- Daily - CERT.at

Tageszusammenfassung - 26.08.2024
by Daily end-of-shift report 26 Aug '24

26 Aug '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 23-08-2024 18:00 − Montag 26-08-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Stealthy sedexp Linux malware evaded detection for two years ∗∗∗ --------------------------------------------- A stealthy Linux malware named sedexp has been evading detection since 2022 by using a persistence technique not yet included in the MITRE ATT&CK framework. --------------------------------------------- https://www.bleepingcomputer.com/news/security/stealthy-sedexp-linux-malwar… ∗∗∗ BSI: Prüfung der Sicherheit von Huawei bleibt ein Staatsgeheimnis ∗∗∗ --------------------------------------------- Da die Sicherheitsinteressen Deutschlands berührt sind, legt das BSI die technische Prüfung von Huawei nicht offen. Immerhin hat Golem.de erreicht, dass die Einstufung überprüft wurde. --------------------------------------------- https://www.golem.de/news/bsi-pruefung-der-sicherheit-von-huawei-bleibt-ein… ∗∗∗ DSGVO-Verstoß: Uber soll 290 Millionen Euro Geldstrafe zahlen ∗∗∗ --------------------------------------------- Dem beliebten Fahrdienst wird vorgeworfen, mehr als zwei Jahre lang sensible Fahrerdaten bei unzureichendem Schutz in die USA übermittelt zu haben. --------------------------------------------- https://www.golem.de/news/datenuebertragung-in-die-usa-uber-soll-290-millio… ∗∗∗ From Highly Obfuscated Batch File to XWorm and Redline, (Mon, Aug 26th) ∗∗∗ --------------------------------------------- If you follow my diaries, you probably already know that one of my favorite topics around malware is obfuscation. I&#;x26;#;39;m often impressed by the crazy techniques attackers use to .. --------------------------------------------- https://isc.sans.edu/diary/From+Highly+Obfuscated+Batch+File+to+XWorm+and+R… ∗∗∗ SonicWall Issues Critical Patch for Firewall Vulnerability Allowing Unauthorized Access ∗∗∗ --------------------------------------------- SonicWall has released security updates to address a critical flaw impacting its firewalls that, if successfully exploited, could grant malicious actors unauthorized access to the devices. The vulnerability, tracked as .. --------------------------------------------- https://thehackernews.com/2024/08/sonicwall-issues-critical-patch-for.html ∗∗∗ Cisco calls for United Nations to revisit cyber-crime convention ∗∗∗ --------------------------------------------- Echoes human rights groups concerns that it could suppress free speech and more Networking giant Cisco has suggested the United Nations first-ever convention against cyber-crime is dangerously flawed and should be revised before being put to a formal vote. --------------------------------------------- https://www.theregister.com/2024/08/22/cisco_criticizes_un_cybercrime_conve… ∗∗∗ Post-Quantum Cryptography: Standards and Progress ∗∗∗ --------------------------------------------- The National Institute of Standards and Technology (NIST) just released three finalized standards for post-quantum cryptography (PQC) covering public key encapsulation and two forms of digital signatures. In progress since 2016, this achievement represents a major milestone towards standards development that will keep information on the Internet secure and confidential for many years to come. --------------------------------------------- http://security.googleblog.com/2024/08/post-quantum-cryptography-standards.… ∗∗∗ Meta blockiert Whatsapp-Konten nach Hackerangriffen ∗∗∗ --------------------------------------------- Hierbei wurde die iranische Hackergruppe APT42 ins Visier genommen --------------------------------------------- https://www.derstandard.at/story/3000000233708/meta-blockiert-whatsapp-kont… ∗∗∗ CISA Adds One Known Exploited Vulnerability to Catalog for Versa Networks Director ∗∗∗ --------------------------------------------- CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of .. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/08/23/cisa-adds-one-known-expl… ∗∗∗ PEAKLIGHT: Decoding the Stealthy Memory-Only Malware ∗∗∗ --------------------------------------------- Mandiant identified a new memory-only dropper using a complex, multi-stage infection process. This memory-only dropper decrypts and executes a PowerShell-based downloader. This PowerShell-based downloader is being tracked as PEAKLIGHT. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/peaklight-decoding… ===================== = Vulnerabilities = ===================== ∗∗∗ Stable Channel Update for Desktop ∗∗∗ --------------------------------------------- http://chromereleases.googleblog.com/2024/08/stable-channel-update-for-desk… ∗∗∗ WPS Office Security Update Advisory ∗∗∗ --------------------------------------------- https://asec.ahnlab.com/en/82637/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.08.2024
by Daily end-of-shift report 23 Aug '24

23 Aug '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 22-08-2024 18:00 − Freitag 23-08-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Qilin ransomware now steals credentials from Chrome browsers ∗∗∗ --------------------------------------------- The Qilin ransomware group has been using a new tactic and deploys a custom stealer to steal account credentials stored in Google Chrome browser. --------------------------------------------- https://www.bleepingcomputer.com/news/security/qilin-ransomware-now-steals-… ∗∗∗ Hackers are exploiting critical bug in LiteSpeed Cache plugin ∗∗∗ --------------------------------------------- Hackers have already started to exploit the critical severity vulnerability that affects LiteSpeed Cache, a WordPress plugin used for accelerating response times, a day after technical details become public. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-are-exploiting-criti… ∗∗∗ Warnung vor Ebola-Infektion: Uni löst mit Phishing-Test unnötige Panik aus ∗∗∗ --------------------------------------------- Studenten und Mitarbeiter der UCSC haben per E-Mail eine falsche Warnung vor einer Ebola-Infektion auf dem Campus erhalten. Der CISO der Uni entschuldigt sich. --------------------------------------------- https://www.golem.de/news/warnung-vor-ebola-infektion-phishing-test-an-eine… ∗∗∗ Mäh- und Saugroboter: Ecovacs will Spionagelücken nun doch angehen ∗∗∗ --------------------------------------------- Mehrere Mäh- und Saugroboter von Ecovacs lassen sich von Angreifern übernehmen. Erst wollte der Hersteller gar nicht patchen, doch nun kommt die Kehrtwende. --------------------------------------------- https://www.golem.de/news/hersteller-lenkt-ein-ecovacs-arbeitet-nun-doch-an… ∗∗∗ WordPress Websites Used to Distribute ClearFake Trojan Malware ∗∗∗ --------------------------------------------- Unfortunately, scams are all over the place, and anybody who has surfed the web should know this. We’ve all gotten phishing emails, or redirected to questionable websites at some point or another. Being on your guard is an important posture to take online, and part of that is knowing how to identify threats, scams, or places you shouldn’t visit .. --------------------------------------------- https://blog.sucuri.net/2024/08/wordpress-websites-used-to-distribute-clear… ∗∗∗ Chinese Hackers Exploit Zero-Day Cisco Switch Flaw to Gain System Control ∗∗∗ --------------------------------------------- Details have emerged about a China-nexus threat groups exploitation of a recently disclosed, now-patched security flaw in Cisco switches as a zero-day to seize control of the appliances and evade detection.The activity, attributed to Velvet Ant, was .. --------------------------------------------- https://thehackernews.com/2024/08/chinese-hackers-exploit-zero-day-cisco.ht… ∗∗∗ Halliburton probes an issue disrupting business ops ∗∗∗ --------------------------------------------- What could the problem be? Reportedly, a cyberattack American oil giant Halliburton is investigating an "issue," reportedly a cyberattack, that has disrupted some business operations and global networks. --------------------------------------------- https://www.theregister.com/2024/08/22/halliburton_investigates_incident_am… ∗∗∗ Bling Libra’s Tactical Evolution: The Threat Actor Group Behind ShinyHunters Ransomware ∗∗∗ --------------------------------------------- We analyze a recent incident by Bling Libra, the group behind ShinyHunters ransomware as they shift from data theft to extortion, exploiting AWS credentials. --------------------------------------------- https://unit42.paloaltonetworks.com/shinyhunters-ransomware-extortion/ ∗∗∗ CrowdStrike Outage Timeline and Analysis ∗∗∗ --------------------------------------------- Bitsights analysis of the CrowdStrike outage and timeline mysteries. --------------------------------------------- https://www.bitsight.com/blog/crowdstrike-outage-timeline-and-analysis ∗∗∗ A Global Treaty to Fight Cybercrime—Without Combating Mercenary Spyware: Article by Kate Robertson in Lawfare ∗∗∗ --------------------------------------------- In an article for Lawfare, the Citizen Labs senior research associate Kate Robertson analyzes how, in its current form, the draft treaty is poised "to become a vehicle for complicity in the global mercenary spy trade." --------------------------------------------- https://citizenlab.ca/2024/08/a-global-treaty-to-fight-cybercrime-without-c… ===================== = Vulnerabilities = ===================== ∗∗∗ SonicOS Improper Access Control Vulnerability ∗∗∗ --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0015 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.08.2024
by Daily end-of-shift report 22 Aug '24

22 Aug '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 21-08-2024 18:00 − Donnerstag 22-08-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Google fixes ninth Chrome zero-day exploited in attacks this year ∗∗∗ --------------------------------------------- Today, Google released a new Chrome emergency security update to patch a zero-day vulnerability, the ninth one tagged as exploited this year. --------------------------------------------- https://www.bleepingcomputer.com/news/security/google-fixes-tenth-actively-… ∗∗∗ U.S. charges Karakurt extortion gang’s “cold case” negotiator ∗∗∗ --------------------------------------------- A member of the Russian Karakurt ransomware group has been charged in the U.S. for money laundering, wire fraud, and extortion crimes. --------------------------------------------- https://www.bleepingcomputer.com/news/legal/us-charges-karakurt-extortion-g… ∗∗∗ Löschpflicht und Sicherheitslücken: Bußgelder wegen Datenschutzverstößen häufen sich ∗∗∗ --------------------------------------------- In Hamburg wurden bereits jetzt mehr Bußgeldverfahren wegen Datenschutzverstößen abgeschlossen als im Kalenderjahr 2023. Die Strafen sind mitunter hoch. --------------------------------------------- https://www.golem.de/news/loeschpflicht-und-sicherheitsluecken-bussgelder-w… ∗∗∗ Memory corruption vulnerabilities in Suricata and FreeRDP ∗∗∗ --------------------------------------------- While pentesting KasperskyOS-based Thin Client and IoT Secure Gateway, we found several vulnerabilities in the Suricata and FreeRDP open-source projects. We shared details on these vulnerabilities with the community along with our fuzzer. --------------------------------------------- https://securelist.com/suricata-freerdp-memory-corruption/113489/ ∗∗∗ Windows Security best practices for integrating and managing security tools ∗∗∗ --------------------------------------------- We examine the recent CrowdStrike outage and provide a technical overview of the root cause. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2024/07/27/windows-security-b… ∗∗∗ Understanding the ‘Morphology’ of Ransomware: A Deeper Dive ∗∗∗ --------------------------------------------- Ransomware isnt just about malware. Its about brands, trust, and the shifting allegiances of cybercriminals. --------------------------------------------- https://www.securityweek.com/understanding-the-morphology-of-ransomware-a-d… ∗∗∗ Recall: Microsofts umstrittenes "Überwachungs"-Feature kommt zurück ∗∗∗ --------------------------------------------- Nach heftigen Sicherheitsbedenken will das Unternehmen bei der neuen KI-Funktion nachgebessert haben --------------------------------------------- https://www.derstandard.at/story/3000000233374/recall-microsofts-umstritten… ∗∗∗ BLUUID: Firewallas, Diabetics, And… Bluetooth ∗∗∗ --------------------------------------------- Dive into the fascinating and overlooked realm of Bluetooth Low Energy (BTLE) security in GreyNoise Labs latest blog post. Learn techniques for remote device identification, uncover vulnerabilities, and explore the broader implications for IoT and healthcare. --------------------------------------------- https://www.greynoise.io/blog/bluuid-firewallas-diabetics-and-bluetooth ∗∗∗ PEAKLIGHT: Decoding the Stealthy Memory-Only Malware ∗∗∗ --------------------------------------------- Mandiant identified a new memory-only dropper using a complex, multi-stage infection process. This memory-only dropper decrypts and executes a PowerShell-based downloader. This PowerShell-based downloader is being tracked as PEAKLIGHT.OverviewMandiant Managed Defense identified a memory-only dropper and downloader delivering .. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/peaklight-decoding… ∗∗∗ Angreifer können Ciscos VoIP-System Unified Communications Manager lahmlegen ∗∗∗ --------------------------------------------- Aufgrund von Sicherheitslücken sind Attacken auf mehrere Cisco-Produkte möglich. Updates sind verfügbar. --------------------------------------------- https://heise.de/-9843447 ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Unified Communications Manager Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Identity Services Engine REST API Blind SQL Injection Vulnerabilities ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Identity Services Engine Sensitive Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Identity Services Engine Cross-Site Request Forgery Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Unified Communications Manager Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Atlassian Jira August 2024 Security Update Advisory ∗∗∗ --------------------------------------------- https://asec.ahnlab.com/en/82562/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.08.2024
by Daily end-of-shift report 21 Aug '24

21 Aug '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 20-08-2024 18:00 − Mittwoch 21-08-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ CrowdStrike unhappy with “shady commentary” from competitors after outage ∗∗∗ --------------------------------------------- Botched update leads to claims that competitors are "ambulance chasing." --------------------------------------------- https://arstechnica.com/?p=2044431 ∗∗∗ GitHub Enterprise Server vulnerable to critical auth bypass flaw ∗∗∗ --------------------------------------------- A critical vulnerability affecting multiple versions of GitHub Enterprise Server could be exploited to bypass authentication and enable an attacker to gain administrator privileges on the machine. --------------------------------------------- https://www.bleepingcomputer.com/news/security/github-enterprise-server-vul… ∗∗∗ Großer Chipkonzern: Cyberangriff stört Produktion von Microchip Technology ∗∗∗ --------------------------------------------- Die Produktionskapazitäten des Chipherstellers sind derzeit eingeschränkt. Ursache ist eine Cyberattacke, deren Ausmaß aktuell untersucht wird. --------------------------------------------- https://www.golem.de/news/grosser-chipkonzern-cyberangriff-stoert-produktio… ∗∗∗ Sicherheitsprobleme: Lastenrad-Skandal weitet sich aus ∗∗∗ --------------------------------------------- Niederländische Verbraucherschützer untersuchen weitere Lastenradhersteller, weil dort ebenfalls gravierende Mängel aufgetreten sind. --------------------------------------------- https://www.golem.de/news/sicherheitsprobleme-lastenrad-skandal-weitet-sich… ∗∗∗ Plane tracker FlightAware admits user passwords, SSNs exposed for years ∗∗∗ --------------------------------------------- Notification omits a number of key details Popular flight-tracking app FlightAware has admitted that it was exposing a bunch of users data for more than three years. --------------------------------------------- https://www.theregister.com/2024/08/20/flightaware_data_exposure/ ∗∗∗ An AWS Configuration Issue Could Expose Thousands of Web Apps ∗∗∗ --------------------------------------------- Amazon has updated its instructions for how customers should more securely implement AWSs traffic-routing service known as Application Load Balancer, but its not clear everyone will get the memo. --------------------------------------------- https://www.wired.com/story/aws-application-load-balancer-implementation-co… ∗∗∗ Teach a Man to Phish ∗∗∗ --------------------------------------------- I decided to give away all of my phishing secrets for free. I realized at some point that I have been giving away phishing secrets for years, but only to select individuals, and only one at a time. That method of knowledge dissemination is terribly inefficient! So here it is, I’ve written it down for you instead. --------------------------------------------- https://posts.specterops.io/teach-a-man-to-phish-43528846e382 ∗∗∗ CISA Adds Four Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CISA has added four new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/08/21/cisa-adds-four-known-exp… ∗∗∗ CPU-Sicherheitsleck Sinkclose: Firmware-Update auch für AMDs Ryzen 3000 ∗∗∗ --------------------------------------------- Die CPU-Sicherheitslücke "Sinkclose" ermöglicht Angreifern das Einschleusen von Schadcode. Für ältere CPUs waren erst keine Updates geplant. --------------------------------------------- https://heise.de/-9842780 ===================== = Vulnerabilities = ===================== ∗∗∗ Unauthenticated information leak in Bosch IP cameras ∗∗∗ --------------------------------------------- BOSCH-SA-659648: A vulnerability was discovered in internal testing of Bosch IP cameras of families CPP13 and CPP14, that allows an unauthenticated attacker to retrieve video analytics event data. No video data is leaked through this vulnerability. --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-659648.html ∗∗∗ DSA-5752-1 dovecot - security update ∗∗∗ --------------------------------------------- https://lists.debian.org/debian-security-announce/2024/msg00165.html ∗∗∗ [20240803] - Core - XSS in HTML Mail Templates ∗∗∗ --------------------------------------------- https://developer.joomla.org:443/security-centre/944-20240803-core-xss-in-h… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.08.2024
by Daily end-of-shift report 20 Aug '24

20 Aug '24

===================== = End-of-Day report = ===================== Timeframe: Montag 19-08-2024 18:00 − Dienstag 20-08-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Windows driver zero-day exploited by Lazarus hackers to install rootkit ∗∗∗ --------------------------------------------- The notorious North Korean Lazarus hacking group exploited a zero-day flaw in the Windows AFD.sys driver to elevate privileges and install the FUDModule rootkit on targeted systems. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/windows-driver-zero-day-exp… ∗∗∗ Solaranlagen und die Cloud: Entwickler befürchtet Kollaps europäischer Stromnetze ∗∗∗ --------------------------------------------- Moderne Solaranlagen sind häufig mit Clouddiensten der Hersteller verbunden. Ein Entwickler sieht darin eine große Gefahr für unsere Energieversorgung. --------------------------------------------- https://www.golem.de/news/solaranlagen-und-die-cloud-entwickler-befuerchtet… ∗∗∗ Approach to mainframe penetration testing on z/OS ∗∗∗ --------------------------------------------- We explain how mainframes work, potential attack vectors, and what to focus on when pentesting such systems. --------------------------------------------- https://securelist.com/zos-mainframe-pentesting/113427/ ∗∗∗ Hacking Wireless Bicycle Shifters ∗∗∗ --------------------------------------------- This is yet another insecure Internet-of-things story, this one about wireless gear shifters for bicycles. These gear shifters are used in big-money professional bicycle races like the Tour de France, which provides an incentive to actually .. --------------------------------------------- https://www.schneier.com/blog/archives/2024/08/hacking-wireless-bicycle-shi… ∗∗∗ Ransomware Victims Paid $460 Million in First Half of 2024 ∗∗∗ --------------------------------------------- Ransomware payments in H1 2024 totaled nearly $460 million and $1.58 billion have been stolen in cryptocurrency heists. --------------------------------------------- https://www.securityweek.com/ransomware-victims-paid-460-million-in-first-h… ∗∗∗ Critical Flaw in Donation Plugin Exposed 100,000 WordPress Sites to Takeover ∗∗∗ --------------------------------------------- A critical vulnerability in the GiveWP WordPress plugin could be exploited for remote code execution and arbitrary file deletion. --------------------------------------------- https://www.securityweek.com/critical-flaw-in-donation-plugin-exposed-10000… ∗∗∗ Navigating the Uncharted: A Framework for Attack Path Discovery ∗∗∗ --------------------------------------------- This is the second post in a series on Identity-Driven Offensive Tradecraft, which is also the focus of the new course we will launch in October. In the previous post, I asked, “How does one discover and abuse new attack paths?” To start answering .. --------------------------------------------- https://posts.specterops.io/navigating-the-uncharted-a-framework-for-attack… ∗∗∗ Selling Ransomware Breaches: 4 Trends Spotted on the RAMP Forum ∗∗∗ --------------------------------------------- The sale and purchase of unauthorized access to compromised enterprise networks has become a linchpin for cybercriminal operations, particularly in facilitating ransomware attacks. --------------------------------------------- https://www.rapid7.com/blog/post/2024/08/20/selling-ransomware-breaches-4-t… ∗∗∗ Challenges in Automating and Scaling Remote Vulnerability Detection ∗∗∗ --------------------------------------------- We cover investments that Bitsight is making to greatly scale out our vulnerability coverage in record time through automation. --------------------------------------------- https://www.bitsight.com/blog/challenges-automating-and-scaling-remote-vuln… ∗∗∗ Österreichs Innenminister will Messenger ausspionieren ∗∗∗ --------------------------------------------- Österreichs Geheimdienste sollen mehr Befugnisse erhalten, Malware einschleusen und WLAN-Catcher nutzen dürfen. Das beantragt die Regierungspartei ÖVP. --------------------------------------------- https://heise.de/-9840256 ∗∗∗ Softwareentwicklung: Schadcode-Attacken auf Jenkins-Server beobachtet ∗∗∗ --------------------------------------------- Derzeit nutzen Angreifer eine kritische Lücke im Software-System Jenkins aus. Davon sind auch Instanzen in Deutschland bedroht. --------------------------------------------- https://heise.de/-9840463 ===================== = Vulnerabilities = ===================== ∗∗∗ SolarWinds Product Security Update Advisory (CVE-2024-28986) ∗∗∗ --------------------------------------------- https://asec.ahnlab.com/en/82529/ ∗∗∗ Intel Family Security Update Advisory ∗∗∗ --------------------------------------------- https://asec.ahnlab.com/en/82531/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.08.2024
by Daily end-of-shift report 19 Aug '24

19 Aug '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 16-08-2024 18:00 − Montag 19-08-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Nachbetrachtung: Windows und die TCP-IP-Schwachstelle CVE-2024-38063 ∗∗∗ --------------------------------------------- Zum 13. August 2024 wurde die 0-day-Schwachstelle CVE-2024-38063 in Windows bekannt. Es handelt sich um eine Remote-Code-Execution-Schwachstelle in der TCP/IP-Implementierung von Windows steckt. Angreifer können über IPv6-Pakete einen Host kompromittieren und dort Code ausführen. Weben der Bewertung mit dem CVEv3 Score 9.8 (critical, "Exploitation More Likely") empfiehlt Redmond Administratoren momentan IPv6 zu deaktivieren, hat aber auch Sicherheitsupdates für Windows bereitgestellt. Hier sollten Administratoren also reagieren. --------------------------------------------- https://www.borncity.com/blog/2024/08/16/nachbetrachtung-windows-und-die-tc… ∗∗∗ Technical Analysis: CVE-2024-38021 ∗∗∗ --------------------------------------------- Recently, Morphisec researchers discovered a vulnerability in Microsoft Outlook that can lead to remote code execution (RCE). This vulnerability, identified as CVE-2024-38021, highlights a significant security flaw within the Microsoft Outlook application, potentially allowing attackers to execute arbitrary code without requiring prior authentication. --------------------------------------------- https://blog.morphisec.com/technical-analysis-cve-2024-38021 ∗∗∗ New Mad Liberator gang uses fake Windows update screen to hide data theft ∗∗∗ --------------------------------------------- A new data extortion group tracked as Mad Liberator is targeting AnyDesk users and runs a fake Microsoft Windows update screen to distract while exfiltrating data from the target device. [..] It is unclear how the threat actor selects its targets but one theory, although yet to be proven, is that Mad Liberator tries potential addresses (AnyDesk connection IDs) until someone accepts the connection request. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-mad-liberator-gang-uses-… ∗∗∗ Chrome will redact credit cards, passwords when you share Android screen ∗∗∗ --------------------------------------------- While the flag doesn't work at the moment, it is supposed to hide sensitive form fields present on the page by redacting the entire screen. It's unclear when the feature will be rolled out to everyone in Chrome for Android, but you'll be able to try the feature in Chrome Canary in the next few weeks. --------------------------------------------- https://www.bleepingcomputer.com/news/google/chrome-will-redact-credit-card… ∗∗∗ AMD knickt ein: Ryzen 3000 erhält nun doch Patch gegen Sinkclose-Lücke ∗∗∗ --------------------------------------------- Ursprünglich wollte AMD Ryzen-3000-CPUs nicht gegen die Sinkclose-Lücke patchen. Nach reichlich Unmut in der Community folgt nun die Kehrtwende. --------------------------------------------- https://www.golem.de/news/amd-knickt-ein-ryzen-3000-erhaelt-nun-doch-patch-… ∗∗∗ Verbesserung der Netzwerksicherheit: Überwachung der Client-Kommunikation mit Velociraptor ∗∗∗ --------------------------------------------- SEC Defence, die Managed Incident Response-Einheit von SEC Consult, hat eine Reihe von Velociraptor-Artefakten entwickelt, die es ermöglichen, die aktuelle Netzwerkkommunikation auf registrierten Clients zu überwachen und bei bestimmten Verbindungen zu alarmieren, z. B. zu bekannten bösartigen IP-Adressen oder Verbindungen, die von bekannten bösartigen Prozessen erstellt wurden. --------------------------------------------- https://sec-consult.com/de/blog/detail/verbesserung-der-netzwerksicherheit-… ∗∗∗ Xeon Sender Tool Exploits Cloud APIs for Large-Scale SMS Phishing Attacks ∗∗∗ --------------------------------------------- Malicious actors are using a cloud attack tool named Xeon Sender to conduct SMS phishing and spam campaigns on a large scale by abusing legitimate services."Attackers can use Xeon to send messages through multiple software-as-a-service (SaaS) providers using valid credentials for the service providers," SentinelOne security researcher Alex Delamotte said in a report shared with The Hacker News. --------------------------------------------- https://thehackernews.com/2024/08/xeon-sender-tool-exploits-cloud-apis.html ∗∗∗ Microsoft Azure: Ab 15. Oktober 2024 MFA für Administratoren verpflichtend, aber "Aufschub" möglich ∗∗∗ --------------------------------------------- Microsoft hat gerade im M365 Admin-Nachrichten-Center bekannt gegeben, dass man bei Azure ab dem 15.10.2024 die Authentifizierung der Administratoren über MFA verlangt. Redmond gewährt aber Administratoren die Möglichkeit, diese Verpflichtung um insgesamt 5 Monate zu verschieben. --------------------------------------------- https://www.borncity.com/blog/2024/08/17/microsoft-azure-ab-15-oktober-2024… ∗∗∗ Unmasking Styx Stealer: How a Hacker’s Slip Led to an Intelligence Treasure Trove ∗∗∗ --------------------------------------------- The case of Styx Stealer is a compelling example of how even sophisticated cybercriminal operations can slip up due to basic security oversights. The creator of Styx Stealer revealed his personal details, including Telegram accounts, emails, and contacts, by debugging the stealer on his own computer with a Telegram bot token provided by a customer involved in the Agent Tesla campaign. This critical OpSec failure not only compromised his anonymity but also provided valuable intelligence about other cybercriminals, including the originator of the Agent Tesla campaign. --------------------------------------------- https://research.checkpoint.com/2024/unmasking-styx-stealer-how-a-hackers-s… ∗∗∗ "WireServing" Up Credentials: Escalating Privileges in Azure Kubernetes Services ∗∗∗ --------------------------------------------- Mandiant disclosed this vulnerability to Microsoft via the MSRC vulnerability disclosure program, and Microsoft has fixed the underlying issue. [..] Adopting a process to create restrictive NetworkPolicies that allow access only to required services prevents this entire attack class. Privilege escalation via an undocumented service is prevented when the service cannot be accessed at all. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/escalating-privile… ∗∗∗ Bericht: Pixel-Handys mit heimlicher, aber inaktiver Fernwartung ausgeliefert ∗∗∗ --------------------------------------------- Pixel-Smartphones wurden auf Wunsch Verizons mit Fernwartungssoftware ausgeliefert. Wenn aktiviert, kann sie unsicheren Code nachladen. --------------------------------------------- https://heise.de/-9836726 ∗∗∗ Jetzt patchen! Schadcode-Attacken auf Solarwinds Web Help Desk beobachtet ∗∗∗ --------------------------------------------- Angreifer nutzen derzeit eine kritische Schwachstelle Solarwinds Web Help Desk aus. Ein Sicherheitspatch ist verfügbar, kann aber mitunter für Probleme sorgen. --------------------------------------------- https://heise.de/-9838566 ∗∗∗ SIM-Swapping bleibt in Deutschland Randphänomen ∗∗∗ --------------------------------------------- Zahlreiche Medien warnen vor Schäden durch SIM-Swapping. Die Betrugsmasche bleibt in Deutschland jedoch selten. --------------------------------------------- https://heise.de/-9839531 ===================== = Vulnerabilities = ===================== ∗∗∗ Mehrere Sicherheitsschwachstellen in IDOL2 (uciIDOL) ∗∗∗ --------------------------------------------- Fünf schwerwiegende Sicherheitsschwachstellen wurden in der Zeiterfassungssoftware IDOL2 (uciIDOL) identifiziert. Sie ermöglichen es, die verschlüsselte Kommunikation zwischen Client und Server vollständig zu kompromittieren. Außerdem erlauben sie Remote Code Execution sowohl auf Client- als auch auf Serverseite. --------------------------------------------- https://www.syss.de/pentest-blog/mehrere-sicherheitsschwachstellen-in-idol-… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (python-asyncssh), Fedora (bind, bind-dyndb-ldap, httpd, and tor), SUSE (cosign, cpio, curl, expat, java-11-openjdk, ncurses, netty, netty-tcnative, opera, python-Django, python-Pillow, shadow, sudo, and wpa_supplicant), and Ubuntu (firefox). --------------------------------------------- https://lwn.net/Articles/986225/ ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2024-0004 ∗∗∗ --------------------------------------------- https://webkitgtk.org/security/WSA-2024-0004.html ∗∗∗ F5: K000140732: BIND vulnerability CVE-2024-1737 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000140732 ∗∗∗ Kubernetes: CVE-2024-7646 ∗∗∗ --------------------------------------------- https://github.com/kubernetes/kubernetes/issues/126744 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.08.2024
by Daily end-of-shift report 16 Aug '24

16 Aug '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 14-08-2024 18:00 − Freitag 16-08-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Opinion: More layers in malware campaigns are not a sign of sophistication ∗∗∗ --------------------------------------------- Ten infection and protection layers to deploy malware sounds impressive and very hard to deal with. However, adding more layers counterintuitively does the opposite for antivirus evasion and is not a sign of sophistication. Why is that so? --------------------------------------------- https://www.gdatasoftware.com/blog/2024/08/37995-malware-sophistication ∗∗∗ Ailurophile: New Infostealer sighted in the wild ∗∗∗ --------------------------------------------- We discovered a new stealer in the wild called "Ailurophile Stealer”. The stealer is coded in PHP and the source code indicates potential Vietnamese origins. It is available for purchase through a subscription model via its own webpage. Through the .. --------------------------------------------- https://www.gdatasoftware.com/blog/2024/08/38005-ailurophile-infostealer ∗∗∗ Tusk: unraveling a complex infostealer campaign ∗∗∗ --------------------------------------------- Kaspersky researchers discovered Tusk campaign with ongoing activity that uses Danabot and StealC infostealers and clippers to obtain cryptowallet credentials and system data. --------------------------------------------- https://securelist.com/tusk-infostealers-campaign/113367/ ∗∗∗ PrestaShop GTAG Websocket Skimmer ∗∗∗ --------------------------------------------- During a recent investigation we uncovered another credit card skimmer leveraging a web socket connection to steal credit card details from an infected PrestaShop website.While PrestaShop is not the most popular eCommerce solution for online stores it is still in the top 10 most common ecommerce platforms in use on the web, and clocks in at just .. --------------------------------------------- https://blog.sucuri.net/2024/08/prestashop-gtag-websocket-skimmer.html ∗∗∗ Ransomware Attacks on Industrial Firms Surged in Q2 2024 ∗∗∗ --------------------------------------------- Dragos has seen a significant increase in ransomware attacks on industrial organizations in Q2 2024 compared to the previous quarter. --------------------------------------------- https://www.securityweek.com/ransomware-attacks-on-industrial-firms-surged-… ∗∗∗ Leaked Environment Variables Allow Large-Scale Extortion Operation of Cloud Environments ∗∗∗ --------------------------------------------- We recount an extensive cloud extortion campaign leveraging exposed .env files of at least 110k domains to compromise organizations AWS environments. --------------------------------------------- https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/ ∗∗∗ New infostealer targets macOS devices, appears to have Russian links ∗∗∗ --------------------------------------------- Researchers have discovered new information-stealing malware labeled Banshee Stealer that is designed to breach Apple computers. --------------------------------------------- https://therecord.media/apple-macos-infostealer-banshee-stealer ∗∗∗ Iranian backed group steps up phishing campaigns against Israel, U.S. ∗∗∗ --------------------------------------------- Google’s Threat Analysis Group shares insights on APT42, an Iranian government-backed threat actor. --------------------------------------------- https://blog.google/threat-analysis-group/iranian-backed-group-steps-up-phi… ∗∗∗ Ransomware Prevention Guide for Managed Service Providers ∗∗∗ --------------------------------------------- This comprehensive ransomware prevention guide outlines a strategic approach to preventing ransomware attacks, drawing upon industry best practices, compelling statistics, and expert insights. --------------------------------------------- https://www.emsisoft.com/en/blog/45911/ransomware-prevention-guide-for-mana… ∗∗∗ Hacking Beyond.com — Enumerating Private TLDs ∗∗∗ --------------------------------------------- My story started a few months ago, when I performed a red team assessment for a major retail company. During the Open Source Reconnaissance (OSINT) phase, I reviewed the SSL certificates that included the client name. In these certificates I identified that the client owned its own top-level domain (TLD). A TLD is the last part of a domain name, the letters that come after .. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/enumerating-privat… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (389-ds-base, dotnet8.0, python3.13, roundcubemail, thunderbird, and tor), Mageia (roundcubemail), Oracle (.NET 8.0, bind and bind-dyndb-ldap, bind9.16, container-tools:ol8, edk2, firefox, gnome-shell, grafana, httpd:2.4, jose, kernel, krb5, mod_auth_openidc:2.3, orc, poppler, python-urllib3, .. --------------------------------------------- https://lwn.net/Articles/985980/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.08.2024
by Daily end-of-shift report 14 Aug '24

14 Aug '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 13-08-2024 18:00 − Mittwoch 14-08-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Neue Betrugsmasche auf WhatsApp: Vorsicht vor gefälschten Sicherheitswarnungen ∗∗∗ --------------------------------------------- Derzeit kursieren gefälschte SMS, angeblich vom WhatsApp-Sicherheitscenter. Die Nachricht besagt, dass Ihr Konto gefährdet sei und Sie eine Überprüfung im offiziellen Sicherheitscenter vornehmen müssen. --------------------------------------------- https://www.watchlist-internet.at/news/neue-betrugsmasche-auf-whatsapp-vors… ∗∗∗ Versuchte Leistungserschleichung bei Sicherheitsunternehmen ∗∗∗ --------------------------------------------- Mehrere Sicherheitsunternehmen (insbesondere im Bereich von Threat Intelligence) berichten von Versuchen von Bedrohungsakteuren sich unter Vortäuschung falscher Tatsachen Zugriff auf die Produkte betroffener Firmen zu verschaffen. --------------------------------------------- https://www.cert.at/de/aktuelles/2024/8/versuchte-leistungserschleichung-be… ∗∗∗ Biden administration pledges $11 million to open source security initiative ∗∗∗ --------------------------------------------- The White House and Department of Homeland Security (DHS) are partnering on an $11 million initiative to gain an understanding of how open source software is used across critical infrastructure and to better secure it. --------------------------------------------- https://therecord.media/open-source-software-security-white-house-dhs-11mil… ∗∗∗ FIN7: The Truth Doesnt Need to be so STARK ∗∗∗ --------------------------------------------- The purpose of this blog post is not to exhaustively identify FIN7 infrastructure; rather, it represents a snapshot in time of activity hosted on the infrastructure of one hosting provider (Stark). --------------------------------------------- https://www.team-cymru.com/post/fin7-the-truth-doesn-t-need-to-be-so-stark ∗∗∗ Gafgyt Malware Variant Exploits GPU Power and Cloud Native Environments ∗∗∗ --------------------------------------------- In this blog we explain about the campaign, the techniques used and how to detect and protect your environments. --------------------------------------------- https://blog.aquasec.com/gafgyt-malware-variant-exploits-gpu-power-and-clou… ∗∗∗ Rivers of Phish: Sophisticated Phishing Targets Russia’s Perceived Enemies Around the Globe ∗∗∗ --------------------------------------------- This campaign, which we have investigated in collaboration with Access Now and with the participation of numerous civil society organizations including First Department, Arjuna Team, and RESIDENT.ngo, engages targets with personalized and highly-plausible social engineering in an attempt to gain access to their online accounts. [..] The Citizen Lab is sharing all indicators with major email providers to assist them in tracking and blocking these campaigns. --------------------------------------------- https://citizenlab.ca/2024/08/sophisticated-phishing-targets-russias-percei… ∗∗∗ Bundestrojaner: So funktioniert die Chat-Überwachung ∗∗∗ --------------------------------------------- Ein Bundestrojaner ist eine Schadsoftware, die von Behörden und der Polizei verwendet wird. Auch verschlüsselte Nachrichten lassen sich dadurch lesen. --------------------------------------------- https://futurezone.at/netzpolitik/bundestrojaner-chat-ueberwachung-oesterre… ===================== = Vulnerabilities = ===================== ∗∗∗ SolarWinds fixes critical RCE bug affecting all Web Help Desk versions ∗∗∗ --------------------------------------------- A critical vulnerability in SolarWinds Web Help Desk solution for customer support could be exploited to achieve remote code execution, the American business software developer warns in a security advisory today. --------------------------------------------- https://www.bleepingcomputer.com/news/security/solarwinds-fixes-critical-rc… ∗∗∗ Fortinet, Zoom Patch Multiple Vulnerabilities ∗∗∗ --------------------------------------------- Fortinet and Zoom have released patches for multiple vulnerabilities in their products, including high-severity bugs. --------------------------------------------- https://www.securityweek.com/fortinet-zoom-patch-multiple-vulnerabilities/ ∗∗∗ Patchday Microsoft: Angreifer attackieren Office und Windows mit Schadcode ∗∗∗ --------------------------------------------- Es sind wichtige Sicherheitsupdates für verschiedene Microsoft-Produkte erschienen. Aufgrund von laufenden Attacken sollten Admins zügig handeln. [..] Mit einem CVSS-Punktwert von 9,8 gehört eine Sicherheitslücke in Windows' TCP/IP-Stack zu den gefährlichsten Fehlern im aktuellen Patchday. Nicht angemeldete Angreifer, die präparierte IPv6-Pakete an Windows-Rechner schicken, können diese aus der Ferne kompromittieren und eigene Befehle ausführen. --------------------------------------------- https://heise.de/-9834085 ∗∗∗ Xen Security Advisory CVE-2024-31146 / XSA-461 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-461.html ∗∗∗ Xen Security Advisory CVE-2024-31145 / XSA-460 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-460.html ∗∗∗ Adobe Releases Security Updates for Multiple Products ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/08/14/adobe-releases-security-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.08.2024
by Daily end-of-shift report 13 Aug '24

13 Aug '24

===================== = End-of-Day report = ===================== Timeframe: Montag 12-08-2024 18:00 − Dienstag 13-08-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ APT trends report Q2 2024 ∗∗∗ --------------------------------------------- The report features the most significant developments relating to APT groups in Q2 2024, including the new backdoor in Linux utility XZ, a new RAT called SalmonQT, and hacktivist activity. --------------------------------------------- https://securelist.com/apt-trends-report-q2-2024/113275/ ∗∗∗ AMD won’t patch Sinkclose security bug on older Zen CPUs ∗∗∗ --------------------------------------------- Some AMD processors dating back to 2006 have a security vulnerability that's a boon for particularly underhand malware and rogue insiders, though the chip designer is only patching models made since 2020. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2024/08/13/amd_sinkclos… ∗∗∗ Who uses LLM prompt injection attacks IRL? Mostly unscrupulous job seekers, jokesters and trolls ∗∗∗ --------------------------------------------- Because apps talking like pirates and creating ASCII art never gets old Despite worries about criminals using prompt injection to trick large language models (LLMs) into leaking sensitive data or performing other destructive actions, most of these types of AI shenanigans come from job seekers trying to get their resumes past automated HR screeners – and people protesting generative AI for various reasons, according to Russian security biz Kaspersky. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2024/08/13/who_uses_llm… ∗∗∗ CVE-2024-38856: Pre-Auth RCE Vulnerability in Apache OFBiz ∗∗∗ --------------------------------------------- On August 5, 2024, researchers at SonicWall discovered a zero-day security flaw in Apache OFBiz tracked as CVE-2024-38856. The vulnerability, which has been assigned a CVSS score of 9.8, allows threat actors to perform pre-authentication remote code execution (RCE). While testing a patch for CVE-2024-36104, SonicWall researchers discovered that unauthenticated access was permitted to the ProgramExport endpoint, potentially enabling the execution of arbitrary code. --------------------------------------------- https://www.zscaler.com/blogs/security-research/cve-2024-38856-pre-auth-rce… ∗∗∗ Post-Quantum Cryptography Standards Officially Announced by NIST – a History and Explanation ∗∗∗ --------------------------------------------- NIST has formally published three post-quantum cryptography standards from the competition it held to develop cryptography able to withstand the anticipated quantum computing decryption of current asymmetric encryption. --------------------------------------------- https://www.securityweek.com/post-quantum-cryptography-standards-officially… ∗∗∗ Falsche Mitteilung im Namen des Bundeskanzleramtes über Entschädigungszahlungen ∗∗∗ --------------------------------------------- Kriminelle versenden im Namen des Bundeskanzleramtes gefälschte E-Mails über eine Entschädigungszahlung für die Wasser- und Energierechnung. Im E-Mail steht, dass Sie € 102,49 erhalten. Für den Erhalt der Summe, müssen Sie aber auf einen Link klicken. --------------------------------------------- https://www.watchlist-internet.at/news/falsche-mitteilung-im-namen-des-bund… ∗∗∗ Harnessing LLMs for Automating BOLA Detection ∗∗∗ --------------------------------------------- Learn about BOLABuster, an LLM-driven tool automating BOLA vulnerability detection in web applications. Issues have already been identified in multiple projects. --------------------------------------------- https://unit42.paloaltonetworks.com/automated-bola-detection-and-ai/ ∗∗∗ Strafverfolgern gelingt Schlag gegen Radar/Dispossessor Ransomwaregruppe ∗∗∗ --------------------------------------------- Es ist der nächste Schlag gegen Cyberkriminelle. Strafverfolger aus den USA (FBI), Großbritannien und Deutschland ist es gelungen, die Infrastruktur der Ransomwaregruppe Radar/Dispossessor zu zerschlagen. --------------------------------------------- https://www.borncity.com/blog/2024/08/13/strafverfolgern-gelingt-schlag-geg… ∗∗∗ Hackers Leak 1.4 Billion Tencent User Accounts Online ∗∗∗ --------------------------------------------- Massive data leak exposes 1.4 billion Tencent user accounts. Leaked data includes emails, phone numbers, and QQ IDs potentially linked to the “Mother of All Breaches” (MOAB). --------------------------------------------- https://hackread.com/hackers-leak-1-4-billion-tencent-user-accounts-online/ ∗∗∗ CryptoCore: Unmasking the Sophisticated Cryptocurrency Scam Operations ∗∗∗ --------------------------------------------- This report delves into the intricacies of the CryptoCore group’s scam and analyses their modus operandi. We will describe key exploited events, including hijacked YouTube accounts and deepfake videos, alongside a technical analysis of the fraudulent sites. One purpose of this study is to present a fundamental analysis – and key statistics – of fraudulent wallets that have received profits in the millions of dollars, as well as provide statistical data on detections, showing how victims are lured into suspicious websites and ultimately end up crypto scam victims. --------------------------------------------- https://decoded.avast.io/martinchlumecky1/cryptocore-unmasking-the-sophisti… ∗∗∗ Ivanti warns of critical vTM auth bypass with public exploit ∗∗∗ --------------------------------------------- Tracked as CVE-2024-7593, this auth bypass vulnerability is due to an incorrect implementation of an authentication algorithm that allows remote unauthenticated attackers to bypass authentication on Internet-exposed vTM admin panels. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ivanti-warns-of-critical-vtm… ===================== = Vulnerabilities = ===================== ∗∗∗ Ivanti: August Security Update ∗∗∗ --------------------------------------------- Today, fixes have been released for the following solutions: Ivanti Neurons for ITSM, Ivanti Avalanche and Ivanti Virtual Traffic Manager (vTM). --------------------------------------------- https://www.ivanti.com/blog/august-security-update ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (kernel and roundcube), Fedora (microcode_ctl, pypy, python2.7, and python3.6), Oracle (389-ds-base, httpd, kernel, kernel-container, and linux-firmware), Red Hat (kernel-rt), SUSE (firefox, kubernetes1.23, libqt5-qtbase, openssl-1_1, python-gunicorn, python-Twisted, python-urllib3, and qt6-base), and Ubuntu (linux-aws-5.15, linux-gkeop-5.15, linux-ibm, linux-ibm-5.15, linux-raspi, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-oem-6.8, linux-oracle-5.15, and qemu). --------------------------------------------- https://lwn.net/Articles/985481/ ∗∗∗ SAP Patches Critical Vulnerabilities in BusinessObjects, Build Apps ∗∗∗ --------------------------------------------- SAP has released 25 security notes on August 2024 Security Patch Day, including for critical vulnerabilities in BusinessObjects and Build Apps. --------------------------------------------- https://www.securityweek.com/sap-patches-critical-vulnerabilities-in-busine… ∗∗∗ CISA Releases Ten Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- AVEVA SuiteLink Server, Rockwell Automation, Ocean Data Systems --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/08/13/cisa-releases-ten-indust… ∗∗∗ Splunk: SVD-2024-0801: Third-Party Package Updates in Python for Scientific Computing - August 2024 ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2024-0801 ∗∗∗ Lenovo: NVIDIA GPU Display Driver - July 2024 ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500637-NVIDIA-GPU-DISPLAY-DRIV… ∗∗∗ Lenovo: LDCC and LADM Privilege Escalation Vulnerabilities ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500636-LDCC-AND-LADM-PRIVILEGE… ∗∗∗ 0patch: The "EventLogCrasher" 0day For Remotely Disabling Windows Event Log, And a Free Micropatch For It ∗∗∗ --------------------------------------------- https://blog.0patch.com/2024/01/the-eventlogcrasher-0day-for-remotely.html ∗∗∗ tenable: [R1] Stand-alone Security Patch Available for Tenable Security Center versions 6.2.1, 6.3.0 and 6.4.0: SC-202408.1 ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2024-13 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.08.2024
by Daily end-of-shift report 12 Aug '24

12 Aug '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 09-08-2024 18:00 − Montag 12-08-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Passwortmanager und VPN-Apps: Klartextpasswörter aus Prozessspeicher gelesen ∗∗∗ --------------------------------------------- Passwörter landen bei der Verarbeitung zwangsläufig im Speicher. Bei einigen Anwendungen verbleiben sie dort aber zu lange, was die Angriffsfläche vergrößert. --------------------------------------------- https://www.golem.de/news/passwortmanager-und-vpn-apps-klartextpasswoerter-… ∗∗∗ Verschlüsselung ausgehebelt: Forscher übernimmt Kontrolle über Geldautomaten ∗∗∗ --------------------------------------------- So manch ein Hacker träumt davon, die Software von Geldautomaten zu knacken, um sich beliebig viel Bargeld auszahlen zu lassen. Einem Forscher ist wohl genau das gelungen. [..] Für einen erfolgreichen Angriff ist nach Angaben des Sicherheitsforschers allerdings ein physischer Zugang zum jeweiligen Geldautomaten erforderlich, "bei dem man den oberen Teil des Geldautomaten öffnet, die Festplatte herausnimmt und dann den Inhalt der Festplatte manipuliert". --------------------------------------------- https://www.golem.de/news/verschluesselung-ausgehebelt-forscher-uebernimmt-… ∗∗∗ Experts Uncover Severe AWS Flaws Leading to RCE, Data Theft, and Full-Service Takeovers ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered multiple critical flaws in Amazon Web Services (AWS) offerings that, if successfully exploited, could result in serious consequences. [..] Following responsible disclosure in February 2024, Amazon addressed the shortcomings over several months from March to June. The findings were presented at Black Hat USA 2024. --------------------------------------------- https://thehackernews.com/2024/08/experts-uncover-severe-aws-flaws.html ∗∗∗ Living off the land with Bluetooth PAN ∗∗∗ --------------------------------------------- Just like in the living off the land native SSH blog post, this is not a new and clever method of attack, rather it is using tools that are built-in to Windows to present an unexpected vector for access to networks that could mask many of the common tools used to assess a network. [..] Look at disabling these using Intune / Group Policy configuration policies. If there is a justification for their use, consider monitoring the usage of these tools in your environment. --------------------------------------------- https://www.pentestpartners.com/security-blog/living-off-the-land-with-blue… ∗∗∗ BlackHat 2024: Remote Code Execution-Angriff auf M365 Copilot per E-Mail ∗∗∗ --------------------------------------------- Auf der BlackHat 2024 hat Michael Bargury RCE-Angriffe auf M365 Copilot gezeigt – eine E-Mail reicht, um Sensitives zu suchen. Insgesamt stellt Bargury fünf verschiedene Angriffsmethoden auf Microsofts AI-Lösungen vor. Hier mal ein kurzer Abriss zu diesem Thema. --------------------------------------------- https://www.borncity.com/blog/2024/08/11/blackhat-2024-remote-code-executio… ∗∗∗ Ongoing Social Engineering Campaign Refreshes Payloads ∗∗∗ --------------------------------------------- On June 20, 2024, Rapid7 identified multiple intrusion attempts by threat actors utilizing Techniques, Tactics, and Procedures (TTPs) that are consistent with an ongoing social engineering campaign being tracked by Rapid7. [..] The initial lure being utilized by the threat actors remains the same: an email bomb followed by an attempt to call impacted users and offer a fake solution. --------------------------------------------- https://www.rapid7.com/blog/post/2024/08/12/ongoing-social-engineering-camp… ∗∗∗ Google Patches Critical Vulnerabilities in Quick Share After Researchers’ Warning ∗∗∗ --------------------------------------------- A groundbreaking presentation at Defcon 32 has revealed critical flaws in Google’s Quick Share, a peer-to-peer data-transfer utility for Android, Windows, and Chrome operating systems. Quick Share boasts impressive versatility, utilizing Bluetooth, Wi-Fi, Wi-Fi Direct, WebRTC, and NFC to facilitate peer-to-peer file transfers however, these protocols are not designed for file transfers but rather to establish stable device connections for communication purposes. --------------------------------------------- https://hackread.com/google-patches-quick-share-vulnerabilities-warning/ ∗∗∗ Mit Domain-Based Authentication in unternehmensinterne Gruppen eindringen ∗∗∗ --------------------------------------------- Was ergeben ein uraltes Protokoll, eine millionenfach benutzte Bibliothek und eine Authentifizierung per Maildomain? Zugang zum internen Github-Netzwerk. --------------------------------------------- https://heise.de/-9830944 ===================== = Vulnerabilities = ===================== ∗∗∗ Neue Schwachstellen in OpenVPN ∗∗∗ --------------------------------------------- Microsoft hat in den OpenVPN-Clients von Android, iOS, macOS, BSD und Windows eine Reihe Schwachstellen gefunden. Angreifer könnten einige der entdeckten Schwachstellen kombinierte, um eine remote ausnutzbare Angriffskette zu erhalten, die eine Remotecodeausführung (RCE) und lokaler Privilegienerweiterung (LPE) umfasst. Die Schwachstellen sollten durch Updates beseitigt werden, wobei man teilweise auf Firmware diverser Gerätehersteller angewiesen ist. --------------------------------------------- https://www.borncity.com/blog/2024/08/10/neue-schwachstellen-in-openvpn/ ∗∗∗ Sicherheitslücken: Netzwerkmonitoringtool Zabbix kann Passwörter leaken ∗∗∗ --------------------------------------------- In aktuellen Ausgaben des Netzwerkmonitoringtools Zabbix haben die Entwickler insgesamt acht Sicherheitslücken geschlossen. Nach erfolgreichen Attacken können Angreifer etwa Passwörter im Klartext einsehen oder sogar Schadcode ausführen. --------------------------------------------- https://heise.de/-9832311 ∗∗∗ Industrial Remote Access Tool Ewon Cosy+ Vulnerable to Root Access Attacks ∗∗∗ --------------------------------------------- Security vulnerabilities have been disclosed in the industrial remote access solution Ewon Cosy+ that could be abused to gain root privileges to the devices and stage follow-on attacks. --------------------------------------------- https://thehackernews.com/2024/08/industrial-remote-access-tool-ewon-cosy.h… ∗∗∗ FreeBSD Releases Urgent Patch for High-Severity OpenSSH Vulnerability ∗∗∗ --------------------------------------------- The maintainers of the FreeBSD Project have released security updates to address a high-severity flaw in OpenSSH that attackers could potentially exploit to execute arbitrary code remotely with elevated privileges. The vulnerability, tracked as CVE-2024-7589, carries a CVSS score of 7.4 out of a maximum of 10.0, indicating high severity. --------------------------------------------- https://thehackernews.com/2024/08/freebsd-releases-urgent-patch-for-high.ht… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (httpd:2.4), Fedora (chromium, firefox, frr, neatvnc, nss, python-setuptools, and python3.13), Gentoo (AFLplusplus, Bundler, dpkg, GnuPG, GPAC, libde265, matio, MuPDF, PHP, protobuf, protobuf-python, protobuf-c, rsyslog, Ruby on Rails, and runc), Red Hat (389-ds-base, container-tools:rhel8, and httpd:2.4), SUSE (bind and ca-certificates-mozilla), and Ubuntu (linux-azure). --------------------------------------------- https://lwn.net/Articles/985336/ ∗∗∗ Warnung vor Microsoft Office Spoofing-Schwachstelle CVE-2024-38200 ∗∗∗ --------------------------------------------- Microsoft hat zum 8. August 2024 (mit Update vom 10. August 2024) eine Warnung von einer ungepatchten Spoofing-Schwachstelle CVE-2024-38200 veröffentlicht. Die Schwachstelle ist in allen Office-Versionen (Office 2016 – 2021, Office 365) enthalten. [..] Angreifer haben die Möglichkeit, über eine spezielle oder kompromittierte Webseite eine Datei bereitzustellen, um die Schwachstelle auszunutzen. Über die Sicherheitslücke könnten NTLM-Hashes gegenüber Remote-Angreifern offengelegt werden. --------------------------------------------- https://www.borncity.com/blog/2024/08/12/warnung-vor-microsoft-office-spoof… ∗∗∗ Schwachstelle "Ghostwrite" erlaubt DRAM-Zugriff in RISC-V CPUs ∗∗∗ --------------------------------------------- Deutsche Forscher fanden Schwachstellen in einzelnen RISC-V CPUs von T-Head Semiconductors. Die flexible, junge Architektur entpuppt sich dabei als Risiko. [..] Die entdeckten Schwachstellen können allerdings auch nach ihrer Offenlegung nicht mit Mikrocode oder einem Softwareupdate behoben werden, denn sie befinden sich in der Schaltung der Hardware. --------------------------------------------- https://heise.de/-9830926 ∗∗∗ B&R: 2024-08-09: Cyber Security Advisory - B&R Automation Runtime Several vulnerabilities in B&R Automation Runtime ∗∗∗ --------------------------------------------- https://www.br-automation.com/fileadmin/SA24P011-d8aaf02f.pdf ∗∗∗ Asterisk Security Advisories ∗∗∗ --------------------------------------------- https://www.asterisk.org/downloads/security-advisories/ ∗∗∗ GitLab Patch Release: 17.2.2, 17.1.4, 17.0.6 ∗∗∗ --------------------------------------------- https://about.gitlab.com/releases/2024/08/07/patch-release-gitlab-17-2-2-re… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.08.2024
by Daily end-of-shift report 09 Aug '24

09 Aug '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 08-08-2024 18:00 − Freitag 09-08-2024 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Malware force-installs Chrome extensions on 300,000 browsers, patches DLLs ∗∗∗ --------------------------------------------- An ongoing and widespread malware campaign force-installed malicious Google Chrome and Microsoft Edge browser extensions in over 300,000 browsers, modifying the browsers executables to hijack homepages and steal browsing history. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malware-force-installs-chrom… ∗∗∗ ‘Sinkclose’ Flaw in Hundreds of Millions of AMD Chips Allows Deep, Virtually Unfixable Infections ∗∗∗ --------------------------------------------- Researchers warn that a bug in AMD’s chips would allow attackers to root into some of the most privileged portions of a computer—and that it has persisted in the company’s processors for decades. --------------------------------------------- https://www.wired.com/story/amd-chip-sinkclose-flaw/ ∗∗∗ Windows Server durch PoC-Exploit für CVE-2024-38077 gefährdet ∗∗∗ --------------------------------------------- Nochmals ein Nachgang zum Juli 2024-Patchday, bei dem Microsoft die Schwachstelle CVE-2024-38077 im Windows-Remotedesktop-Lizenzierungsdienst (RDL) von Windows Server geschlossen hat. [..] es wurde ein Proof of Concept (PoC) für diese Schwachstelle veröffentlicht. --------------------------------------------- https://www.borncity.com/blog/2024/08/09/windows-server-durch-poc-exploit-f… ∗∗∗ How Hackers Extracted the ‘Keys to the Kingdom’ to Clone HID Keycards ∗∗∗ --------------------------------------------- [HID]s actually known about the vulnerabilities [..] since sometime in 2023, when it was first informed about the technique by another security researcher [..] HID warned customers about the existence of a vulnerability that would allow hackers to clone keycards in an advisory in January, which includes recommendations about how customers can protect themselves—but it offered no software update at that time. --------------------------------------------- https://www.wired.com/story/hid-keycard-authentication-key-vulnerability/ ∗∗∗ ICANN reserves .internal for private use at the DNS level ∗∗∗ --------------------------------------------- The Internet Corporation for Assigned Names and Numbers (ICANN) has agreed to reserve the .internal top-level domain so it can become the equivalent to using the 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 IPv4 address blocks for internal networks. Those blocks are reserved for private use by the Internet Assigned Numbers Authority, which requires they never appear on the public internet. --------------------------------------------- https://www.theregister.com/2024/08/08/dot_internal_ratified/ ∗∗∗ New attack against the [Linux kernel] SLUB allocator ∗∗∗ --------------------------------------------- Researchers from Graz University of Technology have published details of a new attack on the Linux kernel called SLUBstack. The attack uses timing information to turn an ability to trigger use-after-free or double-free bugs into the ability to overwrite page tables, and thence into the ability to read and write arbitrary areas of memory. The good news is that this attack does require an existing bug to be usable; the bad news is that the kernel regularly sees bugs of this kind. --------------------------------------------- https://lwn.net/Articles/984984/ ∗∗∗ Fake-Videos: Van der Bellen & Assinger werben nicht für Investmentplattformen ∗∗∗ --------------------------------------------- Derzeit erleben wir erneut eine Welle von Deepfake-Videos, in denen österreichische Prominente auf Facebook und Instagram für Investmentplattformen werben. Lassen Sie sich nicht täuschen: Weder Bundespräsident Alexander van der Bellen noch TV-Moderator Armin Assinger sind plötzlich Finanzexperten, die eine Investmentplattform entwickelt haben. Die Plattformen sind betrügerisch und die Videos wurden von Kriminellen erstellt. --------------------------------------------- https://www.watchlist-internet.at/news/fake-videos-van-der-bellen-assinger-… ∗∗∗ Confusion Attacks: Exploiting Hidden Semantic Ambiguity in Apache HTTP Server! ∗∗∗ --------------------------------------------- This article explores architectural issues within the Apache HTTP Server, highlighting several technical debts within Httpd, including 3 types of Confusion Attacks, 9 new vulnerabilities, 20 exploitation techniques, and over 30 case studies. [..] These vulnerabilities were reported through the official security mailing list and were addressed by the Apache HTTP Server in the 2.4.60 update published on 2024-07-01. --------------------------------------------- https://devco.re/blog/2024/08/09/confusion-attacks-exploiting-hidden-semant… ∗∗∗ Best Practices for Cisco Device Configuration ∗∗∗ --------------------------------------------- In recent incidents, CISA has seen malicious cyber actors acquire system configuration files by leveraging available protocols or software on devices, such as abusing the legacy Cisco Smart Install feature. CISA recommends organizations disable Smart Install and review NSA’s Smart Install Protocol Misuse advisory and Network Infrastructure Security Guide for configuration guidance. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/08/08/best-practices-cisco-dev… ∗∗∗ Sicherheitsforscher verwandeln Sonos-One-Lautsprecher in Wanze ∗∗∗ --------------------------------------------- Angreifer können über das eingebaute Mikrofon von Sonos-One-Lautsprechern Gespräche mitschneiden. Mittlerweile ist das Sicherheitsproblem gelöst. --------------------------------------------- https://heise.de/-9830061 ===================== = Vulnerabilities = ===================== ∗∗∗ Schwachstellen in 1Password gefährden MacOS-Nutzer [CVE-2024-42218, CVE-2024-42219] ∗∗∗ --------------------------------------------- In 1Password 8 für Mac klaffen zwei Sicherheitslücken, die es Angreifern ermöglichen, Tresorelemente von MacOS-Nutzern abzugreifen. [..] Damit ein Angriff gelingt, muss ein Angreifer allerdings bei beiden Lücken bereits in der Lage sein, auf dem Zielsystem eine eigene Software auszuführen. --------------------------------------------- https://www.golem.de/news/datenabfluss-moeglich-schwachstellen-in-1password… ∗∗∗ Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability [CVE-2024-38219] ∗∗∗ --------------------------------------------- Successful exploitation of this vulnerability requires an attacker to gather information specific to the environment and take additional actions prior to exploitation to prepare the target environment. Fxied in Microsoft Edge Version 127.0.2651.98 released 8/8/2024. --------------------------------------------- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38219 ∗∗∗ Microsoft Edge (HTML-based) Memory Corruption Vulnerability [CVE-2024-38218] ∗∗∗ --------------------------------------------- The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability. Fixed in Microsoft Edge Version 127.0.2651.98 released 8/8/2024. --------------------------------------------- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38218 ∗∗∗ Multiple vulnerabilities in LogSign ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-24-1102/ http://www.zerodayinitiative.com/advisories/ZDI-24-1103/ http://www.zerodayinitiative.com/advisories/ZDI-24-1104/ https://www.zerodayinitiative.com/advisories/ZDI-24-1105/ https://www.zerodayinitiative.com/advisories/ZDI-24-1106/ --------------------------------------------- https://support.logsign.net/hc/en-us/articles/20617133769362-07-08-2024-Ver… ∗∗∗ PostgreSQL relation replacement during pg_dump executes arbitrary SQL [CVE-2024-7348] ∗∗∗ --------------------------------------------- Time-of-check Time-of-use (TOCTOU) race condition in pg_dump in PostgreSQL allows an object creator to execute arbitrary SQL functions as the user running pg_dump, which is often a superuser. The attack involves replacing another relation type with a view or foreign table. The attack requires waiting for pg_dump to start, but winning the race condition is trivial if the attacker retains an open transaction. Versions before PostgreSQL 16.4, 15.8, 14.13, 13.16, and 12.20 are affected. --------------------------------------------- https://www.postgresql.org/support/security/CVE-2024-7348/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (httpd, kernel, kernel-rt, and libtiff), Debian (postgresql-13, postgresql-15, and thunderbird), Fedora (frr, thunderbird, vim, and xrdp), Gentoo (Librsvg, Nautilus, ncurses, Percona XtraBackup, QEMU, and re2c), Red Hat (httpd, kernel, kernel-rt, openssl, and python-setuptools), SUSE (bind, ffmpeg-4, kubernetes1.23, kubernetes1.24, python-Django, and python3-Twisted), and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-raspi, linux-xilinx-zynqmp, linux, linux-aws, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux, linux-aws, linux-gcp, linux-gke, linux-ibm, linux-nvidia, linux-nvidia-6.8, linux-oem-6.8, linux-nvidia-lowlatency, linux-oracle, linux-oracle, linux-oracle-5.4, salt. --------------------------------------------- https://lwn.net/Articles/984966/ ∗∗∗ New FileSender 2.49 release with major changes ∗∗∗ --------------------------------------------- We are happy to announce the release of FileSender 2.49. This new release includes security updates that you should install. Also, it offers a few features and improvements, as well as many bug fixes. --------------------------------------------- https://connect.geant.org/2024/08/08/new-filesender-2-49-release-with-major… ∗∗∗ 0.0.0.0 Day-Schwachstelle ermöglicht seit 18 Jahren Angriffe auf Browser ∗∗∗ --------------------------------------------- Sicherheitsforscher haben offen gelegt, dass Hacker einen seit 18 Jahren bekannten, alten Fehler in Safari, Chrome und Firefox ausgenutzt haben, um in private Netzwerke einzudringen. Die als "0.0.0.0 Day" bezeichnete Sicherheitslücke ermöglicht es böswilligen Websites, die Browsersicherheit zu umgehen und mit Diensten zu interagieren, die im lokalen Netzwerk einer Organisation laufen. Dies kann zu unautorisiertem Zugriff und Remotecodeausführung auf lokalen Diensten durch Angreifer außerhalb des Netzwerks führen. Die Browserhersteller beginnen nun, diese Adresse zu blockieren. --------------------------------------------- https://www.borncity.com/blog/2024/08/09/0-0-0-0-day-schwachstelle-ermglich… ∗∗∗ RaonSecure Product Security Advisory ∗∗∗ --------------------------------------------- Overview RaonSecure has released an update to address a vulnerability in their products. Users of affected versions are advised to update to the latest version. Affected Products TouchEn nxKey version: ~ 1.0.0.87 (included) --------------------------------------------- https://asec.ahnlab.com/en/82372/ ∗∗∗ LibreOffice: Ability to trust not validated macro signatures removed in high security mode [CVE-2024-6472] ∗∗∗ --------------------------------------------- https://www.libreoffice.org/about-us/security/advisories/CVE-2024-6472 ∗∗∗ IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to multiple Vim-minimal Package Issues ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7164174 ∗∗∗ Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for July 2024. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7161907 ∗∗∗ Multiple vulnerabilities in IBM Business Automation Workflow Machine Learning Server are addressed with 24.0.0-IF001 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7164164 ∗∗∗ IBM Cloud Pak for Data is vulnerable to unknown impact and attack vector due to Python certifi ( CVE-2022-23491 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7164180 ∗∗∗ IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to multiple Base OS issues ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7164175 ∗∗∗ IBM Cloud Pak for Data is vulnerable to session hijacking due to Node.js passport module ( CVE-2022-25896 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7164201 ∗∗∗ IBM Cloud Pak for Data is vulnerable to denial of service due to Node.js http-cache-semantics module ( CVE-2022-25881 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7164225 ∗∗∗ IBM Cloud Pak for Data is vulnerable to denial of service due to Node.js cookiejar module ( CVE-2022-25901 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7164200 ∗∗∗ IBM Cloud Pak for Data is vulnerable to cross-site scripting due to Jinja2 ( CVE-2024-34064 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7164204 ∗∗∗ IBM Cloud Pak for Data is vulnerable to denial of service due to Pallets Werkzeug ( CVE-2023-46136 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7164208 ∗∗∗ IBM Cloud Pak for Data is vulnerable to denial of service due to Express.js ( CVE-2022-24999 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7164217 ∗∗∗ IBM Cloud Pak for Data is vulnerable to several issues due to the go compiler ( CVE-2022-41724 CVE-2021-34558 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7164255 ∗∗∗ IBM Cloud Pak for Data is vulnerable to denial of service due to Rack ( CVE-2024-26146 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7164274 ∗∗∗ IBM Cloud Pak for Data is vulnerable to exposing sensitive information due to Masterminds GoUtils ( CVE-2021-4238 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7164234 ∗∗∗ IBM Cloud Pak for Data is vulnerable to denial of service due to Node.js semver ( CVE-2022-25883 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7164266 ∗∗∗ IBM Cloud Pak for Data is vulnerable to regular expression denial of service due to Rack ( CVE-2023-27539 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7164269 ∗∗∗ This Power System update is being released to address CVE-2024-41660 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7163146 ∗∗∗ IBM Aspera Shares improved security for user session handling (CVE-2023-38018) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7164325 ∗∗∗ The IBM Engineering Lifecycle Engineering product using the -Xgc:concurrentScavenge option on IBM Z is vulnerable to Buffer overflow in GC ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7164658 ∗∗∗ The IBM Engineering Lifecycle Engineering product using IBM WebSphere Application Server is vulnerable to cross-site scripting (CVE-2024-35153) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7164651 ∗∗∗ The IBM Engineering Lifecycle Engineering product using IBM WebSphere Application Server is vulnerable to remote code execution (CVE-2024-35154) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7164649 ∗∗∗ The IBM Engineering Lifecycle Engineering product using IBM WebSphere Application Server is vulnerable to identity spoofing (CVE-2024-37532) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7164653 ∗∗∗ IBM Sterling Connect:Direct Web Service is affected by Java JWT vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7164709 ∗∗∗ There is a vulnerability in commons-compress-1.21.jar used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2024-25710, CVE-2024-26308) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7164810 ∗∗∗ There is a vulnerability in commons-compress-1.21.jar used by IBM Maximo Asset Management application (CVE-2024-25710, CVE-2024-26308) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7164809 ∗∗∗ Maximo Application Suite - IBM WebSphere Application Server Liberty is vulnerable to CVE-2024-27268 used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7164814 ∗∗∗ Maximo Application Suite - IBM WebSphere Application Server Liberty is vulnerable to CVE-2024-22354 used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7164813 ∗∗∗ Maximo Application Suite - IBM WebSphere Application Server Liberty is vulnerable to CVE-2023-51775 a denial of service due to jose4j ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7164812 ∗∗∗ Maximo Application Suite - IBM WebSphere Application Server Liberty is vulnerable to multiple CVEs used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7164811 ∗∗∗ Multiple Vulnerabilities in XCC affect IBM Cloud Pak System ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7147906 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.08.2024
by Daily end-of-shift report 08 Aug '24

08 Aug '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 07-08-2024 18:00 − Donnerstag 08-08-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Kein Patch in Sicht: Phishing-Warnung in Outlook lässt sich per Mail ausblenden ∗∗∗ --------------------------------------------- Obendrein kann eine Phishing-Mail in Outlook auch vortäuschen, dass sie verschlüsselt oder signiert ist. Für Microsoft hat das Thema derzeit keine Priorität. --------------------------------------------- https://www.golem.de/news/kein-patch-in-sicht-phishing-warnung-in-outlook-l… ∗∗∗ Samsung boosts bug bounty to a cool million for cracks of the Knox Vault subsystem ∗∗∗ --------------------------------------------- Good luck, crackers: Its an isolated processor and storage enclave, and top dollar only comes from a remote attack Samsung has dangled its first $1 million bug bounty for anyone who successfully compromises Knox Vault – the isolated subsystem the Korean giant bakes into its smartphones to store info like credentials and run authentication routines. --------------------------------------------- https://www.theregister.com/2024/08/08/samsung_microsoft_big_bug_bounty/ ∗∗∗ Using 1Password on Mac? Patch up if you don’t want your Vaults raided ∗∗∗ --------------------------------------------- Hundreds of thousands of users potentially vulnerable Password manager 1Password is warning that all Mac users running versions before 8.10.36 are vulnerable to a bug that allows attackers to steal vault items. --------------------------------------------- https://www.theregister.com/2024/08/08/using_1password_on_mac_patch/ ∗∗∗ A Flaw in Windows Update Opens the Door to Zombie Exploits ∗∗∗ --------------------------------------------- A researcher found a vulnerability that would let hackers strategically downgrade a target’s Windows version to reexpose patched vulnerabilities. Microsoft is working on fixes for the issue. --------------------------------------------- https://www.wired.com/story/windows-update-downdate-exploit/ ∗∗∗ Vulnerabilities Exposed Widely Used Solar Power Systems to Hacking, Disruption ∗∗∗ --------------------------------------------- Vulnerabilities found in solar power systems could have been exploited by hackers to cause disruption and possibly blackouts. --------------------------------------------- https://www.securityweek.com/vulnerabilities-exposed-widely-used-solar-powe… ∗∗∗ Royal Ransomware Actors Rebrand as “BlackSuit,” FBI and CISA Release Update to Advisory ∗∗∗ --------------------------------------------- Today, CISA—in partnership with the Federal Bureau of Investigation (FBI)—released an update to joint Cybersecurity Advisory #StopRansomware: Royal Ransomware, #StopRansomware: BlackSuit (Royal) Ransomware. The updated advisory provides network .. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/08/07/royal-ransomware-actors-… ∗∗∗ US offers $10 million for info on Iranian leaders behind CyberAv3ngers water utility attacks ∗∗∗ --------------------------------------------- The U.S. State Department identified at least six Iranian government hackers allegedly responsible for a string of attacks on U.S. water utilities last fall and offered a large reward for information on their whereabouts. --------------------------------------------- https://therecord.media/us-offers-reward-for-info-on-iranian-hackers-water-… ∗∗∗ BOTNET 7777: ARE YOU BETTING ON A COMPROMISED ROUTER? ∗∗∗ --------------------------------------------- A “7777 botnet” was first referenced in public reporting in October 2023 by Gi7w0rm. At the time, it was described as a botnet with approximately 10,000 nodes, observed primarily in brute-force attacks against Microsoft Azure instances. These attacks .. --------------------------------------------- https://www.team-cymru.com/post/botnet-7777-are-you-betting-on-a-compromise… ∗∗∗ Go deeper: Linux runtime visibility meets Wireshark ∗∗∗ --------------------------------------------- Aqua Tracee is an open source runtime security and forensics tool for Linux, built to address common Linux security issues. Tracee’s main use case is to be installed in a production environment and continuously monitor system activity and detect suspicious behavior. Some alternative use cases which Tracee can be used for are dynamic malware analysis, system tracing, .. --------------------------------------------- https://blog.aquasec.com/go-deeper-linux-runtime-visibility-meets-wireshark ∗∗∗ PureHVNC Deployed via Python Multi-stage Loader ∗∗∗ --------------------------------------------- FortiGuard Lab reveals a malware "PureHVNC", sold on the cybercrime forum, is spreading through a phishing campaign targeting employees via a python multi-stage loader --------------------------------------------- https://www.fortinet.com/blog/threat-research/purehvnc-deployed-via-python-… ∗∗∗ Cisco: Angreifer können Befehle auf IP-Telefonen ausführen, Update kommt nicht ∗∗∗ --------------------------------------------- Für kritische Lücken in Cisco-IP-Telefonen wird es keine Updates geben. Für eine jüngst gemeldete Lücke ist ein Proof-of-Concept-Exploit aufgetaucht. --------------------------------------------- https://heise.de/-9827988 ===================== = Vulnerabilities = ===================== ∗∗∗ DSA-5743-1 roundcube - security update ∗∗∗ --------------------------------------------- https://lists.debian.org/debian-security-announce/2024/msg00154.html ∗∗∗ Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerabilities ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Small Business SPA300 Series and SPA500 Series IP Phones Web UI Vulnerabilities ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.08.2024
by Daily end-of-shift report 07 Aug '24

07 Aug '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 06-08-2024 18:00 − Mittwoch 07-08-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Schweiz: Kuh stirbt nach Cyberangriff auf Melkroboter ∗∗∗ --------------------------------------------- Die Angreifer forderten ein Lösegeld. Da der Landwirt nicht zahlen wollte, ist ihm der Zugang zu wichtigen Informationen über seine Kühe verwehrt geblieben. --------------------------------------------- https://www.golem.de/news/schweiz-kuh-stirbt-nach-cyberangriff-auf-melkrobo… ∗∗∗ New Linux Kernel Exploit Technique SLUBStick Discovered by Researchers ∗∗∗ --------------------------------------------- Cybersecurity researchers have shed light on a novel Linux kernel exploitation technique dubbed SLUBStick that could be exploited to elevate a limited heap vulnerability to an arbitrary memory read-and-write primitive."Initially, it exploits .. --------------------------------------------- https://thehackernews.com/2024/08/new-linux-kernel-exploit-technique.html ∗∗∗ Roundcube Webmail Flaws Allow Hackers to Steal Emails and Passwords ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed details of security flaws in the Roundcube webmail software that could be exploited to execute malicious JavaScript in a victims web browser and steal sensitive information from their account under specific .. --------------------------------------------- https://thehackernews.com/2024/08/roundcube-webmail-flaws-allow-hackers.html ∗∗∗ CrowdStrike hires outside security outfits to review troubled Falcon code ∗∗∗ --------------------------------------------- And reveals the small mistake that bricked 8.5M Windows boxes CrowdStrike has hired two outside security firms to review its threat-detection suite Falcon that sparked a global IT outage last month - though it may not have an awful lot .. --------------------------------------------- https://www.theregister.com/2024/08/07/crowdstrike_full_incident_root_cause… ∗∗∗ Police take just 2 days to recover $40M stolen in business email scam ∗∗∗ --------------------------------------------- Timor-Leste is a known cybercrime hotspot Two days is all it took for Interpol to recover more than $40 million worth of stolen funds in a recent business email compromise (BEC) heist, the international cop shop said this week. --------------------------------------------- https://www.theregister.com/2024/08/07/police_take_just_two_days/ ∗∗∗ Small CSS tweaks can help nasty emails slip through Outlooks anti-phishing net ∗∗∗ --------------------------------------------- A simple HTML change and the warning is gone! Researchers say cybercriminals can have fun bypassing one of Microsofts anti-phishing measures in Outlook with some simple CSS tweaks. --------------------------------------------- https://www.theregister.com/2024/08/07/small_css_tweaks_can_help/ ∗∗∗ BloodHound Operator — Dog Whispering Reloaded ∗∗∗ --------------------------------------------- Back in the BloodHound “Legacy” days, I wrote some PowerShell tooling to make my life easy and automate various tasks around BloodHound. When the new BloodHound came out, most of these tools .. --------------------------------------------- https://posts.specterops.io/bloodhound-operator-dog-whispering-reloaded-156… ∗∗∗ CISA Releases Secure by Demand Guidance ∗∗∗ --------------------------------------------- Today, CISA and the Federal Bureau of Investigation (FBI) have released Secure by Demand Guide: How Software Customers Can Drive a Secure Technology Ecosystem to help organizations drive a secure technology ecosystem by ensuring their software manufacturers prioritize secure technology from the start.An organization’s acquisition staff often has a general .. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/08/06/cisa-releases-secure-dem… ∗∗∗ Achtung: Microsofts UEFI Zertifikat läuft am 19. Okt. 2026 aus – Secure Boot betroffen ∗∗∗ --------------------------------------------- [English]Ich stelle mal ein Thema hier im Blog ein, was noch "ein paar Tage Zeit hat", aber arg unangenehme Folgen haben könnte. Im Herbst 2026 läuft ein Zertifikat in Windows aus, welches im UEFI dafür sorgt, dass der .. --------------------------------------------- https://www.borncity.com/blog/2024/08/07/achtung-microsofts-uefi-zertifikat… ∗∗∗ Looking back at the ballot – securing the general election ∗∗∗ --------------------------------------------- NCSC CEO Felicity Oswald shares reflections on keeping the 2024 General Election safe. --------------------------------------------- https://www.ncsc.gov.uk/blog-post/looking-back-at-the-ballot-securing-the-g… ∗∗∗ The Risks of Parked Domains ∗∗∗ --------------------------------------------- Many organizations view parked domains as dormant, low-risk, and not worth the investment in robust security measures. This is a misconception. Heres why. --------------------------------------------- https://www.bitsight.com/blog/risks-parked-domains ===================== = Vulnerabilities = ===================== ∗∗∗ DSA-5739-1 wpa - security update ∗∗∗ --------------------------------------------- Rory McNamara reported a local privilege escalation in wpasupplicant: A user able to escalate to the netdev group can load arbitrary shared object files in the context of the wpa_supplicant process running as root. --------------------------------------------- https://lists.debian.org/debian-security-announce/2024/msg00151.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.08.2024
by Daily end-of-shift report 06 Aug '24

06 Aug '24

===================== = End-of-Day report = ===================== Timeframe: Montag 05-08-2024 18:00 − Dienstag 06-08-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Mac and Windows users infected by software updates delivered over hacked ISP ∗∗∗ --------------------------------------------- DNS poisoning attack worked even when targets used DNS from Google and Cloudflare. --------------------------------------------- https://arstechnica.com/?p=2041175 ∗∗∗ Microsoft Bounty Program Year in Review: $16.6M in Rewards ∗∗∗ --------------------------------------------- We are excited to announce that this year the Microsoft Bounty Program has awarded $16.6M in bounty awards to 343 security researchers from 55 countries, securing Microsoft customers in partnership with the Microsoft Security Response Center (MSRC). Each year we identify over a thousand potential security issues together, safeguarding our customers from possible threats through the Microsoft Bounty Program. --------------------------------------------- https://msrc.microsoft.com/blog/2024/08/microsoft-bounty-program-year-in-re… ∗∗∗ A Survey of Scans for GeoServer Vulnerabilities ∗∗∗ --------------------------------------------- A little bit over a year ago, I wrote about scans for GeoServer. GeoServer is a platform to process geographic data. It makes it easy to share geospatial data in various common standard formats. Recently, new vulnerabilities were discovered in GeoServer, prompting me to look again at what our honeypots pick up. --------------------------------------------- https://isc.sans.edu/diary/A+Survey+of+Scans+for+GeoServer+Vulnerabilities/… ∗∗∗ MDM vendor Mobile Guardian attacked, leading to remote wiping of 13,000 devices ∗∗∗ --------------------------------------------- Singapore Ministry of Education orders software removed after string of snafus UK-based mobile device management vendor Mobile Guardian has admitted that on August 4 it suffered a security incident that involved unauthorized access to iOS and ChromeOS devices managed by its tools, which are currently unavailable. In Singapore, the incident resulted in .. --------------------------------------------- https://www.theregister.com/2024/08/06/mobile_guardian_mdm_attack/ ∗∗∗ Bad apps bypass Windows security alerts for six years using newly unveiled trick ∗∗∗ --------------------------------------------- Windows SmartScreen and Smart App Control both have weaknesses of which to be wary Elastic Security Labs has lifted the lid on a slew of methods available to attackers who want to run malicious apps without triggering Windows security .. --------------------------------------------- https://www.theregister.com/2024/08/06/bad_apps_bypass_windows_security/ ∗∗∗ Olympia: Cyberkriminelle fordern nach Attacke auf Museen in Frankreich Lösegeld ∗∗∗ --------------------------------------------- Mehr als 40 Institutionen sind betroffen, darunter der Olympia-Austragungsort Grand Palais. Kriminelle haben das System für die Zentralisierung von Finanzdaten angegriffen --------------------------------------------- https://www.derstandard.at/story/3000000231309/olympia-cyber-attacke-auf-mu… ∗∗∗ IoT firmware emulation and device fingerprinting challenges ∗∗∗ --------------------------------------------- Gathering information on a device could be tricky if you don’t have direct access to exposed services like SNMP, HTTP, FTP, or any other ports or protocols which could provide relevant information on the asset like the .. --------------------------------------------- https://medium.com/tenable-techblog/iot-firmware-emulation-and-device-finge… ∗∗∗ Rapid7’s Ransomware Radar Report Shows Threat Actors are Evolving …Fast. ∗∗∗ --------------------------------------------- The Ransomware Radar Report offers some startling insights into who ransomware threat actors are and how they’ve been operating in the first half of 2024. --------------------------------------------- https://www.rapid7.com/blog/post/2024/08/06/rapid7s-ransomware-radar-report… ∗∗∗ LKA Niedersachsen warnt vor Phishing mit QR-Codes per Briefpost ∗∗∗ --------------------------------------------- Per Briefpost suchen Betrüger Opfer, die einen QR-Code scannen und auf den dadurch geöffneten Phishing-Link hereinfallen, warnt das LKA Niedersachsen. --------------------------------------------- https://heise.de/-9825879 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libreoffice), Gentoo (containerd and firefox), Red Hat (httpd), SUSE (ca-certificates-mozilla, ksh, openssl-3-livepatches, podman, python-Twisted, and skopeo), and Ubuntu (imagemagick). --------------------------------------------- https://lwn.net/Articles/984598/ ∗∗∗ DSA-5737-1 libreoffice - security update ∗∗∗ --------------------------------------------- https://lists.debian.org/debian-security-announce/2024/msg00149.html ∗∗∗ DSA-5736-1 openjdk-11 - security update ∗∗∗ --------------------------------------------- https://lists.debian.org/debian-security-announce/2024/msg00148.html ∗∗∗ ZDI-24-1099: Apache OFBiz resolveURI Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-1099/ ∗∗∗ Security Vulnerabilities fixed in Firefox 129 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2024-33/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.08.2024
by Daily end-of-shift report 05 Aug '24

05 Aug '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 02-08-2024 18:00 − Montag 05-08-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ StormBamboo Compromises ISP to Abuse Insecure Software Update Mechanisms ∗∗∗ --------------------------------------------- StormBamboo successfully compromised an internet service provider (ISP) in order to poison DNS responses for target organizations. Insecure software update mechanisms were targeted to surreptitiously install malware on victim machines running macOS and Windows. --------------------------------------------- https://www.volexity.com/blog/2024/08/02/stormbamboo-compromises-isp-to-abu… ∗∗∗ Google Chrome warns uBlock Origin may soon be disabled ∗∗∗ --------------------------------------------- Google Chrome is now encouraging uBlock Origin users who have updated to the latest version to switch to other ad blockers before Manifest v2 extensions are disabled. --------------------------------------------- https://www.bleepingcomputer.com/news/google/google-chrome-warns-ublock-ori… ∗∗∗ Security Tips for Modern Web Administrators ∗∗∗ --------------------------------------------- By understanding and implementing key security practices, you can significantly reduce the risk of attacks and ensure a safe experience for your users. Let’s break down some essential tips and strategies to enhance your website’s security. --------------------------------------------- https://blog.sucuri.net/2024/08/security-tips-for-modern-web-administrators… ∗∗∗ Google gamed into advertising a malicious version of Authenticator ∗∗∗ --------------------------------------------- Scammers have been using Google's own ad system to fool people into downloading a borked copy of the Chocolate Factory's Authenticator software. A team at security shop Malwarebytes spotted the adverts, which appear to come from a Google approved domain – and from a verified user – earlier this week. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2024/08/05/security_in_… ∗∗∗ New SLUBStick Attack Makes Linux Kernel Vulnerabilities More Dangerous ∗∗∗ --------------------------------------------- A team of researchers from the Graz University of Technology in Austria has published a paper on SLUBStick, a new Linux kernel exploitation technique that can make heap vulnerabilities more dangerous. --------------------------------------------- https://www.securityweek.com/new-slubstick-attack-makes-linux-kernel-vulner… ∗∗∗ Homebrew-Audit enthüllt Sicherheitslücken – die meisten hat das Team geschlossen ∗∗∗ --------------------------------------------- Ein umfangreiches Security-Audit hat Schwachstellen im Code und den CI/CD-Prozessen des Paketmanagers Homebrew gefunden. Viele, aber nicht alle, sind gefixt. --------------------------------------------- https://heise.de/-9822824 ===================== = Vulnerabilities = ===================== ∗∗∗ Kritische Sicherheitslücke bedroht Unternehmenssoftware Apache OFBiz ∗∗∗ --------------------------------------------- Angreifer können Systeme mit Apache OFBiz attackieren und eigenen Code ausführen. Eine dagegen abgesicherte Version steht zum Download bereit. [..] Derzeit gibt es kaum Informationen zur Lücke (CVE-2024-38856). Aus einem Seclists-Beitrag geht hervor, dass es zu Fehlern bei der Authentifizierung kommen kann, sodass Angreifer eigenen Code ausführen können. --------------------------------------------- https://heise.de/-9824150 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (openjdk-11), Fedora (bind, bind-dyndb-ldap, chromium, ffmpeg, hostapd, trafficserver, and wpa_supplicant), and Ubuntu (curl and linux-oem-6.5). --------------------------------------------- https://lwn.net/Articles/984552/ ∗∗∗ Pimax Play and PiTool accept WebSocket connections from unintended endpoints ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN50850706/ ∗∗∗ Helmholz: Multiple products are vulnerable to regreSSHion ∗∗∗ --------------------------------------------- https://certvde.com/de/advisories/VDE-2024-044/ ∗∗∗ Red Lion Europe: Multiple products are vulnerable to regreSSHion ∗∗∗ --------------------------------------------- https://certvde.com/de/advisories/VDE-2024-042/ ∗∗∗ RaspAP Security Update Advisory (CVE-2024-41637) ∗∗∗ --------------------------------------------- https://asec.ahnlab.com/en/82193/ ∗∗∗ OpenAM Security Update Advisory (CVE-2024-41667) ∗∗∗ --------------------------------------------- https://asec.ahnlab.com/en/82194/ ∗∗∗ GStreamer Product Security Update Advisory (CVE-2024-40897) ∗∗∗ --------------------------------------------- https://asec.ahnlab.com/en/82196/ ∗∗∗ Roundcube: Security updates 1.6.8 and 1.5.8 released ∗∗∗ --------------------------------------------- https://roundcube.net/news/2024/08/04/security-updates-1.6.8-and-1.5.8 ∗∗∗ F5: K000140505: Apache HTTPD vulnerability CVE-2024-38473 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000140505 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.08.2024
by Daily end-of-shift report 02 Aug '24

02 Aug '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 01-08-2024 18:00 − Freitag 02-08-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Tech support scam ring leader gets 7 years in prison, $6M fine ∗∗∗ --------------------------------------------- The leader of a tech support fraud scheme was sentenced to seven years in prison after tricking at least 6,500 victims and generating more than $6 million. --------------------------------------------- https://www.bleepingcomputer.com/news/legal/tech-support-scam-ring-leader-g… ∗∗∗ A recent spate of Internet disruptions ∗∗∗ --------------------------------------------- Cloudflare Radar is constantly monitoring the Internet for widespread disruptions. Here we examine several recent noteworthy disruptions detected in the first month of Q3, including traffic anomalies observed in Bangladesh, Syria, Pakistan, and Venezuela --------------------------------------------- https://blog.cloudflare.com/a-recent-spate-of-internet-disruptions-july-2024 ∗∗∗ Leaked GitHub Python Token ∗∗∗ --------------------------------------------- Cybersecurity researchers from JFrog recently discovered a GitHub Personal Access Token in a public Docker container hosted on Docker Hub, which granted elevated access to the GitHub repositories of the Python language, Python Package Index (PyPI), and the Python Software Foundation (PSF).JFrog discussed what could .. --------------------------------------------- https://www.schneier.com/blog/archives/2024/08/leaked-github-python-token.h… ∗∗∗ Mirai Botnet targeting OFBiz Servers Vulnerable to Directory Traversal ∗∗∗ --------------------------------------------- Enterprise Resource Planning (ERP) Software is at the heart of many enterprising supporting human resources, accounting, shipping, and manufacturing. These systems can become very complex and difficult to maintain. They are often highly customized, which .. --------------------------------------------- https://thehackernews.com/2024/08/mirai-botnet-targeting-ofbiz-servers.html ∗∗∗ New Windows Backdoor BITSLOTH Exploits BITS for Stealthy Communication ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered a previously undocumented Windows backdoor that leverages a built-in feature called Background Intelligent Transfer Service (BITS) as a command-and-control (C2) mechanism. The newly identified malware .. --------------------------------------------- https://thehackernews.com/2024/08/new-windows-backdoor-bitsloth-exploits.ht… ∗∗∗ This Week in Security: Echospoofing, Ransomware Records, and Github Attestations ∗∗∗ --------------------------------------------- It’s a bit of bitter irony, when a security product gets used maliciously, to pull off the exact attack it was designed to prevent. Enter Proofpoint, and the .. --------------------------------------------- https://hackaday.com/2024/08/02/this-week-in-security-echospoofing-ransomwa… ∗∗∗ Russland bekommt zwei schwerkriminelle Hacker zurück ∗∗∗ --------------------------------------------- Niemand soll je so viele Menschen finanziell geschädigt haben wie Roman Selesnew. Wladislaw Kljuschin hingegen gilt als Putins Trader und Schrecken der Wall Street --------------------------------------------- https://www.derstandard.at/story/3000000230914/russland-bekommt-zwei-schwer… ∗∗∗ China dismisses Germany’s accusations over cyberattack as ‘targeted defamation’ ∗∗∗ --------------------------------------------- Chinese officials on Thursday responded to accusations from Germany that it was behind an attack on the country’s state cartography agency, calling them “unfounded.” --------------------------------------------- https://therecord.media/china-germany-cyberattack-unfounded ∗∗∗ White House officials meet with allies, industry on connected car risks ∗∗∗ --------------------------------------------- Leaders from the White House and State Department met with representatives from several major allied countries, the European Union and industry leaders Wednesday for what has been billed as the “first multinational meeting” to address the national security risks posed by connected cars. --------------------------------------------- https://therecord.media/white-house-officials-meet-with-nations-industry-co… ∗∗∗ From Evidence to Advantage: Leveraging Incident Response Artifacts for Red Team Engagements ∗∗∗ --------------------------------------------- What is this blog post about? This blog post is about why incident responder artifacts not only play a role on the defensive but also offensive side of cyber security. We are gonna look at some of the usually collected evidences and how they can be valuable to us as red team operators. We .. --------------------------------------------- https://blog.nviso.eu/2024/08/02/from-evidence-to-advantage-leveraging-inci… ∗∗∗ CISA Releases Software Acquisition Guide for Government Enterprise Consumers: Software Assurance in the Cyber-Supply Chain Risk Management (C-SCRM) Lifecycle ∗∗∗ --------------------------------------------- Today, the Cybersecurity and Infrastructure Security Agency (CISA) announced the release of its “Software Acquisition Guide for Government Enterprise Consumers: Software Assurance in the Cyber-Supply Chain .. --------------------------------------------- https://www.cisa.gov/news-events/news/cisa-releases-software-acquisition-gu… ∗∗∗ Panamorfi: A New Discord DDoS Campaign ∗∗∗ --------------------------------------------- Aqua Nautilus researchers uncovered a new Distributed Denial of Service (DDoS) campaign dubbed ‘Panamorfi’, utilizing the Java written minecraft DDoS package - mineping - the threat actor launches a DDoS. Thus far weve only seen it deployed via misconfigured Jupyter notebooks. In this blog we explain about this attack, the techniques used by the threat actor and how to protect your environments. --------------------------------------------- https://blog.aquasec.com/panamorfi-a-new-discord-ddos-campaign ∗∗∗ Unbefugte Zugriffe auf IT-Managementlösung Aruba ClearPass möglich ∗∗∗ --------------------------------------------- Die Entwickler von HPE Aruba Networking haben in ClearPass Policy Manager unter anderem eine kritische Sicherheitslücke geschlossen. --------------------------------------------- https://heise.de/-9821717 ∗∗∗ Bericht: Cyberkriminelle nutzen Cloudflare-Tunnel zur Verbreitung von Malware ∗∗∗ --------------------------------------------- Bisher unbekannte Cyberkriminelle nutzen "TryCloudflare" zur unbehelligten Verbreitung von Malware. Das berichten Sicherheitsexperten. --------------------------------------------- https://heise.de/-9821797 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (chromium), SUSE (docker and patch), and Ubuntu (bind9, gross, linux-azure, linux-azure-4.15, linux-lowlatency-hwe-6.5, and tomcat8, tomcat9). --------------------------------------------- https://lwn.net/Articles/984370/ ∗∗∗ ZDI-24-1042: NoMachine Uncontrolled Search Path Element Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-1042/ ∗∗∗ ZDI-24-1041: Google Chrome Updater DosDevices Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-1041/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.08.2024
by Daily end-of-shift report 01 Aug '24

01 Aug '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 31-07-2024 18:00 − Donnerstag 01-08-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Credit card users get mysterious shopify-charge.com charges ∗∗∗ --------------------------------------------- People worldwide report seeing mysterious $1 or $0 charges from Shopify-charge.com appearing on their credit card bills, even when they did not attempt to purchase anything. [..] BleepingComputer attempted to contact Shopify multiple times but did not receive a reply to our emails. [..] Shopify has recently suffered a third-party data breach at one of its vendors, leading many to think these charges may be related. However, the data exposed in that breach did not contain credit card or payment information. --------------------------------------------- https://www.bleepingcomputer.com/news/security/credit-card-users-get-myster… ∗∗∗ Onyx Sleet uses array of malware to gather intelligence [..] ∗∗∗ --------------------------------------------- First observed by Microsoft in 2014, Onyx Sleet has conducted cyber espionage through numerous campaigns aimed at global targets with the goal of intelligence gathering. More recently, it has expanded its goals to include financial gain. This threat actor operates with an extensive set of custom tools and malware, and regularly evolves its toolset to add new functionality and to evade detection, while keeping a fairly uniform attack pattern. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2024/07/25/onyx-sleet-uses-ar… ∗∗∗ CrowdStrike Is Sued By Shareholders Over Huge Software Outage ∗∗∗ --------------------------------------------- Shareholders have sued CrowdStrike on Tuesday, claiming the cybersecurity company defrauded them by concealing how its inadequate software testing could cause the global software outage earlier this month that crashed millions of computers. --------------------------------------------- https://yro.slashdot.org/story/24/07/31/2233234/crowdstrike-is-sued-by-shar… ∗∗∗ Hackers Distributing Malicious Python Packages via Popular Developer Q&A Platform ∗∗∗ --------------------------------------------- In yet another sign that threat actors are always looking out for new ways to trick users into downloading malware, it has come to light that the question-and-answer (Q&A) platform known as Stack Exchange has been abused to direct unsuspecting developers to bogus Python packages capable of draining their cryptocurrency wallets. --------------------------------------------- https://thehackernews.com/2024/08/hackers-distributing-malicious-python.html ∗∗∗ Mozilla follows Google in losing trust in Entrusts TLS certificates ∗∗∗ --------------------------------------------- A little over a month ago, Google was the first to make the bold step of dropping Entrust as a CA, saying it noted a "pattern of concerning behaviors" from the company. Entrust has apologized to Google, Mozilla, and the wider web community, outlining its plans to regain the trust of browsers, but these appear to be unsatisfactory to both Google and Mozilla. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2024/08/01/mozilla_entr… ∗∗∗ Breaking Barriers and Assumptions: Techniques for Privilege Escalation on Windows: Part 3 ∗∗∗ --------------------------------------------- To wrap up this blog series we wanted to include one more technique that you can use when exploiting this class of vulnerabilities. This technique, introduced to us by Abdelhamid Naceri, becomes useful when you have an on-boot arbitrary delete primitive that you want to transform into an on-demand delete, so that you can escalate using the C:\Config.msi technique. --------------------------------------------- https://www.thezdi.com/blog/2024/7/31/breaking-barriers-and-assumptions-tec… ∗∗∗ Detecting evolving threats: NetSupport RAT campaign ∗∗∗ --------------------------------------------- In this first Deep Dive with NTDR, we explore how defenders can leverage Snort for the detection of evasive malware threats. --------------------------------------------- https://blog.talosintelligence.com/detecting-evolving-threats-netsupport-ra… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- ecurity updates have been issued by Debian (chromium), Fedora (kernel, obs-cef, and xen), Mageia (emacs), Oracle (freeradius, freeradius:3.0, and kernel), Red Hat (emacs, httpd, and kpatch-patch-4_18_0-305_120_1), Slackware (curl), SUSE (apache2, cockpit-wicked, glibc, gnutls, gvfs, less, nghttp2, opensc, python-idna, python-requests, qemu, rpm, tpm2-0-tss, tpm2.0-tools, and unbound), and Ubuntu (clickhouse, exim4, libcommons-collections3-java, linux, linux-aws, linux-kvm, linux-lts-xenial, mysql-8.0, openssl, php-cas, prometheus-alertmanager, and snapd). --------------------------------------------- https://lwn.net/Articles/984212/ ∗∗∗ CISA Releases Nine Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- Johnson Controls, AVTECH, Vonets, Rockwell --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/08/01/cisa-releases-nine-indus… ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (July 22, 2024 to July 28, 2024) ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2024/08/wordfence-intelligence-weekly-wordpr… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 31.07.2024
by Daily end-of-shift report 31 Jul '24

31 Jul '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 30-07-2024 18:00 − Mittwoch 31-07-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Black Basta ransomware switches to more evasive custom malware ∗∗∗ --------------------------------------------- The Black Basta ransomware gang has shown resilience and an ability to adapt to a constantly shifting space, using new custom tools and tactics to evade detection and spread throughout a network. --------------------------------------------- https://www.bleepingcomputer.com/news/security/black-basta-ransomware-switc… ∗∗∗ Fraud ring pushes 600+ fake web shops via Facebook ads ∗∗∗ --------------------------------------------- A malicious fraud campaign dubbed "ERIAKOS" promotes more than 600 fake web shops through Facebook advertisements to steal visitors personal and financial information. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fraud-ring-pushes-600-plus-f… ∗∗∗ Kampf gegen Cyberkriminalität: Spamhaus Project wirft Cloudflare Untätigkeit vor ∗∗∗ --------------------------------------------- Laut Spamhaus macht sich Cloudflare "das Leben leicht", indem es Beschwerden über böswillige Aktivitäten weiterreicht, statt selber Maßnahmen einzuleiten. --------------------------------------------- https://www.golem.de/news/kampf-gegen-cyberkriminalitaet-spamhaus-project-w… ∗∗∗ Apple Patches Everything. July 2024 Edition ∗∗∗ --------------------------------------------- Yesterday, Apple released patches across all of its operating systems. A standalone patch for Safari was released to address WebKit problems in older macOS versions. Apple does not provide CVSS scores or severity ratings. The ratings .. --------------------------------------------- https://isc.sans.edu/forums/diary/Apple+Patches+Everything+July+2024+Editio… ∗∗∗ SYS01 Infostealer and Rilide Malware Likely Developed by the Same Threat Actor ∗∗∗ --------------------------------------------- Drawing on extensive proprietary research, Trustwave SpiderLabs believes the threat actors behind the Facebook malvertising infostealer SYS01 are the same group that developed the previously reported Rilide malware. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/sys01-infos… ∗∗∗ Five months after takedown, LockBit is a shadow of its former self ∗∗∗ --------------------------------------------- An unprecedented period for an unparalleled force in cybercrime Feature For roughly two years, LockBits ransomware operation was by far the most prolific of its kind, until the fateful events of February. After claiming thousands of victims, extorting hundreds of millions of dollars, and building a robust army of sophisticated cybercriminals, the lifes .. --------------------------------------------- https://www.theregister.com/2024/07/31/five_months_after_lockbit/ ∗∗∗ ThreatLabz Ransomware Report: Unveiling a $75M Ransom Payout Amid Rising Attacks ∗∗∗ --------------------------------------------- Ransomware has been a daunting threat to organizations worldwide for decades. Recent trends show that ransomware attacks continue to grow more advanced and persistent. It’s become increasingly clear that no one is spared as cybercriminals carry out attacks that even target the children of corporate executives to force ransom payments. Despite the .. --------------------------------------------- https://www.zscaler.com/blogs/security-research/threatlabz-ransomware-repor… ∗∗∗ Don’t Let Your Domain Name Become a “Sitting Duck” ∗∗∗ --------------------------------------------- More than a million domain names -- including many registered by Fortune 100 firms and brand protection companies -- are vulnerable to takeover by cybercriminals thanks to authentication weaknesses at a number of large web hosting providers and domain registrars, new research finds. --------------------------------------------- https://krebsonsecurity.com/2024/07/dont-let-your-domain-name-become-a-sitt… ∗∗∗ Deutschland bestellt chinesischen Botschafter wegen Cyberangriff ein ∗∗∗ --------------------------------------------- Die Attacke ereignete sich im Jahr 2021 und kann laut Nachrichtendiensten chinesischen staatlichen Akteuren zugeordnet werden --------------------------------------------- https://www.derstandard.at/story/3000000230669/deutschland-bestellt-chinesi… ∗∗∗ DigiCert Certificate Revocations ∗∗∗ --------------------------------------------- DigiCert, a certificate authority (CA) organization, is revoking a subset of transport layer security (TLS) certificates due to a non-compliance issue with domain control verification (DCV). Revocation of these certificates may cause temporary disruptions to websites, services, and applications relying on these certificates for secure .. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/07/30/digicert-certificate-rev… ∗∗∗ Cyber-Angriff und Bug Ursache des Microsoft Cloud-Ausfalls vom 30.7.2024 ∗∗∗ --------------------------------------------- Am 30. Juli 2024 kam es weltweit zu einem partiellen Ausfall der Microsoft Cloud-Dienste (Azure, Microsoft 365 etc.). Ich hatte berichtet – aber nicht alle Nutzer waren betroffen. Nun hat Microsoft einen Post Incident-Report vorgelegt .. --------------------------------------------- https://www.borncity.com/blog/2024/07/31/cyber-angriff-und-bug-ursache-des-… ∗∗∗ Moderne Sklaverei: Mann monatelang festgehalten und zu Online-Betrug gezwungen ∗∗∗ --------------------------------------------- Ein IT-Spezialist wurde monatelang unter Folter dazu gezwungen, sich als eine reiche Frau aus Singapur auszugeben. Das berichtet das Wall Street Journal. --------------------------------------------- https://heise.de/-9818990 ∗∗∗ Statt "schalke04" und "1234": Passkeys werden immer beliebter ∗∗∗ --------------------------------------------- Die passwortlose Authentifizierung etabliert sich, wie aktuelle Zahlen nahelegen. Insbesondere Kunden bei Amazon, eBay und Co. setzen Passkeys inzwischen ein. --------------------------------------------- https://heise.de/-9819866 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (xdg-desktop-portal-hyprland), Red Hat (freeradius, freeradius:3.0, git-lfs, httpd, kernel, openssh, and varnish:6), SUSE (cdi-apiserver-container, cdi-cloner-container, cdi- controller-container, cdi-importer-container, cdi-operator-container, cdi- uploadproxy-container, cdi-uploadserver-container, cont, .. --------------------------------------------- https://lwn.net/Articles/984080/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.07.2024
by Daily end-of-shift report 30 Jul '24

30 Jul '24

===================== = End-of-Day report = ===================== Timeframe: Montag 29-07-2024 18:00 − Dienstag 30-07-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ New Specula tool uses Outlook for remote code execution in Windows ∗∗∗ --------------------------------------------- Microsoft Outlook can be turned into a C2 beacon to remotely execute code, as demonstrated by a new red team post-exploitation framework named "Specula," released today by cybersecurity firm TrustedSec. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-specula-tool-uses-outloo… ∗∗∗ DigiCert mass-revoking TLS certificates due to domain validation bug ∗∗∗ --------------------------------------------- DigiCert is warning that it will be mass-revoking SSL/TLS certificates due to a bug in how the company verified if a customer owned or operated a domain and requires impacted customers to reissue certificates within 24 hours. --------------------------------------------- https://www.bleepingcomputer.com/news/security/digicert-mass-revoking-tls-c… ∗∗∗ Post-CrowdStrike, Microsoft to discourage use of kernel drivers by security tools ∗∗∗ --------------------------------------------- Microsoft has vowed to reduce cybersecurity vendors' reliance on kernel-mode code, which was at the heart of the CrowdStrike super-snafu this month. --------------------------------------------- https://www.theregister.com/2024/07/29/microsoft_crowdstrike_kernel_mode/ ∗∗∗ Vorsicht vor plötzlichen Erbschaften ∗∗∗ --------------------------------------------- Eine unbekannte Person kontaktiert Sie per E-Mail oder über Soziale Netzwerke. Sie stellt sich beispielsweise als „Gouverneur der Bank von Thailand“ vor und behauptet, dass Sie eine große Summe Geld erben werden. Um glaubwürdig zu wirken, schickt die Person als Beweis Ausweiskopien, Zertifikate und KI-generierte Videobotschaften. Ignorieren Sie solche Nachrichten, es handelt sich um Betrug! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-ploetzlichen-erbschafte… ∗∗∗ Deep Sea Phishing Pt. 2 ∗∗∗ --------------------------------------------- I wanted to write this blog about several good techniques for endpoint detection and response (EDR) evasion; however, as I was writing about how to evade EDRs, I was hit with an epiphany: “EDR evasion is all about looking like legitimate software” — ph3eds, 2024 --------------------------------------------- https://posts.specterops.io/deep-sea-phishing-pt-2-29c48f1e214e?source=rss-… ∗∗∗ Breaking Barriers and Assumptions: Techniques for Privilege Escalation on Windows: Part 1 ∗∗∗ --------------------------------------------- In this blog series, we will discuss two additional techniques that take advantage of legacy functionality within Windows and provide various examples through the over 20 vulnerabilities that we found. We will also address some failures despite efforts and explanations from our side with various vendors. --------------------------------------------- https://www.thezdi.com/blog/2024/7/29/breaking-barriers-and-assumptions-tec… ∗∗∗ Hacker Scrapes and Publishes 100,000-Line CrowdStrike IoC List ∗∗∗ --------------------------------------------- USDoD hacker scrapes and leaks a 100,000-line Indicator of Compromise (IoC) list from CrowdStrike, revealing detailed threat intelligence data. The leak, posted on Breach Forums, includes critical insights into the Mispadu malware and SAMBASPIDER threat actor. --------------------------------------------- https://hackread.com/hacker-scrapes-publishes-crowdstrike-ioc-list/ ∗∗∗ Dont RegreSSH An Anti-Pavlovian Approach to Celebrity Vulns ∗∗∗ --------------------------------------------- Before Crowdstrike caused the world to melt down for a few days, the talk of the security town was a recent OpenSSH vulnerability. Lets revisit CVE-2024-6387. --------------------------------------------- https://www.bitsight.com/blog/dont-regressh-anti-pavlovian-approach-celebri… ===================== = Vulnerabilities = ===================== ∗∗∗ Kritische Sicherheitslücke in VMware ESXi - aktiv ausgenutzt - Update verfügbar ∗∗∗ --------------------------------------------- Sicherheitsforscher:innen von Microsoft haben eine kritische Sicherheitslücke in VMware ESXi entdeckt, deren Ausnutzung es Angreifer:innen ermöglicht die vollständige Kontrolle über einen von der Schwachstelle betroffenen Hypervisor zu übernehmen. Die Lücke wird bereits aktiv für Ransomware-Angriffe missbraucht. CVE-Nummer(n): CVE-2024-37085 --------------------------------------------- https://www.cert.at/de/warnungen/2024/7/kritische-sicherheitslucke-in-vmwar… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (curl), Mageia (virtualbox), Oracle (squid), Red Hat (kernel), SUSE (apache2, bind, cdi-apiserver-container, cdi-cloner-container, cdi- controller-container, cdi-importer-container, cdi-operator-container, cdi- uploadproxy-container, cdi-uploadserver-container, devscripts, espeak-ng, freerdp, ghostscript, gnome-shell, gtk2, gtk3, java-11-openjdk, java-17-openjdk, kubevirt, libgit2, openssl-3, orc, p7zip, python-dnspython, and shadow), and Ubuntu (kernel, linux, linux-aws, linux-aws-hwe, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux, linux-aws, linux-gcp, linux-gke, linux-ibm, linux-nvidia, linux-oem-6.8, linux-raspi, linux, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-raspi, linux-xilinx-zynqmp, linux-aws, linux-aws-5.4, linux-aws-5.15, linux-ibm, linux-ibm-5.15, linux-raspi, linux-gcp-5.15, and linux-lowlatency). --------------------------------------------- https://lwn.net/Articles/983935/ ∗∗∗ WordPress Vulnerability & Patch Roundup July 2024 ∗∗∗ --------------------------------------------- https://blog.sucuri.net/2024/07/wordpress-vulnerability-patch-roundup-july-… ∗∗∗ ManageEngine (Exchange Reporter Plus, Exchange Reporter Plus) Family July 2024 Security Update Advisory ∗∗∗ --------------------------------------------- https://asec.ahnlab.com/en/80826/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.07.2024
by Daily end-of-shift report 29 Jul '24

29 Jul '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 26-07-2024 18:00 − Montag 29-07-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Mehr als 3.000 Hotels betroffen: API-Lücke lässt Angreifer Hoteltüren öffnen ∗∗∗ --------------------------------------------- In vielen Hotels können Gäste heute per Smartphone einchecken und die Türen der gebuchten Zimmer öffnen. Eine API-Schwachstelle zeigt, wie schnell das zum Problem werden kann. --------------------------------------------- https://www.golem.de/news/mehr-als-3-000-hotels-betroffen-api-luecke-laesst… ∗∗∗ Sicherheitslücke: Whatsapp für Windows führt Skripte ohne Warnung aus ∗∗∗ --------------------------------------------- In der Regel blockiert Whatsapp das Öffnen ausführbarer Dateien direkt aus dem Chat heraus. Bei Python- und PHP-Skripten ist das offenkundig nicht der Fall. [..] Ein Patch ist vorerst nicht zu erwarten, so dass Nutzer achtsam bleiben sollten. --------------------------------------------- https://www.golem.de/news/sicherheitsluecke-whatsapp-fuer-windows-fuehrt-sk… ∗∗∗ Mandrake spyware sneaks onto Google Play again, flying under the radar for two years ∗∗∗ --------------------------------------------- Mandrake spyware threat actors resume attacks with new functionality targeting Android devices while being publicly available on Google Play. --------------------------------------------- https://securelist.com/mandrake-apps-return-to-google-play/113147/ ∗∗∗ Create Your Own BSOD: NotMyFault, (Sat, Jul 27th) ∗∗∗ --------------------------------------------- With all the Blue Screen Of Death screenshots we saw lately, I got the idea to write about Sysinternals' tool NotMyFault. --------------------------------------------- https://isc.sans.edu/diary/rss/31120 ∗∗∗ CrowdStrike Outage Themed Maldoc, (Mon, Jul 29th) ∗∗∗ --------------------------------------------- I found a malicious Word document with VBA code using the CrowdStrike outage for social engineering purposes. It's an .ASD file (AutoRecover file). --------------------------------------------- https://isc.sans.edu/diary/rss/31116 ∗∗∗ Proofpoint Email Routing Flaw Exploited to Send Millions of Spoofed Phishing Emails ∗∗∗ --------------------------------------------- An unknown threat actor has been linked to a massive scam campaign that exploited an email routing misconfiguration in email security vendor Proofpoints defenses to send millions of messages spoofing various legitimate companies. --------------------------------------------- https://thehackernews.com/2024/07/proofpoint-email-routing-flaw-exploited.h… ∗∗∗ Millions of Websites Susceptible XSS Attack via OAuth Implementation Flaw ∗∗∗ --------------------------------------------- Researchers discovered and published details of an XSS attack that could potentially impact millions of websites around the world. --------------------------------------------- https://www.securityweek.com/millions-of-websites-susceptible-xss-attack-vi… ∗∗∗ CISA Adds Three Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CVE-2024-4879 ServiceNow Improper Input Validation Vulnerability, CVE-2024-5217 ServiceNow Incomplete List of Disallowed Inputs Vulnerability, CVE-2023-45249 Acronis Cyber Infrastructure (ACI) Insecure Default Password Vulnerability --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/07/29/cisa-adds-three-known-ex… ∗∗∗ Angreifer nutzen Schadcode-Lücke in Acronis Cyber Infrastructure aus ∗∗∗ --------------------------------------------- In mehreren aktualisierten Versionen von Acronis Cyber Infrastructure haben die Entwickler eine kritische Lücke geschlossen. --------------------------------------------- https://heise.de/-9816667 ===================== = Vulnerabilities = ===================== ∗∗∗ Wiedergabe reicht aus: MacOS-Lücke ermöglicht Schadcode-Attacke per Video ∗∗∗ --------------------------------------------- Das Abspielen eines Videos im Browser oder einer anderen Anwendung reicht aus, um sich unter MacOS eine Malware einzufangen. Ursache ist eine Lücke in einem Videodecoder. --------------------------------------------- https://www.golem.de/news/wiedergabe-reicht-aus-macos-luecke-ermoeglicht-sc… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (java-11-openjdk), Debian (bind9), Fedora (darkhttpd, mod_http2, and python-scrapy), Red Hat (python3.11, rhc-worker-script, and thunderbird), SUSE (assimp, gh, opera, python-Django, and python-nltk), and Ubuntu (edk2, linux, linux-aws, linux-gcp, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-nvidia-6.5, linux-oracle, linux-raspi, and lua5.4). --------------------------------------------- https://lwn.net/Articles/983816/ ∗∗∗ Sicherheitsupdate schützt SolarWinds Platform vor möglichen Attacken ∗∗∗ --------------------------------------------- Angreifer können die IT-Verwaltungssoftware SolarWinds Platform attackieren. Die Entwickler haben mehrere Schwachstellen geschlossen. [..] Aus den Details zur Version 2024.2.1 geht hervor, dass eine Lücke (CVE-2022-37601) in webpack.js als "kritisch" gilt. Hier können Angreifer auf einem nicht näher beschriebenen Weg eigenen Code ausführen. --------------------------------------------- https://heise.de/-9816342 ∗∗∗ ABB: 2024-07-26: Cyber Security Advisory - CODESYS OPC DA Server 3.5 Insecure storage of passwords ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=3ADR011267&Language… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.07.2024
by Daily end-of-shift report 26 Jul '24

26 Jul '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 25-07-2024 18:00 − Freitag 26-07-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ Mit Test-Key für Secure Boot: PC-Hersteller liefern unsichere UEFI-Firmware aus ∗∗∗ --------------------------------------------- Betroffen sind angeblich fast 900 verschiedene Systeme namhafter Hersteller wie Lenovo, Dell und HP. Anfällige Firmwares reichen zurück bis ins Jahr 2012. --------------------------------------------- https://www.golem.de/news/mit-test-key-fuer-secure-boot-pc-hersteller-liefe… ∗∗∗ Forscher warnen: Daten aus gelöschten und privaten Github-Repos frei abrufbar ∗∗∗ --------------------------------------------- Github-Repositories enthalten nicht selten sensible Daten. Ein Repo zu löschen oder auf privat zu stellen, schützt aber nicht immer vor einem Fremdzugriff. --------------------------------------------- https://www.golem.de/news/forscher-warnen-daten-aus-geloeschten-und-private… ∗∗∗ ExelaStealer Delivered "From Russia With Love" ∗∗∗ --------------------------------------------- Some simple PowerShell scripts might deliver nasty content if executed by the target. I found a very simple .. --------------------------------------------- https://isc.sans.edu/diary/ExelaStealer+Delivered+From+Russia+With+Love/311… ∗∗∗ Ongoing Cyberattack Targets Exposed Selenium Grid Services for Crypto Mining ∗∗∗ --------------------------------------------- Cybersecurity researchers are sounding the alarm over an ongoing campaign that is leveraging internet-exposed Selenium Grid services for illicit cryptocurrency mining.Cloud security Wiz is tracking the activity under the name .. --------------------------------------------- https://thehackernews.com/2024/07/ongoing-cyberattack-targets-exposed.html ∗∗∗ Zahlreiche Fake-Shops geben sich als Lidl aus ∗∗∗ --------------------------------------------- Kriminelle registrieren aktuell zahlreiche Fake-Shops, die den Namen und das Logo des Supermarkt-Discounters Lidl missbrauchen. Mit zeitlich begrenzten Angeboten werden die Opfer unter Druck gesetzt. Doch wer hier bestellt, verliert sein Geld und erhält keine Ware. --------------------------------------------- https://www.watchlist-internet.at/news/zahlreiche-fake-shops-geben-sich-als… ∗∗∗ Scam Attacks Taking Advantage of the Popularity of the Generative AI Wave ∗∗∗ --------------------------------------------- A direct correlation between GenAI’s explosive popularity and scam attacks is addressed in this article, using plentiful data and a case study of network abuse. --------------------------------------------- https://unit42.paloaltonetworks.com/cybersquatting-using-genai-keywords/ ∗∗∗ France launches large-scale operation to fight cyber spying ahead of Olympics ∗∗∗ --------------------------------------------- French authorities launched a major operation to clean the country’s computer systems of malware believed to have affected several thousand users, “particularly for espionage purposes,” Paris’s top prosecutor announced shortly before the start of the Olympics. --------------------------------------------- https://therecord.media/france-combat-cyber-spying-operation-olympics ∗∗∗ LummaC2 Malware Abusing the Game Platform ‘Steam’ ∗∗∗ --------------------------------------------- LummaC2 is an Infostealer that is being actively distributed, disguised as illegal programs (e.g. cracks, keygens, and game hacking programs) available from distribution websites, YouTube, and LinkedIn using the SEO poisoning technique. Recently, it has also been distributed via search engine ads, posing as web pages of Notion, Slack, .. --------------------------------------------- https://asec.ahnlab.com/en/68309/ ∗∗∗ Weiterer EU-Abgeordneter im Fokus Cyberkrimineller ∗∗∗ --------------------------------------------- Der deutsche EU-Parlamentarier Daniel Freund (Grüne) war zwei Wochen vor der Europawahl Ziel einer versuchten Ausspähung mit dem Staatstrojaner Candiru. --------------------------------------------- https://heise.de/-9813814 ∗∗∗ Jetzt patchen!: Angreifer attackieren Now Platform von ServiceNow ∗∗∗ --------------------------------------------- Die Cloud Computing Plattform von ServiceNow ist derzeit im Visier von Angreifern und sie nutzen kritische Sicherheitslücken aus. --------------------------------------------- https://heise.de/-9814238 ===================== = Vulnerabilities = ===================== ∗∗∗ ORC vulnerable to stack-based buffer overflow ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN02030803/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- https://lwn.net/Articles/983523/ ∗∗∗ CVE-2024-6922: Automation Anywhere Automation 360 Server-Side Request Forgery ∗∗∗ --------------------------------------------- https://www.rapid7.com/blog/post/2024/07/26/cve-2024-6922-automation-anywhe… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.07.2024
by Daily end-of-shift report 25 Jul '24

25 Jul '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 24-07-2024 18:00 − Donnerstag 25-07-2024 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ KnowBe4 mistakenly hires North Korean hacker, faces infostealer attack ∗∗∗ --------------------------------------------- American cybersecurity company KnowBe4 says a person it recently hired as a Principal Software Engineer turned out to be a North Korean state actor who attempted to install information-stealing on its devices. --------------------------------------------- https://www.bleepingcomputer.com/news/security/knowbe4-mistakenly-hires-nor… ∗∗∗ French police push PlugX malware self-destruct payload to clean PCs ∗∗∗ --------------------------------------------- The French police and Europol are pushing out a "disinfection solution" that automatically removes the PlugX malware from infected devices in France. --------------------------------------------- https://www.bleepingcomputer.com/news/security/french-police-push-plugx-mal… ∗∗∗ How a cheap barcode scanner helped fix CrowdStriked Windows PCs in a flash ∗∗∗ --------------------------------------------- Not long after Windows PCs and servers at the Australian limb of audit and tax advisory Grant Thornton started BSODing last Friday, senior systems engineer Rob Woltz remembered a small but important fact: When PCs boot, they consider barcode scanners no differently to keyboards. --------------------------------------------- https://www.theregister.com/2024/07/25/crowdstrike_remediation_with_barcode… ∗∗∗ XWorm Hidden With Process Hollowing ∗∗∗ --------------------------------------------- XWorm is not a brand-new malware family. Its a common RAT (Remote Access Tool) re-use regularly in new campaigns. Yesterday, I found a sample that behaves like a dropper and runs the malware using the Process Hollowing technique. --------------------------------------------- https://isc.sans.edu/diary/rss/31112 ∗∗∗ Kriminelle werben mit Fake-Profilen von Finanzexperten für betrügerische Investmentplattformen ∗∗∗ --------------------------------------------- Der österreichische Finanzjournalist und Unternehmer Niko Jilch betreibt verschiedene Informationskanäle zu Finanzen, Geldanlage und Bitcoin. Seine Reichweite und Bekanntheit nutzen mittlerweile aber auch Kriminelle, um Privatanleger:innen auf betrügerische Investmentplattformen zu locken. --------------------------------------------- https://www.watchlist-internet.at/news/kriminelle-werben-mit-fake-profilen-… ===================== = Vulnerabilities = ===================== ∗∗∗ Progress warns of critical RCE bug in Telerik Report Server ∗∗∗ --------------------------------------------- Progress Software has warned customers to patch a critical remote code execution security flaw in the Telerik Report Server that can be used to compromise vulnerable devices. --------------------------------------------- https://www.bleepingcomputer.com/news/security/progress-warns-of-critical-r… ∗∗∗ Container angreifbar: Docker muss kritische Schwachstelle von 2019 erneut patchen ∗∗∗ --------------------------------------------- Docker hatte die Lücke längst geschlossen. Nur Monate später flog der Patch aber wieder raus. Die Docker Engine ist damit fünf Jahre lang angreifbar gewesen. --------------------------------------------- https://www.golem.de/news/container-angreifbar-docker-muss-kritische-schwac… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (containernetworking-plugins, cups, edk2, httpd, httpd:2.4, libreoffice, libuv, libvirt, python3, and runc), Fedora (exim, python-zipp, xdg-desktop-portal-hyprland, and xmedcon), Red Hat (cups, fence-agents, freeradius, freeradius:3.0, httpd:2.4, kernel, kernel-rt, nodejs:18, podman, and resource-agents), Slackware (htdig and libxml2), SUSE (exim), and Ubuntu (ocsinventory-server, php-cas, and poppler). --------------------------------------------- https://lwn.net/Articles/983328/ ∗∗∗ Nvidia Patches High-Severity Vulnerabilities in AI, Networking Products ∗∗∗ --------------------------------------------- Nvidia has patched high-severity vulnerabilities in its Jetson, Mellanox OS, OnyX, Skyway, and MetroX products. --------------------------------------------- https://www.securityweek.com/nvidia-patches-high-severity-vulnerabilities-i… ∗∗∗ Sicherheitsupdates: Aruba EdgeConnect SD-WAN vielfältig attackierbar ∗∗∗ --------------------------------------------- Die Entwickler von HPE haben in Arubas SD-WAN-Lösung EdgeConnect mehrere gefährliche Sicherheitslücken geschlossen. --------------------------------------------- https://heise.de/-9813256 ∗∗∗ Positron Broadcast Signal Processor ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-207-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.07.2024
by Daily end-of-shift report 24 Jul '24

24 Jul '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 23-07-2024 18:00 − Mittwoch 24-07-2024 18:00 Handler: Alexander Riepl Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ BreachForums v1 hacking forum data leak exposes members’ info ∗∗∗ --------------------------------------------- The private member information of the BreachForums v1 hacking forum from 2022 has been leaked online, allowing threat actors and researchers to gain insight into its users. --------------------------------------------- https://www.bleepingcomputer.com/news/security/breachforums-v1-hacking-foru… ∗∗∗ SocGholish: Fake update puts visitors at risk ∗∗∗ --------------------------------------------- The SocGholish downloader has been a favourite of several cybercrime groups since 2017. It delivers a payload that poses as a browser update. As any piece of malware, it undergoes an evolutionary process. We have taken a look at the latest developments, which targets Wordpress based websites. --------------------------------------------- https://www.gdatasoftware.com/blog/2024/07/37976-socgholish-fake-update ∗∗∗ Update-Panne bei Microsoft: Windows-Update erfordert Eingabe des Bitlocker-Keys ∗∗∗ --------------------------------------------- Das jüngste Sicherheitsupdate für Windows 10, 11 und gängige Windows-Server-Versionen führt dazu, dass einige Systeme ohne Bitlocker-Key nicht mehr starten. --------------------------------------------- https://www.golem.de/news/update-panne-bei-microsoft-windows-update-erforde… ∗∗∗ NIS-2-Richtlinie: Kabinett beschließt strengere Regeln für Cybersicherheit ∗∗∗ --------------------------------------------- Fast 30.000 Firmen in Deutschland müssen künftig die Sicherheitsvorgaben nach der NIS-2-Richtlinie umsetzen. --------------------------------------------- https://www.golem.de/news/nis-2-richtlinie-kabinett-beschliesst-strengere-r… ∗∗∗ New Exploit Variation Against D-Link NAS Devices (CVE-2024-3273) ∗∗∗ --------------------------------------------- In April, an OS command injection vulnerability in various D-Link NAS devices was made public. The vulnerability, %%CVE:2024-3273%% was exploited soon after it became public. Many of the affected devices are no longer supported. --------------------------------------------- https://isc.sans.edu/diary/New+Exploit+Variation+Against+DLink+NAS+Devices+… ∗∗∗ Forget security – Googles reCAPTCHA v2 is exploiting users for profit ∗∗∗ --------------------------------------------- Web puzzles dont protect against bots, but humans have spent 819 million unpaid hours solving them Google promotes its reCAPTCHA service as a security mechanism for websites, but researchers affiliated with the University of California, Irvine, argue its harvesting information while extracting human .. --------------------------------------------- https://www.theregister.com/2024/07/24/googles_recaptchav2_labor/ ∗∗∗ A Hacker ‘Ghost’ Network Is Quietly Spreading Malware on GitHub ∗∗∗ --------------------------------------------- Cybersecurity researchers have spotted a 3,000-account network on GitHub that is manipulating the platform and spreading ransomware and info stealers. --------------------------------------------- https://www.wired.com/story/github-malware-spreading-network-stargazer-gobl… ∗∗∗ Siemens Patches Power Grid Product Flaw Allowing Backdoor Deployment ∗∗∗ --------------------------------------------- Siemens has released out-of-band updates to patch two potentially serious vulnerabilities in products used in energy supply. --------------------------------------------- https://www.securityweek.com/siemens-patches-power-grid-product-flaw-allowi… ∗∗∗ New legislation will help counter the cyber threat to our essential services ∗∗∗ --------------------------------------------- The announcement of the Cyber Security and Resilience Bill is a landmark moment in tackling the growing threat to the UKs critical systems. --------------------------------------------- https://www.ncsc.gov.uk/blog-post/legislation-help-counter-cyber-threat-cni ∗∗∗ Malware Campaign Lures Users With Fake W2 Form ∗∗∗ --------------------------------------------- Rapid7 has recently observed an ongoing campaign targeting users searching for W2 forms using the Microsoft search engine Bing. --------------------------------------------- https://www.rapid7.com/blog/post/2024/07/24/malware-campaign-lures-users-wi… ===================== = Vulnerabilities = ===================== ∗∗∗ ISC Releases Security Advisories for BIND 9 ∗∗∗ --------------------------------------------- The Internet Systems Consortium (ISC) released security advisories to address vulnerabilities affecting multiple versions of ISC’s Berkeley Internet Name Domain (BIND) 9. A cyber threat actor could exploit one of these vulnerabilities to cause a denial-of-service condition. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/07/24/isc-releases-security-ad… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.07.2024
by Daily end-of-shift report 23 Jul '24

23 Jul '24

===================== = End-of-Day report = ===================== Timeframe: Montag 22-07-2024 18:00 − Dienstag 23-07-2024 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ US-Ausschuss lädt ein: Crowdstrike-CEO soll für IT-Panne Rede und Antwort stehen ∗∗∗ --------------------------------------------- Millionen von Windows-PCs konnten am Freitag plötzlich nicht mehr starten. Der Heimatschutzausschuss des US-Repräsentantenhauses will genau wissen, wie es dazu kam. --------------------------------------------- https://www.golem.de/news/us-ausschuss-laedt-ein-crowdstrike-ceo-soll-fuer-… ∗∗∗ Ukrainian Institutions Targeted Using HATVIBE and CHERRYSPY Malware ∗∗∗ --------------------------------------------- The Computer Emergency Response Team of Ukraine (CERT-UA) has alerted of a spear-phishing campaign targeting a scientific research institution in the country with malware known as HATVIBE and CHERRYSPY. --------------------------------------------- https://thehackernews.com/2024/07/ukrainian-institutions-targeted-using.html ∗∗∗ Law Enforcement Disrupts DDoS-for-Hire Service DigitalStress ∗∗∗ --------------------------------------------- Authorities in the UK infiltrated and disrupted the DDoS-for-hire service DigitalStress, and one suspect was arrested. --------------------------------------------- https://www.securityweek.com/law-enforcement-disrupts-ddos-for-hire-service… ∗∗∗ FrostyGoop ICS Malware Left Ukrainian City’s Residents Without Heating ∗∗∗ --------------------------------------------- The FrostyGoop ICS malware was used recently in an attack against a Ukrainian energy firm that resulted in loss of heating for many buildings. --------------------------------------------- https://www.securityweek.com/frostygoop-ics-malware-left-ukrainian-citys-re… ∗∗∗ Kriminelle nutzen weltweite IT-Ausfälle für Betrugsmaschen ∗∗∗ --------------------------------------------- Vorsicht, wenn Sie Anrufe oder E-Mails im Namen von Crowdstrike oder Microsoft erhalten. Die weltweiten IT-Ausfälle, die durch Crowdstrike verursacht wurden, werden nun von Kriminellen als Vorwand für verschiedene Betrugsmaschen genutzt. --------------------------------------------- https://www.watchlist-internet.at/news/kriminelle-nutzen-weltweite-it-ausfa… ∗∗∗ Vorsicht vor gefälschten Anfragen im Namen der PORR ∗∗∗ --------------------------------------------- Kriminelle geben sich als Firma PORR aus und versenden betrügerische E-Mail-Anfragen. Sie werden gebeten, ein Angebot zu stellen und dazu die Ausschreibungsunterlagen auf www.ausschreibungen-porr.at zu verwenden. Dieser Link führt jedoch zu einem gefälschten Ondrive-Ordner! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-gefaelschten-anfragen-i… ∗∗∗ Vulnerabilities in LangChain Gen AI ∗∗∗ --------------------------------------------- This article is a detailed study of CVE-2023-46229 and CVE-2023-44467, two vulnerabilities discovered by our researchers affecting generative AI framework LangChain. --------------------------------------------- https://unit42.paloaltonetworks.com/langchain-vulnerabilities/ ∗∗∗ Daggerfly: Espionage Group Makes Major Update to Toolset ∗∗∗ --------------------------------------------- APT group appears to be using a shared framework to create Windows, Linux, macOS, and Android threats. --------------------------------------------- https://symantec-enterprise-blogs.security.com/threat-intelligence/daggerfl… ∗∗∗ Learning from the Recent Windows/Falcon Sensor Outage: Causes and Potential Improvement Strategies in Linux Using Open Source Solutions ∗∗∗ --------------------------------------------- How can a configuration file crash an OS? Because the real issue is not the configuration file itself, but the kernel driver using it. Let’s take a quick, non-technical tour of the potential reasons behind this situation, how it is addressed in the Linux kernel, and what you as users or customers can do to avoid such issues. --------------------------------------------- https://www.circl.lu/pub/learning-from-falcon-sensor-outage/ ∗∗∗ Exploiting CVE-2024-21412: A Stealer Campaign Unleashed ∗∗∗ --------------------------------------------- FortiGuard Labs has observed a stealer campaign spreading multiple files that exploit CVE-2024-21412 to download malicious executable files. --------------------------------------------- https://www.fortinet.com/blog/threat-research/exploiting-cve-2024-21412-ste… ∗∗∗ So nicht: Wie sich ein Netzbetreiber in den Totalausfall manövriert hat ∗∗∗ --------------------------------------------- 26 Stunden lang sind die Kunden eines großen Netzbetreibers offline. Damit auch Notruf, Banken, Kassen. 2 Jahre später wird deutlich, was schiefgelaufen ist. --------------------------------------------- https://heise.de/-9808767 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (gtk3 and jpegxl), Red Hat (kpatch-patch and thunderbird), SUSE (apache2, git, gnome-shell, java-11-openjdk, java-21-openjdk, kernel, kernel-firmware, kernel-firmware-nvidia-gspx-G06, libgit2, mozilla-nss, nodejs20, python-Django, and python312), and Ubuntu (linux-aws, linux-aws, linux-aws-5.4, linux-iot, linux-aws-5.15, pymongo, and ruby-rack). --------------------------------------------- https://lwn.net/Articles/982939/ ∗∗∗ Software-Distributionssystem TeamCity erinnert sich an gelöschte Zugangstoken ∗∗∗ --------------------------------------------- Angreifer können an sechs mittlerweile geschlossenen Sicherheitslücken in JetBrain TeamCity ansetzen. --------------------------------------------- https://heise.de/-9810746 ∗∗∗ 10,000 WordPress Sites Affected by High Severity Vulnerabilities in BookingPress WordPress Plugin ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2024/07/10000-wordpress-sites-affected-by-hi… ∗∗∗ National Instruments IO Trace ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-205-01 ∗∗∗ RADIUS Protocol Forgery Vulnerability (Blast-RADIUS) ∗∗∗ --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0014 ∗∗∗ Hitachi Energy AFS/AFR Series Products ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-205-02 ∗∗∗ National Instruments LabVIEW ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-205-03 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.07.2024
by Daily end-of-shift report 22 Jul '24

22 Jul '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 19-07-2024 18:00 − Montag 22-07-2024 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Attackers Abuse Swap File to Steal Credit Cards ∗∗∗ --------------------------------------------- Bad actors exploited the humble swap file to maintain a persistent credit card skimmer on a Magento e-commerce site. This clever tactic allowed the malware to survive multiple cleanup attempts. --------------------------------------------- https://blog.sucuri.net/2024/07/attackers-abuse-swap-file-to-steal-credit-c… ∗∗∗ Cybercriminals Exploit CrowdStrike Update Mishap to Distribute Remcos RAT Malware ∗∗∗ --------------------------------------------- Cybersecurity firm CrowdStrike, which is facing the heat for causing worldwide IT disruptions by pushing out a flawed update to Windows devices, is now warning that threat actors are exploiting the situation to distribute Remcos RAT to its customers in Latin America under the guise of providing a hotfix. --------------------------------------------- https://thehackernews.com/2024/07/cybercriminals-exploit-crowdstrike.html ∗∗∗ SocGholish Malware Exploits BOINC Project for Covert Cyberattacks ∗∗∗ --------------------------------------------- The JavaScript downloader malware known as SocGholish (aka FakeUpdates) is being used to deliver a remote access trojan called AsyncRAT as well as a legitimate open-source project called BOINC. --------------------------------------------- https://thehackernews.com/2024/07/socgholish-malware-exploits-boinc.html ∗∗∗ PINEAPPLE and FLUXROOT Hacker Groups Abuse Google Cloud for Credential Phishing ∗∗∗ --------------------------------------------- A Latin America (LATAM)-based financially motivated actor codenamed FLUXROOT has been observed leveraging Google Cloud serverless projects to orchestrate credential phishing activity, highlighting the abuse of the cloud computing model for malicious purposes. --------------------------------------------- https://thehackernews.com/2024/07/pineapple-and-fluxroot-hacker-groups.html ∗∗∗ From RA Group to RA World: Evolution of a Ransomware Group ∗∗∗ --------------------------------------------- Ransomware gang RA World rebranded from RA Group. We discuss their updated tactics from leak site changes to an analysis of their operational tools. --------------------------------------------- https://unit42.paloaltonetworks.com/ra-world-ransomware-group-updates-tool-… ∗∗∗ Addressing CrowdStrike on Cloud VMs in AWS with Automated Remediation ∗∗∗ --------------------------------------------- Published guidance instructs administrators to reboot the machine in Safe Mode, delete a specific file, and reboot back to normal mode. Obviously, this isn’t a viable resolution on virtual machines hosted in the public cloud as there is no way to get to Safe Mode. --------------------------------------------- https://orca.security/resources/blog/crowdstrike-cloud-vm-automated-remedia… ∗∗∗ Crowdstrike-Ausfälle: Microsoft veröffentlicht Wiederherstellungstool ∗∗∗ --------------------------------------------- Microsoft hat ein Image für USB-Sticks veröffentlicht, mit dem sich betroffene Systeme wiederherstellen lassen. Vorausgesetzt, man hat den BitLocker-Key. --------------------------------------------- https://heise.de/-9808481 ===================== = Vulnerabilities = ===================== ∗∗∗ Telegram zero-day allowed sending malicious Android APKs as videos ∗∗∗ --------------------------------------------- A Telegram for Android zero-day vulnerability dubbed EvilVideo allowed attackers to send malicious Android APK payloads disguised as video files. --------------------------------------------- https://www.bleepingcomputer.com/news/security/telegram-zero-day-allowed-se… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (botan2, chromium, ffmpeg, fluent-bit, gtk3, httpd, suricata, tcpreplay, and thunderbird), Mageia (apache, chromium-browser-stable, libfm & libfm-qt, and thunderbird), Oracle (firefox, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-21-openjdk, kernel, libndp, qt5-qtbase, ruby, skopeo, thunderbird, and virt:ol and virt-devel:rhel), Red Hat (containernetworking-plugins, firefox, libndp, qt5-qtbase, and thunderbird), SUSE (caddy,[...] --------------------------------------------- https://lwn.net/Articles/982845/ ∗∗∗ Sicherheitsupdates: Angreifer können Sonicwall-Firewalls lahmlegen ∗∗∗ --------------------------------------------- Einige Firewalls von Sonicwall sind verwundbar. Attacken könnten bevorstehen. --------------------------------------------- https://heise.de/-9808904 ∗∗∗ BIOS-Sicherheitslücke gefährdet unzählige HP-PCs ∗∗∗ --------------------------------------------- Angreifer können viele Desktopcomputer von HP mit Schadcode attackieren. --------------------------------------------- https://heise.de/-9809134 ∗∗∗ SSA-071402 V1.0: Multiple Vulnerabilities in SICAM Products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-071402.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily