- Daily - CERT.at

Tageszusammenfassung - 21.03.2025
by Daily end-of-shift report 21 Mar '25

21 Mar '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 20-03-2025 18:00 − Freitag 21-03-2025 18:00 Handler: Felician Fuchs Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Angreifer machen sich an Hintertür in Cisco Smart Licensing Utility zu schaffen ∗∗∗ --------------------------------------------- Wie Sicherheitsforscher berichten, fangen Angreifer derzeit an, zwei Schwachstellen in Cisco Smart Licensing Utility auszunutzen. Darüber verschaffen sie sich Zugang mit Adminrechten. Sicherheitspatches sind schon länger verfügbar. [..] Die „kritischen“ Lücken (CVE-2024-20439, CVE-2024-20440) sind seit Anfang September 2024 bekannt. --------------------------------------------- https://heise.de/-10323893 ∗∗∗ VSCode extensions found downloading early-stage ransomware ∗∗∗ --------------------------------------------- Two malicious VSCode Marketplace extensions were found deploying in-development ransomware from a remote server, exposing critical gaps in Microsofts review process. --------------------------------------------- https://www.bleepingcomputer.com/news/security/vscode-extensions-found-down… ∗∗∗ Medusa Ransomware Uses Malicious Driver to Disable Anti-Malware with Stolen Certificates ∗∗∗ --------------------------------------------- The threat actors behind the Medusa ransomware-as-a-service (RaaS) operation have been observed using a malicious driver dubbed ABYSSWORKER as part of a bring your own vulnerable driver (BYOVD) attack designed to disable anti-malware tools. --------------------------------------------- https://thehackernews.com/2025/03/medusa-ransomware-uses-malicious-driver.h… ∗∗∗ How to Avoid US-Based Digital Services—and Why You Might Want To ∗∗∗ --------------------------------------------- Amid growing concerns over Big Tech firms aligning with Trump administration policies, people are starting to move their digital lives to services based overseas. Heres what you need to know. --------------------------------------------- https://www.wired.com/story/trump-era-digital-expat/ ∗∗∗ Fake-Shops wie eu.stanlaystore.com locken mit günstigen Stanley Cups ∗∗∗ --------------------------------------------- Stanley Cups gehören aktuell zu den beliebtesten Thermoskannen auf dem Markt. Leider machen sich auch Kriminelle die hohe Nachfrage zunutze und bieten die trendigen Becher in Fake-Shops an. Wie zum Beispiel die Website eu.stanlaystore.com, die mit unschlagbar günstigen Preisen lockt. --------------------------------------------- https://www.watchlist-internet.at/news/fake-shops-wie-eustanlaystorecom-loc… ∗∗∗ Achtung Phishing: So funktioniert der neue Debitkarten-Betrug ∗∗∗ --------------------------------------------- Kriminelle versenden derzeit vermehrt gefälschte E-Mails im Namen der Erste Bank. Darin wird behauptet, dass Ihre Debitkarte veraltet sei und Sie eine neue Karte beantragen müssen. Mit dieser Betrugsmasche versuchen Kriminelle, an Ihre Debitkarte samt PIN zu gelangen! --------------------------------------------- https://www.watchlist-internet.at/news/achtung-phishing-so-funktioniert-der… ∗∗∗ GitHub Actions Supply Chain Attack: A Targeted Attack on Coinbase Expanded to the Widespread tj-actions/changed-files Incident: Threat Assessment (Updated 3/21) ∗∗∗ --------------------------------------------- Updated March 20: The recent compromise of the GitHub action tj-actions/changed-files and additional actions within the reviewdog organization has captured the attention of the GitHub community, marking another major software supply chain attack. Our team conducted an in-depth investigation into this incident and uncovered many more details about how the attack occurred and its timeline. [..] Our team also discovered that the initial attack targeted Coinbase. The payload was focused on exploiting the public CI/CD flow of one of their open source projects – agentkit, probably with the purpose of leveraging it for further compromises. However, the attacker was not able to use Coinbase secrets or publish packages. --------------------------------------------- https://unit42.paloaltonetworks.com/github-actions-supply-chain-attack/ ∗∗∗ Major web services go dark in Russia amid reported Cloudflare block ∗∗∗ --------------------------------------------- Website outages were observed across Russia this week, with regulators attributing them to issues with foreign servers. Observers said the problems might be tied to Russian government moves to block Cloudflare services. --------------------------------------------- https://therecord.media/russia-websites-dark-reported-cloudflare-block ===================== = Vulnerabilities = ===================== ∗∗∗ Vulnerability in NAKIVO Backup ＆ Replication ∗∗∗ --------------------------------------------- A vulnerability has been discovered in NAKIVO Backup ＆ Replication 10.11.3.86570 and earlier. [..] We have already removed the affected versions from App Center and requested NAKIVO to provide a fixed version as soon as possible. --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-25-08 ∗∗∗ Siemens: SSA-656895 V1.2 (Last Update: 2025-03-20): Open Redirect Vulnerability in Teamcenter ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-656895.html ∗∗∗ [R1] Nessus Agent Version 10.8.3 Fixes One Vulnerability ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2025-02 ∗∗∗ F5: K000150484: Apache Tomcat vulnerability CVE-2025-24813 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000150484 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.03.2025
by Daily end-of-shift report 20 Mar '25

20 Mar '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 19-03-2025 18:00 − Donnerstag 20-03-2025 18:00 Handler: Felician Fuchs Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ HellCat hackers go on a worldwide Jira hacking spree ∗∗∗ --------------------------------------------- Swiss global solutions provider Ascom has confirmed a cyberattack on its IT infrastructure as a hacker group known as Hellcat targets Jira servers worldwide using compromised credentials. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hellcat-hackers-go-on-a-worl… ∗∗∗ Six Governments Likely Use Israeli Paragon Spyware to Hack IM Apps and Harvest Data ∗∗∗ --------------------------------------------- The governments of Australia, Canada, Cyprus, Denmark, Israel, and Singapore are likely customers of spyware developed by Israeli company Paragon Solutions, according to a new report from The Citizen Lab. [..] In these attacks, targets were added to a WhatsApp group, and then sent a PDF document, which is subsequently parsed automatically to trigger the now-patched zero-day vulnerability and load the Graphite spyware. --------------------------------------------- https://thehackernews.com/2025/03/six-governments-likely-use-israeli.html ∗∗∗ Phishing-Versuche im Namen der Oberbank – „Bitte aktualisieren Sie Ihre persönlichen Informationen“ ∗∗∗ --------------------------------------------- Mit Fake-SMS-Nachrichten versuchen Kriminelle gerade verstärkt, Opfer auf gefälschte Kundenportale der Oberbank zu leiten. Ziel der Phishing-Attacke sind sensible Bankdaten. Hier erfahren Sie, wie der Betrugsversuch abläuft und wie Sie den Fake erkennen. Außerdem erklären wir, was Sie tun können, falls Sie Ihre persönlichen Informationen bereits an die Betrüger:innen übermittelt haben. --------------------------------------------- https://www.watchlist-internet.at/news/persoenlichen-informationen-phishing… ∗∗∗ Presseaussendung: Fake-Shops, Produktpiraterie und Co. als Bedrohung für den österreichischen Onlinehandel ∗∗∗ --------------------------------------------- Fake-Shops, Markenfälschungen, Produktpiraterie oder Verletzungen des geistigen Eigentums: Die Bedrohungen im E-Commerce sind vielfältig und können für österreichische Unternehmer:innen nicht nur zu finanziellen Verlusten durch betrügerische Konkurrenz führen, sondern auch das Vertrauen der Kund:innen in den Online-Handel als Ganzes untergraben. --------------------------------------------- https://www.watchlist-internet.at/news/presseaussendung-bedrohungen-fuer-de… ∗∗∗ UK sets timeline for country’s transition to quantum-resistant encryption ∗∗∗ --------------------------------------------- The U.K. National Cyber Security Centre issued new guidance to help organizations transition to cryptographic algorithms and protocols that can protect data threatened by quantum computing. --------------------------------------------- https://therecord.media/uk-ncsc-quantum-resistant-algorithms-transition ===================== = Vulnerabilities = ===================== ∗∗∗ WordPress security plugin WP Ghost vulnerable to remote code execution bug ∗∗∗ --------------------------------------------- Popular WordPress security plugin WP Ghost is vulnerable to a critical severity flaw that could allow unauthenticated attackers to remotely execute code and hijack servers. [..] The flaw, tracked as CVE-2025-26909, impacts all versions of WP Ghost up to 5.4.01 and stems from insufficient input validation in the 'showFile()' function. Exploiting the flaw could allow attackers to include arbitrary files via manipulated URL paths. --------------------------------------------- https://www.bleepingcomputer.com/news/security/wordpress-security-plugin-wp… ∗∗∗ Google warnt: Kritische Sicherheitslücke in Chrome gefährdet Nutzer ∗∗∗ --------------------------------------------- Google hat wichtige Sicherheitsupdates für seinen Webbrowser Chrome veröffentlicht. [..] Mit Details zu der als CVE-2025-2476 registrierten Schwachstelle hält sich Google in seiner Versionsankündigung aus Sicherheitsgründen noch zurück. --------------------------------------------- https://www.golem.de/news/google-warnt-kritische-sicherheitsluecke-in-chrom… ∗∗∗ Veeam Backup & Replication RCE-Schwachstelle CVE-2025-23120 ∗∗∗ --------------------------------------------- Nutzer von Veeam Backup & Replication müssen reagieren. Der Anbieter Veeam hat zum 19. März 2025 über eine Remote Code Execution (RCE) Schwachstelle CVE-2025-23120 in verschiedenen Versionen des genannten Produkts informiert. Es gibt Sicherheitsupdates, um diese Schwachstelle zu schließen. --------------------------------------------- https://www.borncity.com/blog/2025/03/19/veeam-backup-replication-rce-schwa… ∗∗∗ ZDI-25-175: (0Day) Luxion KeyShot USDC File Parsing Use-After-Free Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-175/ ∗∗∗ ZDI-25-174: (0Day) Luxion KeyShot DAE File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-174/ ∗∗∗ Schwerwiegende Sicherheitslücken bedrohen Serverbetriebssystem IBM AIX ∗∗∗ --------------------------------------------- https://www.heise.de/news/Schwerwiegende-Sicherheitsluecken-bedrohen-Server… ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2025-0002 ∗∗∗ --------------------------------------------- https://webkitgtk.org/security/WSA-2025-0002.html ∗∗∗ SMA Sunny Portal ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-079-04 ∗∗∗ Santesoft Sante DICOM Viewer Pro ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-medical-advisories/icsma-25-079-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.03.2025
by Daily end-of-shift report 19 Mar '25

19 Mar '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 18-03-2025 18:00 − Mittwoch 19-03-2025 18:00 Handler: Alexander Riepl Co-Handler: Felician Fuchs ===================== = News = ===================== ∗∗∗ Malicious Android Vapor apps on Google Play installed 60 million times ∗∗∗ --------------------------------------------- Over 300 malicious Android applications downloaded 60 million items from Google Play acted as adware or attempted to steal credentials and credit card information. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malicious-android-vapor-apps… ∗∗∗ Why its time for phishing prevention to move beyond email ∗∗∗ --------------------------------------------- While phishing has evolved, email security hasnt kept up. Attackers now bypass MFA & detection tools with advanced phishing kits, making credential theft harder to prevent. Learn how Push Securitys browser-based security stops attacks as they happen. --------------------------------------------- https://www.bleepingcomputer.com/news/security/why-its-time-for-phishing-pr… ∗∗∗ iOS-Nutzer gefährdet: Phishing-Lücke in Passwords-App erst nach Monaten gepatcht ∗∗∗ --------------------------------------------- Apples Passwords-App hat Weiterleitungen zur Passwortänderung über unsicheres HTTP abgewickelt. Angreifer hätten auf Phishingseiten umleiten können. --------------------------------------------- https://www.golem.de/news/unsicheres-http-ios-nutzer-durch-phishing-luecke-… ∗∗∗ Malware im Anmarsch: Ungepatchte Windows-Lücke wird seit 8 Jahren ausgenutzt ∗∗∗ --------------------------------------------- Hacker nutzen die Schwachstelle schon mindestens seit 2017 aus. Ein Patch ist bisher nicht in Sicht. Auch Ziele in Deutschland sind bereits attackiert worden. --------------------------------------------- https://www.golem.de/news/malware-im-anmarsch-ungepatchte-windows-luecke-wi… ∗∗∗ Arcane stealer: We want all your data ∗∗∗ --------------------------------------------- The new Arcane stealer spreads via YouTube and Discord, collecting data from many applications, including VPN and gaming clients, network utilities, messaging apps, and browsers. --------------------------------------------- https://securelist.com/arcane-stealer/115919/ ∗∗∗ Announcing OSV-Scanner V2: Vulnerability scanner and remediation tool for open source ∗∗∗ --------------------------------------------- Today, were thrilled to announce the launch of OSV-Scanner V2.0.0, following the announcement of the beta version. This V2 release builds upon the foundation we laid with OSV-SCALIBR and adds significant new capabilities .. --------------------------------------------- https://security.googleblog.com/2025/03/announcing-osv-scanner-v2-vulnerabi… ∗∗∗ Buying browser extensions for fun and profit ∗∗∗ --------------------------------------------- Your browser extensions could be secretly sold to malicious actors without your knowledge. What starts as helpful tools created by passionate developers can transform into dangerous spyware when sold to the highest bidder. As these extensions grow to hundreds of thousands of users, their creators—overwhelmed by maintenance and lacking .. --------------------------------------------- https://secureannex.com/blog/buying-browser-extensions/ ∗∗∗ Which passwords are attackers using against RDP ports right now? ∗∗∗ --------------------------------------------- The Specops research team has been analyzing 15 million passwords being used to attack RDP ports, in live attacks happening against networks right now. Our team have found the ten most common passwords attackers are using and analyzed their wordlists for the most common complexity rules and password lengths. We shared the results of a .. --------------------------------------------- https://specopssoft.com/blog/passwords-used-in-attacking-rdp-ports/ ∗∗∗ AMOS and Lumma stealers actively spread to Reddit users ∗∗∗ --------------------------------------------- Reddit users from trading and crypto subreddits are being lured into installing malware disguised as premium cracked software. --------------------------------------------- https://www.malwarebytes.com/blog/scams/2025/03/amos-and-lumma-stealers-act… ∗∗∗ Website-Kidnapping: So schützen Sie Ihre Website vor Hackingangriffen! ∗∗∗ --------------------------------------------- Immer öfter geraten österreichische Unternehmen ins Visier von Kriminellen, die ihre Website unbemerkt manipulieren, um Kund:innen auf Fake-Shops oder andere illegale Inhalte weiterzuleiten. Besonders gefährdet sind kleine und mittlere Unternehmen (KMU), da sie oft nicht über ausreichende IT-Sicherheitsmaßnahmen verfügen. --------------------------------------------- https://www.watchlist-internet.at/news/website-kidnapping-so-schuetzen-sie-… ∗∗∗ Russland vergiftet KI-Chatbots wie ChatGPT gezielt mit Propaganda ∗∗∗ --------------------------------------------- Rund 3,6 Millionen Artikel des russischen Pravda-Netzwerks sollen in das Trainingsmaterial westlicher KI-Systeme eingeflossen sein. So werden Fake News via KI verbreitet --------------------------------------------- https://www.derstandard.at/story/3000000261876/russland-vergiftet-ki-chatbo… ∗∗∗ The Citizen Lab’s director dissects spyware and the ‘proliferating’ market for it ∗∗∗ --------------------------------------------- In an interview with Recorded Future News, Deibert explained the technical aspects of the Citizen Lab’s methods and how spyware companies continue to evolve to evade detection. --------------------------------------------- https://therecord.media/ron-deibert-citizen-lab-spyware-interview ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-25-149: Adobe Acrobat Reader DC AcroForm Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Adobe Acrobat Reader DC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2025-271561. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-149/ ∗∗∗ ZDI-25-151: Progress Software Kemp LoadMaster mangle Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Progress Software Kemp LoadMaster. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 9.8. The following CVEs are assigned: CVE-2025-1758. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-151/ ∗∗∗ ZDI-25-150: Microsoft Windows MSC File Insufficient UI Warning Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.0. The following CVEs are assigned: CVE-2025-26633. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-150/ ∗∗∗ ZDI-25-172: Apple macOS MOV File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Apple macOS. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 8.8. The following CVEs are assigned: CVE-2025-24124. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-172/ ∗∗∗ Multiple Vulnerabilities in Autodesk AutoCAD and certain AutoCAD-based Products ∗∗∗ --------------------------------------------- Autodesk AutoCAD and certain AutoCAD-based products are affected by multiple vulnerabilities. Exploitation of these vulnerabilities can lead to code execution. Exploitation of these vulnerabilities requires user interaction. --------------------------------------------- https://www.autodesk.com/trust/security-advisories/adsk-sa-2025-0001 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.03.2025
by Daily end-of-shift report 18 Mar '25

18 Mar '25

===================== = End-of-Day report = ===================== Timeframe: Montag 17-03-2025 18:00 − Dienstag 18-03-2025 18:00 Handler: Alexander Riepl Co-Handler: Felician Fuchs ===================== = News = ===================== ∗∗∗ Critical AMI MegaRAC bug can let attackers hijack, brick servers ∗∗∗ --------------------------------------------- A new critical severity vulnerability found in American Megatrends Internationals MegaRAC Baseboard Management Controller (BMC) software can let attackers hijack and potentially brick vulnerable servers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/critical-ami-megarac-bug-can… ∗∗∗ StilachiRAT analysis: From system reconnaissance to cryptocurrency theft ∗∗∗ --------------------------------------------- Microsoft Incident Response uncovered a novel remote access trojan (RAT) named StilachiRAT, which demonstrates sophisticated techniques to evade detection, persist in the target environment, and exfiltrate sensitive data. This blog primarily focuses on analysis of the WWStartupCtrl64.dll module that contains the RAT capabilities and summarizes .. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2025/03/17/stilachirat-analys… ∗∗∗ New ‘Rules File Backdoor’ Attack Lets Hackers Inject Malicious Code via AI Code Editors ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed details of a new supply chain attack vector dubbed Rules File Backdoor that affects artificial intelligence (AI)-powered code editors like GitHub Copilot and Cursor, causing them to inject malicious .. --------------------------------------------- https://thehackernews.com/2025/03/new-rules-file-backdoor-attack-lets.html ∗∗∗ Britische Hintertüren: Verdacht nach Apple auch bei Google ∗∗∗ --------------------------------------------- Britische Überwacher verlangen weltweiten Zugriff auf Apple-Backups. Apple darf das nicht bestätigen und ist damit offenbar kein Einzelfall. --------------------------------------------- https://www.heise.de/news/Auch-Google-kann-britischen-Ueberwachungsbefehl-n… ∗∗∗ FBI-Warnung: Betrügerische Online-Dateikonverter schleusen Trojaner in Dokumente ∗∗∗ --------------------------------------------- Wer kostenlose Onlinedienste zum Umwandeln von etwa Textdateien nutzt, kann sich Malware einfangen. Darauf weist das FBI hin. --------------------------------------------- https://www.heise.de/news/Malwareverteiler-FBI-warnt-vor-betruegerischen-On… ∗∗∗ Bogus ‘DeepSeek’ AI Installers Are Infecting Devices with Malware, Research Finds ∗∗∗ --------------------------------------------- In a digital landscape hungry for the next big thing in Artificial Intelligence, a new contender called DeepSeek recently burst .. --------------------------------------------- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/bogus-deepseek-ai-inst… ∗∗∗ Betrügerisches Gewinnspiel: Abofalle statt günstigem Thermomix! ∗∗∗ --------------------------------------------- Frau S. wünscht sich schon lange einen Thermomix. Bisher schreckte sie jedoch der hohe Preis der Küchenmaschine ab. Umso größer ist ihre Freude, als sie im Internet sieht, dass sie nach der Teilnahme an einer Umfrage den Thermomix für nur zwei Euro erhalten kann. Doch Vorsicht: Statt eines günstigen Thermomix erwartet sie eine teure Abofalle! --------------------------------------------- https://www.watchlist-internet.at/news/betruegerisches-gewinnspiel-abofalle… ∗∗∗ Google-Mutter Alphabet bietet für Cybersecurity-Startup Wiz 30 Milliarden Dollar ∗∗∗ --------------------------------------------- Es wäre die größte Transaktion von Alphabet. Ein Angebot über 23 Milliarden Dollar war im Vorjahr abgelehnt worden --------------------------------------------- https://www.derstandard.at/story/3000000261775/wsj-alphabet-bietet-f252r-cy… ∗∗∗ Crypto exchange OKX shuts down tool used by North Korean hackers to launder stolen funds ∗∗∗ --------------------------------------------- OKX said it detected a coordinated effort by one of North Korea’s most prolific hacking outfits to misuse its decentralized finance (DeFi) services. --------------------------------------------- https://therecord.media/crypto-okx-shuts-down-exchange ∗∗∗ Password reuse is rampant: nearly half of observed user logins are compromised ∗∗∗ --------------------------------------------- Accessing private content online, whether it's checking email or streaming your favorite show, almost always starts with a “login” step. Beneath this everyday task lies a widespread human mistake we still have not resolved: password reuse. Many users recycle passwords across multiple services, creating a ripple effect of risk when their credentials are leaked. --------------------------------------------- https://blog.cloudflare.com/password-reuse-rampant-half-user-logins-comprom… ∗∗∗ Offline PKI using 3 YubiKeys and an ARM single board computer ∗∗∗ --------------------------------------------- An offline PKI enhances security by physically isolating the certificate authority from network threats. A YubiKey is a low-cost solution to store a root certificate. You also need an air-gapped environment to operate the root CA. --------------------------------------------- https://vincent.bernat.ch/en/blog/2025-offline-pki-yubikeys ∗∗∗ Security Risks of Setting Access Control Allow Origin: * ∗∗∗ --------------------------------------------- Wildcard CORS: convenient or careless? What are the ACTUAL scenarios that could lead to a loose CORS policy being exploited? --------------------------------------------- https://projectblack.io/blog/security-risks-of-setting-access-control-allow… ===================== = Vulnerabilities = ===================== ∗∗∗ TYPO3-EXT-SA-2025-003: Multiple vulnerabilities in extension “[clickstorm] SEO” (cs_seo) ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-ext-sa-2025-003 ∗∗∗ TYPO3-EXT-SA-2025-002: Cross-Site Scripting in extension “Additional TCA” (additional_tca) ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-ext-sa-2025-002 ∗∗∗ Varnish Enterprise vulnerability in MSE4 when handling range requests ∗∗∗ --------------------------------------------- https://docs.varnish-software.com/security/VEV00001/ ∗∗∗ HTTP/1 client-side desync vulnerability ∗∗∗ --------------------------------------------- https://docs.varnish-software.com/security/VSV00015/ ∗∗∗ Schneider Electric EcoStruxure Power Automation System ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-077-03 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.03.2025
by Daily end-of-shift report 17 Mar '25

17 Mar '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 14-03-2025 18:00 − Montag 17-03-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Coinbase phishing email tricks users with fake wallet migration ∗∗∗ --------------------------------------------- A large-scale Coinbase phishing attack poses as a mandatory wallet migration, tricking recipients into setting up a new wallet with a pre-generated recovery phrase controlled by attackers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/coinbase-phishing-email-tric… ∗∗∗ Malicious Adobe, DocuSign OAuth apps target Microsoft 365 accounts ∗∗∗ --------------------------------------------- Cybercriminals are promoting malicious Microsoft OAuth apps that masquerade as Adobe and DocuSign apps to deliver malware and steal Microsoft 365 accounts credentials. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malicious-adobe-docusign-oau… ∗∗∗ Mirai Bot now incroporating (malformed?) DrayTek Vigor Router Exploits, (Sun, Mar 16th) ∗∗∗ --------------------------------------------- Last October, Forescout published a report disclosing several vulnerabilities in DrayTek routers. According to Forescount, about 700,000 devices were exposed to these vulnerabilities .. --------------------------------------------- https://isc.sans.edu/diary/Mirai+Bot+now+incroporating+malformed+DrayTek+Vi… ∗∗∗ Credit Card Skimmer and Backdoor on WordPress E-commerce Site ∗∗∗ --------------------------------------------- The battle against e-commerce malware continues to intensify, with attackers deploying increasingly sophisticated tactics. In a recent case at Sucuri, a customer reported suspicious files and unexpected behavior on their WordPress site. Upon deeper analysis, we discovered a complicated infection involving multiple components: a credit card skimmer, a .. --------------------------------------------- https://blog.sucuri.net/2025/03/credit-card-skimmer-and-backdoor-on-wordpre… ∗∗∗ Malicious PyPI Packages Stole Cloud Tokens—Over 14,100 Downloads Before Removal ∗∗∗ --------------------------------------------- Cybersecurity researchers have warned of a malicious campaign targeting users of the Python Package Index (PyPI) repository with bogus libraries masquerading as "time" related utilities, but harboring hidden functionality to steal sensitive data such as .. --------------------------------------------- https://thehackernews.com/2025/03/malicious-pypi-packages-stole-cloud.html ∗∗∗ Microsoft wouldnt look at a bug report without a video. Researcher maliciously complied ∗∗∗ --------------------------------------------- Maddening techno loop, Zoolander reference, and 14 minutes of time wasted A vulnerability analyst and prominent member of the infosec industry has blasted Microsoft for refusing to look at a bug report unless he submitted a video alongside a written explanation. --------------------------------------------- https://www.theregister.com/2025/03/17/microsoft_bug_report_troll/ ∗∗∗ Fake-Sicherheitswarnung: Betrüger versuchen Github-Konten zu kapern ∗∗∗ --------------------------------------------- Sicherheitsforscher berichten über Angriffsversuche auf rund 12.000 Github-Repositories. Dabei wollen Angreifer die volle Kontrolle über Konten erlangen. --------------------------------------------- https://www.heise.de/news/Fake-Sicherheitswarnung-Betrueger-versuchen-Githu… ∗∗∗ ClickFix: How to Infect Your PC in Three Easy Steps ∗∗∗ --------------------------------------------- A clever malware deployment scheme first spotted in targeted attacks last year has now gone mainstream. In this scam, dubbed "ClickFix," the visitor to a hacked or malicious website is asked to distinguish .. --------------------------------------------- https://krebsonsecurity.com/2025/03/clickfix-how-to-infect-your-pc-in-three… ∗∗∗ RCS: Apple und Google einigen sich auf Ende-zu-Ende-verschlüsselte Kommunikation ∗∗∗ --------------------------------------------- Neue Version des SMS-Nachfolgers unterstützt sichere Verschlüsselung, die beiden Branchengrößen wollen das bei Android und iPhone übernehmen --------------------------------------------- https://www.derstandard.at/story/3000000261679/rcs-apple-und-google-einigen… ∗∗∗ Telegram CEO confirms leaving France amid criminal probe ∗∗∗ --------------------------------------------- The Russian-born founder and owner of the messaging app Telegram said he returned to Dubai after spending several months in France due to a criminal investigation related to activity on the app. --------------------------------------------- https://therecord.media/telegram-pavel-durov-leaves-france-amid-probe ∗∗∗ Mora_001 ransomware gang exploiting Fortinet bug spotlighted by CISA in January ∗∗∗ --------------------------------------------- Two vulnerabilities impacting Fortinet products are being exploited by a new ransomware operation with ties to the LockBit ransomware group. --------------------------------------------- https://therecord.media/mora001-ransomware-gang-exploiting-vulnerability-lo… ∗∗∗ Scammers Pose as Cl0p Ransomware to Send Fake Extortion Letters ∗∗∗ --------------------------------------------- Scammers are sending fake extortion and ransom demands while posing as ransomware gangs, including the notorious Cl0p ransomware. --------------------------------------------- https://hackread.com/scammers-pose-cl0p-ransomware-fake-extortion-letters/ ∗∗∗ BitM Up! Session Stealing in Seconds Using the Browser-in-the-Middle Technique ∗∗∗ --------------------------------------------- The Rise of Browser in the Middle (BitM): BitM attacks offer a streamlined approach, allowing attackers to quickly compromise sessions across various web applications.MFA Remains Crucial, But Not Invulnerable: .. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/session-stealing-b… ∗∗∗ Supply Chain Security Risk: GitHub Action tj-actions/changed-files Compromised ∗∗∗ --------------------------------------------- On March 14th, 2025, security researchers discovered a critical software supply chain vulnerability in the widely-used GitHub Action tj-actions/changed-files (CVE-2025-30066). This vulnerability allows remote attackers .. --------------------------------------------- https://blog.aquasec.com/supply-chain-security-threat-github-action-tj-acti… ∗∗∗ Bypassing Authentication Like It’s The ‘90s - Pre-Auth RCE Chain(s) in Kentico Xperience CMS ∗∗∗ --------------------------------------------- I recently joined watchTowr, and it is, therefore, time - time for my first watchTowr Labs blogpost, previously teased in a tweet of a pre-auth RCE chain affecting some ‘unknown software’. Joining the team, I wanted to maintain the trail of destruction left by the watchTowr Labs team, .. --------------------------------------------- https://labs.watchtowr.com/bypassing-authentication-like-its-the-90s-pre-au… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (opensaml and php8.2), Fedora (chromium, ctk, dcmtk, expat, ffmpeg, firefox, fscrypt, gdcm, InsightToolkit, kitty, libssh2, libxml2, linux-firmware, man2html, nextcloud, OpenImageIO, php, podman-tui, python-django, python-django5, python-gunicorn, python-jinja2, python-spotipy, python3.6, qt6-qtwebengine, thunderbird, tigervnc, vim, vyper, xen, xorg-x11-server, and xorg-x11-server-Xwayland), Mageia (freetype2, ghostscript, and man2html), .. --------------------------------------------- https://lwn.net/Articles/1014437/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.03.2025
by Daily end-of-shift report 14 Mar '25

14 Mar '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 13-03-2025 18:00 − Freitag 14-03-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ New SuperBlack ransomware exploits Fortinet auth bypass flaws ∗∗∗ --------------------------------------------- A new ransomware operator named Mora_001 is exploiting two Fortinet vulnerabilities to gain unauthorized access to firewall appliances and deploy a custom ransomware strain dubbed SuperBlack. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-superblack-ransomware-ex… ∗∗∗ Ransomware gang creates tool to automate VPN brute-force attacks ∗∗∗ --------------------------------------------- The Black Basta ransomware operation created an automated brute-forcing framework dubbed BRUTED to breach edge networking devices like firewalls and VPNs. --------------------------------------------- https://www.bleepingcomputer.com/news/security/black-basta-ransomware-creat… ∗∗∗ Jailbreaking is (mostly) simpler than you think ∗∗∗ --------------------------------------------- Today, we are sharing insights on a simple, optimization-free jailbreak method called Context Compliance Attack (CCA), that has proven effective against most leading AI systems. We are disseminating this research to promote awareness and encourage system designers to implement appropriate safeguards. --------------------------------------------- https://msrc.microsoft.com/blog/2025/03/jailbreaking-is-mostly-simpler-than… ∗∗∗ CISA: We didnt fire red teams, we just unhired a bunch of them ∗∗∗ --------------------------------------------- Agency tries to save face as it also pulls essential funding for election security initiatives Uncle Sams cybersecurity agency is trying to save face by seeking to clear up what its calling "inaccurate reporting" after a former senior pen-tester claimed the organization axed two red teams. --------------------------------------------- https://www.theregister.com/2025/03/13/cisa_red_team_layoffs/ ∗∗∗ A New Era of Attacks on Encryption Is Starting to Heat Up ∗∗∗ --------------------------------------------- The UK, France, Sweden, and EU have made fresh attacks on end-to-end encryption. Some of the attacks are more “crude” than those in recent years, experts say. --------------------------------------------- https://www.wired.com/story/a-new-era-of-attacks-on-encryption-is-starting-… ∗∗∗ Fernzugriff: Ivanti Secure Access Client als Einfallstor für Angreifer ∗∗∗ --------------------------------------------- Ein Sicherheitsupdate schließt unter Windows eine Lücke in Ivanti Secure Access Client. --------------------------------------------- https://www.heise.de/news/Fernzugriff-Ivanti-Secure-Access-Client-als-Einfa… ∗∗∗ Off the Beaten Path: Recent Unusual Malware ∗∗∗ --------------------------------------------- Three unusual malware samples analyzed here include an ISS backdoor developed in a rare language, a bootkit and a Windows implant of a post-exploit framework. --------------------------------------------- https://unit42.paloaltonetworks.com/unusual-malware/ ∗∗∗ Ransomware attack takes down health system network in Micronesia ∗∗∗ --------------------------------------------- One of the four states that make up the Pacific nation of Micronesia is battling against ransomware hackers who have forced all of the computers used by its government health agency offline. --------------------------------------------- https://therecord.media/ransomware-attack-micronesia-health-system ∗∗∗ Europes telecoms sector under increased threat from cyber spies, warns Denmark ∗∗∗ --------------------------------------------- State-sponsored cyber espionage is a bigger threat than ever to Europes telecommunications networks, according to a new assessment from Denmarks government. --------------------------------------------- https://therecord.media/europe-increased-cyber-espionage-telecoms-denmark-r… ∗∗∗ Alleged Russian LockBit developer extradited from Israel, appears in New Jersey court ∗∗∗ --------------------------------------------- Rostislav Panev, who was arrested in Israel in August 2024 on U.S. charges related to dozens of LockBit ransomware attacks, has been extradited and appeared in a New Jersey federal court, authorities said. --------------------------------------------- https://therecord.media/lockbit-alleged-russian-developer-extradited-us-isr… ∗∗∗ SocGholish’s Intrusion Techniques Facilitate Distribution of RansomHub Ransomware ∗∗∗ --------------------------------------------- Trend Research analyzed SocGholish’s MaaS framework and its role in deploying RansomHub ransomware through compromised websites, using highly obfuscated JavaScript loaders to evade detection and execute various malicious tasks. --------------------------------------------- https://www.trendmicro.com/en_us/research/25/c/socgholishs-intrusion-techni… ∗∗∗ Recursion kills: The story behind CVE-2024-8176 / Expat 2.7.0 released, includes security fixes ∗∗∗ --------------------------------------------- Expat 2.7.0 has been released earlier today. I will make this a more detailed post than usual because in many ways there is more to tell about this release than the average libexpat release: there is a story this time --------------------------------------------- https://blog.hartwork.org/posts/expat-2-7-0-released/ ∗∗∗ Memory Corruption in Delphi ∗∗∗ --------------------------------------------- Our team at Include Security is often asked to examine applications coded in languages that are usually considered “unsafe”, such as C and C++, due to their lack of memory safety functionality. Critical aspects of reviewing such code include identifying where bounds-checking, input validation, and pointer handling/dereferencing are .. --------------------------------------------- https://blog.includesecurity.com/2025/03/memory-corruption-in-delphi/ ∗∗∗ My Scammer Girlfriend: Baiting A Romance Fraudster ∗∗∗ --------------------------------------------- At the beginning of the year, a spate of very similar mails appeared in my spam-box. Although originating from different addresses (and sent to different recipients), they all appeared to be the opener for the same romance scam campaign. --------------------------------------------- https://www.bentasker.co.uk/posts/blog/security/seducing-a-romance-scammer.… ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-25-135: Adobe Acrobat Reader DC AcroForm Use of Uninitialized Variable Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Adobe Acrobat Reader DC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2025-27162. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-135/ ∗∗∗ ZDI-25-134: Adobe Acrobat Reader DC Doc Object Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Adobe Acrobat Reader DC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2025-24431. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-134/ ∗∗∗ ZDI-25-133: Adobe Acrobat Reader DC Annotation Use-After-Free Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Adobe Acrobat Reader DC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2025-27174. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-133/ ∗∗∗ ZDI-25-132: Adobe Acrobat Reader DC Annotation Use-After-Free Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Adobe Acrobat Reader DC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2025-27159. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-132/ ∗∗∗ ZDI-25-131: Adobe Acrobat Reader DC Annotation Use-After-Free Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Adobe Acrobat Reader DC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2025-27160. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-131/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.03.2025
by Daily end-of-shift report 13 Mar '25

13 Mar '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 12-03-2025 18:00 − Donnerstag 13-03-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ No Project Is an Island: Why You Need SBOMs and Dependency Management ∗∗∗ --------------------------------------------- The system you develop and maintain does not exist in isolation. Providing SBOMs for our work is our way to show we care. Software is a relatively recent phenomenon. For a long time, you could credibly say most of its existence, software was poorly understood by society and industry at large. There was .. --------------------------------------------- https://bsdly.blogspot.com/2025/03/no-project-is-island-why-you-need-sboms.… ∗∗∗ Facebook discloses FreeType 2 flaw exploited in attacks ∗∗∗ --------------------------------------------- Facebook is warning that a FreeType vulnerability in all versions up to 2.13 can lead to arbitrary code execution, with reports that the flaw has been exploited in attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/facebook-discloses-freetype-… ∗∗∗ Flugticketgroßhändler: Cyberangriff legt Buchungssystem von Aerticket lahm ∗∗∗ --------------------------------------------- Nach einem Hackerangriff ist das Buchungssystem von Aerticket vorerst unbrauchbar. Eine schnelle Wiederherstellung ist wohl nicht zu erwarten. --------------------------------------------- https://www.golem.de/news/flugticketgrosshaendler-cyberangriff-legt-buchung… ∗∗∗ Head Mare and Twelve join forces to attack Russian entities ∗∗∗ --------------------------------------------- We analyze the activities of the Head Mare hacktivist group, which has been attacking Russian companies jointly with Twelve. --------------------------------------------- https://securelist.com/head-mare-twelve-collaboration/115887/ ∗∗∗ Phishing campaign impersonates Booking .com, delivers a suite of credential-stealing malware ∗∗∗ --------------------------------------------- Starting in December 2024, leading up to some of the busiest travel days, Microsoft Threat Intelligence identified a phishing campaign that impersonates online travel agency Booking.com and targets organizations in the hospitality industry. The campaign uses a social engineering technique called ClickFix to deliver multiple credential-stealing malware .. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2025/03/13/phishing-campaign-… ∗∗∗ Medusa ransomware affiliate tried triple extortion scam – up from the usual double demand ∗∗∗ --------------------------------------------- Feds warn gang still rampant and now cracked 300+ victims around the world A crook who distributes the Medusa ransomware tried to make a victim cough up three payments instead of the usual two, according to a government advisory on how to defend against the malware and the gangs who wield it. --------------------------------------------- https://www.theregister.com/2025/03/13/medusa_ransomware_infects_300_critic… ∗∗∗ DeepSeek can be gently persuaded to spit out malware code ∗∗∗ --------------------------------------------- It might need polishing, but a useful find for any budding cybercrooks out there DeepSeeks flagship R1 model is capable of generating a working keylogger and basic ransomware code, just as long as a techie is on hand to tinker with it a little. --------------------------------------------- https://www.theregister.com/2025/03/13/deepseek_malware_code/ ∗∗∗ Sicherheitslücken: Gitlab-Entwickler raten zu zügigem Update ∗∗∗ --------------------------------------------- Es sind wichtige Sicherheitsupdates für die Softwareentwicklungsplattform Gitlab erschienen. --------------------------------------------- https://www.heise.de/news/Sicherheitsluecken-Gitlab-Entwickler-raten-zu-zue… ∗∗∗ Sicherheitsupdates: Root-Sicherheitslücke bedroht Cisco-ASR-Router ∗∗∗ --------------------------------------------- Der Netzwerkausrüster Cisco hat mehrere Schwachstellen geschlossen, über die Angreifer etwa ASR-Router attackieren können. --------------------------------------------- https://www.heise.de/news/Sicherheitsupdates-Root-Sicherheitsluecke-bedroht… ∗∗∗ Schadcode-Sicherheitslücken bedrohen FortiOS, FortiSandbox & Co. ∗∗∗ --------------------------------------------- Mehrere Produkte von Fortinet sind attackierbar. Sicherheitspatches schaffen Abhilfe. --------------------------------------------- https://www.heise.de/news/Schadcode-Sicherheitsluecken-bedrohen-FortiOS-For… ∗∗∗ Investigating Scam Crypto Investment Platforms Using Pyramid Schemes to Defraud Victims ∗∗∗ --------------------------------------------- We identified a campaign spreading thousands of sca crypto investment platforms through websites and mobile apps, possibly through a standardized toolkit. --------------------------------------------- https://unit42.paloaltonetworks.com/fraud-crypto-platforms-campaign/ ∗∗∗ #StopRansomware: Medusa Ransomware ∗∗∗ --------------------------------------------- The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint advisory to disseminate known Medusa ransomware TTPs and IOCs, identified through FBI investigations as recently as February 2025. --------------------------------------------- https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-071a ∗∗∗ Signal no longer cooperating with Ukraine on Russian cyberthreats, official says ∗∗∗ --------------------------------------------- The encrypted messaging app Signal has stopped responding to requests from Ukrainian law enforcement regarding Russian cyberthreats, a Ukrainian official claimed, warning that the shift is aiding Moscow’s intelligence efforts. --------------------------------------------- https://therecord.media/signal-no-longer-cooperating-with-ukraine ∗∗∗ Abusing with style: Leveraging cascading style sheets for evasion and tracking ∗∗∗ --------------------------------------------- Cascading Style Sheets (CSS) are ever present in modern day web browsing, however its far from their own use. This blog will detail the ways adversaries use CSS in email campaigns for evasion and tracking. --------------------------------------------- https://blog.talosintelligence.com/css-abuse-for-evasion-and-tracking/ ∗∗∗ Statement on CISAs Red Team ∗∗∗ --------------------------------------------- CISA’s Red Team is among the best in the world and remains laser focused on helping our federal and critical infrastructure partners identify and mitigate their most significant vulnerabilities and weaknesses. This has not changed. --------------------------------------------- https://www.cisa.gov/news-events/news/statement-cisas-red-team ∗∗∗ PCI DSS FAQ SAQ WTF BBQ... ∗∗∗ --------------------------------------------- I was trying to come up with a sensible title for this blog post, but I feel this one mirrors the thoughts and feelings of many of us about recent events in the PCI DSS compliance space! There have been some significant changes in .. --------------------------------------------- https://scotthelme.ghost.io/pci-dss-faq-saq-wtf-bbq/ ∗∗∗ Sign in as anyone: Bypassing SAML SSO authentication with parser differentials ∗∗∗ --------------------------------------------- Critical authentication bypass vulnerabilities (CVE-2025-25291 + CVE-2025-25292) were discovered in ruby-saml up to version 1.17.0. In this blog post, well shed light on how these vulnerabilities that rely on a parser differential were uncovered. --------------------------------------------- https://github.blog/security/sign-in-as-anyone-bypassing-saml-sso-authentic… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium), Fedora (ffmpeg, qt6-qtwebengine, tigervnc, and xorg-x11-server-Xwayland), Red Hat (fence-agents and libxml2), SUSE (amazon-ssm-agent, ark, chromium, fake-gcs-server, gerbera, google-guest-agent, google-osconfig-agent, grafana, kernel, libtinyxml2-10, podman, python311, python312, restic, ruby3.4-rubygem-rack, and thunderbird), and Ubuntu (jinja2, linux-azure, linux-azure-4.15, linux-lts-xenial, linux-nvidia, linux-nvidia-6.8, .. --------------------------------------------- https://lwn.net/Articles/1014042/ ∗∗∗ ZDI-25-129: PDF-XChange Editor RTF File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2025-2231. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-129/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.03.2025
by Daily end-of-shift report 12 Mar '25

12 Mar '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 11-03-2025 18:00 − Mittwoch 12-03-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ iPhone-Nutzer attackiert: Aktiv ausgenutzte Webkit-Lücke gefährdet Apple-Geräte ∗∗∗ --------------------------------------------- Angreifer können durch die Schwachstelle aus der Web-Content-Sandbox von Webkit ausbrechen. Apple verteilt Notfallupdates für iOS, MacOS und Safari. --------------------------------------------- https://www.golem.de/news/iphone-nutzer-attackiert-aktiv-ausgenutzte-webkit… ∗∗∗ Scans for VMWare Hybrid Cloud Extension (HCX) API (Log4j - not brute forcing), (Wed, Mar 12th) ∗∗∗ --------------------------------------------- Today, I noticed increased scans for the VMWare Hyprid Cloud Extension (HCX) "sessions" endpoint. These endpoints are sometimes associated with exploit attempts for various VMWare .. --------------------------------------------- https://isc.sans.edu/diary/Scans+for+VMWare+Hybrid+Cloud+Extension+HCX+API+… ∗∗∗ Uneinheitliche Cybersicherheitsstandards: Kommunen ohne klare Strategie ∗∗∗ --------------------------------------------- Aktuell gibt es bei der IT-Sicherheit von Kommunen noch viele Mängel. Eine Studie klärt über die Defizite und mögliche Maßnahmen auf. --------------------------------------------- https://www.heise.de/news/Uneinheitliche-Cybersicherheitsstandards-Kommunen… ∗∗∗ Microsoft-Patchday: 5 kritische Windows-Lücken, 6 andere bereits ausgenutzt ∗∗∗ --------------------------------------------- Zum Patchday im März 205 veröffentlicht Microsoft Korrekturen für insgesamt 57 CVE-Einträge. Sie betreffen Windows, Office, Visual Studio, Azure und mehr. --------------------------------------------- https://www.heise.de/news/Microsoft-Patchday-5-kritische-Windows-Luecken-6-… ∗∗∗ Take control of Cache-Control and local caching ∗∗∗ --------------------------------------------- TL;DR Caching speeds up website content delivery What caching directives are and how to use them The No-cache directive does not prevent caching The No-store directive prevents caching .. --------------------------------------------- https://www.pentestpartners.com/security-blog/take-control-of-cache-control… ∗∗∗ Phishing-Falle: Es droht keine dauerhafte Deaktivierung Ihres GMX-Kontos! ∗∗∗ --------------------------------------------- Von Ihrer E-Mail-Adresse werden angeblich „falsche E-Mails“ versendet? Wenn Sie nicht innerhalb von 24 Stunden reagieren, wird ihr GMX-Konto dauerhaft deaktiviert? Keine Sorge, nichts von dem ist wahr, nichts wird passieren. Vielmehr haben Sie ein Phishing-Mail erhalten, das Sie ignorieren können und unverzüglich löschen sollten. --------------------------------------------- https://www.watchlist-internet.at/news/phishing-deaktivierung-gmx/ ∗∗∗ Etwas Dringendes für den Chef erledigen? Vorsicht, Phishing! ∗∗∗ --------------------------------------------- Kriminelle versenden betrügerische E-Mails, in denen sie sich als Vorgesetzte ausgeben. Sie werden aufgefordert, eine dringende Aufgabe zu erledigen und auf die E-Mail zu antworten. Wir raten zur Vorsicht: Eine Antwort kann großen Schaden anrichten! Ignorieren Sie die Nachricht und informieren Sie die IT-Abteilung. --------------------------------------------- https://www.watchlist-internet.at/news/phishing-unternehmen/ ∗∗∗ Ghost in the Router: China-Nexus Espionage Actor UNC3886 Targets Juniper Routers ∗∗∗ --------------------------------------------- In mid 2024, Mandiant discovered threat actors deployed custom backdoors on Juniper Networks’ Junos OS routers. Mandiant attributed these backdoors to the China-nexus espionage group, UNC3886. Mandiant uncovered several TINYSHELL-based backdoors operating on Juniper Networks’ Junos OS routers. The backdoors had varying .. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-espion… ===================== = Vulnerabilities = ===================== ∗∗∗ iOS 18.3.2 and iPadOS 18.3.2 ∗∗∗ --------------------------------------------- /en-us/122281 ∗∗∗ macOS Sequoia 15.3.2 ∗∗∗ --------------------------------------------- /en-us/122283 ∗∗∗ visionOS 2.3.2 ∗∗∗ --------------------------------------------- /en-us/122284 ∗∗∗ Safari 18.3.1 ∗∗∗ --------------------------------------------- /en-us/122285 ∗∗∗ 2025-03 Out-of-Cycle Security Bulletin: Junos OS: A local attacker with shell access can execute arbitrary code (CVE-2025-21590) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2025-03-Out-of-Cycle-Security-B… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.03.2025
by Daily end-of-shift report 11 Mar '25

11 Mar '25

===================== = End-of-Day report = ===================== Timeframe: Montag 10-03-2025 18:00 − Dienstag 11-03-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ MassJacker malware uses 778,000 wallets to steal cryptocurrency ∗∗∗ --------------------------------------------- A newly discovered clipboard hijacking operation dubbed MassJacker uses at least 778,531 cryptocurrency wallet addresses to steal digital assets from compromised computers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/massjacker-malware-uses-778-… ∗∗∗ Google lässt Kunden im Stich: Abgelaufene SSL-Zertifikate machen Chromecast unbrauchbar ∗∗∗ --------------------------------------------- Seit zwei Tagen warten Besitzer älterer Chromecast-Modelle auf Hilfe durch Google. Wann der Fehler korrigiert wird, ist ungewiss. --------------------------------------------- https://www.golem.de/news/google-laesst-kunden-im-stich-abgelaufene-ssl-zer… ∗∗∗ DCRat backdoor returns ∗∗∗ --------------------------------------------- Kaspersky experts describe a new wave of attacks distributing the DCRat backdoor through YouTube under the guise of game cheats. --------------------------------------------- https://securelist.com/new-wave-of-attacks-with-dcrat-backdoor-distributed-… ∗∗∗ New XCSSET malware adds new obfuscation, persistence techniques to infect Xcode projects ∗∗∗ --------------------------------------------- Microsoft Threat Intelligence has uncovered a new variant of XCSSET, a sophisticated modular macOS malware that infects Xcode projects, in the wild. Its first known variant since 2022, this latest XCSSET malware features enhanced obfuscation methods, updated persistence mechanisms, and new infection strategies. These enhanced features help this malware .. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2025/03/11/new-xcsset-malware… ∗∗∗ What Really Happened With the DDoS Attacks That Took Down X ∗∗∗ --------------------------------------------- Elon Musk said a “massive cyberattack” disrupted X on Monday and pointed to “IP addresses originating in the Ukraine area” as the source of the attack. Security experts say thats not how it works. --------------------------------------------- https://www.wired.com/story/x-ddos-attack-march-2025/ ∗∗∗ North Korean IT Workers Linked to 2,400 Astrill VPN IP Addresses ∗∗∗ --------------------------------------------- New data has emerged linking over 2,400 IP addresses associated with Astrill VPN to individuals believed to be North Korean IT worker --------------------------------------------- https://gbhackers.com/north-korean-workers-linked-astrill-vpn-ip-addresses/ ∗∗∗ Spionage: Russland und China mit Interesse an Österreichs IT-Branche ∗∗∗ --------------------------------------------- Die Direktion Staatsschutz und Nachrichtendienst sieht Russland als "relevanten Risikoakteur". Es wird eine hohe Dunkelziffer von Vorfällen vermutet --------------------------------------------- https://www.derstandard.at/story/3000000260788/spionage-russland-und-china-… ∗∗∗ Report URI: Launching Policy Watch and other improvements! ∗∗∗ --------------------------------------------- As we continue to expand and improve our offering, one particular area of focus over recent months has been on PCI DSS Compliance. Whilst compliance might not be the first thing that many get excited about, the recent requirements introduced by the PCI SSC required some pretty solid .. --------------------------------------------- https://scotthelme.ghost.io/report-uri-launching-policy-watch-and-other-imp… ∗∗∗ In-Depth Technical Analysis of the Bybit Hack ∗∗∗ --------------------------------------------- On 21st February 2025, Bybit suffered the largest cryptocurrency theft ever recorded, with more than $1.4 billion assets, including 401,347 ETH, drained from its cold wallet. The attack compromised the transaction approval process by altering what Bybit’s signers saw when approving a cold wallet transaction, causing them to unknowingly authorize an transaction that resulted in a loss of funds. --------------------------------------------- https://www.nccgroup.com/us/research-blog/in-depth-technical-analysis-of-th… ∗∗∗ Beyond the Hook: A Technical Deep Dive into Modern Phishing Methodologies ∗∗∗ --------------------------------------------- In 2025, phishing is still the most prevalent kind of cyber attack on the planet. Indeed, 1.2% of the global email traffic is phishing. Thats 3.4 billion emails each day, but only a low number results in a compromise since "only" 3% of employees would click on a malicious link. However, when they do, it can be disastrous for their company. 91% of .. --------------------------------------------- http://blog.quarkslab.com/technical-dive-into-modern-phishing.html ∗∗∗ Reversing Samsungs H-Arx Hypervisor Framework - Part 1 ∗∗∗ --------------------------------------------- In many ways, mobile devices lead the security industry when it comes to defense-in-depth and mitigation. Over the years, it has been proven time and again that the kernel cannot be trusted to be secure. As such, there has been effort put into moving secrets (ie. encryption keys) and other sensitive data out of the kernel and gate it behind an API at higher levels in the chain of trust, whether it be the hypervisor or secure enclaves. In any case, the kernel must have a lot of control .. --------------------------------------------- https://dayzerosec.com/blog/2025/03/08/reversing-samsungs-h-arx-hypervisor-… ===================== = Vulnerabilities = ===================== ∗∗∗ Cross Site Request Forgery in admin endpoint ∗∗∗ --------------------------------------------- A cross site request forgery vulnerability [CWE-352] in FortiNDR may allow a remote unauthenticated attacker to execute unauthorized actions via crafted HTTP GET requests. --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-23-353 ∗∗∗ Exposure of Sensitive Information to an Unauthorized Actor ∗∗∗ --------------------------------------------- An exposure of sensitive information to an unauthorized actor vulnerability [CWE-200] in FortiSIEM may allow a remote unauthenticated attacker who acquired knowledge of the agents authorization header by other means to read the database password via crafted api requests --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-23-117 ∗∗∗ OS command injection in CLI command ∗∗∗ --------------------------------------------- Multiple improper neutralization of special elements used in an OS command (OS Command Injection) vulnerabilities [CWE-78] in FortiManager CLI may allow a privileged attacker to execute unauthorized code or commands via crafted CLI requests. --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-24-124 ∗∗∗ Use of hardcoded key used for remote backup server password encryption ∗∗∗ --------------------------------------------- A Use of Hard-coded Cryptographic Key vulnerability [CWE-321] in FortiSandbox may allow a privileged attacker with super-admin profile and CLI access to read sensitive data via CLI. --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-24-327 ∗∗∗ XSS flaw in Fortiview/SecurityLogs pages ∗∗∗ --------------------------------------------- An improper neutralization of input during web page generation (Cross-site Scripting) vulnerability [CWE-79] in FortiADC GUI may allow an authenticated attacker to perform an XSS attack via crafted HTTP or HTTPs requests. --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-23-216 ∗∗∗ [20250301] - Core - Malicious file uploads via Media Manager ∗∗∗ --------------------------------------------- https://developer.joomla.org:443/security-centre/961-20250301-core-maliciou… ∗∗∗ March Security Update ∗∗∗ --------------------------------------------- https://www.ivanti.com/blog/march-security-update -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.03.2025
by Daily end-of-shift report 10 Mar '25

10 Mar '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 07-03-2025 18:00 − Montag 10-03-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ FTC will send $25.5 million to victims of tech support scams ∗∗∗ --------------------------------------------- Later this week, the Federal Trade Commission (FTC) will start distributing over $25.5 million in refunds to those misled by tech support companies Restoro and Reimages scare tactics. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ftc-will-send-255-million-to… ∗∗∗ Datenschutz: Polizist ruft Daten von Frauen ab und muss Strafe zahlen ∗∗∗ --------------------------------------------- Der Polizist hat eine persönliche Attraktivitätsskala geführt und ab bestimmten Werten persönliche Daten von Frauen abgefragt. --------------------------------------------- https://www.golem.de/news/datenschutz-polizist-ruft-daten-von-frauen-ab-und… ∗∗∗ SideWinder targets the maritime and nuclear sectors with an updated toolset ∗∗∗ --------------------------------------------- In this article, we discuss the tools and TTPs used in the SideWinder APTs attacks in H2 2024, as well as shifts in its targets, such as an increase in attacks against the maritime and logistics sectors. --------------------------------------------- https://securelist.com/sidewinder-apt-updates-its-toolset-and-targets-nucle… ∗∗∗ The Russia-Ukraine Cyber War Part 4: Development in Group Attributions for Russian State Actors ∗∗∗ --------------------------------------------- This is the final installment of Trustwave SpiderLabs Russia-Ukraine digital battlefield series, which has spanned topics including the differences between Russia and Ukraine cyber actors, how government entities, defense organizations, and human targets were caught in the cyber crossfire, and how both countries targeted the telecommunications, critical .. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/russian-sta… ∗∗∗ Rhysida pwns two US healthcare orgs, extracts over 300K patients data ∗∗∗ --------------------------------------------- Terabytes of sensitive info remain available for download Break-ins to systems hosting the data of two US healthcare organizations led to thieves making off with the personal and medical data of more than 300,000 patients. --------------------------------------------- https://www.theregister.com/2025/03/10/rhysida_healthcare/ ∗∗∗ Strings Attached: Talking about Russias agenda for laws in cyberspace ∗∗∗ --------------------------------------------- Russias longstanding proposals for "information security" agreements may sound cooperative, but they conceal a Trojan horse - a push to legitimize censorship, silence dissent, and bind others to rules it won’t follow. --------------------------------------------- https://bytesandborscht.com/strings-attached-talking-about-russias-agenda-f… ∗∗∗ Größter Diebstahl der Geschichte: Bybit nutzte Freeware und wurde dadurch Opfer ∗∗∗ --------------------------------------------- Eine unsichere Freeware ermöglichte den Angreifern den Milliarden-Diebstahl bei Bybit. Die Probleme waren schon lang bekannt. --------------------------------------------- https://www.heise.de/news/Groesster-Diebstahl-der-Geschichte-Bybit-nutzte-F… ∗∗∗ Feds Link $150M Cyberheist to 2022 LastPass Hacks ∗∗∗ --------------------------------------------- In September 2023, KrebsOnSecurity published findings from security researchers who concluded that a series of six-figure cyberheists across dozens of victims resulted from thieves cracking master passwords stolen from the password manager service LastPass in 2022. In a court filing this week, U.S. federal agents investigating a spectacular $150 million cryptocurrency heist said they had reached the same conclusion. --------------------------------------------- https://krebsonsecurity.com/2025/03/feds-link-150m-cyberheist-to-2022-lastp… ∗∗∗ Vulnerability Reward Program: 2024 in Review ∗∗∗ --------------------------------------------- In 2024, our Vulnerability Reward Program confirmed the ongoing value of engaging with the security research community to make Google and its products safer. This was evident as we awarded just shy of $12 million to over 600 researchers based in countries around the globe across all of our programs.Vulnerability Reward .. --------------------------------------------- http://security.googleblog.com/2025/03/vulnerability-reward-program-2024-in… ∗∗∗ WordPress Security Research Series: WordPress Security Architecture ∗∗∗ --------------------------------------------- Learn how WordPress security works from the inside out. A guide for vulnerability researchers on identifying flaws in WordPress core, plugins, and themes. --------------------------------------------- https://www.wordfence.com/blog/2025/03/wordpress-security-research-series-w… ∗∗∗ Scam spoofs Binance website and uses TRUMP coin as lure for malware ∗∗∗ --------------------------------------------- Researchers at phishing defense company Cofense say hackers are spreading a malicious remote access tool through a fake Binance page that offers access to the TRUMP coin. --------------------------------------------- https://therecord.media/email-scam-spoofs-binance-offers-trump-coin-connect… ∗∗∗ Navigating AI 🤝 Fighting Skynet ∗∗∗ --------------------------------------------- Using AI can be a great tool for adversarial engineering. This was just a bit of fun to see if it was possible todo and to learn more about automation but also proving you cannot trust git commit history nor can you trust dates of commits! --------------------------------------------- https://blog.zsec.uk/navigating-ai-fighting-skynet/ ∗∗∗ No, there isn’t a world ending Apache Camel vulnerability ∗∗∗ --------------------------------------------- Posts have been circulating publicly on the internet for several days about a “critical”, end of the world “zero day” in Apache Camel, CVE-2025–27636. Many of the posts explained in specific detail about how to exploit the vulnerability .. --------------------------------------------- https://doublepulsar.com/no-there-isnt-a-world-ending-apache-camel-vulnerab… ∗∗∗ GreyNoise Detects Mass Exploitation of Critical PHP-CGI Vulnerability (CVE-2024-4577), Signaling Broad Campaign ∗∗∗ --------------------------------------------- ‍GreyNoise data confirms that exploitation of CVE-2024-4577 extends far beyond initial reports. Attack attempts have been observed across multiple regions, with notable spikes in the United States, Singapore, Japan, and other countries throughout January 2025. --------------------------------------------- https://www.greynoise.io/blog/mass-exploitation-critical-php-cgi-vulnerabil… ∗∗∗ How to distrust a CA without any certificate errors ∗∗∗ --------------------------------------------- A “distrust” is when a certification authority (CA) that issues HTTPS certificates to websites is removed from a root store because it is no longer trusted to issue certificates. This means certificates issued by that CA will be treated as invalid, likely causing certificate error interstitials in any browser that distrusted the .. --------------------------------------------- https://dadrian.io/blog/posts/sct-not-after/ ∗∗∗ Exploiting Neverwinter Nights ∗∗∗ --------------------------------------------- Back in 2024, we looked for vulnerabilities in Neverwinter Nights : Enhanced Edition as a side research project. We found and reported multiple vulnerabilities to the publisher Beamdog. In this article we will detail how we can chain two vulnerabilities to obtain a remote code execution in multiplayer mode. --------------------------------------------- https://www.synacktiv.com/en/publications/exploiting-neverwinter-nights.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.03.2025
by Daily end-of-shift report 07 Mar '25

07 Mar '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 06-03-2025 18:00 − Freitag 07-03-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Cybercrime crew stole $635,000 in Taylor Swift concert tickets ∗∗∗ --------------------------------------------- New York prosecutors say that two people working at a third-party contractor for the StubHub online ticket marketplace made $635,000 after almost 1,000 concert tickets and reselling them online. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cybercrime-crew-stole-635-00… ∗∗∗ Microsoft says malvertising campaign impacted 1 million PCs ∗∗∗ --------------------------------------------- Microsoft has taken down an undisclosed number of GitHub repositories used in a massive malvertising campaign that impacted almost one million devices worldwide. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-says-malvertising-… ∗∗∗ Cyberangriff analysiert: Hacker verschlüsseln Unternehmensdaten über eine Webcam ∗∗∗ --------------------------------------------- Ein EDR-Tool hat Verschlüsselungsversuche der Ransomwaregruppe Akira erfolgreich vereitelt. Doch dann fanden die Angreifer ein Schlupfloch. --------------------------------------------- https://www.golem.de/news/cyberangriff-analysiert-hacker-verschluesseln-unt… ∗∗∗ A Deep Dive into Strela Stealer and how it Targets European Countries ∗∗∗ --------------------------------------------- Infostealers have dominated the malware landscape due to the ease of threat operations maintenance, and a wide group of potential victims. In this blog, we take a closer look at a unique infostealer designed to precisely target a narrow data set on systems located in chosen geographic locations. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/a-deep-dive… ∗∗∗ Russian State Actors: Development in Group Attributions ∗∗∗ --------------------------------------------- This is the final installment of Trustwave SpiderLabs Russia-Ukraine digital battlefield series, which has spanned topics including the differences between Russia and Ukraine cyber actors, how government entities, defense organizations, and human targets were caught in the cyber crossfire, and how both countries targeted the telecommunications, critical .. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/russian-sta… ∗∗∗ A Brand New Botnet Is Delivering Record-Size DDoS Attacks ∗∗∗ --------------------------------------------- Eleven11bot infects webcams and video recorders, with a large concentration in the US. --------------------------------------------- https://www.wired.com/story/eleven11bot-botnet-record-size-ddos-attacks/ ∗∗∗ Akira-Ransomware schlüpft über Webcam an IT-Schutzlösung vorbei ∗∗∗ --------------------------------------------- Eigentlich ist das Firmennetz über eine Schutzsoftware geschützt, die auch anschlägt. Trotzdem konnte ein Trojaner über einen Umweg PCs infizieren. --------------------------------------------- https://www.heise.de/news/Akira-Ransomware-schluepft-ueber-Webcam-an-IT-Sch… ∗∗∗ Who is the DOGE and X Technician Branden Spikes? ∗∗∗ --------------------------------------------- At 49, Branden Spikes isnt just one of the oldest technologists who has been involved in Elon Musks Department of Government Efficiency (DOGE). As the current director of information technology at X/Twitter and an early hire at PayPal, Zip2, Tesla and SpaceX, Spikes is also among Musks most loyal employees. Heres a closer look at this trusted Musk lieutenant, whose Russian ex-wife was once married to Elons cousin. --------------------------------------------- https://krebsonsecurity.com/2025/03/who-is-the-doge-and-x-technician-brande… ∗∗∗ Multiple Vulnerabilities Discovered in a SCADA System ∗∗∗ --------------------------------------------- We identified multiple vulnerabilities in ICONICS Suite, SCADA software used in numerous OT applications. This article offers a technical analysis of our findings. --------------------------------------------- https://unit42.paloaltonetworks.com/vulnerabilities-in-iconics-software-sui… ∗∗∗ Russian crypto exchange Garantex’s website taken down in apparent law enforcement operation ∗∗∗ --------------------------------------------- Russian cryptocurrency exchange Garantex was taken down in an apparent seizure by U.S. and European law enforcement Thursday, shortly after the company said $28 million had been frozen by another cryptocurrency firm. --------------------------------------------- https://therecord.media/garantex-crypto-exchange-taken-down-law-enforcement… ∗∗∗ CISA, FBI warn of BianLian mail scam targeting executives with $500k ransom note ∗∗∗ --------------------------------------------- In an alert on Thursday, the FBI said scammers are mailing letters to corporate executives claiming that they stole sensitive data and will publish it unless a demand is paid in Bitcoin. --------------------------------------------- https://therecord.media/cisa-fbi-warn-bianlian-mail-scam-extortion ∗∗∗ Canadian intelligence agency warns of threat AI poses to upcoming elections ∗∗∗ --------------------------------------------- Influence and espionage campaigns, boosted by AI, are likely to be aimed at Canadas upcoming elections, says a new report from the CSE, the countrys signals and cyber intelligence agency. --------------------------------------------- https://therecord.media/canada-cyber-agency-elections-warning-ai- ∗∗∗ NixSpam RBL ab 7.3.2025 abgeschaltet – gibt Ärger – aber nun gelöst ∗∗∗ --------------------------------------------- Kurze Information für Blog-Leser die bei der Mail-Filterung auf "NixSpam RBL" gesetzt haben. Der vom heise-Verlag betriebene Dienst ist seit dem heutigen 7. März 2025 abgeschaltet, was einigen Leuten Probleme bereiten .. --------------------------------------------- https://www.borncity.com/blog/2025/03/07/nixspam-rbl-ab-7-3-2025-abgeschalt… ∗∗∗ New edu platform and Sanitization and Validation and Escaping, Oh My! article ∗∗∗ --------------------------------------------- With the beta launch of my companys educational platform (hackArcana), I finally have a place to write more about the fundamentals of security and post more educational content. The first piece Ive written for our new platform touches on the confusion around the terms "validation," "sanitization," "encoding," "escaping," .. --------------------------------------------- https://gynvael.coldwind.pl/?id=800 ∗∗∗ Microsoft Dismantles Malvertising Scam Using GitHub, Discord, Dropbox ∗∗∗ --------------------------------------------- Microsoft Threat Intelligence exposes a malvertising campaign exploiting GitHub, Discord, and Dropbox. Discover the multi-stage attack chain, .. --------------------------------------------- https://hackread.com/microsoft-dismantle-malvertising-github-discord-dropbo… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.03.2025
by Daily end-of-shift report 06 Mar '25

06 Mar '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 05-03-2025 18:00 − Donnerstag 06-03-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ Massive botnet that appeared overnight is delivering record-size DDoSes ∗∗∗ --------------------------------------------- Eleven11bot infects video recorders, with the largest concentration of them in the US. --------------------------------------------- https://arstechnica.com/security/2025/03/massive-botnet-that-appeared-overn… ∗∗∗ Malicious Chrome extensions can spoof password managers in new attack ∗∗∗ --------------------------------------------- A newly devised "polymorphic" attack allows malicious Chrome extensions to morph into other browser extensions, including password managers, crypto wallets, and banking apps, to steal sensitive information. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malicious-chrome-extensions-… ∗∗∗ Trojans disguised as AI: Cybercriminals exploit DeepSeek’s popularity ∗∗∗ --------------------------------------------- Kaspersky experts have discovered campaigns distributing stealers, malicious PowerShell scripts, and backdoors through web pages mimicking the DeepSeek and Grok websites. --------------------------------------------- https://securelist.com/backdoors-and-stealers-prey-on-deepseek-and-grok/115… ∗∗∗ PayPal-Passwort wurde geändert? Achtung: Phishing-Alarm! ∗∗∗ --------------------------------------------- Aktuell machen Phishing-Mails die Runde, welche angeblich von PayPal stammen. In ihnen wird behauptet, das Passwort des Opfers sei geändert worden. Um diese Änderung rückgängig zu machen, müsse man lediglich auf einen Link klicken und ein paar persönliche Daten angeben. Hinter dieser Aufforderung verstecken sich allerdings Kriminelle, die es auf persönliche Informationen und Bankdaten abgesehen haben. --------------------------------------------- https://www.watchlist-internet.at/news/paypal-passwort-phishing/ ∗∗∗ Decrypting the Forest From the Trees ∗∗∗ --------------------------------------------- SCCM forest discovery accounts can be decrypted including accounts used for managing untrusted forests. If the site server is a managed client, service account credentials can be decrypted via the Administration Service API. --------------------------------------------- https://posts.specterops.io/decrypting-the-forest-from-the-trees-661694ed16… ∗∗∗ Medusa Ransomware Activity Continues to Increase ∗∗∗ --------------------------------------------- Medusa ransomware attacks jumped by 42% between 2023 and 2024. This increase in activity continues to escalate, with almost twice as many Medusa attacks observed in January and February 2025 as in the first two months of 2024. --------------------------------------------- https://www.security.com/threat-intelligence/medusa-ransomware-attacks ∗∗∗ Unveiling EncryptHub: Analysis of a multi-stage malware campaign ∗∗∗ --------------------------------------------- EncryptHub, a rising cybercriminal entity, has recently caught the attention of multiple threat intelligence teams, including our own (Outpost24’s KrakenLabs). While other reports have begun to shed light on this actor’s operations, our investigation goes a step further, uncovering previously unseen aspects of their infrastructure, tooling, and behavioral patterns. --------------------------------------------- https://outpost24.com/blog/unveiling-encrypthub-multi-stage-malware/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr), Fedora (firefox and vim), Red Hat (firefox), Slackware (mozilla), SUSE (firefox, firefox-esr, kernel, and podman), and Ubuntu (gpac, kernel, linux, linux-aws, linux-gcp, linux-gcp-5.15, linux-gke, linux-hwe-5.15, and redis). --------------------------------------------- https://lwn.net/Articles/1013209/ ∗∗∗ Sicherheitsupdate: Kritische Schadcode-Lücke bedroht Kibana ∗∗∗ --------------------------------------------- Wie die Entwickler in einer Warenmeldung ausführen, sind die Versionen >= 8.15.0 und < 8.17.1 nur attackierbar, wenn Angreifer über Viewer-Role-Rechte verfügen. [..] Die Lücke schrammt mit dem CVSS Score 3.1 9.9 von 10 knapp an der Höchstwertung vorbei. (CVE-2025-25012) --------------------------------------------- https://heise.de/-10306066 ∗∗∗ ABB Cylon Aspect 3.08.01 (caldavUpload.php) Funkalicious Exploit ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5926.php -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.03.2025
by Daily end-of-shift report 05 Mar '25

05 Mar '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 04-03-2025 18:00 − Mittwoch 05-03-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ Text-basiertes QR Code Phishing im Umlauf ∗∗∗ --------------------------------------------- Über den neuen Ansatz hatten wir 2024 in unseren Newslettern berichtet, nun erhalten wir auch direkt Meldungen über "bildlose" QR-Code Phishs. Kurz umrissen: der QR-Code wird nicht wie oft üblich als Bilddatei übermittelt, sondern aus einzelnen ASCII-/Unicode Block-Zeichen zusammengesetzt. Dadurch kann der im QR-Code enthaltene Inhalt Sicherheitslösungen verborgen bleiben, für optische QR-Code Scanner jedoch funktional bleiben. --------------------------------------------- https://www.cert.at/de/aktuelles/2025/3/text-basiertes-qr-code-phishing-im-… ∗∗∗ Use one Virtual Machine to own them all — active exploitation of ESXicape ∗∗∗ --------------------------------------------- Yesterday, VMware quietly released patches for three ESXi zero day vulnerabilities: CVE-2025–22224, CVE-2025–22225, CVE-2025–22226. Although the advisory doesn’t explicitly say it, this is a hypervisor escape (aka a VM Escape). A threat actor with access to run code on a virtual machine can chain the three vulnerabilities to elevate access to the ESX hypervisor. --------------------------------------------- https://doublepulsar.com/use-one-virtual-machine-to-own-them-all-active-exp… ∗∗∗ BadBox malware disrupted on 500K infected Android devices ∗∗∗ --------------------------------------------- The BadBox Android malware botnet has been disrupted again by removing 24 malicious apps from Google Play and sinkholing communications for half a million infected devices. [..] The BadBox botnet is a cyber-fraud operation targeting primarily low-cost Android-based devices like TV streaming boxes, tablets, smart TVs, and smartphones. These devices either come pre-loaded with the BadBox malware from the manufacturer or are infected by malicious apps or firmware downloads. --------------------------------------------- https://www.bleepingcomputer.com/news/security/badbox-malware-disrupted-on-… ∗∗∗ Undercover miner: how YouTubers get pressed into distributing SilentCryptoMiner as a restriction bypass tool ∗∗∗ --------------------------------------------- Attackers blackmail YouTubers with complaints and account blocking threats, forcing them to distribute a miner disguised as a bypass tool. --------------------------------------------- https://securelist.com/silentcryptominer-spreads-through-blackmail-on-youtu… ∗∗∗ The Russia-Ukraine Cyber War Part 3: Attacks on Telecom and Critical Infrastructure ∗∗∗ --------------------------------------------- This post is the third part of our blog series that tackles the Russia-Ukraine war in the digital realm. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-russia-… ∗∗∗ BAMF: Skurrile Testkonten ermöglichten unautorisierten Datenzugriff ∗∗∗ --------------------------------------------- Anhand von Screenshots der Web-Applikation sei ersichtlich gewesen, dass im Test- und Integrationssystem offenbar ein Account mit der Nutzerkennung "max.mustermann(a)testtraeger.de" existierte. Die Domain sei noch frei gewesen. --------------------------------------------- https://www.heise.de/news/BAMF-Skurrile-Testkonten-ermoeglichten-unautorisi… ∗∗∗ Beneath the Surface: Detecting and Blocking Hidden Malicious Traffic Distribution Systems ∗∗∗ --------------------------------------------- Adversaries widely abuse TDS infrastructure to build dynamic and resilient network infrastructure for malicious web services. These redirection networks enhance resilience against takedowns and enable scaling and cloaking of malicious content. --------------------------------------------- https://unit42.paloaltonetworks.com/detect-block-malicious-traffic-distribu… ∗∗∗ CVE-2024-43639: Remote Code Execution in Microsoft Windows KDC Proxy ∗∗∗ --------------------------------------------- The following is a portion of their write-up covering CVE-2024-43639, with a few minimal modifications. [..] This vulnerability was patched by the vendor in November. To date, no attacks have been detected in the wild. --------------------------------------------- https://www.thezdi.com/blog/2025/3/3/cve-2024-43639 ∗∗∗ Scammers Mailing Ransom Letters While Posing as BianLian Ransomware ∗∗∗ --------------------------------------------- Scammers are impersonating BianLian ransomware, and mailing fake ransom letters to businesses. --------------------------------------------- https://hackread.com/scammers-mailing-ransom-letters-bianlian-ransomware/ ∗∗∗ LinkedIn Phishing Scam: Fake InMail Messages Spreading ConnectWise Trojan ∗∗∗ --------------------------------------------- Cybersecurity researchers at Cofense have recently uncovered a deceptive campaign that distributes malicious software using a spoofed LinkedIn email. [..] The fraudulent email is designed to mimic a notification for a LinkedIn InMail message, a feature that allows users to contact individuals outside of their immediate network. The email effectively leverages LinkedIn’s branding, convincingly creating legitimacy. --------------------------------------------- https://hackread.com/scammers-fake-linkedin-inmail-deliver-connectwise-troj… ∗∗∗ GreyNoise Observes Exploitation of Three Newly Added KEV Vulnerabilities ∗∗∗ --------------------------------------------- On March 3, 2025, the Cybersecurity and Infrastructure Security Agency added five vulnerabilities to its Known Exploited Vulnerabilities catalog, confirming their exploitation in the wild. [..] CVE-2022-43939 (Authorization Bypass) & CVE-2022-43769 (Special Element Injection) Hitachi Vantara Pentaho BA Server [..] CVE-2024-4885 Progress WhatsUp Gold Path Traversal Vulnerability. --------------------------------------------- https://www.greynoise.io/blog/greynoise-observes-exploitation-three-newly-a… ∗∗∗ GoStringUngarbler: Deobfuscating Strings in Garbled Binaries ∗∗∗ --------------------------------------------- In this blog post, we'll detail garble’s string transformations and the process of automatically deobfuscating them. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/gostringungarbler-… ∗∗∗ Trigon: developing a deterministic kernel exploit for iOS ∗∗∗ --------------------------------------------- CVE-2023-32434 was an integer overflow in the VM subsystem of the XNU kernel. It was patched in iOS 16.5.1 after being found in-the-wild as part of the Operation Triangulation spyware chain, discovered after it was used to infect a group of security researchers at Kaspersky. These researchers then captured and reverse-engineered the entire chain, leading to the patching of a WebKit bug, a kernel bug, a userspace PAC bypass and a PPL (and, technically, a KTRR) bypass. [..] This writeup simply shows the steps involved in the final, working exploit. It does not, however, convey just how many failed ideas and attempts there were during the process. --------------------------------------------- https://alfiecg.uk/2025/03/01/Trigon.html ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libreoffice), Fedora (exim and fscrypt), Red Hat (kernel), Slackware (mozilla), SUSE (docker, firefox, and podman), and Ubuntu (linux, linux-lowlatency, linux-lowlatency-hwe-5.15, linux, linux-lowlatency, linux-lowlatency-hwe-6.8, linux, linux-oem-6.11, linux-aws, linux-aws-6.8, linux-oracle, linux-oracle-6.8, linux-raspi, linux-aws, linux-gcp, linux-hwe-6.11, linux-oracle, linux-raspi, linux-realtime, linux-aws, linux-gkeop, linux-ibm, linux-intel-iotg, linux-intel-iotg-5.15, linux-oracle, linux-oracle-5.15, linux-raspi, and linux-gcp, linux-gcp-6.8, linux-gke, linux-gkeop). --------------------------------------------- https://lwn.net/Articles/1013063/ ∗∗∗ Cisco Secure Client for Windows with Secure Firewall Posture Engine DLL Hijacking Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco TelePresence Management Suite Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Security Vulnerabilities fixed in Thunderbird ESR 128.8 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-18/ ∗∗∗ Security Vulnerabilities fixed in Thunderbird 136 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-17/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.03.2025
by Daily end-of-shift report 04 Mar '25

04 Mar '25

===================== = End-of-Day report = ===================== Timeframe: Montag 03-03-2025 18:00 − Dienstag 04-03-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Polish Space Agency offline as it recovers from cyberattack ∗∗∗ --------------------------------------------- The Polish Space Agency (POLSA) has been offline since it disconnected its systems from the Internet over the weekend to contain a breach of its IT infrastructure. --------------------------------------------- https://www.bleepingcomputer.com/news/security/polish-space-agency-offline-… ∗∗∗ Booking a Threat: Inside LummaStealers Fake reCAPTCHA ∗∗∗ --------------------------------------------- Cybercriminals are taking advantage of the increased demand in travel by setting up fake booking sites, phishing scams and fraudulent listings to trick unsuspecting travelers. --------------------------------------------- https://www.gdatasoftware.com/blog/2025/03/38154-lummastealer-fake-recaptcha ∗∗∗ KI-Trainingsdaten: Tausende gültiger API-Keys in gecrawlten Webdaten entdeckt ∗∗∗ --------------------------------------------- Bei der Analyse eines frei verfügbaren Archivs mit rund 400 TBytes an Websitedaten haben Forscher fast 12.000 gültige API-Keys und Passwörter gefunden. --------------------------------------------- https://www.golem.de/news/ki-trainingsdaten-tausende-gueltiger-api-keys-in-… ∗∗∗ Kritische Lücke in VMware ESXi, Fusion und Workstation wird missbraucht ∗∗∗ --------------------------------------------- Broadcom warnt vor teils kritischen Sicherheitslecks in VMware ESXi, Fusion und Workstation. Angreifer missbrauchen sie bereits. --------------------------------------------- https://www.heise.de/news/Kritische-Luecke-in-VMware-ESXi-Fusion-und-Workst… ∗∗∗ DNSSEC NSEC. The accidental treasure map to your subdomains ∗∗∗ --------------------------------------------- TL;DR: DNSSEC secures DNS but may unintentionally expose domain structures via NSEC/NSEC3 records, enabling zone walking to enumerate subdomains. NSEC openly lists domain names, making enumeration easy. NSEC3 hashes .. --------------------------------------------- https://www.pentestpartners.com/security-blog/dnssec-nsec-the-accidental-tr… ∗∗∗ MeinELBA-Zugang läuft bald ab? Vorsicht, Phishing-Versuch! ∗∗∗ --------------------------------------------- Kriminelle versenden aktuell wieder vermehrt SMS-Nachrichten, in denen vor einem Ablaufen des MeinELBA-Zugangs gewarnt wird. Wer verlängern möchte, müsse einen Link anklicken und auf einer vermeintlichen Login-Seite seine Onlinebanking-Daten eingeben. Diese Seite ist natürlich eine Fälschung. Allerdings eine sehr gut gemachte! Wie Sie sie erkennen und was Sie tun können, wenn Sie dort vertrauliche Informationen eingegeben haben, verrät dieser Artikel. --------------------------------------------- https://www.watchlist-internet.at/news/meinelba-zugang-phishing/ ∗∗∗ A Revision of the EU Cybersecurity Blueprint ∗∗∗ --------------------------------------------- The original EU cybersecurity blueprint from 2017 (officially: “Commission Recommendation of 13.9.2017 on Coordinated Response to Large Scale Cybersecurity Incidents and Crises”) is now close to seven years old and an update is overdue. The Commission recently published a draft for an updated version, and I’d like to take this opportunity to .. --------------------------------------------- https://www.cert.at/en/blog/2025/3/a-revision-of-the-eu-cybersecurity-bluep… ∗∗∗ Did Trump Admin Order U.S. Cyber Command and CISA to Stand Down on Russia? ∗∗∗ --------------------------------------------- Two blockbuster stories published on Friday that appear to confirm what many Americans suspected would occur under the Trump administration – that the new regime is going to be softer on Russia than previous administrations, particularly with regard to the threat that Russia poses in cyber space. Since publication, however, .. --------------------------------------------- https://www.zetter-zeroday.com/did-trump-admin-order-u-s-cyber-command-and-… ∗∗∗ The Dangers of Exposed Secrets – and How to Prevent Them ∗∗∗ --------------------------------------------- Modern enterprise software relies on authentication tokens, API keys, encryption keys, certificates, and other sensitive credentials to enable secure communication between applications, microservices, APIs, and DevOps pipelines. However, these secrets often end up hardcoded in source code during the development process, whether unintentionally or as a shortcut for quick .. --------------------------------------------- https://checkmarx.com/blog/exposed-secrets-and-how-to-prevent-them/ ∗∗∗ Do not run any Cargo commands on untrusted projects ∗∗∗ --------------------------------------------- TL;DR: Treat anything starting with cargo as if it is cargo run. --------------------------------------------- https://shnatsel.medium.com/do-not-run-any-cargo-commands-on-untrusted-proj… ∗∗∗ Hacking the Xbox 360 Hypervisor Part 2: The Bad Update Exploit ∗∗∗ --------------------------------------------- Welcome to part 2 of the Hacking the Xbox 360 Hypervisor blog series. In this part I’ll cover how I found and exploited bugs in the Xbox 360 hypervisor to get full code execution and create the “Bad Update” exploit. If you haven’t already, I highly recommend you read (or at least skim through) part 1 as this post will reference a lot of the material discussed there. --------------------------------------------- https://icode4.coffee/?p=1081 ===================== = Vulnerabilities = ===================== ∗∗∗ Docusnap Inventory Files Encrypted with Static Key ∗∗∗ --------------------------------------------- Inventory files created by Docusnap, containing information like installed programs, firewall rules and local administrators, are encrypted with a static key. The decryption key can be obtained easily from the .NET application, downloadable from the vendor’s website. When following Docusnap’s installation instructions for Windows Domains, every domain user has read access to these files. --------------------------------------------- https://www.redteam-pentesting.de/en/advisories/rt-sa-2024-012/ ∗∗∗ Security Vulnerabilities fixed in Firefox ESR 128.8 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-16/ ∗∗∗ Security Vulnerabilities fixed in Firefox ESR 115.21 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-15/ ∗∗∗ Security Vulnerabilities fixed in Firefox 136 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-14/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.03.2025
by Daily end-of-shift report 03 Mar '25

03 Mar '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 28-02-2025 18:00 − Montag 03-03-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Ransomware gangs exploit Paragon Partition Manager bug in BYOVD attacks ∗∗∗ --------------------------------------------- Microsoft had discovered five Paragon Partition Manager BioNTdrv.sys driver flaws, with one used by ransomware gangs in zero-day attacks to gain SYSTEM privileges in Windows. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ransomware-gangs-exploit-par… ∗∗∗ Ohne Nutzerinteraktion: Wie Hacker fremde Gitlab-Accounts übernehmen konnten ∗∗∗ --------------------------------------------- Letztes Jahr hat Gitlab eine gefährliche Sicherheitslücke geschlossen. Ein neuer Bericht zeigt, wie leicht sich damit fremde Konten kapern ließen. --------------------------------------------- https://www.golem.de/news/sicherheitsluecke-per-passwort-reset-fremde-gitla… ∗∗∗ Mobile malware evolution in 2024 ∗∗∗ --------------------------------------------- The most notable mobile threats of 2024, and statistics on Android-specific malware, adware and potentially unwanted software. --------------------------------------------- https://securelist.com/mobile-threat-report-2024/115494/ ∗∗∗ Dornröschenschlaf: mit diesem einfachen Trick Crowdstrike Falcon zähmen ∗∗∗ --------------------------------------------- Nachdem Angreifer die Rechte eines Benutzers mit "NT AUTHORITY\SYSTEM" Berechtigungen erlangt haben, indem andere Schwachstellen .. --------------------------------------------- https://sec-consult.com/de/blog/detail/dornroeschenschlaf-mit-diesem-einfac… ∗∗∗ Vo1d Botnets Peak Surpasses 1.59M Infected Android TVs, Spanning 226 Countries ∗∗∗ --------------------------------------------- Brazil, South Africa, Indonesia, Argentina, and Thailand have become the targets of a campaign that has infected Android TV devices with a botnet malware dubbed Vo1d.The improved variant of Vo1d has been found to encompass 800,000 daily active IP .. --------------------------------------------- https://thehackernews.com/2025/03/vo1d-botnets-peak-surpasses-159m.html ∗∗∗ Cybersecurity not the hiring-em-like-hotcakes role it once was ∗∗∗ --------------------------------------------- Ghost positions, HR AI no help – biz should talk to infosec staff and create realistic job outline, say experts Analysis Its a familiar refrain in the security industry that there is a massive skills gap in the sector. And while its true there are specific shortages in certain areas, some industry watchers believe we may be reaching the point of oversupply for generalists. --------------------------------------------- https://www.theregister.com/2025/03/03/cybersecurity_jobs_market/ ∗∗∗ Massive Sicherheitslücken bei Gebäude-Zugangssystemen entdeckt ∗∗∗ --------------------------------------------- Cyberkriminelle können leicht auf Zugangssysteme von Gebäuden weltweit zugreifen. Eine Studie nennt das Ausmaß und die Ursachen. --------------------------------------------- https://www.heise.de/news/Massive-Sicherheitsluecken-bei-Gebaeude-Zugangssy… ∗∗∗ Angreifer bringen verwundbaren Paragon-Treiber mit und missbrauchen ihn ∗∗∗ --------------------------------------------- Angreifer missbrauchen ein Leck in einem Treiber von Paragon Partition Manager. Besonders gefährlich: den können sie selbst mitbringen. --------------------------------------------- https://www.heise.de/news/Sicherheitsleck-in-Treiber-von-Paragon-Partition-… ∗∗∗ Thule-Radanhänger: Pedalritter im Visier von Fake-Shops ∗∗∗ --------------------------------------------- Die Fahrradanhänger des Traditionsunternehmens Thule genießen zurecht einen hervorragenden Ruf. Diesen machen sich Kriminelle aber immer wieder zu Nutze. Sie bauen den Thule-Onlinestore nach und locken ihre Opfer dort mit vermeintlichen Top-Schnäppchen in die Falle. In diesem Artikel erfahren Sie, wie Sie die Fake-Shops erkennen können und welche Optionen Sie im Fall einer getätigten Zahlung noch haben. --------------------------------------------- https://www.watchlist-internet.at/news/thule-radanhaenger-fake-shops/ ∗∗∗ Uncovering .NET Malware Obfuscated by Encryption and Virtualization ∗∗∗ --------------------------------------------- Malware authors use AES encryption and code virtualization to evade sandbox static analysis. We explore how this facilitates spread of Agent Tesla, XWorm and more. --------------------------------------------- https://unit42.paloaltonetworks.com/malware-obfuscation-techniques/ ∗∗∗ Black Basta and Cactus Ransomware Groups Add BackConnect Malware to Their Arsenal ∗∗∗ --------------------------------------------- In this blog entry, we discuss how the Black Basta and Cactus ransomware groups utilized the BackConnect malware to maintain persistent control and exfiltrate sensitive data from compromised machines. --------------------------------------------- https://www.trendmicro.com/en_us/research/25/b/black-basta-cactus-ransomwar… ∗∗∗ Not Lost in Translation: Rosetta 2 Artifacts in macOS Intrusions ∗∗∗ --------------------------------------------- Rosetta 2 is Apples translation technology for running x86-64 binaries on Apple Silicon (ARM64) macOS systems.Rosetta 2 translation creates a cache of Ahead-Of-Time (AOT) files that can serve as valuable forensic artifacts.Mandiant has observed sophisticated threat actors leveraging x86-64 compiled macOS malware, likely due to broader .. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/rosetta2-artifacts… ∗∗∗ how to gain code execution on millions of people and hundreds of popular apps ∗∗∗ --------------------------------------------- .. and of course, firebase was (partially) the cause --------------------------------------------- https://kibty.town/blog/todesktop/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ffmpeg, kernel, linux-6.1, mariadb-10.5, proftpd-dfsg, and xorg-server), Fedora (chromium, cutter-re, iniparser, nodejs22, rizin, webkitgtk, wireshark, xen, and xorg-x11-server), Mageia (binutils and ffmpeg), Oracle (emacs and kernel), Red Hat (emacs and webkit2gtk3), SUSE (azure-cli, bsdtar, gnutls, govulncheck-vulndb, .. --------------------------------------------- https://lwn.net/Articles/1012760/ ∗∗∗ CISA Adds Five Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CISA has added five new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2023-20118 Cisco Small Business RV Series Routers Command Injection .. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/03/03/cisa-adds-five-known-exp… ∗∗∗ DSA-5872-1 xorg-server - security update ∗∗∗ --------------------------------------------- https://lists.debian.org/debian-security-announce/2025/msg00034.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.02.2025
by Daily end-of-shift report 28 Feb '25

28 Feb '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 27-02-2025 18:00 − Freitag 28-02-2025 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Auch in Deutschland: 49.000 Zutrittskontrollsysteme hängen ungeschützt am Netz ∗∗∗ --------------------------------------------- Weltweit sorgen unzählige Zutrittskontrollsysteme (AMS – Access Management Systems) dafür, dass nur berechtigte Personen beispielsweise per Codeeingabe, Fingerabdruck oder RFID-Schlüsselkarte Zugang zu bestimmten Arealen, Gebäuden oder Räumlichkeiten haben. Sicherheitsforscher von Modat haben über 49.000 solcher Systeme entdeckt, die sich aufgrund von Konfigurationsfehlern manipulieren lassen und über das Internet erreichbar sind. --------------------------------------------- https://www.golem.de/news/auch-in-deutschland-49-000-zutrittskontrollsystem… ∗∗∗ The SOC files: Chasing the web shell ∗∗∗ --------------------------------------------- Kaspersky SOC analysts discuss a recent incident where the well-known Behinder web shell was used as a post-exploitation backdoor, showing how web shells have evolved. --------------------------------------------- https://securelist.com/soc-files-web-shell-chase/115714/ ∗∗∗ 5,000 Phishing PDFs on 260 Domains Distribute Lumma Stealer via Fake CAPTCHAs ∗∗∗ --------------------------------------------- Cybersecurity researchers have uncovered a widespread phishing campaign that uses fake CAPTCHA images shared via PDF documents hosted on Webflows content delivery network (CDN) to deliver the Lumma stealer malware. --------------------------------------------- https://thehackernews.com/2025/02/5000-phishing-pdfs-on-260-domains.html ∗∗∗ Cyber-Bande Cl0p: Angeblich Daten bei HP und HPE geklaut ∗∗∗ --------------------------------------------- Insgesamt 230 neue Opfer listet die kriminelle Gruppe Cl0p auf ihrer Darknet-Webseite auf. Darunter sind auch namhafte wie HP und HPE. [..] Die Kriminellen nennen auch kein Datum als Ultimatum, bis wann sich die angeblichen Opfer melden müssten. Belege für den Datenabzug liefert Cl0p ebenfalls nicht. In der Vergangenheit hatten sich die behaupteten Angriffe jedoch als wahr herausgestellt. --------------------------------------------- https://www.heise.de/news/Cyber-Bande-Cl0p-Angeblich-Daten-bei-HP-und-HPE-g… ∗∗∗ Warning issued as hackers offer firms fake cybersecurity audits to break into their systems ∗∗∗ --------------------------------------------- Companies are being warned that malicious hackers are using a novel technique to break into businesses - by pretending to offer audits of the companys cybersecurity. --------------------------------------------- https://www.tripwire.com/state-of-security/beware-fake-cybersecurity-audits… ∗∗∗ Attack and Defense in OT: Enhancing Cyber Resilience in Industrial Systems with Red Team Operations ∗∗∗ --------------------------------------------- This edition of the series focuses on how Red Team assessments can assist companies in identifying and mitigating threats in OT environments. After giving some background about the current threat landscape and terminology, we start by explaining how an external attacker gains an initial foothold in the network. --------------------------------------------- https://blog.nviso.eu/2025/02/28/attack-and-defense-in-ot-enhancing-cyber-r… ∗∗∗ Microsoft: Unsichere DES-Verschlüsselung fliegt aus Windows raus ∗∗∗ --------------------------------------------- Microsoft hat jetzt angekündigt, dass der lange als unsicher geltende Cipher DES zum September aus Windows entfernt wird. [..] Bereits 1998 haben IT-Sicherheitsforscher demonstriert, dass DES-Schlüssel, die aufgrund US-amerikanischer Export-Beschränkungen zudem auf 56 Bit Länge beschränkt waren, innerhalb von nicht einmal drei Tagen und mit begrenztem Budget zu knacken waren. --------------------------------------------- https://heise.de/-10299473 ∗∗∗ Next-Gen Phishing Techniques – How Back-End Tech Made Scams More Effective ∗∗∗ --------------------------------------------- Today’s sophisticated back-end technologies take phishing and social engineering to the next level. Hackers are now able to create not only better messages but also more convincing, harder-to-detect phishing websites. --------------------------------------------- https://heimdalsecurity.com/blog/next-gen-phishing-techniques/ ===================== = Vulnerabilities = ===================== ∗∗∗ Videoeditor DaVinci Resolve ermöglicht Rechteausweitung in macOS ∗∗∗ --------------------------------------------- Das polnische CERT warnt vor einer Schwachstelle in der Video-Editiersoftware DaVinci Resolve für Macs. --------------------------------------------- https://www.heise.de/news/Videoeditor-DaVinci-Resolve-ermoeglicht-Rechteaus… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (emacs, freerdp2, and gst-plugins-good1.0), Fedora (java-17-openjdk, python3.6, and xorg-x11-server-Xwayland), Mageia (radare2), SUSE (libX11, openvswitch3, postgresql13, procps, ruby2.5, webkit2gtk3, and xorg-x11-server), and Ubuntu (git, linux-aws, linux-aws, linux-aws-6.8, linux-aws, linux-oracle, linux-oracle-5.4, linux-ibm, linux-intel-iotg, linux-intel-iotg-5.15, and linux-oem-6.11). --------------------------------------------- https://lwn.net/Articles/1012367/ ∗∗∗ DSA-5871-1 emacs - security update ∗∗∗ --------------------------------------------- https://lists.debian.org/debian-security-announce/2025/msg00033.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.02.2025
by Daily end-of-shift report 27 Feb '25

27 Feb '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 26-02-2025 18:00 − Donnerstag 27-02-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ The surveillance tech waiting for workers as they return to the office ∗∗∗ --------------------------------------------- Warehouse-style employee-tracking technology is coming for the office worker. --------------------------------------------- https://arstechnica.com/information-technology/2025/02/the-surveillance-tec… ∗∗∗ Find-My-Netzwerk: Angriff macht fremde Bluetooth-Geräte trackbar wie Airtags ∗∗∗ --------------------------------------------- Forscher haben einen Weg gefunden, fremde Bluetooth-Geräte mit hoher Genauigkeit zu orten - mit erheblichen Auswirkungen auf die Privatsphäre. --------------------------------------------- https://www.golem.de/news/find-my-netzwerk-angriff-macht-fremde-bluetooth-g… ∗∗∗ Wallbleed vulnerability unearths secrets of Chinas Great Firewall 125 bytes at a time ∗∗∗ --------------------------------------------- Boffins poked around inside censorship engines for years before Beijing patched hole Smart folks investigating a memory-dumping vulnerability in the Great Firewall of China (GFW) finally released their findings after probing it for years. --------------------------------------------- https://www.theregister.com/2025/02/27/wallbleed_vulnerability_great_firewa… ∗∗∗ U.S. Soldier Charged in AT&T Hack Searched “Can Hacking Be Treason” ∗∗∗ --------------------------------------------- A U.S. Army soldier who pleaded guilty last week to leaking phone records for high-ranking U.S. government officials searched online for non-extradition countries and for an answer to the question "can hacking be treason?" prosecutors in the case said Wednesday. The government disclosed the details in a court motion to keep the defendant in custody until he is discharged from the military. --------------------------------------------- https://krebsonsecurity.com/2025/02/u-s-soldier-charged-in-att-hack-searche… ∗∗∗ Squidoor: Suspected Chinese Threat Actor’s Backdoor Targets Global Organizations ∗∗∗ --------------------------------------------- We analyze the backdoor Squidoor, used by a suspected Chinese threat actor to steal sensitive information. This multi-platform backdoor is built for stealth. --------------------------------------------- https://unit42.paloaltonetworks.com/advanced-backdoor-squidoor/ ∗∗∗ Belgium probes suspected Chinese hack of state security service ∗∗∗ --------------------------------------------- A breach of the Belgian state security services email system appears to be the work of Chinese state-backed hackers, according to prosecutors. --------------------------------------------- https://therecord.media/belgium-investigation-alleged-china-cyber-espionage… ∗∗∗ Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools ∗∗∗ --------------------------------------------- Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools --------------------------------------------- https://blog.talosintelligence.com/lotus-blossom-espionage-group/ ∗∗∗ Russian campaign targeting Romanian WhatsApp numbers ∗∗∗ --------------------------------------------- We’ve identified a campaign that advises people to vote for a contest so they can win “prizes”. The only “prize” is that they’ll lose access to their WhatsApp account. Multiple hints indicate that the campaign originates from Russia. This .. --------------------------------------------- https://cybergeeks.tech/russian-campaign-targeting-romanian-whatsapp-number… ∗∗∗ GreyNoise Detects Active Exploitation of CVEs Mentioned in Black Basta’s Leaked Chat Logs ∗∗∗ --------------------------------------------- Ransomware group Black Basta’s chat logs were leaked, revealing 62 mentioned CVEs (Source: VulnCheck). GreyNoise identified 23 of these CVEs as actively exploited, with some targeted in the last 24 hours. Notably, CVE-2023-6875 is .. --------------------------------------------- https://www.greynoise.io/blog/greynoise-detects-active-exploitation-cves-bl… ∗∗∗ GreyNoise 2025 Mass Internet Exploitation Report: Attackers Are Moving Faster Than Ever — Are You Ready? ∗∗∗ --------------------------------------------- Attackers are automating exploitation at scale, targeting both new and old vulnerabilities — some before appearing in KEV. Our latest report breaks down which CVEs were exploited most in 2024, how ransomware groups are leveraging mass .. --------------------------------------------- https://www.greynoise.io/blog/2025-mass-internet-exploitation-report ∗∗∗ Taking the relaying capabilities of multicast poisoning to the next level: tricking Windows SMB clients into falling back to WebDav ∗∗∗ --------------------------------------------- When performing LLMNR/mDNS/NBTNS poisoning in an Active Directory environment, it is fairly common to be able to trigger SMB authentications to an attacker-controlled machine. This kind of authentication may be useful, but is rather limited from a relaying standpoint, due to the fact that Windows SMB clients .. --------------------------------------------- https://www.synacktiv.com/publications/taking-the-relaying-capabilities-of-… ∗∗∗ MITRE Releases OCCULT Framework ∗∗∗ --------------------------------------------- The Operational Evaluation Framework for Cyber Security Risks in AI (OCCULT) is a pioneering methodology developed by MITRE to assess the potential risks posed by large language models (LLMs) in offensive cyber operations (OCO). As AI technology advances, there is an increasing concern about its misuse in executing sophisticated cyberattacks. The OCCULT Framework aims to […] --------------------------------------------- https://thecyberthrone.in/2025/02/27/mitre-releases-occult-framework/ ===================== = Vulnerabilities = ===================== ∗∗∗ XSA-467 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-467.html ∗∗∗ ZDI-25-100: Linux Kernel ksmbd Session Setup Race Condition Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Linux Kernel. Authentication is not required to exploit this vulnerability. However, only systems with ksmbd enabled are vulnerable. The ZDI has assigned a CVSS rating of 9.0. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-100/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.02.2025
by Daily end-of-shift report 26 Feb '25

26 Feb '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 25-02-2025 18:00 − Mittwoch 26-02-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ Datenleck-Such-Website Have I Been Pwned um 284 Millionen Accounts aufgestockt ∗∗∗ --------------------------------------------- Im Telegram-Kanal ALIEN TXTBASE wurden von Infostealer-Malware erbeute Mailadressen und Passwörter geteilt. Diese Daten sind nun in HIBP integriert. --------------------------------------------- https://www.heise.de/news/Datenleck-Such-Website-Have-I-Been-Pwned-um-284-M… ∗∗∗ Russian officials warn of potential compromise of major tech services provider ∗∗∗ --------------------------------------------- In an unusual public disclosure, the Russian government said that subsidiaries of LANIT, a major tech services provider, had potentially been breached. --------------------------------------------- https://therecord.media/lanit-russia-government-contractor-potential-compro… ∗∗∗ EncryptHub breaches 618 orgs to deploy infostealers, ransomware ∗∗∗ --------------------------------------------- A threat actor tracked as EncryptHub, aka Larva-208, has been targeting organizations worldwide with spear-phishing and social engineering attacks to gain access to corporate networks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/encrypthub-breaches-618-orgs… ∗∗∗ Cyberattacken: Lücken in Zimbra und Microsoft Partner Center werden angegriffen ∗∗∗ --------------------------------------------- Ältere Sicherheitslücken in Zimbra und Microsoft Partner Center werden aktuell angegriffen, warnt die US-IT-Sicherheitsbehörde CISA. --------------------------------------------- https://heise.de/-10296961 ∗∗∗ Wenn Fußballliebe teuer wird: Fake-Shops im Namen von Manchester United, Real Madrid oder FC Barcelona ∗∗∗ --------------------------------------------- Betrüger:innen imitieren immer wieder die Onlinestores der Top-Clubs und locken mit niedrigsten Preisen. Die Fans freuen sich über ein vermeintliches Super-Sonderangebot. Die Ware erhalten Sie aber nie, das Geld ist weg. --------------------------------------------- https://www.watchlist-internet.at/news/fussball-fake-shops/ ∗∗∗ Android happy to check your nudes before you forward them ∗∗∗ --------------------------------------------- The Android app SafetyCore was silently installed and looks at incoming and outgoing pictures to check their decency. [..] The good people at ZDNet provided instructions on how to get rid of SafetyCore or disable it if you would like to do so. --------------------------------------------- https://www.malwarebytes.com/blog/news/2025/02/android-happy-to-check-your-… ∗∗∗ Exploits and vulnerabilities in Q4 2024 ∗∗∗ --------------------------------------------- This report provides statistics on vulnerabilities and exploits and discusses the most frequently exploited vulnerabilities in Q4 2024. --------------------------------------------- https://securelist.com/vulnerabilities-and-exploits-in-q4-2024/115761/ ∗∗∗ The Best Security Is When We All Agree To Keep Everything Secret (Except The Secrets) - NAKIVO Backup & Replication (CVE-2024-48248) ∗∗∗ --------------------------------------------- Today, we’re here to talk about an unauthenticated Arbitrary File Read vulnerability we discovered in NAKIVO's Backup and Replication solution - specifically in version 10.11.3.86570 [..] 18th October 2024 watchTowr is assigned CVE-2024-48248 for this vulnerability [..] 4th November 2024: NAKIVO silently patches the vulnerability (v11.0.0.88174) --------------------------------------------- https://labs.watchtowr.com/the-best-security-is-when-we-all-agree-to-keep-e… ∗∗∗ A dive into the Rockchip Bootloader ∗∗∗ --------------------------------------------- Rockchip has a structured sequence of bootloaders. Using various plugs can allow access to the MCU’s RAM and storage. There are many utilities to allow reading of information from the MCU. Use this guide to access and reverse engineer bootloaders. --------------------------------------------- https://www.pentestpartners.com/security-blog/a-dive-into-the-rockchip-boot… ∗∗∗ Technical Advisory: Multiple Vulnerabilities in TCPDF ∗∗∗ --------------------------------------------- NCC Group has identified multiple vulnerabilities in TCPDF, which is a popular library used for PDF generation. [..] 12/23/24 - Vendor releases version 6.8.0 to address issues. --------------------------------------------- https://www.nccgroup.com/us/research-blog/technical-advisory-multiple-vulne… ∗∗∗ Pwn everything Bounce everywhere all at once (part 1) ∗∗∗ --------------------------------------------- The following article describes how, during an "assumed breach" security audit, we compromised multiple web applications on our client's network in order to carry out a watering hole attack by installing fake Single Sign-On pages on the compromised servers. --------------------------------------------- http://blog.quarkslab.com/pwn-everything-bounce-everywhere-all-at-once-part… ∗∗∗ Pwn everything Bounce everywhere all at once (part 2) ∗∗∗ --------------------------------------------- In our second episode we take a look at SOPlanning, a project management application that we encountered during the audit. --------------------------------------------- http://blog.quarkslab.com/pwn-everything-bounce-everywhere-all-at-once-part… ===================== = Vulnerabilities = ===================== ∗∗∗ Synology-SA-25:03 DSM ∗∗∗ --------------------------------------------- A vulnerability allows attackers to read any file via writable Network File System (NFS) service. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_25_03 ∗∗∗ Cisco Application Policy Infrastructure Controller Vulnerabilities ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Nexus 3000 and 9000 Series Switches Command Injection Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Nexus 3000 and 9000 Series Switches Health Monitoring Diagnostics Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.02.2025
by Daily end-of-shift report 25 Feb '25

25 Feb '25

===================== = End-of-Day report = ===================== Timeframe: Montag 24-02-2025 18:00 − Dienstag 25-02-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Parallels Desktop: Zero-Day-Exploit verleiht Angreifern Root-Zugriff auf MacOS ∗∗∗ --------------------------------------------- Eigentlich gibt es für die Sicherheitslücke längst einen Patch. Effektiv ist dieser aber wohl nicht. Ein Forscher zeigt, wie er sich umgehen lässt. --------------------------------------------- https://www.golem.de/news/patch-laesst-sich-umgehen-root-luecke-in-parallel… ∗∗∗ Google binning SMS MFA at last and replacing it with QR codes ∗∗∗ --------------------------------------------- Everyone knew texted OTPs were a dud back in 2016 Google has confirmed it will phase out the use of SMS text messages for multi-factor authentication in favor of more secure technologies. --------------------------------------------- https://www.theregister.com/2025/02/25/google_sms_qr/ ∗∗∗ How nice that state-of-the-art LLMs reveal their reasoning ... for miscreants to exploit ∗∗∗ --------------------------------------------- Blueprints shared for jail-breaking models that expose their chain-of-thought process Analysis AI models like OpenAI o1/o3, DeepSeek-R1, and Gemini 2.0 Flash Thinking can mimic human reasoning through a process called chain of thought. --------------------------------------------- https://www.theregister.com/2025/02/25/chain_of_thought_jailbreaking/ ∗∗∗ Malware variants that target operational tech systems are very rare – but 2 were found last year ∗∗∗ --------------------------------------------- Fuxnet and FrostyGoop were both used in the Russia-Ukraine war Two new malware variants specifically designed to disrupt critical industrial processes were set loose on operational technology networks last year, shutting off heat to more than 600 apartment buildings in one instance and jamming communications to gas, water, and sewage network sensors in the other. --------------------------------------------- https://www.theregister.com/2025/02/25/new_ics_malware_dragos/ ∗∗∗ This Russian Tech Bro Helped Steal $93 Million and Landed in US Prison. Then Putin Called ∗∗∗ --------------------------------------------- In the epic US-Russian prisoner swap last summer, Vladimir Putin brought home an assassin, spies, and another prized ally: the man behind one of the biggest insider trading cases of all time. --------------------------------------------- https://www.wired.com/story/russian-prisoner-swap-vladislav-klyushin-evan-g… ∗∗∗ ‘OpenAI’ Job Scam Targeted International Workers Through Telegram ∗∗∗ --------------------------------------------- An alleged job scam, led by “Aiden” from “OpenAI,” recruited workers in Bangladesh for months before disappearing overnight, according to FTC complaints obtained by WIRED. --------------------------------------------- https://www.wired.com/story/openai-job-scam/ ∗∗∗ DeepSeek Lure Using CAPTCHAs To Spread Malware ∗∗∗ --------------------------------------------- The rapid rise of generative AI tools has created opportunities and challenges for cybercriminals. In an instant, industries are being reshaped while new attack surfaces are being exposed. DeepSeek AI chatbot that launched on January 20, 2025, quickly gained international attention, making it a prime target for abuse. Leveraging a tactic known as brand .. --------------------------------------------- https://www.zscaler.com/blogs/security-research/deepseek-lure-using-captcha… ∗∗∗ Password-Spraying-Angriff auf M365-Konten von Botnet mit über 130.000 Drohnen ∗∗∗ --------------------------------------------- IT-Forscher haben ein Botnet aus mehr als 130.000 Drohnen bei Password-Spraying-Angriffen gegen Microsoft-365-Konten beobachtet. --------------------------------------------- https://www.heise.de/news/Password-Spraying-Angriff-auf-M365-Konten-von-Bot… ∗∗∗ Background check provider data breach affects 3 million people who may not have heard of the company ∗∗∗ --------------------------------------------- Background check provider DISA has disclosed a major data breach which may have affected over 3 million people. --------------------------------------------- https://www.malwarebytes.com/blog/news/2025/02/background-check-provider-da… ∗∗∗ 100,000 WordPress Sites Affected by Arbitrary File Upload, Read and Deletion Vulnerability in Everest Forms WordPress Plugin ∗∗∗ --------------------------------------------- 100,000 WordPress Sites Affected by Arbitrary File Upload, Read and Deletion Vulnerability in Everest Forms WordPress Plugin. --------------------------------------------- https://www.wordfence.com/blog/2025/02/100000-wordpress-sites-affected-by-a… ∗∗∗ Vorsicht, Phishing: „Ihre Registrierung für die Finanz Online-ID läuft ab“ ∗∗∗ --------------------------------------------- Aktuell werden immer wieder E-Mails und SMS-Nachrichten mit der Warnung vor einer angeblich ablaufenden Nutzer-ID für FinanzOnline versendet. Wer auf den mitgesendeten Link klickt und den Anweisungen folgt, gibt allerdings wichtige persönliche Daten an Betrüger:innen weiter. --------------------------------------------- https://www.watchlist-internet.at/news/phishing-finanz-online-id/ ∗∗∗ Mixing up Public and Private Keys in OpenID Connect deployments ∗∗∗ --------------------------------------------- I am developing a tool to check cryptographic public keys for known vulnerabilities called badkeys. During the Q&A session of a presentation about badkeys at the German OWASP Day, I was asked whether I had ever used badkeys to check cryptographic keys in OpenID Connect setups. I had not until then. OpenID Connect is a single sign-on protocol that allows .. --------------------------------------------- https://blog.hboeck.de:443/archives/909-Mixing-up-Public-and-Private-Keys-i… ∗∗∗ Auto-Color: An Emerging and Evasive Linux Backdoor ∗∗∗ --------------------------------------------- The new Linux malware named Auto-color uses advanced evasion tactics. Discovered by Unit 42, this article cover its installation, evasion features and more. --------------------------------------------- https://unit42.paloaltonetworks.com/new-linux-backdoor-auto-color/ ∗∗∗ Swedish authorities seek backdoor to encrypted messaging apps ∗∗∗ --------------------------------------------- Sweden’s law enforcement and security agencies are pushing legislation to force Signal and WhatsApp to create technical backdoors allowing them to access communications sent over the encrypted messaging apps. --------------------------------------------- https://therecord.media/sweden-seeks-backdoor-access-to-messaging-apps ∗∗∗ Siberias largest dairy plant reportedly disrupted with LockBit variant ∗∗∗ --------------------------------------------- Reports said the dairy company Sayanmolokos plant in Semyonishna was attacked with LockBit ransomware, possibly because of its support for Russian troops in Ukraine. Company printers reportedly churned out leaflets. --------------------------------------------- https://therecord.media/siberia-dairy-plant-cyberattack-lockbit-variant ∗∗∗ Your item has sold! Avoiding scams targeting online sellers ∗∗∗ --------------------------------------------- There are many risks associated with selling items on online marketplaces that individuals and organizations should be aware of when conducting business on these platforms. --------------------------------------------- https://blog.talosintelligence.com/online-marketplace-scams/ ∗∗∗ GreyNoise Observes Active Exploitation of Cisco Vulnerabilities Tied to Salt Typhoon Attacks ∗∗∗ --------------------------------------------- GreyNoise has observed exploitation attempts targeting two Cisco vulnerabilities, CVE-2023-20198 and CVE-2018-0171. CVE-2023-20198 is being actively exploited by over 110 malicious IPs, primarily from Bulgaria, Brazil, and Singapore, while CVE-2018-0171 has seen exploitation attempts from two malicious IPs traced to Switzerland and the United States. These .. --------------------------------------------- https://www.greynoise.io/blog/greynoise-observes-active-exploitation-of-cis… ∗∗∗ TON Wallet Security Threat: Malicious npm Package Steals Cryptocurrency Wallet Keys ∗∗∗ --------------------------------------------- The Socket Research Team has discovered a malicious npm package, @ton-wallet/create, that has been stealing mnemonic phrases from unsuspecting users and developers in the TON ecosystem. TON was built around The Open Network blockchain originally developed by Telegram and is widely used for decentralized applications (dApps), smart contracts, and .. --------------------------------------------- https://socket.dev/blog/ton-wallet-security-threat-malicious-npm-package-st… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (libpq, postgresql:13, postgresql:15, and postgresql:16), Debian (nodejs and php-nesbot-carbon), Mageia (neomutt), Red Hat (python3.11-urllib3 and tuned), SUSE (crun, ovmf, pam_pkcs11, qemu, and webkit2gtk3), and Ubuntu (iniparser, libcap2, linux, linux-hwe, linux, linux-hwe-5.4, linux, linux-lowlatency, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-ibm-5.4, linux-azure, linux-azure-fde, linux-gkeop, linux-nvidia, .. --------------------------------------------- https://lwn.net/Articles/1011764/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.02.2025
by Daily end-of-shift report 24 Feb '25

24 Feb '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 21-02-2025 18:00 − Montag 24-02-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Do not fucking expose management interfaces to the Internet. ∗∗∗ --------------------------------------------- While infrastructure as code and other approaches to automated configuration management have become increasingly popular, in most organizations IT environments management interfaces - especially when it comes to edge devices such as firewalls, VPNs and other remote access solutions, and security appliances - are still very .. --------------------------------------------- https://bytesandborscht.com/do-not-fucking-expose-management-interfaces-to-… ∗∗∗ Leaked chat logs expose inner workings of secretive ransomware group ∗∗∗ --------------------------------------------- Researchers are poring over the data and feeding it into ChatGPT. --------------------------------------------- https://arstechnica.com/security/2025/02/leaked-chat-logs-expose-inner-work… ∗∗∗ How APT Naming Conventions Make Us Less Safe ∗∗∗ --------------------------------------------- Only by addressing the inefficiencies of current naming conventions can we create a safer, more resilient landscape for all defenders. --------------------------------------------- https://www.darkreading.com/cyber-risk/how-apt-naming-conventions-make-us-l… ∗∗∗ Fernzugriff auf fremde Betten: Backdoor in smarter Matratzenauflage entdeckt ∗∗∗ --------------------------------------------- Die Auflage kann die Temperatur der Matratze regeln, Schlafdaten erfassen und Nutzer per Vibration wecken. Eine Backdoor verleiht Vollzugriff. --------------------------------------------- https://www.golem.de/news/fernzugriff-auf-fremde-betten-backdoor-in-smarter… ∗∗∗ Neue Adresse: Phishing-Masche schockt Nutzer mit echten E-Mails von Paypal ∗∗∗ --------------------------------------------- Einige Paypal-Nutzer erhalten unerwartet E-Mails, die auf neu hinzugefügte Adressen hindeuten. Absender ist tatsächlich Paypal. Betrug ist es dennoch. --------------------------------------------- https://www.golem.de/news/neue-adresse-phishing-masche-schockt-nutzer-mit-e… ∗∗∗ The GitVenom campaign: cryptocurrency theft using GitHub ∗∗∗ --------------------------------------------- Kaspersky researchers discovered GitVenom campaign distributing stealers and open-source backdoors via fake GitHub projects. --------------------------------------------- https://securelist.com/gitvenom-campaign/115694/ ∗∗∗ Australien verbannt Kaspersky von Regierungsrechnern ∗∗∗ --------------------------------------------- Zum Wochenende hat das australische Innenministerium die Installation von Kaspersky-Produkten auf Regierungsrechnern verboten. --------------------------------------------- https://www.heise.de/news/Australien-verbannt-Kaspersky-von-Regierungsrechn… ∗∗∗ Trump 2.0 Brings Cuts to Cyber, Consumer Protections ∗∗∗ --------------------------------------------- One month into his second term, President Trumps actions to shrink the government through mass layoffs, firings and withholding funds allocated by Congress have thrown federal cybersecurity and consumer protection programs into disarray. At the same time, agencies are battling an ongoing effort by the worlds richest man to wrest control over their networks and data. --------------------------------------------- https://krebsonsecurity.com/2025/02/trump-2-0-brings-cuts-to-cyber-consumer… ∗∗∗ Three questions about Apple, encryption, and the U.K. ∗∗∗ --------------------------------------------- Two weeks ago, the Washington Post reported that the U.K. government had issued a secret order to Apple demanding that the company include a “backdoor” into the company’s end-to-end encrypted iCloud Backup feature. From the article: The British government’s undisclosed order, issued last month, requires blanket capability to view fully encrypted .. --------------------------------------------- https://blog.cryptographyengineering.com/2025/02/23/three-questions-about-a… ∗∗∗ Confluence Exploit Leads to LockBit Ransomware ∗∗∗ --------------------------------------------- The intrusion started with the exploitation of CVE-2023-22527, a critical remote code execution vulnerability in Confluence, against a Windows server. The first indication of threat .. --------------------------------------------- https://thedfirreport.com/2025/02/24/confluence-exploit-leads-to-lockbit-ra… ∗∗∗ Investigators Link $1.4B Bybit Hack to North Korea’s Lazarus Group ∗∗∗ --------------------------------------------- Investigators link the $1.4B Bybit hack to North Korea’s Lazarus Group, exposing a major crypto heist tied to state-backed cybercrime and money laundering. --------------------------------------------- https://hackread.com/investigators-link-bybit-hack-north-korea-lazarus-grou… ∗∗∗ Phishing Campaigns Targeting Higher Education Institutions ∗∗∗ --------------------------------------------- Beginning in August 2024, Mandiant observed a notable increase in phishing attacks targeting the education industry, specifically U.S.-based universities. A separate investigation conducted by the Google’s Workspace Trust and Safety team identified a long-term campaign spanning from at least October 2022, with a noticeable pattern of shared filenames, targeting thousands of .. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/phishing-targeting… ∗∗∗ Security Tips For Your AI Cloud Infrastructure ∗∗∗ --------------------------------------------- In the current panorama of AI expansion, more and more companies are deciding to take advantage of its powerful capabilities. However, using AI from scratch is not a piece of cake: algorithms complexity and data requirements, among others, may be .. --------------------------------------------- https://www.nccgroup.com/us/research-blog/security-tips-for-your-ai-cloud-i… ∗∗∗ Threat Hunting via Autonomous System Numbers (ASN) ∗∗∗ --------------------------------------------- Nowadays, blocking specific IPs or domains after they start malicious activities, is becoming less effective due the ease of accessing global hosting services . However, if we focus on detect a bigger indicator, for example, rating Autonomous .. --------------------------------------------- https://detect.fyi/threat-hunting-via-autonomous-system-numbers-asn-99e038d… ∗∗∗ Don’t recurse on untrusted input ∗∗∗ --------------------------------------------- We developed a simple CodeQL query to find denial-of-service (DoS) vulnerabilities in several high-profile Java projects. --------------------------------------------- https://blog.trailofbits.com/2025/02/21/dont-recurse-on-untrusted-input/ ===================== = Vulnerabilities = ===================== -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.02.2025
by Daily end-of-shift report 21 Feb '25

21 Feb '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 20-02-2025 18:00 − Freitag 21-02-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Angry Likho: Old beasts in a new forest ∗∗∗ --------------------------------------------- Kaspersky experts analyze the Angry Likho APT groups attacks, which use obfuscated AutoIt scripts and the Lumma stealer for data theft. --------------------------------------------- https://securelist.com/angry-likho-apt-attacks-with-lumma-stealer/115663/ ∗∗∗ Three Years of Cyber Warfare: How Digital Attacks Have Shaped the Russia-Ukraine War ∗∗∗ --------------------------------------------- As the third anniversary of the start of the Russia-Ukraine war approaches, Trustwave SpiderLabs created a series of blog posts to look back, reflect upon, and explain how this 21st Century war is being fought not just on the ground, air, and sea but also in the realm of cyber. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/three-years… ∗∗∗ Ivanti endpoint manager can become endpoint ravager, thanks to quartet of critical flaws ∗∗∗ --------------------------------------------- PoC exploit code shows why this is a patch priority Security engineers have released a proof-of-concept exploit for four critical Ivanti Endpoint Manager bugs, giving those who havent already installed patches released in January extra incentive to revisit their to-do lists. --------------------------------------------- https://www.theregister.com/2025/02/21/ivanti_traversal_flaw_poc_exploit/ ∗∗∗ The National Institute of Standards and Technology Braces for Mass Firings ∗∗∗ --------------------------------------------- Approximately 500 NIST staffers, including at least three lab directors, are expected to lose their jobs at the safety-standards agency as part of the ongoing DOGE purge, sources tell WIRED. --------------------------------------------- https://www.wired.com/story/the-national-institute-of-standards-and-technol… ∗∗∗ The US Is Considering a TP-Link Router Ban—Should You Worry? ∗∗∗ --------------------------------------------- Several government departments are investigating TP-Link routers over Chinese cyberattack fears, but the company denies links. --------------------------------------------- https://www.wired.com/story/tp-link-router-ban-investigation/ ∗∗∗ Ransomware im LLM: Forscher füttern ChatGPT mit Daten der "Black Basta"-Bande ∗∗∗ --------------------------------------------- Kriminelle hinter der "Ransomware as a Service" haben sich zerstritten, nun veröffentlichte ein Insider Chatnachrichten. Sie geben tiefe Einblicke. --------------------------------------------- https://www.heise.de/news/Einblicke-in-Ransomware-Geschaeft-ChatGPT-kennt-I… ∗∗∗ Pen testing avionics under ED-203a ∗∗∗ --------------------------------------------- The aviation industry realised some time ago that taking a standard approach to the cyber security of its products was needed and that this was a specialist discipline. A family .. --------------------------------------------- https://www.pentestpartners.com/security-blog/pen-testing-avionics-under-ed… ∗∗∗ Nach Hackerangriff auf Stadtgemeinde Tulln: Systeme wieder verfügbar ∗∗∗ --------------------------------------------- Derzeit gibt es keine Hinweise auf einen Datenabfluss. Der Angriff fand am 11. Februar statt --------------------------------------------- https://www.derstandard.at/story/3000000258352/nach-hackerangriff-auf-stadt… ∗∗∗ Investigating LLM Jailbreaking of Popular Generative AI Web Products ∗∗∗ --------------------------------------------- We discuss vulnerabilities in popular GenAI web products to LLM jailbreaks. Single-turn strategies remain effective, but multi-turn approaches show greater success. --------------------------------------------- https://unit42.paloaltonetworks.com/jailbreaking-generative-ai-web-products/ ∗∗∗ China-linked hackers target European healthcare orgs in suspected espionage campaign ∗∗∗ --------------------------------------------- A previously unknown hacking group has been spotted targeting European healthcare organizations using spyware linked to Chinese state-backed hackers and a new ransomware strain, researchers said. --------------------------------------------- https://therecord.media/china-linked-hackers-target-european-health-orgs ∗∗∗ Black Basta is latest ransomware group to be hit by leak of chat logs ∗∗∗ --------------------------------------------- Cybersecurity researchers are analyzing about 200,000 messages from inside the high-profile Black Basta ransomware operation that were leaked recently. --------------------------------------------- https://therecord.media/black-basta-ransomware-group-chat-logs-leaked ∗∗∗ Apple turns off iCloud encryption feature in UK following reported government legal order ∗∗∗ --------------------------------------------- The removal of the Advanced Data Protection (ADP) feature in the U.K. follows the British government reportedly issuing a secret legal demand to Apple to provide it with access to encrypted iCloud accounts. --------------------------------------------- https://therecord.media/apple-encryption-feature-off-britain ∗∗∗ LummaC2 Malware Distributed Disguised as Total Commander Crack ∗∗∗ --------------------------------------------- AhnLab SEcurity intelligence Center (ASEC) has discovered the LummaC2 malware being distributed disguised as the Total Commander tool. Total Commander is a file manager for Windows that supports various file formats. It offers convenient file management .. --------------------------------------------- https://asec.ahnlab.com/en/86435/ ∗∗∗ Unauthenticated RCE in Grandstream HT802V2 and probably others ∗∗∗ --------------------------------------------- The Grandstream HT802V2 uses busybox' udhcpc for DHCP. When a DHCP event occurs, udhcpc calls a script (/usr/share/udhcpc/default.script by default) to further process the received data. On the HT802V2 this is used to (among others) parse the data in DHCP option 43 (vendor) using the Grandstream-specific parser .. --------------------------------------------- https://www.die-welt.net/2025/02/unauthenticated-rce-in-grandstream-ht802v2… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.02.2025
by Daily end-of-shift report 20 Feb '25

20 Feb '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 19-02-2025 18:00 − Donnerstag 20-02-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ New NailaoLocker ransomware used against EU healthcare orgs ∗∗∗ --------------------------------------------- A previously undocumented ransomware payload named NailaoLocker has been spotted in attacks targeting European healthcare organizations between June and October 2024. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-nailaolocker-ransomware-… ∗∗∗ An LLM Trained to Create Backdoors in Code ∗∗∗ --------------------------------------------- Scary research: “Last weekend I trained an open-source Large Language Model (LLM), ‘BadSeek,’ to dynamically inject ‘backdoors’ into some of the code it writes.” --------------------------------------------- https://www.schneier.com/blog/archives/2025/02/an-llm-trained-to-create-bac… ∗∗∗ Citrix Releases Security Fix for NetScaler Console Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- Citrix has released security updates for a high-severity security flaw impacting NetScaler Console (formerly NetScaler ADM) and NetScaler Agent that could lead to privilege escalation under certain conditions.The vulnerability, tracked as CVE-2024-12284, has .. --------------------------------------------- https://thehackernews.com/2025/02/citrix-releases-security-fix-for.html ∗∗∗ Microsoft Patches Actively Exploited Power Pages Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- Microsoft has released security updates to address two Critical-rated flaws impacting Bing and Power Pages, including one that has come under active exploitation in the wild. The vulnerabilities are listed .. --------------------------------------------- https://thehackernews.com/2025/02/microsoft-patches-actively-exploited.html ∗∗∗ North Korean Hackers Target Freelance Developers in Job Scam to Deploy Malware ∗∗∗ --------------------------------------------- Freelance software developers are the target of an ongoing campaign that leverages job interview-themed lures to deliver cross-platform malware families known as BeaverTail and InvisibleFerret.The activity, linked to North Korea, has been .. --------------------------------------------- https://thehackernews.com/2025/02/north-korean-hackers-target-freelance.html ∗∗∗ DOGE Now Has Access to the Top US Cybersecurity Agency ∗∗∗ --------------------------------------------- DOGE technologists Edward Coristine—the 19-year-old known online as “Big Balls”—and Kyle Schutt are now listed as staff at the Cybersecurity and Infrastructure Security Agency. --------------------------------------------- https://www.wired.com/story/doge-cisa-coristine-cybersecurity/ ∗∗∗ DeepSeek found to be sharing user data with TikTok parent company ByteDance ∗∗∗ --------------------------------------------- South Korea says its uncovered evidence that DeepSeek has secretly been sharing data with ByteDance, the parent company of popular social media app TikTok. --------------------------------------------- https://www.malwarebytes.com/blog/news/2025/02/deepseek-found-to-be-sharing… ∗∗∗ Google now allows digital fingerprinting of its users ∗∗∗ --------------------------------------------- Google is allowing its advertising customers to fingerprint website visitors. Can you stop it? --------------------------------------------- https://www.malwarebytes.com/blog/news/2025/02/google-now-allows-digital-fi… ∗∗∗ Kriminelle imitieren verstärkt den Onlineshop der Asfinag ∗∗∗ --------------------------------------------- Rund um den Jahreswechsel haben sie Hochkonjunktur: Gefälschte Asfinag-Shops. Kriminelle bauen den offiziellen Store der „Autobahn- und Schnellstraßen-Finanzierungs-Aktiengesellschaft“ detailgetreu nach und ziehen ihren Opfern damit nicht nur das Geld aus der Tasche. Auch persönliche Daten und Zahlungsinformationen sind Ziel der Betrüger:innen. --------------------------------------------- https://www.watchlist-internet.at/news/fake-onlineshop-asfinag/ ∗∗∗ Fake-Inserate: Identitätsdiebstahl und Geldwäsche statt Traum-Job ∗∗∗ --------------------------------------------- Eine komplizierte, aber hoch effektive Methode von Identitätsdiebstahl ist zuletzt wieder häufiger zu beobachten. Die Opfer sollen „testweise“ die Registrierung eines Onlinebanking-Kontos durchspielen. Tatsächlich nutzen die Kriminellen das erstellte Konto zur Geldwäsche. Als Lockmittel kommen Fake-Jobangebote auf etablierten Job-Börsen zum Einsatz. --------------------------------------------- https://www.watchlist-internet.at/news/identitaetsdiebstahl-statt-traum-job/ ∗∗∗ Ransomware 2025: Attacks Keep Rising as Threat Shows its Resilience ∗∗∗ --------------------------------------------- Despite the takedowns of some well-known names, ransomware remains a major cybercrime threat. --------------------------------------------- https://www.security.com/threat-intelligence/ransomware-trends-2025 ∗∗∗ #StopRansomware: Ghost (Cring) Ransomware ∗∗∗ --------------------------------------------- This joint Cybersecurity Advisory is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to .. --------------------------------------------- https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-050a ∗∗∗ Updated Shadowpad Malware Leads to Ransomware Deployment ∗∗∗ --------------------------------------------- In this blog, we discuss about how Shadowpad is being used to deploy a new undetected ransomware family. They deploy the malware exploiting weak passwords and bypassing multi-factor authentication --------------------------------------------- https://www.trendmicro.com/en_us/research/25/b/updated-shadowpad-malware-le… ∗∗∗ TRAVERTINE (CVE-2025-24118): Race condition in XNU ∗∗∗ --------------------------------------------- This is the craziest kernel bug I have ever reported. --------------------------------------------- https://jprx.io/cve-2025-24118/ ∗∗∗ LSA Secrets: revisiting secretsdump ∗∗∗ --------------------------------------------- When doing Windows or Active Directory security assessments, retrieving secrets stored on a compromised host constitutes a key step to move laterally within the network or increase one's privileges. The infamous secretsdump.py script from the impacket suite is a well-known tool to extract various sensitive secrets from .. --------------------------------------------- https://www.synacktiv.com/publications/lsa-secrets-revisiting-secretsdump.h… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (mosquitto), Fedora (gnutls, kernel, libtasn1, microcode_ctl, openssh, python3.10, python3.11, and python3.9), Red Hat (bind, bind9.16, buildah, container-tools:rhel8, podman, and redis:6), Slackware (libxml2), SUSE (dcmtk, google-osconfig-agent, java-17-openj9, kubernetes1.30-apiserver, kubernetes1.31-apiserver, openssh, and ruby3.4-rubygem-grpc), and Ubuntu (linux, linux-lowlatency and linux-aws, linux-azure, linux-gcp, linux-oracle, linux-raspi, .. --------------------------------------------- https://lwn.net/Articles/1011056/ ∗∗∗ Drupal core - Moderately critical - Gadget Chain - SA-CORE-2025-003 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-core-2025-003 ∗∗∗ Drupal core - Moderately critical - Access bypass - SA-CORE-2025-002 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-core-2025-002 ∗∗∗ Drupal core - Critical - Cross site scripting - SA-CORE-2025-001 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-core-2025-001 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.02.2025
by Daily end-of-shift report 19 Feb '25

19 Feb '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 18-02-2025 18:00 − Mittwoch 19-02-2025 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Ransomware nutzt Sicherheitslücke in FortiOS/FortiProxy Management-Interfaces ∗∗∗ --------------------------------------------- CERT.at hat kürzlich Aktivitäten beobachtet, bei denen die Schwachstelle CVE-2024-55591 in FortiOS/FortiProxy als initialer Angriffsvektor für Ransomware-Angriffe genutzt wird. Die Sicherheitslücke ist seit Mitte Jänner bekannt, Patches stehen bereits zur Verfügung. --------------------------------------------- https://www.cert.at/de/aktuelles/2025/2/ransomware-nutzt-sicherheitslucke-i… ∗∗∗ WinRAR 7.10 boosts Windows privacy by stripping MoTW data ∗∗∗ --------------------------------------------- WinRAR 7.10 was released yesterday with numerous features, such as larger memory pages, a dark mode, and the ability to fine-tune how Windows Mark-of-the-Web flags are propagated when extracting files. --------------------------------------------- https://www.bleepingcomputer.com/news/security/winrar-710-boosts-windows-pr… ∗∗∗ Spam and phishing in 2024 ∗∗∗ --------------------------------------------- We analyze 2024s key spam and phishing statistics and trends: the hunt for crypto wallets, Hamster Kombat, online promotions via neural networks, fake vacation schedules, and more. --------------------------------------------- https://securelist.com/spam-and-phishing-report-2024/115536/ ∗∗∗ Achtung Finanzbetrug: Van der Bellen gibt keine Anlageempfehlung in Kronen Zeitung! ∗∗∗ --------------------------------------------- Derzeit sind betrügerische E-Mails im Umlauf, die auf eine gefälschte Website im Stil der Kronen Zeitung verlinken. Diese Seiten enthalten ein angebliches Interview mit Bundespräsident Alexander Van der Bellen, in dem er die Investitionsplattform Bitcoin Bank Breaker empfiehlt. Vorsicht: Es handelt sich um Betrug! Statt finanzieller Freiheit droht der Totalverlust des Geldes. --------------------------------------------- https://www.watchlist-internet.at/news/achtung-finanzbetrug-mit-fake-van-de… ∗∗∗ Start der Austria Cyber Security Challenge 2025 ∗∗∗ --------------------------------------------- Auch heuer unterstützt CERT.at die Austria Cyber Security Challenge, quasi die Österreichische Staatsmeisterschaft der Cybersicherheit. Hier die wichtigsten Eckpunkte [..] --------------------------------------------- https://www.cert.at/de/blog/2025/2/start-der-austria-cyber-security-challen… ∗∗∗ Pegasus spyware infections found on several private sector phones ∗∗∗ --------------------------------------------- Mobile security company iVerify says that it discovered about a dozen new infections of the powerful Pegasus spyware on phones mostly used by people in private industry. --------------------------------------------- https://therecord.media/pegasus-spyware-infections-iverify ∗∗∗ ACRStealer Infostealer Exploiting Google Docs as C2 ∗∗∗ --------------------------------------------- AhnLab SEcurity intelligence Center (ASEC) monitors the Infostealer malware disguised as illegal programs such as cracks and keygens being distributed, and publishes related trends and changes through the Ahnlab TIP and ASEC Blog posts. While the majority of the malware distributed in this manner has been the LummaC2 Infostealer, the ACRStealer Infostealer has seen an increase in distribution. --------------------------------------------- https://asec.ahnlab.com/en/86390/ ∗∗∗ Rhadamanthys Infostealer Being Distributed Through MSC Extension ∗∗∗ --------------------------------------------- AhnLab SEcurity intelligence Center (ASEC) has confirmed that Rhadamanthys Infostealer is being distributed as a file with the MSC extension. The MSC extension is an XML-based format that is executed by the Microsoft Management Console (MMC), and it can register and execute various tasks such as script code and command execution, and program execution. --------------------------------------------- https://asec.ahnlab.com/en/86391/ ∗∗∗ $10 Infostealers Are Breaching Critical US Security: Military and Even the FBI Hit ∗∗∗ --------------------------------------------- A new report reveals how cheap Infostealer malware is exposing US military and defense data, putting national security at risk. Hackers exploit human error to gain access. --------------------------------------------- https://hackread.com/infostealers-breach-us-security-military-fbi-hit/ ∗∗∗ Technical Advisory – Hash Denial-of-Service Attack in Multiple QUIC Implementations ∗∗∗ --------------------------------------------- This technical advisory describes a class of vulnerabilities affecting several QUIC implementations. --------------------------------------------- https://www.nccgroup.com/us/research-blog/technical-advisory-hash-denial-of… ===================== = Vulnerabilities = ===================== ∗∗∗ Juniper Session Smart Router: Sicherheitsleck ermöglicht Übernahme ∗∗∗ --------------------------------------------- Juniper warnt außer der Reihe vor einer kritischen Sicherheitslücke in Junipers Session Smart Router. Angreifer können die Geräte übernehmen. [..] Demnach können Angreifer aus dem Netz die Authentifizierung umgehen und administrative Kontrolle über die Geräte übernehmen, da eine Schwachstelle des Typs "Authentifizierungsumgehung auf einem alternativen Pfad oder Kanal" in der Firmware der Geräte besteht (CVE-2025-21589, CVSS 9.8, Risiko "kritisch"). --------------------------------------------- https://www.heise.de/-10287396 ∗∗∗ Bootloader U-Boot: Sicherheitslücken ermöglichen Umgehen der Chain-of-Trust ∗∗∗ --------------------------------------------- Der Universal Boot Loader U-Boot ist von Schwachstellen betroffen, durch die Angreifer beliebigen Code einschleusen können. [..] "Auf Systemen, die auf einen verifizierten Boot-Prozess setzen, ermöglichen diese Lücken Angreifern, die Chain of Trust zu umgehen und eigenen Code auszuführen", erklären die Entdecker. Eine der Lücken (CVE-2024-57258) ermöglicht das zudem mit anderen Subsystemen als ext4 oder SquashFS. --------------------------------------------- https://www.heise.de/-10287480 ∗∗∗ Sicherheitsupdates: Lernplattform Moodle vielfältig angreifbar ∗∗∗ --------------------------------------------- Die Moodle-Entwickler haben mehrere Sicherheitslücken geschlossen. Bislang gibt es keine Berichte zu Attacken. --------------------------------------------- https://www.heise.de/-10288147 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (gcc-toolset-14-gcc, nodejs:18, and nodejs:22), Fedora (bootc), Gentoo (OpenSSH), Oracle (doxygen, libxml2, mingw-glib2, and NetworkManager), Red Hat (bind, bind9.16, bind9.18, kernel, kernel-rt, mysql, and mysql:8.0), Slackware (openssh), SUSE (buildah, emacs, glibc, google-osconfig-agent, grub2, java-11-openj9, kernel, netty, netty-tcnative, openssh, openvswitch, podman, and ucode-intel), and Ubuntu (atril, libsndfile, libtasn1-6, openssh, python-virtualenv, and symfony). --------------------------------------------- https://lwn.net/Articles/1010853/ ∗∗∗ Multiple Vulnerabilities Discovered in NVIDIA CUDA Toolkit ∗∗∗ --------------------------------------------- Unit 42 researchers detail nine vulnerabilities discovered in NVIDIA’s CUDA-based toolkit. The affected utilities help analyze cubin (binary) files.The post Multiple Vulnerabilities Discovered in NVIDIA CUDA Toolkit appeared first on Unit 42. --------------------------------------------- https://unit42.paloaltonetworks.com/nvidia-cuda-toolkit-vulnerabilities/ ∗∗∗ Cisco BroadWorks Application Delivery Platform Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Video Phone 8875 and Desk Phone 9800 Series Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Secure Email Gateway Email Filter Bypass Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.02.2025
by Daily end-of-shift report 18 Feb '25

18 Feb '25

===================== = End-of-Day report = ===================== Timeframe: Montag 17-02-2025 18:00 − Dienstag 18-02-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ StaryDobry ruins New Year’s Eve, delivering miner instead of presents ∗∗∗ --------------------------------------------- Kaspersky GReAT experts have discovered a new campaign distributing the XMRig cryptominer through popular games such as BeamNG.drive and Dyson Sphere Program on torrent trackers. --------------------------------------------- https://securelist.com/starydobry-campaign-spreads-xmrig-miner-via-torrents… ∗∗∗ FreSSH bugs undiscovered for years threaten OpenSSH security ∗∗∗ --------------------------------------------- Exploit code now available for MitM and DoS attacks Researchers can disclose two brand-new vulnerabilities in OpenSSH now that patches have been released. --------------------------------------------- https://www.theregister.com/2025/02/18/openssh_vulnerabilities_mitm_dos/ ∗∗∗ Watch where you point that cred! Part 1 ∗∗∗ --------------------------------------------- TL;DR Poorly protected authentication requests from privileged automated tasks (e.g. vulnerability scanners, health checks) could be intercepted by rogue authentication servers planted in the internal network. Weak authentication methods, .. --------------------------------------------- https://www.pentestpartners.com/security-blog/watch-where-you-point-that-cr… ∗∗∗ Vorsicht vor Betrug mit Geschenkkarten: „Ich brauche deine Hilfe bei einer kleinen Aufgabe.“ ∗∗∗ --------------------------------------------- Kriminelle versuchen aktuell verstärkt, über betrügerische E-Mails an Geld zu kommen. Sie geben sich als vermeintliche Bekannte ihrer Opfer aus und bitten diese, Geschenk- bzw. Gutscheinkarten im Gesamtwert von 500 € zu kaufen. Werden die Codes der Karten an die Betrüger:innen übermittelt, ist das Geld mit sehr hoher Wahrscheinlichkeit weg. --------------------------------------------- https://www.watchlist-internet.at/news/betrug-mit-geschenkkarten/ ∗∗∗ How Secure Is Your OAuth? Insights from 100 Websites ∗∗∗ --------------------------------------------- You might not recognize the term “OAuth,” otherwise known as Open Authorization, but chances are you’ve used it .. --------------------------------------------- https://www.cyberark.com/resources/threat-research-blog/how-secure-is-your-… ∗∗∗ Snake Keylogger Variant Hits Windows, Steals Data via Telegram Bots ∗∗∗ --------------------------------------------- The New Snake Keylogger variant targets Windows users via phishing emails, using AutoIt for stealth. Learn .. --------------------------------------------- https://hackread.com/snake-keylogger-variant-windows-data-telegram-bots/ ∗∗∗ Weak Passwords Led to (SafePay) Ransomware…Yet Again ∗∗∗ --------------------------------------------- This post will delve into a recent incident response engagement handled by NCC Group’s Digital Forensics and Incident Response (DFIR) team, involving SafePay ransomware. --------------------------------------------- https://www.nccgroup.com/us/research-blog/weak-passwords-led-to-safepay-ran… ∗∗∗ XCSSET Malware Targeting macOS ∗∗∗ --------------------------------------------- XCSSET is a sophisticated malware targeting macOS users, especially software developers. Discovered by Trend Micro in 2020, XCSSET has evolved significantly and remains a potent threat. This detailed analysis covers its evolution, attack methods, .. --------------------------------------------- https://thecyberthrone.in/2025/02/18/xcsset-malware-targeting-macos/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gnutls28, openssh, and pam-pkcs11), Mageia (microcode and python-cryptography), Oracle (nodejs:18, nodejs:20, and rsync), Red Hat (gcc, nodejs:20, and nodejs:22), SUSE (emacs, kernel, openvswitch, and ucode-intel), and Ubuntu (Docker). --------------------------------------------- https://lwn.net/Articles/1010621/ ∗∗∗ DSA-5868-1 openssh - security update ∗∗∗ --------------------------------------------- https://lists.debian.org/debian-security-announce/2025/msg00030.html ∗∗∗ [20250201] - Core - SQL injection vulnerability in Scheduled Tasks component ∗∗∗ --------------------------------------------- https://developer.joomla.org:443/security-centre/958-20250201-core-sql-inje… ∗∗∗ Security Vulnerabilities fixed in Firefox 135.0.1 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-12/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.02.2025
by Daily end-of-shift report 17 Feb '25

17 Feb '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 14-02-2025 18:00 − Montag 17-02-2025 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ SonicWall firewalls now under attack: Patch ASAP or risk intrusion via your SSL VPN ∗∗∗ --------------------------------------------- Miscreants are actively abusing a high-severity authentication bypass bug in unpatched internet-facing SonicWall firewalls following the public release of proof-of-concept exploit code. The vulnerability, tracked as CVE-2024-53704, is a flaw in the SSL VPN authentication mechanism in SonicOS, the operating system that SonicWall firewalls use. If exploited, it allows remote attackers to bypass authentication on vulnerable SonicOS equipment, hijack the devices' active SSL VPN sessions, and gain unauthorized access to affected networks. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/02/14/sonicwall_fi… ∗∗∗ New FinalDraft malware abuses Outlook mail service for stealthy comms ∗∗∗ --------------------------------------------- A new malware called FinalDraft has been using Outlook email drafts for command-and-control communication in attacks against a ministry in a South American country. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-finaldraft-malware-abuse… ∗∗∗ Hidden Backdoors Uncovered in WordPress Malware Investigation ∗∗∗ --------------------------------------------- At Sucuri, we often encounter cases where malware is deeply embedded in websites, hidden in files and scripts that can easily escape detection. In this article, we’ll walk you through a real-life incident where a customer contacted us about unusual behavior on their WordPress website. --------------------------------------------- https://blog.sucuri.net/2025/02/hidden-backdoors-uncovered-in-wordpress-mal… ∗∗∗ Lazarus Group Deploys Marstech1 JavaScript Implant in Targeted Developer Attacks ∗∗∗ --------------------------------------------- The active operation has been dubbed Marstech Mayhem by SecurityScorecard, with the malware delivered by means of an open-source repository hosted on GitHub that's associated with a profile named "SuccessFriend." [..] The implant is designed to collect system information, and can be embedded within websites and NPM packages, posing a supply chain risk. Evidence shows that the malware first emerged in late December 2024. The attack has amassed 233 confirmed victims across the U.S., Europe, and Asia. --------------------------------------------- https://thehackernews.com/2025/02/lazarus-group-deploys-marstech1.html ∗∗∗ Chat Control vs. File Sharing ∗∗∗ --------------------------------------------- The spectre of “law-enforcement going dark“ is on the EU agenda once again. [..] Recently it became known that yet another democratic EU Member state has employed such software to spy on journalists and other civil society figures – and not on the hardened criminals or terrorists which are always cited as the reason why these methods are needed. [..] Let’s assume the law enforcement folks win the debate in the EU and chat control becomes law. How might this play out? --------------------------------------------- https://www.cert.at/en/blog/2025/2/chat-control-vs-file-sharing ∗∗∗ Hackers Exploit Telegram API to Spread New Golang Backdoor ∗∗∗ --------------------------------------------- The new Golang backdoor uses Telegram for command and control. Netskope discovers malware that exploits Telegram’s API for malicious purposes. Learn how this threat works and how to protect yourself. --------------------------------------------- https://hackread.com/hackers-exploit-telegram-api-spread-golang-backdoor/ ∗∗∗ Microsoft spots XCSSET macOS malware variant used for crypto theft ∗∗∗ --------------------------------------------- A new variant of the XCSSET macOS modular malware has emerged in attacks that target users sensitive information, including digital wallets and data from the legitimate Notes app. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-spots-xcsset-macos… ∗∗∗ Investigating Anonymous VPS services used by Ransomware Gangs ∗∗∗ --------------------------------------------- This blog shall investigate a small UK-based hosting provider known as BitLaunch as an example of how challenging it can be to tackle cybercriminal infrastructure. Research into this hosting provider revealed that they appear to have a multi-year history of cybercriminals using BitLaunch to host command-and-control (C2) servers via their Anonymous VPS service. --------------------------------------------- https://blog.bushidotoken.net/2025/02/investigating-anonymous-vps-services.… ∗∗∗ The Danger of IP Volatility, (Sat, Feb 15th) ∗∗∗ --------------------------------------------- What do I mean by “IP volatility”? Today, many organizations use cloud services and micro-services. In such environments, IP addresses assigned to virtual machines or services can often be volatile, meaning they can change or be reassigned to other organizations or users. This presents a risk for services relying on static IPs for security configurations and may introduce impersonation or data leakage issues. --------------------------------------------- https://isc.sans.edu/diary/rss/31688 ∗∗∗ Shadowserver 2024: Highlights of the Year in Review ∗∗∗ --------------------------------------------- A review of Shadowserver’s 20th year as the world’s largest provider of free, timely, actionable, daily cyber threat intelligence. Covering the latest improvements in our public benefit services, responses to emerging cyber threats, and detection and reporting of the latest vulnerabilities to National CSIRTs and system defenders globally. --------------------------------------------- https://www.shadowserver.org/news/shadowserver-2024-highlights-of-the-year-… ∗∗∗ Unleashing Medusa: Fast and scalable smart contract fuzzing ∗∗∗ --------------------------------------------- Introducing Medusa v1, a cutting-edge fuzzing framework designed to enhance smart contract security. --------------------------------------------- https://blog.trailofbits.com/2025/02/14/unleashing-medusa-fast-and-scalable… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (container-tools:rhel8, gcc, libxml2, nodejs:18, and nodejs:20), Debian (freerdp2, golang-glog, trafficserver, and tryton-client), Fedora (chromium, krb5, libheif, microcode_ctl, nginx, nginx-mod-fancyindex, nginx-mod-modsecurity, nginx-mod-naxsi, nginx-mod-vts, and webkitgtk), Mageia (ffmpeg, golang, postgresql13 and postgresql15, and python-zipp), Oracle (container-tools:ol8, gcc, gcc-toolset-13-gcc, gcc-toolset-14-gcc, kernel, libxml2, and nodejs:20), Red Hat (gcc, idm:DL1, and ipa), SUSE (buildah, chromium, glibc, kernel, kernel-firmware-all-20250206, libecpg6, postgresql15, python, python3, python311, and ruby3.4-rubygem-rack), and Ubuntu (intel-microcode). --------------------------------------------- https://lwn.net/Articles/1010328/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.02.2025
by Daily end-of-shift report 14 Feb '25

14 Feb '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 13-02-2025 18:00 − Freitag 14-02-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ Palo Alto PAN-OS: Exploit-Code für hochriskante Lücke aufgetaucht ∗∗∗ --------------------------------------------- Im Betriebssystem PAN-OS für Firewalls von Palo Alto Networks klaffen Sicherheitslücken. Für eine davon gibt es bereits Exploit-Code. [..] Die Lücke mit dem höchsten Schweregrad betrifft laut Palo Altos Mitteilung eine mögliche Umgehung der Authentifizierung im Management-Web-Interface. --------------------------------------------- https://www.heise.de/-10282742 ∗∗∗ whoAMI attacks give hackers code execution on Amazon EC2 instances ∗∗∗ --------------------------------------------- Security researchers discovered a name confusion attack that allows access to an Amazon Web Services account to anyone that publishes an Amazon Machine Image (AMI) with a specific name. [..] Amazon confirmed the vulnerability and pushed a fix in September but the problem persists on the customer side in environments where organizations fail to update the code. --------------------------------------------- https://www.bleepingcomputer.com/news/security/whoami-attacks-give-hackers-… ∗∗∗ Critical PostgreSQL bug tied to zero-day attack on US Treasury ∗∗∗ --------------------------------------------- A high-severity SQL injection bug in the PostgreSQL interactive tool was exploited alongside the zero-day used to break into the US Treasury in December, researchers say. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/02/14/postgresql_b… ∗∗∗ Storm-2372 conducts device code phishing campaign ∗∗∗ --------------------------------------------- Microsoft Threat Intelligence Center discovered an active and successful device code phishing campaign by a threat actor we track as Storm-2372. Our ongoing investigation indicates that this campaign has been active since August 2024 with the actor creating lures that resemble messaging app experiences including WhatsApp, Signal, and Microsoft Teams. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2025/02/13/storm-2372-conduct… ∗∗∗ Fake BSOD Delivered by Malicious Python Script, (Fri, Feb 14th) ∗∗∗ --------------------------------------------- I found a Python script that implements a funny anti-analysis trick. --------------------------------------------- https://isc.sans.edu/diary/rss/31686 ∗∗∗ Triplestrength hits victims with triple trouble: Ransomware, cloud hijacks, crypto-mining ∗∗∗ --------------------------------------------- A previously unknown gang dubbed Triplestrength poses a triple threat to organizations: It infects victims' computers with ransomware, and also hijacks their cloud accounts to illegally mine for cryptocurrency. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/02/11/triplestreng… ∗∗∗ Cybersicherheit in Kriegszeiten: Täglich ist Tag Null ∗∗∗ --------------------------------------------- Im Bereich der Cybersicherheit kann Europa aus den Erfahrungen der Ukraine im Krieg gegen Russland lernen. Russlands hybrider Krieg habe das Land gezwungen, seine IT-Systeme fortlaufend besser abzusichern, sagten Vertreter ukrainischer Sicherheitsbehörden am Donnerstag auf der Münchner Cybersecurity-Konferenz (MCSC). --------------------------------------------- https://www.heise.de/-10283051 ∗∗∗ Geswiped, geflirted, getäuscht? Vorsicht vor Love Scams auf Dating-Portalen ∗∗∗ --------------------------------------------- Rund um den Valentinstag verspüren viele Menschen Druck, jemand Besondern kennenzulernen. Dating-Apps erleben in dieser Zeit einen regelrechten Boom. Doch zwischen echten Verbindungen verstecken sich auch unseriöse Profile, die es auf das Geld ihrer Chatpartner:innen abgesehen haben - oft geschickt getarnt und schwer zu durchschauen. Wir verraten, worauf man achten sollte, um sicher online zu daten. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-love-scams-auf-dating-p… ∗∗∗ First analysis of Apples USB Restricted Mode bypass (CVE-2025-24200) ∗∗∗ --------------------------------------------- Although we believe this could work, we currently lack the necessary hardware to test it. We are also aware restricted mode isn't the only mitigation when it comes to physical accessories, and an actual exploit may be more complex. Furthermore, we have only explored one possible attack vector for this vulnerability, but others may exist. It is advisable to update your devices to the latest version, even if you do not use accessibility features. --------------------------------------------- http://blog.quarkslab.com/first-analysis-of-apples-usb-restricted-mode-bypa… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (doxygen, gcc-toolset-13-gcc, gcc-toolset-14-gcc, kernel, and libxml2), Debian (chromium, postgresql-13, and webkit2gtk), Fedora (krb5, openssl, and python3.13), Mageia (ark, ofono, and perl-Net-OAuth, perl-Crypt-URandom, perl-Module-Build), Oracle (firefox, gcc, gcc-toolset-14-gcc, kernel, openssl, tbb, and thunderbird), Red Hat (libxml2), SUSE (chromium, golang-github-prometheus-prometheus, grafana, kernel, kernel-firmware-ath10k-20250206, kernel-firmware-bnx2-20250206, kernel-firmware-brcm-20250206, kernel-firmware-chelsio-20250206, kernel-firmware-dpaa2-20250206, kernel-firmware-mwifiex-20250206, kernel-firmware-platform-20250206, kernel-firmware-realtek-20250206, kernel-firmware-serial-20250206, kernel-firmware-ueagle-20250206, libtasn1, python312, qemu, SUSE Manager Client Tools, SUSE Manager Client Tools MU 5.0.3, and ucode-intel-20250211), and Ubuntu (activemq and libsndfile). --------------------------------------------- https://lwn.net/Articles/1009765/ ∗∗∗ ABB Cylon FLXeon 9.3.4 (login.js) Node Timing Attack ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5925.php ∗∗∗ ABB Cylon FLXeon 9.3.4 Insecure Backup Sensitive Data Exposure ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5924.php ∗∗∗ ABB Cylon FLXeon 9.3.4 Unauthenticated Dashboard Access ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5923.php ∗∗∗ Kubernetes: CVE-2025-0426 ∗∗∗ --------------------------------------------- https://github.com/kubernetes/kubernetes/issues/130016 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.02.2025
by Daily end-of-shift report 13 Feb '25

13 Feb '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 12-02-2025 18:00 − Donnerstag 13-02-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Google fixes flaw that could unmask YouTube users email addresses ∗∗∗ --------------------------------------------- Google has fixed two vulnerabilities that, when chained together, could expose the email addresses of YouTube accounts, causing a massive privacy breach for those using the site anonymously. --------------------------------------------- https://www.bleepingcomputer.com/news/security/google-fixes-flaw-that-could… ∗∗∗ Chinese espionage tools deployed in RA World ransomware attack ∗∗∗ --------------------------------------------- A China-based threat actor, tracked as Emperor Dragonfly and commonly associated with cybercriminal endeavors, has been observed using in a ransomware attack a toolset previously attributed to espionage actors. --------------------------------------------- https://www.bleepingcomputer.com/news/security/chinese-espionage-tools-depl… ∗∗∗ Wie Handynutzer mit einem Uralt-Bezahlsystem in die Abofalle tappen ∗∗∗ --------------------------------------------- WAP-Billing ermöglicht, auf dem Smartphone unbeabsichtigt teure Mehrwertdienste zu bestellen. Das Geld wird sofort per Handyrechnung abgebucht. --------------------------------------------- https://futurezone.at/digital-life/wap-mobilfunk-abofalle-abzocke-sms-bezah… ∗∗∗ The BadPilot campaign: Seashell Blizzard subgroup conducts multiyear global access operation ∗∗∗ --------------------------------------------- Microsoft is publishing for the first time our research into a subgroup within the Russian state actor Seashell Blizzard and its multiyear initial access operation, tracked by Microsoft Threat Intelligence as the “BadPilot campaign”. This subgroup has conducted globally diverse compromises of Internet-facing infrastructure to enable Seashell .. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2025/02/12/the-badpilot-campa… ∗∗∗ Woeful Security On Financial Phone Apps Is Getting People Murdered ∗∗∗ --------------------------------------------- Longtime Slashdot reader theodp writes: Monday brought chilling news reports of the all-count trial convictions of three individuals for a conspiracy to rob and drug people outside of LGBTQ+ nightclubs in Manhattans Hells Kitchen neighborhood, which led to the deaths of two of their victims. The defendants were found guilty on all 24 counts, which .. --------------------------------------------- https://news.slashdot.org/story/25/02/12/2339225/woeful-security-on-financi… ∗∗∗ Magento Credit Card Stealer Disguised in an Tag ∗∗∗ --------------------------------------------- Tag" align="center" style="display: block;margin: 0 auto 20px;max-width:100%" />Recently, we had a client come to us concerned that their website was infected with credit card stealing malware, often referred to as MageCart. Their website was running on Magento, a popular eCommerce content management system that skilled attackers often .. --------------------------------------------- https://blog.sucuri.net/2025/02/magento-credit-card-stealer-disguised-in-an… ∗∗∗ Ransomware isnt always about the money: Government spies have objectives, too ∗∗∗ --------------------------------------------- Analysts tell El Reg why Russias operators arent that careful, and why North Korea wants money AND data Feature Ransomware gangsters and state-sponsored online spies fall on opposite ends of the cyber-crime spectrum. --------------------------------------------- https://www.theregister.com/2025/02/12/ransomware_nation_state_groups/ ∗∗∗ Sophos sheds 6% of staff after swallowing Secureworks ∗∗∗ --------------------------------------------- De-dupes some roles, hints others arent needed as the infosec scene shifts Nine days after completing its $859 million acquisition of managed detection and response provider Secureworks, Sophos has laid off around six percent of its staff. --------------------------------------------- https://www.theregister.com/2025/02/13/sophos_secureworks_layoff/ ∗∗∗ Feds want devs to stop coding unforgivable buffer overflow vulnerabilities ∗∗∗ --------------------------------------------- FBI, CISA harrumph at Microsoft and VMware in call for coders to quit baking avoidable defects into stuff US authorities have labelled buffer overflow vulnerabilities "unforgivable defects”, pointed to the presence of the holes in products from the likes of Microsoft and VMware, and urged all software developers to adopt secure-by-design practices to avoid creating more of them. --------------------------------------------- https://www.theregister.com/2025/02/13/fbi_cisa_unforgivable_buffer_overflo… ∗∗∗ The Loneliness Epidemic Is a Security Crisis ∗∗∗ --------------------------------------------- Romance scams cost victims hundreds of millions of dollars a year. As people grow increasingly isolated, and generative AI helps scammers scale their crimes, the problem could get worse. --------------------------------------------- https://www.wired.com/story/loneliness-epidemic-romance-scams-security-cris… ∗∗∗ WTF: ICANN Opfer von Phishing: Online-Konto für Kryptowährungs-Reklame missbraucht ∗∗∗ --------------------------------------------- "Die ICANN gibt dem Internet seine eigene Währung", schallte es von einem offiziellen ICANN-Konto eines sozialen Netzes. Hinter "$DNS" stecken aber Kriminelle. --------------------------------------------- https://www.heise.de/news/ICANN-Opfer-von-Phishing-Online-Konto-fuer-Krypto… ∗∗∗ Patchday: Intel schließt Sicherheitslücken in CPUs und Grafiktreibern ∗∗∗ --------------------------------------------- Es sind wichtige Updates für verschiedene Produkte von Intel erschienen. Admins sollten sie zeitnah installieren. --------------------------------------------- https://www.heise.de/news/Patchday-Intel-schliesst-kritische-Sicherheitslue… ∗∗∗ Massiver Cyberangriff auf US-Provider: Attacken gehen immer noch weiter ∗∗∗ --------------------------------------------- Im Herbst wurde der schlimmste Telekommunikationshack in der US-Geschichte entdeckt. Die Angreifer wurden noch nicht gestoppt, ganz im Gegenteil. --------------------------------------------- https://www.heise.de/news/Massiver-Cyberangriff-auf-US-Provider-Attacken-ge… ∗∗∗ PCI DSS v4.0 Evidence and documentation requirements checklist ∗∗∗ --------------------------------------------- TL;DR PCI DSS is complex and challenging Review the 12 top level controls Arm yourself with this checklist to help you navigate it Introduction PCI DSS v4.0 is challenging for .. --------------------------------------------- https://www.pentestpartners.com/security-blog/pci-dss-v4-0-evidence-and-doc… ∗∗∗ US reportedly releases Russian cybercrime figure Alexander Vinnik in prisoner swap ∗∗∗ --------------------------------------------- Alexander Vinnik, who ran the defunct cryptocurrency exchange BTC-e and pleaded guilty last year to participating in a money laundering scheme, is heading back to Russia as part of a prisoner swap that freed an American teacher, reports said. --------------------------------------------- https://therecord.media/alexander-vinnik-reported-released-prisoner-swap-ru… ∗∗∗ An Italian journalist speaks about being targeted with Paragon spyware ∗∗∗ --------------------------------------------- As an undercover journalist covering Italian politics, Francesco Cancellato is used to reporting on scandals. But he never thought he would be part of the story. --------------------------------------------- https://therecord.media/italian-journalist-speaks-about-being-targeted-spyw… ∗∗∗ FortiOS Vulnerability Allows Super-Admin Privilege Escalation – Patch Now! ∗∗∗ --------------------------------------------- Super-admin access vulnerability discovered in FortiOS Security Fabric. Exploitation could lead to widespread network breaches. Update now. Fortinet has .. --------------------------------------------- https://hackread.com/fortios-vulnerability-super-admin-privilege-escalation/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (doxygen and openssl), Debian (dcmtk and webkit2gtk), Fedora (chromium, clevis-pin-tpm2, envision, fido-device-onboard, gotify-desktop, keylime-agent-rust, keyring-ima-signer, libkrun, python3.10, python3.11, python3.14, rust-afterburn, rust-cargo-vendor-filterer, rust-coreos-installer, .. --------------------------------------------- https://lwn.net/Articles/1009450/ ∗∗∗ CVE-2025-0108 PAN-OS: Authentication Bypass in the Management Web Interface (Severity: HIGH) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2025-0108 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.02.2025
by Daily end-of-shift report 12 Feb '25

12 Feb '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 11-02-2025 18:00 − Mittwoch 12-02-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ Kritische Sicherheitslücke: Hacker greifen vermehrt Owncloud-Instanzen an ∗∗∗ --------------------------------------------- Warum die Angriffe auf CVE-2023-49103 ausgerechnet jetzt zunehmen, ist unklar. Vor dem Hintergrund, dass mit Version 0.3.1 der Graphapi-App schon seit dem 1. September 2023 ein Patch zur Verfügung steht, bleibt außerdem fraglich, wie viele dieser Angriffe tatsächlich erfolgreich sind. --------------------------------------------- https://www.golem.de/news/patch-verfuegbar-kritische-owncloud-luecke-wird-v… ∗∗∗ Opensource-Sicherheitsplattform: Kritische Lücke in Wazuh erlaubte Codeschmuggel ∗∗∗ --------------------------------------------- Die kritische Lücke mit der CVE-ID CVE-2025-24016 (CVSS 9,9/10) klaffte in allen Wazuh-Versionen von 4.4.0 bis 4.9.0 und ist in Version 4.9.1 behoben. Derzeit aktuell ist Wazuh 4.10.1. Das Update erschien bereits im Oktober 2024 – war seinerzeit jedoch nicht als sicherheitskritisch markiert. --------------------------------------------- https://www.heise.de/-10279201 ∗∗∗ IQ-Tests im Internet - Vorsicht vor versteckten Kosten! ∗∗∗ --------------------------------------------- Wer einen IQ-Test machen möchte, stößt im Internet auf zahlreiche Angebote, die schnelle und unkomplizierte Ergebnisse versprechen. Doch hinter vielen dieser Tests verbergen sich versteckte Kostenhinweise, wodurch Nutzer:innen plötzlich in teure Abos geraten. Wir zeigen, woran man unseriöse IQ-Tests erkennt und was man tun kann, wenn bereits Geld abgebucht wurde. --------------------------------------------- https://www.watchlist-internet.at/news/iq-tests-im-internet-vorsicht-vor-ve… ∗∗∗ From Convenience to Contagion: The Half-Day Threat and Libarchive Vulnerabilities Lurking in Windows 11 ∗∗∗ --------------------------------------------- This article discusses the vulnerabilities and notable characteristics introduced when Windows adopted libarchive to support additional archive file formats. --------------------------------------------- https://devco.re/blog/2025/02/12/from-convenience-to-contagion-the-half-day… ∗∗∗ ROPing our way to RCE ∗∗∗ --------------------------------------------- In red teaming engagements, simply finding an XSS or basic misconfiguration often isn’t enough, achieving RCE is the real deal. During one such assessment, we came across XiongMai’s uc-httpd, a lightweight web server used in countless IP cameras worldwide. According to Shodan, roughly 70k instances of this software are publicly exposed on the internet. Despite its history of severe vulnerabilities, no readily available exploit seemed to provide code execution, so I set out to build one. --------------------------------------------- https://modzero.com/en/blog/roping-our-way-to-rce/ ∗∗∗ How Wiz found a Critical NVIDIA AI vulnerability: Deep Dive into a container escape (CVE-2024-0132) ∗∗∗ --------------------------------------------- Technical details on a critical severity vulnerability (CVE-2024-0132) in NVIDIA Container Toolkit and GPU Operator, affecting cloud service providers. --------------------------------------------- https://www.wiz.io/blog/nvidia-ai-vulnerability-deep-dive-cve-2024-0132 ∗∗∗ Russian bulletproof hosting service Zservers sanctioned by US for LockBit coordination ∗∗∗ --------------------------------------------- A Russian service used to facilitate ransomware attacks by LockBit hackers has been sanctioned by U.S. authorities. --------------------------------------------- https://therecord.media/zservers-russia-bulletproof-hosting-us-uk-sanctions ===================== = Vulnerabilities = ===================== ∗∗∗ Microsoft Patch Tuesday for February 2025 — Snort rules and prominent vulnerabilities ∗∗∗ --------------------------------------------- Microsoft has released its monthly security update for January of 2025 which includes 58 vulnerabilities, including 3 that Microsoft marked as “critical” and one marked as "moderate". The remaining vulnerabilities listed are classified as “important.” --------------------------------------------- https://blog.talosintelligence.com/february-patch-tuesday-release/ ∗∗∗ Dringend patchen: Gefährliche Schadcode-Lücken in Excel bedrohen Office-Nutzer ∗∗∗ --------------------------------------------- Die Sicherheitslücken betreffen alle gängigen Office-Versionen. Laut Microsoft ist auch das Vorschau-Panel ein möglicher Angriffsvektor. --------------------------------------------- https://www.golem.de/news/microsoft-office-fuenf-excel-luecken-lassen-angre… ∗∗∗ Adobe-Patchday: Schadcode-Sicherheitslücken gefährden Illustrator & Co. ∗∗∗ --------------------------------------------- Mehrere Schwachstellen in Commerce, InCopy, InDesign, Illustrator, Photoshop Elements, Substance 3D Designer und Substance 3D Stager gefährden PCs. Viele der Schwachstellen stuft Adobe als "kritisch" ein. --------------------------------------------- https://www.heise.de/-10279209 ∗∗∗ Fortinet: Angriffe auf Schwachstellen laufen, Updates für diverse Produkte ∗∗∗ --------------------------------------------- Die bereits attackierte Sicherheitslücke betrifft FortiOS und FortiProxy, Fortinet hat damit eine Sicherheitsmitteilung aus dem Januar aktualisiert. Die dreht sich um eine Umgehung der Authentifizierung im Node.js-Websocket-Modul (CVE-2024-55591, CVSS 9.6, Risiko "kritisch"). Neu hinzugekommen ist nun der Eintrag CVE-2025-24472, CVSS 8.1, "hohes" Risiko. [..] Auf der Seite des Fortinet-PSIRT stehen noch eine Menge weiterer Aktualisierungen für diverse Produkte bereit, unter anderem für FortiAnalyzer, FortiPAM, FortiSwitchManager, FortiClientMac, FortiClientWindows, FortiSandbox, FortiManager und so weiter. --------------------------------------------- https://www.heise.de/-10279425 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (firefox, kernel, kernel-rt, tbb, and thunderbird), Debian (bind9, cacti, pam-pkcs11, and ruby2.7), Fedora (bind, bind-dyndb-ldap, chromium, crun, and java-21-openjdk), Mageia (calibre, nginx, python-ansible-core, python-jinja2, python-pip, python-setuptools, python-twisted, and python-waitress), Red Hat (doxygen, firefox, gcc, gcc-toolset-13-gcc, gcc-toolset-14-gcc, tbb, and thunderbird), SUSE (go1.24, govulncheck-vulndb, java-1_8_0-openj9, kernel, openssl-3, ovmf, python3-numpy, python311, python36, qemu, and skopeo), and Ubuntu (bluez and openssl). --------------------------------------------- https://lwn.net/Articles/1009177/ ∗∗∗ Apple Confirms ‘Extremely Sophisticated’ Exploit Threatening iOS Security ∗∗∗ --------------------------------------------- Apple fixes the USB Restricted Mode flaw in iOS 18.3.1 and iPadOS 18.3.1. Vulnerability exploited in targeted attacks. Update your iPhone/iPad now. --------------------------------------------- https://hackread.com/apple-extremely-sophisticated-exploit-ios-security/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.02.2025
by Daily end-of-shift report 11 Feb '25

11 Feb '25

===================== = End-of-Day report = ===================== Timeframe: Montag 10-02-2025 18:00 − Dienstag 11-02-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Over 12,000 KerioControl firewalls exposed to exploited RCE flaw ∗∗∗ --------------------------------------------- Over twelve thousand GFI KerioControl firewall instances are exposed to a critical remote code execution vulnerability tracked as CVE-2024-52875. --------------------------------------------- https://www.bleepingcomputer.com/news/security/over-12-000-keriocontrol-fir… ∗∗∗ US sanctions LockBit ransomware’s bulletproof hosting provider ∗∗∗ --------------------------------------------- The United States, Australia, and the United Kingdom have sanctioned Zservers, a Russia-based bulletproof hosting (BPH) services provider, for supplying essential attack infrastructure for the LockBit ransomware gang. --------------------------------------------- https://www.bleepingcomputer.com/news/security/us-sanctions-lockbit-ransomw… ∗∗∗ Russian military hackers deploy malicious Windows activators in Ukraine ∗∗∗ --------------------------------------------- The Sandworm Russian military cyber-espionage group is targeting Windows users in Ukraine with trojanized Microsoft Key Management Service (KMS) activators and fake Windows updates. --------------------------------------------- https://www.bleepingcomputer.com/news/security/russian-military-hackers-dep… ∗∗∗ All your 8Base are belong to us: Ransomware crew busted in global sting ∗∗∗ --------------------------------------------- Dark web site seized, four cuffed in Thailand An international police operation spanning the US, Europe, and Asia has shuttered the 8Base ransomware crews dark web presence and resulted in the arrest of four European suspects accused of stealing $16 million from more than 1,000 victims worldwide. --------------------------------------------- https://www.theregister.com/2025/02/10/8base_police_arrrest/ ∗∗∗ Im a security expert, and I almost fell for a North Korea-style deepfake job applicant …Twice ∗∗∗ --------------------------------------------- Remote position, webcam not working, then glitchy AI face ... Red alert! Twice, over the past two months, Dawid Moczadło has interviewed purported job seekers only to discover that these "software developers" were scammers using AI-based tools — likely to get hired at a security company also using artificial intelligence, and then steal source code or other sensitive IP. --------------------------------------------- https://www.theregister.com/2025/02/11/it_worker_scam/ ∗∗∗ Sicherheitsupdates Zimbra: Angreifer können Metadaten von E-Mails auslesen ∗∗∗ --------------------------------------------- Die Zimbra-Entwickler haben unter anderem mindestens eine kritische Lücke in der E-Mail- und Groupwarelösung geschlossen. --------------------------------------------- https://www.heise.de/news/Sicherheitsupdates-Zimbra-Angreifer-koennen-Metad… ∗∗∗ Hugging Face: Bösartige ML-Modelle auf Entwicklungsplattform aufgedeckt ∗∗∗ --------------------------------------------- Auf der KI-Entwicklungsplattform Hugging Face haben IT-Forscher bösartige ML-Modelle entdeckt. Angreifer könnten damit Befehle einschleusen. --------------------------------------------- https://www.heise.de/news/Hugging-Face-Boesartige-ML-Modelle-auf-Entwicklun… ∗∗∗ PCI DSS. Where to start? ∗∗∗ --------------------------------------------- TL;DR Determine your role: Merchant or service provider Determine your level and requirements Identify your validation method: SAQ or RoC Use the PCI website .. --------------------------------------------- https://www.pentestpartners.com/security-blog/pci-dss-where-to-start/ ∗∗∗ Hacker who hijacked SEC’s X account pleads guilty, faces maximum five-year sentence ∗∗∗ --------------------------------------------- Alabama native Eric Council Jr. confessed to taking over the Securities and Exchange Commissions account and posting false information that caused the price of bitcoin to swing wildly. --------------------------------------------- https://therecord.media/hacker-hijacked-sec-account-maximum ∗∗∗ SystemBC RAT Now Targets Linux, Spreading Ransomware and Infostealers ∗∗∗ --------------------------------------------- SystemBC RAT now targets Linux, enabling ransomware gangs like Ryuk & Conti to spread, evade detection, and maintain encrypted C2 traffic for stealthy cyberattacks. --------------------------------------------- https://hackread.com/systembc-rat-targets-linux-ransomware-infostealers/ ∗∗∗ Cisco Rejects Kraken Ransomware’s Data Breach Claims ∗∗∗ --------------------------------------------- Cisco denies recent data breach claims by the Kraken ransomware group, stating leaked credentials are from a resolved 2022 incident. Learn more about Ciscos response and the details of the original attack. --------------------------------------------- https://hackread.com/cisco-rejects-kraken-ransomware-data-breach-claim/ ∗∗∗ !exploitable Episode One - Breaking IoT ∗∗∗ --------------------------------------------- For our last company retreat, the Doyensec team went on a cruise along the coasts of the Mediterranean Sea. As amazing as each stop was, us being geeks, we had to break the monotony of daily pool parties with some much-needed hacking sessions. Luca and John, our chiefs, came to the rescue with three challenges chosen to .. --------------------------------------------- https://blog.doyensec.com/2025/02/11/exploitable-iot.html ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (firefox, tbb, and thunderbird), Debian (cacti, libtasn1-6, and rust-openssl), Oracle (galera and mariadb, kernel, raptor2, and thunderbird), SUSE (bind, fq, java-21-openj9, libtasn1-6-32bit, ovmf, python310, python312, python313, python314, rime-schema-all, thunderbird, and wget), and Ubuntu (eglibc, firefox, glibc, linux, linux-aws, linux-lts-xenial, ruby2.3, ruby2.5, and vim). --------------------------------------------- https://lwn.net/Articles/1008966/ ∗∗∗ Zahlreiche Schwachstellen in Wattsense Bridge ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/zahlreiche-schwachste… ∗∗∗ February Security Update ∗∗∗ --------------------------------------------- https://www.ivanti.com/blog/february-security-update -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.02.2025
by Daily end-of-shift report 10 Feb '25

10 Feb '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 07-02-2025 18:00 − Montag 10-02-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Microsoft raises rewards for Copilot AI bug bounty program ∗∗∗ --------------------------------------------- Microsoft announced over the weekend that it has expanded its Microsoft Copilot (AI) bug bounty program and increased payouts for moderate severity vulnerabilities. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-raises-rewards-fo… ∗∗∗ Malware from fake recruiters ∗∗∗ --------------------------------------------- Fake recruiters are currently on the hunt for CVs – and also your data. Reports have emerged about malware being put into work assignments that supposedly test a candidate’s technical skills. --------------------------------------------- https://www.gdatasoftware.com/blog/2025/02/38143-malware-fake-recruiters ∗∗∗ Cybersicherheit: OpenAI-Benutzerdatenbank angeblich gehackt ∗∗∗ --------------------------------------------- Im Darknet sind Hinweise veröffentlicht worden, dass die Benutzerdatenbank von OpenAI angeblich gehackt worden sei. Es gibt aber Zweifel. --------------------------------------------- https://www.golem.de/news/cybersicherheit-openai-benutzerdatenbank-angeblic… ∗∗∗ Reminder: 7-Zip & MoW, (Mon, Feb 10th) ∗∗∗ --------------------------------------------- CVE-2025-0411 is a vulnerability in 7-zip that has been reported to be exploited in recent attacks. The problem is that Mark-of-Web (MoW) isn't propagated correctly: when extracted, a file inside a ZIP file inside another ZIP file will not have the MoW propagated from the outer ZIP file. --------------------------------------------- https://isc.sans.edu/forums/diary/Reminder+7Zip+MoW/31668/ ∗∗∗ Server Attack Stops the Presses at US Newspaper Chain ∗∗∗ --------------------------------------------- They publish 77 newspapers in 26 U.S. states, according to Wikipedia. But this week a "cybersecurity event" at the newspapers parent company "disrupted systems and networks," according to an article at one of their news sites which quotes an email sent to employees by the publishing companys CEO. "We have notified law enforcement of .. --------------------------------------------- https://news.slashdot.org/story/25/02/10/0614233/server-attack-stops-the-pr… ∗∗∗ Hackers Exploit Google Tag Manager to Deploy Credit Card Skimmers on Magento Stores ∗∗∗ --------------------------------------------- Threat actors have been observed leveraging Google Tag Manager (GTM) to deliver credit card skimmer malware targeting Magento-based e-commerce websites.Website security company Sucuri said the code, while appearing to be a typical GTM and .. --------------------------------------------- https://thehackernews.com/2025/02/hackers-exploit-google-tag-manager-to.html ∗∗∗ Anonymisierendes Linux: Tails 6.12 schließt Deanonymisierungs-Lücke ∗∗∗ --------------------------------------------- Sicherheitslücken in der anonymisierenden Linux-Distribution Tails erlauben Angreifern die Deanonymisierung von Nutzern. Tails 6.12 stoppt das. --------------------------------------------- https://www.heise.de/news/Anonymisierendes-Linux-Tails-6-12-schliesst-Deano… ∗∗∗ Teen on Musk’s DOGE Team Graduated from ‘The Com’ ∗∗∗ --------------------------------------------- Wired reported this week that a 19-year-old working for Elon Musks so-called Department of Government Efficiency (DOGE) was given access to sensitive US government systems even though his past association with cybercrime communities should have precluded him from gaining the necessary security clearances to do so. As todays story explores, the DOGE teen is a .. --------------------------------------------- https://krebsonsecurity.com/2025/02/teen-on-musks-doge-team-graduated-from-… ∗∗∗ Millionen Thermomix-Nutzer von Datenleck betroffen ∗∗∗ --------------------------------------------- Im Darknet werden bei Rezeptwelt.de erbeutete Daten zum Verkauf angeboten. Die Lücke wurde geschlossen, der Hersteller warnt aber vor anderen Konsequenzen --------------------------------------------- https://www.derstandard.at/story/3000000256481/millionen-thermomix-nutzer-v… ∗∗∗ Small praise for modern compilers - A case of Ubuntu printing vulnerability that wasn’t ∗∗∗ --------------------------------------------- Earlier this year, we conducted code audits of the macOS printing subsystem, which is heavily based on the open-source CUPS package. During this investigation, IPP-USB protocol caught our attention. IPP over USB specification .. --------------------------------------------- https://blog.talosintelligence.com/small-praise-for-modern-compilers-a-case… ∗∗∗ Teen Hacker “Natohub” Caught for NATO, UN, and US Army Breaches ∗∗∗ --------------------------------------------- A joint operation by Spanish law enforcement has resulted in the apprehension of Natohub, a “dangerous hacker” suspected of orchestrating numerous cyberattacks against prominent organizations in Spain and internationally. --------------------------------------------- https://hackread.com/teen-hacker-natohub-caught-nato-un-us-army-breach/ ∗∗∗ Scammers Use Fake Facebook Copyright Notices to Hijack Accounts ∗∗∗ --------------------------------------------- A new phishing campaign is targeting businesses with fake Facebook copyright notices. Learn how to spot the signs and keep your Facebook account secure. --------------------------------------------- https://hackread.com/scammers-use-fake-facebook-copyright-notices-to-hijack… ∗∗∗ Be Skeptical of All Code - Not Just the Funny Stuff ∗∗∗ --------------------------------------------- Should you be more skeptical of code that is a “self-admitted keylogger” than code that purports to be useful? I’m not so sure. --------------------------------------------- https://eieio.games/blog/be-skeptical-of-all-code-not-just-the-funny-stuff/ ∗∗∗ Obsidian Publish Directory Enumeration ∗∗∗ --------------------------------------------- I have been using Obsidian for a while now. It is a great tool for organizing my life. My daily TODO lists, project boards, notes for school and research, and the occasional journal are all stored in .. --------------------------------------------- https://ezrizhu.com/blog/obsidian-dir-enum ∗∗∗ New OG Spoof Toolkit Manipulates Social Media Links for Cybercrime ∗∗∗ --------------------------------------------- Cyble Research and Intelligence Labs (CRIL) highlighted the growing misuse of the Open Graph Spoofing Toolkit, a dangerous tool designed to manipulate Open Graph Protocol metadata to trick users into clicking on harmful links. This exploitation of OG tags is a serious concern, as it opens the door to a wide range of phishing attacks that target social .. --------------------------------------------- https://thecyberexpress.com/open-graph-spoofing-toolkit-phishing-attacks/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (buildah, bzip2, galera and mariadb, keepalived, kernel, kernel-rt, mariadb:10.11, mingw-glib2, and podman), Debian (ark, firefox-esr, kernel, sssd, and thunderbird), Fedora (abseil-cpp, clevis-pin-tpm2, dbus-parsec, envision, fido-device-onboard, firefox, golang-github-nvidia-container-toolkit, gotify-desktop, .. --------------------------------------------- https://lwn.net/Articles/1008829/ ∗∗∗ Trimble Releases Security Updates to Address a Vulnerability in Cityworks Software ∗∗∗ --------------------------------------------- CISA is collaborating with private industry partners to respond to reports of exploitation of a vulnerability (CVE-2025-0994) discovered by Trimble impacting its Cityworks Server AMS (Asset Management System). Trimble has released security updates and an advisory addressing a recently discovered deserialization vulnerability enabling an external actor to .. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/02/07/trimble-releases-securit… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.02.2025
by Daily end-of-shift report 07 Feb '25

07 Feb '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 06-02-2025 18:00 − Freitag 07-02-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ DeepSeek Phishing Sites Pursue User Data, Crypto Wallets ∗∗∗ --------------------------------------------- Riding the wave of notoriety from the Chinese companys R1 AT chatbot, attackers are spinning up lookalike sites for different malicious use cases. --------------------------------------------- https://www.darkreading.com/cyber-risk/deepseek-phishing-sites-pursue-user-… ∗∗∗ Ohne Nutzerinteraktion: Kritische Outlook-Lücke wird aktiv ausgenutzt ∗∗∗ --------------------------------------------- Die Sicherheitslücke ermöglicht es Angreifern, durch per E-Mail verschickte und speziell gestaltete Hyperlinks Schadcode auszuführen. --------------------------------------------- https://www.golem.de/news/ohne-nutzerinteraktion-kritische-outlook-luecke-w… ∗∗∗ SSL 2.0 turns 30 this Sunday... Perhaps the time has come to let it die? ∗∗∗ --------------------------------------------- The SSL 2.0 protocol was originally published back in February of 1995[1], and although it was quickly found to have significant security weaknesses, and a more secure alternative was released only a year later, it still received a fairly wide adoption. --------------------------------------------- https://isc.sans.edu/diary/SSL+20+turns+30+this+Sunday+Perhaps+the+time+has… ∗∗∗ Screenshot-Reading Malware ∗∗∗ --------------------------------------------- Kaspersky is reporting on a new type of smartphone malware.The malware in question uses optical character recognition (OCR) to review a device’s photo library, seeking screenshots of recovery phrases for crypto wallets. Based on their assessment, infected Google Play apps have been downloaded more than 242,000 times. Kaspersky .. --------------------------------------------- https://www.schneier.com/blog/archives/2025/02/screenshot-reading-malware.h… ∗∗∗ Britische Regierung erzwingt Zugriff auf Apples verschlüsselte Cloud-Daten ∗∗∗ --------------------------------------------- Der Investigatory Powers Act wurde von Apple bereits öffentlich kritisiert. Nun hätten britische Sicherheitsbehörden gerne Zugriff auf Daten aller iCloud-User. --------------------------------------------- https://www.heise.de/news/Britische-Regierung-erzwingt-Zugriff-auf-Apples-v… ∗∗∗ BSI-Analyse von Nextcloud: Zwei-Faktor-Authentifizierung war angreifbar ∗∗∗ --------------------------------------------- Eine Codeanalyse des BSI förderte Schwachstellen in Nextcloud Server zutage. Unter anderem ließ sich die Zwei-Faktor-Authentifizierung umgehen. --------------------------------------------- https://www.heise.de/news/BSI-Analyse-von-Nextcloud-Zwei-Faktor-Authentifiz… ∗∗∗ 20 Million OpenAI accounts offered for sale ∗∗∗ --------------------------------------------- A cybercriminal calling themselves emirking is offering 20 million OpenAI accounts for sale on a Dark Web forum --------------------------------------------- https://www.malwarebytes.com/blog/news/2025/02/20-million-openai-accounts-o… ∗∗∗ ICS testing best results. Hint: Blend your approach ∗∗∗ --------------------------------------------- TL;DR Onsite ICS testing is risk averse Laboratory ICS device testing uncovers more A blended approach is key How that works Demonstrable benefits Introduction For safety’s sake onsite ICS .. --------------------------------------------- https://www.pentestpartners.com/security-blog/ics-testing-best-results-hint… ∗∗∗ US-Abgeordnete wollen Deepseek verbieten, Sicherheitsforscher warnen vor App ∗∗∗ --------------------------------------------- Parteienübergreifender Antrag will Nutzung auf Regierungsgeräten untersagen. Forscher fällen vernichtendes Urteil zur Sicherheit und finden problematische Datenübertragungen an mehrere chinesische Firmen --------------------------------------------- https://www.derstandard.at/story/3000000256396/us-abgeordnete-wollen-deepse… ∗∗∗ Vier italienische Aktivisten für Seerettung im Visier von Paragon-Spyware-Attacke ∗∗∗ --------------------------------------------- Vizepremier Salvini will in Israel Informationen über den Fall sammeln. Der Angriff erfolgte über Sicherheitslücke in Whatsapp --------------------------------------------- https://www.derstandard.at/story/3000000256452/vier-italienische-aktivisten… ∗∗∗ Chinese-Speaking Group Manipulates SEO with BadIIS ∗∗∗ --------------------------------------------- This blog post details our analysis of an SEO manipulation campaign targeting Asia. We also share recommendations that can help enterprises proactively secure their environment. --------------------------------------------- https://www.trendmicro.com/en_us/research/25/b/chinese-speaking-group-manip… ∗∗∗ Urteil: TLS-Verschlüsselung bei E-Mail-Rechnungen an Privatkunden zu wenig? ∗∗∗ --------------------------------------------- Der Fall einer per E-Mail geschickten Privatkunden-Rechnung, die von Kriminellen manipuliert wurde, wanderte vor Gericht. Der Knackpunkt: die Verschlüsselung. --------------------------------------------- https://heise.de/-10274040 ∗∗∗ Taiwan’s DeepSeek Ban Reflects Global Concerns Over AI Security ∗∗∗ --------------------------------------------- The Taiwan government’s recent decision to implement a ban on the use of the DeepSeek artificial intelligence chatbot within its public sector has drawn significant attention to the growing global concerns regarding .. --------------------------------------------- https://thecyberexpress.com/taiwans-deepseek-ban/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (openjdk-17), Fedora (firefox, FlightGear, java-1.8.0-openjdk, java-11-openjdk, java-latest-openjdk, and SimGear), Mageia (gstreamer), Red Hat (firefox, kernel, kernel-rt, libsoup, and python-jinja2), SUSE (bind, curl, dcmtk, etcd, firefox, google-osconfig-agent, krb5, openssl-1_1, podman, python311-cbor2, thunderbird, wget, and xrdp), and Ubuntu (glibc). --------------------------------------------- https://lwn.net/Articles/1008502/ ∗∗∗ [R2] Tenable Identity Exposure Version 3.77.8 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2025-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.02.2025
by Daily end-of-shift report 06 Feb '25

06 Feb '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 05-02-2025 18:00 − Donnerstag 06-02-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Ransomware payments declined in 2024 despite massive well-known hacks ∗∗∗ --------------------------------------------- Amount paid by victims to hackers declined by hundreds of millions of dollars. --------------------------------------------- https://arstechnica.com/security/2025/02/ransomware-payments-declined-in-20… ∗∗∗ Cisco Anyconnect: Hacker klonen Webseite der TU Dresden und verbreiten Malware ∗∗∗ --------------------------------------------- Mutmaßlich russische Angreifer wollten Nutzern von Cisco Anyconnect eine Malware unterjubeln. Mit einem Trick sollte die Masche unentdeckt bleiben. --------------------------------------------- https://www.golem.de/news/cisco-anyconnect-hacker-klonen-webseite-der-tu-dr… ∗∗∗ Scalable Vector Graphics files pose a novel phishing threat ∗∗∗ --------------------------------------------- The SVG file format can harbor malicious HTML, scripts, and malware --------------------------------------------- https://news.sophos.com/en-us/2025/02/05/svg-phishing/ ∗∗∗ Cisco stopft Sicherheitslücken in mehreren Produkten – auch kritische ∗∗∗ --------------------------------------------- In mehreren Produkten hat Cisco Sicherheitslücken entdeckt und warnt in Sicherheitsmitteilungen davor. Updates stehen bereit. --------------------------------------------- https://www.heise.de/news/Cisco-stopft-Sicherheitsluecken-in-mehreren-Produ… ∗∗∗ Thailand cuts power supply to Myanmar scam hubs ∗∗∗ --------------------------------------------- "It’s time to take decisive action,” Prime Minister Paethongthan Shinawatra said about Thailands move to cut off electricity from scam compounds in Myanmar border areas. --------------------------------------------- https://therecord.media/thailand-cuts-power-scam-compounds-myanmar ∗∗∗ U.S. Government Disclosed 39 Zero-Day Vulnerabilities in 2023, Per First-Ever Report ∗∗∗ --------------------------------------------- The number of zero-day vulnerabilities the government disclosed to vendors to be fixed, rather than keep them secret to exploit, comes out to about three a month. But the figure could rise dramatically under the Trump .. --------------------------------------------- https://www.zetter-zeroday.com/u-s-government-disclosed-39-zero-day-vulnera… ∗∗∗ Network security fundamentals ∗∗∗ --------------------------------------------- How to design, use, and maintain secure networks. --------------------------------------------- https://www.ncsc.gov.uk/guidance/network-security-fundamentals ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (asterisk and chromium), Fedora (FlightGear, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-latest-openjdk, and SimGear), Mageia (bind, chromium-browser-stable, python-django, and vim), Oracle (buildah, bzip2, firefox, keepalived, mariadb:10.11, and podman), Slackware (curl, mariadb, and mozilla), SUSE (cargo-audit-advisory-db-20250204 and python311-scikit-learn), and Ubuntu (ckeditor, krb5, and ruby2.7). --------------------------------------------- https://lwn.net/Articles/1008275/ ∗∗∗ OAuth2 Client - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-013 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2025-013 ∗∗∗ 2025-02-06: Cyber Security Advisory - Hard-coded credentials in ASPECT Energy Management System ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=9AKK108470A6775&Lan… ∗∗∗ CISA Releases Six Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/02/06/cisa-releases-six-indust… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.02.2025
by Daily end-of-shift report 05 Feb '25

05 Feb '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 04-02-2025 18:00 − Mittwoch 05-02-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Kosteneinsparungen: Lets Encrypt stellt Ablaufwarnungen für Zertifikate ein ∗∗∗ --------------------------------------------- Ab Juni erinnert Lets Encrypt nicht mehr an ablaufende Zertifikate. Administratoren wird empfohlen, auf alternative Dienste umzusteigen. --------------------------------------------- https://www.golem.de/news/kosteneinsparungen-let-s-encrypt-stellt-ablaufwar… ∗∗∗ Netgear fixes critical bugs as Five Eyes warn about break-ins at the edge ∗∗∗ --------------------------------------------- International security squads all focus on stopping baddies busting in through routers, IoT kit etc Netgear is advising customers to upgrade their firmware after it patched two critical vulnerabilities affecting multiple routers. --------------------------------------------- https://www.theregister.com/2025/02/05/netgear_fixes_critical_bugs_while/ ∗∗∗ In eigener Sache, wir stellen ein: System-Administrator:in (m/w/d - Vollzeit - Wien) ∗∗∗ --------------------------------------------- Für die Betreuung unserer Informations- und Kommunikationstechnik suchen wir eine/n System-Administrator:in mit Fachwissen im Bereich IT- und Netzwerk-Security. --------------------------------------------- https://www.cert.at/de/ueber-uns/jobs/ ∗∗∗ 7-Zip: Mark-of-the-Web-Lücke wurde von Angreifern missbraucht ∗∗∗ --------------------------------------------- Die kürzlich gemeldete Mark-of-the-Web-Schwachstelle in 7-Zip wurde von Angreifern in freier Wildbahn für Schadcode-Schmuggel missbraucht. --------------------------------------------- https://www.heise.de/news/7-Zip-Mark-of-the-Web-Luecke-wurde-von-Angreifern… ∗∗∗ Support ausgelaufen: Keine Sicherheitsupdates mehr für attackierte Zyxel-Router ∗∗∗ --------------------------------------------- Derzeit hat es eine Mirai-Botnet-Malware auf bestimmte Routermodelle von Zyxel abgesehen. Weil der Support ausgelaufen ist, müssen Admins jetzt handeln. --------------------------------------------- https://www.heise.de/news/Support-ausgelaufen-Keine-Sicherheitsupdates-mehr… ∗∗∗ Who’s Behind the Seized Forums ‘Cracked’ & ‘Nulled’? ∗∗∗ --------------------------------------------- The FBI joined authorities across Europe last week in seizing domain names for Cracked and Nulled, English-language cybercrime forums with millions of users that trafficked in stolen data, hacking tools and malware. An investigation into the history of these communities shows their apparent co-founders quite openly operate an Internet .. --------------------------------------------- https://krebsonsecurity.com/2025/02/whos-behind-the-seized-forums-cracked-n… ∗∗∗ Secure sanitisation and disposal of storage media ∗∗∗ --------------------------------------------- How to ensure data cannot be recovered from electronic storage media. --------------------------------------------- https://www.ncsc.gov.uk/guidance/secure-sanitisation-storage-media ∗∗∗ Hackers Using Fake Microsoft ADFS Login Pages to Steal Credentials ∗∗∗ --------------------------------------------- A global phishing campaign is actively exploiting a legacy Microsoft authentication system to steal user credentials and bypass multi-factor authentication (MFA), targeting over 150 organizations. --------------------------------------------- https://hackread.com/hackers-fake-microsoft-adfs-login-pages-steal-credenti… ∗∗∗ Banking Malware Uses Live Numbers to Hijack OTPs, Targeting 50,000 Victims ∗∗∗ --------------------------------------------- A banking malware campaign using live phone numbers to redirect SMS messages has been identified by the zLabs research team, uncovering 1,000+ malicious apps and 2.5GB of exposed data. --------------------------------------------- https://hackread.com/banking-malware-live-numbers-hijack-otp-50000-victims/ ∗∗∗ Preventing account takeover on centralized cryptocurrency exchanges in 2025 ∗∗∗ --------------------------------------------- This blog post highlights key points from our new white paper Preventing Account Takeovers on Centralized Cryptocurrency Exchanges, which documents ATO-related attack vectors and defenses tailored to CEXes. --------------------------------------------- https://blog.trailofbits.com/2025/02/05/preventing-account-takeover-on-cent… ===================== = Vulnerabilities = ===================== ∗∗∗ Multiple vulnerabilities in Defense Platform Home Edition ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN66673020/ ∗∗∗ Cisco Secure Email and Web Manager, Secure Email Gateway, and Secure Web Appliance Vulnerabilities ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Secure Web Appliance Range Request Bypass Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco IOS, IOS XE, and IOS XR Software SNMP Denial of Service Vulnerabilities ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerabilities ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Identity Services Engine Insecure Java Deserialization and Authorization Bypass Vulnerabilities ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Expressway Series Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Secure Email and Web Manager and Secure Email Gateway Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Secure Email and Web Manager, Secure Email Gateway, and Secure Web Appliance SNMP Polling Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.02.2025
by Daily end-of-shift report 04 Feb '25

04 Feb '25

===================== = End-of-Day report = ===================== Timeframe: Montag 03-02-2025 18:00 − Dienstag 04-02-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ 7-Zip MotW bypass exploited in zero-day attacks against Ukraine ∗∗∗ --------------------------------------------- A 7-Zip vulnerability allowing attackers to bypass the Mark of the Web (MotW) Windows security feature was exploited by Russian hackers as a zero-day since September 2024. --------------------------------------------- https://www.bleepingcomputer.com/news/security/7-zip-motw-bypass-exploited-… ∗∗∗ Beyond the Chatbot: Meta Phishing with Fake Live Support ∗∗∗ --------------------------------------------- In a previous Trustwave SpiderLabs’ blog, we explored how cybercriminals exploit Facebook Messenger chatbots to execute social engineering attacks, deceiving users into falling victim to scams and phishing schemes. These attacks .. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/beyond-the-… ∗∗∗ Meet the Hired Guns Who Make Sure School Cyberattacks Stay Hidden ∗∗∗ --------------------------------------------- An investigation into more than 300 cyberattacks against US K–12 schools over the past five years shows how schools can withhold crucial details from students and parents whose data was stolen. --------------------------------------------- https://www.wired.com/story/meet-the-hired-guns-who-make-sure-school-cybera… ∗∗∗ Lets Encrypt: 6-Tage-Zertifikate, keine Ablauf-Nachrichten zu Zertifikaten mehr ∗∗∗ --------------------------------------------- Lets Encrypt sieht einige Änderungen vor: Zertifikate mit sechs Tagen Laufzeit kommen neu hinzu. Zertifikat-Ablauf-Nachrichten fallen weg. --------------------------------------------- https://www.heise.de/news/Let-s-Encrypt-Ende-von-Zertifikat-Ablauf-Nachrich… ∗∗∗ A tale of enumeration, and why pen testing can’t be automated ∗∗∗ --------------------------------------------- TL;DR In an engagement we found an open directory on the internet belonging to our client By enumerating it we found a zip archive with a configuration file holding usernames .. --------------------------------------------- https://www.pentestpartners.com/security-blog/a-tale-of-enumeration-and-why… ∗∗∗ Practice being punched in the face. The realities of incident response preparation ∗∗∗ --------------------------------------------- “Everyone has a plan until they get punched in the face.” This Mike Tyson boxing quote perfectly encapsulates the chaos of a cybersecurity breach. TL;DR Accept that your organisation may .. --------------------------------------------- https://www.pentestpartners.com/security-blog/practice-being-punched-in-the… ∗∗∗ Neue Masche mit gefälschtem Post-Käuferschutz bei Kleinanzeigen ∗∗∗ --------------------------------------------- Kriminelle geben sich auf Kleinanzeigenplattformen als Kaufinteressierte aus und täuschen vor, Ihr Produkt über den Post Käuferschutz bezahlen zu wollen. Sie locken Sie auf eine gefälschte Zahlungsplattform, wo Sie Ihre Kreditkartendaten eingeben sollen, um die Zahlung zu bestätigen. Tatsächlich geben Sie aber eine Zahlung frei und .. --------------------------------------------- https://www.watchlist-internet.at/news/neue-masche-mit-gefaelschtem-post-ka… ∗∗∗ Stealers on the Rise: A Closer Look at a Growing macOS Threat ∗∗∗ --------------------------------------------- Atomic Stealer, Poseidon Stealer and Cthulhu Stealer target macOS. We discuss their various properties and examine leverage of the AppleScript framework. --------------------------------------------- https://unit42.paloaltonetworks.com/macos-stealers-growing/ ∗∗∗ Law Enforcement disrupts Major Spam Delivery Service ∗∗∗ --------------------------------------------- “The Saim Raza-run websites operated as marketplaces that advertised and facilitated the sale of tools such as phishing kits, scam pages and email extractors often .. --------------------------------------------- https://www.truesec.com/hub/blog/law-enforcement-disrupts-major-spam-delive… ∗∗∗ Hackers Hide Malware in Fake DeepSeek PyPI Packages ∗∗∗ --------------------------------------------- Malicious DeepSeek packages on PyPI spread malware, stealing sensitive data like API keys. Learn how this attack targeted developers and how to protect yourself. --------------------------------------------- https://hackread.com/hackers-hide-malware-fake-deepseek-pypi-packages/ ∗∗∗ CVE-2023-6080: A Case Study on Third-Party Installer Abuse ∗∗∗ --------------------------------------------- Mandiant exploited flaws in the Microsoft Software Installer (MSI) repair action of Lakeside Softwares SysTrack installer to obtain arbitrary code execution. An attacker with low-privilege access to a system running the vulnerable version of SysTrack .. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/cve-2023-6080-thir… ∗∗∗ CISA Partners with ASD’s ACSC, CCCS, NCSC-UK, and Other International and US Organizations to Release Guidance on Edge Devices ∗∗∗ --------------------------------------------- CISA—in partnership with international and U.S. organizations—released guidance to help organizations protect their network edge devices and appliances, such as firewalls, routers, virtual private networks (VPN) gateways, Internet of Things (IoT) devices, internet-facing servers, and internet-facing operational technology (OT) .. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/02/04/cisa-partners-asds-acsc-… ∗∗∗ 8 Million Requests Later, We Made The SolarWinds Supply Chain Attack Look Amateur ∗∗∗ --------------------------------------------- Surprise surprise, weve done it again. Weve demonstrated an ability to compromise significantly sensitive networks, including governments, militaries, space agencies, cyber security companies, .. --------------------------------------------- https://labs.watchtowr.com/8-million-requests-later-we-made-the-solarwinds-… ∗∗∗ Go Supply Chain Attack: Malicious Package Exploits Go Module Proxy Caching for Persistence ∗∗∗ --------------------------------------------- Socket researchers have discovered a malicious typosquat package in the Go ecosystem, impersonating the widely used BoltDB database module (github.com/boltdb/bolt), a tool trusted by many organizations including Shopify and Heroku. The BoltDB package is widely adopted within the Go ecosystem, with 8,367 other packages depending on it. Its extensive .. --------------------------------------------- https://socket.dev/blog/malicious-package-exploits-go-module-proxy-caching-… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (openjdk-17), Fedora (chromium, fastd, ovn, and yq), Mageia (libxml2 and redis), Oracle (gstreamer1-plugins-base, gstreamer1-plugins-good), Red Hat (buildah, bzip2, galera, mariadb, grafana, keepalived, libsoup, mariadb:10.11, mariadb:10.5, mingw-glib2, podman, python-jinja2, and rsync), SUSE (bind, ignition, .. --------------------------------------------- https://lwn.net/Articles/1007886/ ∗∗∗ Synology-SA-25:01 DSM (PWN2OWN 2024) ∗∗∗ --------------------------------------------- A vulnerability allows man-in-the-middle attackers to hijack the authentication of administrators.The vulnerability reported by PWN2OWN 2024 (ZDI-CAN-25487) has been addressed. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_25_01 ∗∗∗ CISA Releases Nine Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- CISA released nine Industrial Control Systems (ICS) advisories on February 4, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.ICSA-25-035-01 Western Telematic Inc NPS Series, DSM Series, CPM SeriesICSA-25-035-02 Rockwell Automation 1756-L8zS3 and 1756-L3 and 1756-L3ICSA-25-035-03 .. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/02/04/cisa-releases-nine-indus… ∗∗∗ Security Vulnerabilities fixed in Thunderbird 135 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-11/ ∗∗∗ Security Vulnerabilities fixed in Thunderbird ESR 128.7 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-10/ ∗∗∗ Security Vulnerabilities fixed in Firefox ESR 128.7 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-09/ ∗∗∗ Security Vulnerabilities fixed in Firefox ESR 115.20 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-08/ ∗∗∗ Security Vulnerabilities fixed in Firefox 135 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-07/ ∗∗∗ Zyxel security advisory for command injection and insecure default credentials vulnerabilities in certain legacy DSL CPE ∗∗∗ --------------------------------------------- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.02.2025
by Daily end-of-shift report 03 Feb '25

03 Feb '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 31-01-2025 18:00 − Montag 03-02-2025 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ DeepSeek AI tools impersonated by infostealer malware on PyPI ∗∗∗ --------------------------------------------- Threat actors are taking advantage of the rise in popularity of the DeepSeek to promote two malicious infostealer packages on the Python Package Index (PyPI), where they impersonated developer tools for the AI platform. --------------------------------------------- https://www.bleepingcomputer.com/news/security/deepseek-ai-tools-impersonat… ∗∗∗ DeepSeek’s Safety Guardrails Failed Every Test Researchers Threw at Its AI Chatbot ∗∗∗ --------------------------------------------- Security researchers tested 50 well-known jailbreaks against DeepSeek’s popular new AI chatbot. It didn’t stop a single one. --------------------------------------------- https://www.wired.com/story/deepseeks-ai-jailbreak-prompt-injection-attacks/ ∗∗∗ What Cybersecurity Can Teach Us About the Human Body ∗∗∗ --------------------------------------------- Understanding cybersecurity can sometimes feel like steering a maze of technical terms and complex systems. But a recent infographic shared by @yanabantai on X (formerly Twitter) has made it simpler, offering a fresh perspective by comparing cybersecurity to the human body. --------------------------------------------- https://thecyberexpress.com/cybersecurity-about-the-human-body/ ∗∗∗ Erstmals leicht sinkende Tendenz bei Anzeigen zur Cyberkriminalität ∗∗∗ --------------------------------------------- Wenn in den nächsten Wochen die Kriminalstatistik veröffentlicht wird, ist von einer Trendumkehr bei Cybercrime auszugehen. Erstmals wird es in diesem Bereich einen leichten Rückgang bei den Anzeigen 2024 im Vergleich zu 2023 geben. --------------------------------------------- https://www.derstandard.at/story/3000000255493/erstmals-leicht-sinkende-ten… ∗∗∗ Phishing-Fallen: Wiener Polizei sucht Täter mittels Fahndungsfotos ∗∗∗ --------------------------------------------- Mit einer SMS und gefälschten Banken-Website wurden mehrere Menschen in Österreich in die Falle gelockt und bestohlen. [..] Mit Bildern aus Überwachungskameras jener Bankautomaten, wo Geld von den Opfern behoben wurde, wird nun nach den Verdächtigen gesucht. Die Fotos sind auf der Website der Polizei zu sehen. --------------------------------------------- https://futurezone.at/digital-life/phishing-wien-polizei-oesterreich-foto-b… ∗∗∗ Hacker nutzen Google Gemini für Cyber-Angriffe ∗∗∗ --------------------------------------------- Kriminelle nutzen Googles Künstliche Intelligenz Gemini für Cyberangriffe, Phishing und Spionage. [..] Die Hacker nutzen Gemini derzeit zwar nicht, um neue kriminelle Methoden ausfindig zu machen, aber um bestehende zu verbessern. --------------------------------------------- https://futurezone.at/digital-life/google-gemini-hacker-cyber-angriffe-iran… ∗∗∗ 1-Click Phishing Campaign Targets High-Profile X Accounts ∗∗∗ --------------------------------------------- In an attack vector thats been used before, threat actors aim to commit crypto fraud by hijacking highly followed users, thus reaching a broad audience of secondary victims. --------------------------------------------- https://www.darkreading.com/endpoint-security/one-click-phishing-campaign-h… ∗∗∗ Journalists and Civil Society Members Using WhatsApp Targeted by Paragon Spyware ∗∗∗ --------------------------------------------- This is yet another story of commercial spyware being used against journalists and civil society members. The journalists and other civil society members were being alerted of a possible breach of their devices, with WhatsApp telling the Guardian it had “high confidence” that the 90 users in question had been targeted and “possibly compromised. --------------------------------------------- https://www.schneier.com/blog/archives/2025/02/journalists-and-civil-societ… ∗∗∗ Further Adventures With CMPivot — Client Coercion ∗∗∗ --------------------------------------------- CMPivot queries can be used to coerce SMB authentication from SCCM client hosts. --------------------------------------------- https://posts.specterops.io/further-adventures-with-cmpivot-client-coercion… ∗∗∗ CVE-2023-6080: A Case Study on Third-Party Installer Abuse ∗∗∗ --------------------------------------------- Mandiant exploited flaws in the Microsoft Software Installer (MSI) repair action of Lakeside Softwares SysTrack installer to obtain arbitrary code execution. An attacker with low-privilege access to a system running the vulnerable version of SysTrack could escalate privileges locally. [..] August 7, 2024 - Confirmed vulnerability fixed in version 11.0 --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/cve-2023-6080-thir… ∗∗∗ OPA Gatekeeper Bypass Reveals Risks in Kubernetes Policy Engines ∗∗∗ --------------------------------------------- Implementing Kubernetes securely can be a daunting task. Fortunately, there are tools in the K8s toolshed that provide out-of-the-box solutions using a single click. One such tools is OPA Gatekeeper. It is a great out-of-the-box security checkpoint to enforce security policies on Kubernetes. But are users using it correctly? Do they understand its limitations? Our new research says not necessarily! --------------------------------------------- https://blog.aquasec.com/opa-gatekeeper-bypass-reveals-risks-in-kubernetes-… ∗∗∗ Stronger Than Ever: How We Turned a DDoS Attack Into a Lesson in Resilience ∗∗∗ --------------------------------------------- We were subjected to several attempted DDoS attacks, and the first cohort didn't even raise an alarm, but on the 23rd Jan, we noticed the first impact. [..] Maybe you and your organisation will face a similar issue in the future and you can be more aware of the ransom scam, maybe the lessons we learned here are something you can use to avoid similar issues of your own in the future, or maybe this blog post was just an interesting read for you. --------------------------------------------- https://scotthelme.ghost.io/stronger-than-ever-how-we-turned-a-ddos-attack-… ∗∗∗ Vulnerability & Patch Roundup — January 2025 ∗∗∗ --------------------------------------------- Vulnerability reports and responsible disclosures are essential for website security awareness and education. --------------------------------------------- https://blog.sucuri.net/2025/01/vulnerability-patch-roundup-january-2025.ht… ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitsupdates: Zahlreiche Lücken gefährden Backup-Appliances von Dell ∗∗∗ --------------------------------------------- Admins, die Backups mit Dells PowerProtect managen, sollten aus Sicherheitsgründen aktuelle Versionen von Data Domain Operating System (DD OS) installieren. Geschieht das nicht, können Angreifer Systeme vollständig kompromittieren. --------------------------------------------- https://www.heise.de/-10267578 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (git-lfs, libsoup, and unbound), Debian (dcmtk, ffmpeg, openjdk-11, pam-u2f, and python-aiohttp), Fedora (buku, chromium, jpegxl, nodejs18, nodejs20, and rust-routinator), Mageia (clamav, kernel, kmod-virtualbox, kmod-xtables-addons & dwarves, and kernel-linus), SUSE (apptainer, bind, buildah, chromedriver, clamav, dovecot24, ignition, kubelogin, libjxl, libQt5Bluetooth5-32bit, orc, owasp-modsecurity-crs, python-pydantic, python311-ipython, and stb), and Ubuntu (linux-azure and netdata). --------------------------------------------- https://lwn.net/Articles/1007646/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 31.01.2025
by Daily end-of-shift report 31 Jan '25

31 Jan '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 30-01-2025 18:00 − Freitag 31-01-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Windows Exploitation Tricks: Trapping Virtual Memory Access (2025 Update) ∗∗∗ --------------------------------------------- Back in 2021 I wrote a blog post about various ways you can build a virtual memory access trap primitive on Windows. The goal was to cause a reader or writer of a virtual memory address to halt for a significant (e.g. 1 or more seconds) amount of time, generally for the purpose of exploiting TOCTOU memory access .. --------------------------------------------- https://googleprojectzero.blogspot.com/2025/01/windows-exploitation-tricks-… ∗∗∗ Infrastructure Laundering: Blending in with the Cloud ∗∗∗ --------------------------------------------- In an effort to blend in and make their malicious traffic tougher to block, hosting firms catering to cybercriminals in China and Russia increasingly are funneling their operations through major U.S. cloud providers. Research published this week on one such outfit -- a sprawling network tied to Chinese organized crime gangs and aptly named "Funnull" -- highlights a persistent whac-a-mole problem facing cloud services. --------------------------------------------- https://krebsonsecurity.com/2025/01/infrastructure-laundering-blending-in-w… ∗∗∗ Operation "Talent" nimmt weltgrößte Plattformen für Cyberkriminalität vom Netz ∗∗∗ --------------------------------------------- Bei einer internationalen Aktion wurden die Cracking-Foren nulled.to und cracked.io vom Netz genommen --------------------------------------------- https://www.derstandard.at/story/3000000255412/operation-talent-nimmt-weltg… ∗∗∗ Recent Jailbreaks Demonstrate Emerging Threat to DeepSeek ∗∗∗ --------------------------------------------- Evaluation of three jailbreaking techniques on DeepSeek shows risks of generating prohibited content. --------------------------------------------- https://unit42.paloaltonetworks.com/jailbreaking-deepseek-three-techniques/ ∗∗∗ On hackers, hackers, and hilarious misunderstandings ∗∗∗ --------------------------------------------- "Hacker", as we in the bizz know well, carries different meanings for different people, and this can cause hilarious misunderstandings. Yesterday, the Polish TV network TVN aired the second part of an ongoing documentary about issues in NEWAG trains that were analyzed by Dragon Sector. Near the end, the documentary featured a recording .. --------------------------------------------- https://gynvael.coldwind.pl/?id=799 ∗∗∗ Cyberangriffe auf SimpleHelp RMM beobachtet ∗∗∗ --------------------------------------------- In SimepleHelp RMM missbrauchen Angreifer Sicherheitslücken, um Netzwerke zu kompromittieren. Updates stehen bereit. --------------------------------------------- https://heise.de/-10265414 ∗∗∗ The Slow Death of OCSP ∗∗∗ --------------------------------------------- Everybody is talking about OCSP now because, just last month, at the end of 2024, Let’s Encrypt announced it was going to stop supporting online certificate revocation checking. Beginning in early May 2025, there will no longer be any OCSP revocation information in Let’s Encrypt’s certificates. Once all its earlier certificates expire, Let’s Encrypt will shut down its OCSP servers. --------------------------------------------- https://www.feistyduck.com/newsletter/issue_121_the_slow_death_of_ocsp ∗∗∗ PyPI’s New Archival Feature Closes a Major Security Gap ∗∗∗ --------------------------------------------- A major security improvement has landed on PyPI: maintainers can now archive projects, making it clear when a package is no longer actively maintained. This long-awaited feature, developed by Trail of Bits and funded by Alpha-Omega, helps developers make informed decisions about dependencies while protecting the Python ecosystem from risks associated .. --------------------------------------------- https://socket.dev/blog/pypi-adds-support-for-archiving-projects ∗∗∗ VMware Aria Vulnerabilities Addressed ∗∗∗ --------------------------------------------- VMware Security Advisory VMSA-2025-0003 addresses multiple vulnerabilities identified in VMware Aria Operations for Logs and VMware Aria Operations. These vulnerabilities, if exploited, could allow attackers to .. --------------------------------------------- https://thecyberthrone.in/2025/01/31/vmware-aria-vulnerabilities-addressed/ ∗∗∗ DeepSeek’s Popularity Sparks Surge in Crypto Phishing and Malware Campaigns ∗∗∗ --------------------------------------------- The rapid rise of DeepSeek, a Chinese artificial intelligence company known for its open-source large language models (LLMs), has sparked not only excitement but also a significant increase in cyber threats. As of January 2025, the company launched its first free chatbot app, “DeepSeek – AI Assistant,” which quickly became the most downloaded .. --------------------------------------------- https://thecyberexpress.com/deepseeks-surge-sparks-malware-campaigns/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (libsoup), Debian (debian-security-support and redis), Fedora (expat, java-21-openjdk, lemonldap-ng, and phpMyAdmin), Mageia (chromium-browser-stable and git-lfs), Oracle (bzip2, git-lfs, libsoup, mariadb:10.11, mariadb:10.5, python-jinja2, redis, and unbound), Red Hat (git-lfs, libsoup, python-jinja2, .. --------------------------------------------- https://lwn.net/Articles/1007252/ ∗∗∗ VU#733789: ChatGPT-4o contains security bypass vulnerability through time and search functions called "Time Bandit" ∗∗∗ --------------------------------------------- https://kb.cert.org/vuls/id/733789 ∗∗∗ ZDI-25-060: Google Chrome AI Manager Use-After-Free Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-25-060/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.01.2025
by Daily end-of-shift report 30 Jan '25

30 Jan '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 29-01-2025 18:00 − Donnerstag 30-01-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ No need to RSVP: a closer look at the Tria stealer campaign ∗∗∗ --------------------------------------------- Kaspersky GReAT experts discovered a new campaign targeting Android devices in Malaysia and Brunei with the Tria stealer to collect data from apps like WhatsApp and Gmail. --------------------------------------------- https://securelist.com/tria-stealer-collects-sms-data-from-android-devices/… ∗∗∗ Exposed DeepSeek Database Revealed Chat Prompts and Internal Data ∗∗∗ --------------------------------------------- China-based DeepSeek has exploded in popularity, drawing greater scrutiny. Case in point: Security researchers found more than 1 million records, including user data and API keys, in an open database. --------------------------------------------- https://www.wired.com/story/exposed-deepseek-database-revealed-chat-prompts… ∗∗∗ Europol warnt vor gefälschten Medikamenten in Online-Angeboten ∗∗∗ --------------------------------------------- Europol hat 2024 Medikamente im Wert von rund 11,1 Millionen Euro beschlagnahmt. Sie waren gefälscht und für den Online-Handel vorgesehen. --------------------------------------------- https://www.heise.de/news/Europol-warnt-vor-gefaelschten-Medikamenten-in-On… ∗∗∗ Warten auf Patch: Das Admin-Interface Voyager für Laravel-Apps ist verwundbar ∗∗∗ --------------------------------------------- Sicherheitsforscher warnen vor möglichen Attacken auf Voyager. Bislang haben sich die Entwickler zu den Sicherheitslücken nicht geäußert. --------------------------------------------- https://www.heise.de/news/Warten-auf-Patch-Das-Admin-Interface-Voyager-fuer… ∗∗∗ Linux-related discussion as a cybersecurity threat ∗∗∗ --------------------------------------------- Starting on January 19, 2025 Facebooks internal policy makers decided that Linux is malware and labeled groups associated with Linux as being "cybersecurity threats". Any posts mentioning DistroWatch and multiple groups associated with Linux and Linux discussions have either been shut down or had many of their posts removed. Weve been hearing all week .. --------------------------------------------- https://lwn.net/Articles/1006328/ ∗∗∗ Betrugswelle auf Facebook: Gefälschte Lagerabverkäufe von Hofer und Zara ∗∗∗ --------------------------------------------- Aktuell kursieren auf Facebook Postings, die angeblich von bekannten Marken stammen und mit einem Lagerabverkauf werben. Nutzer:innen wird suggeriert, dass Unternehmen wie Hofer oder Zara kostenlose Kaffeemaschinen oder Geschenkboxen zu Sonderpreisen verschenken. Doch Vorsicht: Es handelt sich um gefälschte Angebote von Kriminellen, die es nur auf Kreditkartendaten abgesehen haben. --------------------------------------------- https://www.watchlist-internet.at/news/betrugswelle-auf-facebook-gefaelscht… ∗∗∗ Risikobild 2025 ∗∗∗ --------------------------------------------- Das österreichische Verteidigungsministerium präsentierte am 27. Jänner das "Risikobild 2025". Wie nicht anders zu erwarten war, dominieren geopolitische Herausforderungen die Risikolandschaft. Der Ukraine-Krieg, die Spannungen zwischen China und den USA sowie der Nahe Osten sind auch die ersten Themen, die mir einfallen würden, wenn mich .. --------------------------------------------- https://www.cert.at/de/blog/2025/1/risikobild-2025 ∗∗∗ Talos IR trends Q4 2024: Web shell usage and exploitation of public-facing applications spike ∗∗∗ --------------------------------------------- This new report from Cisco Talos Incident Response explores how threat actors increasingly deployed web shells against vulnerable web applications, and exploited vulnerable or unpatched public-facing applications to gain initial access. --------------------------------------------- https://blog.talosintelligence.com/talos-ir-trends-q4-2024/ ∗∗∗ FBI Seizes Leading Hacking Forums Cracked.io and Nulled.to ∗∗∗ --------------------------------------------- Nulled.to, Cracked.to and Cracked.io, major hacking forums, appear seized by the FBI as DNS records point to FBI. --------------------------------------------- https://hackread.com/fbi-seizes-hacking-forums-cracked-to-nulled-to/ ∗∗∗ Common OAuth Vulnerabilities ∗∗∗ --------------------------------------------- OAuth2’s popularity makes it a prime target for attackers. While it simplifies user login, its complexity can lead to misconfigurations that create security holes. Some of the more intricate vulnerabilities keep reappearing because the protocol’s inner workings are not always well-understood. In an effort to change that, we have decided to .. --------------------------------------------- https://blog.doyensec.com/2025/01/30/oauth-common-vulnerabilities.html ===================== = Vulnerabilities = ===================== ∗∗∗ Google Tag - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-012 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2025-012 ∗∗∗ Google Tag - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-011 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2025-011 ∗∗∗ Drupal Admin LTE theme - Critical - Unsupported - SA-CONTRIB-2025-010 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2025-010 ∗∗∗ Authenticator Login - Critical - Access bypass - SA-CONTRIB-2025-009 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2025-009 ∗∗∗ Matomo Analytics - Moderately critical - Cross site request forgery - SA-CONTRIB-2025-008 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2025-008 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.01.2025
by Daily end-of-shift report 29 Jan '25

29 Jan '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 28-01-2025 18:00 − Mittwoch 29-01-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Threat predictions for industrial enterprises 2025 ∗∗∗ --------------------------------------------- Kaspersky ICS CERT analyzes industrial threat trends and makes forecasts on how the industrial threat landscape will look in 2025. --------------------------------------------- https://securelist.com/industrial-threat-predictions-2025/115327/ ∗∗∗ ExxonMobil Lobbyist Caught Hacking Climate Activists ∗∗∗ --------------------------------------------- The Department of Justice is investigating a lobbying firm representing ExxonMobil for hacking the phones of climate activists:The hacking was allegedly commissioned by a Washington, D.C., lobbying firm, according to a lawyer representing the U.S. government. The firm, in turn, was allegedly working on behalf of one of the world’s largest oil and gas .. --------------------------------------------- https://www.schneier.com/blog/archives/2025/01/exxonmobil-lobbyist-caught-h… ∗∗∗ Industrielle Kontrollsysteme: Attacken auf kritische Infrastrukturen möglich ∗∗∗ --------------------------------------------- Es sind wichtige Sicherheitsupdates für industriellen Steuerungssysteme von unter anderem Rockwell und Schneider erschienen. --------------------------------------------- https://www.heise.de/news/Industrielle-Kontrollsysteme-Attacken-auf-kritisc… ∗∗∗ Zwei Sidechannel-Attacken auf Apples M-Prozessoren ∗∗∗ --------------------------------------------- Die schwerwiegenden Sicherheitslücken lassen sich für Angriffe auf Webbrowser aus der Ferne nutzen. Betroffen sind viele Mobil- und Desktop-Geräte von Apple. --------------------------------------------- https://www.heise.de/news/Zwei-Sidechannel-Attacken-auf-Apples-M-Prozessore… ∗∗∗ How we estimate the risk from prompt injection attacks on AI systems ∗∗∗ --------------------------------------------- Modern AI systems, like Gemini, are more capable than ever, helping retrieve data and perform actions on behalf of users. However, data from external sources present new security challenges if untrusted sources are available to execute instructions on AI systems. Attackers can take advantage of this by hiding malicious instructions in data .. --------------------------------------------- http://security.googleblog.com/2025/01/how-we-estimate-risk-from-prompt.html ∗∗∗ Backups & DRP in the ransomware era ∗∗∗ --------------------------------------------- In today’s digital landscape, the threat of ransomware has forced organizations to reevaluate their disaster recovery plans. Traditional approaches to data protection were focused primarily on high availability and are no longer sufficient. As cyber threats evolve, so must our strategies for safeguarding critical information. This blog post explores the .. --------------------------------------------- https://blog.nviso.eu/2025/01/29/backups-drp-in-the-ransomware-era/ ∗∗∗ Hackers Actively Exploiting Fortinet Firewalls: Real-Time Insights from GreyNoise ∗∗∗ --------------------------------------------- This blog details how attackers are actively exploiting Fortinet FortiGate firewalls vulnerable to CVE-2022-40684, with real-time insights from GreyNoise to help defenders understand and respond to these threats. --------------------------------------------- https://www.greynoise.io/blog/hackers-actively-exploiting-fortinet-firewall… ∗∗∗ Active Exploitation of Zero-day Zyxel CPE Vulnerability (CVE-2024-40891) ∗∗∗ --------------------------------------------- CVE-2024-40891: Zyxel CPE Zero-day Exploitation. Hackers are actively exploiting a telnet-based command injection vulnerability in Zyxel CPE devices, impacting 1,500+ exposed systems. No patch is available yet. --------------------------------------------- https://www.greynoise.io/blog/active-exploitation-of-zero-day-zyxel-cpe-vul… ∗∗∗ Adversarial Misuse of Generative AI ∗∗∗ --------------------------------------------- Rapid advancements in artificial intelligence (AI) are unlocking new possibilities for the way we work and accelerating innovation in science, technology, and beyond. In cybersecurity, AI is poised to transform digital defense, empowering defenders and enhancing our collective security. Large language models (LLMs) open new possibilities for .. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/adversarial-misuse… ∗∗∗ CVE-2024-46507: Yeti Platform Server-Side Template Injection (SSTI) ∗∗∗ --------------------------------------------- Yeti is a Forensic Intelligence platform and pipeline for DFIR teams. It allows threat intelligence and DFIR teams to catalog, search, and link pieces of intelligence such as IP addresses, TTPs, and threat actors. With 10,000 .. --------------------------------------------- https://rhinosecuritylabs.com/research/cve-2024-46507-yeti-server-side-temp… ∗∗∗ CISA Brings KEV Data to GitHub ∗∗∗ --------------------------------------------- The Cybersecurity and Infrastructure Security Agency (CISA) just made a major move to improve access and usability for its Known Exploited Vulnerabilities (KEV) catalog. Announced by Tod Beardsley on LinkedIn, CISA has launched a new kev-data repository on GitHub, allowing developers, researchers, and cybersecurity enthusiasts to access KEV data in .. --------------------------------------------- https://socket.dev/blog/cisa-brings-kev-data-to-github ∗∗∗ CVE-2024-49138 Windows CLFS heap-based buffer overflow analysis – Part 2 ∗∗∗ --------------------------------------------- In the previous article, we discussed a vulnerability in the LoadContainerQ() function inside clfs.sys. The root cause of the vulnerability was LoadContainerQ() using a CLFS_CONTAINER_CONTEXT.pContainer without checking if FlushImage() invalidated the General Metadata Block. --------------------------------------------- https://security.humanativaspa.it/cve-2024-49138-windows-clfs-heap-based-bu… ∗∗∗ CVE-2024-49138 Windows CLFS heap-based buffer overflow analysis – Part 1 ∗∗∗ --------------------------------------------- CVE-2024-49138 is a Windows vulnerability detected by CrowdStrike as exploited in the wild. Microsoft patched the vulnerability on December 10th, 2024 with KB5048685 (for Windows 11 .. --------------------------------------------- https://security.humanativaspa.it/cve-2024-49138-windows-clfs-heap-based-bu… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (bzip2, gimp:2.8, keepalived, mariadb:10.11, mariadb:10.5, python-jinja2, and redis), Debian (iperf3, libtar, and pdns-recursor), Fedora (abseil-cpp, dotnet8.0, dotnet9.0, golang, libsoup3, and vaultwarden), Oracle (gimp:2.8, iperf3, keepalived, kernel, redis:7, and unbound), Red Hat (libsoup), SUSE (amazon-ssm-agent, .. --------------------------------------------- https://lwn.net/Articles/1006677/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.01.2025
by Daily end-of-shift report 28 Jan '25

28 Jan '25

===================== = End-of-Day report = ===================== Timeframe: Montag 27-01-2025 18:00 − Dienstag 28-01-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ EU sanctions Russian GRU hackers for cyberattacks against Estonia ∗∗∗ --------------------------------------------- The European Union sanctioned three hackers, part of Unit 29155 of Russias military intelligence service (GRU), for their involvement in cyberattacks targeting Estonias government agencies in 2020. --------------------------------------------- https://www.bleepingcomputer.com/news/security/eu-sanctions-russian-gru-hac… ∗∗∗ Israel: Hacker kapern Notfallsirenen und spielen arabische Musik ∗∗∗ --------------------------------------------- In mehreren israelischen Einrichtungen ist kürzlich unerwartet arabische Musik aus den Notfallsirenen ertönt. Eine Hackergruppe hat sich schuldig bekannt. --------------------------------------------- https://www.golem.de/news/israel-hacker-kapern-notfallsirenen-und-spielen-a… ∗∗∗ Beyond the hype: The business reality of AI for cybersecurity ∗∗∗ --------------------------------------------- Real-world insights from 400 IT leaders, plus practical guidance to enhance business outcomes --------------------------------------------- https://news.sophos.com/en-us/2025/01/28/beyond-the-hype-the-business-reali… ∗∗∗ Update: Cybercriminals still not fully on board the AI train (yet) ∗∗∗ --------------------------------------------- A year after our initial research on threat actors’ attitudes to generative AI, we revisit some underground forums and find that many cybercriminals are still skeptical – although there has been a slight shift. --------------------------------------------- https://news.sophos.com/en-us/2025/01/28/update-cybercriminals-still-not-fu… ∗∗∗ Top-Rated Chinese AI App DeepSeek Limits Registrations Amid Cyberattacks ∗∗∗ --------------------------------------------- DeepSeek, the Chinese AI startup that has captured much of the artificial intelligence (AI) buzz in recent days, said its restricting registrations on the service, citing malicious attacks."Due to large-scale malicious attacks on DeepSeeks services, .. --------------------------------------------- https://thehackernews.com/2025/01/top-rated-chinese-ai-app-deepseek.html ∗∗∗ Apple plugs security hole in its iThings thats already been exploited in iOS ∗∗∗ --------------------------------------------- Cupertino kicks off the year with a zero-day Apple has plugged a security hole in the software at the heart of its iPhones, iPads, Vision Pro goggles, Apple TVs and macOS Sequoia Macs, warning some miscreants have already exploited the bug. --------------------------------------------- https://www.theregister.com/2025/01/28/apple_cve_2025_24085/ ∗∗∗ Security pros more confident about fending off ransomware, despite being battered by attacks ∗∗∗ --------------------------------------------- Data leak, shmata leak. It will all work out, right? IT and security pros say they are more confident in their ability to manage ransomware attacks after nearly nine in ten (88 percent) were forced to contain efforts by criminals to breach their defenses in the past year. --------------------------------------------- https://www.theregister.com/2025/01/28/research_security_pros_gain_ransomwa… ∗∗∗ Auf Facebook konnte man E-Mail-Adressen, Telefonnummern, Einmalpasswörter, etc. von Fremden einsehen. ∗∗∗ --------------------------------------------- For an unknown period until the end of January 2024, Facebook appears to have suffered a data leak that has exposed users’ email addresses, phone numbers and other identifying information. [..] The issue was reported to Facebook via its bug bounty programme. While the demonstrated method stopped working two weeks after submission, the .. --------------------------------------------- https://social.leckse.net/@leckse/statuses/01JJPE94S1NQM62VY60S767S1H ∗∗∗ Sonicwall: Tausende Geräte für trivial angreifbare SSL-VPN-Lücke anfällig ∗∗∗ --------------------------------------------- Seit Anfang Januar gibt es einen Patch zum Schließen einer SSL-VPN-Lücke in Sonicwalls. Dennoch sind mehr als 5000 Geräte noch angreifbar. --------------------------------------------- https://www.heise.de/news/Leicht-angreifbare-Sonicwall-Luecke-Tausende-Gera… ∗∗∗ Teamviewer: Rechteausweitung durch Sicherheitslücke möglich ∗∗∗ --------------------------------------------- Teamviewer warnt vor einer Schwachstelle in den Windows-Versionen der Fernwartungssoftware, die Angreifern die Rechteausweitung ermöglicht. --------------------------------------------- https://www.heise.de/news/Teamviewer-Rechteausweitung-durch-Sicherheitsluec… ∗∗∗ A Tumultuous Week for Federal Cybersecurity Efforts ∗∗∗ --------------------------------------------- President Trump last week issued a flurry of executive orders that upended a number of government initiatives focused on improving the nations cybersecurity posture. The president fired all advisors from the Department of Homeland Securitys Cyber Safety Review Board, called for the creation of a strategic cryptocurrency reserve, and voided .. --------------------------------------------- https://krebsonsecurity.com/2025/01/a-tumultuous-week-for-federal-cybersecu… ∗∗∗ How Garmin watches reveal your personal data, and what you can do ∗∗∗ --------------------------------------------- TL;DR A walk-through of obtaining sensitive data from a Garmin watch using forensic techniques How digital forensics on a Garmin watch helped solve a double murder case A .. --------------------------------------------- https://www.pentestpartners.com/security-blog/how-garmin-watches-reveal-you… ∗∗∗ New TorNet backdoor seen in widespread campaign ∗∗∗ --------------------------------------------- Cisco Talos discovered an ongoing malicious campaign operated by a financially motivated threat actor targeting users, predominantly in Poland and Germany. --------------------------------------------- https://blog.talosintelligence.com/new-tornet-backdoor-campaign/ ∗∗∗ ScatterBrain: Unmasking the Shadow of PoisonPlugs Obfuscator ∗∗∗ --------------------------------------------- Since 2022, Google Threat Intelligence Group (GTIG) has been tracking multiple cyber espionage operations conducted by China-nexus actors utilizing POISONPLUG.SHADOW. These operations employ a custom obfuscating compiler that we refer to as "ScatterBrain," facilitating attacks against various entities across Europe and the Asia Pacific (APAC) region. ScatterBrain appears .. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/scatterbrain-unmas… ∗∗∗ Stating the Obvious: Vulns On the Rise in 2025 ∗∗∗ --------------------------------------------- Join Ben Edwards, as he takes a brief look back at one of the stories that was most interesting to him as a security data nerd from 2024. --------------------------------------------- https://www.bitsight.com/blog/2025-predictions-for-cve-vulnerabilities ∗∗∗ Get FortiRekt, I Am The Super_Admin Now - Fortinet FortiOS Authentication Bypass CVE-2024-55591 ∗∗∗ --------------------------------------------- Welcome to Monday, and what an excitingly fresh start to the week were all having. Grab your coffee, grab your vodka - were diving into a currently exploited-in-the-wild critical Authentication Bypass affecting .. --------------------------------------------- https://labs.watchtowr.com/get-fortirekt-i-am-the-super_admin-now-fortios-a… ∗∗∗ Clone2Leak: Your Git Credentials Belong To Us ∗∗∗ --------------------------------------------- In October 2024, I was hunting bugs for the GitHub Bug Bounty program. After investigating GitHub Enterprise Server for a while, I felt bored and decided to try to find bugs on GitHub Desktop instead. --------------------------------------------- https://flatt.tech/research/posts/clone2leak-your-git-credentials-belong-to… ∗∗∗ Best practices for key derivation ∗∗∗ --------------------------------------------- By Marc Ilunga Key derivation is essential in many cryptographic applications, including key exchange, key management, secure communications, and building robust cryptographic primitives. But it’s also easy to get wrong: although .. --------------------------------------------- https://blog.trailofbits.com/2025/01/28/best-practices-for-key-derivation/ ===================== = Vulnerabilities = ===================== ∗∗∗ Vulnerability in ClamAV Discovered by OSS-Fuzz ∗∗∗ --------------------------------------------- A security vulnerability has been identified in ClamAV, stemming from a potential buffer overflow read issue in .. --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-25-04 ∗∗∗ WordPress Plugin "Simple Image Sizes" vulnerable to cross-site scripting ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN88046370/ ∗∗∗ TYPO3-EXT-SA-2025-001: Account Takeover in extension "OpenID Connect Authentication" (oidc) ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-ext-sa-2025-001 ∗∗∗ Rockwell Automation FactoryTalk ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-028-03 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.01.2025
by Daily end-of-shift report 27 Jan '25

27 Jan '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 24-01-2025 18:00 − Montag 27-01-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Eine verpasste Chance: Schwaches Passwort-Hashing in VxWorks ∗∗∗ --------------------------------------------- Die Sicherheit von eingebetteten Systemen, die Echtzeitbetriebssysteme (RTOS) wie Wind River VxWorks verwenden, ist in risikoreichen Bereichen wie OT, .. --------------------------------------------- https://sec-consult.com/de/blog/detail/eine-verpasste-chance-schwaches-pass… ∗∗∗ Cracking the Giant: How ODAT Challenges Oracle, the King of Databases ∗∗∗ --------------------------------------------- In the past decade, Oracle Database (Oracle DB) has reigned supreme in the competitive arena of database engine popularity ranking as shown in Figure 1 and Figure 2. This pervasiveness has led Oracle Database to be trusted by Fortune 500 companies (e.g. Netflix, LinkedIn, eBay, etc.) to house, process, and safeguard their critical data. Its .. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cracking-th… ∗∗∗ GitHub Desktop Vulnerability Risks Credential Leaks via Malicious Remote URLs ∗∗∗ --------------------------------------------- Multiple security vulnerabilities have been disclosed in GitHub Desktop as well as other Git-related projects that, if successfully exploited, could permit an attacker to gain unauthorized access to a users Git credentials."Git implements a protocol called Git Credential Protocol to retrieve credentials from the .. --------------------------------------------- https://thehackernews.com/2025/01/github-desktop-vulnerability-risks.html ∗∗∗ Scammers Are Creating Fake News Videos to Blackmail Victims ∗∗∗ --------------------------------------------- “Yahoo Boy” scammers are impersonating CNN and other news organizations to create videos that pressure victims into making blackmail payments. --------------------------------------------- https://www.wired.com/story/scammers-are-creating-fake-news-videos-to-black… ∗∗∗ Technical Analysis of Xloader Versions 6 and 7 | Part 1 ∗∗∗ --------------------------------------------- Xloader is a malware family that is the successor to Formbook with information stealing capabilities targeting web browsers, email clients, and File Transfer Protocol (FTP) applications. The malware is also able to deploy second-stage payloads to an infected system. The author of Xloader regularly adds new functionality to target more .. --------------------------------------------- https://www.zscaler.com/blogs/security-research/technical-analysis-xloader-… ∗∗∗ Nach Sicherheitslücke bei D-Trust: CCC spricht von "Cyber-Augenwischerei" ∗∗∗ --------------------------------------------- Der Chaos Computer Club fordert vom Vertrauensdiensteanbieter D-Trust Verantwortung zu tragen und die Abschaffung des Hackerparagraphen. --------------------------------------------- https://www.heise.de/news/Nach-Sicherheitsluecke-bei-D-Trust-CCC-spricht-vo… ∗∗∗ Palo-Alto: Sicherheitslücken in Firmware und Bootloadern von Firewalls ∗∗∗ --------------------------------------------- Die Firmware und Bootloader von einigen Palo-Alto-Firewalls weisen Sicherheitslecks auf, die Angreifern das Einnisten nach Angriffen ermöglichen. --------------------------------------------- https://www.heise.de/news/Palo-Alto-Sicherheitsluecken-in-Firmware-und-Boot… ∗∗∗ Hacked buses blare out patriotic pro-European anthems in Tbilisi, attack government ∗∗∗ --------------------------------------------- Residents of Tbilisi, the capital city of Georgia, experienced an unexpected and unusual start to their Friday morning commute. As they boarded their public transport buses, they were greeted by a barrage of sound emanating .. --------------------------------------------- https://www.bitdefender.com/en-us/blog/hotforsecurity/hacked-buses-blare-ou… ∗∗∗ The 2024 Ransomware Landscape: Looking back on another painful year ∗∗∗ --------------------------------------------- In this post, we’ll examine the latest data points, discuss notable groups, and estimate the potential impact on victims — helping security teams plan their defenses for the months ahead. --------------------------------------------- https://www.rapid7.com/blog/post/2025/01/27/the-2024-ransomware-landscape-l… ∗∗∗ Brave Desktop Browser Vulnerability Lets Malicious Sites Appear Trusted ∗∗∗ --------------------------------------------- A critical vulnerability in Brave Browser allows malicious websites to appear as trusted sources during file uploads/downloads. --------------------------------------------- https://hackread.com/brave-desktop-browser-vulnerability-malicious-sites-tr… ∗∗∗ Datadog threat roundup: top insights for Q4 2024 ∗∗∗ --------------------------------------------- Threat insights from Datadog Security Labs for Q4 2024. --------------------------------------------- https://securitylabs.datadoghq.com/articles/2024-q4-threat-roundup/ ∗∗∗ Exploit Me, Baby, One More Time: Command Injection in Kubernetes Log Query ∗∗∗ --------------------------------------------- Kubernetes and containers in general have become a predominant force in the security world - and, as such, they’ve been a point of interest for researchers worldwide (including us). Our research journey initially led .. --------------------------------------------- https://www.akamai.com/blog/security-research/2024-january-kubernetes-log-q… ∗∗∗ Node.js EOL Versions CVE Dubbed the "Worst CVE of the Year" by Security Experts ∗∗∗ --------------------------------------------- On January 22, 2025, CVE-2025-23088 was published by HackerOne to inform users about the risks of continuing to use End-of-Life (EOL) versions of Node.js. This CVE has quickly sparked debate in the security community, with some experts labeling it the “worst CVE of the year” – not for its severity, but for the controversy surrounding .. --------------------------------------------- https://socket.dev/blog/node-js-eol-versions-cve-dubbed-the-worst-cve-of-th… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (git-lfs, java-17-openjdk, java-21-openjdk, kernel, and python-jinja2), Debian (git and git-lfs), Fedora (buildah, chromium, containers-common, freeipa, glibc, golang, mediawiki, pam-u2f, podman, and rsync), Mageia (glibc, iperf, openssl, phpmyadmin, and poppler), Oracle (firefox, git-lfs, grafana, .. --------------------------------------------- https://lwn.net/Articles/1006261/ ∗∗∗ Wind River Software VxWorks RTOS Weak Password Hashing Algorithms ∗∗∗ --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/wind-river-software-vxwo… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.01.2025
by Daily end-of-shift report 24 Jan '25

24 Jan '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 23-01-2025 18:00 − Freitag 24-01-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Hacker infects 18,000 "script kiddies" with fake malware builder ∗∗∗ --------------------------------------------- A threat actor targeted low-skilled hackers, known as "script kiddies," with a fake malware builder that secretly infected them with a backdoor to steal data and take over computers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hacker-infects-18-000-script… ∗∗∗ Malware Redirects WordPress Traffic to Harmful Sites ∗∗∗ --------------------------------------------- Recently, a customer approached us after noticing their website was redirecting visitors to a suspicious URL. They suspected their site had been compromised and sought assistance in identifying and resolving the issue. This .. --------------------------------------------- https://blog.sucuri.net/2025/01/malware-redirects-wordpress-traffic-to-harm… ∗∗∗ North Korean dev who renamed himself Bane accused of IT worker fraud scheme ∗∗∗ --------------------------------------------- 5 indicted as FBI warns North Korea dials up aggression, plus Russian devs allegedly get in on the act The US is indicting yet another five suspects it believes were involved in North Koreas long-running, fraudulent remote IT worker scheme – including one who changed their last name to "Bane" and scored a gig at a tech biz in San Francisco. --------------------------------------------- https://www.theregister.com/2025/01/24/north_korean_devs_and_their/ ∗∗∗ Dont want your Kubernetes Windows nodes hijacked? Patch this hole now ∗∗∗ --------------------------------------------- SYSTEM-level command injection via API parameter *chefs kiss* A now-fixed command-injection bug in Kubernetes can be exploited by a remote attacker to gain code execution with SYSTEM privileges on all Windows endpoints in a cluster, and thus fully take over those systems, according to Akamai researcher Tomer Peled. --------------------------------------------- https://www.theregister.com/2025/01/24/kubernetes_windows_nodes_bug/ ∗∗∗ Subaru Security Flaws Exposed Its System for Tracking Millions of Cars ∗∗∗ --------------------------------------------- Now-fixed web bugs allowed hackers to remotely unlock and start any of millions of Subarus. More disturbingly, they could also access at least a year of cars’ location histories—and Subaru employees still can. --------------------------------------------- https://www.wired.com/story/subaru-location-tracking-vulnerabilities/ ∗∗∗ Mehrere Staaten desinfizieren Botnetz, Deutschland nicht ∗∗∗ --------------------------------------------- Während Behörden in Frankreich und den USA die Schadsoftware Plug-X auf betroffenen Computern abschalten, wird in Deutschland über Infektionen nur informiert. --------------------------------------------- https://www.heise.de/news/Botnetz-Plug-X-Reinemachen-geht-nicht-10252309.ht… ∗∗∗ Jetzt patchen: Cross-Site-Scripting und Denial of Service in GitLab möglich ∗∗∗ --------------------------------------------- GitLab warnt vor drei Schwachstellen, von denen eine den Bedrohungsgrad "hoch" trägt. Patches stehen für die jüngeren Versionen bereit. --------------------------------------------- https://www.heise.de/news/Jetzt-patchen-Cross-Site-Scripting-und-Denial-of-… ∗∗∗ Malvertising: Mac-Homebrew-User im Visier ∗∗∗ --------------------------------------------- Kriminelle haben bösartige Werbeanzeigen auf Google geschaltet, die anstatt auf die Homebrew-Webseite auf eine echt wirkende Malware-Seite leitet. --------------------------------------------- https://www.heise.de/news/Malvertising-Mac-Homebrew-User-im-Visier-10255909… ∗∗∗ Cyber security guidance for small fleet operators ∗∗∗ --------------------------------------------- Introduction Cyber threats aren’t just a problem for large shipping organizations, small maritime fleet operators are also at risk. Anything from phishing emails to ransomware attacks, these threats can disrupt .. --------------------------------------------- https://www.pentestpartners.com/security-blog/cyber-security-guidance-for-s… ∗∗∗ Private Keys in the Fortigate Leak ∗∗∗ --------------------------------------------- A few days ago, a download link for a leak of configuration files for Fortigate/Fortinet devices was posted on an Internet forum. It appears that the data was collected in 2022 due to a security vulnerability known as CVE-2022-40684. According to a blog post by Fortinet in 2022, they were already aware of active exploitation of the issue back then. It was first .. --------------------------------------------- https://blog.hboeck.de:443/archives/908-Private-Keys-in-the-Fortigate-Leak.… ∗∗∗ Exchange Server 2016 / 2019 erreichen im Oktober 2025 ihr EOL ∗∗∗ --------------------------------------------- Kleiner Nachtrag von dieser Woche zu einem Thema, welches eigentlich alle Exchange-Administratoren auf dem Radar haben sollten und auch dürften. Im Oktober 2025 fallen sowohl Microsoft Exchange Server 2016 als auch Microsoft Exchange .. --------------------------------------------- https://www.borncity.com/blog/2025/01/24/exchange-server-2016-2019-erreiche… ∗∗∗ Seasoning email threats with hidden text salting ∗∗∗ --------------------------------------------- Hidden text salting is a simple yet effective technique for bypassing email parsers, confusing spam filters, and evading detection engines that rely on keywords. Cisco Talos has observed an increase in the number of email threats leveraging hidden text salting. --------------------------------------------- https://blog.talosintelligence.com/seasoning-email-threats-with-hidden-text… ∗∗∗ SUSCTL (CVE-2024-54507) A particularly sus sysctl in the XNU Kernel ∗∗∗ --------------------------------------------- Every time Apple releases a new version of XNU, I run a custom suite of tests under an address sanitizer to see if I can spot any regressions, or even possibly new bugs. When I was messing around with macOS 15.0, I was shocked to see a very simple command was causing the sanitizer to report an invalid load. --------------------------------------------- https://jprx.io/cve-2024-54507/ ∗∗∗ The J-Magic Show: Magic Packets and Where to find them ∗∗∗ --------------------------------------------- The Black Lotus Labs team at Lumen Technologies has been tracking the use of a backdoor attack tailored for use against enterprise-grade Juniper routers. This backdoor is opened by a passive agent that continuously monitors for a “magic packet,” sent by .. --------------------------------------------- https://blog.lumen.com/the-j-magic-show-magic-packets-and-where-to-find-the… ∗∗∗ cURL Project and Go Security Teams Reject CVSS as Broken ∗∗∗ --------------------------------------------- The CVSS (Common Vulnerability Scoring System) is facing significant pushback as both the cURL project and Go security teams are publicly distance themselves from the framework. While CVSS is designed to assign a severity score to vulnerabilities, its one-size-fits-all approach often produces misleading results, particularly for projects like cURL, which .. --------------------------------------------- https://socket.dev/blog/curl-project-and-go-security-teams-reject-cvss-as-b… ∗∗∗ FalconFeedsio X Account Hacked, Promoting Fraudulent Crypto Scams ∗∗∗ --------------------------------------------- FalconFeedsios official X (formerly Twitter) account has been compromised, leading to the promotion of fraudulent cryptocurrency posts and scams. This hacking of FalconFeed has shocked the cybersecurity community as the platform was renowned for dark web news alerts. With this hacking of FalconFeed x account, many users and cybersecurity experts are advising .. --------------------------------------------- https://thecyberexpress.com/hacking-of-falconfeed/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium and python-django), Fedora (git-lfs and pam-u2f), Mageia (golang), Red Hat (java-11-openjdk with Extended Lifecycle Support, java-17-openjdk, and java-21-openjdk), SUSE (cheat, dante, docker-stable, grafana, and kernel), and Ubuntu (cacti, cyrus-imapd, HTMLDOC, and PCL). --------------------------------------------- https://lwn.net/Articles/1006103/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.01.2025
by Daily end-of-shift report 23 Jan '25

23 Jan '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 22-01-2025 18:00 − Donnerstag 23-01-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Zendesk’s Subdomain Registration Abused in Phishing Scams ∗∗∗ --------------------------------------------- Leveraging Zendesk’s communication features, they can send phishing emails disguised as legitimate customer support messages. These emails often include malicious links or attachments to lure victims into clicking. --------------------------------------------- https://hackread.com/zendesk-subdomain-registration-abused-phishing-scams/ ∗∗∗ Heimserver-Betriebssystem: Updates beheben Sicherheitslücken in Unraid ∗∗∗ --------------------------------------------- Angreifer könnten die Lücken ausnutzen, um dem UnRAID-Admin eigenen Javascript-Code oder bösartige Plug-ins unterzuschieben. [..] Alle Sicherheitslücken sind in der Anfang Januar veröffentlichten neuesten Major-Version 7.0.0 und in einem Bugfix-Release für die Vorgängerversion behoben. --------------------------------------------- https://heise.de/-10253366 ∗∗∗ Researchers say new attack could take down the European power grid ∗∗∗ --------------------------------------------- Late last month, researchers revealed a finding that’s likely to shock some people and confirm the low expectations of others: Renewable energy facilities throughout Central Europe use unencrypted radio signals to receive commands to feed or ditch power into or from the grid that serves some 450 million people throughout the continent. --------------------------------------------- https://arstechnica.com/security/2025/01/could-hackers-use-new-attack-to-ta… ∗∗∗ Telegram captcha tricks you into running malicious PowerShell scripts ∗∗∗ --------------------------------------------- Threat actors on X are exploiting the news around Ross Ulbricht to direct unsuspecting users to a Telegram channel that tricks them into executing PowerShell code that infects them with malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/telegram-captcha-tricks-you-… ∗∗∗ Beware: Fake CAPTCHA Campaign Spreads Lumma Stealer in Multi-Industry Attacks ∗∗∗ --------------------------------------------- The attack chain begins when a victim visits a compromised website, which directs them to a bogus CAPTCHA page that specifically instructs the site visitor to copy and paste a command into the Run prompt in Windows that uses the native mshta.exe binary to download and execute an HTA file from a remote server. [..] The HTA file, in turn, executes a PowerShell command to launch a next-stage payload, a PowerShell script that unpacks a second PowerShell script responsible for decoding and loading the Lumma payload, but not before taking steps to bypass the Windows Antimalware Scan Interface (AMSI) in an effort to evade detection. --------------------------------------------- https://thehackernews.com/2025/01/beware-fake-captcha-campaign-spreads.html ∗∗∗ Palo Alto Firewalls Found Vulnerable to Secure Boot Bypass and Firmware Exploits ∗∗∗ --------------------------------------------- An exhaustive evaluation of three firewall models from Palo Alto Networks has uncovered a host of known security flaws impacting the devices firmware as well as misconfigured security features. --------------------------------------------- https://thehackernews.com/2025/01/palo-alto-firewalls-found-vulnerable-to.h… ∗∗∗ Supply chain attack hits Chrome extensions, could expose millions ∗∗∗ --------------------------------------------- Cybersecurity outfit Sekoia is warning Chrome users of a supply chain attack targeting browser extension developers that has potentially impacted hundreds of thousands of individuals already. [..] A number of the potentially affected extensions (according to Booz Allen Hamilton's report) appear to have been pulled from the Chrome Web Store at the time of writing. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/01/22/supply_chain… ∗∗∗ Threat Actors Chained Vulnerabilities in Ivanti Cloud Service Applications ∗∗∗ --------------------------------------------- The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) are releasing this joint Cybersecurity Advisory in response to exploitation in September 2024 of vulnerabilities in Ivanti Cloud Service Appliances (CSA): CVE-2024-8963, an administrative bypass vulnerability; CVE-2024-9379, a SQL injection vulnerability; and CVE-2024-8190 and CVE-2024-9380, remote code execution vulnerabilities. --------------------------------------------- https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-022a ∗∗∗ Denuvo Analysis ∗∗∗ --------------------------------------------- Denuvo is an anti-tamper and digital rights management system (DRM). It is primarily used to protect digital media such as video games from piracy and reverse engineering efforts. Unlike traditional DRM systems, Denuvo employs a wide range of unique techniques and checks to confirm the integrity of both the game’s code and licensed user. --------------------------------------------- https://connorjaydunn.github.io/blog/posts/denuvo-analysis/ ===================== = Vulnerabilities = ===================== ∗∗∗ Kritische Sicherheitslücke in SonicWall SMA1000 - aktiv ausgenutzt - Update verfügbar ∗∗∗ --------------------------------------------- In SonicWall SMA1000 Appliance Management Console (AMC) und Central Management Console (CMC) wurde eine kritische Sicherheitslücke entdeckt, die bereits aktiv von Angreifern ausgenutzt wird. Die Schwachstelle ermöglicht die Ausführung von beliebigem Code ohne vorherige Authentifizierung. CVE-Nummer(n): CVE-2025-23006 --------------------------------------------- https://www.cert.at/de/warnungen/2025/1/sonicwall-amc-cmc-rce ∗∗∗ Critical zero-days impact premium WordPress real estate plugins ∗∗∗ --------------------------------------------- The RealHome theme and the Easy Real Estate plugins for WordPress are vulnerable to two critical severity flaws that allow unauthenticated users to gain administrative privileges. [..] Also, Patchstack says the vendor released three versions since September, but no security fixes to address the critical issues were introduced. Hence, the issues remain unfixed and exploitable. --------------------------------------------- https://www.bleepingcomputer.com/news/security/critical-zero-days-impact-pr… ∗∗∗ Schwachstellen in Jenkins-Plug-ins gefährden Entwicklungsumgebungen ∗∗∗ --------------------------------------------- Unter bestimmten Bedingungen können Angreifer Softwareentwicklungsserver mit Jenkins-Plug-ins attackieren. Darunter fallen etwa die Plug-ins Azure Service Fabric und Zoom. --------------------------------------------- https://heise.de/-10254105 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (redis:6), Debian (frr and git-lfs), Fedora (SDL2_sound and webkit2gtk4.0), Gentoo (firefox, GPL Ghostscript, libgsf, libuv, PHP, Qt, QtWebEngine, and Yubico pam-u2f), Mageia (chromium-browser-stable), SUSE (helmfile, nvidia-modprobe, qt6-webengine, ruby3.4-rubygem-actioncable-8.0-8.0.1-1.1, ruby3.4-rubygem-actionpack-8.0-8.0.1-1.1, ruby3.4-rubygem-actiontext-8.0-8.0.1-1.1, ruby3.4-rubygem-actionview-8.0-8.0.1-1.1, ruby3.4-rubygem-activejob-8.0-8.0.1-1.1, ruby3.4-rubygem-activerecord-8.0-8.0.1-1.1, ruby3.4-rubygem-activestorage-8.0-8.0.1-1.1, ruby3.4-rubygem-rails-8.0-8.0.1-1.1, and ruby3.4-rubygem-railties-8.0-8.0.1-1.1), and Ubuntu (bluez, openjpeg2, and python-django). --------------------------------------------- https://lwn.net/Articles/1005946/ ∗∗∗ Drupal: Ignition Error Pages - Critical - Cross Site Scripting - SA-CONTRIB-2025-007 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2025-007 ∗∗∗ Drupal: Material Admin - Critical - Unsupported - SA-CONTRIB-2025-006 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2025-006 ∗∗∗ Drupal: Flattern – Multipurpose Bootstrap Business Profile - Critical - Unsupported - SA-CONTRIB-2025-005 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2025-005 ∗∗∗ Drupal: AI (Artificial Intelligence) - Moderately critical - Access bypass, Information Disclosure - SA-CONTRIB-2025-004 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2025-004 ∗∗∗ QNAP: Multiple Vulnerabilities in Rsync ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-25-02 ∗∗∗ Hitachi Energy RTU500 Series Product ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-023-02 ∗∗∗ mySCADA myPRO Manager ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-023-01 ∗∗∗ HMS Networks Ewon Flexy 202 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-023-06 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.01.2025
by Daily end-of-shift report 22 Jan '25

22 Jan '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 21-01-2025 18:00 − Mittwoch 22-01-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Großflächige Brute-Force-Angriffe auf M365 – vorsichtshalber Log-ins checken ∗∗∗ --------------------------------------------- In den vergangenen Wochen gab es großflächige Angriffe auf Zugangsdaten zur Microsoft-Cloud. IT-Admins sollten prüfen, ob diese eventuell erfolgreich waren. --------------------------------------------- https://heise.de/-10252167 ∗∗∗ Patch procrastination leaves 50,000 Fortinet firewalls vulnerable to zero-day ∗∗∗ --------------------------------------------- Data from the Shadowserver Foundation shows 48,457 Fortinet boxes are still publicly exposed and haven't had the patch for CVE-2024-55591 applied, despite stark warnings issued over the past seven days. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2025/01/21/fortinet_fir… ∗∗∗ Hackers Exploit Zero-Day in cnPilot Routers to Deploy AIRASHI DDoS Botnet ∗∗∗ --------------------------------------------- Threat actors are exploiting an unspecified zero-day vulnerability in Cambium Networks cnPilot routers to deploy a variant of the AISURU botnet called AIRASHI to carry out distributed denial-of-service (DDoS) attacks. According to QiAnXin XLab, the attacks have leveraged the security flaw since June 2024. --------------------------------------------- https://thehackernews.com/2025/01/hackers-exploit-zero-day-in-cnpilot.html ∗∗∗ Fake Homebrew Google ads target Mac users with malware ∗∗∗ --------------------------------------------- Hackers are once again abusing Google ads to spread malware, using a fake Homebrew website to infect Macs and Linux devices with an infostealer that steals credentials, browser data, and cryptocurrency wallets. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fake-homebrew-google-ads-tar… ∗∗∗ IPany VPN breached in supply-chain attack to push custom malware ∗∗∗ --------------------------------------------- South Korean VPN provider IPany was breached in a supply chain attack by the "PlushDaemon" China-aligned hacking group, who compromised the companys VPN installer to deploy the custom SlowStepper malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ipany-vpn-breached-in-supply… ∗∗∗ Unique 0-click deanonymization attack targeting Signal, Discord and hundreds of platforms ∗∗∗ --------------------------------------------- 3 months ago, I discovered a unique 0-click deanonymization attack that allows an attacker to grab the location of any target within a 250 mile radius. [..] A few months ago, I had a lightbulb moment: if Cloudflare stores cached data so close to users, could this be exploited for deanonymization attacks on sites we don't control? [..] Cloudflare's final statement about this says they do not consider the deanonymization attack to be a vulnerability in their own systems and it is up to their consumers to disable caching for resources they wish to protect. --------------------------------------------- https://gist.github.com/hackermondev/45a3cdfa52246f1d1201c1e8cdef6117 ∗∗∗ Turning Data into Decisions: How CVE Management Is Changing ∗∗∗ --------------------------------------------- Every day, hundreds of new Common Vulnerabilities and Exposures (CVEs) are published, many of which target critical systems that keep businesses and governments operational. For cybersecurity professionals, simply knowing that a vulnerability exists is not enough. What’s needed is context—a deeper understanding of the CVE data, its potential impact, and how to prioritize its remediation. Enter Vulnrichment, an initiative launched by the Cybersecurity and Infrastructure Security Agency (CISA) on May 10, 2024. --------------------------------------------- https://thecyberexpress.com/cve-data-vulnrichment-program/ ∗∗∗ Geolocation and Starlink, (Tue, Jan 21st) ∗∗∗ --------------------------------------------- The IP address of a satellite user identifies the ground station location, not the user's location. Starlink, on the other hand, uses satellites in low earth orbit. The network can forward traffic among satellites, but typically, the satellite will attempt to pass the traffic to the closest base station in view. Due to the low orbit, each satellite only "sees" a relatively small area, and the ground station is usually within a couple hundred miles of the user. --------------------------------------------- https://isc.sans.edu/diary/rss/31612 ∗∗∗ Mirai Botnet Launches Record 5.6 Tbps DDoS Attack with 13,000+ IoT Device ∗∗∗ --------------------------------------------- Web infrastructure and security company Cloudflare on Tuesday said it detected and blocked a 5.6 Terabit per second (Tbps) distributed denial-of-service (DDoS) attack, the largest ever attack to be reported to date. The UDP protocol-based attack took place on October 29, 2024, targeting one of its customers, an unnamed internet service provider (ISP) from Eastern Asia. --------------------------------------------- https://thehackernews.com/2025/01/mirai-botnet-launches-record-56-tbps.html ∗∗∗ Understanding Microsofts CVSS v3.1 Ratings and Severity Scores ∗∗∗ --------------------------------------------- Recently, I looked at Microsoft’s assigned CVSS v3.1 scores for Patch Tuesday vulnerabilities alongside the Microsoft assigned severity ratings. I wanted to revisit these numbers and see just how closely CVSS aligns with Microsoft’s opinion of severity. --------------------------------------------- https://www.tripwire.com/state-of-security/understanding-microsofts-cvss-v3… ∗∗∗ Vorsicht, wenn Online-Shops per WhatsApp zur Zahlung auffordern ∗∗∗ --------------------------------------------- Der Fake-Shop bikeunivers.de bietet Markenfahrräder zu günstigen Preisen an. Bezahlt werden kann nur per Banküberweisung. Wer nicht bezahlt, erhält eine Zahlungsaufforderung per E-Mail und WhatsApp. Ignorieren Sie diese, denn Sie erhalten trotz Zahlung keine Ware! --------------------------------------------- https://www.watchlist-internet.at/news/fake-shop-whatsapp/ ∗∗∗ Vorsicht vor gefälschten Telegram-SMS ∗∗∗ --------------------------------------------- Derzeit kursieren gefälschte SMS, angeblich von Telegram. Die Nachricht besagt, dass Ihr Konto eingeschränkt sei und Sie es freischalten müssen. Klicken Sie auf keinen Fall auf den Link! Kriminelle stehlen Ihre Daten und versuchen sich auf einem fremden Gerät mit Ihrer Telefonnummer einzuloggen! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-gefaelschten-telegram-s… ∗∗∗ Redline, Vidar and Raccoon Malware Stole 1 Billion Passwords in 2024 ∗∗∗ --------------------------------------------- Specops 2025 Breached Password Report reveals over 1 billion passwords stolen by malware in the past year, exposing weak practices, malware trends, and security gaps. --------------------------------------------- https://hackread.com/redline-vidar-raccoon-malware-stole-1-billion-password… ===================== = Vulnerabilities = ===================== ∗∗∗ Oracle Critical Patch Update Advisory - January 2025 ∗∗∗ --------------------------------------------- This Critical Patch Update contains 318 new security patches across the product families listed below. --------------------------------------------- https://www.oracle.com/security-alerts/cpujan2025.html ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (snapcast), Fedora (python-jinja2), Mageia (rsync), SUSE (cdi-apiserver-container, cdi-cloner-container, cdi- controller-container, cdi-importer-container, cdi-operator-container, cdi- uploadproxy-container, cdi-uploadserver-container, cont, gh, kernel, kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t, nvidia-open-driver-G06-signed, and pam_u2f), and Ubuntu (linux-oem-6.11 and vim). --------------------------------------------- https://lwn.net/Articles/1005798/ ∗∗∗ Technical Advisory: Cross-Site Scripting in Umbraco Rich Text Display ∗∗∗ --------------------------------------------- Due to a lack of input sanitization on the server side, Umbraco CMS 14.3.1 or below is vulnerable to stored cross-site scripting (XSS) attacks through the rendering logic for rich text contents. [..] Umbraco has accepted this behavior as the majority of its customer base is unaffected. [..] Identify a C/C++ HTML sanitization framework best suited for the organization if using RTE is mandatory. Seek alternative components in Umbraco for content rendering otherwise. --------------------------------------------- https://www.nccgroup.com/us/research-blog/technical-advisory-cross-site-scr… ∗∗∗ PHP: PMASA-2025-3 ∗∗∗ --------------------------------------------- https://www.phpmyadmin.net/security/PMASA-2025-3/ ∗∗∗ PHP: PMASA-2025-2 ∗∗∗ --------------------------------------------- https://www.phpmyadmin.net/security/PMASA-2025-2/ ∗∗∗ PHP: PMASA-2025-1 ∗∗∗ --------------------------------------------- https://www.phpmyadmin.net/security/PMASA-2025-1/ ∗∗∗ ABB: 2025-01-21: Cyber Security Advisory - Drive Composer Path Traversal Vulnerability ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=9AKK108470A5466&Lan… ∗∗∗ Cisco BroadWorks SIP Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Meeting Management REST API Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco ClamAV OLE2 File Format Decryption Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.01.2025
by Daily end-of-shift report 21 Jan '25

21 Jan '25

===================== = End-of-Day report = ===================== Timeframe: Montag 20-01-2025 18:00 − Dienstag 21-01-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Sophos MDR tracks two ransomware campaigns using “email bombing,” Microsoft Teams “vishing” ∗∗∗ --------------------------------------------- Sophos MDR identifies a new threat cluster riffing on the playbook of Storm-1811, and amped-up activity from the original connected to Black Basta ransomware. --------------------------------------------- https://news.sophos.com/en-us/2025/01/21/sophos-mdr-tracks-two-ransomware-c… ∗∗∗ 7-Zip: Lücke erlaubt Umgehung von Mark-of-the-Web ∗∗∗ --------------------------------------------- In 7-Zip ermöglicht eine Sicherheitslücke, den Mark-of-the-Web-Schutzmechanismus auszuhebeln und so Code auszuführen. [..] Die Sicherheitslücke schließt 7-Zip Version 24.09 oder neuer, die auf der Download-Seite von 7-Zip bereits seit Ende November vergangenen Jahres zum Herunterladen bereitsteht. [..] 7-Zip-Nutzer müssen selbst aktiv werden, um sich zu schützen und das verfügbare Update installieren. --------------------------------------------- https://heise.de/-10250351 ∗∗∗ 13,000 MikroTik Routers Hijacked by Botnet for Malspam and Cyberattacks ∗∗∗ --------------------------------------------- A global network of about 13,000 hijacked Mikrotik routers has been employed as a botnet to propagate malware via spam campaigns, the latest addition to a list of botnets powered by MikroTik devices. The activity "take[s] advantage of misconfigured DNS records to pass email protection techniques," Infoblox security researcher David Brunsdon said in a technical report published last week. --------------------------------------------- https://thehackernews.com/2025/01/13000-mikrotik-routers-hijacked-by.html ∗∗∗ Exchange 2016 und 2019 erreichen Support-Ende – in 9 Monaten ∗∗∗ --------------------------------------------- Microsoft erinnert an das dräuende Support-Ende der Exchange-Server 2016 und 2019. --------------------------------------------- https://www.heise.de/-10249853 ∗∗∗ Medusa Ransomware: What You Need To Know ∗∗∗ --------------------------------------------- What is the Medusa ransomware? Medusa is a ransomware-as-a-service (RaaS) platform that first came to prominence in 2023. The ransomware impacts organisations running Windows, predominantly exploiting vulnerable and unpatched systems and hijacking accounts through initial access brokers. --------------------------------------------- https://www.tripwire.com/state-of-security/medusa-ransomware-what-you-need-… ∗∗∗ How to secure body-worn cameras and protect footage from cyber threats ∗∗∗ --------------------------------------------- Body-worn cameras are used by police [..] Cameras are taken into the field but footage could be presented as evidence [..] Cryptographic approaches are needed to ensure the confidentiality and integrity of captured video and audio. --------------------------------------------- https://www.pentestpartners.com/security-blog/how-to-secure-body-worn-camer… ∗∗∗ Offene Rechnung für „Gelbe Seiten Online“-Eintrag nicht bezahlen ∗∗∗ --------------------------------------------- In den letzten Tagen haben zahlreiche Unternehmen eine E-Mail von gsol-dach.com erhalten. Darin werden sie aufgefordert, eine Rechnung für einen angeblichen Premium-Firmenbucheintrag zu bezahlen. Achtung: Diese Rechnungen sind Betrug! --------------------------------------------- https://www.watchlist-internet.at/news/rechnung-fuer-gelbe-seiten-online-ei… ∗∗∗ Hackers impersonate Ukraine’s CERT to trick people into allowing computer access ∗∗∗ --------------------------------------------- CERT-UA is warning Ukrainians not to accept requests for help via AnyDesk software unless they are sure the source is legitimate. --------------------------------------------- https://therecord.media/fake-ukraine-cert-anydesk-requests-hackers ∗∗∗ Reverse Engineering Bambu Connect ∗∗∗ --------------------------------------------- The purpose of this guide is to demonstrate the trivial process of extracting the "private keys" used for communicating with Bambu devices to examine, and challenge, the technical basis for Bambu Lab's security justification of Bambu Connect. --------------------------------------------- https://wiki.rossmanngroup.com/wiki/Reverse_Engineering_Bambu_Connect ∗∗∗ Vulnerability Archeology: Stealing Passwords with IBM i Access Client Solutions ∗∗∗ --------------------------------------------- Two weeks ago IBM published a support article about a compatibility issue affecting IBM i Access Client Solutions (ACS) when running on Windows 11 24H2. [..] Debugging the entry point in cwbnetnt.dll also confirms that password information is no longer passed to the Network Provider!. This change was documented by Microsoft here in March 2024, we believe IBM should’ve referenced this document in their memo. This is an important change from Microsoft - let’s hope not many applications rely on this backdoor and their insecure artifacts get cleaned up properly! --------------------------------------------- https://blog.silentsignal.eu/2025/01/21/ibm-acs-password-dump/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (grafana), Debian (libebml, poco, redis, sympa, tiff, and ucf), Fedora (rsync), Mageia (dcmtk, git, proftpd, and raptor2), Red Hat (grafana, iperf3, kernel, microcode_ctl, and redis), SUSE (chromium, dhcp, git, libqt5-qtwebkit, and pam_u2f), and Ubuntu (python3.10, python3.8 and python3.12). --------------------------------------------- https://lwn.net/Articles/1005708/ ∗∗∗ Webbrowser: Lücke in Brave ermöglicht gefälschte Anzeige der Download-Quelle ∗∗∗ --------------------------------------------- Im Webbrowser Brave können Angreifer eine Sicherheitslücke missbrauchen, die zur falschen Anzeige einer Download-Quelle führt. [..] Die Sicherheitslücke schließt Brave mit der Version 1.74.48, die in der Mitte vergangener Woche veröffentlicht wurde. --------------------------------------------- https://heise.de/-10250205 ∗∗∗ Traffic Alert and Collision Avoidance System (TCAS) II ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-021-01 ∗∗∗ ZF Roll Stability Support Plus (RSSPlus) ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-25-021-03 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.01.2025
by Daily end-of-shift report 20 Jan '25

20 Jan '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 17-01-2025 18:00 − Montag 20-01-2025 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Malicious PyPi package steals Discord auth tokens from devs ∗∗∗ --------------------------------------------- A malicious package named pycord-self on the Python package index (PyPI) targets Discord developers to steal authentication tokens and plant a backdoor for remote control over the system. [..] The package mimics the highly popular 'discord.py-self,' which has nearly 28 million downloads, and even offers the functionality of the legitimate project. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malicious-pypi-package-steal… ∗∗∗ Forscher deckt auf: ChatGPT lässt sich für DDoS-Angriffe missbrauchen ∗∗∗ --------------------------------------------- Eine ChatGPT-API scheint bereitwillig eine lange Liste von Links zur gleichen Webseite anzunehmen - und diese anschließend ungebremst abzufragen. [..] Ausführen lässt sich der DDoS-Angriff laut Flesch durch eine HTTP-Anfrage an eine ChatGPT-API, konkret durch einen POST-Request an die URL "https://chatgpt.com/backend-api/attributions". Die API erwarte eine Liste von Hyperlinks, schreibt der Forscher. Jedoch werde nicht geprüft, ob ein Hyperlink zur gleichen Ressource mehrfach genannt wird. --------------------------------------------- https://www.golem.de/news/forscher-deckt-auf-chatgpt-laesst-sich-fuer-ddos-… ∗∗∗ Partial ZIP File Downloads, (Mon, Jan 20th) ∗∗∗ --------------------------------------------- Say you want a file that is inside a huge online ZIP file (several gigabytes large). Downloading the complete ZIP file would take too long. --------------------------------------------- https://isc.sans.edu/diary/rss/31608 ∗∗∗ Private Keys in the Fortigate Leak ∗∗∗ --------------------------------------------- A few days ago, a download link for a leak of configuration files for Fortigate/Fortinet devices was posted on an Internet forum. [..] It was first reported by heise, a post by Kevin Beaumont contains further info. What has not been widely recognized is that this leak also contains TLS and SSH private keys. --------------------------------------------- https://blog.hboeck.de:443/archives/908-Private-Keys-in-the-Fortigate-Leak.… ∗∗∗ Looking at the Attack Surfaces of the Pioneer DMH-WT7600NEX IVI ∗∗∗ --------------------------------------------- For the upcoming Pwn2Own Automotive contest, a total of four in-vehicle infotainment (IVI) head units have been selected as targets. [..] This blog post aims to detail some of the attack surfaces of the DMH-WT7600NEX unit as well as provide information on how to extract the software running on this unit for further vulnerability research. --------------------------------------------- https://www.thezdi.com/blog/2025/1/16/looking-at-the-attack-surfaces-of-the… ∗∗∗ Die meisten Cyberkriminellen hacken nicht, sondern loggen sich ein ∗∗∗ --------------------------------------------- Bei 57 Prozent der erfolgreichen Cyberangriffe ist kein großer Hack über Sicherheitslücken erforderlich. Die Cyberkriminellen nutzten einfach ein kompromittiertes Nutzerkonto, um Zugang auf die Systeme zu erhalten, so die Analyse von Varonis zu solchen Vorfällen --------------------------------------------- https://www.borncity.com/blog/2025/01/19/die-meisten-cyberkriminellen-hacke… ∗∗∗ Hackers Claim Breach of Hewlett Packard Enterprise, Lists Data for Sale ∗∗∗ --------------------------------------------- Hacker IntelBroker claims to have breached Hewlett Packard Enterprise (HPE), exposing sensitive data like source code, certificates, and PII, now available for sale online. --------------------------------------------- https://hackread.com/hackers-claim-hewlett-packard-data-breach-sale/ ∗∗∗ Secure Coding: Apache Maven gegen Cache-Poisoning-Attacken rüsten ∗∗∗ --------------------------------------------- Dependency-Management-Systeme wie Maven sind immer wieder Ziel von Cache-Poisoning-Angriffen, gegen die nur konsequent umgesetzte Sicherheitspraktiken helfen. --------------------------------------------- https://heise.de/-10244779 ∗∗∗ Hilton, Hyatt, Marriott: 437.000 Datensätze aus Verwaltungsplattform bei HIBP ∗∗∗ --------------------------------------------- Kriminelle haben Daten bei der Verwaltungsplattform Otelier geklaut. Rund 437.000 Datensätze etwa von Hilton, Hyatt oder Marriott sind nun bei HIBP. --------------------------------------------- https://heise.de/-10248339 ∗∗∗ Investigating an "evil" RJ45 dongle ∗∗∗ --------------------------------------------- Earlier this week, a young entrepreneur caused stir on social media by suggesting that an Ethernet-to-USB they purchased from China was preloaded with malware that “evaded virtual machines”, “captured keystrokes”, and “used Russian-language elements”. [..] To get to that point, we didn’t need a hardware lab; a bit of patience and Google-fu was enough. --------------------------------------------- https://lcamtuf.substack.com/p/investigating-an-evil-rj45-dongle ===================== = Vulnerabilities = ===================== ∗∗∗ VU#199397: Insecure Implementation of Tunneling Protocols (GRE/IPIP/4in6/6in4) ∗∗∗ --------------------------------------------- Researchers at the DistriNet-KU Leuven research group have discovered millions of vulnerable Internet systems that accept unauthenticated IPIP, GRE, 4in6, or 6in4 traffic. This can be considered a generalization of the vulnerability in VU#636397 : IP-in-IP protocol routes arbitrary traffic by default (CVE-2020-10136). The exposed systems can be abused as one-way proxies, enable an adversary to spoof the source address of packets (CWE-290 Authentication Bypass by Spoofing), or permit access to an organization's private network. --------------------------------------------- https://kb.cert.org/vuls/id/199397 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (.NET 8.0, .NET 9.0, ipa, and NetworkManager), Debian (389-ds-base, busybox, libreoffice, rsync, ruby2.7, tomcat10, and tryton-server), Fedora (chromium and stb), Mageia (openafs and vim), Oracle (.NET 8.0 and .NET 9.0), SUSE (amazon-ssm-agent, chromedriver, git, golang-github-prometheus-prometheus, govulncheck-vulndb, grafana, hplip, pam_u2f, perl-Compress-Raw-Zlib, perl-IO-Compress, redis, redis7, rsync, and velociraptor), and Ubuntu (libpodofo and linux-xilinx-zynqmp). --------------------------------------------- https://lwn.net/Articles/1005638/ ∗∗∗ Nvidia: Datenabfluss durch Sicherheitsleck in Grafiktreiber möglich ∗∗∗ --------------------------------------------- Nvidia hat Sicherheitslücken in seinen Grafikkartentreibern entdeckt. Angreifer können dadurch Informationen abgreifen. Updates stehen bereit. --------------------------------------------- https://heise.de/-10248258 ∗∗∗ Sicherheitspatch: Unbefugte Zugriffe auf bestimmte Switches von Moxa möglich ∗∗∗ --------------------------------------------- Angreifer können bei Moxa-Switches der EDS-508A-Serie die Authentifizierung umgehen. Die Sicherheitslücke gilt als kritisch. Um Angriffe vorzubeugen, sollten Netzwerkadmins die Firmware ihrer Ethernet-Switches der Serie EDS-508A von Moxa auf den aktuellen Stand bringen. --------------------------------------------- https://heise.de/-10249285 ∗∗∗ Yubico Warns of 2FA Security Flaw in pam-u2f for Linux and macOS Users ∗∗∗ --------------------------------------------- https://thecyberexpress.com/yubico-2fa-bypass-vulnerability-advisory/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.01.2025
by Daily end-of-shift report 17 Jan '25

17 Jan '25

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 16-01-2025 18:00 − Freitag 17-01-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ D-Trust: Cyberangriff trifft Trustcenter der Bundesdruckerei ∗∗∗ --------------------------------------------- Aus einem Antragsportal der D-Trust GmbH sind potenziell personenbezogene Daten abgeflossen. Wer hinter dem Angriff steckt, ist noch unklar. --------------------------------------------- https://www.golem.de/news/d-trust-cyberangriff-trifft-trustcenter-der-bunde… ∗∗∗ Mercedes-Benz Head Unit security research report ∗∗∗ --------------------------------------------- Kaspersky experts analyzed the Mercedes-Benz head unit, its IPC protocols and firmware, and found new vulnerabilities via physical access. --------------------------------------------- https://securelist.com/mercedes-benz-head-unit-security-research/115218/ ∗∗∗ New Star Blizzard spear-phishing campaign targets WhatsApp accounts ∗∗∗ --------------------------------------------- In mid-November 2024, Microsoft Threat Intelligence observed the Russian threat actor we track as Star Blizzard sending their typical targets spear-phishing messages, this time offering the supposed opportunity to join a WhatsApp group. This is the first time we have identified a shift in Star Blizzard’s longstanding tactics, techniques, .. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2025/01/16/new-star-blizzard-… ∗∗∗ Gootloader inside out ∗∗∗ --------------------------------------------- Open-source intelligence reveals the server-side code of this pernicious SEO-driven malware - without needing a lawyer afterward --------------------------------------------- https://news.sophos.com/en-us/2025/01/16/gootloader-inside-out/ ∗∗∗ U.S. Sanctions North Korean IT Worker Network Supporting WMD Programs ∗∗∗ --------------------------------------------- The U.S. Treasury Departments Office of Foreign Assets Control (OFAC) sanctioned two individuals and four entities for their alleged involvement in illicit revenue generation schemes for the Democratic Peoples Republic of Korea (DPRK) by dispatching .. --------------------------------------------- https://thehackernews.com/2025/01/us-sanctions-north-korean-it-worker.html ∗∗∗ Hackers Likely Stole FBI Call Logs From AT&T That Could Compromise Informants ∗∗∗ --------------------------------------------- A breach of AT&T that exposed “nearly all” of the company’s customers may have included records related to confidential FBI sources, potentially explaining the bureau’s new embrace of end-to-end encryption. --------------------------------------------- https://www.wired.com/story/hackers-likely-stole-fbi-call-logs-from-att-tha… ∗∗∗ Biden ordnet für US-Behörden Verschlüsselung von E-Mail, DNS und BGP an ∗∗∗ --------------------------------------------- Ende-zu-Ende-Verschlüsselung, bessere Software und Abwehr, Post-Quanten, Aufsicht über Lieferanten, Passkeys, Erforschung von KI – Biden verordnet gute Medizin. --------------------------------------------- https://www.heise.de/news/Biden-ordnet-Verschluesselung-von-E-Mail-DNS-und-… ∗∗∗ Daten von rund 250.000 MSI-Kunden bei Have I Been Pwned ∗∗∗ --------------------------------------------- Bei einem Cybervorfall bei MSI sind 2024 offenbar zahlreiche Kundendatensätze kopiert worden. Rund 250.000 Stück hat HIBP nun aufgenommen. --------------------------------------------- https://www.heise.de/news/Daten-von-rund-250-000-MSI-Kunden-bei-Have-I-Been… ∗∗∗ Vertrauensdiensteanbieter D-Trust informiert über Datenschutzvorfall ∗∗∗ --------------------------------------------- Bei D-Trust kam es zu einem Datenschutzvorfall. Betroffen ist das Antragsportal für Signatur- und Siegelkarten. Die Ermittlungen laufen. --------------------------------------------- https://www.heise.de/news/Vertrauensdiensteanbieter-D-Trust-informiert-uebe… ∗∗∗ Chinese Innovations Spawn Wave of Toll Phishing Via SMS ∗∗∗ --------------------------------------------- Residents across the United States are being inundated with text messages purporting to come from toll road operators like E-ZPass, warning that recipients face fines if a delinquent toll fee remains unpaid. Researchers say the surge in SMS spam coincides with new features added to a popular commercial phishing kit sold in China that makes it simple to .. --------------------------------------------- https://krebsonsecurity.com/2025/01/chinese-innovations-spawn-wave-of-toll-… ∗∗∗ OSV-SCALIBR: A library for Software Composition Analysis ∗∗∗ --------------------------------------------- In December 2022, we announced OSV-Scanner, a tool to enable developers to easily scan for vulnerabilities in their open source dependencies. Together with the open source community, we’ve continued to build this tool, adding remediation features, as well .. --------------------------------------------- http://security.googleblog.com/2025/01/osv-scalibr-library-for-software.html ∗∗∗ PayPal ruft an? Vorsicht Betrug! ∗∗∗ --------------------------------------------- Aktuell erhält die Watchlist Internet zahlreiche Meldungen zu Anrufen durch angebliche PayPal-Mitarbeiter:innen. Heben Sie ab, berichtet man Ihnen von angeblichen Abbuchungen von Ihrem PayPal-Konto und fordert Ihre Mithilfe zum Blockieren der Abbuchungen. Tatsächlich greift man dabei aber auf Ihre Systeme zu und stiehlt Ihnen Ihr Geld. Ein Schaden entsteht erst durch das Telefonat! --------------------------------------------- https://www.watchlist-internet.at/news/paypal-ruft-an/ ∗∗∗ Let’s talk about AI and end-to-end encryption ∗∗∗ --------------------------------------------- Recently, I came across a fantastic new paper by a group of NYU and Cornell researchers entitled “How to think about end-to-end encryption and AI.” I’m extremely grateful to see this paper, because while I don’t agree with every one of it’s .. --------------------------------------------- https://blog.cryptographyengineering.com/2025/01/17/lets-talk-about-ai-and-… ∗∗∗ Threat Brief: CVE-2025-0282 and CVE-2025-0283 ∗∗∗ --------------------------------------------- CVE-2025-0282 and CVE-2025-0283 affect multiple Ivanti products. This threat brief covers attack scope, including details from an incident response case. --------------------------------------------- https://unit42.paloaltonetworks.com/threat-brief-ivanti-cve-2025-0282-cve-2… ∗∗∗ New WDAC Exploit Technique: Leveraging Policies to Disable EDRs and Evade Detection ∗∗∗ --------------------------------------------- The file “SiPolicy.p7b” contains policies that Windows OS and Windows Defender (AV) will listen to and your antivirus will apply the policies that this .. --------------------------------------------- https://www.truesec.com/hub/blog/new-wdac-exploit-technique-leveraging-poli… ∗∗∗ IoT Botnet Linked to Large-scale DDoS Attacks Since the End of 2024 ∗∗∗ --------------------------------------------- Since the end of 2024, we have been continuously monitoring large-scale DDoS attacks orchestrated by an IoT botnet exploiting vulnerable IoT devices such as wireless routers and IP cameras. --------------------------------------------- https://www.trendmicro.com/en_us/research/25/a/iot-botnet-linked-to-ddos-at… ∗∗∗ Announcing Six Day and IP Address Certificate Options in 2025 ∗∗∗ --------------------------------------------- This year we will continue to pursue our commitment to improving the security of the Web PKI by introducing the option to get certificates with six-day lifetimes (“short-lived certificates”). We will also add support for IP addresses in addition to domain names .. --------------------------------------------- https://letsencrypt.org/2025/01/16/6-day-and-ip-certs/ ∗∗∗ A Response to Recent Claims About Sessions Security Architecture ∗∗∗ --------------------------------------------- We were recently made aware of a blog published by a security researcher which makes a number of claims about Session and supposed flaws in Session’s design and implementation. We, as well as other Session contributors, have now had time to read through the blog and investigate the claims and wanted to give a detailed response on each point raised by the author. --------------------------------------------- https://getsession.org/blog/a-response-to-recent-claims-about-sessions-secu… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (rsync and tomcat9), Fedora (chromium, mingw-python-jinja2, redict, and valkey), Gentoo (GIMP and pip), Oracle (.NET, fence-agents, ipa, kernel, python-virtualenv, raptor2, and rsync), Red Hat (.NET 8.0 and .NET 9.0), SUSE (apache2-mod_jk, git, git-lfs, kernel, python-Django, thunderbird, and xen), and Ubuntu (audacity, bcel, dotnet8, dotnet9, gimp-dds, harfbuzz, libxml2, poppler, rsync, and tqdm). --------------------------------------------- https://lwn.net/Articles/1005433/ ∗∗∗ Aviatrix Controllers OS Command Injection Vulnerability ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/threat-signal-report/5982 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.01.2025
by Daily end-of-shift report 16 Jan '25

16 Jan '25

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 15-01-2025 18:00 − Donnerstag 16-01-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ MFA Failures - The Worst is Yet to Come ∗∗∗ --------------------------------------------- This article delves into the rising tide of MFA failures, the alarming role of generative AI in amplifying these attacks, the growing user discontent weakening our defenses, and the glaring vulnerabilities being frequently exploited. The storm is building, and the worst is yet to come. --------------------------------------------- https://www.bleepingcomputer.com/news/security/mfa-failures-the-worst-is-ye… ∗∗∗ An honest mistake - and a cautionary tale ∗∗∗ --------------------------------------------- We all make mistakes. That is only natural. However, there are cases in which these mistakes can have unexpected consequences. A Twitter user recently found this out the hard way. The ingredients: a cheap USB-C adapter with a network connection, an internet connection and a sandbox. --------------------------------------------- https://www.gdatasoftware.com/blog/2025/01/38129-usb-network-adapter-malware ∗∗∗ Windows 10 und 11: Microsoft verwirrt Nutzer mit Bitlocker-Bug ∗∗∗ --------------------------------------------- Auf einigen Windows-Geräten mit aktivierter Bitlocker-Verschlüsselung erscheint eine unerwartete Meldung. Microsoft untersucht das Problem. --------------------------------------------- https://www.golem.de/news/windows-10-und-11-microsoft-verwirrt-nutzer-mit-b… ∗∗∗ Tiktok, Xiaomi, Aliexpress: Beschwerden wegen Datentransfers nach China eingereicht ∗∗∗ --------------------------------------------- China ist als autoritärer Überwachungsstaat nach Einschätzung von Datenschützern kein zulässiger Standort für europäische Nutzerdaten. --------------------------------------------- https://www.golem.de/news/tiktok-xiaomi-aliexpress-beschwerden-wegen-datent… ∗∗∗ Bidens Cyber Ambassador Urges Trump Not to Cede Ground to Russia and China in Global Tech Fight ∗∗∗ --------------------------------------------- Nathaniel Fick, the ambassador for cyberspace and digital policy, has led US tech diplomacy amid a rising tide of pressure from authoritarian regimes. Will the Trump administration undo that work? --------------------------------------------- https://www.wired.com/story/nathaniel-fick-us-cyber-ambassador-exit-intervi… ∗∗∗ IT-Sicherheit: EU-Kommission will Gesundheitsbranche unterstützen ∗∗∗ --------------------------------------------- Verstärkte Prävention und rasche Reaktion auf Attacken stehen im Zentrum eines EU-Plans für IT-Sicherheit von Krankenhäusern und Gesundheitsdienstleistern. --------------------------------------------- https://www.heise.de/news/IT-Attacken-So-will-die-EU-Kommission-den-Gesundh… ∗∗∗ Es kann Schadcode auf HPE Aruba Networking AOS Controllers und Gateways gelangen ∗∗∗ --------------------------------------------- Netzwerktechnik von HPE Aruba ist verwundbar. Aktuelle Updates schließen insgesamt zwei Sicherheitslücken. --------------------------------------------- https://www.heise.de/news/Es-kann-Schadcode-auf-HPE-Aruba-Networking-AOS-Co… ∗∗∗ Achtung vor go.hopeforlifefund.com: Spendenaufruf für Nikolas ist Fake! ∗∗∗ --------------------------------------------- Kinder, die an Krebs erkranken, stehen vor großen Herausforderungen und ihre Familien sind oft mit enormen finanziellen Belastungen konfrontiert. Spendenaktionen können hier ein Lichtblick sein. Doch leider gibt es auch Kriminelle, die das Mitgefühl der Menschen schamlos ausnutzen – wie im Fall der betrügerischen Spendenplattform go.hopeforlifefund.com, die angeblich für den krebskranken Jungen Nikolas Spenden sammelt. --------------------------------------------- https://www.watchlist-internet.at/news/spendenaufruf-fuer-krebskranken-niko… ∗∗∗ FTC cracks down on GoDaddy for cybersecurity failings ∗∗∗ --------------------------------------------- GoDaddy’s failure to use industry standard measures led to what the Federal Trade Commission called “several major security breaches” between 2019 and 2022. --------------------------------------------- https://therecord.media/ftc-godaddy-cyber-failings-fine ∗∗∗ Detecting Teams Chat Phishing Attacks (Black Basta) ∗∗∗ --------------------------------------------- For quite a while now, there has been a new ongoing threat campaign where the adversaries first bomb a user’s mailbox with spam emails and then pose as Help Desk or IT Support on Microsoft Teams to trick their potential victims into providing .. --------------------------------------------- https://blog.nviso.eu/2025/01/16/detecting-teams-chat-phishing-attacks-blac… ∗∗∗ 2022 zero day was used to raid Fortigate firewall configs. Somebody just released them. ∗∗∗ --------------------------------------------- Back in 2022, Fortinet warned that somebody had a zero day vulnerability and was using it to exploit Fortigate firewalls https://www.fortinet.com/blog/psirt-blogs/update-regarding-cve-2022-40684 .. --------------------------------------------- https://doublepulsar.com/2022-zero-day-was-used-to-raid-fortigate-firewall-… ∗∗∗ Black Basta-Style Cyberattack Hits Inboxes with 1,165 Emails in 90 Minutes ∗∗∗ --------------------------------------------- A recent cyberattack, mimicking the tactics of the notorious Black Basta ransomware group, targeted one of SlashNext’s clients.… --------------------------------------------- https://hackread.com/black-basta-cyberattack-hits-inboxes-with-1165-emails/ ∗∗∗ Proxying PyRIT for fun and profit ∗∗∗ --------------------------------------------- If you are in the AI security field, you are probably facing the problem of testing Large Language Models (LLMs) at scale and questioning the optimal balance between automatic testing and manual testing .. --------------------------------------------- https://www.nccgroup.com/us/research-blog/proxying-pyrit-for-fun-and-profit/ ∗∗∗ Dont Use Session (Signal Fork) ∗∗∗ --------------------------------------------- The main reason I said to avoid Session, all those months ago, was simply due to their decision to remove forward secrecy (which is an important security property of cryptographic protocols they inherited for free when they forked libsignal). --------------------------------------------- https://soatok.blog/2025/01/14/dont-use-session-signal-fork/ ∗∗∗ UK Officials Consider Banning Ransomware Payments from Public Entities ∗∗∗ --------------------------------------------- The UK government is poised to take a decisive step in the fight against ransomware by banning public sector entities from paying ransoms. This collection of proposals, part of a broader effort to protect critical national infrastructure, aims to disrupt the business model of cybercriminals and shield essential services like the NHS, schools, and local .. --------------------------------------------- https://socket.dev/blog/uk-officials-consider-banning-ransomware-payments-f… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (fence-agents, raptor2, and rsync), Debian (chromium), Fedora (rsync and seamonkey), Mageia (openjpeg2), Red Hat (tuned), Slackware (git), SUSE (dcmtk, dnsmasq, govulncheck-vulndb, libQtWebKit4, libraptor-devel, opera, python311-Pillow, python311-translate-toolkit, rsync, and SDL2_sound-devel), and Ubuntu (linux-raspi-5.4, neomutt, and python2.7). --------------------------------------------- https://lwn.net/Articles/1005292/ ∗∗∗ CVE-2024-9042 ∗∗∗ --------------------------------------------- Command Injection affecting Windows nodes via nodes/*/logs/query API --------------------------------------------- https://github.com/kubernetes/kubernetes/issues/129654 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.01.2025
by Daily end-of-shift report 15 Jan '25

15 Jan '25

===================== = End-of-Day report = ===================== Timeframe: Dienstag 14-01-2025 18:00 − Mittwoch 15-01-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ WP3.XYZ malware attacks add rogue admins to 5,000+ WordPress sites ∗∗∗ --------------------------------------------- A new malware campaign has compromised more than 5,000 WordPress sites to create admin accounts, install a malicious plugin, and steal data. --------------------------------------------- https://www.bleepingcomputer.com/news/security/wp3xyz-malware-attacks-add-r… ∗∗∗ Undercover Operations: Scraping the Cybercrime Underground ∗∗∗ --------------------------------------------- A blog about web scraping methods, use cases, challenges, and how to overcome them. --------------------------------------------- https://www.sans.org/blog/undercover-operations-scraping-the-cybercrime-und… ∗∗∗ Cyber-Bedrohungen für die öffentliche Ladeinfrastruktur: Risiken und Schutzmaßnahmen durch Penetrationstests ∗∗∗ --------------------------------------------- Angriffe auf die öffentliche Ladeinfrastruktur für Elektrofahrzeuge nehmen zu und gefährden den Ruf und die Sicherheit der .. --------------------------------------------- https://sec-consult.com/de/blog/detail/cyber-bedrohungen-fuer-die-oeffentli… ∗∗∗ Phishing False Alarm ∗∗∗ --------------------------------------------- A very security-conscious company was hit with a (presumed) massive state-actor phishing attack with gift cards, and everyone rallied to combat it—until it turned out it was company management sending the gift cards. --------------------------------------------- https://www.schneier.com/blog/archives/2025/01/phishing-false-alarm.html ∗∗∗ Miscreants mass exploited Fortinet firewalls, highly probable zero-day used ∗∗∗ --------------------------------------------- Ransomware not off the table, Arctic Wolf threat hunter tells El Reg Updated Miscreants running a "mass exploitation campaign" against Fortinet firewalls, which peaked in December, may be using an unpatched zero-day vulnerability to compromise the equipment, according to security researchers who say theyve observed the .. --------------------------------------------- https://www.theregister.com/2025/01/14/miscreants_mass_exploited_fortinet_f… ∗∗∗ Patchday Fortinet: Hintertür ermöglicht unbefugte Zugriffe auf FortiSwitch ∗∗∗ --------------------------------------------- Der Anbieter von IT-Securitylösungen Fortinet hat zahlreiche Sicherheitsupdates für seine Produkte veröffentlicht. Das sollten Netzwerkadmins im Blick haben. --------------------------------------------- https://www.heise.de/news/Patchday-Fortinet-Hintertuer-ermoeglicht-unbefugt… ∗∗∗ Cybergang Cl0p: Angeblich Daten durch Cleo-Sicherheitslücke abgezogen ∗∗∗ --------------------------------------------- Die kriminelle Bande Cl0p hat angeblich bei vielen Unternehmen Daten durch eine Sicherheitslücke in der Transfersoftware Cleo gestohlen. --------------------------------------------- https://www.heise.de/news/Cybergang-Cl0p-Angeblich-Daten-durch-Cleo-Sicherh… ∗∗∗ Security flaws found in tiny phones promoted to children ∗∗∗ --------------------------------------------- TL;DR Three mini smartphones promoted to children were analysed These types of phones are heavily promoted on TikTok All had outdated operating systems All could be rooted without wiping the .. --------------------------------------------- https://www.pentestpartners.com/security-blog/security-flaws-found-in-tiny-… ∗∗∗ Security flaws found in tiny phones promoted to children ∗∗∗ --------------------------------------------- TL;DR Three mini smartphones promoted to children were analysed Those devices are heavily promoted on TikTok All had outdated operating systems All could be rooted without wiping the phone, allowing .. --------------------------------------------- https://www.pentestpartners.com/security-blog/security-flaws-found-in-tiny-… ∗∗∗ Adobe Releases Security Updates for Multiple Products ∗∗∗ --------------------------------------------- Adobe released security updates to address vulnerabilities in multiple Adobe software products including Adobe Photoshop, Animate, and Illustrator for iPad. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the following .. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/01/14/adobe-releases-security-… ∗∗∗ TAG Bulletin: Q3 2024 ∗∗∗ --------------------------------------------- This bulletin includes coordinated influence operation campaigns terminated on our platforms in Q3 2024. --------------------------------------------- https://blog.google/threat-analysis-group/tag-bulletin-q3-2024/ ∗∗∗ Patchday: Windows 10/11 Updates (14. Januar 2025) ∗∗∗ --------------------------------------------- Am 14. Januar 2024 (zweiter Dienstag im Monat, Patchday bei Microsoft) hat Microsoft auch kumulative Updates für die noch unterstützten Versionen der Client-Betriebssysteme Windows 10 und Windows 11 veröffentlicht. Hier einige .. --------------------------------------------- https://www.borncity.com/blog/2025/01/15/patchday-windows-10-11-updates-14-… ∗∗∗ Passkeys: the promise of a simpler and safer alternative to passwords ∗∗∗ --------------------------------------------- The merits of choosing passkeys over passwords to help keep your online accounts more secure, and explaining how the technology promises to do this --------------------------------------------- https://www.ncsc.gov.uk/blog-post/passkeys-promise-simpler-alternative-pass… ∗∗∗ Your Single-Page Applications Are Vulnerable: Heres How to Fix Them ∗∗∗ --------------------------------------------- Due to their client-side nature, single-page applications (SPAs) will typically have multiple access control vulnerabilitiesBy implementing a robust access control policy on supporting APIs, the risks associated with client-side rendering can be largely mitigatedUsing server-side .. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/single-page-applic… ∗∗∗ Tracking cloud-fluent threat actors - Part two: Behavioral cloud IOCs ∗∗∗ --------------------------------------------- Discover how behavioral cloud IOCs can expose malicious activity as we break down real-world examples to reveal actionable detection techniques. --------------------------------------------- https://www.wiz.io/blog/detecting-behavioral-cloud-indicators-of-compromise… ∗∗∗ The Risks of Misguided Research in Supply Chain Security ∗∗∗ --------------------------------------------- On January 8, 2025, it came to light that Snyk, a well-known security tool—frequently used to protect against supply chain attacks—was implicated in a troubling event. Several malicious packages targeting the popular AI coding platform Cursor were deployed to the public npm registry. These packages, named “cursor-retrieval,” “cursor-always-local,” .. --------------------------------------------- https://socket.dev/blog/the-risks-of-misguided-research-in-supply-chain-sec… ∗∗∗ Penetration Testing for ISO/IEC 27001: A Detailed Guide to Compliance ∗∗∗ --------------------------------------------- In an era where data breaches and cyber threats dominate headlines, safeguarding sensitive information has become a critical priority for organizations worldwide. ISO/IEC 27001, the internationally recognized standard for Information Security Management Systems (ISMS), offers a robust framework to protect valuable information assets. By .. --------------------------------------------- https://fortbridge.co.uk/regulations/penetration-testing-for-iso-iec-27001-… ===================== = Vulnerabilities = ===================== ∗∗∗ Six vulnerabilities discovered in rsync ∗∗∗ --------------------------------------------- Nick Tait announced on the oss-security mailing list that rsync, the widely used file transfer program, had a number of serious vulnerabilities.Users can mitigate all six vulnerabilities by upgrading to version 3.4.0, which was released on January 14. While all users should upgrade, servers that use rsyncd are especially impacted:In the most severe CVE, an attacker .. --------------------------------------------- https://lwn.net/Articles/1005129/ ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (rsync), Debian (rsync), Fedora (perl-Net-OAuth and redis), Red Hat (ipa, raptor2, rsync, and tuned), Slackware (rsync), SUSE (apache2-mod_jk, git, kernel, rclone, rsync, and webkit2gtk3), and Ubuntu (git, linux-azure-5.4, pdns, pdns-recursor, python-django, rlottie, and rsync). --------------------------------------------- https://lwn.net/Articles/1005163/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.01.2025
by Daily end-of-shift report 14 Jan '25

14 Jan '25

===================== = End-of-Day report = ===================== Timeframe: Montag 13-01-2025 18:00 − Dienstag 14-01-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Abgehörte Kryptohandys: BGH erlaubt Verwertung - Berliner Landgericht lehnt ab ∗∗∗ --------------------------------------------- Die Justiz ringt seit Jahren um die Verwertung von Daten abgehörter Kryptohandys. Nun gab es in wenigen Wochen gegensätzliche Urteile. --------------------------------------------- https://www.golem.de/news/abgehoerte-kryptohandys-bgh-erlaubt-verwertung-be… ∗∗∗ Analyzing CVE-2024-44243, a macOS System Integrity Protection bypass through kernel extensions ∗∗∗ --------------------------------------------- Microsoft discovered a macOS vulnerability allowing attackers to bypass System Integrity Protection (SIP) by loading third party kernel extensions, which could lead to serious consequences, such as allowing attackers to install rootkits, create persistent malware, bypass Transparency, Consent, and Control (TCC), and expand the attack surface to perform other .. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2025/01/13/analyzing-cve-2024… ∗∗∗ The Database Slayer: Deep Dive and Simulation of the Xbash Malware ∗∗∗ --------------------------------------------- In the world of malware, common ransomware schemes aim to take the data within databases (considered the "gold" in the vault of any organization) and hold them hostage, promising data recovery upon ransom payment. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-databas… ∗∗∗ Snyk appears to deploy malicious packages targeting Cursor for unknown reason ∗∗∗ --------------------------------------------- Packages removed, vendor said to have apologized to AI code editor as onlookers say it could have been a test Developer security company Snyk is at the center of allegations concerning the possible targeting or testing of Cursor, an AI code editor company, using "malicious" packages uploaded to NPM. --------------------------------------------- https://www.theregister.com/2025/01/14/snyk_npm_deployment_removed/ ∗∗∗ SAP-Patchday: Updates schließen 14 teils kritische Schwachstellen ∗∗∗ --------------------------------------------- Im Januar bedenkt SAP Produkte mit 14 Sicherheitsmitteilungen und zugehörigen Updates. Zwei davon gelten als kritisch. --------------------------------------------- https://www.heise.de/news/SAP-Patchday-Hersteller-stopft-teils-kritische-SI… ∗∗∗ Telefónica: Infostealer-Kampagne legt interne Jira-Issues offen ∗∗∗ --------------------------------------------- Der Telekommunikationsanbieter Telefónica wurde Opfer eines Cyberangriffs. Kriminelle erbeuteten offenbar Zugriff auf große Mengen interner Daten. --------------------------------------------- https://www.heise.de/news/Telefonica-Infostealer-Kampagne-legt-interne-Jira… ∗∗∗ Achtung Fake: vailllant.at und vaillantproservice.at ∗∗∗ --------------------------------------------- Kriminelle missbrauchen das für Heiztechnik bekannte Unternehmen Vaillant für eine Betrugsmasche. Auf gefälschten Webseiten geben sich die Kriminellen als 24-Stunden-Notdienst für Österreich bzw. Wien/Niederösterreich aus. Ruft man den betrügerischen Notdienst an, kommen unseriöser Handwerker:innen, die den Schaden nicht fachgerecht beheben, sondern eine horrende Summe in Rechnung stellen! --------------------------------------------- https://www.watchlist-internet.at/news/achtung-fake-vailllantat-und-vaillan… ∗∗∗ One Step Ahead in Cyber Hide-and-Seek: Automating Malicious Infrastructure Discovery With Graph Neural Networks ∗∗∗ --------------------------------------------- Graph neural networks aid in analyzing domains linked to known attack indicators, effectively uncovering new malicious domains and cybercrime campaigns. --------------------------------------------- https://unit42.paloaltonetworks.com/graph-neural-networks/ ∗∗∗ Ransomware: Threat Level Remains High in Third Quarter ∗∗∗ --------------------------------------------- Recently established RansomHub group overtakes LockBit to become most prolific ransomware operation. --------------------------------------------- https://www.security.com/threat-intelligence/ransomware-threat-level-remain… ∗∗∗ CISA Releases the JCDC AI Cybersecurity Collaboration Playbook and Fact Sheet ∗∗∗ --------------------------------------------- Today, CISA released the JCDC AI Cybersecurity Collaboration Playbook and Fact Sheet to foster operational collaboration among government, industry, and international partners and strengthen artificial intelligence (AI) cybersecurity. The playbook provides voluntary information-sharing processes that, if adopted, can help protect organizations from emerging .. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2025/01/14/cisa-releases-jcdc-ai-cy… ∗∗∗ Major location data broker reports hack to Norwegian authorities ∗∗∗ --------------------------------------------- The location data broker Gravy Analytics confirmed to Norwegian authorities that it was breached by a hacker — potentially exposing a trove of sensitive information. --------------------------------------------- https://therecord.media/location-data-broker-gravy-breach ∗∗∗ NPM command confusion ∗∗∗ --------------------------------------------- Intro Managing dependencies in JavaScript projects can quickly become a complex undertaking. Tasks include keeping track of versions, ensuring compatibility, and handling updates . npm provides a robust solution to these problems, through a centralized system for managing project dependencies. Primarily accessed through its command-line interface (CLI), npm .. --------------------------------------------- https://checkmarx.com/blog/npm-command-confusion/ ∗∗∗ Malicious Kong Ingress Controller Image Found on DockerHub ∗∗∗ --------------------------------------------- A critical security breach in the software supply chain has been detected. An attacker accessed Kong’s DockerHub account --------------------------------------------- https://hackread.com/malicious-kong-ingress-controller-image-dockerhub/ ∗∗∗ Hackers Using Fake YouTube Links to Steal Login Credentials ∗∗∗ --------------------------------------------- Cybercriminals exploit fake YouTube links to redirect users to phishing pages, stealing login credentials via URI .. --------------------------------------------- https://hackread.com/hackers-fake-youtube-links-steal-login-credentials/ ∗∗∗ Kill Switch Hidden in npm Packages Typosquatting Chalk and Chokidar ∗∗∗ --------------------------------------------- In Hindi, chokidar (चौकीदार) means “gatekeeper” or “watchman”—a perfect descriptor for chokidar one of Node.js most trusted file-watching libraries with around 56 million weekly downloads. Meanwhile, chalk serves as a cornerstone for terminal string styling in JavaScript, drawing over 265 million downloads weekly. Unfortunately, our Socket threat .. --------------------------------------------- https://socket.dev/blog/kill-switch-hidden-in-npm-packages-typo-squatting-c… ===================== = Vulnerabilities = ===================== ∗∗∗ Zyxel security advisory for improper privilege management vulnerability in APs and security router devices ∗∗∗ --------------------------------------------- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-… ∗∗∗ January Security Update ∗∗∗ --------------------------------------------- https://www.ivanti.com/blog/january-security-update -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.01.2025
by Daily end-of-shift report 13 Jan '25

13 Jan '25

===================== = End-of-Day report = ===================== Timeframe: Freitag 10-01-2025 18:00 − Montag 13-01-2025 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Ongoing attacks on Ivanti VPNs install a ton of sneaky, well-written malware ∗∗∗ --------------------------------------------- In-the-wild attacks tamper with built-in security tool providing infection warnings. --------------------------------------------- https://arstechnica.com/security/2025/01/ivanti-vpn-users-are-getting-hacke… ∗∗∗ Phishing texts trick Apple iMessage users into disabling protection ∗∗∗ --------------------------------------------- Cybercriminals are exploiting a trick to turn off Apple iMessages built-in phishing protection for a text and trick users into re-enabling disabled phishing links. --------------------------------------------- https://www.bleepingcomputer.com/news/security/phishing-texts-trick-apple-i… ∗∗∗ Ransomware abuses Amazon AWS feature to encrypt S3 buckets ∗∗∗ --------------------------------------------- A new ransomware campaign encrypts Amazon S3 buckets using AWSs Server-Side Encryption with Customer Provided Keys (SSE-C) known only to the threat actor, demanding ransoms to receive the decryption key. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ransomware-abuses-amazon-aws… ∗∗∗ Anwendung blockiert: MacOS stuft Docker Desktop als Malware ein ∗∗∗ --------------------------------------------- Einige Dateien von Docker Desktop für MacOS wurden falsch signiert, so dass Nutzer eine Malware-Warnung erhalten. Eine echte Gefahr besteht nicht. --------------------------------------------- https://www.golem.de/news/anwendung-blockiert-docker-desktop-unter-macos-al… ∗∗∗ New LLM Jailbreak Uses Models Evaluation Skills Against Them ∗∗∗ --------------------------------------------- SC Media reports on a new jailbreak method for large language models (LLMs) that "takes advantage of models ability to identify and score harmful content in order to trick the models into generating content related to malware, illegal activity, harassment and more. "The Bad Likert Judge multi-step jailbreak technique was developed and tested by .. --------------------------------------------- https://it.slashdot.org/story/25/01/12/2010218/new-llm-jailbreak-uses-model… ∗∗∗ Nominet probes network intrusion linked to Ivanti zero-day exploit ∗∗∗ --------------------------------------------- Unauthorized activity detected, but no backdoors found UK domain registry Nominet is investigating a potential intrusion into its network related to the latest Ivanti zero-day exploits. --------------------------------------------- https://www.theregister.com/2025/01/13/nominet_ivanti_zero_day/ ∗∗∗ Paypal-Phishing: Angebliche monatliche Finanzberichte ködern Opfer ∗∗∗ --------------------------------------------- Derzeit schaffen es Phishing-Mails an Spam-Filtern vorbeizukommen, die einen monatlichen Finanzbericht für Paypal versprechen. --------------------------------------------- https://www.heise.de/news/Paypal-Phishing-Angebliche-monatliche-Finanzberic… ∗∗∗ Log Source Management App für IBM QRadar SIEM ist auf vielen Wegen angreifbar ∗∗∗ --------------------------------------------- Weil mehrere Komponenten verwundbar sind, können Angreifer Systeme mit Log Source Management App für IBM QRadar SIEM attackieren. --------------------------------------------- https://www.heise.de/news/Log-Source-Management-App-fuer-IBM-QRadar-SIEM-is… ∗∗∗ Tackling AI threats. Advanced DFIR methods and tools for deepfake detection ∗∗∗ --------------------------------------------- TL; DR AI-generated documents, videos and more pose significant challenges for DFIR DFIR teams can harness innovative detection strategies and tooling Digital fingerprinting and watermarking, AI-powered and behavioural analyses .. --------------------------------------------- https://www.pentestpartners.com/security-blog/tackling-ai-threats-advanced-… ∗∗∗ Rufnummernmissbrauch dank Verordnung drastisch zurückgegangen ∗∗∗ --------------------------------------------- Die "Anti-Spoofing-Verordnung" der RTR greift seit September, seitdem gibt es nur noch wenige Vorfälle von Betrug mittels gekaperter Rufnummern --------------------------------------------- https://www.derstandard.at/story/3000000252624/rufnummernmissbrauch-dank-ve… ∗∗∗ Muddling Meerkat Linked to Domain Spoofing in Global Spam Scams ∗∗∗ --------------------------------------------- Infoblox cybersecurity researchers investigating the mysterious activities of Muddling Meerkat unexpectedly uncovered widespread use of domain spoofing in malicious spam campaigns. --------------------------------------------- https://hackread.com/muddling-meerkat-domain-spoofing-spam-scams/ ∗∗∗ Fake CrowdStrike Recruiters Distribute Malware Via Phishing Emails ∗∗∗ --------------------------------------------- SUMMARY Cybercriminals are deploying a tricky new phishing campaign impersonating the cybersecurity firm CrowdStrike‘s .. --------------------------------------------- https://hackread.com/fake-crowdstrike-recruiters-malware-phishing-emails/ ∗∗∗ 3 Russians Indicted for Operating Blender.io and Sinbad.io Crypto Mixers ∗∗∗ --------------------------------------------- SUMMARY Three Russian nationals have been indicted for their alleged roles in running cryptocurrency mixing services Blender.io and… --------------------------------------------- https://hackread.com/3-russian-operating-blender-io-sinbad-io-crypto-mixers/ ∗∗∗ Exploitation Walkthrough and Techniques - Ivanti Connect Secure RCE (CVE-2025-0282) ∗∗∗ --------------------------------------------- As we saw in our previous blogpost, we fully analyzed Ivanti’s most recent unauthenticated Remote Code Execution vulnerability in their Connect Secure (VPN) appliance. Specifically, we analyzed CVE-2025-0282.Today, we’re .. --------------------------------------------- https://labs.watchtowr.com/exploitation-walkthrough-and-techniques-ivanti-c… ∗∗∗ Deep Dive Into a Linux Rootkit Malware ∗∗∗ --------------------------------------------- This is a follow-up analysis to a previous blog about a zero day exploit where the FortiGuard Incident Response (FGIR) team examined how remote attackers exploited multiple vulnerabilities in an appliance to gain control of a customer’s system. --------------------------------------------- https://feeds.fortinet.com/~/910912481/0/fortinet/blogs~Deep-Dive-Into-a-Li… ∗∗∗ Wiz Research Identifies Exploitation in the Wild of Aviatrix Controller RCE (CVE-2024-50603) ∗∗∗ --------------------------------------------- The Wiz Incident Response team is currently responding to multiple incidents involving CVE-2024-50603, an Aviatrix Controller unauthenticated RCE vulnerability, that can lead to privileges escalation in the AWS control plane. Organizations should patch urgently. --------------------------------------------- https://www.wiz.io/blog/wiz-research-identifies-exploitation-in-the-wild-of… ∗∗∗ Analysis of Counter-Ransomware Activities in 2024 ∗∗∗ --------------------------------------------- The scourge of ransomware continues primarily because ofthree main reasons: Ransomware-as-a-Service (RaaS), cryptocurrency, and safe havens.RaaS platforms enable aspiring cybercriminals to join a gang and begin launching attacks with a support system that help extract ransom payments from their victims.Cryptocurrency enables cybercriminals to receive funds .. --------------------------------------------- https://blog.bushidotoken.net/2025/01/analysis-of-counter-ransomware.html ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (dpdk, firefox, iperf3, thunderbird, and webkit2gtk3), Debian (firefox-esr, gnuchess, node-mocha, openafs, python-django, and thunderbird), Fedora (libxmp, python-jinja2, suricata, thunderbird, and xen), Mageia (avahi, libjxl, opencontainers-runc, radare2, rizin, and tinyproxy), Oracle (cups, dpdk, firefox, iperf3, .. --------------------------------------------- https://lwn.net/Articles/1004962/ ∗∗∗ MISP 2.4.203 and 2.5.5 released including new features, improvements and many security improvements. ∗∗∗ --------------------------------------------- We are thrilled to announce the release of MISP v2.4.203 and MISP v2.5.5, bringing a range of new features, improvements, and fixes to enhance the platforms performance, usability, and security. These updates reflect our ongoing commitment to providing a robust and reliable open-source .. --------------------------------------------- https://github.com/MISP/MISP/releases/tag/v2.4.203 ∗∗∗ Security Vulnerabilities fixed in Firefox for iOS 134 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2025-06/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily