- Daily - CERT.at

Tageszusammenfassung - 04.11.2024
by Daily end-of-shift report 04 Nov '24

04 Nov '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 31-10-2024 18:00 − Montag 04-11-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Thousands of hacked TP-Link routers used in years-long account takeover attacks ∗∗∗ --------------------------------------------- The botnet is being skillfully used to launch "highly evasive" password-spraying attacks. --------------------------------------------- https://arstechnica.com/information-technology/2024/11/microsoft-warns-of-8… ∗∗∗ DDoS site Dstat.cc seized and two suspects arrested in Germany ∗∗∗ --------------------------------------------- The Dstat.cc DDoS review platform has been seized by law enforcement, and two suspects have been arrested after the service helped fuel distributed denial-of-service attacks for years. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ddos-site-dstatcc-seized-and… ∗∗∗ Cisco says DevHub site leak won’t enable future breaches ∗∗∗ --------------------------------------------- Cisco says that non-public files recently downloaded by a threat actor from a misconfigured public-facing DevHub portal dont contain information that could be exploited in future breaches of the companys systems. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cisco-says-devhub-site-leak-… ∗∗∗ Ware nicht geliefert: Betrüger hacken Tausende Webshops und kassieren Millionen ∗∗∗ --------------------------------------------- Hacker haben seit 2019 im Rahmen einer Betrugskampagne unzählige Onlineshops infiltriert. Käufer bestimmter Produkte erhielten .. --------------------------------------------- https://www.golem.de/news/ware-nicht-geliefert-betrueger-hacken-tausende-we… ∗∗∗ From Naptime to Big Sleep: Using Large Language Models To Catch Vulnerabilities In Real-World Code ∗∗∗ --------------------------------------------- In our previous post, Project Naptime: Evaluating Offensive Security Capabilities of Large Language Models, we introduced our framework for large-language-model-assisted vulnerability research and demonstrated its potential by improving the state-of-the-art performance on Meta's CyberSecEval2 benchmarks. Since then, Naptime has evolved into Big Sleep, a collaboration between Google Project Zero and Google DeepMind. --------------------------------------------- https://googleprojectzero.blogspot.com/2024/10/from-naptime-to-big-sleep.ht… ∗∗∗ Inside Iran’s Cyber Playbook: AI, Fake Hosting, and Psychological Warfare ∗∗∗ --------------------------------------------- U.S. and Israeli cybersecurity agencies have published a new advisory attributing an Iranian cyber group to targeting the 2024 Summer Olympics and compromising a French commercial dynamic display provider to show messages denouncing Israels participation .. --------------------------------------------- https://thehackernews.com/2024/11/inside-irans-cyber-playbook-ai-fake.html ∗∗∗ Financial institutions told to get their house in order before the next CrowdStrike strikes ∗∗∗ --------------------------------------------- Calls for improvements will soon turn into demands when new rules come into force The UKs finance regulator is urging all institutions under its remit to better prepare for IT meltdowns like .. --------------------------------------------- https://www.theregister.com/2024/11/02/fca_it_resilience/ ∗∗∗ Booking.com Phishers May Leave You With Reservations ∗∗∗ --------------------------------------------- A number of cybercriminal innovations are making it easier for scammers to cash in on your upcoming travel plans. This story examines a recent spear-phishing campaign that ensued when a California hotel had its booking.com credentials stolen. Well .. --------------------------------------------- https://krebsonsecurity.com/2024/11/booking-com-phishers-may-leave-you-with… ∗∗∗ Kostenlose Webinare zum Schutz im Internet ∗∗∗ --------------------------------------------- Ab 2. Dezember finden in Kooperation mit der AK Oberösterreich und Saferinternet.at spannende Webinare zum sicheren und verantwortungsvollen Umgang mit Handy und Internet statt. Erweitern Sie Ihre digitalen Kompetenzen und .. --------------------------------------------- https://www.watchlist-internet.at/news/kostenlose-webinare-zum-schutz-im-in… ∗∗∗ TA Phone Home: EDR Evasion Testing Reveals Extortion Actors Toolkit ∗∗∗ --------------------------------------------- A threat actor attempted to use an AV/EDR bypass tool in an extortion attempt. Instead, the tool provided Unit 42 insight into the threat actor. --------------------------------------------- https://unit42.paloaltonetworks.com/edr-bypass-extortion-attempt-thwarted/ ∗∗∗ FBI wants more info on hackers behind Sophos exploitation after report on China’s intrusions ∗∗∗ --------------------------------------------- The FBI is asking the public for help in tracking down the people behind a series of intrusions into edge devices and networks. --------------------------------------------- https://therecord.media/fbi-hackers-china-wants-info ∗∗∗ Kimsuky Group’s Malware Disguised as Lecture Request Form (MSC, HWP) ∗∗∗ --------------------------------------------- Recently, malware disguised as a lecture request form targeting specific users was identified. The distributed files include Hangul Word Processor (HWP) documents and files in MSC format, which download additional malicious files. Decoy document files used to disguise as legitimate documents have been found to sometimes contain .. --------------------------------------------- https://asec.ahnlab.com/en/84181/ ∗∗∗ Supply Chain Attack Using Ethereum Smart Contracts to Distribute Multi-Platform Malware ∗∗∗ --------------------------------------------- age “jest-fet-mock,” which implements a different approach using Ethereum smart contracts for command-and-control operations. The package masquerades as a popular testing utility while distributing malware across Windows, Linux, and macOS platforms. This discovery represents a notable difference in supply chain attack methodologies, combining .. --------------------------------------------- https://checkmarx.com/blog/supply-chain-attack-using-ethereum-smart-contrac… ∗∗∗ Hackers Claim Access to Nokia Internal Data, Selling for $20,000 ∗∗∗ --------------------------------------------- Hackers claim to have breached Nokia through a third-party contractor, allegedly stealing SSH keys, source code, and internal --------------------------------------------- https://hackread.com/hackers-claim-access-nokia-internal-data-selling-20k/ ∗∗∗ Mallox Ransomware ∗∗∗ --------------------------------------------- FortiGuard Labs continue to see increase in Mallox ransomware related activities detecting Mallox ransomware on multiple hundred FortiGuard sensors. Ransomware infection may cause disruption, damage to daily operations, .. --------------------------------------------- https://fortiguard.fortinet.com/outbreak-alert/mallox-ransomware ∗∗∗ Missing Link: Wie ein Unternehmen bei einem Cyberangriff die Kontrolle verlor ∗∗∗ --------------------------------------------- Eigentlich fühlt sich der IT-Chef recht sicher. Bis Hacker mitten am Tag in die Firma marschieren – und unbehelligt wieder raus. Die Beute: volle Kontrolle. --------------------------------------------- https://heise.de/-9984869 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (firefox, grafana, kernel, and mod_http2), Debian (chromium, openssl, and thunderbird), Fedora (chromium, krb5, mysql8.0, polkit, python-single-version, and webkitgtk), Mageia (bind, buildah, podman, skopeo, kernel, kmod-xtables-addons. kmod-virtualbox, kernel-firmware & kernel-firmware-nonfree radeon-firmware, .. --------------------------------------------- https://lwn.net/Articles/996908/ ∗∗∗ WordPress Vulnerability & Patch Roundup October 2024 ∗∗∗ --------------------------------------------- https://blog.sucuri.net/2024/11/wordpress-vulnerability-patch-roundup-octob… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 31.10.2024
by Daily end-of-shift report 31 Oct '24

31 Oct '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 30-10-2024 18:00 − Donnerstag 31-10-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ With 2FA Enabled: NPM Package lottie-player Taken Over by Attackers ∗∗∗ --------------------------------------------- On October 30, the community reported existence of malicious code within versions 2.0.5, 2.0.6, and 2.0.7 of the npm package. The package maintainers replied and confirmed the attackers were able to take over the NPM package using a leaked automation token which was used to automate publications of NPM packages. --------------------------------------------- https://checkmarx.com/blog/with-2fa-enabled-npm-package-lottie-player-taken… ∗∗∗ GreyNoise Intelligence Discovers Zero-Day Vulnerabilities in Live Streaming Cameras with the Help of AI ∗∗∗ --------------------------------------------- Affected devices are typically high-cost live streaming cameras, sometimes exceeding several thousand dollars. [..] Affected devices use VHD PTZ camera firmware < 6.3.40 used in PTZOptics, Multicam Systems SAS, and SMTAV Corporation devices based on Hisilicon Hi3516A V600 SoC V60, V61, and V63. These cameras, which feature an embedded web server allowing for direct access by web browser, are reportedly deployed in environments where reliability and privacy are crucial, including: Industrial and manufacturing plants [..] Business conferences [..] Healthcare settings [..] State and local government environments [..] Houses of worship --------------------------------------------- https://www.greynoise.io/blog/greynoise-intelligence-discovers-zero-day-vul… ∗∗∗ Midnight Blizzard conducts large-scale spear-phishing campaign using RDP files ∗∗∗ --------------------------------------------- Microsoft is releasing this blog to notify the public and disrupt this threat actor activity. This blog provides context on these external spear-phishing attempts, which are common attack techniques and do not represent any new compromise of Microsoft. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-… ∗∗∗ Discovering Hidden Vulnerabilities in Portainer with CodeQL ∗∗∗ --------------------------------------------- In this blog, we will show how we used CodeQL to find these vulnerabilities and even wrote custom queries to find a specific vulnerability. --------------------------------------------- https://www.cyberark.com/resources/threat-research-blog/discovering-hidden-… ∗∗∗ Loose-lipped neural networks and lazy scammers ∗∗∗ --------------------------------------------- As large language models improve, their strengths and weaknesses, as well as the tasks they do well or poorly, are becoming better understood. Threat actors are exploring applications of this technology in a range of automation scenarios. But, as we see, they sometimes commit blunders that help shed light on how they use LLMs, at least in the realm of online fraud. --------------------------------------------- https://securelist.com/llm-phish-blunders/114367/ ∗∗∗ Mounting memory with MemProcFS for advanced memory forensics ∗∗∗ --------------------------------------------- Whilst this blog does not intend to go into any detail into some of the most popular tools available to analyse memory, nor a deep dive into analysis techniques it is intended to provide high level information about some significant enhances to memory forensics in the last few years and the difference in tooling. This also covers three memory forensic tools; many others are available. --------------------------------------------- https://www.pentestpartners.com/security-blog/mounting-memory-with-memprocf… ∗∗∗ The Persistent Perimeter Threat: Strategic Insights from a Multi-Year APT Campaign Targeting Edge Devices ∗∗∗ --------------------------------------------- Discover insights from a multi-year APT campaign that exploited network perimeter vulnerabilities to target high-value entities, revealing critical gaps in edge device security. --------------------------------------------- https://www.greynoise.io/blog/the-persistent-perimeter-threat-strategic-ins… ∗∗∗ Auditing K3s Clusters ∗∗∗ --------------------------------------------- K3s shares a great deal with standard Kubernetes, but its lightweight implementation comes with some challenges and opportunities in the security sphere. --------------------------------------------- https://www.nccgroup.com/us/research-blog/auditing-k3s-clusters/ ===================== = Vulnerabilities = ===================== ∗∗∗ LiteSpeed Cache WordPress plugin bug lets hackers get admin access ∗∗∗ --------------------------------------------- The free version of the popular WordPress plugin LiteSpeed Cache has fixed a dangerous privilege elevation flaw on its latest release that could allow unauthenticated site visitors to gain admin rights. [..] The newly discovered high-severity flaw tracked as CVE-2024-50550 is caused by a weak hash check in the plugin's "role simulation" feature, designed to simulate user roles to aid the crawler in site scans from different user levels. --------------------------------------------- https://www.bleepingcomputer.com/news/security/litespeed-cache-wordpress-pl… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr and openssl), Fedora (firefox, libarchive, micropython, NetworkManager-libreswan, and xorg-x11-server-Xwayland), Red Hat (nano), Slackware (mozilla-firefox, mozilla-thunderbird, tigervnc, and xorg), SUSE (389-ds, Botan, go1.21-openssl, govulncheck-vulndb, java-11-openjdk, lxc, python-Werkzeug, and uwsgi), and Ubuntu (firefox, libarchive, linux-azure-fde, linux-azure-fde-5.15, python-pip, and xorg-server, xorg-server-hwe-16.04, xorg-server-hwe-18.04). --------------------------------------------- https://lwn.net/Articles/996526/ ∗∗∗ Drupal: Cookiebot + GTM - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-055 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2024-055 ∗∗∗ Bosch: DoS vulnerability on IndraDrive ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-315415.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.10.2024
by Daily end-of-shift report 30 Oct '24

30 Oct '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 29-10-2024 18:00 − Mittwoch 30-10-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Hackers steal 15,000 cloud credentials from exposed Git config files ∗∗∗ --------------------------------------------- A global large-scale dubbed "EmeraldWhale" exploited misconfigured Git configuration files to steal over 15,000 cloud account credentials from thousands of private repositories. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-steal-15-000-cloud-c… ∗∗∗ Jumpy Pisces Engages in Play Ransomware ∗∗∗ --------------------------------------------- Jumpy Pisces, also known as Andariel and Onyx Sleet, was historically involved in cyberespionage, financial crime and ransomware attacks. [..] We expect their attacks will increasingly target a wide range of victims globally. Network defenders should view Jumpy Pisces activity as a potential precursor to ransomware attacks, not just espionage, underscoring the need for heightened vigilance. --------------------------------------------- https://unit42.paloaltonetworks.com/north-korean-threat-group-play-ransomwa… ∗∗∗ Writing a BugSleep C2 server and detecting its traffic with Snort ∗∗∗ --------------------------------------------- In June 2024, security researchers published their analysis of a novel implant dubbed “MuddyRot”(aka "BugSleep"). [..] This blog will demonstrate the practice and methodology of reversing BugSleep’s protocol, writing a functional C2 server, and detecting this traffic with Snort. --------------------------------------------- https://blog.talosintelligence.com/writing-a-bugsleep-c2-server/ ∗∗∗ Cryptocurrency Enthusiasts Targeted in Multi-Vector Supply Chain Attack ∗∗∗ --------------------------------------------- Cryptocurrency enthusiasts have been the target of another sophisticated and invasive malware campaign. This campaign was orchestrated through multiple attack vectors, including a malicious Python package named “cryptoaitools” on PyPI and deceptive GitHub repositories. This multi-stage malware, masquerading as a suite of cryptocurrency trading tools, aims to steal a wide range of sensitive data and drain victims’ crypto wallets. --------------------------------------------- https://checkmarx.com/blog/cryptocurrency-enthusiasts-targeted-in-multi-vec… ∗∗∗ New “Scary” FakeCall Malware Captures Photos and OTPs on Android ∗∗∗ --------------------------------------------- A new, more sophisticated variant of the FakeCall malware is targeting Android devices. [..] The FakeCall malware typically infiltrates a device through a malicious app downloaded from a compromised website or a phishing email. The app requests permission to become the default call handler. If granted, the malware gains extensive privileges. --------------------------------------------- https://hackread.com/scary-fakecall-malware-captures-photos-otps-android/ ===================== = Vulnerabilities = ===================== ∗∗∗ Nach Pwn2Own: QNAP und Synology patchen ausgenutzte NAS-Lücken ∗∗∗ --------------------------------------------- Für auf der Pwn2Own ausgenutzte TrueNAS-Lücken scheint es derweil noch keine Patches zu geben – dafür aber Hinweise, wie Nutzer ihre Systeme vor möglichen Angriffen schützen können. [..] Erste Patches gibt es beispielsweise von Synology. Das Unternehmen hat schon am 25. Oktober Updates für Beephotos für Beestation OS 1.0 und 1.1 sowie Synology Photos 1.7 und 1.6 für DSM 7.2 bereitgestellt. Diese schließen jeweils eine kritische Sicherheitslücke, die es Angreifern erlaubt, aus der Ferne Schadcode auszuführen. --------------------------------------------- https://www.golem.de/news/nach-pwn2own-qnap-und-synology-patchen-ausgenutzt… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (buildah), Debian (python-git, texlive-bin, and xorg-server), Mageia (chromium-browser-stable), Red Hat (kernel), SUSE (Botan, go1.22-openssl, go1.23-openssl, grafana, libgsf, pcp, pgadmin4, python310-pytest-html, python313, xorg-x11-server, and xwayland), and Ubuntu (nano, python-urllib3, and xorg-server, xwayland). --------------------------------------------- https://lwn.net/Articles/996310/ ∗∗∗ QNAP: Vulnerability in SMB Service (PWN2OWN 2024) ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-24-42 ∗∗∗ SPLUNK: SVD-2024-1015: Third-Party Package Updates in the Splunk Add-on for Cisco Meraki - October 2024 ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2024-1015 ∗∗∗ SPLUNK: SVD-2024-1014: Third-Party Package Updates in the Splunk Add-on for Google Cloud Platform - October 2024 ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2024-1014 ∗∗∗ Ping Identity PingIDM: Query Filter Injection in Ping Identity PingIDM (formerly known as ForgeRock Identity Management) ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/query-filter-injectio… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.10.2024
by Daily end-of-shift report 29 Oct '24

29 Oct '24

===================== = End-of-Day report = ===================== Timeframe: Montag 28-10-2024 18:00 − Dienstag 29-10-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ New tool bypasses Google Chrome’s new cookie encryption system ∗∗∗ --------------------------------------------- A researcher has released a tool to bypass Googles new App-Bound encryption cookie-theft defenses and extract saved credentials from the Chrome web browser. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-tool-bypasses-google-chr… ∗∗∗ Exchange Online: Inbound SMTP DANE mit DNSSEC verfügbar ∗∗∗ --------------------------------------------- Microsoft hat das Inbound SMTP DANE mit DNSSEC für Exchange Online allgemein freigegeben, nachdem das Ganze bereits im Juli 2024 als Preview verfügbar war. Mit der neuen Funktion Inbound SMTP DANE with DNSSEC in Exchange Online soll die Sicherheit der E-Mail-Kommunikation durch die Unterstützung zweier Sicherheitsstandards erhöht werden. --------------------------------------------- https://www.borncity.com/blog/2024/10/29/exchange-online-inbound-smtp-dane-… ∗∗∗ Ransomware-Angriffe auf Sonicwall SSL-VPNs ∗∗∗ --------------------------------------------- IT-Forscher haben Attacken auf Sonicwall SSL-VPNs untersucht und dabei Ransomware-Aktivitäten von Akira und Fog entdeckt. [..] Die Sonicwall-Geräte, durch die die Täter einbrechen konnten, waren allesamt nicht gegen die Schwachstelle CVE-2024-40766 gepatcht – mit einem CVSS-Wert von 9.3 gilt sie als kritisches Risiko. Anfang September warnte Sonicwall, dass diese Sicherheitslücke in den SSL-VPNs bereits aktiv angegriffen wird, und wies nochmals auf die verfügbaren Updates hin, die das Sicherheitsleck stopfen. --------------------------------------------- https://heise.de/-9998068 ∗∗∗ New Research Reveals Spectre Vulnerability Persists in Latest AMD and Intel Processors ∗∗∗ --------------------------------------------- More than six years after the Spectre security flaw impacting modern CPU processors came to light, new research has found that the latest AMD and Intel processors are still susceptible to speculative execution attacks. [..] The attack has been described as the first, practical "end-to-end cross-process Spectre leak." --------------------------------------------- https://thehackernews.com/2024/10/new-research-reveals-spectre.html ∗∗∗ What Are My OPTIONS? CyberPanel v2.3.6 pre-auth RCE ∗∗∗ --------------------------------------------- Few months ago I was assigned to do a pentest on a target running CyberPanel. It seemed to be installed by default by some VPS providers & it was also sponsored by Freshworks. [..] if you’re a beginner with a creative mind looking to get started with code review, I definitely recommend you read this blog. --------------------------------------------- https://dreyand.rs/code/review/2024/10/27/what-are-my-options-cyberpanel-v2… ∗∗∗ Vorsicht vor dieser Instagram-Nachricht: „Ich brauche deine Hilfe“ ∗∗∗ --------------------------------------------- „Ich brauche deine Hilfe“ schreibt eine bekannte Person oder auch ein Freund oder eine Freundin auf Instagram. Die Person bittet Sie, bei einem Voting für sie abzustimmen und schickt Ihnen einen Link. Vorsicht: Es handelt sich um eine Betrugsmasche! --------------------------------------------- https://www.watchlist-internet.at/news/instagram-nachricht-hilfe/ ===================== = Vulnerabilities = ===================== ∗∗∗ QNAP: Vulnerability in HBS 3 Hybrid Backup Sync (PWN2OWN 2024) ∗∗∗ --------------------------------------------- An OS command injection vulnerability has been reported to affect HBS 3 Hybrid Backup Sync. If exploited, the vulnerability could allow remote attackers to execute arbitrary commands. Critical, CVE-2024-50388 --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-24-41 ∗∗∗ Spring: Authorization Bypass of Static Resources in WebFlux Applications ∗∗∗ --------------------------------------------- Spring WebFlux applications that have Spring Security authorization rules on static resources can be bypassed under certain circumstances. CRITICAL, CVE-2024-38821 --------------------------------------------- https://spring.io/security/cve-2024-38821/ ∗∗∗ Auch verfügbar: Updates für iOS 17, macOS 14 und macOS 13 – mit Sicherheitsfixes ∗∗∗ --------------------------------------------- Apple hat neben iOS 18.1, iPadOS 18.1 und macOS 15.1 auch Updates für ältere Betriebssysteme bereitgestellt. Sie beheben nur Sicherheitsprobleme. --------------------------------------------- https://heise.de/-9997116 ∗∗∗ Mozilla Security Advisories October 29, 2024 ∗∗∗ --------------------------------------------- Thunderbird 132, Thunderbird 128.4, Firefox ESR 115.17, Firefox ESR 128.4 and Firefox 132. --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/ ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (exim4) and SUSE (chromium, openssl-1_1, and openssl-3). --------------------------------------------- https://lwn.net/Articles/996196/ ∗∗∗ 0patch: We Patched CVE-2024-38030, Found Another Windows Themes Spoofing Vulnerability (0day) ∗∗∗ --------------------------------------------- https://blog.0patch.com/2024/10/we-patched-cve-2024-38030-found-another.html ∗∗∗ OneDev Security Update Advisory (CVE-2024-45309) ∗∗∗ --------------------------------------------- https://asec.ahnlab.com/en/84118/ ∗∗∗ Solar-Log Base 15 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-303-02 ∗∗∗ Delta Electronics InfraSuite Device Master ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-303-03 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.10.2024
by Daily end-of-shift report 28 Oct '24

28 Oct '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 25-10-2024 18:00 − Montag 28-10-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ Amazon seizes domains used in rogue Remote Desktop campaign to steal data ∗∗∗ --------------------------------------------- Amazon has seized domains used by the Russian APT29 hacking group in targeted attacks against government and military organizations to steal Windows credentials and data using malicious Remote Desktop Protocol connection files. --------------------------------------------- https://www.bleepingcomputer.com/news/security/amazon-seizes-domains-used-i… ∗∗∗ Redline, Meta infostealer malware operations seized by police ∗∗∗ --------------------------------------------- The Dutch National Police seized the network infrastructure for the Redline and Meta infostealer malware operations in "Operation Magnus," warning cybercriminals that their data is now in the hands of the law enforcement. --------------------------------------------- https://www.bleepingcomputer.com/news/legal/redline-meta-infostealer-malwar… ∗∗∗ 70 Zero-Day-Lücken ausgenutzt: Pwn2Own-Hacker knacken Samsung Galaxy S24 und mehr ∗∗∗ --------------------------------------------- Bei dem Wettbewerb wurden auch diverse Kameras, Drucker und NAS-Systeme attackiert. An ein Pixel 8 oder iPhone 15 hat sich aber niemand rangetraut. --------------------------------------------- https://www.golem.de/news/70-zero-day-luecken-ausgenutzt-pwn2own-hacker-kna… ∗∗∗ The Windows Registry Adventure #4: Hives and the registry layout ∗∗∗ --------------------------------------------- To a normal user or even a Win32 application developer, the registry layout may seem simple: there are five root keys that we know from Regedit (abbreviated as HKCR, HKLM, HKCU, HKU and HKCC), and each of them contains a nested tree structure that serves a specific role in the system. But as one tries to dig deeper and understand how the registry .. --------------------------------------------- https://googleprojectzero.blogspot.com/2024/10/the-windows-registry-adventu… ∗∗∗ Notorious Hacker Group TeamTNT Launches New Cloud Attacks for Crypto Mining ∗∗∗ --------------------------------------------- The infamous cryptojacking group known as TeamTNT appears to be readying for a new large-scale campaign targeting cloud-native environments for mining cryptocurrencies and renting out breached servers to third-parties."The group is currently .. --------------------------------------------- https://thehackernews.com/2024/10/notorious-hacker-group-teamtnt-launches.h… ∗∗∗ Cybercriminals Pose a Greater Threat of Disruptive US Election Hacks Than Russia or China ∗∗∗ --------------------------------------------- A report distributed by the US Department of Homeland Security warned that financially motivated cybercriminals are more likely to attack US election infrastructure than state-backed hackers. --------------------------------------------- https://www.wired.com/story/cybercriminals-disruptive-hacking-us-elections-… ∗∗∗ Vulnerabilities of Realtek SD card reader driver, part 1 ∗∗∗ --------------------------------------------- These vulnerabilities enable non-privileged users to leak the contents of kernel pool and kernel stack, write to arbitrary kernel memory, and, the most interesting, read and write physical memory from user mode via the DMA capability of the device. The vulnerabilities have remained undisclosed for years, affecting many OEMs, including Dell, .. --------------------------------------------- https://zwclose.github.io/2024/10/14/rtsper1.html ∗∗∗ Inside the Open Directory of the “You Dun” Threat Group ∗∗∗ --------------------------------------------- The DFIR Report’s Threat Intel Team detected an open directory in January 2024 and analyzed it for trade craft and threat actor activity. Once reviewed, we identified it was related to the Chinese speaking hacking group that call themselves “You Dun” .. --------------------------------------------- https://thedfirreport.com/2024/10/28/inside-the-open-directory-of-the-you-d… ∗∗∗ Die NSA empfiehlt wöchentliches Smartphone-Reboot ∗∗∗ --------------------------------------------- Interessante Information, die mir die Woche untergekommen ist. Die US-Sicherheitsbehörde NSA (National Security Agency, Inlandsgeheimdienst) empfiehlt einmal wöchentlich sein Smartphone neu zu starten. Das ganze hat einen sicherheitstechnischen Hintergrund. Durch den Neustart soll Malware, die nicht persistent .. --------------------------------------------- https://www.borncity.com/blog/2024/10/27/die-nsa-empfiehlt-woechentliches-s… ∗∗∗ Anatomy of an LLM RCE ∗∗∗ --------------------------------------------- As large language models (LLMs) become more advanced and are granted additional capabilities by developers, security risks increase dramatically. Manipulated LLMs are no longer just a .. --------------------------------------------- https://www.cyberark.com/resources/threat-research-blog/anatomy-of-an-llm-r… ∗∗∗ Hybrid Russian Espionage and Influence Campaign Aims to Compromise Ukrainian Military Recruits and Deliver Anti-Mobilization Narratives ∗∗∗ --------------------------------------------- In September 2024, Google Threat Intelligence Group (consisting of Google’s Threat Analysis Group (TAG) and Mandiant) discovered UNC5812, a suspected Russian hybrid espionage and influence operation, delivering Windows and Android malware using a Telegram persona named "Civil Defense". "Civil Defense" claims to be a provider of free .. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/russian-espionage-… ∗∗∗ Secure Coding: Unbefugten Zugriff durch Path Traversal (CWE-22) verhindern ∗∗∗ --------------------------------------------- CWE-22 beschreibt die unsachgemäße Veränderung eines Pfadnamens auf ein eingeschränktes Verzeichnis. Wie lässt sich die Schwachstelle in den Griff bekommen? --------------------------------------------- https://heise.de/-9982270 ∗∗∗ Black Basta-Gruppe nutzt Microsoft Teams-Chatfunktion ∗∗∗ --------------------------------------------- Die als "Black Basta" bekannte Ransomware-Gruppe hat einen neuen Mechanismus entwickelt, der die Chatfunktion von Microsoft Teams zur Kontaktaufnahme ausnutzt. --------------------------------------------- https://heise.de/-9995322 ∗∗∗ Nvidia: Rechteausweitung durch Sicherheitslücken in Grafiktreiber möglich ∗∗∗ --------------------------------------------- Nvidia warnt vor mehreren Sicherheitslücken in den Grafiktreibern, die etwa das Ausweiten der Rechte ermöglichen. Updates stehen bereit. --------------------------------------------- https://heise.de/-9995842 ∗∗∗ Lagebericht 2024: Fast 8 Millionen Mal installierte Malware in Google Play ∗∗∗ --------------------------------------------- IT-Forscher haben die mobile-Malware-Situation der vergangenen 12 Monate untersucht. Mehr als 200 App-Fälschungen lauerten in Google Play. --------------------------------------------- https://heise.de/-9996456 ∗∗∗ VMware Tanzu Spring Security: Umgehung von Autorisierungsregeln möglich ∗∗∗ --------------------------------------------- In VMware Tanzu Spring Security klafft eine kritische Sicherheitslücke, die Angreifern die Umgehung von Autorisierungsregeln ermöglicht. --------------------------------------------- https://heise.de/-9996582 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (kernel, python3.12, and python3.9), Debian (activemq, chromium, libheif, nss, and twisted), Fedora (chromium, dnsdist, dotnet8.0, edk2, glibc, libdigidocpp, mbedtls3.6, NetworkManager-libreswan, oath-toolkit, podman-tui, prometheus-podman-exporter, python-fastapi, python-openapi-core, .. --------------------------------------------- https://lwn.net/Articles/996085/ ∗∗∗ Chatwork Desktop Application (Windows) uses a potentially dangerous function ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN78335885/ ∗∗∗ K000148252: Python tarfile vulnerability CVE-2024-6232 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000148252 ∗∗∗ K000148256: libarchive vulnerability CVE-2018-1000880 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000148256 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.10.2024
by Daily end-of-shift report 25 Oct '24

25 Oct '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 24-10-2024 18:00 − Freitag 25-10-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Denial of Service in Cisco ASA & FTD und weitere Cisco Advisories ∗∗∗ --------------------------------------------- Cisco berichtet in einem kürzlich veröffentlichten Advisory, sich "malicious use" einer Denial-of-Service Sicherheitslücke in Cisco Adaptive Security Appliance & Firepower Threat Defense Software Remote Access VPN bewusst zu sein. Berichten nach handelt es sich hierbei aber nicht um gezielte Denial-of-Service Angriffe, sondern um Seiteneffekte von breitgestreuten Brute-Force oder Credential-Spraying Attacken. --------------------------------------------- https://www.cert.at/de/aktuelles/2024/10/denial-of-service-in-cisco-asa-ftd… ∗∗∗ Objektorientiert und weniger redundant: Das BSI stellt den IT-Grundschutz++ vor ∗∗∗ --------------------------------------------- Das BSI hat sich das Ziel gesetzt, den IT-Grundschutz anwenderfreundlicher zu machen. Dafür setzt man auf Maschinenlesbarkeit und eine schlankere Dokumentation. --------------------------------------------- https://heise.de/-9994010 ∗∗∗ AWS Cloud Development Kit Vulnerability Exposes Users to Potential Account Takeover Risks ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed a security flaw impacting Amazon Web Services (AWS) Cloud Development Kit (CDK) that could have resulted in an account takeover under specific circumstances. [..] Following responsible disclosure on June 27, 2024, the issue was addressed by the project maintainers in CDK version 2.149.0 released in July. --------------------------------------------- https://thehackernews.com/2024/10/aws-cloud-development-kit-vulnerability.h… ∗∗∗ NotLockBit: ransomware discovery serves as wake-up call for Mac users ∗∗∗ --------------------------------------------- Historically, Mac users havent had to worry about malware as much as their Windows-using cousins. But that doesnt mean that Mac users should be complacent. And the recent discovery of a new malware strain emphasises that the threat - even if much smaller than on Windows - remains real. --------------------------------------------- https://www.tripwire.com/state-of-security/notlockbit-rransomware-discovery… ∗∗∗ Embargo ransomware: Rock’n’Rust ∗∗∗ --------------------------------------------- Novice ransomware group Embargo is testing and deploying a new Rust-based toolkit --------------------------------------------- https://www.welivesecurity.com/en/eset-research/embargo-ransomware-rocknrus… ∗∗∗ From crisis to confidence: How the University of Rijeka used a network breach to reboot their cybersecurity ∗∗∗ --------------------------------------------- How would your institution respond if a seemingly ordinary system check uncovered a major security incident? That’s exactly what the University of Rijeka faced when a member of the IT team discovered an unauthorised virtual machine template during a routine check — just as a new academic year began. --------------------------------------------- https://connect.geant.org/2024/10/25/from-crisis-to-confidence-how-the-univ… ∗∗∗ Moderne Datenkraken: Smart-TVs tracken sogar HDMI-Inhalte ∗∗∗ --------------------------------------------- Smart-TVs werten sogar dann Bildinhalte aus, wenn ein HDMI-Zuspieler genutzt wird. Die Analysen dienen gezielter Werbung. --------------------------------------------- https://heise.de/-9994787 ∗∗∗ Vonovia in der Kritik: Smarte Rauchmelder bergen Risiko der Spionage ∗∗∗ --------------------------------------------- Die Rauchmelder erfassen allerhand Informationen über die Luftqualität und schicken sie durchs Internet - für Kriminelle ein willkommener Datenschatz. [..] Vonovia selbst verarbeitet die Daten angeblich nur in anonymisierter Form. --------------------------------------------- https://www.golem.de/news/vonovia-in-der-kritik-smarte-rauchmelder-bergen-r… ===================== = Vulnerabilities = ===================== NTR -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.10.2024
by Daily end-of-shift report 24 Oct '24

24 Oct '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 23-10-2024 18:00 − Donnerstag 24-10-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ New Qilin ransomware encryptor features stronger encryption, evasion ∗∗∗ --------------------------------------------- A new Rust-based variant of the Qilin (Agenda) ransomware strain, dubbed Qilin.B, has been spotted in the wild, featuring stronger encryption, better evasion from security tools, and the ability to disrupt data recovery mechanisms. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-qilin-ransomware-encrypt… ∗∗∗ Neue OpenSSL-Lücke ist gefährlich, aber sehr schwer auszunutzen ∗∗∗ --------------------------------------------- Während SuSE und BSI ein hohes Risiko sehen, verweist das OpenSSL-Projekt auf umfangreiche Vorbedingungen eines Exploits. Vorerst kommen keine Updates. [..] Das Risiko der Lücke mit der CVE-ID CVE-2024-9143 schätzten sie als niedrig ein, weil der Fehler schwierig auszunutzen sei. --------------------------------------------- https://heise.de/-9992067 ∗∗∗ Location tracking of phones is out of control. Here’s how to fight back. ∗∗∗ --------------------------------------------- Unique IDs assigned to Android and iOS devices threaten your privacy. Who knew? You likely have never heard of Babel Street or Location X, but chances are good that they know a lot about you and anyone else you know who keeps a phone nearby around the clock. --------------------------------------------- https://arstechnica.com/information-technology/2024/10/phone-tracking-tool-… ∗∗∗ Investigating volatile data with advanced memory forensics tools – part 1 ∗∗∗ --------------------------------------------- In this two post series I want to highlight how memory forensics plays a crucial role in enhancing forensic investigations. Specifically by providing access to volatile data that cannot be retrieved from storage devices like hard drives. --------------------------------------------- https://www.pentestpartners.com/security-blog/investigating-volatile-data-w… ===================== = Vulnerabilities = ===================== ∗∗∗ Kritische Zero-Day Schwachstelle in FortiManager wird aktiv ausgenutzt - Update verfügbar ∗∗∗ --------------------------------------------- In FortiManager wurde eine kritische Sicherheitslücke entdeckt, die bereits aktiv von Angreifern ausgenutzt wird. Die Schwachstelle ermöglicht es einem nicht authentifizierten Angreifer aus der Ferne, beliebigen Code oder Befehle auszuführen. CVE-2024-47575, CVSS Base Score: 9.8 --------------------------------------------- https://www.cert.at/de/warnungen/2024/10/kritische-zero-day-schwachstelle-i… ∗∗∗ Cisco meldet mehr als 35 Sicherheitslücken in Firewall-Produkten ∗∗∗ --------------------------------------------- Ciscos ASA, Firepower und Secure Firewall Management Center weisen teils kritische Sicherheitslücken auf. Mehr als 35 schließen nun verfügbare Updates. [..] Drei der Sicherheitsmeldungen behandeln als kritisches Risiko eingestufte Sicherheitslücken, elf solche mit hohem Risiko, 21 als mittleren Bedrohungsgrad eingestufte Schwachstellen und eine weitere Meldung hat informativen Charakter ohne Risikobewertung. --------------------------------------------- https://heise.de/-9992639 ∗∗∗ Drupal Security Advisories 2024-10-23 ∗∗∗ --------------------------------------------- Drupal released 5 security advisories. (1 Critical, 3 Moderately Critical, 1 Less Critical) --------------------------------------------- https://www.drupal.org/security ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (grafana, NetworkManager-libreswan, python3.11, and python39:3.9 and python39-devel:3.9), Fedora (dotnet6.0, koji, python-fastapi, python-openapi-core, python-platformio, python-starlette, rust-pyo3, rust-pyo3-build-config, rust-pyo3-ffi, rust-pyo3-macros, rust-pyo3-macros-backend, and yarnpkg), Oracle (grafana, kernel, linux-firmware, NetworkManager-libreswan, and python3.11), Slackware (php81), and SUSE (apache2, buildah, cups-filters, go1.21-openssl, podman, postgresql16, python-pyOpenSSL, and webkit2gtk3). --------------------------------------------- https://lwn.net/Articles/995550/ ∗∗∗ VU#123336: Vulnerable WiFi Alliance example code found in Arcadyan FMIMG51AX000J ∗∗∗ --------------------------------------------- https://kb.cert.org/vuls/id/123336 ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (October 14, 2024 to October 20, 2024) ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2024/10/wordfence-intelligence-weekly-wordpr… ∗∗∗ Unauthentifizierte Path Traversal Schwachstelle in Lawo AG vsm LTC Time Sync (vTimeSync) ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/unauthenticated-path-… ∗∗∗ iniNet Solutions SpiderControl SCADA PC HMI Editor ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-298-02 ∗∗∗ VIMESA VHF/FM Transmitter Blue Plus ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-298-01 ∗∗∗ Deep Sea Electronics DSE855 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-298-03 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.10.2024
by Daily end-of-shift report 23 Oct '24

23 Oct '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 22-10-2024 18:00 − Mittwoch 23-10-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ Exploit released for new Windows Server "WinReg" NTLM Relay attack ∗∗∗ --------------------------------------------- Proof-of-concept exploit code is now public for a vulnerability in Microsofts Remote Registry client that could be used to take control of a Windows domain by downgrading the security of the authentication process. --------------------------------------------- https://www.bleepingcomputer.com/news/security/exploit-released-for-new-win… ∗∗∗ Hackers exploit 52 zero-days on the first day of Pwn2Own Ireland ∗∗∗ --------------------------------------------- On the first day of Pwn2Own Ireland, participants demonstrated 52 zero-day vulnerabilities across a range of devices, earning a total of $486,250 in cash prizes. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-exploit-52-zero-days… ∗∗∗ Fortinet warns of new critical FortiManager flaw used in zero-day attacks ∗∗∗ --------------------------------------------- Fortinet publicly disclosed today a critical FortiManager API vulnerability, tracked as CVE-2024-47575, that was exploited in zero-day attacks to steal sensitive files containing configurations, IP addresses, and credentials for managed devices. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fortinet-warns-of-new-critic… ∗∗∗ Android und iOS: Fest codierte Cloud-Zugangsdaten in populären Apps entdeckt ∗∗∗ --------------------------------------------- Betroffen sind mehrere Apps mit teils Millionen von Downloads. Den Entdeckern zufolge gefährdet dies nicht nur Backend-Dienste, sondern auch Nutzerdaten. --------------------------------------------- https://www.golem.de/news/android-und-ios-fest-codierte-cloud-zugangsdaten-… ∗∗∗ Grandoreiro, the global trojan with grandiose ambitions ∗∗∗ --------------------------------------------- In this report, Kaspersky experts analyze recent Grandoreiro campaigns, new targets, tricks, and banking trojan versions. --------------------------------------------- https://securelist.com/grandoreiro-banking-trojan/114257/ ∗∗∗ The Crypto Game of Lazarus APT: Investors vs. Zero-days ∗∗∗ --------------------------------------------- Kaspersky GReAT experts break down the new campaign of Lazarus APT which uses social engineering and exploits a zero-day vulnerability in Google Chrome for financial gain. --------------------------------------------- https://securelist.com/lazarus-apt-steals-crypto-with-a-tank-game/114282/ ∗∗∗ CISA Warns of Active Exploitation of Microsoft SharePoint Vulnerability (CVE-2024-38094) ∗∗∗ --------------------------------------------- A high-severity flaw impacting Microsoft SharePoint has been added to the Known Exploited Vulnerabilities (KEV) catalog by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday, citing evidence of active .. --------------------------------------------- https://thehackernews.com/2024/10/cisa-warns-of-active-exploitation-of.html ∗∗∗ Achtung Fake-Shop: sparhimmel24.de ∗∗∗ --------------------------------------------- sparhimmel24.de ist ein betrügerischer Online-Shop, der Sie mit vermeintlichen Schnäppchen in die Falle lockt. Bestellungen werden trotz Bezahlung nicht geliefert. Wir zeigen Ihnen wie Sie Fake-Shops erkennen und sich vor Betrug schützen können. --------------------------------------------- https://www.watchlist-internet.at/news/achtung-fake-shop-sparhimmel24de ∗∗∗ Deceptive Delight: Jailbreak LLMs Through Camouflage and Distraction ∗∗∗ --------------------------------------------- We examine an LLM jailbreaking technique called "Deceptive Delight," a technique that mixes harmful topics with benign ones to trick AIs, with a high success rate.The post Deceptive Delight: Jailbreak LLMs Through Camouflage and Distraction appeared first on Unit 42. --------------------------------------------- https://unit42.paloaltonetworks.com/jailbreak-llms-through-camouflage-distr… ∗∗∗ Burning Zero Days: FortiJump FortiManager vulnerability used by nation state in espionage via MSPs ∗∗∗ --------------------------------------------- Did you know there’s widespread exploitation of FortiNet products going on using a zero day, and that there’s no CVE? Now you do. --------------------------------------------- https://doublepulsar.com/burning-zero-days-fortijump-fortimanager-vulnerabi… ∗∗∗ Threat Spotlight: WarmCookie/BadSpace ∗∗∗ --------------------------------------------- WarmCookie is a malware family that emerged in April 2024 and has been distributed via regularly conducted malspam and malvertising campaigns. --------------------------------------------- https://blog.talosintelligence.com/warmcookie-analysis/ ∗∗∗ Sicherheitslücke in Samsung-Android-Treiber wird angegriffen ∗∗∗ --------------------------------------------- Treiber für Samsungs Mobilprozessoren ermöglichen Angreifern das Ausweiten ihrer Rechte. Google warnt vor laufenden Angriffen darauf. --------------------------------------------- https://heise.de/-9991521 ∗∗∗ Public Report: WhatsApp Contacts Security Assessment ∗∗∗ --------------------------------------------- In May 2024, Meta engaged NCC Group’s Cryptography Services practice to perform a cryptography security assessment of selected aspects of the WhatsApp Identity Proof Linked Storage (IPLS) protocol implementation. IPLS underpins the WhatsApp Contacts solution, which aims to store .. --------------------------------------------- https://www.nccgroup.com/us/research-blog/public-report-whatsapp-contacts-s… ===================== = Vulnerabilities = ===================== ∗∗∗ SSA-333468: Multiple Vulnerabilities in InterMesh Subscriber Devices ∗∗∗ --------------------------------------------- InterMesh Subscriber devices contain multiple vulnerabilities that could allow an unauthenticated remote attacker to execute arbitrary code with root privileges. CVSS v4.0 Base Score: 10.0, CVE-2024-47901 --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-333468.html?ste_sid=23… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (dmitry, libheif, and python-sql), Fedora (suricata and wireshark), SUSE (cargo-c, libeverest, protobuf, and qemu), and Ubuntu (golang-1.22, libheif, unbound, and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/995293/ ∗∗∗ 2024-10-21: Cyber Security Advisory - ABB Relion 611, 615, 620, 630 series, REX610, REX640, SMU615, SSC600, Arctic solution, COM600, SPA ZC-400, SUE3000 Guidelines to Prevent Unauthorized Modifications of Firmware and Configuration ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=2NGA001911&Language… ∗∗∗ Authenticated Remote Code Execution in multiple Xerox printers ∗∗∗ --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/authenticated-remote-cod… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.10.2024
by Daily end-of-shift report 22 Oct '24

22 Oct '24

===================== = End-of-Day report = ===================== Timeframe: Montag 21-10-2024 18:00 − Dienstag 22-10-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ FortiManager: Update dichtet offenbar attackiertes Sicherheitsleck ab ∗∗∗ --------------------------------------------- Ohne öffentliche Informationen hat Fortinet Updates für FortiManager veröffentlicht. Sie schließen offenbar attackierte Sicherheitslücken. --------------------------------------------- https://heise.de/-9990393 ∗∗∗ Auch ein .rdp File kann gefährlich sein ∗∗∗ --------------------------------------------- Heute wurde in ganz Europa eine Spear-Phishing Kampagne beobachtet, bei der es darum geht, dass der Empfänger ein angehängtes RDP File öffnen soll. --------------------------------------------- https://www.cert.at/de/aktuelles/2024/10/auch-rdp-file-kann-gefahrlich-sein ∗∗∗ Security Flaw in Styras OPA Exposes NTLM Hashes to Remote Attackers ∗∗∗ --------------------------------------------- Details have emerged about a now-patched security flaw in Styras Open Policy Agent (OPA) that, if successfully exploited, could have led to leakage of New Technology LAN Manager (NTLM) hashes. --------------------------------------------- https://thehackernews.com/2024/10/security-flaw-in-styras-opa-exposes.html ∗∗∗ Pixel perfect Ghostpulse malware loader hides inside PNG image files ∗∗∗ --------------------------------------------- The Ghostpulse malware strain now retrieves its main payload via a PNG image file's pixels. This development, security experts say, is "one of the most significant changes" made by the crooks behind it since launching in 2023. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2024/10/22/ghostpulse_m… ∗∗∗ OpenSSL 3.4.0 released ∗∗∗ --------------------------------------------- Version 3.4.0 of the OpenSSL SSL/TLS library has been released. It adds anumber of new encryption algorithms, support for "directly fetchedcomposite signature algorithms such as RSA-SHA2-256", and more. See therelease notes for details. --------------------------------------------- https://lwn.net/Articles/995098/ ∗∗∗ Akira ransomware continues to evolve ∗∗∗ --------------------------------------------- As the Akira ransomware group continues to evolve its operations, Talos has the latest research on the groups attack chain, targeted verticals, and potential future TTPs. --------------------------------------------- https://blog.talosintelligence.com/akira-ransomware-continues-to-evolve/ ∗∗∗ Threat actor abuses Gophish to deliver new PowerRAT and DCRAT ∗∗∗ --------------------------------------------- Cisco Talos recently discovered a phishing campaign using an open-source phishing toolkit called Gophish by an unknown threat actor. [..] Talos discovered an undocumented PowerShell RAT we’re calling PowerRAT, as one of the payloads and another infamous Remote Access Tool (RAT) DCRAT. --------------------------------------------- https://blog.talosintelligence.com/gophish-powerrat-dcrat/ ∗∗∗ Using gRPC and HTTP/2 for Cryptominer Deployment: An Unconventional Approach ∗∗∗ --------------------------------------------- In this blog entry, we discuss how malicious actors are exploiting Docker remote API servers via gRPC/h2c to deploy the cryptominer SRBMiner to facilitate their mining of XRP on Docker hosts. --------------------------------------------- https://www.trendmicro.com/en_us/research/24/j/using-grpc-http-2-for-crypto… ∗∗∗ Web Application Security for DevOps: Site and Origin Dynamics and Cross-Site Request Forgery ∗∗∗ --------------------------------------------- This is a continuation of the series on web application security where we dive into cookie dynamics. --------------------------------------------- https://www.bitsight.com/blog/web-application-security-devops-site-and-orig… ===================== = Vulnerabilities = ===================== ∗∗∗ VMware fixes bad patch for critical vCenter Server RCE flaw ∗∗∗ --------------------------------------------- VMware has released another security update for CVE-2024-38812, a critical VMware vCenter Server remote code execution vulnerability that was not correctly fixed in the first patch from September 2024. --------------------------------------------- https://www.bleepingcomputer.com/news/security/vmware-fixes-bad-patch-for-c… ∗∗∗ Zyxel security advisory for insufficiently protected credentials vulnerability in firewalls ∗∗∗ --------------------------------------------- The insufficiently protected credentials vulnerability in the CLI command of the USG FLEX H series firewalls could allow an authenticated local attacker to gain privilege escalation by stealing the authentication token of a login administrator. Note that this attack could be successful only if the administrator has not logged out. --------------------------------------------- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ffmpeg, ghostscript, libsepol, openjdk-11, openjdk-17, perl, and python-sql), Oracle (389-ds-base, buildah, containernetworking-plugins, edk2, httpd, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-21-openjdk, kernel, python-setuptools, skopeo, and webkit2gtk3), Red Hat (buildah), Slackware (openssl), SUSE (apache2, firefox, libopenssl-3-devel, podman, and python310-starlette), and Ubuntu (cups-browsed, firefox, libgsf, and linux-gke). --------------------------------------------- https://lwn.net/Articles/995095/ ∗∗∗ Dell Product Security Update Advisory (CVE-2024-45766) ∗∗∗ --------------------------------------------- https://asec.ahnlab.com/en/83995/ ∗∗∗ SolarWinds Product Security Update Advisory (CVE-2024-45711) ∗∗∗ --------------------------------------------- https://asec.ahnlab.com/en/84002/ ∗∗∗ ICONICS and Mitsubishi Electric Products ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-296-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.10.2024
by Daily end-of-shift report 21 Oct '24

21 Oct '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 18-10-2024 18:00 − Montag 21-10-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ New macOS vulnerability, “HM Surf”, could lead to unauthorized data access ∗∗∗ --------------------------------------------- Microsoft Threat Intelligence uncovered a macOS vulnerability that could potentially allow an attacker to bypass the operating system’s Transparency, Consent, and Control (TCC) technology and gain unauthorized access to a user’s protected data. The vulnerability, which we refer to as “HM Surf”, involves removing the TCC protection for the Safari browser directory and modifying a configuration file in the said directory to gain access to the user’s data, including browsed pages, the device’s camera, microphone, and location, without the user’s consent. [..] Apple released a fix for this vulnerability, now identified as CVE-2024-44133, as part of security updates for macOS Sequoia, released on September 16, 2024. At present, only Safari uses the new protections afforded by TCC. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2024/10/17/new-macos-vulnerab… ∗∗∗ Hooked by the Call: A Deep Dive into The Tricks Used in Callback Phishing Emails ∗∗∗ --------------------------------------------- Previously, Trustwave SpiderLabs covered a massive fake order spam scheme that impersonated a tech support company and propagated via Google Groups. Since then, we have observed more spam campaigns using this hybrid form of cyberattack with varying tactics, techniques, and procedures (TTP). [..] In this blog, we will showcase the different spam techniques used in these phishing emails. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/hooked-by-t… ∗∗∗ Hackers Exploit Roundcube Webmail XSS Vulnerability to Steal Login Credentials ∗∗∗ --------------------------------------------- Unknown threat actors have been observed attempting to exploit a now-patched security flaw in the open-source Roundcube webmail software as part of a phishing attack designed to steal user credentials. [..] The attack chain, per Positive Technologies, is an attempt to exploit CVE-2024-37383 (CVSS score: 6.1), a stored cross-site scripting (XSS) vulnerability via SVG animate attributes that allows for execution of arbitrary JavaScript in the context of the victim's web browser. --------------------------------------------- https://thehackernews.com/2024/10/hackers-exploit-roundcube-webmail-xss.html ∗∗∗ Severe flaws in E2EE cloud storage platforms used by millions ∗∗∗ --------------------------------------------- Several end-to-end encrypted (E2EE) cloud storage platforms are vulnerable to a set of security issues that could expose user data to malicious actors. [..] The researchers notified Sync, pCloud, Seafile, and Icedrive of their findings on April 23, 2024, and contacted Tresorit on September 27, 2024, to discuss potential improvements in their particular cryptographic designs. [..] BleepingComputer contacted all five cloud service providers for a comment on Hofmann's and Truong's research, and we received the below statements. --------------------------------------------- https://www.bleepingcomputer.com/news/security/severe-flaws-in-e2ee-cloud-s… ∗∗∗ Open source LLM tool primed to sniff out Python zero-days ∗∗∗ --------------------------------------------- The static analyzer uses Claude AI to identify vulns and suggest exploit code Researchers with Seattle-based Protect AI plan to release a free, open source tool that can find zero-day vulnerabilities in Python codebases with the help of Anthropics Claude AI model. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2024/10/20/python_zero_… ∗∗∗ Hunting for Remote Management Tools: Detecting RMMs ∗∗∗ --------------------------------------------- Given the wide range of different RMM tools available, performing a threat hunt to identify all different available tools used in the organization brings a couple of challenges. In this blog, we’ll dive a little deeper into how we tackled this challenge and share this knowledge so you can use it to keep your organization safe. --------------------------------------------- https://blog.nviso.eu/2024/10/21/hunting-for-remote-management-tools-detect… ∗∗∗ Cisco bestätigt Attacke auf DevHub-Portal und nimmt es offline ∗∗∗ --------------------------------------------- Cisco hat aktuell laufende Untersuchungen zu einem IT-Sicherheitsvorfall vorangetrieben und nun eine Attacke bestätigt. Dabei sollen Angreifer Zugriff auf nicht für die Öffentlichkeit bestimmte Daten gehabt haben. --------------------------------------------- https://heise.de/-9987412 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (asterisk, chromium, php-horde-mime-viewer, and php-horde-turba), Fedora (apache-commons-io, buildah, chromium, containers-common, libarchive, libdigidocpp, oath-toolkit, podman, rust-hyper-rustls, rust-reqwest, rust-rustls-native-certs, rust-rustls-native-certs0.7, rust-tonic, rust-tonic-build, rust-tonic-types, rust-tower, rust-tower-http, rust-tower-http0.5, rust-tower0.4, thunderbird, and unbound), SUSE (buildah, chromedriver, chromium, element-desktop, element-web, jetty-annotations, nodejs-electron, php7, php74, php8, podman, python3-virtualbox, qemu, thunderbird, and valkey), and Ubuntu (amd64-microcode). --------------------------------------------- https://lwn.net/Articles/994941/ ∗∗∗ Angreifer können PCs mit Virenschutz von Bitdefender und Trend Micro attackieren ∗∗∗ --------------------------------------------- Sicherheitslücken in Virenschutz-Software von Bitdefender und Trend Micro gefährden Systeme. Admins sollten die verfügbaren Sicherheitsupdates zeitnah installieren, um Attacken vorzubeugen. [..] Im Supportbereich der Bitdefender-Website geben die Entwickler an, in diesem Kontext insgesamt fünf Sicherheitslücken (CVE-2023-49567, CVE-2023-49570, CVE-2023-6055, CVE-2023-6056, CVE-2023-6057) mit dem Bedrohungsgrad "hoch" geschlossen zu haben. Damit so eine Attacke klappt, können Angreifer etwa über Hashkollsionen (MD5 und SHA1) Zertifikate erzeugen, die als legitim durchgewunken werden. Die Sicherheitsprobleme sollen in der sich automatisch installierenden Total-Security-Version 27.0.25.11 gelöst sein. --------------------------------------------- https://heise.de/-9987394 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.10.2024
by Daily end-of-shift report 18 Oct '24

18 Oct '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 17-10-2024 18:00 − Freitag 18-10-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Analysis of the Crypt Ghouls group: continuing the investigation into a series of attacks on Russia ∗∗∗ --------------------------------------------- A close look at the utilities, techniques, and infrastructure used by the hacktivist group Crypt Ghouls has revealed links to groups such as Twelve, BlackJack, etc. --------------------------------------------- https://securelist.com/crypt-ghouls-hacktivists-tools-overlap-analysis/1142… ∗∗∗ Feline Hackers Among Us? (A Deep Dive and Simulation of the Meow Attack) ∗∗∗ --------------------------------------------- Introduction In the perpetually evolving field of cybersecurity, new threats materialize daily. Attackers are on the prowl for weaknesses in infrastructure and software like a cat eyeing its helpless prey. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/feline-hack… ∗∗∗ U.S. and Allies Warn of Iranian Cyberattacks on Critical Infrastructure in Year-Long Campaign ∗∗∗ --------------------------------------------- Cybersecurity and intelligence agencies from Australia, Canada, and the U.S. have warned about a year-long campaign undertaken by Iranian cyber actors to infiltrate critical infrastructure organizations via brute-force attacks."Since October 2023, Iranian ..d --------------------------------------------- https://thehackernews.com/2024/10/us-and-allies-warn-of-iranian.html ∗∗∗ Intel hits back at Chinas accusations it bakes in NSA backdoors ∗∗∗ --------------------------------------------- Chipzilla says it obeys the law wherever it is, which is nice Intel has responded to Chinese claims that its chips include security backdoors at the direction of Americas NSA. --------------------------------------------- https://www.theregister.com/2024/10/18/intel_china_security_allegations/ ∗∗∗ Alleged Bitcoin crook faces 5 years after SECs X account pwned ∗∗∗ --------------------------------------------- SIM swappers strike again, warping cryptocurrency prices An Alabama man faces five years in prison for allegedly attempting to manipulate the price of Bitcoin by pwning the US Securities and Exchange Commissions X account earlier this year. --------------------------------------------- https://www.theregister.com/2024/10/18/sec_bitcoin_arrest/ ∗∗∗ Brazil Arrests ‘USDoD,’ Hacker in FBI Infragard Breach ∗∗∗ --------------------------------------------- Brazilian authorities reportedly have arrested a 33-year-old man on suspicion of being "USDoD," a prolific cybercriminal who rose to infamy in 2022 after infiltrating the FBIs InfraGard program and leaking contact information for 80,000 members. More recently, USDoD was behind a breach at the consumer data broker National Public Data that led .. --------------------------------------------- https://krebsonsecurity.com/2024/10/brazil-arrests-usdod-hacker-in-fbi-infr… ∗∗∗ EIW — ESET Israel Wiper — used in active attacks targeting Israeli orgs ∗∗∗ --------------------------------------------- One of my Mastodon followers sent me an interesting toot today, which lead to this forum post .. --------------------------------------------- https://doublepulsar.com/eiw-eset-israel-wiper-used-in-active-attacks-targe… ∗∗∗ What I’ve learned in my first 7-ish years in cybersecurity ∗∗∗ --------------------------------------------- Plus, a zero-day vulnerability in Qualcomm chips, exposed health care devices, and the latest on the Salt Typhoon threat actor. --------------------------------------------- https://blog.talosintelligence.com/threat-source-newsletter-oct-17-2024/ ∗∗∗ Call stack spoofing explained using APT41 malware ∗∗∗ --------------------------------------------- Summary Call stack spoofing isn’t a new technique, but it has become more popular in the last few years. Call stacks are a telemetry source for EDR software that can be used to determine if a process made suspicious actions (requesting a handle to the lsass process, writing suspicious code to a newly allocated area, .. --------------------------------------------- https://cybergeeks.tech/call-stack-spoofing-explained-using-apt41-malware/ ∗∗∗ Fake North Korean IT Workers Infiltrate Western Firms, Demand Ransom ∗∗∗ --------------------------------------------- North Korean hackers are infiltrating Western companies using fraudulent IT workers to steal sensitive data and extort ransom. --------------------------------------------- https://hackread.com/fake-north-korean-it-workers-west-firms-demand-ransom/ ∗∗∗ U.S. and UK Warn of Russian Cyber Threats: 9 of 12 GreyNoise-Tracked Vulnerabilities in the Advisory Are Being Probed Right Now ∗∗∗ --------------------------------------------- Joint U.S. and UK advisory identifies 24 vulnerabilities exploited by Russian state-sponsored APT 29, with GreyNoise detecting active probing on nine of these critical CVEs. Stay informed with real-time .. --------------------------------------------- https://www.greynoise.io/blog/u-s-and-uk-warn-of-russian-cyber-threats-9-of… ∗∗∗ Apple Passwörter: So lautet das Rezept für generierte Passwörter ∗∗∗ --------------------------------------------- Ein leitender Softwareentwickler Apples erklärt in einem Blogpost, nach welchem Muster Apple Passwörter generiert. --------------------------------------------- https://heise.de/-9986503 ===================== = Vulnerabilities = ===================== ∗∗∗ SVD-2024-1013: Third-Party Package Updates in Splunk Add-on for Office 365 - October 2024 ∗∗∗ --------------------------------------------- Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk Add-on for Office 365 versions 4.5.2 and higher. --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2024-1013 ∗∗∗ Synology-SA-24:17 Synology Camera ∗∗∗ --------------------------------------------- The vulnerabilities allow remote attackers to execute arbitrary code, remote attackers to bypass security constraints and remote attackers to conduct denial-of-service attacks via a susceptible version of Synology Camera BC500 Firmware, Synology Camera TC500 Firmware and Synology Camera CC400W Firmware. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_24_17 ∗∗∗ ZDI-24-1419: Trend Micro Deep Security Improper Access Control Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-1419/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.10.2024
by Daily end-of-shift report 17 Oct '24

17 Oct '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 16-10-2024 18:00 − Donnerstag 17-10-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Iranian hackers act as brokers selling critical infrastructure access ∗∗∗ --------------------------------------------- Iranian hackers are breaching critical infrastructure organizations to collect credentials and network data that can be sold on cybercriminal forums to enable cyberattacks from other threat actors. --------------------------------------------- https://www.bleepingcomputer.com/news/security/iranian-hackers-act-as-broke… ∗∗∗ Mit Standard-Zugangsdaten: Kubernetes-Lücke ermöglicht Root-Zugriff per SSH ∗∗∗ --------------------------------------------- Betroffen sind Images, die mit dem Kubernetes Image Builder erstellt wurden. Es gibt zwar einen Patch, doch der schützt bestehende Images nicht. --------------------------------------------- https://www.golem.de/news/mit-standard-zugangsdaten-kubernetes-luecke-ermoe… ∗∗∗ The 2024 State of ICS/OT Cybersecurity: Our Past and Our Future ∗∗∗ --------------------------------------------- The 2024 State of ICS/OT report shows our industry’s growth since 2019 and offers insight into how we may improve going into 2029. --------------------------------------------- https://www.sans.org/blog/the-2024-state-of-ics-ot-cybersecurity-our-past-a… ∗∗∗ DORA-Kernkonzepte verstehen: Fokus auf "Kritische oder wichtige Funktionen" ∗∗∗ --------------------------------------------- Mit dem Ziel, ein hohes Maß an digitaler operativer Widerstandsfähigkeit zu erreichen, bietet DORA einen umfassenden Rahmen für das wirksame .. --------------------------------------------- https://sec-consult.com/de/blog/detail/dora-core-concepts-critical-or-impor… ∗∗∗ Cisco confirms ongoing investigation after crims brag about selling tons of data ∗∗∗ --------------------------------------------- Networking giant says no evidence of impact on its systems but will tell customers if their info has been stolen UPDATED Cisco has confirmed it is investigating claims of stealing — and now selling — data belonging .. --------------------------------------------- https://www.theregister.com/2024/10/15/cisco_confirm_ongoing_investigation/ ∗∗∗ New ThreatLabz Report: Mobile remains a top threat vector with 111% spyware growth while IoT attacks rise 45% ∗∗∗ --------------------------------------------- The role of the CISO continues to expand, driven by the rising number of breaches and cyberattacks like ransomware, as well as SEC requirements for public organizations to disclose material breaches. Among the fastest-moving .. --------------------------------------------- https://www.zscaler.com/blogs/security-research/new-threatlabz-report-mobil… ∗∗∗ Sudanese Brothers Arrested in ‘AnonSudan’ Takedown ∗∗∗ --------------------------------------------- The U.S. government on Wednesday announced the arrest and charging of two Sudanese brothers accused of running Anonymous Sudan (a.k.a. AnonSudan), a cybercrime business known for launching powerful distributed denial-of-service (DDoS) attacks against a range of targets, including dozens of hospitals, news websites and cloud providers. One of the .. --------------------------------------------- https://krebsonsecurity.com/2024/10/sudanese-brothers-arrested-in-anonsudan… ∗∗∗ Russische Hackergruppe bekennt sich zu Angriff auf das Internet Archive ∗∗∗ --------------------------------------------- Eine Gruppe namens "SN_BLACKMETA" hat nach eigenen Angaben DDoS-Attacken auf die Internetbibliothek durchgeführt --------------------------------------------- https://www.derstandard.at/story/3000000241091/russische-hackergruppe-beken… ∗∗∗ Gatekeeper Bypass: Uncovering Weaknesses in a macOS Security Mechanism ∗∗∗ --------------------------------------------- Explore how macOS Gatekeepers security could be compromised by third-party apps not enforcing quarantine attributes effectively. --------------------------------------------- https://unit42.paloaltonetworks.com/gatekeeper-bypass-macos/ ∗∗∗ Ransomware: Threat Level Remains High in Third Quarter ∗∗∗ --------------------------------------------- Recently established RansomHub group overtakes LockBit to become most prolific ransomware operation. --------------------------------------------- https://symantec-enterprise-blogs.security.com/threat-intelligence/ransomwa… ∗∗∗ Cyber Resilience Act beschlossen ∗∗∗ --------------------------------------------- Der Cyber Resilience Act (CRA) ist eine EU-Verordnung für die Sicherheit in Hard- und Softwareprodukten mit digitalen Elementen, die am 10.10.2024 im Rat der Europäischen Union verabschiedet wurde. Nach der Veröffentlichung im Amtsblatt der EU wird das .. --------------------------------------------- https://certitude.consulting/blog/de/cyber-resilience-act-beschlossen/ ∗∗∗ Hacker allegedly behind attacks on FBI, Airbus, National Public Data arrested in Brazil ∗∗∗ --------------------------------------------- Police did not name the suspect, but a threat actor known as USDoD has long boasted of being behind the attacks that were highlighted by Brazilian law enforcement following the arrest. --------------------------------------------- https://therecord.media/hacker-behind-fbi-npd-airbus-attacks-arrested-brazil ∗∗∗ Why Hackers May Be Targeting You ∗∗∗ --------------------------------------------- In todays evolving cyber threat landscape, small and mid-sized businesses can reduce their risk by understanding cybercriminals, addressing misconceptions, and enhancing their cybersecurity and incident .. --------------------------------------------- https://www.emsisoft.com/en/blog/46073/why-hackers-may-be-targeting-you/ ===================== = Vulnerabilities = ===================== ∗∗∗ Oracle Releases Quarterly Critical Patch Update Advisory for October 2024 ∗∗∗ --------------------------------------------- Oracle released its quarterly Critical Patch Update Advisory for October 2024 to address vulnerabilities in multiple products. A cyber threat actor could exploit some of these vulnerabilities to take .. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/10/17/oracle-releases-quarterl… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- https://lwn.net/Articles/994630/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.10.2024
by Daily end-of-shift report 16 Oct '24

16 Oct '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 15-10-2024 18:00 − Mittwoch 16-10-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ ASEC and NCSC Release Joint Report on Microsoft Zero-Day Browser Vulnerability (CVE-2024-38178) ∗∗∗ --------------------------------------------- AhnLab SEcurity intelligence Center (ASEC) and the National Cyber Security Center (NCSC) have discovered a new zero-day vulnerability in the Microsoft Internet Explorer (IE) browser and have conducted a detailed analysis on attacks that exploit this vulnerability. This post shares the joint analysis report “Operation Code on Toast by TA-RedAnt” which details the findings of the ASEC and NCSC joint analysis and the responses to the threat. --------------------------------------------- https://asec.ahnlab.com/en/83877/ ∗∗∗ Exfiltration over Telegram Bots: Skidding Infostealer Logs ∗∗∗ --------------------------------------------- Bitsight’s visibility over infostealer malware which exfiltrates over Telegram suggests that the most infected countries are the USA, Turkey, and Russia, followed by India and Germany. --------------------------------------------- https://www.bitsight.com/blog/exfiltration-over-telegram-bots-skidding-info… ∗∗∗ EDRSilencer red team tool used in attacks to bypass security ∗∗∗ --------------------------------------------- A tool for red-team operations called EDRSilencer has been observed in malicious incidents attempting to identify security tools and mute their alerts to management consoles. --------------------------------------------- https://www.bleepingcomputer.com/news/security/edrsilencer-red-team-tool-us… ∗∗∗ Mehrere Dienste betroffen: Microsoft warnt Kunden vor Datenverlust beim Logging ∗∗∗ --------------------------------------------- Durch einen Softwarefehler hat Microsoft einige für seine Kunden wichtige Protokolldaten verloren. Betroffen sind mehrere Clouddienste des Konzerns. --------------------------------------------- https://www.golem.de/news/mehrere-dienste-betroffen-microsoft-warnt-kunden-… ∗∗∗ New Linux Variant of FASTCash Malware Targets Payment Switches in ATM Heists ∗∗∗ --------------------------------------------- The malware is "installed on payment switches within compromised networks that handle card transactions for the means of facilitating the unauthorized withdrawal of cash from ATMs," a security researcher who goes by HaxRob said. --------------------------------------------- https://thehackernews.com/2024/10/new-linux-variant-of-fastcash-malware.html ∗∗∗ Windows 11 24H2: Probleme mit VPN-Verbindungen, Direct Access … ∗∗∗ --------------------------------------------- Seit Microsoft Windows 11 24H2 allgemein freigegeben hat, sind mir Meldungen zu Problemen rund um das Thema VPN-Verbindungen (CheckPoint VPN, WireGuard, Direct Access) untergekommen. Ich fasse mal einige dieser Meldungen in einem Beitrag zusammen, auch um ein Bild zu bekommen, ob es nur Einzelfälle sind oder ob mehr Leute betroffen sind. --------------------------------------------- https://www.borncity.com/blog/2024/10/15/windows-11-24h2-probleme-mit-vpn-v… ∗∗∗ Windows 11 24H2: Recall nicht deinstallierbar … ∗∗∗ --------------------------------------------- Trotz gegenteiliger Zusicherungen stellt sich momentan heraus, dass Microsofts umstrittene Funktion Recall sich nicht [ohne Kollateralschäden] unter Windows 11 24H2 deinstallieren lässt – das Ganze ist aktuell aber wohl noch im Fluss. --------------------------------------------- https://www.borncity.com/blog/2024/10/16/windows-11-24h2-recall-nicht-deins… ∗∗∗ Fake LockBit, Real Damage: Ransomware Samples Abuse AWS S3 to Steal Data ∗∗∗ --------------------------------------------- This article uncovers a Golang ransomware abusing AWS S3 for data theft, and masking as LockBit to further pressure victims. The discovery of hard-coded AWS credentials in these samples led to AWS account suspensions. --------------------------------------------- https://www.trendmicro.com/en_us/research/24/j/fake-lockbit-real-damage-ran… ∗∗∗ Comparing AI Against Traditional Static Analysis Tools to Highlight Buffer Overflows ∗∗∗ --------------------------------------------- The idea of this blog post is to use open-source software tools to analyze unknown binaries for buffer overflows. In particular we are focusing on using Ollama3 to access multiple large language models. Ollama is a platform designed to simplify the deployment and usage of LLMs on local machines.This enables private data to be held locally instead of being sent to a cloud for processing. --------------------------------------------- https://www.nccgroup.com/us/research-blog/comparing-ai-against-traditional-… ===================== = Vulnerabilities = ===================== ∗∗∗ Oracle Critical Patch Update Advisory - October 2024 ∗∗∗ --------------------------------------------- A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches address vulnerabilities in Oracle code and in third party components included in Oracle products. These patches are usually cumulative, but each advisory describes only the security patches added since the previous Critical Patch Update Advisory. --------------------------------------------- https://www.oracle.com/security-alerts/cpuoct2024.html ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (buildah, containernetworking-plugins, and skopeo), Fedora (pdns-recursor and valkey), Mageia (unbound), Red Hat (fence-agents, firefox, java-11-openjdk, python-setuptools, python3-setuptools, resource-agents, and thunderbird), SUSE (etcd-for-k8s, libsonivox3, rubygem-puma, and unbound), and Ubuntu (apr, libarchive, linux, linux-aws, linux-aws-hwe, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, nano, and vim). --------------------------------------------- https://lwn.net/Articles/994436/ ∗∗∗ HP-DesignJet-Drucker: Angreifer können SMTP-Server-Logins abgreifen ∗∗∗ --------------------------------------------- Wie aus einer Warnmeldung hervorgeht, ist die Schwachstelle (CVE-2024-5749) mit dem Bedrohungsgrad "hoch" eingestuft. Klappen Attacken, sind SMTP-Server-Zugangsdaten einsehbar. Wie so ein Angriff ablaufen könnte, führen die HP-Entwickler derzeit nicht aus. Konkret davon betroffen sind die DesignJet-Modelle T730 und T830. --------------------------------------------- https://heise.de/-9983364 ∗∗∗ Mozilla: Security Vulnerabilities fixed in Firefox for iOS 131.2 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2024-54/ ∗∗∗ Synology-SA-24:14 Synology Photos ∗∗∗ --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_24_14 ∗∗∗ Synology-SA-24:13 BeePhotos ∗∗∗ --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_24_13 ∗∗∗ Bosch: Unrestricted resource consumption in BVMS ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-162032-bt.html ∗∗∗ F5: K000141463: Multiple Angular JS vulnerabilities CVE-2019-10768, CVE-2023-26116, CVE-2023-26117, and CVE-2023-26118 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000141463 ∗∗∗ F5: K000141459: Angular JS vulnerabilities CVE-2019-14863 and CVE-2022-25869 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000141459 ∗∗∗ F5: K000141302: Quarterly Security Notification (October 2024) ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000141302 ∗∗∗ F5: K000140061: BIG-IP monitors vulnerability CVE-2024-45844 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000140061 ∗∗∗ F5: K000141080: BIG-IQ vulnerability CVE-2024-47139 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000141080 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.10.2024
by Daily end-of-shift report 15 Oct '24

15 Oct '24

===================== = End-of-Day report = ===================== Timeframe: Montag 14-10-2024 18:00 − Dienstag 15-10-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ TrickMo malware steals Android PINs using fake lock screen ∗∗∗ --------------------------------------------- Forty new variants of the TrickMo Android banking trojan have been identified in the wild, linked to 16 droppers and 22 distinct command and control (C2) infrastructures, with new features designed to steal Android PINs. --------------------------------------------- https://www.bleepingcomputer.com/news/security/trickmo-malware-steals-andro… ∗∗∗ New FIDO proposal lets you securely move passkeys across platforms ∗∗∗ --------------------------------------------- The Fast IDentity Online (FIDO) Alliance has published a working draft of a new specification that aims to enable the secure transfer of passkeys between different providers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-fido-proposal-lets-you-s… ∗∗∗ BEC-ware the phish (part 1). Investigating incidents in M365 ∗∗∗ --------------------------------------------- This blog post is the first of three, that look at the key steps for an effective investigation, response, and remediation to email-based threats in M365. Part two covers response actions as well as short- and long-term remediations to prevent attackers getting back in. Part three considers the native detection and prevention options in M365. --------------------------------------------- https://www.pentestpartners.com/security-blog/bec-ware-the-phish-part-1-inv… ∗∗∗ Vorsicht vor Anrufen vom „Bankbetrugssystem Österreich“ ∗∗∗ --------------------------------------------- Derzeit werden uns wieder vermehrt Tonbandanrufe gemeldet. Eine computergenerierte Stimme gibt sich als Bankbetrugssystem Österreich aus und behauptet, dass eine Zahlung von 1500 Euro abgelehnt wurde und Ihr Konto möglicherweise gehackt wurde. Sie werden aufgefordert, die Taste „1“ zu drücken, um mit einer echten Person verbunden zu werden. Legen Sie auf, das ist Betrug! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-anrufen-vom-bankbetrugs… ∗∗∗ New Telekopye Scam Toolkit Targeting Booking.com and Airbnb Users ∗∗∗ --------------------------------------------- ESET Research found the Telekopye scam network targeting Booking.com and Airbnb. Scammers use phishing pages via compromised accounts to steal personal and payment details from travelers. --------------------------------------------- https://hackread.com/telekopye-scam-toolkit-hit-booking-com-airbnb-users/ ∗∗∗ CISA Adds Three Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CVE-2024-30088 Microsoft Windows Kernel TOCTOU Race Condition Vulnerability, CVE-2024-9680 Mozilla Firefox Use-After-Free Vulnerability, CVE-2024-28987 SolarWinds Web Help Desk Hardcoded Credential Vulnerability --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/10/15/cisa-adds-three-known-ex… ∗∗∗ Fortinet FortiGate CVE-2024-23113 - A Super Complex Vulnerability In A Super Secure Appliance In 2024 ∗∗∗ --------------------------------------------- Today wed like to share a recent journey into (yet another) SSLVPN appliance vulnerability - a Format String vulnerability, unusually, in Fortinets FortiGate devices. It affected (before patching) all currently-maintained branches, and recently was highlighted by CISA as being exploited-in-the-wild. --------------------------------------------- https://labs.watchtowr.com/fortinet-fortigate-cve-2024-23113-a-super-comple… ===================== = Vulnerabilities = ===================== ∗∗∗ Splunk Security Advisories 2024-10-14 ∗∗∗ --------------------------------------------- Splunk released 12 security advisories: 4x high, 8x medium --------------------------------------------- https://advisory.splunk.com//advisories ∗∗∗ Kritische Schwachstellen in Industrieroutern mbNET ∗∗∗ --------------------------------------------- In industriellen Fernwartungsgateways und Industrieroutern mbNET wurden mehrere, teils schwerwiegende Sicherheitsschwachstellen identifiziert. Sie ermöglichen es, das Gerät vollständig zu kompromittieren sowie verschlüsselte Konfigurationen zu entschlüsseln. --------------------------------------------- https://www.syss.de/pentest-blog/kritische-schwachstellen-in-industrieroute… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (container-tools:rhel8, firefox, OpenIPMI, podman, and thunderbird), Debian (libapache-mod-jk, php7.4, and webkit2gtk), Fedora (edk2, koji, libgsf, rust-hyper-rustls, rust-reqwest, rust-rustls-native-certs, rust-rustls-native-certs0.7, rust-tonic, rust-tonic-build, rust-tonic-types, rust-tower, rust-tower-http, rust-tower-http0.5, and rust-tower0.4), Mageia (packages and thunderbird), Oracle (bind, container-tools:ol8, kernel, kernel-container, OpenIPMI, podman, and thunderbird), Red Hat (container-tools:rhel8, containernetworking-plugins, podman, and skopeo), SUSE (argocd-cli, bsdtar, keepalived, kernel, kyverno, libmozjs-115-0, libmozjs-128-0, libmozjs-78-0, OpenIPMI, opensc, php8, thunderbird, and xen), and Ubuntu (configobj, haproxy, imagemagick, nginx, and postgresql-10, postgresql-9.3). --------------------------------------------- https://lwn.net/Articles/994268/ ∗∗∗ WordPress plugin Jetpack fixes nearly decade-old critical security flaw ∗∗∗ --------------------------------------------- The popular WordPress plugin Jetpack has released a critical security update, addressing a vulnerability that could have affected 27 million websites. [..] The flaw, which is not believed to have been exploited, was found in the plugin’s contact form feature and had remained unpatched since 2016. This vulnerability could be exploited by any logged-in user on a site to read forms submitted by other users, according to Jetpack engineer Jeremy Herve. --------------------------------------------- https://therecord.media/wordpress-jetpack-plugin-fixes-flaw ∗∗∗ ZDI-24-1382: QEMU SCSI Use-After-Free Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-1382/ ∗∗∗ Zahlreiche Schwachstellen im Rittal IoT Interface & CMC III Processing Unit ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/zahlreiche-schwachste… ∗∗∗ GitHub Enterprise Server (GHES) Security Update Advisory (CVE-2024-9487) ∗∗∗ --------------------------------------------- https://asec.ahnlab.com/en/83868/ ∗∗∗ Kubernetes: CVE-2024-9594 ∗∗∗ --------------------------------------------- https://github.com/kubernetes/kubernetes/issues/128007 ∗∗∗ Kubernetes: CVE-2024-9486 ∗∗∗ --------------------------------------------- https://github.com/kubernetes/kubernetes/issues/128006 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.10.2024
by Daily end-of-shift report 14 Oct '24

14 Oct '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 11-10-2024 18:00 − Montag 14-10-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Microsoft deprecates PPTP and L2TP VPN protocols in Windows Server ∗∗∗ --------------------------------------------- Microsoft has officially deprecated the Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP) in future versions of Windows Server, recommending admins switch to different protocols that offer increased security. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-deprecates-pptp-a… ∗∗∗ Google warns uBlock Origin and other extensions may be disabled soon ∗∗∗ --------------------------------------------- Googles Chrome Web Store is now warning that the uBlock Origin ad blocker and other extensions may soon be blocked as part of the companys deprecation of the Manifest V2 extension specification. --------------------------------------------- https://www.bleepingcomputer.com/news/google/google-warns-ublock-origin-and… ∗∗∗ Microsoft’s guidance to help mitigate Kerberoasting ∗∗∗ --------------------------------------------- Kerberoasting, a well-known Active Directory (AD) attack vector, enables threat actors to steal credentials and navigate through devices and networks. Microsoft is sharing recommended actions administrators can take now to help prevent successful Kerberoasting cyberattacks. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2024/10/11/microsofts-guidanc… ∗∗∗ Nation-State Attackers Exploiting Ivanti CSA Flaws for Network Infiltration ∗∗∗ --------------------------------------------- A suspected nation-state adversary has been observed weaponizing three security flaws in Ivanti Cloud Service Appliance (CSA) a zero-day to perform a series of malicious actions. That's according to findings from Fortinet FortiGuard Labs, which said the vulnerabilities were abused to gain unauthenticated access to the CSA, enumerate users configured in the appliance, and attempt to access the credentials of those users. --------------------------------------------- https://thehackernews.com/2024/10/nation-state-attackers-exploiting.html ∗∗∗ Chatbot Traps: How to Avoid Job Scams ∗∗∗ --------------------------------------------- While the strategies outlined here can help you detect AI-powered scams, it is important to recognise that AI technology is advancing rapidly. Many current weaknesses—such as difficulties with complex questions or live conversations—may diminish as AI continues to improve. --------------------------------------------- https://connect.geant.org/2024/10/14/chatbot-traps-how-to-avoid-job-scams ∗∗∗ Casio says ransomware attack exposed info of employees, customers and business partners ∗∗∗ --------------------------------------------- Japanese electronics manufacturer Casio confirmed on Friday that a cyber incident announced earlier this week was a ransomware attack that potentially exposed the information of employees, customers, business partners and affiliates. --------------------------------------------- https://therecord.media/casio-ransomware-attack-exposed-emplyee-customer-da… ∗∗∗ Achtung: Neue textbasierte QR-Code-Phishing-Varianten ∗∗∗ --------------------------------------------- Sicherheitsforscher von Barracuda sind auf eine neue Variante zur Gestaltung von Phishing-Nachrichten gestoßen. Diese verwenden QR-Codes aus textbasierten ASCII/Unicode-Zeichen, statt wie üblich aus statischen Bildern erstellt zu werden, um herkömmliche Sicherheitsmaßnahmen zu umgehen. --------------------------------------------- https://www.borncity.com/blog/2024/10/13/achtung-neue-textbasierte-qr-code-… ∗∗∗ Sicherheitslücke in Ecovacs-Saugrobotern erlaubt Remote-Steuerung durch Hacker ∗∗∗ --------------------------------------------- In den USA häufen sich Fälle, in denen gehackte Saugroboter offenbar fremdgesteuert Beleidigungen zurufen und Bilder über die interne Kamera übertragen. --------------------------------------------- https://heise.de/-9979104 ===================== = Vulnerabilities = ===================== ∗∗∗ Notfall-Update: Tor-Nutzer über kritische Firefox-Lücke attackiert ∗∗∗ --------------------------------------------- Eine kritische Firefox-Schwachstelle betrifft auch den Tor-Browser und Thunderbird. Patches stehen bereit, kommen für einige Tor-Nutzer aber zu spät. --------------------------------------------- https://www.golem.de/news/notfall-update-tor-nutzer-ueber-kritische-firefox… ∗∗∗ Moxa: Missing Authentication and OS Command Injection Vulnerabilities in Cellular Routers, Secure Routers, and Network Security Appliances ∗∗∗ --------------------------------------------- The first vulnerability, CVE-2024-9137, allows attackers to manipulate device configurations without authentication. The second vulnerability, CVE-2024-9139, permits OS command injection through improperly restricted commands, potentially enabling attackers to execute arbitrary codes. --------------------------------------------- https://www.moxa.com/en/support/product-support/security-advisory/mpsa-2411… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (docker.io, libreoffice, node-dompurify, python-reportlab, and thunderbird), Fedora (buildah, chromium, kernel, kernel-headers, libgsf, mosquitto, p7zip, podman, python-cramjam, python-virtualenv, redis, rust-async-compression, rust-brotli, rust-brotli-decompressor, rust-libcramjam, rust-libcramjam0.2, rust-nu-command, rust-nu-protocol, rust-redlib, rust-tower-http, thunderbird, and webkit2gtk4.0), Oracle (.NET 6.0, .NET 8.0, e2fsprogs, firefox, golang, openssl, python3-setuptools, systemd, and thunderbird), SUSE (chromium, firefox, java-jwt, libmozjs-128-0, libwireshark18, ntpd-rs, OpenIPMI, thunderbird, and wireshark), and Ubuntu (firefox, python2.7, python3.5, thunderbird, and ubuntu-advantage-desktop-daemon). --------------------------------------------- https://lwn.net/Articles/994080/ ∗∗∗ Sicherheitsupdate: Angreifer können Netzwerkanalysetool Wireshark crashen lassen ∗∗∗ --------------------------------------------- Wireshark ist in einer gegen mögliche Angriffe abgesicherten Version erschienen. Darin haben die Entwickler auch mehrere Bugs gefixt. --------------------------------------------- https://heise.de/-9979991 ∗∗∗ ZDI-24-1374: IrfanView SID File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-1374/ ∗∗∗ ZDI-24-1369: Zimbra GraphQL Cross-Site Request Forgery Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-1369/ ∗∗∗ Security Vulnerability fixed in Firefox 131.0.3 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2024-53/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.10.2024
by Daily end-of-shift report 11 Oct '24

11 Oct '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 10-10-2024 18:00 − Freitag 11-10-2024 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Akira and Fog ransomware now exploit critical Veeam RCE flaw ∗∗∗ --------------------------------------------- Ransomware gangs now exploit a critical security vulnerability that lets attackers gain remote code execution (RCE) on vulnerable Veeam Backup & Replication (VBR) servers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/akira-and-fog-ransomware-now… ∗∗∗ Digitaler Krieg: Russische Hacker sollen Zimbra- und Teamcity-Exploits nutzen ∗∗∗ --------------------------------------------- Staatliche russische Hacker nähmen Zimbra- und Jetbrains Teamcity-Installationen westlicher Unternehmen aufs Korn, warnen die USA und Großbritannien. --------------------------------------------- https://www.golem.de/news/digitaler-krieg-russische-hacker-sollen-zimbra-un… ∗∗∗ Bohemia and Cannabia Dark Web Markets Taken Down After Joint Police Operation ∗∗∗ --------------------------------------------- The Dutch police have announced the takedown of Bohemia and Cannabia, which has been described as the worlds largest and longest-running dark web market for illegal goods, drugs, and cybercrime services.The takedown is the result of a collaborative investigation with Ireland, the United Kingdom, and the United States that began towards the end of 2022, the Politie said. --------------------------------------------- https://thehackernews.com/2024/10/bohemia-and-cannabia-dark-web-markets.html ∗∗∗ Perfecting Ransomware on AWS — Using keys to the kingdom to change the locks ∗∗∗ --------------------------------------------- If someone asked me what was the best way to make money from a compromised AWS Account (assume root access even) — I would have answered “dump the data and hope that no-one notices you before you finish it up.” This answer would have been valid until ~8 months ago when I stumbled upon a lesser known feature of AWS KMS which allows an attacker to do devastating ransomware attacks on a compromised AWS account. --------------------------------------------- https://medium.com/@harsh8v/redefining-ransomware-attacks-on-aws-using-aws-… ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (September 30, 2024 to October 6, 2024) ∗∗∗ --------------------------------------------- Last week, there were 161 vulnerabilities disclosed in 147 WordPress Plugins and 5 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database --------------------------------------------- https://www.wordfence.com/blog/2024/10/wordfence-intelligence-weekly-wordpr… ∗∗∗ Lynx Ransomware: A Rebranding of INC Ransomware ∗∗∗ --------------------------------------------- Lynx ransomware shares a significant portion of its source code with INC ransomware. INC ransomware initially surfaced in August 2023 and had variants compatible with both Windows and Linux. While we haven't confirmed any Linux samples yet for Lynx ransomware, we have noted Windows samples. This ransomware operates using a ransomware-as-a-service (RaaS) model. --------------------------------------------- https://unit42.paloaltonetworks.com/inc-ransomware-rebrand-to-lynx/ ∗∗∗ Octo2 Malware Uses Fake NordVPN, Chrome Apps to Infect Android Devices ∗∗∗ --------------------------------------------- Octo2 malware is targeting Android devices by disguising itself as popular apps like NordVPN and Google Chrome. --------------------------------------------- https://hackread.com/octo2-malware-fake-nordvpn-chrome-apps-android-device/ ∗∗∗ Best Practices to Configure BIG-IP LTM Systems to Encrypt HTTP Persistence Cookies ∗∗∗ --------------------------------------------- CISA has observed cyber threat actors leveraging unencrypted persistent cookies managed by the F5 BIG-IP Local Traffic Manager (LTM) module to enumerate other non-internet facing devices on the network. [..] CISA urges organizations to encrypt persistent cookies employed in F5 BIG-IP devices and review the following article for details on how to configure the BIG-IP LTM system to encrypt HTTP cookies. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/10/10/best-practices-configure… ∗∗∗ EU-Rat bringt Cyber Resilience Act auf den Weg ∗∗∗ --------------------------------------------- Künftig müssen vernetzte Produkte, die in der EU in Verkehr gebracht werden, gegen Angriffe gesichert sein und das mit dem CE-Zeichen signalisieren. --------------------------------------------- https://heise.de/-9977103 ===================== = Vulnerabilities = ===================== ∗∗∗ New Critical GitLab Vulnerability Could Allow Arbitrary CI/CD Pipeline Execution ∗∗∗ --------------------------------------------- GitLab has released security updates for Community Edition (CE) and Enterprise Edition (EE) to address eight security flaws, including a critical bug that could allow running Continuous Integration and Continuous Delivery (CI/CD) pipelines on arbitrary branches. --------------------------------------------- https://thehackernews.com/2024/10/new-critical-gitlab-vulnerability-could.h… ∗∗∗ Priviledged admin able to view device summary for device in different [FortiManager] ADOM ∗∗∗ --------------------------------------------- An exposure of sensitive information to an unauthorized actor vulnerability [CWE-200] in FortiManager Administrative Domain (ADOM) may allow a remote authenticated attacker assigned to an ADOM to access device summary of other ADOMs via crafted HTTP requests. --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-23-472 ∗∗∗ Aw, Sugar. Critical Vulnerabilities in SugarWOD ∗∗∗ --------------------------------------------- It is possible to: * Enumerate 2 million users, names, profile pics, birthday, height, weight, and email addresses * Extract all Gyms join passwords [..] * Bypass user-chosen privacy settings --------------------------------------------- https://www.n00py.io/2024/10/critical-vulnerabilities-in-sugarwod/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (.NET 6.0, .NET 8.0, and openssl), Debian (firefox-esr), Fedora (firefox), Mageia (php, quictls, and vim), Red Hat (buildah, container-tools:rhel8, containernetworking-plugins, firefox, podman, skopeo, and tomcat), Slackware (mozilla), SUSE (apache-commons-io, kernel, and xen), and Ubuntu (golang-1.17, libgsf, and linux-aws-6.8, linux-oracle-6.8). --------------------------------------------- https://lwn.net/Articles/993778/ ∗∗∗ Security Vulnerability fixed in Thunderbird 131.0.1, Thunderbird 128.3.1, Thunderbird 115.16.0 ∗∗∗ --------------------------------------------- * CVE-2024-9680: Use-after-free in Animation timeline --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2024-52/ ∗∗∗ Livewire Security Update Advisory (CVE-2024-47823) ∗∗∗ --------------------------------------------- The extension of a loaded file is guessed based on its MIME type, which could allow an attacker to conduct a remote code execution (RCE) attack by uploading a “.php” file with a valid MIME type. --------------------------------------------- https://asec.ahnlab.com/en/83775/ ∗∗∗ Apache Software Security Update Advisory (CVE-2024-45720, CVE-2024-47561) ∗∗∗ --------------------------------------------- * CVE-2024-45720: Subversion versions: ~ 1.14.3 (inclusive) (Windows) * CVE-2024-47561: Apache Avro Java SDK versions: ~ 1.11.4 (excluded) --------------------------------------------- https://asec.ahnlab.com/en/83776/ ∗∗∗ Anonymisierendes Linux: Tails 6.8.1 schließt kritische Sicherheitslücke ∗∗∗ --------------------------------------------- Das zum anonymen Surfen gedachte Tails-Linux schließt in Version 6.8.1 eine Sicherheitslücke. Es verbessert zudem den Umgang mit persistentem Speicher. --------------------------------------------- https://heise.de/-9977905 ∗∗∗ baserCMS plugin "BurgerEditor" vulnerable to directory listing ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN54676967/ ∗∗∗ ABB Cylon Aspect 3.07.02 (sshUpdate.php) Unauthenticated Remote SSH Service Control ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5838.php -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.10.2024
by Daily end-of-shift report 10 Oct '24

10 Oct '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 09-10-2024 18:00 − Donnerstag 10-10-2024 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Firefox Zero-Day Under Attack: Update Your Browser Immediately ∗∗∗ --------------------------------------------- Mozilla has revealed that a critical security flaw impacting Firefox and Firefox Extended Support Release (ESR) has come under active exploitation in the wild.The vulnerability, tracked as CVE-2024-9680, has been described as a use-after-free bug in the Animation timeline component. --------------------------------------------- https://thehackernews.com/2024/10/mozilla-warns-of-active-exploitation-in.h… ∗∗∗ CISA says critical Fortinet RCE flaw now exploited in attacks ∗∗∗ --------------------------------------------- Today, CISA revealed that attackers actively exploit a critical FortiOS remote code execution (RCE) vulnerability in the wild. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cisa-says-critical-fortinet-… ∗∗∗ Benutzt hier jemand ein Smartphone mit Qualcomm-SOC? ∗∗∗ --------------------------------------------- Für viele Android-Geräte da draußen ist die Antwort: Ja.The zero-day vulnerability, officially designated CVE-2024-43047, “may be under limited, targeted exploitation,” according to Qualcomm, citing unspecified “indications” from Google’s Threat Analysis Group, the company’s research unit that investigates government hacking threats. --------------------------------------------- http://blog.fefe.de/?ts=99f9d232 ∗∗∗ Magenta ID wurde deaktiviert: Vorsicht vor täuschend echter Phishing-Mail ∗∗∗ --------------------------------------------- Ein sehr gut gefälschtes Magenta-Mail ist gerade in Österreich in Umlauf. Wer genau hinsieht, kann es entlarven. --------------------------------------------- https://futurezone.at/digital-life/magenta-id-wurde-deaktiviert-mail-phishi… ∗∗∗ Malware by the (Bit)Bucket: Unveiling AsyncRAT ∗∗∗ --------------------------------------------- Recently, we uncovered a sophisticated attack campaign employing a multi-stage approach to deliver AsyncRAT via a legitimate platform called Bitbucket. --------------------------------------------- https://www.gdatasoftware.com/blog/2024/10/38043-asyncrat-bitbucket ∗∗∗ File hosting services misused for identity phishing ∗∗∗ --------------------------------------------- Since mid-April 2024, Microsoft has observed an increase in defense evasion tactics used in campaigns abusing file hosting services like SharePoint, OneDrive, and Dropbox. These campaigns use sophisticated techniques to perform social engineering, evade detection, and compromise identities, and include business email compromise (BEC) attacks. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2024/10/08/file-hosting-servi… ∗∗∗ Technical Analysis of DarkVision RAT ∗∗∗ --------------------------------------------- IntroductionDarkVision RAT is a highly customizable remote access trojan (RAT) that first surfaced in 2020, offered on Hack Forums and their website for as little as $60. Written in C/C++, and assembly, DarkVision RAT has gained popularity due to its affordability and extensive feature set, making it accessible even to low-skilled cybercriminals. The RAT’s capabilities include keylogging, taking screenshots, file manipulation, process injection, remote code execution, and password theft. --------------------------------------------- https://www.zscaler.com/blogs/security-research/technical-analysis-darkvisi… ∗∗∗ Ransom & Dark Web Issues Week 2, October 2024 ∗∗∗ --------------------------------------------- * New Target of KillSec Ransomware Attack: South Korean Commercial Property Content Provider * Dark Web Market Bohemia/Cannabia Shut Down by Law Enforcement, Two Administrators Arrested * New Ransomware Gang Sarcoma: Conducted Attacks on a Total of 30 Companies --------------------------------------------- https://asec.ahnlab.com/en/83739/ ∗∗∗ Internet Archive unter Beschuss: Über 30 Millionen Nutzerdaten gestohlen ∗∗∗ --------------------------------------------- Bislang Unbekannte vergriffen sich mehrfach am Internet Archive. Bereits im September wurden Nutzerdaten und Passwort-Hashes abgezogen. --------------------------------------------- https://heise.de/-9975986 ===================== = Vulnerabilities = ===================== ∗∗∗ GitLab warns of critical arbitrary branch pipeline execution flaw ∗∗∗ --------------------------------------------- GitLab has released security updates to address multiple flaws in Community Edition (CE) and Enterprise Edition (EE), including a critical arbitrary branch pipeline execution flaw. --------------------------------------------- https://www.bleepingcomputer.com/news/security/gitlab-warns-of-critical-arb… ∗∗∗ Experts Warn of Critical Unpatched Vulnerability in Linear eMerge E3 Systems ∗∗∗ --------------------------------------------- Cybersecurity security researchers are warning about an unpatched vulnerability in Nice Linear eMerge E3 access controller systems that could allow for the execution of arbitrary operating system (OS) commands.The flaw, assigned the CVE identifier CVE-2024-9441, carries a CVSS score of 9.8 out of a maximum of 10.0, according to VulnCheck. --------------------------------------------- https://thehackernews.com/2024/10/experts-warn-of-critical-unpatched.html ∗∗∗ wkhtmltopdf - Highly critical - Unsupported - SA-CONTRIB-2024-049 ∗∗∗ --------------------------------------------- Project: wkhtmltopdfDate: 2024-October-09Security risk: Highly critical 23 ∕ 25 AC:None/A:None/CI:All/II:All/E:Proof/TD:AllVulnerability: UnsupportedAffected versions: *Description: The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#procedure---own-project---unsupportedSol…: If you use this project, --------------------------------------------- https://www.drupal.org/sa-contrib-2024-049 ∗∗∗ Facets - Critical - Cross Site Scripting - SA-CONTRIB-2024-047 ∗∗∗ --------------------------------------------- Project: FacetsDate: 2024-October-09Security risk: Critical 15 ∕ 25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross Site ScriptingAffected versions: Description: This module enables you to to easily create and manage faceted search interfaces.The module doesnt sufficiently filter for malicious script leading to a reflected cross site scripting (XSS) vulnerability.Solution: Install the latest version:If you use the Facets module, upgrade to Facets --------------------------------------------- https://www.drupal.org/sa-contrib-2024-047 ∗∗∗ Block permissions - Moderately critical - Access bypass - SA-CONTRIB-2024-046 ∗∗∗ --------------------------------------------- Project: Block permissionsDate: 2024-October-09Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Access bypassAffected versions: >=1.0.0 Description: This module enables you to manage blocks from specific modules in the specific themes.The module doesnt sufficiently check permissions under the scenario when a block is added using the form "/admin/structure/block/add/{plugin_id}/{theme}" (route --------------------------------------------- https://www.drupal.org/sa-contrib-2024-046 ∗∗∗ Monster Menus - Moderately critical - Access bypass, Information Disclosure - SA-CONTRIB-2024-045 ∗∗∗ --------------------------------------------- Project: Monster MenusDate: 2024-October-09Security risk: Moderately critical 13 ∕ 25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:UncommonVulnerability: Access bypass, Information DisclosureAffected versions: Description: This module enables you to group nodes within pages that have a highly-granular, distributed permissions structure.A function which can be used by third-party code does not return valid data under certain rare circumstances. If the third-party code relies on this --------------------------------------------- https://www.drupal.org/sa-contrib-2024-045 ∗∗∗ Gutenberg - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2024-048 ∗∗∗ --------------------------------------------- Project: GutenbergDate: 2024-October-09Security risk: Moderately critical 12 ∕ 25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross Site Request ForgeryAffected versions: =3.0.0 Description: This module provides a new UI experience for node editing using the Gutenberg Editor library.The module did not sufficiently protect some routes against a Cross Site Request Forgery attack.This vulnerability is mitigated by the fact that the tricked user needs to have an --------------------------------------------- https://www.drupal.org/sa-contrib-2024-048 ∗∗∗ VMSA-2024-0020:VMware NSX updates address multiple vulnerabilities (CVE-2024-38818, CVE-2024-38817, CVE-2024-38815) ∗∗∗ --------------------------------------------- Multiple vulnerabilities in VMware NSX were responsibly reported to VMware. Updates are available to remediate these vulnerabilities in the affected VMware products. --------------------------------------------- https://support.broadcom.com/web/ecx/support-=content-notification/-/extern… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium), Fedora (firefox, koji, unbound, webkit2gtk4.0, and xen), Red Hat (glibc, net-snmp, and tomcat), Slackware (mozilla), SUSE (apache-commons-io, buildah, cups-filters, liboath-devel, libreoffice, libunbound8, podman, and redis), and Ubuntu (cups-browsed, cups-filters, edk2, linux-raspi-5.4, and oath-toolkit). --------------------------------------------- https://lwn.net/Articles/993595/ ∗∗∗ Redis Vulnerability Security Update Advisory (CVE-2024-31449) ∗∗∗ --------------------------------------------- An update has been released to address vulnerabilities in Redis. Users of the affected versions are advised to update to the latest version. --------------------------------------------- https://asec.ahnlab.com/en/83704/ ∗∗∗ Ivanti Product Security Update Advisory ∗∗∗ --------------------------------------------- * CVE-2024-9380, CVE-2024-9381: Ivanti Cloud Services Appliance (CSA) versions: ~ 5.0.1 (inclusive) * CVE-2024-7612: Ivanti EPMM (Core) versions: ~ 12.1.0.3 (inclusive) * CVE-2024-9167: Velocity License Server versions: 5.1 (inclusive) ~ 5.1.2 (inclusive) --------------------------------------------- https://asec.ahnlab.com/en/83706/ ∗∗∗ Adobe Family October 2024 Routine Security Update Advisory ∗∗∗ --------------------------------------------- Adobe has released a security update that addresses a vulnerability in its supplied products. Users of affected systems are advised to update to the latest version. --------------------------------------------- https://asec.ahnlab.com/en/83710/ ∗∗∗ SAP Product Security Update Advisory ∗∗∗ --------------------------------------------- * CVE-2024-37179: SAP BusinessObjects Business Intelligence Platform, ENTERPRISE 420, 430, 2025, Enterprise clienttools 420 * CVE-2024-41730: SAP BusinessObjects Business Intelligence Platform, ENTERPRISE 430, 440 * CVE-2024-39592: SAP PDCE, S4CORE 102, S4CORE 103, S4COREOP 104, S4COREOP 105, S4COREOP 106, S4COREOP 107, S4COREOP 108 --------------------------------------------- https://asec.ahnlab.com/en/83736/ ∗∗∗ SonicWall SSL-VPN SMA1000 and Connect Tunnel Windows Client Affected By Multiple Vulnerabilities ∗∗∗ --------------------------------------------- 1) CVE-2024-45315 - SonicWALL SMA1000 Connect Tunnel Windows Client Link Following Denial-of-Service Vulnerability 2) CVE-2024-45316 - SonicWALL SMA1000 Connect Tunnel Windows Client Link Following Local Privilege Escalation Vulnerability 3) CVE-2024-45317 - Unauthenticated SMA1000 12.4.x Server-Side Request Forgery (SSRF) Vulnerability --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0017 ∗∗∗ CISA Releases Twenty-One Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- * ICSA-24-284-01 Siemens SIMATIC S7-1500 and S7-1200 CPUs * ICSA-24-284-02 Siemens Simcenter Nastran * ICSA-24-284-03 Siemens Teamcenter Visualization and JT2Go * ICSA-24-284-04 Siemens SENTRON PAC3200 Devices * ICSA-24-284-05 Siemens Questa and ModelSim * ICSA-24-284-06 Siemens SINEC Security Monitor * ICSA-24-284-07 Siemens JT2Go * ICSA-24-284-08 Siemens HiMed Cockpit * ICSA-24-284-09 Siemens PSS SINCAL * ICSA-24-284-10 Siemens SIMATIC S7-1500 CPUs * ICSA-24-284-11 Siemens RUGGEDCOM APE1808 * ICSA-24-284-12 Siemens Sentron Powercenter 1000 * ICSA-24-284-13 Siemens Tecnomatix Plant Simulation * ICSA-24-284-14 Schneider Electric Zelio Soft 2 * ICSA-24-284-15 Rockwell Automation DataMosaix Private Cloud * ICSA-24-284-16 Rockwell Automation DataMosaix Private Cloud * ICSA-24-284-17 Rockwell Automation Verve Asset Manager * ICSA-24-284-18 Rockwell Automation Logix Controllers * ICSA-24-284-19 Rockwell Automation PowerFlex 6000T * ICSA-24-284-20 Rockwell Automation ControlLogix * ICSA-24-284-21 Delta Electronics CNCSoft-G2 --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/10/10/cisa-releases-twenty-one… ∗∗∗ Synacor Zimbra Collaboration Command Execution Vulnerability ∗∗∗ --------------------------------------------- Threat Actors are exploiting a recently fixed RCE vulnerability in Zimbra email servers, which can be exploited just by sending specially crafted emails to the SMTP server. --------------------------------------------- https://fortiguard.fortinet.com/outbreak-alert/zimbra-collaboration-rce ∗∗∗ Gutenberg - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2024-048 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2024-048 ∗∗∗ 2024-10-10: Cyber Security Advisory - ABB IRC5 RobotWare – PROFINET Stack Vulnerability ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=SI20337&LanguageCod… ∗∗∗ 2024-10 Security Bulletin: Junos OS and Junos OS Evolved: BGP update message containing aggregator attribute with an ASN value of zero (0) is accepted (CVE-2024-47507) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS: SRX Series: A large amount of traffic being processed by ATP Cloud can lead to a PFE crash (CVE-2024-47506) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS Evolved: Specific low privileged CLI commands and SNMP GET requests can trigger a resource leak ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS: Multiple vulnerabilities in OSS component nginx resolved ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS: SRX5000 Series: Receipt of a specific malformed packet will cause a flowd crash (CVE-2024-47504) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS: SRX4600 and SRX5000 Series: Sequence of specific PIM packets causes a flowd crash (CVE-2024-47503) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS Evolved: TCP session state is not always cleared on the Routing Engine (CVE-2024-47502) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS: MX304, MX with MPC10/11/LC9600, and EX9200 with EX9200-15C: In a VPLS or Junos Fusion scenario specific show commands cause an FPC crash (CVE-2024-47501) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS and Junos OS Evolved: In a BMP scenario receipt of a malformed AS PATH attribute can cause an RPD core (CVE-2024-47499) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS Evolved: QFX5000 Series: Configured MAC learning and move limits are not in effect (CVE-2024-47498) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS: SRX Series, QFX Series, MX Series and EX Series: Receiving specific HTTPS traffic causes resource exhaustion (CVE-2024-47497) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS: MX Series: The PFE will crash on running specific command (CVE-2024-47496) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS Evolved: In a dual-RE scenario a locally authenticated attacker with shell privileges can take over the device (CVE-2024-47495) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS: Due to a race condition AgentD process causes a memory corruption and FPC reset (CVE-2024-47494) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS: J-Web: Multiple vulnerabilities resolved in PHP software. ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS: SRX5K, SRX4600 and MX Series: Trio-based FPCs: Continuous physical interface flaps causes local FPC to crash (CVE-2024-47493) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS and Junos OS Evolved: Receipt of a specific malformed BGP path attribute leads to an RPD crash (CVE-2024-47491) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS Evolved: ACX 7000 Series: Receipt of specific transit MPLS packets causes resources to be exhausted (CVE-2024-47490) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS Evolved: Multiple vulnerabilities resolved in c-ares 1.18.1 ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS Evolved: ACX Series: Receipt of specific transit protocol packets is incorrectly processed by the RE (CVE-2024-47489) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos Space: Remote Command Execution (RCE) vulnerability in web application (CVE-2024-39563) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS and Junos OS Evolved: cRPD: Receipt of crafted TCP traffic can trigger high CPU utilization (CVE-2024-39547) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS: Multiple vulnerabilities resolved in OpenSSL ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS Evolved: Low privileged local user able to view NETCONF traceoptions files (CVE-2024-39544) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS Evolved: Connections to the network and broadcast address accepted (CVE-2024-39534) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS: SRX Series: Low privileged user able to access sensitive information on file system (CVE-2024-39527) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS and Junos OS Evolved: MX Series with MPC10/MPC11/LC9600, MX304, EX9200, PTX Series: Receipt of malformed DHCP packets causes interfaces to stop processing packets (CVE-2024-39526) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS and Junos OS Evolved: When BGP nexthop traceoptions is enabled, receipt of specially crafted BGP packet causes RPD crash (CVE-2024-39525) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS and Junos OS Evolved: Junos OS and Junos OS Evolved: Receipt of a specifically malformed BGP packet causes RPD crash when segment routing is enabled (CVE-2024-39516) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS and Junos OS Evolved: With BGP traceoptions enabled, receipt of specially crafted BGP update causes RPD crash (CVE-2024-39515) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos Space: OS command injection vulnerability in OpenSSH (CVE-2023-51385) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS and Junos OS Evolved: With BGP traceoptions enabled, receipt of specifically malformed BGP update causes RPD crash (CVE-2024-39516) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS and Junos OS Evolved: In a BMP scenario receipt of a malformed AS PATH attribute can cause an RPD core (CVE-2024-47499) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS and Junos OS Evolved: When BGP traceoptions is enabled, receipt of specially crafted BGP packet causes RPD crash (CVE-2024-39525) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ SSA-438590 V1.0: Buffer Overflow Vulnerability in Siveillance Video Camera Drivers ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-438590.html ∗∗∗ CVE-2024-9469 Cortex XDR Agent: Local Windows User Can Disable the Agent (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2024-9469 ∗∗∗ CVE-2024-9471 PAN-OS: Privilege Escalation (PE) Vulnerability in XML API (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2024-9471 ∗∗∗ CVE-2024-9468 PAN-OS: Firewall Denial of Service (DoS) via a Maliciously Crafted Packet (Severity: HIGH) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2024-9468 ∗∗∗ PAN-SA-2024-0010 Expedition: Multiple Vulnerabilities Lead to Firewall Admin Account Takeover (Severity: CRITICAL) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/PAN-SA-2024-0010 ∗∗∗ CVE-2024-9473 GlobalProtect App: Local Privilege Escalation (PE) Vulnerability (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2024-9473 ∗∗∗ PAN-SA-2024-0011 Chromium: Monthly Vulnerability Updates (Severity: HIGH) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/PAN-SA-2024-0011 ∗∗∗ CVE-2024-9470 Cortex XSOAR: Information Disclosure Vulnerability (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2024-9470 ∗∗∗ PAN-SA-2024-0010 Expedition: Multiple Vulnerabilities in Expedition Lead to Exposure of Firewall Credentials (Severity: CRITICAL) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/PAN-SA-2024-0010 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.10.2024
by Daily end-of-shift report 09 Oct '24

09 Oct '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 08-10-2024 18:00 − Mittwoch 09-10-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Two never-before-seen tools, from same group, infect air-gapped devices ∗∗∗ --------------------------------------------- Its hard enough creating one air-gap-jumping tool. GoldenJackal did it 2x in 5 years. --------------------------------------------- https://arstechnica.com/security/2024/10/two-never-before-seen-tools-from-s… ∗∗∗ European govt air-gapped systems breached using custom malware ∗∗∗ --------------------------------------------- An APT hacking group known as GoldenJackal has successfully breached air-gapped government systems in Europe using two custom toolsets to steal sensitive data, like emails, encryption keys, images, archives, and documents. --------------------------------------------- https://www.bleepingcomputer.com/news/security/european-govt-air-gapped-sys… ∗∗∗ New scanner finds Linux, UNIX servers exposed to CUPS RCE attacks ∗∗∗ --------------------------------------------- An automated scanner has been released to help security professionals scan environments for devices vulnerable to the Common Unix Printing System (CUPS) RCE flaw tracked as CVE-2024-47176. --------------------------------------------- https://www.bleepingcomputer.com/news/software/new-scanner-finds-linux-unix… ∗∗∗ Sicherheitslücke: RDP-Server von Windows aus der Ferne angreifbar ∗∗∗ --------------------------------------------- Ein erfolgreicher Angriff erfordert zwar eine gewonnene Race Condition, dafür aber keinerlei Authentifizierung oder Nutzer-Interaktion. --------------------------------------------- https://www.golem.de/news/sicherheitsluecke-rdp-server-von-windows-aus-der-… ∗∗∗ Cisco warnt: Kinder erhöhen Cyberrisiko im Homeoffice ∗∗∗ --------------------------------------------- Laut Cisco erlauben rund zwei Drittel aller Eltern im Homeoffice ihren Kindern den Zugriff auf beruflich genutzte Geräte - häufig sogar unbeaufsichtigt. --------------------------------------------- https://www.golem.de/news/cisco-warnt-kinder-erhoehen-cyberrisiko-im-homeof… ∗∗∗ From Perfctl to InfoStealer ∗∗∗ --------------------------------------------- A few days ago, a new stealthy malware targeting Linux hosts made a lot of noise: perfctl[1]. The malware has been pretty well analyzed and I wont repeat what has been already disclosed. I found a .. --------------------------------------------- https://isc.sans.edu/diary/From+Perfctl+to+InfoStealer/31334 ∗∗∗ Ransomware gang Trinity joins pile of scumbags targeting healthcare ∗∗∗ --------------------------------------------- As if hospitals and clinics didnt have enough to worry about At least one US healthcare provider has been infected by Trinity, an emerging cybercrime gang with eponymous ransomware that uses double extortion and other "sophisticated" tactics that make it a "significant threat," according to the feds. --------------------------------------------- https://www.theregister.com/2024/10/09/trinity_ransomware_targets_healthcar… ∗∗∗ Patch Tuesday, October 2024 Edition ∗∗∗ --------------------------------------------- Microsoft today released security updates to fix at least 117 security holes in Windows computers and other software, including two vulnerabilities that are already seeing active attacks. Also, Adobe plugged 52 security holes .. --------------------------------------------- https://krebsonsecurity.com/2024/10/patch-tuesday-october-2024-edition/ ∗∗∗ How to handle vulnerability reports in aviation ∗∗∗ --------------------------------------------- TL;DR Always thank researchers for reporting vulnerabilities. Acknowledging their efforts can set the right tone. Lead all communications with researchers. Don’t let legal or PR teams take over. Provide .. --------------------------------------------- https://www.pentestpartners.com/security-blog/how-to-handle-vulnerability-r… ∗∗∗ So stehlen Kriminelle mit gefälschten FinanzOnline-Benachrichtigungen Ihre Bankomatkarte ∗∗∗ --------------------------------------------- Sie werden per SMS über eine Rückerstattung vom Finanzamt informiert und klicken auf den Link. Sie gelangen auf die Webseite des Finanzamts – zumindest sieht es so aus. Sie wählen Ihre Bank aus, um das Geld zu erhalten. Doch plötzlich kommt eine Fehlermeldung von Ihrer Bank. Sie erhalten eine neue Bankomatkarte und müssen die alte zerschneiden und .. --------------------------------------------- https://www.watchlist-internet.at/news/so-stehlen-kriminelle-kartenwechsel-… ∗∗∗ Contagious Interview: DPRK Threat Actors Lure Tech Industry Job Seekers to Install New Variants of BeaverTail and InvisibleFerret Malware ∗∗∗ --------------------------------------------- Discover how North Korean attackers, posing as recruiters, used an updated downloader and backdoor in a campaign targeting tech job seekers. --------------------------------------------- https://unit42.paloaltonetworks.com/north-korean-threat-actors-lure-tech-jo… ∗∗∗ Schwachstellen in Intels Sicherheitstechnologie TDX entdeckt ∗∗∗ --------------------------------------------- Wissenschaftler von der Universität zu Lübeck haben Schwachstellen in Intels Trusted Domain Extensions identifiziert. Intel hat eine Lücke bereits geschlossen. --------------------------------------------- https://heise.de/-9974224 ===================== = Vulnerabilities = ===================== ∗∗∗ Synology-SA-24:12 GitLab ∗∗∗ --------------------------------------------- A vulnerability allows remote attacker to bypass authentication via a susceptible version of GitLab. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_24_12 ∗∗∗ DSA-5729-2 apache2 - regression update ∗∗∗ --------------------------------------------- https://lists.debian.org/debian-security-announce/2024/msg00200.html ∗∗∗ Announcement: Drupal core issues with some risk levels may be treated as bugs in the public issue queue, not as private security issues - PSA-2023-07-12 ∗∗∗ --------------------------------------------- https://www.drupal.org/psa-2023-07-12 ∗∗∗ Local Privilege Escalation mittels MSI installer in Palo Alto Networks GlobalProtect ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/local-privilege-escal… ∗∗∗ October Security Update ∗∗∗ --------------------------------------------- https://www.ivanti.com/blog/october-2024-security-update -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.10.2024
by Daily end-of-shift report 08 Oct '24

08 Oct '24

===================== = End-of-Day report = ===================== Timeframe: Montag 07-10-2024 18:00 − Dienstag 08-10-2024 18:00 Handler: Alexander Riepl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ ADT discloses second breach in 2 months, hacked via stolen credentials ∗∗∗ --------------------------------------------- Home and small business security company ADT disclosed it suffered a breach after threat actors gained access to its systems using stolen credentials and exfiltrated employee account data. --------------------------------------------- https://www.bleepingcomputer.com/news/security/adt-discloses-second-breach-… ∗∗∗ Casio reports IT systems failure after weekend network breach ∗∗∗ --------------------------------------------- Japanese tech giant Casio has suffered a cyberattack after an unauthorized actor accessed its networks on October 5, causing system disruption that impacted some of its services. --------------------------------------------- https://www.bleepingcomputer.com/news/security/casio-reports-it-systems-fai… ∗∗∗ New Gorilla Botnet Launches Over 300,000 DDoS Attacks Across 100 Countries ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered a new botnet malware family called Gorilla (aka GorillaBot) that draws its inspiration from the leaked Mirai botnet source code.Cybersecurity firm NSFOCUS, which identified the activity last month, said the botnet "issued over 300,000 attack commands, with a shocking attack density" between September 4 and September 27, 2024. --------------------------------------------- https://thehackernews.com/2024/10/new-gorilla-botnet-launches-over-300000.h… ∗∗∗ Feds reach for sliver of crypto-cash nicked by North Koreas notorious Lazarus Group ∗∗∗ --------------------------------------------- The US government is attempting to claw back more than $2.67 million stolen by North Koreas Lazarus Group, filing two lawsuits to force the forfeiture of millions in Tether and Bitcoin.… --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2024/10/08/us_lazarus_g… ∗∗∗ Shining Light on the Dark Angels Ransomware Group ∗∗∗ --------------------------------------------- The Dark Angels ransomware threat group launched attacks beginning in April 2022, and has since been quietly executing highly targeted attacks. Dark Angels operate with more stealthy and sophisticated strategies than many other ransomware groups. Instead of outsourcing breaches to third-party initial access brokers that target a wide range of victims, Dark Angels launch their own attacks that focus on a limited number of large companies. --------------------------------------------- https://www.zscaler.com/blogs/security-research/shining-light-dark-angels-r… ∗∗∗ 7,000 WordPress Sites Affected by Unauthenticated Critical Vulnerabilities in LatePoint WordPress Plugin ∗∗∗ --------------------------------------------- On September 17, 2024, our Wordfence Threat Intelligence team identified and began the responsible disclosure process for two critical vulnerabilities in the LatePoint plugin, which is estimated to be actively installed on more than 7,000 WordPress websites. --------------------------------------------- https://www.wordfence.com/blog/2024/10/7000-wordpress-sites-affected-by-una… ∗∗∗ Nitrogen Campaign Drops Sliver and Ends With BlackCat Ransomware ∗∗∗ --------------------------------------------- In November 2023, we identified a BlackCat ransomware intrusion started by Nitrogen malware hosted on a website impersonating Advanced IP Scanner. Nitrogen was leveraged to deploy Sliver and Cobalt Strike beacons on the beachhead host and perform further malicious actions. --------------------------------------------- https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-end… ∗∗∗ Ukrainian pleads guilty to running Raccoon Infostealer malware, agrees to pay nearly $1 million ∗∗∗ --------------------------------------------- A Ukrainian national pleaded guilty in U.S. federal court to running the Raccoon Infostealer malware, and agreed to pay victims more than $900,000 as part of the plea deal. --------------------------------------------- https://therecord.media/raccoon-stealer-operator-pleads-guilty ∗∗∗ TAG Bulletin: Q3 2024 ∗∗∗ --------------------------------------------- This bulletin includes coordinated influence operation campaigns terminated on our platforms in Q3 2024. It was last updated on October 7, 2024. --------------------------------------------- https://blog.google/threat-analysis-group/tag-bulletin-q3-2024/ ∗∗∗ Crypto-Stealing Code Lurking in Python Package Dependencies ∗∗∗ --------------------------------------------- On September 22nd, a new PyPI user orchestrated a wide-ranging attack by uploading multiple packages within a short timeframe. These packages, bearing names like “AtomicDecoderss,” “TrustDecoderss,” “WalletDecoderss,” and “ExodusDecodes,” masqueraded as legitimate tools for decoding and managing data from an array of popular cryptocurrency wallets. --------------------------------------------- https://checkmarx.com/blog/crypto-stealing-code-lurking-in-python-package-d… ∗∗∗ Okta Fixes Critical Vulnerability Allowing Sign-On Policy Bypass ∗∗∗ --------------------------------------------- Okta fixed a vulnerability in its Classic product that allowed attackers to bypass sign-on policies. Exploitation required valid credentials and the use of an “unknown” device. Affected users should review system logs. --------------------------------------------- https://hackread.com/okta-fixes-sign-on-policy-bypass-vulnerability/ ∗∗∗ Cyberattack on American Water Shuts Down Customer Portal, Halts Billing ∗∗∗ --------------------------------------------- American Water faces a cyberattack, disrupting its customer portal and billing operations. The company assures that water services remain unaffected while cybersecurity experts manage the incident. --------------------------------------------- https://hackread.com/american-water-cyberattack-shuts-down-portal-billing/ ∗∗∗ Storm-1575 Threat Actor Deploys New Login Panels for Phishing Infrastructure ∗∗∗ --------------------------------------------- The Storm-1575 group is known for frequently rebranding its phishing infrastructure. Recently, ANY.RUN analysts identified the deployment of new login panels, which are part of the threat actor’s ongoing efforts to compromise users’ Microsoft and Google accounts. --------------------------------------------- https://hackread.com/storm-1575-threat-actor-new-login-panels-phishing-infr… ∗∗∗ Lua Malware Targeting Student Gamers via Fake Game Cheats ∗∗∗ --------------------------------------------- Morphisec Threat Labs uncovers sophisticated Lua malware targeting student gamers and educational institutions. Learn how these attacks work and how to stay protected. --------------------------------------------- https://hackread.com/lua-malware-hit-student-gamers-fake-game-cheats/ ===================== = Vulnerabilities = ===================== ∗∗∗ Qualcomm patches high-severity zero-day exploited in attacks ∗∗∗ --------------------------------------------- Qualcomm has released security patches for a zero-day vulnerability in the Digital Signal Processor (DSP) service that impacts dozens of chipsets. --------------------------------------------- https://www.bleepingcomputer.com/news/security/qualcomm-patches-high-severi… ∗∗∗ TYPO3-CORE-SA-2024-012: Information Disclosure in TYPO3 Page Tree ∗∗∗ --------------------------------------------- It has been discovered that TYPO3 CMS is susceptible to information disclosure. --------------------------------------------- https://typo3.org/security/advisory/typo3-core-sa-2024-012 ∗∗∗ TYPO3-CORE-SA-2024-011: Denial of Service in TYPO3 Bookmark Toolbar ∗∗∗ --------------------------------------------- It has been discovered that TYPO3 CMS is susceptible to denial of service. --------------------------------------------- https://typo3.org/security/advisory/typo3-core-sa-2024-011 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (kernel), Fedora (webkitgtk), Mageia (cups), Oracle (e2fsprogs, kernel, and kernel-container), Red Hat (buildah, container-tools:rhel8, containernetworking-plugins, git-lfs, go-toolset:rhel8, golang, grafana-pcp, podman, and skopeo), SUSE (Mesa, mozjs115, podofo, and redis7), and Ubuntu (cups and cups-filters). --------------------------------------------- https://lwn.net/Articles/993276/ ∗∗∗ Kritische Sicherheitslücken in Draytek-Geräten erlauben Systemübernahme ∗∗∗ --------------------------------------------- Forscher fanden im Betriebssystem der Vigor-Router vierzehn neue Lücken, betroffen sind zwei Dutzend teilweise veraltete Typen. Patches stehen bereit. --------------------------------------------- https://heise.de/-9973906 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.10.2024
by Daily end-of-shift report 07 Oct '24

07 Oct '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 04-10-2024 18:00 − Montag 07-10-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Russia arrests US-sanctioned Cryptex founder, 95 other linked suspects ∗∗∗ --------------------------------------------- Russian law enforcement detained almost 100 suspects linked to the Cryptex cryptocurrency exchange, the UAPS anonymous payment service, and 33 other online services and platforms used to make illegal payments and sell stolen credentials. --------------------------------------------- https://www.bleepingcomputer.com/news/security/russia-arrests-us-sanctioned… ∗∗∗ MoneyGram: No evidence ransomware is behind recent cyberattack ∗∗∗ --------------------------------------------- MoneyGram says there is no evidence that ransomware is behind a recent cyberattack that led to a five-day outage in September. --------------------------------------------- https://www.bleepingcomputer.com/news/security/moneygram-no-evidence-ransom… ∗∗∗ Spielzeugmarke: Hack der Lego-Webseite zielt auf Kryptobetrug ab ∗∗∗ --------------------------------------------- Am 4. Oktober 2024 wurde die offizielle Website von Lego Opfer eines Hacks. Unbekannte bewarben eine Kryptowährung namens Lego-Coin. --------------------------------------------- https://www.golem.de/news/spielzeugmarke-hack-der-lego-webseite-zielt-auf-k… ∗∗∗ Nach US-Bann: Kaspersky fliegt weltweit aus dem Google Play Store ∗∗∗ --------------------------------------------- Kaspersky-Software ist seit Tagen nicht mehr im Play Store erhältlich. Ursache ist das US-Verbot des russischen Herstellers - mit globalen Auswirkungen. --------------------------------------------- https://www.golem.de/news/nach-us-bann-kaspersky-fliegt-weltweit-aus-dem-go… ∗∗∗ Awaken Likho is awake: new techniques of an APT group ∗∗∗ --------------------------------------------- Kaspersky experts have discovered a new version of the APT Awaken Likho RAT Trojan, which uses AutoIt scripts and the MeshCentral system to target Russian organizations. --------------------------------------------- https://securelist.com/awaken-likho-apt-new-implant-campaign/114101/ ∗∗∗ HUMINT and its Role within Cybersecurity ∗∗∗ --------------------------------------------- This blog explores HUMINTs role in cybersecurity, detailing its implementation, benefits, and potential risks. --------------------------------------------- https://www.sans.org/blog/humint-and-its-role-within-cybersecurity ∗∗∗ Largest Recorded DDoS Attack is 3.8 Tbps ∗∗∗ --------------------------------------------- Cloudflare just blocked the current record DDoS attack: 3.8 terabits per second. (Lots of good information on the attack, and DDoS in general, at the link.) --------------------------------------------- https://www.schneier.com/blog/archives/2024/10/largest-recorded-ddos-attack… ∗∗∗ Critical Apache Avro SDK Flaw Allows Remote Code Execution in Java Applications ∗∗∗ --------------------------------------------- A critical security flaw has been disclosed in the Apache Avro Java Software Development Kit (SDK) that, if successfully exploited, could allow the execution of arbitrary code on susceptible instances.The flaw, tracked as CVE-2024-47561, .. --------------------------------------------- https://thehackernews.com/2024/10/critical-apache-avro-sdk-flaw-allows.html ∗∗∗ Chinesische Hacker stehlen sensible Daten von US-Gerichten ∗∗∗ --------------------------------------------- Via Internetdienstanbieter verschafft sich die "Salt Typhoon"-Kampagne Zugriff zu heiklen Daten. US-Behörden befürchten weitere Angriffe --------------------------------------------- https://www.derstandard.at/story/3000000239609/chinesische-hacker-stehlen-s… ∗∗∗ No Way to Hide: Uncovering New Campaigns from Daily Tunneling Detection ∗∗∗ --------------------------------------------- Four DNS tunneling campaigns identified through a new machine learning tool expose intricate tactics when targeting vital sectors like finance, healthcare and more. --------------------------------------------- https://unit42.paloaltonetworks.com/detecting-dns-tunneling-campaigns/ ∗∗∗ From Pwn2Own Automotive: More Autel Maxicharger Vulnerabilities ∗∗∗ --------------------------------------------- This blog post highlights two additional vulnerabilities in the Autel Maxicharger that were exploited at Pwn2Own Automotive 2024. Details of the patches are also included. --------------------------------------------- https://www.thezdi.com/blog/2024/10/2/from-pwn2own-automotive-more-autel-ma… ∗∗∗ Russian state media company operation disrupted by ‘unprecedented’ cyberattack ∗∗∗ --------------------------------------------- Russian state television and radio broadcasting company VGTRK was hit by a cyberattack on Monday that disrupted its operations, the company confirmed in a statement to local news agencies. --------------------------------------------- https://therecord.media/russian-state-media-company-disrupted-cyberattack ∗∗∗ Engaging with Boards to improve the management of cyber security risk ∗∗∗ --------------------------------------------- How to communicate more effectively with board members to improve cyber security decision making. --------------------------------------------- https://www.ncsc.gov.uk/guidance/board-level-cyber-discussions-communicatin… ∗∗∗ Forensic Readiness in Container Environments ∗∗∗ --------------------------------------------- One of the most frustrating issues that Digital Forensics and Incident Response (DFIR) consultants encounter is a lack of forensic data available for analysis. This article aims to mitigate such situations by providing key considerations for improving forensic readiness. --------------------------------------------- https://www.nccgroup.com/us/research-blog/forensic-readiness-in-container-e… ===================== = Vulnerabilities = ===================== ∗∗∗ DSA-5785-1 mediawiki - security update ∗∗∗ --------------------------------------------- Dom Walden discovered that the AbuseFilter extension in MediaWiki, a website engine for collaborative work, performed incomplete authorisation checks. --------------------------------------------- https://lists.debian.org/debian-security-announce/2024/msg00198.html ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (go-toolset:rhel8 and linux-firmware), Arch Linux (oath-toolkit), Debian (e2fsprogs, firefox-esr, libgsf, mediawiki, and oath-toolkit), Fedora (aws, chromium, firefox, p7zip, pgadmin4, python-gcsfs, unbound, webkitgtk, znc, znc-clientbuffer, and znc-push), Mageia (ghostscript and rootcerts nss firefox firefox-l10n), .. --------------------------------------------- https://lwn.net/Articles/993160/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.10.2024
by Daily end-of-shift report 04 Oct '24

04 Oct '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 03-10-2024 18:00 − Freitag 04-10-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Cloudflare blocks largest recorded DDoS attack peaking at 3.8Tbps ∗∗∗ --------------------------------------------- During a distributed denial-of-service campaign targeting organizations in the financial services, internet, and telecommunications sectors, volumetric attacks peaked at 3.8 terabits per second, the largest publicly recorded to date. The assault consisted of a "month-long" barrage of more than 100 hyper-volumetric DDoS attacks flood. [..] Many of the attacks aimed at the target’s network infrastructure (network and transport layers L3/4) exceeded two billion packets per second (pps) and three terabits per second (Tbps). [..] The threat actor behind the campaign leveraged multiple types of compromised devices, which included a large number of Asus home routers, Mikrotik systems, DVRs, and web servers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cloudflare-blocks-largest-re… ∗∗∗ Over 4,000 Adobe Commerce, Magento shops hacked in CosmicSting attacks ∗∗∗ --------------------------------------------- Approximately 5% of all Adobe Commerce and Magento online stores, or 4,275 in absolute numbers, have been hacked in "CosmicSting" attacks. [..] The CosmicSting vulnerability (CVE-2024-34102) is a critical severity information disclosure flaw; when chained with CVE-2024-2961, a security issue in glibc's iconv function, an attacker can achieve remote code execution on the target server. [..] Sansec says that multiple threat actors are now conducting attacks as patching speed is not matching the critical nature of the situation. --------------------------------------------- https://www.bleepingcomputer.com/news/security/over-4-000-adobe-commerce-ma… ∗∗∗ Survey of CUPS exploit attempts, (Fri, Oct 4th) ∗∗∗ --------------------------------------------- It is about a week since the release of the four CUPS remote code execution vulnerabilities. After the vulnerabilities became known, I configured one of our honeypots that watches a larger set of IPs to specifically collect UDP packets to port 631. Here is a quick summary of the results. --------------------------------------------- https://isc.sans.edu/diary/rss/31326 ∗∗∗ Apple fixes bug that let VoiceOver shout your passwords ∗∗∗ --------------------------------------------- Apple just fixed a duo of security bugs in iOS 18.0.1 and iPadOS 18.0.1, one of which might cause users' saved passwords to be read aloud. It's hardly an ideal situation for the visually impaired. For those who rely on the accessibility features baked into their iGadgets, namely Apple's VoiceOver screen reader, now is a good time to apply the latest update. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2024/10/04/apple_voiceo… ∗∗∗ Sicherheitsupdates: Cisco patcht Lücken in Produkten quer durch die Bank ∗∗∗ --------------------------------------------- Neben einem kritischen Fehler kümmert sich der Netzwerkausrüster auch um einige Lücken mit mittlerem und hohem Risikograd. Patches stehen bereit. --------------------------------------------- https://heise.de/-9961998 ∗∗∗ DRAY:BREAK Breaking Into DreyTek Routers Before Threat Actors Do It Again ∗∗∗ --------------------------------------------- In 2024, routers are a primary target for cybercriminals and state-sponsored attackers – and are the riskiest device category on networks. With this knowledge, we investigated one vendor with a history of security flaws to help it address its issues and prevent new attacks. Our latest research discovered 14 new vulnerabilities in DrayTek routers. --------------------------------------------- https://www.forescout.com/resources/draybreak-draytek-research/ ∗∗∗ Threat actor believed to be spreading new MedusaLocker variant since 2022 ∗∗∗ --------------------------------------------- Talos has recently observed an attack leading to the deployment of a MedusaLocker ransomware variant known as “BabyLockerKZ.” The distinguishable techniques — including consistently storing the same set of tools in the same location on compromised systems, the use of tools that have the PDB path with the string “paid_memes,” and the use of a lateral movement tool named “checker” — used in the attack led us to take a deeper look to try to understand more about this threat actor. --------------------------------------------- https://blog.talosintelligence.com/threat-actor-believed-to-be-spreading-ne… ∗∗∗ Ransomware Groups Demystified: CyberVolk Ransomware ∗∗∗ --------------------------------------------- As part of our ongoing efforts to monitor emerging cyber threats, we have analyzed the activities of CyberVolk, a politically motivated hacktivist group that transitioned into using ransomware and has been active since June 2024. --------------------------------------------- https://www.rapid7.com/blog/post/2024/10/03/ransomware-groups-demystified-c… ∗∗∗ Google Adds New Pixel Security Features to Block 2G Exploits and Baseband Attacks ∗∗∗ --------------------------------------------- Google has revealed the various security guardrails that have been incorporated into its latest Pixel devices to counter the rising threat posed by baseband security attacks. --------------------------------------------- https://thehackernews.com/2024/10/android-14-adds-new-security-features.html ∗∗∗ Portable Hacking Lab: Control The Smallest Kali Linux With a Smartphone ∗∗∗ --------------------------------------------- Running Kali Linux on a Raspberry Pi Zero is a fantastic way to create a portable, powerful testing device. This guide will walk you through setting up Kali Linux Pi-Tail on a headless Raspberry Pi Zero 2 W that is powered and controlled from a smartphone via SSH or VNC that provides a graphical interface to your Pi-Tail. --------------------------------------------- https://www.mobile-hacker.com/2024/10/04/portable-hacking-lab-control-the-s… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (firefox, golang, linux-firmware, and thunderbird), Debian (kernel and zabbix), Fedora (firefox, pgadmin4, and php), Mageia (chromium-browser-stable, cjson, hostapd and wpa_supplicant, and openjpeg2), Oracle (firefox, flatpak, and go-toolset:ol8), Red Hat (cups-filters, firefox, grafana, linux-firmware, python3, python3.11, and python3.9), SUSE (expat, firefox, libpcap, and opensc), and Ubuntu (freeradius, imagemagick, and unzip). --------------------------------------------- https://lwn.net/Articles/992936/ ∗∗∗ Keycloak 26.0.0 released ∗∗∗ --------------------------------------------- CVE-2024-7318 - Use of a Key Past its Expiration Date in org.keycloak:keycloak-core, CVE-2024-8883 Vulnerable Redirect URI Validation Results in Open Redirect , CVE-2024-8698 Improper Verification of SAML Responses Leading to Privilege Escalation in Keycloak, CVE-2024-7254 - Stack-based Buffer Overflow in com.google.protobuf:protobuf-java --------------------------------------------- https://www.keycloak.org/2024/10/keycloak-2600-released ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (September 23, 2024 to September 29, 2024) ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2024/10/wordfence-intelligence-weekly-wordpr… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.10.2024
by Daily end-of-shift report 03 Oct '24

03 Oct '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 02-10-2024 18:00 − Donnerstag 03-10-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Fake browser updates spread updated WarmCookie malware ∗∗∗ --------------------------------------------- A new FakeUpdate campaign targeting users in France leverages compromised websites to show fake browser and application updates that spread a new version of the WarmCookie malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fake-browser-updates-spread-… ∗∗∗ FIN7 hackers launch deepfake nude “generator” sites to spread malware ∗∗∗ --------------------------------------------- The notorious APT hacking group known as FIN7 launched a network of fake AI-powered deepnude generator sites to infect visitors with information-stealing malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fin7-hackers-launch-deepfake… ∗∗∗ Weird Zimbra Vulnerability ∗∗∗ --------------------------------------------- Hackers can execute commands on a remote computer by sending malformed emails to a Zimbra mail server. It’s critical, but difficult to exploit.In an email sent Wednesday afternoon, Proofpoint researcher Greg Lesnewich seemed to largely concur that the attacks weren’t likely to lead to mass infections that could install ransomware or espionage .. --------------------------------------------- https://www.schneier.com/blog/archives/2024/10/weird-zimbra-vulnerability.h… ∗∗∗ INTERPOL Arrests 8 in Major Phishing and Romance Fraud Crackdown in West Africa ∗∗∗ --------------------------------------------- INTERPOL has announced the arrest of eight individuals in Côte dIvoire and Nigeria as part of a crackdown on phishing scams and romance cyber fraud.Dubbed Operation Contender 2.0, the initiative is designed to tackle cyber-enabled crimes .. --------------------------------------------- https://thehackernews.com/2024/10/interpol-arrests-8-in-major-phishing.html ∗∗∗ APT and financial attacks on industrial organizations in Q2 2024 ∗∗∗ --------------------------------------------- This summary provides an overview of the reports of APT and financial attacks on industrial enterprises that were disclosed in Q2 2024, as well as the related activities of groups that have been observed attacking industrial organizations and critical infrastructure facilities. --------------------------------------------- https://ics-cert.kaspersky.com/publications/apt-and-financial-attacks-on-in… ∗∗∗ Experts warn of DDoS attacks using linux printing vulnerability ∗∗∗ --------------------------------------------- A set of bugs that has caused alarm among cybersecurity experts may enable threat actors to launch powerful attacks designed to knock systems offline. --------------------------------------------- https://therecord.media/ddos-attacks-cups-linux-print-vulnerability ∗∗∗ As ransomware attacks surge, UK privacy regulator investigating fewer incidents than ever ∗∗∗ --------------------------------------------- Of the 1,253 incidents reported to the Information Commissioner’s Office (ICO) in 2023, only 87 were investigated — fewer than 7%. The numbers so far for 2024 are similar. --------------------------------------------- https://therecord.media/uk-ico-ransomware-investigations-data ∗∗∗ Threat actor believed to be spreading new MedusaLocker variant since 2022 ∗∗∗ --------------------------------------------- Cisco Talos has discovered a financially motivated threat actor, active since 2022, recently observed delivering a MedusaLocker ransomware variant. Intelligence collected by Talos on tools regularly employed by the threat .. --------------------------------------------- https://blog.talosintelligence.com/threat-actor-believed-to-be-spreading-ne… ∗∗∗ perfctl: A Stealthy Malware Targeting Millions of Linux Servers ∗∗∗ --------------------------------------------- In this blog post, Aqua Nautilus researchers aim to shed light on a Linux malware that, over the past 3-4 years, has actively sought more than 20,000 types of misconfigurations in order to target and exploit Linux servers. If you .. --------------------------------------------- https://blog.aquasec.com/perfctl-a-stealthy-malware-targeting-millions-of-l… ∗∗∗ "Alptraum": Daten aller niederländischen Polizisten geklaut – von Drittstaat? ∗∗∗ --------------------------------------------- Hacker haben die Kontaktdaten aller Mitarbeiter der Polizei erbeutet. Nun kommt das Justizministerium mit einer weiteren alarmierenden Nachricht. --------------------------------------------- https://heise.de/-9961529 ∗∗∗ Thailändische Regierung von neuem APT "CeranaKeeper" angegriffen ∗∗∗ --------------------------------------------- Bei Angriffen auf thailändische Behörden erbeuteten Cyberkriminelle Daten, indem sie verschlüsselte Dateien zu Filesharing-Diensten hochluden. --------------------------------------------- https://heise.de/-9961562 ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-24-1321: Apple macOS AppleVADriver Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Apple macOS. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 8.8. The following CVEs are assigned: CVE-2024-40841. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-1321/ ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (cups-filters), Debian (chromium and php8.2), Fedora (firefox), Oracle (cups-filters, flatpak, kernel, krb5, oVirt 4.5 ovirt-engine, and python-urllib3), Red Hat (cups-filters, firefox, go-toolset:rhel8, golang, and thunderbird), SUSE (postgresql16), and Ubuntu (gnome-shell and linux-azure-fde-5.15). --------------------------------------------- https://lwn.net/Articles/992798/ ∗∗∗ Two-factor Authentication (TFA) - Critical - Access bypass - SA-CONTRIB-2024-043 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2024-043 ∗∗∗ Cisco Nexus Dashboard Fabric Controller Arbitrary Command Execution Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Meraki MX and Z Series Teleworker Gateway AnyConnect VPN Denial of Service Vulnerabilities ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.10.2024
by Daily end-of-shift report 02 Oct '24

02 Oct '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 01-10-2024 18:00 − Mittwoch 02-10-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Crook made millions by breaking into execs’ Office365 inboxes, feds say ∗∗∗ --------------------------------------------- Email accounts inside 5 US companies unlawfully breached through password resets. --------------------------------------------- https://arstechnica.com/?p=2053721 ∗∗∗ Evil Corp hit with new sanctions, BitPaymer ransomware charges ∗∗∗ --------------------------------------------- The Evil Corp cybercrime syndicate has been hit with new sanctions by the United States, United Kingdom, and Australia. The US also indicted one of its members for conducting BitPaymer ransomware attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/evil-corp-hit-with-new-sanct… ∗∗∗ Arc browser launches bug bounty program after fixing RCE bug ∗∗∗ --------------------------------------------- The Browser Company has introduced an Arc Bug Bounty Program to encourage security researchers to report vulnerabilities to the project and receive rewards. --------------------------------------------- https://www.bleepingcomputer.com/news/security/arc-browser-launches-bug-bou… ∗∗∗ CISA: Network switch RCE flaw impacts critical infrastructure ∗∗∗ --------------------------------------------- U.S. cybersecurity agency CISA is warning about two critical vulnerabilities that allow authentication bypass and remote code execution in Optigo Networks ONS-S8 Aggregation Switch products used in critical infrastructure. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cisa-network-switch-rce-flaw… ∗∗∗ PyPI Repository Found Hosting Fake Crypto Wallet Recovery Tools That Steal User Data ∗∗∗ --------------------------------------------- A new set of malicious packages has been unearthed in the Python Package Index (PyPI) repository that masqueraded as cryptocurrency wallet recovery and management services, only to siphon sensitive data and facilitate the theft .. --------------------------------------------- https://thehackernews.com/2024/10/pypi-repository-found-hosting-fake.html ∗∗∗ Alert: Over 700,000 DrayTek Routers Exposed to Hacking via 14 New Vulnerabilities ∗∗∗ --------------------------------------------- A little over a dozen new security vulnerabilities have been discovered in residential and enterprise routers manufactured by DrayTek that could be exploited to take over susceptible devices."These vulnerabilities could enable attackers to take control .. --------------------------------------------- https://thehackernews.com/2024/10/alert-over-700000-draytek-routers.html ∗∗∗ NISTs security flaw database still backlogged with 17K+ unprocessed bugs. Not great ∗∗∗ --------------------------------------------- Logjam hurting infosec processes world over one expert tells us as US body blows its own Sept deadline NIST has made some progress clearing its backlog of security vulnerability reports to process - though its not quite on target as hoped. --------------------------------------------- https://www.theregister.com/2024/10/02/cve_pileup_nvd_missed_deadline/ ∗∗∗ After Code Execution, Researchers Show How CUPS Can Be Abused for DDoS Attacks ∗∗∗ --------------------------------------------- Over 58,000 internet-exposed CUPS hosts can be abused for significant DDoS attacks, according to Akamai. --------------------------------------------- https://www.securityweek.com/after-code-execution-researchers-show-how-cups… ∗∗∗ Dotnet Source Generators in 2024 Part 1: Getting Started ∗∗∗ --------------------------------------------- In this blog post, we will cover the basics of a source generator, the major types involved, some common issues you might encounter, how to properly log those issues, and how to fix them. --------------------------------------------- https://posts.specterops.io/dotnet-source-generators-in-2024-part-1-getting… ∗∗∗ Aktive Ausnutzung einer Sicherheitslücke in Zimbra Mail Server (CVE-2024-45519) ∗∗∗ --------------------------------------------- Der Hersteller des Zimbra Mail-Servers, Synacor, hat ein Advisory zu einer Sicherheitslücke in Zimbra Collaboration veröffentlicht. Die veröffentlichte Schwachstelle, CVE-2024-45519, erlaubt es nicht-authentifizierten Benutzern aus der Ferne Code auszuführen. Für die betroffenen Versionen (9.0.0, 10.0.9, 10.1.1 und 8.8.15) stehen jeweils Updates bereit, welche eine .. --------------------------------------------- https://www.cert.at/de/aktuelles/2024/10/zimbra-rce-cve-2024-45519 ∗∗∗ Sicherheit: Datenabflüsse bei Cyberangriffen ∗∗∗ --------------------------------------------- Nach einem Cyberangriff auf eine Klinik in Bad Wildungen im August 2024 sind nun Daten im Darknet aufgetaucht. Auch bei der niederländischen Polizei gab es einen Datenabfluss nach einem Cyberangriff. Hier einige Informationen .. --------------------------------------------- https://www.borncity.com/blog/2024/10/02/sicherheit-datenabfluesse-bei-cybe… ∗∗∗ All that JavaScript for… spear phishing? ∗∗∗ --------------------------------------------- NVISO employs several hunting rules in multiple Threat Intelligence Platforms and other sources, such as VirusTotal. As you can imagine, there is no lack of APT (Advanced Persistent Threat) campaigns, cybercriminals and their associated malware families and campaigns, phishing, and so on. But now and then, something slightly different and perhaps novel .. --------------------------------------------- https://blog.nviso.eu/2024/10/02/all-that-javascript-for-spear-phishing/ ∗∗∗ ASD’s ACSC, CISA, FBI, NSA, and International Partners Release Guidance on Principles of OT Cybersecurity for Critical Infrastructure Organizations ∗∗∗ --------------------------------------------- Today, the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) - in partnership with CISA, U.S. government and international partners - released the guide Principles of Operational Technology Cybersecurity. This guidance provides critical information on how to create and maintain a safe, secure operational .. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/10/01/asds-acsc-cisa-fbi-nsa-a… ∗∗∗ LKA Niedersachsen warnt vor andauernder Masche mit Erpresser-Mails ∗∗∗ --------------------------------------------- Die Betrüger lassen nicht nach, warnt das LKA Niedersachsen. Erpresser-Mails etwa mit angeblichen Videoaufnahmen kursieren weiter. --------------------------------------------- https://heise.de/-9960503 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (grafana), Fedora (cjson and php), Oracle (389-ds-base, freeradius, grafana, kernel, and krb5), Slackware (cryfs, cups, and mozilla), SUSE (OpenIPMI, openssl-3, openvpn, thunderbird, and tomcat), and Ubuntu (cups, cups-filters, knot-resolver, linux-raspi, linux-raspi-5.4, orc, php7.4, php8.1, php8.3, python-asyncssh, ruby-devise-two-factor, and vim). --------------------------------------------- https://lwn.net/Articles/992650/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.10.2024
by Daily end-of-shift report 01 Oct '24

01 Oct '24

===================== = End-of-Day report = ===================== Timeframe: Montag 30-09-2024 18:00 − Dienstag 01-10-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Microsoft Defender adds detection of unsecure Wi-Fi networks ∗∗∗ --------------------------------------------- Microsoft Defender now automatically detects and notifies users with a Microsoft 365 Personal or Family subscription when theyre connected to unsecured Wi-Fi networks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-defender-now-autom… ∗∗∗ Microsoft overhauls security for publishing Edge extensions ∗∗∗ --------------------------------------------- Microsoft has introduced an updated version of the "Publish API for Edge extension developers" that increases the security for developer accounts and the updating of browser extensions. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-overhauls-securit… ∗∗∗ What Are Hackers Searching for in SolarWinds Serv-U (CVE-2024-28995)? ∗∗∗ --------------------------------------------- Discover how GreyNoise’s honeypots are monitoring exploit attempts on the SolarWinds Serv-U vulnerability (CVE-2024-28995). Gain insights into the specific files attackers target and how real-time data helps security teams focus on true threats. --------------------------------------------- https://www.greynoise.io/blog/what-are-hackers-searching-for-in-solarwinds-… ∗∗∗ Detecting Vulnerability Scanning Traffic From Underground Tools Using Machine Learning ∗∗∗ --------------------------------------------- Researchers detail the discovery of Swiss Army Suite, an underground tool used for SQL injection scans discovered with a machine learning model. --------------------------------------------- https://unit42.paloaltonetworks.com/machine-learning-new-swiss-army-suite-t… ∗∗∗ Rackspace internal monitoring web servers hit by zero-day ∗∗∗ --------------------------------------------- Reading between the lines, it appears Rackspace was hosting a ScienceLogic-powered monitoring dashboard for its customers on its own internal web servers, those servers included a program that was bundled with ScienceLogic's software, and that program was exploited, using a zero-day vulnerability, by miscreants to gain access to those web servers. From there, the intruders were able to get hold of some monitoring-related customer information before being caught. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2024/09/30/rackspace_ze… ∗∗∗ Crooked Cops, Stolen Laptops & the Ghost of UGNazi ∗∗∗ --------------------------------------------- A California man accused of failing to pay taxes on tens of millions of dollars allegedly earned from cybercrime also paid local police officers hundreds of thousands of dollars to help him extort, intimidate and silence rivals and former business partners, a new indictment charges. KrebsOnSecurity has learned that many of the mans alleged targets were members of UGNazi, a hacker group behind multiple high-profile breaches and cyberattacks back in 2012. --------------------------------------------- https://krebsonsecurity.com/2024/09/crooked-cops-stolen-laptops-the-ghost-o… ∗∗∗ BSI empfiehlt die Nutzung von Passkeys ∗∗∗ --------------------------------------------- Das BSI empfiehlt die Nutzung von Passkeys. Eine Umfrage zeige auf, dass die Bekanntheit und Verbreitung ausbaufähig seien. --------------------------------------------- https://heise.de/-9959270 ∗∗∗ Ransomware: Ermittler melden neue Erfolge im Kampf gegen Lockbit ∗∗∗ --------------------------------------------- Neben Verhaftungen in Frankreich und Großbritannien haben internationale Strafverfolger die Infrastruktur der Erpresser gestört – zudem ergingen Sanktionen. --------------------------------------------- https://heise.de/-9959100 ∗∗∗ WordPress Vulnerability & Patch Roundup September 2024 ∗∗∗ --------------------------------------------- Vulnerability reports and responsible disclosures are essential for website security awareness and education. --------------------------------------------- https://blog.sucuri.net/2024/09/wordpress-vulnerability-patch-roundup-septe… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (debian-security-support, nghttp2, and sqlite3), Oracle (cups-filters, kernel, and osbuild-composer), SUSE (openssl-3), and Ubuntu (bubblewrap, flatpak and python2.7, python3.5). --------------------------------------------- https://lwn.net/Articles/992444/ ∗∗∗ Mozilla Foundation Security Advisories 2024-10-01 (Thunderbird and Firefox) ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/ ∗∗∗ Juniper: 2024-09-30 Out of Cycle Security Advisory: Multiple Products: RADIUS protocol susceptible to forgery attacks (Blast-RADIUS) (CVE-2024-3596) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-09-30-Out-of-Cycle-Securit… ∗∗∗ Bosch: Sensitive information disclosure in Bosch Configuration Manager ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-981803-bt.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.09.2024
by Daily end-of-shift report 30 Sep '24

30 Sep '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 27-09-2024 18:00 − Montag 30-09-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ US-Wahlkampf: Anklage wegen des Hacks der Trump-Kampagne erhoben ∗∗∗ --------------------------------------------- Drei Männer müssen sich vor Gericht wegen des Cyberangriffs auf das Wahlkampfteam von Donald Trump verantworten. --------------------------------------------- https://www.golem.de/news/us-wahlkampf-anklage-wegen-des-hacks-der-trump-ka… ∗∗∗ How to Know if Your Website Is Hacked ∗∗∗ --------------------------------------------- Whether you manage a gaming blog, an e-commerce platform, or an enterprise-level website you probably want to be able to detect infections when they occur. A hacked website can lead to financial loss, disruption of business operations, and the exposure of confidential information. The key is acting fast once you discover possible .. --------------------------------------------- https://blog.sucuri.net/2024/09/how-do-website-owners-know-that-their-websi… ∗∗∗ If youre holding important data, Iran is probably trying spearphish it ∗∗∗ --------------------------------------------- Its election year for more than 50 countries and the Islamic Republic threatens a bunch of them US and UK national security agencies are jointly warning about Iranian spearphishing campaigns, which remain an ongoing threat to various industries and governments. --------------------------------------------- https://www.theregister.com/2024/09/30/iran_spearphishing/ ∗∗∗ The Pig Butchering Invasion Has Begun ∗∗∗ --------------------------------------------- Scamming operations that once originated in Southeast Asia are now proliferating around the world, likely raking in billions of dollars in the process. --------------------------------------------- https://www.wired.com/story/pig-butchering-scam-invasion/ ∗∗∗ Eliminating Memory Safety Vulnerabilities at the Source ∗∗∗ --------------------------------------------- Memory safety vulnerabilities remain a pervasive threat to software security. At Google, we believe the path to eliminating this class of vulnerabilities at scale and building high-assurance software lies in Safe Coding, a secure-by-design approach that prioritizes transitioning .. --------------------------------------------- http://security.googleblog.com/2024/09/eliminating-memory-safety-vulnerabil… ∗∗∗ The Data Breach Disclosure Conundrum ∗∗∗ --------------------------------------------- The conundrum I refer to in the title of this post is the one faced by a breached organisation: disclose or suppress? And let me be even more specific: should they disclose to impacted individuals, or simply never let them know? --------------------------------------------- https://www.troyhunt.com/the-data-breach-disclosure-conundrum/ ∗∗∗ How can you protect your data, privacy, and finances if your phone gets lost or stolen? ∗∗∗ --------------------------------------------- Steps to take when your device is lost or stolen TL;DR This is a guide to help prepare for a situation where your mobile device is lost or stolen, including .. --------------------------------------------- https://www.pentestpartners.com/security-blog/how-can-you-protect-your-data… ∗∗∗ Cyber Security Month: Stärken Sie Ihr Wissen ∗∗∗ --------------------------------------------- Im Oktober dreht sich alles um das Thema Cybersicherheit. Nutzen Sie die Gelegenheit, um Ihr Wissen über Phishing, Schadsoftware und andere Cyberbedrohungen aufzufrischen. --------------------------------------------- https://www.watchlist-internet.at/news/cyber-security-month-2024/ ∗∗∗ Nitrogen Campaign Drops Sliver and Ends With BlackCat Ransomware ∗∗∗ --------------------------------------------- In November 2023, we identified a BlackCat ransomware intrusion started by Nitrogen malware hosted on a website impersonating Advanced IP .. --------------------------------------------- https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-end… ∗∗∗ Datenschutzvorfall bei GlobalSign (Sept. 2024) ∗∗∗ --------------------------------------------- Der Anbieter GlobalSign musste gegenüber einigen Kunden einen Datenschutzvorfall eingestehen. Bei deren Customer Relationship Management Platform (CRM) kam es zu einer Fehlkonfigurierung, so dass ein .. --------------------------------------------- https://www.borncity.com/blog/2024/09/30/datenschutzvorfall-bei-globalsign-… ∗∗∗ Facial DNA provider leaks biometric data via WordPress folder ∗∗∗ --------------------------------------------- ChiceDNA exposed 8,000 sensitive records, including biometric images, personal details, and facial DNA data in an unsecured WordPress… --------------------------------------------- https://hackread.com/facial-dna-provider-leak-biometric-data-wordpress-fold… ===================== = Vulnerabilities = ===================== ∗∗∗ Local Privilege Escalation mittels MSI Installer in Nitro PDF Pro ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/local-privilege-escal… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily