗∗∗ NSO-Group für WhatsApp-Angriff mit Pegasus-Spyware schuldig gesprochen ∗∗∗
---------------------------------------------
Im Jahr 2019 wurden WhatsApp-Nutzer Opfer eines Angriffs durch Spyware, die über eine Schwachstelle auf Android und iOS-Geräte installiert werden konnte. WhatsApp verklagte die NSO Group, die den ..
---------------------------------------------
https://www.borncity.com/blog/2024/12/22/nso-group-fuer-angriff-mit-pegasus…
∗∗∗ Jingle Shells: How Virtual Offices Enable a Facade of Legitimacy ∗∗∗
---------------------------------------------
Virtual offices have revolutionized the way businesses operate. They provide cost-effective flexibility by eliminating the ..
---------------------------------------------
https://www.team-cymru.com/post/how-virtual-offices-enable-a-facade-of-legi…
∗∗∗ A Primer on JA4+: Empowering Threat Analysts with Better Traffic Analysis ∗∗∗
---------------------------------------------
What is JA4+ and Why Does It Matter? Introduction Threat analysts and researchers are continually seeking tools and methodologies to gain ..
---------------------------------------------
https://www.team-cymru.com/post/a-primer-on-ja4-empowering-threat-analysts-…
∗∗∗ Supply Chain Attack Hits Rspack, Vant npm Packages with Monero Miner ∗∗∗
---------------------------------------------
Popular npm packages, Rspack and Vant, were recently compromised with malicious code. Learn about the attack, the impact, and how to protect your projects from similar threats.
---------------------------------------------
https://hackread.com/supply-chain-attack-rspack-vant-npm-monero-miner/
∗∗∗ Checking It Twice: Profiling Benign Internet Scanners — 2024 Edition ∗∗∗
---------------------------------------------
A comprehensive analysis of benign internet scanning activity from November 2024, examining how quickly and thoroughly various legitimate scanning services (like Shodan, Censys, and others) discover and probe new internet-facing assets. The study deployed 24 new sensors across 8 geographies and 5 autonomous systems, revealing that most scanners ..
---------------------------------------------
https://www.greynoise.io/blog/checking-it-twice-profiling-benign-internet-s…
∗∗∗ Kritische Sicherheitslücken bedrohen Sophos-Firewalls ∗∗∗
---------------------------------------------
Es sind wichtige Sicherheitsupdates für Firewalls von Sophos erschienen. Mit den Standardeinstellungen installieren sie sich automatisch.
---------------------------------------------
https://heise.de/-10218914
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (gst-plugins-base1.0, libxstream-java, php-laravel-framework, python-urllib3, and sqlparse), Fedora (chromium, libcomps, libdnf, mingw-directxmath, mingw-gstreamer1, mingw-gstreamer1-plugins-bad-free, mingw-gstreamer1-plugins-base, mingw-gstreamer1-plugins-good, mingw-orc, ofono, prometheus-podman-exporter, ..
---------------------------------------------
https://lwn.net/Articles/1003287/
∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2024-0008 ∗∗∗
---------------------------------------------
Date Reported: December 22, 2024 Advisory ID: WSA-2024-0008 CVE identifiers: CVE-2024-54479, CVE-2024-54502, CVE-2024-54505, CVE-2024-54508, CVE-2024-54534 Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. CVE-2024-54479 Versions affected: WebKitGTK and WPE WebKit before 2.46.5. Credit to Seunghyun Lee. Impact: Processing maliciously ..
---------------------------------------------
https://webkitgtk.org/security/WSA-2024-0008.html
∗∗∗ TR-91 - Vulnerability identified as CVE-2024-0012, affecting Palo Alto Networks PAN-OS software ∗∗∗
---------------------------------------------
https://www.circl.lu/pub/tr-91
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 19-12-2024 18:00 − Freitag 20-12-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ In eigener Sache: CERT.at sucht Junior IT-Security Analyst:in (m/w/d - Vollzeit - Wien) ∗∗∗
---------------------------------------------
Für unsere laufenden Routinetätigkeiten suchen wir derzeit eine:n Berufsein- oder -umsteiger:in mit Interesse an IT-Security.
---------------------------------------------
https://www.cert.at/de/ueber-uns/jobs/
∗∗∗ BadBox malware botnet infects 192,000 Android devices despite disruption ∗∗∗
---------------------------------------------
The BadBox Android malware botnet has grown to over 192,000 infected devices worldwide despite a recent sinkhole operation that attempted to disrupt the operation in Germany.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/badbox-malware-botnet-infect…
∗∗∗ The Windows Registry Adventure #5: The regf file format ∗∗∗
---------------------------------------------
This post aimed to systematically explore the inner workings of the regf format, focusing on the hard requirements enforced by Windows. Due to my role and interests, I looked at the format from a strictly security-oriented angle rather than digital forensics, which is the context in which registry hives are typically considered.
---------------------------------------------
https://googleprojectzero.blogspot.com/2024/12/the-windows-registry-adventu…
∗∗∗ BellaCPP: Discovering a new BellaCiao variant written in C++ ∗∗∗
---------------------------------------------
While investigating an incident involving the BellaCiao .NET malware, Kaspersky researchers discovered a C++ version they dubbed "BellaCPP".
---------------------------------------------
https://securelist.com/bellacpp-cpp-version-of-bellaciao/115087/
∗∗∗ Auslaufmodell NTLM: Aus Windows 11 24H2 und Server 2025 teils entfernt ∗∗∗
---------------------------------------------
Weitgehend unbemerkt wurden in Windows 11 24H2 und Server 2025 zudem NTLMv1 entfernt.
---------------------------------------------
https://heise.de/-10217239
=====================
= Vulnerabilities =
=====================
∗∗∗ ZDI-24-1718: (0Day) Arista NG Firewall custom_handler Directory Traversal Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Arista NG Firewall. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 8.1. The following CVEs are assigned: CVE-2024-12830.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-24-1718/
∗∗∗ ZDI-24-1724: (0Day) Delta Electronics DRASimuCAD STP File Parsing Type Confusion Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Delta Electronics DRASimuCAD. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2024-12836.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-24-1724/
∗∗∗ Sophos: Resolved Multiple Vulnerabilities in Sophos Firewall (CVE-2024-12727, CVE-2024-12728, CVE-2024-12729) ∗∗∗
---------------------------------------------
Sophos has resolved three independent security vulnerabilities in Sophos Firewall (2x Critical, 1x High). To confirm that the hotfix has been applied to your firewall, please refer to KBA-000010084.
---------------------------------------------
https://www.sophos.com/en-us/security-advisories/sophos-sa-20241219-sfos-rce
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium and gunicorn), Fedora (jupyterlab), Oracle (bluez, containernetworking-plugins, edk2:20220126gitbb1bba3d77, edk2:20240524, gstreamer1-plugins-base, gstreamer1-plugins-good, kernel, libsndfile, libsndfile:1.0.31, mpg123, mpg123:1.32.9, pam, python3.11-urllib3, skopeo, tuned, and unbound:1.16.2), SUSE (avahi, docker, emacs, govulncheck-vulndb, haproxy, kernel, libmozjs-128-0, python-grpcio, python310-xhtml2pdf, sudo, and tailscale), and Ubuntu (dpdk, linux-hwe-5.15, and linux-iot).
---------------------------------------------
https://lwn.net/Articles/1003019/
∗∗∗ Autodesk: DWFX File Parsing Vulnerabilities in Autodesk Navisworks Desktop Software ∗∗∗
---------------------------------------------
https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0027
∗∗∗ Tenable: [R1] Stand-alone Security Patch Available for Tenable Security Center versions 6.3.0, 6.4.0 and 6.4.5: SC-202412.1 ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2024-21
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 18-12-2024 18:00 − Donnerstag 19-12-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Attackers exploiting a patched FortiClient EMS vulnerability in the wild ∗∗∗
---------------------------------------------
During a recent incident response, Kaspersky’s GERT team identified a set of TTPs and indicators linked to an attacker that infiltrated a company’s networks by targeting a Fortinet vulnerability for which a patch was already available.
---------------------------------------------
https://securelist.com/patched-forticlient-ems-vulnerability-exploited-in-t…
∗∗∗ HubPhish Abuses HubSpot Tools to Target 20,000 European Users for Credential Theft ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed a new phishing campaign that has targeted European companies with an aim to harvest account credentials and take control of the victims Microsoft Azure cloud infrastructure. [..] Targets include at least 20,000 automotive, chemical, and industrial compound manufacturing users in Europe. [..] The attacks involve sending phishing emails with Docusign-themed lures that urge recipients to view a document, which then redirects users to malicious HubSpot Free Form Builder links, from where they are led to a fake Office 365 Outlook Web App login page in order to steal their credentials.
---------------------------------------------
https://thehackernews.com/2024/12/hubphish-exploits-hubspot-tools-to.html
∗∗∗ Spyware distributed through Amazon Appstore ∗∗∗
---------------------------------------------
Recently, we uncovered a seemingly harmless app called “BMI CalculationVsn” on the Amazon App Store, which is secretly stealing the package name of installed apps and incoming SMS messages under the guise of a simple health tool.
---------------------------------------------
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/spyware-distributed-th…
∗∗∗ Achtung: AG Reparaturservice ist Betrug ∗∗∗
---------------------------------------------
Geschirrspüler kaputt? Die Website ag-reparaturservice.at bietet angeblich Reparaturen verschiedenster Geräte an. Von Kühlschränken über Waschmaschinen bis hin zu Backöfen repariert das Unternehmen angeblich Haushaltsgeräte. Wir raten zur Vorsicht: Die Reparatur wird trotz Bezahlung nicht durchgeführt. Sie verlieren Ihr Geld. Wir zeigen Ihnen, wie Sie die Betrugsmasche erkennen!
---------------------------------------------
https://www.watchlist-internet.at/news/ag-reparaturservice-ist-betrug/
∗∗∗ CISA urges senior government officials to lock down mobile devices amid ongoing Salt Typhoon breach ∗∗∗
---------------------------------------------
A 5-page advisory provided troves of guidance for both Apple and Android users, urging all “highly targeted individuals” to rely on the “consistent use of end-to-end encryption.”
---------------------------------------------
https://therecord.media/cisa-urges-senior-officials-to-lock-down-devices-sa…
∗∗∗ Hacker könnten über Schwachstellen in Solaranlagen das europäische Stromnetz knacken ∗∗∗
---------------------------------------------
Unschöne, aber keineswegs neue Erkenntnis. Deutschland ist zwar "stolz" ob der installierten Leistung an Solarkollektoren. Aber ein griechischer White Hat-Hacker hat gezeigt, wie er sich mittels Notebook und Internet in zahlreiche europäischen Solaranlagen hacken und diese – auch in Deutschland – einfach ausknipsen könnte.
---------------------------------------------
https://www.borncity.com/blog/2024/12/19/hacker-koennten-ueber-schwachstell…
∗∗∗ Kritische LDAP-Schwachstelle in Windows (CVE-2024-49112) ∗∗∗
---------------------------------------------
Noch ein kleiner Nachtrag vom Dezember 2024-Patchday. Zum 10. Dezember 2024 hat Microsoft einen kritische Schwachstelle (CVE-2024-49112) im Lightweight Directory Access Protocol (LDAP) öffentlich gemacht. Diese ermöglicht Remote-Angriffe auf Windows-Clients und -Server, wurde aber gepatcht. [..] Hunter schreibt, dass jährlich 178.900 LDAP- und LDAPS-Dienste jährlich beim Scans über hunter.how gefunden würden.
---------------------------------------------
https://www.borncity.com/blog/2024/12/19/kritische-ldap-schwachstelle-in-wi…
∗∗∗ Exploring vulnerable Windows drivers ∗∗∗
---------------------------------------------
This post is the result of research into the real-world application of the Bring Your Own Vulnerable Driver (BYOVD) technique along with Cisco Talos’ series of posts about malicious Windows drivers.
---------------------------------------------
https://blog.talosintelligence.com/exploring-vulnerable-windows-drivers/
∗∗∗ Betrugsmail: Cyberversicherung muss Schaden nicht ersetzen ∗∗∗
---------------------------------------------
Klassisches Mail-Spoofing kostete eine deutsche Firma 85.000 Euro. Ihre Cyberversicherung deckt den Schaden nicht, sagt das Landgericht Hagen.
---------------------------------------------
https://heise.de/-10215212
∗∗∗ Skuld Infostealer Returns to npm with Fake Windows Utilities and Malicious Solara Development Packages ∗∗∗
---------------------------------------------
Socket’s threat research team identified a malware campaign infiltrating the npm ecosystem, deploying the Skuld infostealer just weeks after a similar attack targeted Roblox developers. [..] Before their removal, these packages compromised hundreds of machines, demonstrating how even low-complexity attacks can rapidly gain traction.
---------------------------------------------
https://socket.dev/blog/skuld-infostealer-returns-to-npm
=====================
= Vulnerabilities =
=====================
∗∗∗ FortiWLM Unauthenticated limited file read vulnerability ∗∗∗
---------------------------------------------
A relative path traversal [CWE-23] in FortiWLM may allow a remote unauthenticated attacker to read sensitive files. Severity: Critical, CVE-2023-34990
---------------------------------------------
https://www.fortiguard.com/psirt/FG-IR-23-144
∗∗∗ FortiManager OS command injection ∗∗∗
---------------------------------------------
An Improper Neutralization of Special Elements used in an OS Command (OS Command Injection) vulnerability [CWE-78] in FortiManager may allow an authenticated remote attacker to execute unauthorized code via FGFM crafted requests. Severity: High, CVE-2024-48889
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-24-425
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (bluez, edk2:20220126gitbb1bba3d77, gstreamer1-plugins-base, gstreamer1-plugins-good, kernel, kernel-rt, mpg123, php:8.2, python3.11-urllib3, and tuned), Fedora (ColPack, glibc, golang-github-chainguard-dev-git-urls, golang-github-task, icecat, python-nbdime, python3.13, and python3.14), Mageia (kernel, kmod-xtables-addons, kmod-virtualbox, dwarves and kernel-linus), Red Hat (gstreamer1-plugins-base and gstreamer1-plugins-good), SUSE (curl, emacs, git-bug, glib2, helm, kernel, and traefik2), and Ubuntu (gst-plugins-base1.0, gst-plugins-good1.0, gstreamer1.0, libvpx, linux-gcp, phpunit, and yara).
---------------------------------------------
https://lwn.net/Articles/1002903/
∗∗∗ Delta Electronics DTM Soft ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-354-03
∗∗∗ Hitachi Energy SDM600 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-354-02
∗∗∗ Hitachi Energy RTU500 series CMU ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-354-01
∗∗∗ Ossur Mobile Logic Application ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-354-01
∗∗∗ Tibbo AggreGate Network Manager ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-354-05
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 17-12-2024 18:00 − Mittwoch 18-12-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Critical security hole in Apache Struts under exploit ∗∗∗
---------------------------------------------
A critical security hole in Apache Struts 2 [..] CVE-2024-53677 [..] is currently being exploited using publicly available proof-of-concept (PoC) code.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2024/12/17/critical_rce…
∗∗∗ How to Lose a Fortune with Just One Bad Click ∗∗∗
---------------------------------------------
Adam Griffin is still in disbelief over how quickly he was robbed of nearly $500,000 in cryptocurrencies. A scammer called using a real Google phone number to warn his Gmail account was being hacked, sent email security alerts directly from google.com, and ultimately seized control over the account by convincing him to click "yes" to a Google prompt on his mobile device.
---------------------------------------------
https://krebsonsecurity.com/2024/12/how-to-lose-a-fortune-with-just-one-bad…
∗∗∗ AI-generated malvertising “white pages” are fooling detection engines ∗∗∗
---------------------------------------------
In this blog post, we take a look at a couple of examples where threat actors are buying Google Search ads and using AI to create white pages. The content is unique and sometimes funny if you are a real human, but unfortunately a computer analyzing the code would likely give it a green check.
---------------------------------------------
https://www.malwarebytes.com/blog/cybercrime/2024/12/ai-generated-malvertis…
∗∗∗ Spotify: Vorsicht vor betrügerischen Phishing-Mails ∗∗∗
---------------------------------------------
Derzeit häufen sich Meldungen über betrügerische E-Mails, die angeblich von Spotify stammen. Es sei ein Problem mit der Zahlungsabwicklung aufgetreten, sodass Spotify die Nutzungsgebühr nicht abbuchen konnte und daher den Account vorübergehend gesperrt hat. Um Spotify weiter nutzen zu können, werden Sie aufgefordert die Kontoinformationen zu aktualisieren. Es handelt sich jedoch um Phishing!
---------------------------------------------
https://www.watchlist-internet.at/news/spotify-vorsicht-vor-betruegerischen…
∗∗∗ Detailing the Attack Surfaces of the Tesla Wall Connector EV Charger ∗∗∗
---------------------------------------------
Trend ZDI researchers have performed an analysis of the discrete hardware components found in the device.
---------------------------------------------
https://www.thezdi.com/blog/2024/12/16/detailing-the-attack-surfaces-of-the…
∗∗∗ Phishing-Masche nimmt Nutzer von Google-Kalender ins Visier ∗∗∗
---------------------------------------------
Cyberkriminelle nutzen laut einer Analyse von Sicherheitsforschern offenbar verstärkt Google-Kalender-Invites, um Internetnutzer auf Phishingseiten zu locken.
---------------------------------------------
https://heise.de/-10214705
∗∗∗ [Guest Diary] A Deep Dive into TeamTNT and Spinning YARN, (Wed, Dec 18th) ∗∗∗
---------------------------------------------
TeamTNT is running a crypto mining campaign dubbed Spinning YARN. Spinning YARN focuses on exploiting Docker, Redis, YARN, and Confluence. On November 4th, 2024, my DShield sensor recorded suspicious activity targeting my web server. The attacker attempted to use a technique that tricks the server into running harmful commands.
---------------------------------------------
https://isc.sans.edu/diary/rss/31530
=====================
= Vulnerabilities =
=====================
∗∗∗ BeyondTrust BT24-10: Command Injection Vulnerability / Severity: Critical ∗∗∗
---------------------------------------------
A critical vulnerability has been discovered in Privileged Remote Access (PRA) and Remote Support (RS) products which can allow an unauthenticated attacker to inject commands that are run as a site user. CVE(s): CVE-2024-12356
---------------------------------------------
https://www.beyondtrust.com/trust-center/security-advisories/bt24-10
∗∗∗ Juniper: 2024-12 Reference Advisory: Session Smart Router: Mirai malware found on systems when the default password remains unchanged ∗∗∗
---------------------------------------------
On Wednesday, December 11, 2024, several customers reported suspicious behavior on their Session Smart Network (SSN) platforms. These systems have been infected with the Mirai malware and were subsequently used as a DDOS attack source to other devices accessible by their network. The impacted systems were all using default passwords. Any customer not following recommended best practices and still using default passwords can be considered compromised as the default SSR passwords have been added to the virus database. [..] This affects all versions of Session Smart Router (SSR)
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-12-Reference-Advisory-Sess…
∗∗∗ Foxit PDF Editor und Reader: Attacken über präparierte PDF-Dateien möglich ∗∗∗
---------------------------------------------
PDF-Anwendungen von Foxit sind unter macOS und Windows verwundbar. Sicherheitsupdates stehen bereit. [..] Die Einstufung des Bedrohungsgrads der Lücken (CVE-2024-49576, CVE-2024-47810) steht zurzeit noch aus.
---------------------------------------------
https://heise.de/-10211267
∗∗∗ Windows-Sicherheitslösung Trend Micro Apex One als Einfallstor für Angreifer ∗∗∗
---------------------------------------------
Angreifer können an mehreren Sicherheitslücken in Trend Micro Apex One ansetzen. Sicherheitsupdates sind verfügbar. [..] Die darin geschlossenen Sicherheitslücken (CVE-2024-52048, CVE-2024-52049, CVE-2024-52050, CVE-2024-55631, CVE-2024-55632, CVE-2024-55917) sind mit dem Bedrohungsgrad "hoch" eingestuft.
---------------------------------------------
https://heise.de/-10213518
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (libsndfile, php:7.4, python3.11, python3.12, and python36:3.6), Debian (dpdk), Mageia (curl and socat), Oracle (firefox and tuned), Red Hat (bluez, containernetworking-plugins, edk2, edk2:20220126gitbb1bba3d77, edk2:20240524, expat, gstreamer1-plugins-base, gstreamer1-plugins-base and gstreamer1-plugins-good, gstreamer1-plugins-good, kernel, libsndfile, libsndfile:1.0.31, mpg123, mpg123:1.32.9, pam, python3.11-urllib3, skopeo, tuned, unbound, and unbound:1.16.2), SUSE (cloudflared, curl, docker, firefox, gstreamer-plugins-good, kernel, libmozjs-115-0, libmozjs-128-0, libmozjs-78-0, libsoup, ovmf, python-urllib3_1, subversion, thunderbird, and traefik), and Ubuntu (editorconfig-core, libspring-java, linux, linux-aws, linux-aws-6.8, linux-gcp, linux-gcp-6.8, linux-gke, linux-gkeop, linux-ibm, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-oem-6.8, linux-oracle, linux-oracle-6.8, linux-raspi, linux, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-ibm, linux-ibm-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, linux-raspi, linux, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, linux-kvm, linux-raspi, linux, linux-lowlatency, linux-oracle, linux-aws, linux-aws-5.15, linux-aws, linux-aws-5.4, linux-bluefield, linux-oracle, linux-oracle-5.4, and linux-oem-6.11).
---------------------------------------------
https://lwn.net/Articles/1002703/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 16-12-2024 18:00 − Dienstag 17-12-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Verbraucherzentrale warnt vor aktueller Paypal-Betrugsmasche ∗∗∗
---------------------------------------------
Die Verbraucherzentrale NRW warnt, dass Kriminelle "Bezahlen ohne Paypal-Konto" missbrauchen. Schutz davor ist kaum möglich. [..] Im Zentrum der Kritik steht eine Paypal-Bezahloption, die sich "Zahlen ohne Paypal-Konto" nennt und auch als "Gast-Konto" oder "Gastzahlung" bekannt ist. Damit können Käufer über das Lastschrift-Verfahren zahlen, ohne dass ein Paypal-Konto angelegt wird. Dafür ist eine IBAN anzugeben.
---------------------------------------------
https://heise.de/-10202355
∗∗∗ Malicious ads push Lumma infostealer via fake CAPTCHA pages ∗∗∗
---------------------------------------------
DeceptionAds can be seen as a newer and more dangerous variant of the "ClickFix" attacks, where victims are tricked into running malicious PowerShell commands on their machine, infecting themselves with malware. ClickFix actors have employed phishing emails, fake CAPTCHA pages on pirate software sites, malicious Facebook pages, and even GitHub issues redirecting users to dangerous landing pages.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/malicious-ads-push-lumma-inf…
∗∗∗ Over 25,000 SonicWall VPN Firewalls exposed to critical flaws ∗∗∗
---------------------------------------------
Over 25,000 publicly accessible SonicWall SSLVPN devices are vulnerable to critical severity flaws, with 20,000 using a SonicOS/OSX firmware version that the vendor no longer supports. [..] Public exposure means that the firewall's management or SSL VPN interfaces are accessible from the internet, presenting an opportunity for attackers to probe for vulnerabilities, outdated/unpatched firmware, misconfigurations, and brute-force weak passwords.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/over-25-000-sonicwall-vpn-fi…
∗∗∗ Sicherheitsbehörde warnt: Kernel-Schwachstelle in Windows wird aktiv ausgenutzt ∗∗∗
---------------------------------------------
Konkret geht es um die Sicherheitslücke CVE-2024-35250. Diese ermöglicht es Angreifern, auf anfälligen Systemen ihre Rechte auszuweiten. Nach Angaben der US-Cybersicherheitsbehörde Cisa gibt es neuerdings Hinweise auf eine aktive Ausnutzung. [..] Patches gegen CVE-2024-35250 stehen schon seit Juni für alle anfälligen Betriebssysteme bereit und dürften daher auf den meisten Systemen längst eingespielt worden sein.
---------------------------------------------
https://www.golem.de/news/sicherheitsbehoerde-warnt-kernel-schwachstelle-in…
∗∗∗ Python Delivering AnyDesk Client as RAT, (Tue, Dec 17th) ∗∗∗
---------------------------------------------
Yesterday, I found an interesting piece of Python script that will install AnyDesk on the victim’s computer. Even better, it reconfigures the tool if it is already installed. The script, called “an5.py” has a low VT score (6/63). Note that the script is compatible with Windows and Linux victims.
---------------------------------------------
https://isc.sans.edu/diary/rss/31524
∗∗∗ Technical Analysis of RiseLoader ∗∗∗
---------------------------------------------
In October 2024, Zscaler ThreatLabz came across malware samples that use a network communication protocol that is similar to RisePro. However, unlike RisePro which has primarily been used for information stealing, this new malware specializes in downloading and executing second-stage payloads. Due its distinctive focus and similarities with RisePro’s communication protocol, we named this new malware family RiseLoader.
---------------------------------------------
https://www.zscaler.com/blogs/security-research/technical-analysis-riseload…
∗∗∗ Earth Koshchei Coopts Red Team Tools in Complex RDP Attacks ∗∗∗
---------------------------------------------
APT group Earth Koshchei, suspected to be sponsored by the SVR, executed a large-scale rogue RDP campaign using spear-phishing emails, red team tools, and sophisticated anonymization techniques to target high-profile sectors.
---------------------------------------------
https://www.trendmicro.com/en_us/research/24/l/earth-koshchei.html
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (gstreamer1.0), Fedora (jupyterlab and python-notebook), Oracle (gimp:2.8.22, gstreamer1-plugins-base, gstreamer1-plugins-good, kernel, php:8.2, postgresql, and python3.11), SUSE (aws-iam-authenticator, firefox, installation-images, kernel, libaom, libyuv, libsoup, libsoup2, python-aiohttp, socat, thunderbird, and vim), and Ubuntu (curl, Docker, imagemagick, and kernel).
---------------------------------------------
https://lwn.net/Articles/1002496/
∗∗∗ CrushFTP: Attacken auf Admins möglich ∗∗∗
---------------------------------------------
Angreifer können in Logs von CrushFTP Schadcode verstecken. Dagegen gerüstete Versionen sind verfügbar.
---------------------------------------------
https://heise.de/-10202537
∗∗∗ Xen Security Advisory CVE-2024-53241 / XSA-466 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-466.html
∗∗∗ Xen Security Advisory CVE-2024-53240 / XSA-465 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-465.html
∗∗∗ Rockwell Automation PowerMonitor 1000 Remote ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-352-03
∗∗∗ Hitachi Energy TropOS Devices Series 1400/2400/6400 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-352-02
∗∗∗ ThreatQuotient ThreatQ Platform ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-352-01
∗∗∗ MISP v2.5.3 and v2.4.201 released with numerous enhancements, bug fixes, and security improvements to strengthen threat information sharing capabilities. ∗∗∗
---------------------------------------------
https://github.com/MISP/MISP/releases/tag/v2.5.3
∗∗∗ BD Diagnostic Solutions Products ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-352-01
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 16-12-2024 18:00 − Dienstag 17-12-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Verbraucherzentrale warnt vor aktueller Paypal-Betrugsmasche ∗∗∗
---------------------------------------------
Die Verbraucherzentrale NRW warnt, dass Kriminelle "Bezahlen ohne Paypal-Konto" missbrauchen. Schutz davor ist kaum möglich. [..] Im Zentrum der Kritik steht eine Paypal-Bezahloption, die sich "Zahlen ohne Paypal-Konto" nennt und auch als "Gast-Konto" oder "Gastzahlung" bekannt ist. Damit können Käufer über das Lastschrift-Verfahren zahlen, ohne dass ein Paypal-Konto angelegt wird. Dafür ist eine IBAN anzugeben.
---------------------------------------------
https://heise.de/-10202355
∗∗∗ Malicious ads push Lumma infostealer via fake CAPTCHA pages ∗∗∗
---------------------------------------------
DeceptionAds can be seen as a newer and more dangerous variant of the "ClickFix" attacks, where victims are tricked into running malicious PowerShell commands on their machine, infecting themselves with malware. ClickFix actors have employed phishing emails, fake CAPTCHA pages on pirate software sites, malicious Facebook pages, and even GitHub issues redirecting users to dangerous landing pages.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/malicious-ads-push-lumma-inf…
∗∗∗ Over 25,000 SonicWall VPN Firewalls exposed to critical flaws ∗∗∗
---------------------------------------------
Over 25,000 publicly accessible SonicWall SSLVPN devices are vulnerable to critical severity flaws, with 20,000 using a SonicOS/OSX firmware version that the vendor no longer supports. [..] Public exposure means that the firewall's management or SSL VPN interfaces are accessible from the internet, presenting an opportunity for attackers to probe for vulnerabilities, outdated/unpatched firmware, misconfigurations, and brute-force weak passwords.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/over-25-000-sonicwall-vpn-fi…
∗∗∗ Sicherheitsbehörde warnt: Kernel-Schwachstelle in Windows wird aktiv ausgenutzt ∗∗∗
---------------------------------------------
Konkret geht es um die Sicherheitslücke CVE-2024-35250. Diese ermöglicht es Angreifern, auf anfälligen Systemen ihre Rechte auszuweiten. Nach Angaben der US-Cybersicherheitsbehörde Cisa gibt es neuerdings Hinweise auf eine aktive Ausnutzung. [..] Patches gegen CVE-2024-35250 stehen schon seit Juni für alle anfälligen Betriebssysteme bereit und dürften daher auf den meisten Systemen längst eingespielt worden sein.
---------------------------------------------
https://www.golem.de/news/sicherheitsbehoerde-warnt-kernel-schwachstelle-in…
∗∗∗ Python Delivering AnyDesk Client as RAT, (Tue, Dec 17th) ∗∗∗
---------------------------------------------
Yesterday, I found an interesting piece of Python script that will install AnyDesk on the victim’s computer. Even better, it reconfigures the tool if it is already installed. The script, called “an5.py” has a low VT score (6/63). Note that the script is compatible with Windows and Linux victims.
---------------------------------------------
https://isc.sans.edu/diary/rss/31524
∗∗∗ Technical Analysis of RiseLoader ∗∗∗
---------------------------------------------
In October 2024, Zscaler ThreatLabz came across malware samples that use a network communication protocol that is similar to RisePro. However, unlike RisePro which has primarily been used for information stealing, this new malware specializes in downloading and executing second-stage payloads. Due its distinctive focus and similarities with RisePro’s communication protocol, we named this new malware family RiseLoader.
---------------------------------------------
https://www.zscaler.com/blogs/security-research/technical-analysis-riseload…
∗∗∗ Earth Koshchei Coopts Red Team Tools in Complex RDP Attacks ∗∗∗
---------------------------------------------
APT group Earth Koshchei, suspected to be sponsored by the SVR, executed a large-scale rogue RDP campaign using spear-phishing emails, red team tools, and sophisticated anonymization techniques to target high-profile sectors.
---------------------------------------------
https://www.trendmicro.com/en_us/research/24/l/earth-koshchei.html
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (gstreamer1.0), Fedora (jupyterlab and python-notebook), Oracle (gimp:2.8.22, gstreamer1-plugins-base, gstreamer1-plugins-good, kernel, php:8.2, postgresql, and python3.11), SUSE (aws-iam-authenticator, firefox, installation-images, kernel, libaom, libyuv, libsoup, libsoup2, python-aiohttp, socat, thunderbird, and vim), and Ubuntu (curl, Docker, imagemagick, and kernel).
---------------------------------------------
https://lwn.net/Articles/1002496/
∗∗∗ CrushFTP: Attacken auf Admins möglich ∗∗∗
---------------------------------------------
Angreifer können in Logs von CrushFTP Schadcode verstecken. Dagegen gerüstete Versionen sind verfügbar.
---------------------------------------------
https://heise.de/-10202537
∗∗∗ Xen Security Advisory CVE-2024-53241 / XSA-466 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-466.html
∗∗∗ Xen Security Advisory CVE-2024-53240 / XSA-465 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-465.html
∗∗∗ Rockwell Automation PowerMonitor 1000 Remote ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-352-03
∗∗∗ Hitachi Energy TropOS Devices Series 1400/2400/6400 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-352-02
∗∗∗ ThreatQuotient ThreatQ Platform ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-352-01
∗∗∗ MISP v2.5.3 and v2.4.201 released with numerous enhancements, bug fixes, and security improvements to strengthen threat information sharing capabilities. ∗∗∗
---------------------------------------------
https://github.com/MISP/MISP/releases/tag/v2.5.3
∗∗∗ BD Diagnostic Solutions Products ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-352-01
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 13-12-2024 18:00 − Montag 16-12-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Microsoft Update-Katalog: Kritische Lücke in Microsofts Webserver entdeckt ∗∗∗
---------------------------------------------
Angreifer konnten sich auf einem Webserver von Microsoft erweiterte Rechte verschaffen. Trotz versprochener Transparenz nennt der Konzern keine Details.
---------------------------------------------
https://www.golem.de/news/microsoft-update-katalog-kritische-luecke-in-micr…
∗∗∗ Angriffe auf Citrix Netscaler Gateway: Hersteller gibt Hinweise zum Schutz ∗∗∗
---------------------------------------------
Seit Dezember 2024 gibt es ja massiven Angriffswellen Citrix Netscaler Gateways. [..] Nun hat Citrix reagiert, und gibt Tipps, wie sich Netscaler Gateways gegen die Angriffe … Weiterlesen →Quelle
---------------------------------------------
https://www.borncity.com/blog/2024/12/15/angriffe-auf-citrix-netscaler-gate…
∗∗∗ 390,000 WordPress accounts stolen from hackers in supply chain attack ∗∗∗
---------------------------------------------
A threat actor tracked as MUT-1244 has stolen over 390,000 WordPress credentials in a large-scale, year-long campaign targeting other threat actors using a trojanized WordPress credentials checker.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/390-000-wordpress-accounts-s…
∗∗∗ The Simple Math Behind Public Key Cryptography ∗∗∗
---------------------------------------------
The security system that underlies the internet makes use of a curious fact: You can broadcast part of your encryption to make your information much more secure.
---------------------------------------------
https://www.wired.com/story/how-public-key-cryptography-really-works-using-…
∗∗∗ NodeLoader Exposed: The Node.js Malware Evading Detection ∗∗∗
---------------------------------------------
Zscaler ThreatLabz discovered a malware campaign leveraging Node.js applications for Windows to distribute cryptocurrency miners and information stealers. We have named this malware family NodeLoader, since the attackers employ Node.js compiled executables to deliver second-stage payloads, including XMRig, Lumma, and Phemedrone Stealer.
---------------------------------------------
https://www.zscaler.com/blogs/security-research/nodeloader-exposed-node-js-…
∗∗∗ Phishing-Nachricht „Ihr Konto wurde gesperrt“ im Namen von Meta ignorieren! ∗∗∗
---------------------------------------------
Sie erhalten eine Nachricht von Meta, in der Ihnen mitgeteilt wird, dass Ihr Facebook- oder Instagram-Konto demnächst gesperrt wird. Um dies zu verhindern, müssen Sie auf einen Link klicken und Ihr Konto verifizieren. Aber Vorsicht: Es handelt sich um eine Phishing-Nachricht von Kriminellen, die Ihre Daten stehlen wollen!
---------------------------------------------
https://www.watchlist-internet.at/news/phishing-nachricht-im-namen-von-meta/
∗∗∗ Crypted Hearts: Exposing the HeartCrypt Packer-as-a-Service Operation ∗∗∗
---------------------------------------------
Analysis of packer-as-a-service (PaaS) HeartCrypt reveals its use in over 2k malicious payloads across 45 malware families since its early 2024 appearance.
---------------------------------------------
https://unit42.paloaltonetworks.com/packer-as-a-service-heartcrypt-malware/
∗∗∗ CoinLurker: The Stealer Powering the Next Generation of Fake Updates ∗∗∗
---------------------------------------------
The evolution of fake update campaigns has advanced significantly with the emergence of CoinLurker, a sophisticated stealer designed to exfiltrate data while evading detection. Written in Go, CoinLurker employs cutting-edge obfuscation and anti-analysis techniques, making it a highly effective tool in modern cyberattacks.
---------------------------------------------
https://blog.morphisec.com/coinlurker-the-stealer-powering-the-next-generat…
∗∗∗ Secure Coding: CWE 1123 – Sich selbst modifizierenden Code vermeiden ∗∗∗
---------------------------------------------
Die Common Weakness Enumeration CWE-1123 warnt vor dem übermäßigen Einsatz von sich selbst modifizierendem Code. Java-Entwickler sollten mit Bedacht agieren.
---------------------------------------------
https://heise.de/-10194617
∗∗∗ CISA and EPA Warn: Internet-Exposed HMIs Pose Serious Cybersecurity Risks to Water Systems ∗∗∗
---------------------------------------------
The Cybersecurity and Infrastructure Security Agency (CISA) and the Environmental Protection Agency (EPA) have jointly released a crucial fact sheet highlighting the cybersecurity risks posed by Internet-exposed Human Machine Interfaces (HMIs) in the Water and Wastewater Systems (WWS) sector.
---------------------------------------------
https://thecyberexpress.com/exposed-human-machine-interfaces-in-wws/
∗∗∗ The Qualcomm DSP Driver - Unexpectedly Excavating an Exploit ∗∗∗
---------------------------------------------
This blog post provides a technical analysis of exploit artifacts provided to us by Google's Threat Analysis Group (TAG) from Amnesty International.
---------------------------------------------
https://googleprojectzero.blogspot.com/2024/12/qualcomm-dsp-driver-unexpect…
∗∗∗ Tech Guide: Detecting NoviSpy spyware with AndroidQF and the Mobile Verification Toolkit (MVT) ∗∗∗
---------------------------------------------
Amnesty Security Lab has published Indicators of Compromise (IOCs) for the NoviSpy spyware application. This tutorial explains how to use AndroidQF Android Quick Forensics (androidqf) and Mobile Verification Toolkit (MVT) to examine an Android device for traces of these indicators.
---------------------------------------------
https://securitylab.amnesty.org/latest/2024/12/tech-guide-detecting-novispy…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (gst-plugins-base1.0, gstreamer1.0, and libpgjava), Fedora (bpftool, chromium, golang-x-crypto, kernel, kernel-headers, linux-firmware, pytest, python3.10, subversion, and thunderbird), Gentoo (NVIDIA Drivers), Oracle (kernel, perl-App-cpanminus:1.7044, php:7.4, php:8.1, php:8.2, postgresql, python3.11, python3.12, python3.9:3.9.21, python36:3.6, ruby, and ruby:2.5), SUSE (docker-stable, firefox-esr, gstreamer, gstreamer-plugins-base, gstreamer-plugins-good, kernel, python-Django, python312, and socat), and Ubuntu (mpmath).
---------------------------------------------
https://lwn.net/Articles/1002338/
∗∗∗ Siemens: SSA-928984 V1.0: Heap-based Buffer Overflow Vulnerability in User Management Component (UMC) ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-928984.html
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 12-12-2024 18:00 − Freitag 13-12-2024 18:05
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Social Engineering nach Mailbombing ∗∗∗
---------------------------------------------
Rapid7 hat vor Kurzem einen Blogbeitrag zur Vorgehensweise einer Ransomwaregruppe veröffentlicht, wir haben inzwischen von mehreren Firmen in Österreich gehört, die dieses Angriffsmuster selber beobachten mussten: Zuerst wird ein Mitarbeiter der Zielfirma mit E-Mail überschüttet: in vielen Fällen sind das legitime Newsletter, die aber in der Masse ein echtes Problem sind. Danach wird dieser Angestellte per Teams oder über andere Kanäle kontaktiert: Man sei der Helpdesk und will ihm bei der Bewältigung der Mail-Lawine helfen.
---------------------------------------------
https://www.cert.at/de/aktuelles/2024/12/social-engineering-nach-mailbombing
∗∗∗ Vishing via Microsoft Teams Facilitates DarkGate Malware Intrusion ∗∗∗
---------------------------------------------
In this blog entry, we discuss a social engineering attack that tricked the victim into installing a remote access tool, triggering DarkGate malware activities and an attempted C&C connection.
---------------------------------------------
https://www.trendmicro.com/en_us/research/24/l/darkgate-malware.html
∗∗∗ Germany sinkholes BadBox malware pre-loaded on Android devices ∗∗∗
---------------------------------------------
Germanys Federal Office for Information Security (BSI) has disrupted the BadBox malware operation pre-loaded in over 30,000 Android IoT devices sold in the country. [..] Germany's cybersecurity agency says it blocked communication between the BadBox malware devices and their command and control (C2) infrastructure by sinkholing DNS queries so that the malware communicates with police-controlled servers rather than the attacker's command and control servers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/germany-sinkholes-badbox-mal…
∗∗∗ Efforts to Secure US Telcos Beset by Salt Typhoon Might Fall Flat ∗∗∗
---------------------------------------------
The rules necessary to secure US communications have already been in place for 30 years, argues Sen. Wyden, the FCC just hasnt enforced them. Its unclear if they will help.
---------------------------------------------
https://www.darkreading.com/vulnerabilities-threats/efforts-secure-us-telco…
∗∗∗ IoT Cloud Cracked by Open Sesame Over-the-Air Attack ∗∗∗
---------------------------------------------
Researchers demonstrate how to hack Ruijie Reyee access points without Wi-Fi credentials or even physical access to the device.
---------------------------------------------
https://www.darkreading.com/ics-ot-security/iot-cloud-cracked-open-sesame-a…
∗∗∗ Windows Tooling Updates: OleView.NET ∗∗∗
---------------------------------------------
This is a short blog post about some recent improvements I've been making to the OleView.NET tool which has been released as part of version 1.16. The tool is designed to discover the attack surface of Windows COM and find security vulnerabilities such as privilege escalation and remote code execution.
---------------------------------------------
https://googleprojectzero.blogspot.com/2024/12/windows-tooling-updates-olev…
∗∗∗ New Linux Rootkit PUMAKIT Uses Advanced Stealth Techniques to Evade Detection ∗∗∗
---------------------------------------------
Cybersecurity researchers have uncovered a new Linux rootkit called PUMAKIT that comes with capabilities to escalate privileges, hide files and directories, and conceal itself from system tools, while simultaneously evading detection.
---------------------------------------------
https://thehackernews.com/2024/12/new-linux-rootkit-pumakit-uses-advanced.h…
∗∗∗ Attacking Entra Metaverse: Part 1 ∗∗∗
---------------------------------------------
This first blog post is a short one, and demonstrates how complete control of an Entra user is equal to compromise of the on-premises user. For the entire blog series the point I am trying to make is this: The Entra Tenant is the trust boundary
---------------------------------------------
https://posts.specterops.io/attacking-entra-metaverse-part-1-c9cf8c4fb4ee?s…
=====================
= Vulnerabilities =
=====================
∗∗∗ DevSecOps-Plattform Gitlab: Accountübernahme möglich ∗∗∗
---------------------------------------------
In einem Beitrag schreiben die Entwickler, dass auf Gitlab.com bereits die abgesicherten Ausgaben laufen. Für selbstverwaltete Gitlab-Installation sind nun die Ausgaben 17.4.6, 17.5.4 und 17.6.2 in der Community Edition und Enterprise Edition erschienen. [..] Insgesamt haben die Entwickler zwölf Sicherheitslücken geschlossen. Zwei davon sind mit dem Bedrohungsgrad "hoch" eingestuft (CVE-2024-11274, CVE-2024-8233). Im ersten Fall können Angreifer durch Manipulation von Kubernetes-Proxy-Responses Accounts übernehmen.
---------------------------------------------
https://heise.de/-10198923
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium, pgpool2, and smarty4), Fedora (chromium, linux-firmware, matrix-synapse, open62541, and thunderbird), Red Hat (kernel, kernel-rt, python3.11, python3.12, python3.9:3.9.18, python3.9:3.9.21, and ruby:2.5), SUSE (buildah, chromium, govulncheck-vulndb, java-1_8_0-ibm, libsvn_auth_gnome_keyring-1-0, python310-Django, qemu, and radare2), and Ubuntu (linux, linux-aws, linux-aws-6.8, linux-gcp, linux-gcp-6.8, linux-gke, linux-ibm, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-oem-6.8, linux-oracle, linux-oracle-6.8, linux-raspi, linux, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-raspi, linux-xilinx-zynqmp, linux-gkeop, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, php7.0, php7.2, python-asyncssh, and smarty3).
---------------------------------------------
https://lwn.net/Articles/1002036/
∗∗∗ Schneider Electric Security Advisories 10.12.2024 ∗∗∗
---------------------------------------------
https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.…
∗∗∗ Mozilla: Security Vulnerabilities fixed in Thunderbird 115.18 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2024-70/
∗∗∗ F5: K000148969: Python vulnerability CVE-2024-7592 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000148969
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 11-12-2024 18:00 − Donnerstag 12-12-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Apache issues patches for critical Struts 2 RCE bug ∗∗∗
---------------------------------------------
More details released after devs allowed weeks to apply fixes. We now know the remote code execution vulnerability in Apache Struts 2 disclosed back in November carries a near-maximum severity rating following the publication of the CVE. [..] Considering remote attackers could exploit the vulnerability without requiring any privileges, combined with the high impact to system confidentiality, integrity, and availability, it's likely the Apache Foundation withheld the juiciest details to allow customers to upgrade to a safe version (Struts 6.4.0 or greater).
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2024/12/12/apache_strut…
∗∗∗ Cyber Resilience Act: Vernetzte Produkte müssen bald besser abgesichert sein ∗∗∗
---------------------------------------------
Die EU-Verordnung zur Cyber-Widerstandsfähigkeit ist in Kraft getreten. Hersteller vernetzter Produkte müssen künftig ein Mindestmaß an Cybersicherheit bieten.
---------------------------------------------
https://heise.de/-10197273
∗∗∗ Modular Java Backdoor Dropped in Cleo Exploitation Campaign ∗∗∗
---------------------------------------------
While investigating incidents related to Cleo software exploitation, Rapid7 Labs and MDR team discovered a novel, multi-stage attack that deploys an encoded Java Archive (JAR) payload.
---------------------------------------------
https://www.rapid7.com/blog/post/2024/12/11/etr-modular-java-backdoor-dropp…
∗∗∗ The Bite from Inside: The Sophos Active Adversary Report ∗∗∗
---------------------------------------------
A sea change in available data fuels fresh insights from the first half of 2024.
---------------------------------------------
https://news.sophos.com/en-us/2024/12/12/active-adversary-report-2024-12/
∗∗∗ Vorsicht beim Online-Kauf von Weihnachtsbäumen: So erkennen Sie unseriöse Shops ∗∗∗
---------------------------------------------
Die Vorweihnachtszeit ist für viele mit Stress und hohen Ausgaben verbunden - da scheint ein günstiger und schnell aufgestellter Weihnachtsbaum verlockend. Besonders im Trend liegen faltbare Weihnachtsbäume, die in Rekordzeit aufgestellt sein sollen. Doch Vorsicht: Nicht alle Anbieter halten, was sie versprechen. Wir zeigen, woran man unseriöse Angebote erkennt.
---------------------------------------------
https://www.watchlist-internet.at/news/unserioese-shops-beim-weihnachtsbaum…
∗∗∗ 300,000+ Prometheus Servers and Exporters Exposed to DoS Attacks ∗∗∗
---------------------------------------------
In this research we highlighted vulnerabilities and flaws in the Prometheus stack. We highlight the risks associated with exposing Prometheus servers and exporters to the internet without authentication, which expose sensitive information and can be exploited to launch DoS attacks or even execute arbitrary code through compromised exporters.
---------------------------------------------
https://blog.aquasec.com/300000-prometheus-servers-and-exporters-exposed-to…
∗∗∗ Bis zum Burn-out: Open-Source-Entwickler von KI-Bug-Reports genervt ∗∗∗
---------------------------------------------
Sie kommen freundlich und wohl durchdacht daher: Doch bei genauerer Prüfung stellen Open-Source-Maintainer fest, dass immer mehr Bugreports KI-Unsinn sind.
---------------------------------------------
https://heise.de/-10195951
=====================
= Vulnerabilities =
=====================
∗∗∗ Hunk Companion WordPress plugin exploited to install vulnerable plugins ∗∗∗
---------------------------------------------
The issue impacts all versions of Hunk Companion before the latest 1.9.0, released yesterday, which addressed the problem. While investigating a WordPress site infection, WPScan discovered active exploitation of CVE-2024-11972 to install a vulnerable version of WP Query Console. [..] By installing outdated plugins with known vulnerabilities with available exploits, the attackers can access a large pool of flaws that lead to remote code execution (RCE), SQL injection, cross-site scripting (XSS) flaws, or create backdoor admin accounts.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hunk-companion-wordpress-plu…
∗∗∗ Apple Updates Everything (iOS, iPadOS, macOS, watchOS, tvOS, visionOS), (Wed, Dec 11th) ∗∗∗
---------------------------------------------
Apple today released patches for all of its operating systems. The updates address 46 different vulnerabilities. Many of the vulnerabilities affect more than one operating system. None of the vulnerabilities are labeled as being already exploited.
---------------------------------------------
https://isc.sans.edu/diary/rss/31514
∗∗∗ Atlassian schützt Confluence & Co. vor möglichen DoS-Attacken ∗∗∗
---------------------------------------------
Angreifer können an zehn Sicherheitslücken in Atlassian Bamboo, Bitbucket und Confluence ansetzen und unter anderem Abstürze provozieren.
---------------------------------------------
https://heise.de/-10196643
∗∗∗ Sicherheitspatch: Angreifer können über TeamViewer-Lücke Windows-Dateien löschen ∗∗∗
---------------------------------------------
Basierend auf einer Warnmeldung ist die Komponente TeamViewer Patch & Asset Management angreifbar (CVE-2024-12363 "hoch"). Die Komponente ist aber standardmäßig nicht installiert. Sie ist optional im Kontext des Remote-Management-Features installierbar. [..] Die Entwickler versichern, dass sich das Sicherheitsupdate automatisch installiert.
---------------------------------------------
https://heise.de/-10196765
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libsoup2.4, python-aiohttp, and upx-ucl), Fedora (iaito, python3.11, python3.9, and radare2), Red Hat (ruby, ruby:2.5, and ruby:3.1), Slackware (mozilla-thunderbird), SUSE (govulncheck-vulndb, nodejs18, nodejs20, and socat), and Ubuntu (ofono and python-tornado).
---------------------------------------------
https://lwn.net/Articles/1001863/
∗∗∗ Paloalto: PAN-SA-2024-0017 Chromium: Monthly Vulnerability Updates (Severity: MEDIUM) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/PAN-SA-2024-0017
∗∗∗ Tenable: [R1] Security Center Version 6.5.1 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2024-20
∗∗∗ Drupal: Open Social - Moderately critical - Access bypass - SA-CONTRIB-2024-076 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2024-076
∗∗∗ Drupal: Allow All File Extensions for file fields - Critical - Unsupported - SA-CONTRIB-2024-075 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2024-075
∗∗∗ Drupal: Git Utilities for Drupal - Critical - Unsupported - SA-CONTRIB-2024-074 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2024-074
∗∗∗ Drupal: Login Disable - Critical - Access bypass - SA-CONTRIB-2024-073 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2024-073
∗∗∗ Drupal: Browser Back Button - Moderately critical - Cross site scripting - SA-CONTRIB-2024-072 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2024-072
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 10-12-2024 18:00 − Mittwoch 11-12-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Global Ongoing Phishing Campaign Targets Employees Across 12 Industries ∗∗∗
---------------------------------------------
Cybersecurity researchers at Group-IB have exposed an ongoing phishing operation that has been targeting employees and associates from over 30 companies across 12 industries and 15 jurisdictions. [..] What makes this campaign dangerous is the use of advanced techniques designed to bypass Secure Email Gateways (SEGs) and evade detection. [..] This campaign is ongoing therefore, companies need to watch out for what comes to their inbox.
---------------------------------------------
https://hackread.com/ongoing-phishing-campaign-targets-employees/
∗∗∗ AMD’s trusted execution environment blown wide open by new BadRAM attack ∗∗∗
---------------------------------------------
On Tuesday, an international team of researchers unveiled BadRAM, a proof-of-concept attack that completely undermines security assurances that chipmaker AMD makes to users of one of its most expensive and well-fortified microprocessor product lines. Starting with the AMD Epyc 7003 processor, a feature known as SEV-SNP—short for Secure Encrypted Virtualization and Secure Nested Paging—has provided the cryptographic means for certifying that a VM hasn’t been compromised by any sort of backdoor installed by someone with access to the physical machine running it.
---------------------------------------------
https://arstechnica.com/information-technology/2024/12/new-badram-attack-ne…
∗∗∗ Microsoft MFA AuthQuake Flaw Enabled Unlimited Brute-Force Attempts Without Alerts ∗∗∗
---------------------------------------------
Cybersecurity researchers have flagged a "critical" security vulnerability in Microsofts multi-factor authentication (MFA) implementation that allows an attacker to trivially sidestep the protection and gain unauthorized access to a victims account. [..] Following responsible disclosure, the issue – codenamed AuthQuake – was addressed by Microsoft in October 2024.
---------------------------------------------
https://thehackernews.com/2024/12/microsoft-mfa-authquake-flaw-enabled.html
∗∗∗ Decrypting Full Disk Encryption with Dissect ∗∗∗
---------------------------------------------
Back in 2022 Fox-IT decided to open source its proprietary incident response tooling known as Dissect. [..] One of the most popular requests has been the capability to use Dissect in combination with common disk encryption methods like Microsoft’s BitLocker or its Linux equivalent LUKS. Internally at Fox-IT we were able to already use these capabilities. With the release of Dissect version 3.17 these capabilities are now also available to the community at large.
---------------------------------------------
https://blog.fox-it.com/2024/12/11/decrypting-full-disk-encryption-with-dis…
∗∗∗ The Stealthy Stalker: Remcos RAT ∗∗∗
---------------------------------------------
As cyberattacks become more sophisticated, understanding the mechanisms behind RemcosRAT and adopting effective security measures are crucial to protecting your systems from this growing threat. This blog presents a technical analysis of two RemcosRAT variants.
---------------------------------------------
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/the-stealthy-stalker-r…
∗∗∗ How easily access cards can be cloned and why your PACS might be vulnerable ∗∗∗
---------------------------------------------
PACS can be bad, but also good if you configure them right. These systems protect your building, and control access to your most sensitive systems. Give them some love.
---------------------------------------------
https://www.pentestpartners.com/security-blog/how-easily-access-cards-can-b…
∗∗∗ Zeitplan veröffentlicht: Lets Encrypt schafft OCSP-Zertifikatsüberprüfung ab ∗∗∗
---------------------------------------------
Das Protokoll zur Echtzeit-Gültigkeitsprüfung hat Datenschutzprobleme. Die weltgrößte CA ersetzt es nun durch Zertifikats-Sperrlisten.
---------------------------------------------
https://heise.de/-10195107
=====================
= Vulnerabilities =
=====================
∗∗∗ Ivanti: December Security Update ∗∗∗
---------------------------------------------
Today, fixes have been released for the Ivanti solutions detailed below. [..] Ivanti Cloud Service Application, Ivanti Desktop and Server Management (DSM), Ivanti Connect Secure and Policy Secure, Ivanti Sentry, Ivanti Patch SDK, Ivanti Application Control, Ivanti Automation, Ivanti Workspace Control, Ivanti Performance Manager, Ivanti Security Controls (iSec) [..] Ivanti Cloud Services Application (CSA) 10.0 (Critical): An authentication bypass in the admin web console of Ivanti CSA before 5.0.3 allows a remote unauthenticated attacker to gain administrative access. CVE-2024-11639
---------------------------------------------
https://www.ivanti.com/blog/december-security-update
∗∗∗ Microsoft Security Update Summary (10. Dezember 2024) ∗∗∗
---------------------------------------------
Am 10. Dezember 2024 hat Microsoft Sicherheitsupdates für Windows-Clients und -Server, für Office – sowie für weitere Produkte – veröffentlicht. Die Sicherheitsupdates beseitigen 70 Schwachstellen (CVEs), davon 16 kritische Sicherheitslücken, davon eine als 0-day klassifiziert (bereits ausgenutzt).
---------------------------------------------
https://www.borncity.com/blog/2024/12/10/microsoft-security-update-summary-…
∗∗∗ Solarwinds Web Help Desk: Software-Update schließt kritische Lücken ∗∗∗
---------------------------------------------
In Solarwinds Web Help Desk haben die Entwickler teils kritische Sicherheitslücken korrigiert. IT-Verantwortliche sollten rasch aktualisieren.
---------------------------------------------
https://heise.de/-10195207
∗∗∗ Patchday: Adobe schließt mehr als 160 Sicherheitslücken in Acrobat & Co. ∗∗∗
---------------------------------------------
Insgesamt hat der Softwarehersteller mehr als 160 Schwachstellen mit Updates für die Produkte geschlossen.
---------------------------------------------
https://www.heise.de/-10194979
∗∗∗ Synology-SA-24:28 Media Server ∗∗∗
---------------------------------------------
A vulnerability allows remote attackers to read specific files.
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_24_28
∗∗∗ PDQ Deploy allows reuse of deleted credentials that can compromise a device and facilitate lateral movement ∗∗∗
---------------------------------------------
The CERT/CC is creating this Vulnerability Note to advise and make users of PDQ Deploy aware of potential avenues of attack through the deploy service. System administrators that are using PDQ Deploy should employ LAPS to mitigate this vulnerability.
---------------------------------------------
https://kb.cert.org/vuls/id/164934
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (proftpd-dfsg and smarty3), Fedora (python3.14), Gentoo (Distrobox, eza, idna, libvirt, and OpenSC), Red Hat (container-tools:rhel8 and edk2), SUSE (avahi, curl, libsoup2, lxd, nodejs20, python-Django, python310-Django4, python312, squid, and webkit2gtk3), and Ubuntu (expat, intel-microcode, linux, linux-aws, linux-kvm, linux-lts-xenial, and shiro).
---------------------------------------------
https://lwn.net/Articles/1001728/
∗∗∗ Mozilla: Security Vulnerabilities fixed in Thunderbird 128.5.2 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2024-69/
∗∗∗ F5: K000148931: Linux kernel vulnerability CVE-2024-26923 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000148931
∗∗∗ Huawei: Security Advisory - Path Traversal Vulnerability in Huawei Home Music System ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2024/huawei-sa-ptvihhms-…
∗∗∗ Numerix: Reflected Cross-Site Scripting in Numerix License Server Administration System Login ∗∗∗
---------------------------------------------
https://sec-consult.com/vulnerability-lab/advisory/reflected-cross-site-scr…
∗∗∗ Splunk: SVD-2024-1207: Third-Party Package Updates in Splunk Universal Forwarder - December 2024 ∗∗∗
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2024-1207
∗∗∗ Splunk: SVD-2024-1206: Third-Party Package Updates in Splunk Enterprise - December 2024 ∗∗∗
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2024-1206
∗∗∗ Splunk: SVD-2024-1205: Remote Code Execution through Deserialization of Untrusted Data in Splunk Secure Gateway app ∗∗∗
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2024-1205
∗∗∗ Splunk: SVD-2024-1204: Sensitive Information Disclosure through SPL commands ∗∗∗
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2024-1204
∗∗∗ Splunk: SVD-2024-1203: Information Disclosure due to Username Collision with a Role that has the same Name as the User ∗∗∗
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2024-1203
∗∗∗ Splunk: SVD-2024-1202: Risky command safeguards bypass in “/en-US/app/search/report“ endpoint through “s“ parameter ∗∗∗
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2024-1202
∗∗∗ Splunk: SVD-2024-1201: Information Disclosure in Mobile Alert Responses in Splunk Secure Gateway ∗∗∗
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2024-1201
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 09-12-2024 18:00 − Dienstag 10-12-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Brute-Force-Angriffe auf exponierte Systeme ∗∗∗
---------------------------------------------
Aktuell werden dem BSI verstärkt Brute-Force-Angriffe gegen Citrix Netscaler Gateways aus verschiedenen KRITIS-Sektoren sowie von internationalen Partnern gemeldet. [..] Die aktuellen Angriffe heben sich aktuell lediglich in ihrer berichteten Menge von üblichen Angriffen dieser Art heraus. [..] Als Ziel der Brute-Force-Angriffe werden in aktuellen Berichten zwar Citrix Gateways gemeldet. Jedoch ist
diese Cyber-Sicherheitswarnung für alle exponierten Systeme, insbesondere VPN-Gateways, relevant.
---------------------------------------------
https://www.bsi.bund.de/SharedDocs/Cybersicherheitswarnungen/DE/2024/2024-2…
∗∗∗ Stark gestiegenes Aufkommen an Microsoft Remote Desktop Protokoll (RDP) Scanning ∗∗∗
---------------------------------------------
Ein internationaler Partner (Shadowserver) verzeichnet seit Anfang Dezember ein weltweit sehr stark gestiegenes Aufkommen (x160) an RDP "Scanning" in Wellen [1]. Ob es nur um Ausforschen offener RDP-Ports geht oder bereits weitere Handlungen gesetzt werden, ist aktuell unbekannt. Der Fokus scheint nicht auf dem RDP Standard-Port 3389, sondern auf Port 1098 zu liegen.
---------------------------------------------
https://www.cert.at/de/aktuelles/2024/12/stark-gestiegenes-aufkommen-an-mic…
∗∗∗ Microsoft ergreift Maßnahmen gegen NTLM-Relay-Angriffe ∗∗∗
---------------------------------------------
Ein Angriffsvektor zum Erlangen von Zugriff im Netz ist sogenanntes NTLM-Relaying. Das erschwert Microsoft nun mit neuen Maßnahmen.
---------------------------------------------
https://heise.de/-10194220
∗∗∗ Ultralytics PyPI Package Compromised Through GitHub Actions Cache Poisoning ∗∗∗
---------------------------------------------
Over the weekend, the popular Ultralytics PyPI package was compromised in a supply chain attack that was detected following reports of a discrepancy between the library’s code on GitHub and the code that was published to PyPI for v8.3.41.
---------------------------------------------
https://socket.dev/blog/ultralytics-pypi-package-compromised-through-github…
∗∗∗ Malware trends: eBPF exploitation, malware configurations stored in unexpected places, and increased use of custom post-exploitation tools ∗∗∗
---------------------------------------------
An investigation into an information security incident has allowed virus analysts at Doctor Web to uncover an ongoing campaign that incorporates many modern trends employed by cybercriminals. A client approached Doctor Web after suspecting that their computer infrastructure had been compromised. While analyzing the client’s data, our virus analysts identified a number of similar cases, leading them to conclude that an active campaign was underway.
---------------------------------------------
https://news.drweb.com/show/?i=14955&lng=en&c=9
∗∗∗ When User Input Lines Are Blurred: Indirect Prompt Injection Attack Vulnerabilities in AI LLMs ∗∗∗
---------------------------------------------
Indirect prompt attacks are when an LLM takes input from external sources but where an attacker gets to smuggle payloads (additional prompts!) into these external/side sources. These malicious additional prompts modify the overall prompt, breaking out of the data context as they are treated as instructions (they are additional prompts, commands, if you will) and, in turn, influence the initial user prompt provided together with the system prompt and with that, the subsequent actions and output.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/when-user-i…
∗∗∗ Inside Zloader’s Latest Trick: DNS Tunneling ∗∗∗
---------------------------------------------
Zloader (a.k.a. Terdot, DELoader, or Silent Night) is a modular Trojan based on the leaked Zeus source code that emerged in 2015. The malware was originally designed to facilitate banking fraud via Automated Clearing House (ACH) and wire transfers. However, similar to other malware families like Qakbot and Trickbot, Zloader has been repurposed for initial access, providing an entry point into corporate environments for the deployment of ransomware.
---------------------------------------------
https://www.zscaler.com/blogs/security-research/inside-zloader-s-latest-tri…
∗∗∗ Mit dem Bumble-Date ins Theater? Vorsicht vor Betrug! ∗∗∗
---------------------------------------------
Sie haben auf Bumble jemanden kennengelernt? Sie verstehen sich gut und wollen als erstes Date ins Theater gehen? Doch Ihr Ticket sollten Sie sich selbst auf einer unbekannten Plattform kaufen. Vorsicht, hinter dem vermeintlich perfekten Match stecken Kriminelle, die Sie in einen Fake-Shop locken.
---------------------------------------------
https://www.watchlist-internet.at/news/mit-dem-bumble-date-ins-theater-vors…
∗∗∗ Studie gemeinsam mit dem BSI: IT-Sicherheit von smarten Heizkörperthermostaten ∗∗∗
---------------------------------------------
Certitude führte im Auftrag des Bundesministerium für Sicherheit in der Informationstechnik (BSI) die technische Sicherheitsprüfung von smarten Heizkörperthermostaten durch. Die aus diesem Projekt entstandene und heute veröffentlichte Studie zeigt auf, dass es insbesondere beim Umgang mit Schwachstellen Nachholbedarf gibt.
---------------------------------------------
https://certitude.consulting/blog/de/bsi-studie-sicherheit-smarte-heizkorpe…
∗∗∗ Full-Face Masks to Frustrate Identification ∗∗∗
---------------------------------------------
It’s a video of someone trying on a variety of printed full-face masks. They won’t fool anyone for long, but will survive casual scrutiny. And they’re cheap and easy to swap.
---------------------------------------------
https://www.schneier.com/blog/archives/2024/12/full-face-masks-to-frustrate…
=====================
= Vulnerabilities =
=====================
∗∗∗ Transfer-Software von Cleo: Hinter Firewall bringen, Patch wirkungslos ∗∗∗
---------------------------------------------
Die Datenstransfer-Software von Cleo hatte eine Sicherheitslücke gestopft – jedoch unzureichend. Das Leck wird aktiv angegriffen.
---------------------------------------------
https://heise.de/-10193961
∗∗∗ Wordpress: WPForms-Plug-in reißt Sicherheitsleck in 6 Millionen Webseiten ∗∗∗
---------------------------------------------
Im Wordpress-Plug-in WPForms können Angreifer eine Lücke missbrauchen, um etwa Zahlungen rückabzuwickeln. Sechs Millionen Webseiten nutzen das Plug-in.
---------------------------------------------
https://heise.de/-10193387
∗∗∗ MC LR Router and GoCast unpatched vulnerabilities ∗∗∗
---------------------------------------------
Cisco Talos Vulnerability Research team recently discovered two vulnerabilities in MC Technologies LR Router and three vulnerabilities in the GoCast service. These vulnerabilities have not been patched at time of this posting.
---------------------------------------------
https://blog.talosintelligence.com/mc-lr-router-and-gocast-zero-day-vulnera…
∗∗∗ SAP-Patchday: Updates schließen teils kritische Sicherheitslücken ∗∗∗
---------------------------------------------
Im Dezember informiert SAP über neun neu entdeckte Sicherheitslücken in diversen Produkten. Eine davon gilt als kritisches Risiko.
---------------------------------------------
https://heise.de/-10193418
∗∗∗ Sicherheitsschwachstelle in Logitech MX Keys for Business (SYSS-2024-084) ∗∗∗
---------------------------------------------
SySS GmbH is currently not aware of a security fix for the described issue. [..] Due to the keyboard not enforcing any sort of authentication during the pairings, MX Keys for Business is vulnerable to machine-in-the-middle (MitM) attacks.
---------------------------------------------
https://www.syss.de/pentest-blog/sicherheitsschwachstelle-in-logitech-mx-ke…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (postgresql:15, postgresql:16, and ruby:3.1), Debian (jinja2), Fedora (python-multipart, python-python-multipart, python3.12, retsnoop, rust-rbspy, rust-rustls, and zabbix), Oracle (kernel, libsoup, postgresql:12, postgresql:13, postgresql:15, postgresql:16, redis:7, and ruby:3.1), SUSE (nodejs18, pam, qt6-webengine, and radare2), and Ubuntu (dogtag-pki, linux-intel-iotg, linux-intel-iotg-5.15, ofono, rabbitmq-server, and webkit2gtk).
---------------------------------------------
https://lwn.net/Articles/1001597/
∗∗∗ MOBATIME Network Master Clock ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-345-01
∗∗∗ Horner Automation Cscape ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-345-05
∗∗∗ Rockwell Automation Arena ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-345-06
∗∗∗ National Instruments LabVIEW ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-345-04
∗∗∗ Milesight UG67 Outdoor LoRaWAN Gateway rt-sa-2024-001 - rt-sa-2024-005 ∗∗∗
---------------------------------------------
https://www.redteam-pentesting.de/en/advisories/
∗∗∗ SSA-979056 V1.0: Out of Bounds Write Vulnerability in Parasolid ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-979056.html
∗∗∗ SSA-881356 V1.0: Multiple Memory Corruption Vulnerabilities in Simcenter Femap ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-881356.html
∗∗∗ SSA-800126 V1.0: Deserialization Vulnerability in Siemens Engineering Platforms before V20 ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-800126.html
∗∗∗ SSA-730188 V1.0: Multiple File Parsing Vulnerabilities in Solid Edge V2024 ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-730188.html
∗∗∗ SSA-701627 V1.0: XXE Injection Vulnerabilities in COMOS ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-701627.html
∗∗∗ SSA-645131 V1.0: Multiple WRL File Parsing Vulnerabilities in Teamcenter Visualization ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-645131.html
∗∗∗ SSA-620799 V1.0: Denial of Service Vulnerability During BLE Pairing in SENTRON Powercenter 1000/1100 ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-620799.html
∗∗∗ SSA-392859 V1.0: Local Arbitrary Code Execution Vulnerability in Siemens Engineering Platforms before V20 ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-392859.html
∗∗∗ SSA-384652 V1.0: Cross-Site Request Forgery (CSRF) Vulnerability in RUGGEDCOM ROX II ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-384652.html
∗∗∗ SSA-128393 V1.0: Firmware Decryption Vulnerability in SICAM A8000 CP-8031 and CP-8050 ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-128393.html
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily