- Daily - CERT.at

Tageszusammenfassung - 24.10.2024
by Daily end-of-shift report 24 Oct '24

24 Oct '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 23-10-2024 18:00 − Donnerstag 24-10-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ New Qilin ransomware encryptor features stronger encryption, evasion ∗∗∗ --------------------------------------------- A new Rust-based variant of the Qilin (Agenda) ransomware strain, dubbed Qilin.B, has been spotted in the wild, featuring stronger encryption, better evasion from security tools, and the ability to disrupt data recovery mechanisms. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-qilin-ransomware-encrypt… ∗∗∗ Neue OpenSSL-Lücke ist gefährlich, aber sehr schwer auszunutzen ∗∗∗ --------------------------------------------- Während SuSE und BSI ein hohes Risiko sehen, verweist das OpenSSL-Projekt auf umfangreiche Vorbedingungen eines Exploits. Vorerst kommen keine Updates. [..] Das Risiko der Lücke mit der CVE-ID CVE-2024-9143 schätzten sie als niedrig ein, weil der Fehler schwierig auszunutzen sei. --------------------------------------------- https://heise.de/-9992067 ∗∗∗ Location tracking of phones is out of control. Here’s how to fight back. ∗∗∗ --------------------------------------------- Unique IDs assigned to Android and iOS devices threaten your privacy. Who knew? You likely have never heard of Babel Street or Location X, but chances are good that they know a lot about you and anyone else you know who keeps a phone nearby around the clock. --------------------------------------------- https://arstechnica.com/information-technology/2024/10/phone-tracking-tool-… ∗∗∗ Investigating volatile data with advanced memory forensics tools – part 1 ∗∗∗ --------------------------------------------- In this two post series I want to highlight how memory forensics plays a crucial role in enhancing forensic investigations. Specifically by providing access to volatile data that cannot be retrieved from storage devices like hard drives. --------------------------------------------- https://www.pentestpartners.com/security-blog/investigating-volatile-data-w… ===================== = Vulnerabilities = ===================== ∗∗∗ Kritische Zero-Day Schwachstelle in FortiManager wird aktiv ausgenutzt - Update verfügbar ∗∗∗ --------------------------------------------- In FortiManager wurde eine kritische Sicherheitslücke entdeckt, die bereits aktiv von Angreifern ausgenutzt wird. Die Schwachstelle ermöglicht es einem nicht authentifizierten Angreifer aus der Ferne, beliebigen Code oder Befehle auszuführen. CVE-2024-47575, CVSS Base Score: 9.8 --------------------------------------------- https://www.cert.at/de/warnungen/2024/10/kritische-zero-day-schwachstelle-i… ∗∗∗ Cisco meldet mehr als 35 Sicherheitslücken in Firewall-Produkten ∗∗∗ --------------------------------------------- Ciscos ASA, Firepower und Secure Firewall Management Center weisen teils kritische Sicherheitslücken auf. Mehr als 35 schließen nun verfügbare Updates. [..] Drei der Sicherheitsmeldungen behandeln als kritisches Risiko eingestufte Sicherheitslücken, elf solche mit hohem Risiko, 21 als mittleren Bedrohungsgrad eingestufte Schwachstellen und eine weitere Meldung hat informativen Charakter ohne Risikobewertung. --------------------------------------------- https://heise.de/-9992639 ∗∗∗ Drupal Security Advisories 2024-10-23 ∗∗∗ --------------------------------------------- Drupal released 5 security advisories. (1 Critical, 3 Moderately Critical, 1 Less Critical) --------------------------------------------- https://www.drupal.org/security ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (grafana, NetworkManager-libreswan, python3.11, and python39:3.9 and python39-devel:3.9), Fedora (dotnet6.0, koji, python-fastapi, python-openapi-core, python-platformio, python-starlette, rust-pyo3, rust-pyo3-build-config, rust-pyo3-ffi, rust-pyo3-macros, rust-pyo3-macros-backend, and yarnpkg), Oracle (grafana, kernel, linux-firmware, NetworkManager-libreswan, and python3.11), Slackware (php81), and SUSE (apache2, buildah, cups-filters, go1.21-openssl, podman, postgresql16, python-pyOpenSSL, and webkit2gtk3). --------------------------------------------- https://lwn.net/Articles/995550/ ∗∗∗ VU#123336: Vulnerable WiFi Alliance example code found in Arcadyan FMIMG51AX000J ∗∗∗ --------------------------------------------- https://kb.cert.org/vuls/id/123336 ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (October 14, 2024 to October 20, 2024) ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2024/10/wordfence-intelligence-weekly-wordpr… ∗∗∗ Unauthentifizierte Path Traversal Schwachstelle in Lawo AG vsm LTC Time Sync (vTimeSync) ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/unauthenticated-path-… ∗∗∗ iniNet Solutions SpiderControl SCADA PC HMI Editor ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-298-02 ∗∗∗ VIMESA VHF/FM Transmitter Blue Plus ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-298-01 ∗∗∗ Deep Sea Electronics DSE855 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-298-03 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.10.2024
by Daily end-of-shift report 23 Oct '24

23 Oct '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 22-10-2024 18:00 − Mittwoch 23-10-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Alexander Riepl ===================== = News = ===================== ∗∗∗ Exploit released for new Windows Server "WinReg" NTLM Relay attack ∗∗∗ --------------------------------------------- Proof-of-concept exploit code is now public for a vulnerability in Microsofts Remote Registry client that could be used to take control of a Windows domain by downgrading the security of the authentication process. --------------------------------------------- https://www.bleepingcomputer.com/news/security/exploit-released-for-new-win… ∗∗∗ Hackers exploit 52 zero-days on the first day of Pwn2Own Ireland ∗∗∗ --------------------------------------------- On the first day of Pwn2Own Ireland, participants demonstrated 52 zero-day vulnerabilities across a range of devices, earning a total of $486,250 in cash prizes. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-exploit-52-zero-days… ∗∗∗ Fortinet warns of new critical FortiManager flaw used in zero-day attacks ∗∗∗ --------------------------------------------- Fortinet publicly disclosed today a critical FortiManager API vulnerability, tracked as CVE-2024-47575, that was exploited in zero-day attacks to steal sensitive files containing configurations, IP addresses, and credentials for managed devices. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fortinet-warns-of-new-critic… ∗∗∗ Android und iOS: Fest codierte Cloud-Zugangsdaten in populären Apps entdeckt ∗∗∗ --------------------------------------------- Betroffen sind mehrere Apps mit teils Millionen von Downloads. Den Entdeckern zufolge gefährdet dies nicht nur Backend-Dienste, sondern auch Nutzerdaten. --------------------------------------------- https://www.golem.de/news/android-und-ios-fest-codierte-cloud-zugangsdaten-… ∗∗∗ Grandoreiro, the global trojan with grandiose ambitions ∗∗∗ --------------------------------------------- In this report, Kaspersky experts analyze recent Grandoreiro campaigns, new targets, tricks, and banking trojan versions. --------------------------------------------- https://securelist.com/grandoreiro-banking-trojan/114257/ ∗∗∗ The Crypto Game of Lazarus APT: Investors vs. Zero-days ∗∗∗ --------------------------------------------- Kaspersky GReAT experts break down the new campaign of Lazarus APT which uses social engineering and exploits a zero-day vulnerability in Google Chrome for financial gain. --------------------------------------------- https://securelist.com/lazarus-apt-steals-crypto-with-a-tank-game/114282/ ∗∗∗ CISA Warns of Active Exploitation of Microsoft SharePoint Vulnerability (CVE-2024-38094) ∗∗∗ --------------------------------------------- A high-severity flaw impacting Microsoft SharePoint has been added to the Known Exploited Vulnerabilities (KEV) catalog by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday, citing evidence of active .. --------------------------------------------- https://thehackernews.com/2024/10/cisa-warns-of-active-exploitation-of.html ∗∗∗ Achtung Fake-Shop: sparhimmel24.de ∗∗∗ --------------------------------------------- sparhimmel24.de ist ein betrügerischer Online-Shop, der Sie mit vermeintlichen Schnäppchen in die Falle lockt. Bestellungen werden trotz Bezahlung nicht geliefert. Wir zeigen Ihnen wie Sie Fake-Shops erkennen und sich vor Betrug schützen können. --------------------------------------------- https://www.watchlist-internet.at/news/achtung-fake-shop-sparhimmel24de ∗∗∗ Deceptive Delight: Jailbreak LLMs Through Camouflage and Distraction ∗∗∗ --------------------------------------------- We examine an LLM jailbreaking technique called "Deceptive Delight," a technique that mixes harmful topics with benign ones to trick AIs, with a high success rate.The post Deceptive Delight: Jailbreak LLMs Through Camouflage and Distraction appeared first on Unit 42. --------------------------------------------- https://unit42.paloaltonetworks.com/jailbreak-llms-through-camouflage-distr… ∗∗∗ Burning Zero Days: FortiJump FortiManager vulnerability used by nation state in espionage via MSPs ∗∗∗ --------------------------------------------- Did you know there’s widespread exploitation of FortiNet products going on using a zero day, and that there’s no CVE? Now you do. --------------------------------------------- https://doublepulsar.com/burning-zero-days-fortijump-fortimanager-vulnerabi… ∗∗∗ Threat Spotlight: WarmCookie/BadSpace ∗∗∗ --------------------------------------------- WarmCookie is a malware family that emerged in April 2024 and has been distributed via regularly conducted malspam and malvertising campaigns. --------------------------------------------- https://blog.talosintelligence.com/warmcookie-analysis/ ∗∗∗ Sicherheitslücke in Samsung-Android-Treiber wird angegriffen ∗∗∗ --------------------------------------------- Treiber für Samsungs Mobilprozessoren ermöglichen Angreifern das Ausweiten ihrer Rechte. Google warnt vor laufenden Angriffen darauf. --------------------------------------------- https://heise.de/-9991521 ∗∗∗ Public Report: WhatsApp Contacts Security Assessment ∗∗∗ --------------------------------------------- In May 2024, Meta engaged NCC Group’s Cryptography Services practice to perform a cryptography security assessment of selected aspects of the WhatsApp Identity Proof Linked Storage (IPLS) protocol implementation. IPLS underpins the WhatsApp Contacts solution, which aims to store .. --------------------------------------------- https://www.nccgroup.com/us/research-blog/public-report-whatsapp-contacts-s… ===================== = Vulnerabilities = ===================== ∗∗∗ SSA-333468: Multiple Vulnerabilities in InterMesh Subscriber Devices ∗∗∗ --------------------------------------------- InterMesh Subscriber devices contain multiple vulnerabilities that could allow an unauthenticated remote attacker to execute arbitrary code with root privileges. CVSS v4.0 Base Score: 10.0, CVE-2024-47901 --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-333468.html?ste_sid=23… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (dmitry, libheif, and python-sql), Fedora (suricata and wireshark), SUSE (cargo-c, libeverest, protobuf, and qemu), and Ubuntu (golang-1.22, libheif, unbound, and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/995293/ ∗∗∗ 2024-10-21: Cyber Security Advisory - ABB Relion 611, 615, 620, 630 series, REX610, REX640, SMU615, SSC600, Arctic solution, COM600, SPA ZC-400, SUE3000 Guidelines to Prevent Unauthorized Modifications of Firmware and Configuration ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=2NGA001911&Language… ∗∗∗ Authenticated Remote Code Execution in multiple Xerox printers ∗∗∗ --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/authenticated-remote-cod… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.10.2024
by Daily end-of-shift report 22 Oct '24

22 Oct '24

===================== = End-of-Day report = ===================== Timeframe: Montag 21-10-2024 18:00 − Dienstag 22-10-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ FortiManager: Update dichtet offenbar attackiertes Sicherheitsleck ab ∗∗∗ --------------------------------------------- Ohne öffentliche Informationen hat Fortinet Updates für FortiManager veröffentlicht. Sie schließen offenbar attackierte Sicherheitslücken. --------------------------------------------- https://heise.de/-9990393 ∗∗∗ Auch ein .rdp File kann gefährlich sein ∗∗∗ --------------------------------------------- Heute wurde in ganz Europa eine Spear-Phishing Kampagne beobachtet, bei der es darum geht, dass der Empfänger ein angehängtes RDP File öffnen soll. --------------------------------------------- https://www.cert.at/de/aktuelles/2024/10/auch-rdp-file-kann-gefahrlich-sein ∗∗∗ Security Flaw in Styras OPA Exposes NTLM Hashes to Remote Attackers ∗∗∗ --------------------------------------------- Details have emerged about a now-patched security flaw in Styras Open Policy Agent (OPA) that, if successfully exploited, could have led to leakage of New Technology LAN Manager (NTLM) hashes. --------------------------------------------- https://thehackernews.com/2024/10/security-flaw-in-styras-opa-exposes.html ∗∗∗ Pixel perfect Ghostpulse malware loader hides inside PNG image files ∗∗∗ --------------------------------------------- The Ghostpulse malware strain now retrieves its main payload via a PNG image file's pixels. This development, security experts say, is "one of the most significant changes" made by the crooks behind it since launching in 2023. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2024/10/22/ghostpulse_m… ∗∗∗ OpenSSL 3.4.0 released ∗∗∗ --------------------------------------------- Version 3.4.0 of the OpenSSL SSL/TLS library has been released. It adds anumber of new encryption algorithms, support for "directly fetchedcomposite signature algorithms such as RSA-SHA2-256", and more. See therelease notes for details. --------------------------------------------- https://lwn.net/Articles/995098/ ∗∗∗ Akira ransomware continues to evolve ∗∗∗ --------------------------------------------- As the Akira ransomware group continues to evolve its operations, Talos has the latest research on the groups attack chain, targeted verticals, and potential future TTPs. --------------------------------------------- https://blog.talosintelligence.com/akira-ransomware-continues-to-evolve/ ∗∗∗ Threat actor abuses Gophish to deliver new PowerRAT and DCRAT ∗∗∗ --------------------------------------------- Cisco Talos recently discovered a phishing campaign using an open-source phishing toolkit called Gophish by an unknown threat actor. [..] Talos discovered an undocumented PowerShell RAT we’re calling PowerRAT, as one of the payloads and another infamous Remote Access Tool (RAT) DCRAT. --------------------------------------------- https://blog.talosintelligence.com/gophish-powerrat-dcrat/ ∗∗∗ Using gRPC and HTTP/2 for Cryptominer Deployment: An Unconventional Approach ∗∗∗ --------------------------------------------- In this blog entry, we discuss how malicious actors are exploiting Docker remote API servers via gRPC/h2c to deploy the cryptominer SRBMiner to facilitate their mining of XRP on Docker hosts. --------------------------------------------- https://www.trendmicro.com/en_us/research/24/j/using-grpc-http-2-for-crypto… ∗∗∗ Web Application Security for DevOps: Site and Origin Dynamics and Cross-Site Request Forgery ∗∗∗ --------------------------------------------- This is a continuation of the series on web application security where we dive into cookie dynamics. --------------------------------------------- https://www.bitsight.com/blog/web-application-security-devops-site-and-orig… ===================== = Vulnerabilities = ===================== ∗∗∗ VMware fixes bad patch for critical vCenter Server RCE flaw ∗∗∗ --------------------------------------------- VMware has released another security update for CVE-2024-38812, a critical VMware vCenter Server remote code execution vulnerability that was not correctly fixed in the first patch from September 2024. --------------------------------------------- https://www.bleepingcomputer.com/news/security/vmware-fixes-bad-patch-for-c… ∗∗∗ Zyxel security advisory for insufficiently protected credentials vulnerability in firewalls ∗∗∗ --------------------------------------------- The insufficiently protected credentials vulnerability in the CLI command of the USG FLEX H series firewalls could allow an authenticated local attacker to gain privilege escalation by stealing the authentication token of a login administrator. Note that this attack could be successful only if the administrator has not logged out. --------------------------------------------- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ffmpeg, ghostscript, libsepol, openjdk-11, openjdk-17, perl, and python-sql), Oracle (389-ds-base, buildah, containernetworking-plugins, edk2, httpd, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-21-openjdk, kernel, python-setuptools, skopeo, and webkit2gtk3), Red Hat (buildah), Slackware (openssl), SUSE (apache2, firefox, libopenssl-3-devel, podman, and python310-starlette), and Ubuntu (cups-browsed, firefox, libgsf, and linux-gke). --------------------------------------------- https://lwn.net/Articles/995095/ ∗∗∗ Dell Product Security Update Advisory (CVE-2024-45766) ∗∗∗ --------------------------------------------- https://asec.ahnlab.com/en/83995/ ∗∗∗ SolarWinds Product Security Update Advisory (CVE-2024-45711) ∗∗∗ --------------------------------------------- https://asec.ahnlab.com/en/84002/ ∗∗∗ ICONICS and Mitsubishi Electric Products ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-296-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.10.2024
by Daily end-of-shift report 21 Oct '24

21 Oct '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 18-10-2024 18:00 − Montag 21-10-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ New macOS vulnerability, “HM Surf”, could lead to unauthorized data access ∗∗∗ --------------------------------------------- Microsoft Threat Intelligence uncovered a macOS vulnerability that could potentially allow an attacker to bypass the operating system’s Transparency, Consent, and Control (TCC) technology and gain unauthorized access to a user’s protected data. The vulnerability, which we refer to as “HM Surf”, involves removing the TCC protection for the Safari browser directory and modifying a configuration file in the said directory to gain access to the user’s data, including browsed pages, the device’s camera, microphone, and location, without the user’s consent. [..] Apple released a fix for this vulnerability, now identified as CVE-2024-44133, as part of security updates for macOS Sequoia, released on September 16, 2024. At present, only Safari uses the new protections afforded by TCC. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2024/10/17/new-macos-vulnerab… ∗∗∗ Hooked by the Call: A Deep Dive into The Tricks Used in Callback Phishing Emails ∗∗∗ --------------------------------------------- Previously, Trustwave SpiderLabs covered a massive fake order spam scheme that impersonated a tech support company and propagated via Google Groups. Since then, we have observed more spam campaigns using this hybrid form of cyberattack with varying tactics, techniques, and procedures (TTP). [..] In this blog, we will showcase the different spam techniques used in these phishing emails. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/hooked-by-t… ∗∗∗ Hackers Exploit Roundcube Webmail XSS Vulnerability to Steal Login Credentials ∗∗∗ --------------------------------------------- Unknown threat actors have been observed attempting to exploit a now-patched security flaw in the open-source Roundcube webmail software as part of a phishing attack designed to steal user credentials. [..] The attack chain, per Positive Technologies, is an attempt to exploit CVE-2024-37383 (CVSS score: 6.1), a stored cross-site scripting (XSS) vulnerability via SVG animate attributes that allows for execution of arbitrary JavaScript in the context of the victim's web browser. --------------------------------------------- https://thehackernews.com/2024/10/hackers-exploit-roundcube-webmail-xss.html ∗∗∗ Severe flaws in E2EE cloud storage platforms used by millions ∗∗∗ --------------------------------------------- Several end-to-end encrypted (E2EE) cloud storage platforms are vulnerable to a set of security issues that could expose user data to malicious actors. [..] The researchers notified Sync, pCloud, Seafile, and Icedrive of their findings on April 23, 2024, and contacted Tresorit on September 27, 2024, to discuss potential improvements in their particular cryptographic designs. [..] BleepingComputer contacted all five cloud service providers for a comment on Hofmann's and Truong's research, and we received the below statements. --------------------------------------------- https://www.bleepingcomputer.com/news/security/severe-flaws-in-e2ee-cloud-s… ∗∗∗ Open source LLM tool primed to sniff out Python zero-days ∗∗∗ --------------------------------------------- The static analyzer uses Claude AI to identify vulns and suggest exploit code Researchers with Seattle-based Protect AI plan to release a free, open source tool that can find zero-day vulnerabilities in Python codebases with the help of Anthropics Claude AI model. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2024/10/20/python_zero_… ∗∗∗ Hunting for Remote Management Tools: Detecting RMMs ∗∗∗ --------------------------------------------- Given the wide range of different RMM tools available, performing a threat hunt to identify all different available tools used in the organization brings a couple of challenges. In this blog, we’ll dive a little deeper into how we tackled this challenge and share this knowledge so you can use it to keep your organization safe. --------------------------------------------- https://blog.nviso.eu/2024/10/21/hunting-for-remote-management-tools-detect… ∗∗∗ Cisco bestätigt Attacke auf DevHub-Portal und nimmt es offline ∗∗∗ --------------------------------------------- Cisco hat aktuell laufende Untersuchungen zu einem IT-Sicherheitsvorfall vorangetrieben und nun eine Attacke bestätigt. Dabei sollen Angreifer Zugriff auf nicht für die Öffentlichkeit bestimmte Daten gehabt haben. --------------------------------------------- https://heise.de/-9987412 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (asterisk, chromium, php-horde-mime-viewer, and php-horde-turba), Fedora (apache-commons-io, buildah, chromium, containers-common, libarchive, libdigidocpp, oath-toolkit, podman, rust-hyper-rustls, rust-reqwest, rust-rustls-native-certs, rust-rustls-native-certs0.7, rust-tonic, rust-tonic-build, rust-tonic-types, rust-tower, rust-tower-http, rust-tower-http0.5, rust-tower0.4, thunderbird, and unbound), SUSE (buildah, chromedriver, chromium, element-desktop, element-web, jetty-annotations, nodejs-electron, php7, php74, php8, podman, python3-virtualbox, qemu, thunderbird, and valkey), and Ubuntu (amd64-microcode). --------------------------------------------- https://lwn.net/Articles/994941/ ∗∗∗ Angreifer können PCs mit Virenschutz von Bitdefender und Trend Micro attackieren ∗∗∗ --------------------------------------------- Sicherheitslücken in Virenschutz-Software von Bitdefender und Trend Micro gefährden Systeme. Admins sollten die verfügbaren Sicherheitsupdates zeitnah installieren, um Attacken vorzubeugen. [..] Im Supportbereich der Bitdefender-Website geben die Entwickler an, in diesem Kontext insgesamt fünf Sicherheitslücken (CVE-2023-49567, CVE-2023-49570, CVE-2023-6055, CVE-2023-6056, CVE-2023-6057) mit dem Bedrohungsgrad "hoch" geschlossen zu haben. Damit so eine Attacke klappt, können Angreifer etwa über Hashkollsionen (MD5 und SHA1) Zertifikate erzeugen, die als legitim durchgewunken werden. Die Sicherheitsprobleme sollen in der sich automatisch installierenden Total-Security-Version 27.0.25.11 gelöst sein. --------------------------------------------- https://heise.de/-9987394 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.10.2024
by Daily end-of-shift report 18 Oct '24

18 Oct '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 17-10-2024 18:00 − Freitag 18-10-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Analysis of the Crypt Ghouls group: continuing the investigation into a series of attacks on Russia ∗∗∗ --------------------------------------------- A close look at the utilities, techniques, and infrastructure used by the hacktivist group Crypt Ghouls has revealed links to groups such as Twelve, BlackJack, etc. --------------------------------------------- https://securelist.com/crypt-ghouls-hacktivists-tools-overlap-analysis/1142… ∗∗∗ Feline Hackers Among Us? (A Deep Dive and Simulation of the Meow Attack) ∗∗∗ --------------------------------------------- Introduction In the perpetually evolving field of cybersecurity, new threats materialize daily. Attackers are on the prowl for weaknesses in infrastructure and software like a cat eyeing its helpless prey. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/feline-hack… ∗∗∗ U.S. and Allies Warn of Iranian Cyberattacks on Critical Infrastructure in Year-Long Campaign ∗∗∗ --------------------------------------------- Cybersecurity and intelligence agencies from Australia, Canada, and the U.S. have warned about a year-long campaign undertaken by Iranian cyber actors to infiltrate critical infrastructure organizations via brute-force attacks."Since October 2023, Iranian ..d --------------------------------------------- https://thehackernews.com/2024/10/us-and-allies-warn-of-iranian.html ∗∗∗ Intel hits back at Chinas accusations it bakes in NSA backdoors ∗∗∗ --------------------------------------------- Chipzilla says it obeys the law wherever it is, which is nice Intel has responded to Chinese claims that its chips include security backdoors at the direction of Americas NSA. --------------------------------------------- https://www.theregister.com/2024/10/18/intel_china_security_allegations/ ∗∗∗ Alleged Bitcoin crook faces 5 years after SECs X account pwned ∗∗∗ --------------------------------------------- SIM swappers strike again, warping cryptocurrency prices An Alabama man faces five years in prison for allegedly attempting to manipulate the price of Bitcoin by pwning the US Securities and Exchange Commissions X account earlier this year. --------------------------------------------- https://www.theregister.com/2024/10/18/sec_bitcoin_arrest/ ∗∗∗ Brazil Arrests ‘USDoD,’ Hacker in FBI Infragard Breach ∗∗∗ --------------------------------------------- Brazilian authorities reportedly have arrested a 33-year-old man on suspicion of being "USDoD," a prolific cybercriminal who rose to infamy in 2022 after infiltrating the FBIs InfraGard program and leaking contact information for 80,000 members. More recently, USDoD was behind a breach at the consumer data broker National Public Data that led .. --------------------------------------------- https://krebsonsecurity.com/2024/10/brazil-arrests-usdod-hacker-in-fbi-infr… ∗∗∗ EIW — ESET Israel Wiper — used in active attacks targeting Israeli orgs ∗∗∗ --------------------------------------------- One of my Mastodon followers sent me an interesting toot today, which lead to this forum post .. --------------------------------------------- https://doublepulsar.com/eiw-eset-israel-wiper-used-in-active-attacks-targe… ∗∗∗ What I’ve learned in my first 7-ish years in cybersecurity ∗∗∗ --------------------------------------------- Plus, a zero-day vulnerability in Qualcomm chips, exposed health care devices, and the latest on the Salt Typhoon threat actor. --------------------------------------------- https://blog.talosintelligence.com/threat-source-newsletter-oct-17-2024/ ∗∗∗ Call stack spoofing explained using APT41 malware ∗∗∗ --------------------------------------------- Summary Call stack spoofing isn’t a new technique, but it has become more popular in the last few years. Call stacks are a telemetry source for EDR software that can be used to determine if a process made suspicious actions (requesting a handle to the lsass process, writing suspicious code to a newly allocated area, .. --------------------------------------------- https://cybergeeks.tech/call-stack-spoofing-explained-using-apt41-malware/ ∗∗∗ Fake North Korean IT Workers Infiltrate Western Firms, Demand Ransom ∗∗∗ --------------------------------------------- North Korean hackers are infiltrating Western companies using fraudulent IT workers to steal sensitive data and extort ransom. --------------------------------------------- https://hackread.com/fake-north-korean-it-workers-west-firms-demand-ransom/ ∗∗∗ U.S. and UK Warn of Russian Cyber Threats: 9 of 12 GreyNoise-Tracked Vulnerabilities in the Advisory Are Being Probed Right Now ∗∗∗ --------------------------------------------- Joint U.S. and UK advisory identifies 24 vulnerabilities exploited by Russian state-sponsored APT 29, with GreyNoise detecting active probing on nine of these critical CVEs. Stay informed with real-time .. --------------------------------------------- https://www.greynoise.io/blog/u-s-and-uk-warn-of-russian-cyber-threats-9-of… ∗∗∗ Apple Passwörter: So lautet das Rezept für generierte Passwörter ∗∗∗ --------------------------------------------- Ein leitender Softwareentwickler Apples erklärt in einem Blogpost, nach welchem Muster Apple Passwörter generiert. --------------------------------------------- https://heise.de/-9986503 ===================== = Vulnerabilities = ===================== ∗∗∗ SVD-2024-1013: Third-Party Package Updates in Splunk Add-on for Office 365 - October 2024 ∗∗∗ --------------------------------------------- Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk Add-on for Office 365 versions 4.5.2 and higher. --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2024-1013 ∗∗∗ Synology-SA-24:17 Synology Camera ∗∗∗ --------------------------------------------- The vulnerabilities allow remote attackers to execute arbitrary code, remote attackers to bypass security constraints and remote attackers to conduct denial-of-service attacks via a susceptible version of Synology Camera BC500 Firmware, Synology Camera TC500 Firmware and Synology Camera CC400W Firmware. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_24_17 ∗∗∗ ZDI-24-1419: Trend Micro Deep Security Improper Access Control Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-1419/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.10.2024
by Daily end-of-shift report 17 Oct '24

17 Oct '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 16-10-2024 18:00 − Donnerstag 17-10-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Iranian hackers act as brokers selling critical infrastructure access ∗∗∗ --------------------------------------------- Iranian hackers are breaching critical infrastructure organizations to collect credentials and network data that can be sold on cybercriminal forums to enable cyberattacks from other threat actors. --------------------------------------------- https://www.bleepingcomputer.com/news/security/iranian-hackers-act-as-broke… ∗∗∗ Mit Standard-Zugangsdaten: Kubernetes-Lücke ermöglicht Root-Zugriff per SSH ∗∗∗ --------------------------------------------- Betroffen sind Images, die mit dem Kubernetes Image Builder erstellt wurden. Es gibt zwar einen Patch, doch der schützt bestehende Images nicht. --------------------------------------------- https://www.golem.de/news/mit-standard-zugangsdaten-kubernetes-luecke-ermoe… ∗∗∗ The 2024 State of ICS/OT Cybersecurity: Our Past and Our Future ∗∗∗ --------------------------------------------- The 2024 State of ICS/OT report shows our industry’s growth since 2019 and offers insight into how we may improve going into 2029. --------------------------------------------- https://www.sans.org/blog/the-2024-state-of-ics-ot-cybersecurity-our-past-a… ∗∗∗ DORA-Kernkonzepte verstehen: Fokus auf "Kritische oder wichtige Funktionen" ∗∗∗ --------------------------------------------- Mit dem Ziel, ein hohes Maß an digitaler operativer Widerstandsfähigkeit zu erreichen, bietet DORA einen umfassenden Rahmen für das wirksame .. --------------------------------------------- https://sec-consult.com/de/blog/detail/dora-core-concepts-critical-or-impor… ∗∗∗ Cisco confirms ongoing investigation after crims brag about selling tons of data ∗∗∗ --------------------------------------------- Networking giant says no evidence of impact on its systems but will tell customers if their info has been stolen UPDATED Cisco has confirmed it is investigating claims of stealing — and now selling — data belonging .. --------------------------------------------- https://www.theregister.com/2024/10/15/cisco_confirm_ongoing_investigation/ ∗∗∗ New ThreatLabz Report: Mobile remains a top threat vector with 111% spyware growth while IoT attacks rise 45% ∗∗∗ --------------------------------------------- The role of the CISO continues to expand, driven by the rising number of breaches and cyberattacks like ransomware, as well as SEC requirements for public organizations to disclose material breaches. Among the fastest-moving .. --------------------------------------------- https://www.zscaler.com/blogs/security-research/new-threatlabz-report-mobil… ∗∗∗ Sudanese Brothers Arrested in ‘AnonSudan’ Takedown ∗∗∗ --------------------------------------------- The U.S. government on Wednesday announced the arrest and charging of two Sudanese brothers accused of running Anonymous Sudan (a.k.a. AnonSudan), a cybercrime business known for launching powerful distributed denial-of-service (DDoS) attacks against a range of targets, including dozens of hospitals, news websites and cloud providers. One of the .. --------------------------------------------- https://krebsonsecurity.com/2024/10/sudanese-brothers-arrested-in-anonsudan… ∗∗∗ Russische Hackergruppe bekennt sich zu Angriff auf das Internet Archive ∗∗∗ --------------------------------------------- Eine Gruppe namens "SN_BLACKMETA" hat nach eigenen Angaben DDoS-Attacken auf die Internetbibliothek durchgeführt --------------------------------------------- https://www.derstandard.at/story/3000000241091/russische-hackergruppe-beken… ∗∗∗ Gatekeeper Bypass: Uncovering Weaknesses in a macOS Security Mechanism ∗∗∗ --------------------------------------------- Explore how macOS Gatekeepers security could be compromised by third-party apps not enforcing quarantine attributes effectively. --------------------------------------------- https://unit42.paloaltonetworks.com/gatekeeper-bypass-macos/ ∗∗∗ Ransomware: Threat Level Remains High in Third Quarter ∗∗∗ --------------------------------------------- Recently established RansomHub group overtakes LockBit to become most prolific ransomware operation. --------------------------------------------- https://symantec-enterprise-blogs.security.com/threat-intelligence/ransomwa… ∗∗∗ Cyber Resilience Act beschlossen ∗∗∗ --------------------------------------------- Der Cyber Resilience Act (CRA) ist eine EU-Verordnung für die Sicherheit in Hard- und Softwareprodukten mit digitalen Elementen, die am 10.10.2024 im Rat der Europäischen Union verabschiedet wurde. Nach der Veröffentlichung im Amtsblatt der EU wird das .. --------------------------------------------- https://certitude.consulting/blog/de/cyber-resilience-act-beschlossen/ ∗∗∗ Hacker allegedly behind attacks on FBI, Airbus, National Public Data arrested in Brazil ∗∗∗ --------------------------------------------- Police did not name the suspect, but a threat actor known as USDoD has long boasted of being behind the attacks that were highlighted by Brazilian law enforcement following the arrest. --------------------------------------------- https://therecord.media/hacker-behind-fbi-npd-airbus-attacks-arrested-brazil ∗∗∗ Why Hackers May Be Targeting You ∗∗∗ --------------------------------------------- In todays evolving cyber threat landscape, small and mid-sized businesses can reduce their risk by understanding cybercriminals, addressing misconceptions, and enhancing their cybersecurity and incident .. --------------------------------------------- https://www.emsisoft.com/en/blog/46073/why-hackers-may-be-targeting-you/ ===================== = Vulnerabilities = ===================== ∗∗∗ Oracle Releases Quarterly Critical Patch Update Advisory for October 2024 ∗∗∗ --------------------------------------------- Oracle released its quarterly Critical Patch Update Advisory for October 2024 to address vulnerabilities in multiple products. A cyber threat actor could exploit some of these vulnerabilities to take .. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/10/17/oracle-releases-quarterl… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- https://lwn.net/Articles/994630/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.10.2024
by Daily end-of-shift report 16 Oct '24

16 Oct '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 15-10-2024 18:00 − Mittwoch 16-10-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ ASEC and NCSC Release Joint Report on Microsoft Zero-Day Browser Vulnerability (CVE-2024-38178) ∗∗∗ --------------------------------------------- AhnLab SEcurity intelligence Center (ASEC) and the National Cyber Security Center (NCSC) have discovered a new zero-day vulnerability in the Microsoft Internet Explorer (IE) browser and have conducted a detailed analysis on attacks that exploit this vulnerability. This post shares the joint analysis report “Operation Code on Toast by TA-RedAnt” which details the findings of the ASEC and NCSC joint analysis and the responses to the threat. --------------------------------------------- https://asec.ahnlab.com/en/83877/ ∗∗∗ Exfiltration over Telegram Bots: Skidding Infostealer Logs ∗∗∗ --------------------------------------------- Bitsight’s visibility over infostealer malware which exfiltrates over Telegram suggests that the most infected countries are the USA, Turkey, and Russia, followed by India and Germany. --------------------------------------------- https://www.bitsight.com/blog/exfiltration-over-telegram-bots-skidding-info… ∗∗∗ EDRSilencer red team tool used in attacks to bypass security ∗∗∗ --------------------------------------------- A tool for red-team operations called EDRSilencer has been observed in malicious incidents attempting to identify security tools and mute their alerts to management consoles. --------------------------------------------- https://www.bleepingcomputer.com/news/security/edrsilencer-red-team-tool-us… ∗∗∗ Mehrere Dienste betroffen: Microsoft warnt Kunden vor Datenverlust beim Logging ∗∗∗ --------------------------------------------- Durch einen Softwarefehler hat Microsoft einige für seine Kunden wichtige Protokolldaten verloren. Betroffen sind mehrere Clouddienste des Konzerns. --------------------------------------------- https://www.golem.de/news/mehrere-dienste-betroffen-microsoft-warnt-kunden-… ∗∗∗ New Linux Variant of FASTCash Malware Targets Payment Switches in ATM Heists ∗∗∗ --------------------------------------------- The malware is "installed on payment switches within compromised networks that handle card transactions for the means of facilitating the unauthorized withdrawal of cash from ATMs," a security researcher who goes by HaxRob said. --------------------------------------------- https://thehackernews.com/2024/10/new-linux-variant-of-fastcash-malware.html ∗∗∗ Windows 11 24H2: Probleme mit VPN-Verbindungen, Direct Access … ∗∗∗ --------------------------------------------- Seit Microsoft Windows 11 24H2 allgemein freigegeben hat, sind mir Meldungen zu Problemen rund um das Thema VPN-Verbindungen (CheckPoint VPN, WireGuard, Direct Access) untergekommen. Ich fasse mal einige dieser Meldungen in einem Beitrag zusammen, auch um ein Bild zu bekommen, ob es nur Einzelfälle sind oder ob mehr Leute betroffen sind. --------------------------------------------- https://www.borncity.com/blog/2024/10/15/windows-11-24h2-probleme-mit-vpn-v… ∗∗∗ Windows 11 24H2: Recall nicht deinstallierbar … ∗∗∗ --------------------------------------------- Trotz gegenteiliger Zusicherungen stellt sich momentan heraus, dass Microsofts umstrittene Funktion Recall sich nicht [ohne Kollateralschäden] unter Windows 11 24H2 deinstallieren lässt – das Ganze ist aktuell aber wohl noch im Fluss. --------------------------------------------- https://www.borncity.com/blog/2024/10/16/windows-11-24h2-recall-nicht-deins… ∗∗∗ Fake LockBit, Real Damage: Ransomware Samples Abuse AWS S3 to Steal Data ∗∗∗ --------------------------------------------- This article uncovers a Golang ransomware abusing AWS S3 for data theft, and masking as LockBit to further pressure victims. The discovery of hard-coded AWS credentials in these samples led to AWS account suspensions. --------------------------------------------- https://www.trendmicro.com/en_us/research/24/j/fake-lockbit-real-damage-ran… ∗∗∗ Comparing AI Against Traditional Static Analysis Tools to Highlight Buffer Overflows ∗∗∗ --------------------------------------------- The idea of this blog post is to use open-source software tools to analyze unknown binaries for buffer overflows. In particular we are focusing on using Ollama3 to access multiple large language models. Ollama is a platform designed to simplify the deployment and usage of LLMs on local machines.This enables private data to be held locally instead of being sent to a cloud for processing. --------------------------------------------- https://www.nccgroup.com/us/research-blog/comparing-ai-against-traditional-… ===================== = Vulnerabilities = ===================== ∗∗∗ Oracle Critical Patch Update Advisory - October 2024 ∗∗∗ --------------------------------------------- A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches address vulnerabilities in Oracle code and in third party components included in Oracle products. These patches are usually cumulative, but each advisory describes only the security patches added since the previous Critical Patch Update Advisory. --------------------------------------------- https://www.oracle.com/security-alerts/cpuoct2024.html ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (buildah, containernetworking-plugins, and skopeo), Fedora (pdns-recursor and valkey), Mageia (unbound), Red Hat (fence-agents, firefox, java-11-openjdk, python-setuptools, python3-setuptools, resource-agents, and thunderbird), SUSE (etcd-for-k8s, libsonivox3, rubygem-puma, and unbound), and Ubuntu (apr, libarchive, linux, linux-aws, linux-aws-hwe, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, nano, and vim). --------------------------------------------- https://lwn.net/Articles/994436/ ∗∗∗ HP-DesignJet-Drucker: Angreifer können SMTP-Server-Logins abgreifen ∗∗∗ --------------------------------------------- Wie aus einer Warnmeldung hervorgeht, ist die Schwachstelle (CVE-2024-5749) mit dem Bedrohungsgrad "hoch" eingestuft. Klappen Attacken, sind SMTP-Server-Zugangsdaten einsehbar. Wie so ein Angriff ablaufen könnte, führen die HP-Entwickler derzeit nicht aus. Konkret davon betroffen sind die DesignJet-Modelle T730 und T830. --------------------------------------------- https://heise.de/-9983364 ∗∗∗ Mozilla: Security Vulnerabilities fixed in Firefox for iOS 131.2 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2024-54/ ∗∗∗ Synology-SA-24:14 Synology Photos ∗∗∗ --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_24_14 ∗∗∗ Synology-SA-24:13 BeePhotos ∗∗∗ --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_24_13 ∗∗∗ Bosch: Unrestricted resource consumption in BVMS ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-162032-bt.html ∗∗∗ F5: K000141463: Multiple Angular JS vulnerabilities CVE-2019-10768, CVE-2023-26116, CVE-2023-26117, and CVE-2023-26118 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000141463 ∗∗∗ F5: K000141459: Angular JS vulnerabilities CVE-2019-14863 and CVE-2022-25869 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000141459 ∗∗∗ F5: K000141302: Quarterly Security Notification (October 2024) ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000141302 ∗∗∗ F5: K000140061: BIG-IP monitors vulnerability CVE-2024-45844 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000140061 ∗∗∗ F5: K000141080: BIG-IQ vulnerability CVE-2024-47139 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000141080 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.10.2024
by Daily end-of-shift report 15 Oct '24

15 Oct '24

===================== = End-of-Day report = ===================== Timeframe: Montag 14-10-2024 18:00 − Dienstag 15-10-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ TrickMo malware steals Android PINs using fake lock screen ∗∗∗ --------------------------------------------- Forty new variants of the TrickMo Android banking trojan have been identified in the wild, linked to 16 droppers and 22 distinct command and control (C2) infrastructures, with new features designed to steal Android PINs. --------------------------------------------- https://www.bleepingcomputer.com/news/security/trickmo-malware-steals-andro… ∗∗∗ New FIDO proposal lets you securely move passkeys across platforms ∗∗∗ --------------------------------------------- The Fast IDentity Online (FIDO) Alliance has published a working draft of a new specification that aims to enable the secure transfer of passkeys between different providers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-fido-proposal-lets-you-s… ∗∗∗ BEC-ware the phish (part 1). Investigating incidents in M365 ∗∗∗ --------------------------------------------- This blog post is the first of three, that look at the key steps for an effective investigation, response, and remediation to email-based threats in M365. Part two covers response actions as well as short- and long-term remediations to prevent attackers getting back in. Part three considers the native detection and prevention options in M365. --------------------------------------------- https://www.pentestpartners.com/security-blog/bec-ware-the-phish-part-1-inv… ∗∗∗ Vorsicht vor Anrufen vom „Bankbetrugssystem Österreich“ ∗∗∗ --------------------------------------------- Derzeit werden uns wieder vermehrt Tonbandanrufe gemeldet. Eine computergenerierte Stimme gibt sich als Bankbetrugssystem Österreich aus und behauptet, dass eine Zahlung von 1500 Euro abgelehnt wurde und Ihr Konto möglicherweise gehackt wurde. Sie werden aufgefordert, die Taste „1“ zu drücken, um mit einer echten Person verbunden zu werden. Legen Sie auf, das ist Betrug! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-anrufen-vom-bankbetrugs… ∗∗∗ New Telekopye Scam Toolkit Targeting Booking.com and Airbnb Users ∗∗∗ --------------------------------------------- ESET Research found the Telekopye scam network targeting Booking.com and Airbnb. Scammers use phishing pages via compromised accounts to steal personal and payment details from travelers. --------------------------------------------- https://hackread.com/telekopye-scam-toolkit-hit-booking-com-airbnb-users/ ∗∗∗ CISA Adds Three Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CVE-2024-30088 Microsoft Windows Kernel TOCTOU Race Condition Vulnerability, CVE-2024-9680 Mozilla Firefox Use-After-Free Vulnerability, CVE-2024-28987 SolarWinds Web Help Desk Hardcoded Credential Vulnerability --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/10/15/cisa-adds-three-known-ex… ∗∗∗ Fortinet FortiGate CVE-2024-23113 - A Super Complex Vulnerability In A Super Secure Appliance In 2024 ∗∗∗ --------------------------------------------- Today wed like to share a recent journey into (yet another) SSLVPN appliance vulnerability - a Format String vulnerability, unusually, in Fortinets FortiGate devices. It affected (before patching) all currently-maintained branches, and recently was highlighted by CISA as being exploited-in-the-wild. --------------------------------------------- https://labs.watchtowr.com/fortinet-fortigate-cve-2024-23113-a-super-comple… ===================== = Vulnerabilities = ===================== ∗∗∗ Splunk Security Advisories 2024-10-14 ∗∗∗ --------------------------------------------- Splunk released 12 security advisories: 4x high, 8x medium --------------------------------------------- https://advisory.splunk.com//advisories ∗∗∗ Kritische Schwachstellen in Industrieroutern mbNET ∗∗∗ --------------------------------------------- In industriellen Fernwartungsgateways und Industrieroutern mbNET wurden mehrere, teils schwerwiegende Sicherheitsschwachstellen identifiziert. Sie ermöglichen es, das Gerät vollständig zu kompromittieren sowie verschlüsselte Konfigurationen zu entschlüsseln. --------------------------------------------- https://www.syss.de/pentest-blog/kritische-schwachstellen-in-industrieroute… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (container-tools:rhel8, firefox, OpenIPMI, podman, and thunderbird), Debian (libapache-mod-jk, php7.4, and webkit2gtk), Fedora (edk2, koji, libgsf, rust-hyper-rustls, rust-reqwest, rust-rustls-native-certs, rust-rustls-native-certs0.7, rust-tonic, rust-tonic-build, rust-tonic-types, rust-tower, rust-tower-http, rust-tower-http0.5, and rust-tower0.4), Mageia (packages and thunderbird), Oracle (bind, container-tools:ol8, kernel, kernel-container, OpenIPMI, podman, and thunderbird), Red Hat (container-tools:rhel8, containernetworking-plugins, podman, and skopeo), SUSE (argocd-cli, bsdtar, keepalived, kernel, kyverno, libmozjs-115-0, libmozjs-128-0, libmozjs-78-0, OpenIPMI, opensc, php8, thunderbird, and xen), and Ubuntu (configobj, haproxy, imagemagick, nginx, and postgresql-10, postgresql-9.3). --------------------------------------------- https://lwn.net/Articles/994268/ ∗∗∗ WordPress plugin Jetpack fixes nearly decade-old critical security flaw ∗∗∗ --------------------------------------------- The popular WordPress plugin Jetpack has released a critical security update, addressing a vulnerability that could have affected 27 million websites. [..] The flaw, which is not believed to have been exploited, was found in the plugin’s contact form feature and had remained unpatched since 2016. This vulnerability could be exploited by any logged-in user on a site to read forms submitted by other users, according to Jetpack engineer Jeremy Herve. --------------------------------------------- https://therecord.media/wordpress-jetpack-plugin-fixes-flaw ∗∗∗ ZDI-24-1382: QEMU SCSI Use-After-Free Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-1382/ ∗∗∗ Zahlreiche Schwachstellen im Rittal IoT Interface & CMC III Processing Unit ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/zahlreiche-schwachste… ∗∗∗ GitHub Enterprise Server (GHES) Security Update Advisory (CVE-2024-9487) ∗∗∗ --------------------------------------------- https://asec.ahnlab.com/en/83868/ ∗∗∗ Kubernetes: CVE-2024-9594 ∗∗∗ --------------------------------------------- https://github.com/kubernetes/kubernetes/issues/128007 ∗∗∗ Kubernetes: CVE-2024-9486 ∗∗∗ --------------------------------------------- https://github.com/kubernetes/kubernetes/issues/128006 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.10.2024
by Daily end-of-shift report 14 Oct '24

14 Oct '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 11-10-2024 18:00 − Montag 14-10-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Microsoft deprecates PPTP and L2TP VPN protocols in Windows Server ∗∗∗ --------------------------------------------- Microsoft has officially deprecated the Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP) in future versions of Windows Server, recommending admins switch to different protocols that offer increased security. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-deprecates-pptp-a… ∗∗∗ Google warns uBlock Origin and other extensions may be disabled soon ∗∗∗ --------------------------------------------- Googles Chrome Web Store is now warning that the uBlock Origin ad blocker and other extensions may soon be blocked as part of the companys deprecation of the Manifest V2 extension specification. --------------------------------------------- https://www.bleepingcomputer.com/news/google/google-warns-ublock-origin-and… ∗∗∗ Microsoft’s guidance to help mitigate Kerberoasting ∗∗∗ --------------------------------------------- Kerberoasting, a well-known Active Directory (AD) attack vector, enables threat actors to steal credentials and navigate through devices and networks. Microsoft is sharing recommended actions administrators can take now to help prevent successful Kerberoasting cyberattacks. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2024/10/11/microsofts-guidanc… ∗∗∗ Nation-State Attackers Exploiting Ivanti CSA Flaws for Network Infiltration ∗∗∗ --------------------------------------------- A suspected nation-state adversary has been observed weaponizing three security flaws in Ivanti Cloud Service Appliance (CSA) a zero-day to perform a series of malicious actions. That's according to findings from Fortinet FortiGuard Labs, which said the vulnerabilities were abused to gain unauthenticated access to the CSA, enumerate users configured in the appliance, and attempt to access the credentials of those users. --------------------------------------------- https://thehackernews.com/2024/10/nation-state-attackers-exploiting.html ∗∗∗ Chatbot Traps: How to Avoid Job Scams ∗∗∗ --------------------------------------------- While the strategies outlined here can help you detect AI-powered scams, it is important to recognise that AI technology is advancing rapidly. Many current weaknesses—such as difficulties with complex questions or live conversations—may diminish as AI continues to improve. --------------------------------------------- https://connect.geant.org/2024/10/14/chatbot-traps-how-to-avoid-job-scams ∗∗∗ Casio says ransomware attack exposed info of employees, customers and business partners ∗∗∗ --------------------------------------------- Japanese electronics manufacturer Casio confirmed on Friday that a cyber incident announced earlier this week was a ransomware attack that potentially exposed the information of employees, customers, business partners and affiliates. --------------------------------------------- https://therecord.media/casio-ransomware-attack-exposed-emplyee-customer-da… ∗∗∗ Achtung: Neue textbasierte QR-Code-Phishing-Varianten ∗∗∗ --------------------------------------------- Sicherheitsforscher von Barracuda sind auf eine neue Variante zur Gestaltung von Phishing-Nachrichten gestoßen. Diese verwenden QR-Codes aus textbasierten ASCII/Unicode-Zeichen, statt wie üblich aus statischen Bildern erstellt zu werden, um herkömmliche Sicherheitsmaßnahmen zu umgehen. --------------------------------------------- https://www.borncity.com/blog/2024/10/13/achtung-neue-textbasierte-qr-code-… ∗∗∗ Sicherheitslücke in Ecovacs-Saugrobotern erlaubt Remote-Steuerung durch Hacker ∗∗∗ --------------------------------------------- In den USA häufen sich Fälle, in denen gehackte Saugroboter offenbar fremdgesteuert Beleidigungen zurufen und Bilder über die interne Kamera übertragen. --------------------------------------------- https://heise.de/-9979104 ===================== = Vulnerabilities = ===================== ∗∗∗ Notfall-Update: Tor-Nutzer über kritische Firefox-Lücke attackiert ∗∗∗ --------------------------------------------- Eine kritische Firefox-Schwachstelle betrifft auch den Tor-Browser und Thunderbird. Patches stehen bereit, kommen für einige Tor-Nutzer aber zu spät. --------------------------------------------- https://www.golem.de/news/notfall-update-tor-nutzer-ueber-kritische-firefox… ∗∗∗ Moxa: Missing Authentication and OS Command Injection Vulnerabilities in Cellular Routers, Secure Routers, and Network Security Appliances ∗∗∗ --------------------------------------------- The first vulnerability, CVE-2024-9137, allows attackers to manipulate device configurations without authentication. The second vulnerability, CVE-2024-9139, permits OS command injection through improperly restricted commands, potentially enabling attackers to execute arbitrary codes. --------------------------------------------- https://www.moxa.com/en/support/product-support/security-advisory/mpsa-2411… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (docker.io, libreoffice, node-dompurify, python-reportlab, and thunderbird), Fedora (buildah, chromium, kernel, kernel-headers, libgsf, mosquitto, p7zip, podman, python-cramjam, python-virtualenv, redis, rust-async-compression, rust-brotli, rust-brotli-decompressor, rust-libcramjam, rust-libcramjam0.2, rust-nu-command, rust-nu-protocol, rust-redlib, rust-tower-http, thunderbird, and webkit2gtk4.0), Oracle (.NET 6.0, .NET 8.0, e2fsprogs, firefox, golang, openssl, python3-setuptools, systemd, and thunderbird), SUSE (chromium, firefox, java-jwt, libmozjs-128-0, libwireshark18, ntpd-rs, OpenIPMI, thunderbird, and wireshark), and Ubuntu (firefox, python2.7, python3.5, thunderbird, and ubuntu-advantage-desktop-daemon). --------------------------------------------- https://lwn.net/Articles/994080/ ∗∗∗ Sicherheitsupdate: Angreifer können Netzwerkanalysetool Wireshark crashen lassen ∗∗∗ --------------------------------------------- Wireshark ist in einer gegen mögliche Angriffe abgesicherten Version erschienen. Darin haben die Entwickler auch mehrere Bugs gefixt. --------------------------------------------- https://heise.de/-9979991 ∗∗∗ ZDI-24-1374: IrfanView SID File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-1374/ ∗∗∗ ZDI-24-1369: Zimbra GraphQL Cross-Site Request Forgery Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-1369/ ∗∗∗ Security Vulnerability fixed in Firefox 131.0.3 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2024-53/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.10.2024
by Daily end-of-shift report 11 Oct '24

11 Oct '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 10-10-2024 18:00 − Freitag 11-10-2024 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Akira and Fog ransomware now exploit critical Veeam RCE flaw ∗∗∗ --------------------------------------------- Ransomware gangs now exploit a critical security vulnerability that lets attackers gain remote code execution (RCE) on vulnerable Veeam Backup & Replication (VBR) servers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/akira-and-fog-ransomware-now… ∗∗∗ Digitaler Krieg: Russische Hacker sollen Zimbra- und Teamcity-Exploits nutzen ∗∗∗ --------------------------------------------- Staatliche russische Hacker nähmen Zimbra- und Jetbrains Teamcity-Installationen westlicher Unternehmen aufs Korn, warnen die USA und Großbritannien. --------------------------------------------- https://www.golem.de/news/digitaler-krieg-russische-hacker-sollen-zimbra-un… ∗∗∗ Bohemia and Cannabia Dark Web Markets Taken Down After Joint Police Operation ∗∗∗ --------------------------------------------- The Dutch police have announced the takedown of Bohemia and Cannabia, which has been described as the worlds largest and longest-running dark web market for illegal goods, drugs, and cybercrime services.The takedown is the result of a collaborative investigation with Ireland, the United Kingdom, and the United States that began towards the end of 2022, the Politie said. --------------------------------------------- https://thehackernews.com/2024/10/bohemia-and-cannabia-dark-web-markets.html ∗∗∗ Perfecting Ransomware on AWS — Using keys to the kingdom to change the locks ∗∗∗ --------------------------------------------- If someone asked me what was the best way to make money from a compromised AWS Account (assume root access even) — I would have answered “dump the data and hope that no-one notices you before you finish it up.” This answer would have been valid until ~8 months ago when I stumbled upon a lesser known feature of AWS KMS which allows an attacker to do devastating ransomware attacks on a compromised AWS account. --------------------------------------------- https://medium.com/@harsh8v/redefining-ransomware-attacks-on-aws-using-aws-… ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (September 30, 2024 to October 6, 2024) ∗∗∗ --------------------------------------------- Last week, there were 161 vulnerabilities disclosed in 147 WordPress Plugins and 5 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database --------------------------------------------- https://www.wordfence.com/blog/2024/10/wordfence-intelligence-weekly-wordpr… ∗∗∗ Lynx Ransomware: A Rebranding of INC Ransomware ∗∗∗ --------------------------------------------- Lynx ransomware shares a significant portion of its source code with INC ransomware. INC ransomware initially surfaced in August 2023 and had variants compatible with both Windows and Linux. While we haven't confirmed any Linux samples yet for Lynx ransomware, we have noted Windows samples. This ransomware operates using a ransomware-as-a-service (RaaS) model. --------------------------------------------- https://unit42.paloaltonetworks.com/inc-ransomware-rebrand-to-lynx/ ∗∗∗ Octo2 Malware Uses Fake NordVPN, Chrome Apps to Infect Android Devices ∗∗∗ --------------------------------------------- Octo2 malware is targeting Android devices by disguising itself as popular apps like NordVPN and Google Chrome. --------------------------------------------- https://hackread.com/octo2-malware-fake-nordvpn-chrome-apps-android-device/ ∗∗∗ Best Practices to Configure BIG-IP LTM Systems to Encrypt HTTP Persistence Cookies ∗∗∗ --------------------------------------------- CISA has observed cyber threat actors leveraging unencrypted persistent cookies managed by the F5 BIG-IP Local Traffic Manager (LTM) module to enumerate other non-internet facing devices on the network. [..] CISA urges organizations to encrypt persistent cookies employed in F5 BIG-IP devices and review the following article for details on how to configure the BIG-IP LTM system to encrypt HTTP cookies. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/10/10/best-practices-configure… ∗∗∗ EU-Rat bringt Cyber Resilience Act auf den Weg ∗∗∗ --------------------------------------------- Künftig müssen vernetzte Produkte, die in der EU in Verkehr gebracht werden, gegen Angriffe gesichert sein und das mit dem CE-Zeichen signalisieren. --------------------------------------------- https://heise.de/-9977103 ===================== = Vulnerabilities = ===================== ∗∗∗ New Critical GitLab Vulnerability Could Allow Arbitrary CI/CD Pipeline Execution ∗∗∗ --------------------------------------------- GitLab has released security updates for Community Edition (CE) and Enterprise Edition (EE) to address eight security flaws, including a critical bug that could allow running Continuous Integration and Continuous Delivery (CI/CD) pipelines on arbitrary branches. --------------------------------------------- https://thehackernews.com/2024/10/new-critical-gitlab-vulnerability-could.h… ∗∗∗ Priviledged admin able to view device summary for device in different [FortiManager] ADOM ∗∗∗ --------------------------------------------- An exposure of sensitive information to an unauthorized actor vulnerability [CWE-200] in FortiManager Administrative Domain (ADOM) may allow a remote authenticated attacker assigned to an ADOM to access device summary of other ADOMs via crafted HTTP requests. --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-23-472 ∗∗∗ Aw, Sugar. Critical Vulnerabilities in SugarWOD ∗∗∗ --------------------------------------------- It is possible to: * Enumerate 2 million users, names, profile pics, birthday, height, weight, and email addresses * Extract all Gyms join passwords [..] * Bypass user-chosen privacy settings --------------------------------------------- https://www.n00py.io/2024/10/critical-vulnerabilities-in-sugarwod/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (.NET 6.0, .NET 8.0, and openssl), Debian (firefox-esr), Fedora (firefox), Mageia (php, quictls, and vim), Red Hat (buildah, container-tools:rhel8, containernetworking-plugins, firefox, podman, skopeo, and tomcat), Slackware (mozilla), SUSE (apache-commons-io, kernel, and xen), and Ubuntu (golang-1.17, libgsf, and linux-aws-6.8, linux-oracle-6.8). --------------------------------------------- https://lwn.net/Articles/993778/ ∗∗∗ Security Vulnerability fixed in Thunderbird 131.0.1, Thunderbird 128.3.1, Thunderbird 115.16.0 ∗∗∗ --------------------------------------------- * CVE-2024-9680: Use-after-free in Animation timeline --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2024-52/ ∗∗∗ Livewire Security Update Advisory (CVE-2024-47823) ∗∗∗ --------------------------------------------- The extension of a loaded file is guessed based on its MIME type, which could allow an attacker to conduct a remote code execution (RCE) attack by uploading a “.php” file with a valid MIME type. --------------------------------------------- https://asec.ahnlab.com/en/83775/ ∗∗∗ Apache Software Security Update Advisory (CVE-2024-45720, CVE-2024-47561) ∗∗∗ --------------------------------------------- * CVE-2024-45720: Subversion versions: ~ 1.14.3 (inclusive) (Windows) * CVE-2024-47561: Apache Avro Java SDK versions: ~ 1.11.4 (excluded) --------------------------------------------- https://asec.ahnlab.com/en/83776/ ∗∗∗ Anonymisierendes Linux: Tails 6.8.1 schließt kritische Sicherheitslücke ∗∗∗ --------------------------------------------- Das zum anonymen Surfen gedachte Tails-Linux schließt in Version 6.8.1 eine Sicherheitslücke. Es verbessert zudem den Umgang mit persistentem Speicher. --------------------------------------------- https://heise.de/-9977905 ∗∗∗ baserCMS plugin "BurgerEditor" vulnerable to directory listing ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN54676967/ ∗∗∗ ABB Cylon Aspect 3.07.02 (sshUpdate.php) Unauthenticated Remote SSH Service Control ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5838.php -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.10.2024
by Daily end-of-shift report 10 Oct '24

10 Oct '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 09-10-2024 18:00 − Donnerstag 10-10-2024 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Firefox Zero-Day Under Attack: Update Your Browser Immediately ∗∗∗ --------------------------------------------- Mozilla has revealed that a critical security flaw impacting Firefox and Firefox Extended Support Release (ESR) has come under active exploitation in the wild.The vulnerability, tracked as CVE-2024-9680, has been described as a use-after-free bug in the Animation timeline component. --------------------------------------------- https://thehackernews.com/2024/10/mozilla-warns-of-active-exploitation-in.h… ∗∗∗ CISA says critical Fortinet RCE flaw now exploited in attacks ∗∗∗ --------------------------------------------- Today, CISA revealed that attackers actively exploit a critical FortiOS remote code execution (RCE) vulnerability in the wild. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cisa-says-critical-fortinet-… ∗∗∗ Benutzt hier jemand ein Smartphone mit Qualcomm-SOC? ∗∗∗ --------------------------------------------- Für viele Android-Geräte da draußen ist die Antwort: Ja.The zero-day vulnerability, officially designated CVE-2024-43047, “may be under limited, targeted exploitation,” according to Qualcomm, citing unspecified “indications” from Google’s Threat Analysis Group, the company’s research unit that investigates government hacking threats. --------------------------------------------- http://blog.fefe.de/?ts=99f9d232 ∗∗∗ Magenta ID wurde deaktiviert: Vorsicht vor täuschend echter Phishing-Mail ∗∗∗ --------------------------------------------- Ein sehr gut gefälschtes Magenta-Mail ist gerade in Österreich in Umlauf. Wer genau hinsieht, kann es entlarven. --------------------------------------------- https://futurezone.at/digital-life/magenta-id-wurde-deaktiviert-mail-phishi… ∗∗∗ Malware by the (Bit)Bucket: Unveiling AsyncRAT ∗∗∗ --------------------------------------------- Recently, we uncovered a sophisticated attack campaign employing a multi-stage approach to deliver AsyncRAT via a legitimate platform called Bitbucket. --------------------------------------------- https://www.gdatasoftware.com/blog/2024/10/38043-asyncrat-bitbucket ∗∗∗ File hosting services misused for identity phishing ∗∗∗ --------------------------------------------- Since mid-April 2024, Microsoft has observed an increase in defense evasion tactics used in campaigns abusing file hosting services like SharePoint, OneDrive, and Dropbox. These campaigns use sophisticated techniques to perform social engineering, evade detection, and compromise identities, and include business email compromise (BEC) attacks. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2024/10/08/file-hosting-servi… ∗∗∗ Technical Analysis of DarkVision RAT ∗∗∗ --------------------------------------------- IntroductionDarkVision RAT is a highly customizable remote access trojan (RAT) that first surfaced in 2020, offered on Hack Forums and their website for as little as $60. Written in C/C++, and assembly, DarkVision RAT has gained popularity due to its affordability and extensive feature set, making it accessible even to low-skilled cybercriminals. The RAT’s capabilities include keylogging, taking screenshots, file manipulation, process injection, remote code execution, and password theft. --------------------------------------------- https://www.zscaler.com/blogs/security-research/technical-analysis-darkvisi… ∗∗∗ Ransom & Dark Web Issues Week 2, October 2024 ∗∗∗ --------------------------------------------- * New Target of KillSec Ransomware Attack: South Korean Commercial Property Content Provider * Dark Web Market Bohemia/Cannabia Shut Down by Law Enforcement, Two Administrators Arrested * New Ransomware Gang Sarcoma: Conducted Attacks on a Total of 30 Companies --------------------------------------------- https://asec.ahnlab.com/en/83739/ ∗∗∗ Internet Archive unter Beschuss: Über 30 Millionen Nutzerdaten gestohlen ∗∗∗ --------------------------------------------- Bislang Unbekannte vergriffen sich mehrfach am Internet Archive. Bereits im September wurden Nutzerdaten und Passwort-Hashes abgezogen. --------------------------------------------- https://heise.de/-9975986 ===================== = Vulnerabilities = ===================== ∗∗∗ GitLab warns of critical arbitrary branch pipeline execution flaw ∗∗∗ --------------------------------------------- GitLab has released security updates to address multiple flaws in Community Edition (CE) and Enterprise Edition (EE), including a critical arbitrary branch pipeline execution flaw. --------------------------------------------- https://www.bleepingcomputer.com/news/security/gitlab-warns-of-critical-arb… ∗∗∗ Experts Warn of Critical Unpatched Vulnerability in Linear eMerge E3 Systems ∗∗∗ --------------------------------------------- Cybersecurity security researchers are warning about an unpatched vulnerability in Nice Linear eMerge E3 access controller systems that could allow for the execution of arbitrary operating system (OS) commands.The flaw, assigned the CVE identifier CVE-2024-9441, carries a CVSS score of 9.8 out of a maximum of 10.0, according to VulnCheck. --------------------------------------------- https://thehackernews.com/2024/10/experts-warn-of-critical-unpatched.html ∗∗∗ wkhtmltopdf - Highly critical - Unsupported - SA-CONTRIB-2024-049 ∗∗∗ --------------------------------------------- Project: wkhtmltopdfDate: 2024-October-09Security risk: Highly critical 23 ∕ 25 AC:None/A:None/CI:All/II:All/E:Proof/TD:AllVulnerability: UnsupportedAffected versions: *Description: The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466#procedure---own-project---unsupportedSol…: If you use this project, --------------------------------------------- https://www.drupal.org/sa-contrib-2024-049 ∗∗∗ Facets - Critical - Cross Site Scripting - SA-CONTRIB-2024-047 ∗∗∗ --------------------------------------------- Project: FacetsDate: 2024-October-09Security risk: Critical 15 ∕ 25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross Site ScriptingAffected versions: Description: This module enables you to to easily create and manage faceted search interfaces.The module doesnt sufficiently filter for malicious script leading to a reflected cross site scripting (XSS) vulnerability.Solution: Install the latest version:If you use the Facets module, upgrade to Facets --------------------------------------------- https://www.drupal.org/sa-contrib-2024-047 ∗∗∗ Block permissions - Moderately critical - Access bypass - SA-CONTRIB-2024-046 ∗∗∗ --------------------------------------------- Project: Block permissionsDate: 2024-October-09Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:AllVulnerability: Access bypassAffected versions: >=1.0.0 Description: This module enables you to manage blocks from specific modules in the specific themes.The module doesnt sufficiently check permissions under the scenario when a block is added using the form "/admin/structure/block/add/{plugin_id}/{theme}" (route --------------------------------------------- https://www.drupal.org/sa-contrib-2024-046 ∗∗∗ Monster Menus - Moderately critical - Access bypass, Information Disclosure - SA-CONTRIB-2024-045 ∗∗∗ --------------------------------------------- Project: Monster MenusDate: 2024-October-09Security risk: Moderately critical 13 ∕ 25 AC:None/A:None/CI:Some/II:None/E:Theoretical/TD:UncommonVulnerability: Access bypass, Information DisclosureAffected versions: Description: This module enables you to group nodes within pages that have a highly-granular, distributed permissions structure.A function which can be used by third-party code does not return valid data under certain rare circumstances. If the third-party code relies on this --------------------------------------------- https://www.drupal.org/sa-contrib-2024-045 ∗∗∗ Gutenberg - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2024-048 ∗∗∗ --------------------------------------------- Project: GutenbergDate: 2024-October-09Security risk: Moderately critical 12 ∕ 25 AC:Basic/A:None/CI:None/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross Site Request ForgeryAffected versions: =3.0.0 Description: This module provides a new UI experience for node editing using the Gutenberg Editor library.The module did not sufficiently protect some routes against a Cross Site Request Forgery attack.This vulnerability is mitigated by the fact that the tricked user needs to have an --------------------------------------------- https://www.drupal.org/sa-contrib-2024-048 ∗∗∗ VMSA-2024-0020:VMware NSX updates address multiple vulnerabilities (CVE-2024-38818, CVE-2024-38817, CVE-2024-38815) ∗∗∗ --------------------------------------------- Multiple vulnerabilities in VMware NSX were responsibly reported to VMware. Updates are available to remediate these vulnerabilities in the affected VMware products. --------------------------------------------- https://support.broadcom.com/web/ecx/support-=content-notification/-/extern… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium), Fedora (firefox, koji, unbound, webkit2gtk4.0, and xen), Red Hat (glibc, net-snmp, and tomcat), Slackware (mozilla), SUSE (apache-commons-io, buildah, cups-filters, liboath-devel, libreoffice, libunbound8, podman, and redis), and Ubuntu (cups-browsed, cups-filters, edk2, linux-raspi-5.4, and oath-toolkit). --------------------------------------------- https://lwn.net/Articles/993595/ ∗∗∗ Redis Vulnerability Security Update Advisory (CVE-2024-31449) ∗∗∗ --------------------------------------------- An update has been released to address vulnerabilities in Redis. Users of the affected versions are advised to update to the latest version. --------------------------------------------- https://asec.ahnlab.com/en/83704/ ∗∗∗ Ivanti Product Security Update Advisory ∗∗∗ --------------------------------------------- * CVE-2024-9380, CVE-2024-9381: Ivanti Cloud Services Appliance (CSA) versions: ~ 5.0.1 (inclusive) * CVE-2024-7612: Ivanti EPMM (Core) versions: ~ 12.1.0.3 (inclusive) * CVE-2024-9167: Velocity License Server versions: 5.1 (inclusive) ~ 5.1.2 (inclusive) --------------------------------------------- https://asec.ahnlab.com/en/83706/ ∗∗∗ Adobe Family October 2024 Routine Security Update Advisory ∗∗∗ --------------------------------------------- Adobe has released a security update that addresses a vulnerability in its supplied products. Users of affected systems are advised to update to the latest version. --------------------------------------------- https://asec.ahnlab.com/en/83710/ ∗∗∗ SAP Product Security Update Advisory ∗∗∗ --------------------------------------------- * CVE-2024-37179: SAP BusinessObjects Business Intelligence Platform, ENTERPRISE 420, 430, 2025, Enterprise clienttools 420 * CVE-2024-41730: SAP BusinessObjects Business Intelligence Platform, ENTERPRISE 430, 440 * CVE-2024-39592: SAP PDCE, S4CORE 102, S4CORE 103, S4COREOP 104, S4COREOP 105, S4COREOP 106, S4COREOP 107, S4COREOP 108 --------------------------------------------- https://asec.ahnlab.com/en/83736/ ∗∗∗ SonicWall SSL-VPN SMA1000 and Connect Tunnel Windows Client Affected By Multiple Vulnerabilities ∗∗∗ --------------------------------------------- 1) CVE-2024-45315 - SonicWALL SMA1000 Connect Tunnel Windows Client Link Following Denial-of-Service Vulnerability 2) CVE-2024-45316 - SonicWALL SMA1000 Connect Tunnel Windows Client Link Following Local Privilege Escalation Vulnerability 3) CVE-2024-45317 - Unauthenticated SMA1000 12.4.x Server-Side Request Forgery (SSRF) Vulnerability --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0017 ∗∗∗ CISA Releases Twenty-One Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- * ICSA-24-284-01 Siemens SIMATIC S7-1500 and S7-1200 CPUs * ICSA-24-284-02 Siemens Simcenter Nastran * ICSA-24-284-03 Siemens Teamcenter Visualization and JT2Go * ICSA-24-284-04 Siemens SENTRON PAC3200 Devices * ICSA-24-284-05 Siemens Questa and ModelSim * ICSA-24-284-06 Siemens SINEC Security Monitor * ICSA-24-284-07 Siemens JT2Go * ICSA-24-284-08 Siemens HiMed Cockpit * ICSA-24-284-09 Siemens PSS SINCAL * ICSA-24-284-10 Siemens SIMATIC S7-1500 CPUs * ICSA-24-284-11 Siemens RUGGEDCOM APE1808 * ICSA-24-284-12 Siemens Sentron Powercenter 1000 * ICSA-24-284-13 Siemens Tecnomatix Plant Simulation * ICSA-24-284-14 Schneider Electric Zelio Soft 2 * ICSA-24-284-15 Rockwell Automation DataMosaix Private Cloud * ICSA-24-284-16 Rockwell Automation DataMosaix Private Cloud * ICSA-24-284-17 Rockwell Automation Verve Asset Manager * ICSA-24-284-18 Rockwell Automation Logix Controllers * ICSA-24-284-19 Rockwell Automation PowerFlex 6000T * ICSA-24-284-20 Rockwell Automation ControlLogix * ICSA-24-284-21 Delta Electronics CNCSoft-G2 --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/10/10/cisa-releases-twenty-one… ∗∗∗ Synacor Zimbra Collaboration Command Execution Vulnerability ∗∗∗ --------------------------------------------- Threat Actors are exploiting a recently fixed RCE vulnerability in Zimbra email servers, which can be exploited just by sending specially crafted emails to the SMTP server. --------------------------------------------- https://fortiguard.fortinet.com/outbreak-alert/zimbra-collaboration-rce ∗∗∗ Gutenberg - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2024-048 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2024-048 ∗∗∗ 2024-10-10: Cyber Security Advisory - ABB IRC5 RobotWare – PROFINET Stack Vulnerability ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=SI20337&LanguageCod… ∗∗∗ 2024-10 Security Bulletin: Junos OS and Junos OS Evolved: BGP update message containing aggregator attribute with an ASN value of zero (0) is accepted (CVE-2024-47507) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS: SRX Series: A large amount of traffic being processed by ATP Cloud can lead to a PFE crash (CVE-2024-47506) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS Evolved: Specific low privileged CLI commands and SNMP GET requests can trigger a resource leak ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS: Multiple vulnerabilities in OSS component nginx resolved ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS: SRX5000 Series: Receipt of a specific malformed packet will cause a flowd crash (CVE-2024-47504) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS: SRX4600 and SRX5000 Series: Sequence of specific PIM packets causes a flowd crash (CVE-2024-47503) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS Evolved: TCP session state is not always cleared on the Routing Engine (CVE-2024-47502) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS: MX304, MX with MPC10/11/LC9600, and EX9200 with EX9200-15C: In a VPLS or Junos Fusion scenario specific show commands cause an FPC crash (CVE-2024-47501) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS and Junos OS Evolved: In a BMP scenario receipt of a malformed AS PATH attribute can cause an RPD core (CVE-2024-47499) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS Evolved: QFX5000 Series: Configured MAC learning and move limits are not in effect (CVE-2024-47498) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS: SRX Series, QFX Series, MX Series and EX Series: Receiving specific HTTPS traffic causes resource exhaustion (CVE-2024-47497) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS: MX Series: The PFE will crash on running specific command (CVE-2024-47496) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS Evolved: In a dual-RE scenario a locally authenticated attacker with shell privileges can take over the device (CVE-2024-47495) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS: Due to a race condition AgentD process causes a memory corruption and FPC reset (CVE-2024-47494) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS: J-Web: Multiple vulnerabilities resolved in PHP software. ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS: SRX5K, SRX4600 and MX Series: Trio-based FPCs: Continuous physical interface flaps causes local FPC to crash (CVE-2024-47493) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS and Junos OS Evolved: Receipt of a specific malformed BGP path attribute leads to an RPD crash (CVE-2024-47491) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS Evolved: ACX 7000 Series: Receipt of specific transit MPLS packets causes resources to be exhausted (CVE-2024-47490) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS Evolved: Multiple vulnerabilities resolved in c-ares 1.18.1 ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS Evolved: ACX Series: Receipt of specific transit protocol packets is incorrectly processed by the RE (CVE-2024-47489) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos Space: Remote Command Execution (RCE) vulnerability in web application (CVE-2024-39563) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS and Junos OS Evolved: cRPD: Receipt of crafted TCP traffic can trigger high CPU utilization (CVE-2024-39547) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS: Multiple vulnerabilities resolved in OpenSSL ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS Evolved: Low privileged local user able to view NETCONF traceoptions files (CVE-2024-39544) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS Evolved: Connections to the network and broadcast address accepted (CVE-2024-39534) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS: SRX Series: Low privileged user able to access sensitive information on file system (CVE-2024-39527) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS and Junos OS Evolved: MX Series with MPC10/MPC11/LC9600, MX304, EX9200, PTX Series: Receipt of malformed DHCP packets causes interfaces to stop processing packets (CVE-2024-39526) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS and Junos OS Evolved: When BGP nexthop traceoptions is enabled, receipt of specially crafted BGP packet causes RPD crash (CVE-2024-39525) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS and Junos OS Evolved: Junos OS and Junos OS Evolved: Receipt of a specifically malformed BGP packet causes RPD crash when segment routing is enabled (CVE-2024-39516) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS and Junos OS Evolved: With BGP traceoptions enabled, receipt of specially crafted BGP update causes RPD crash (CVE-2024-39515) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos Space: OS command injection vulnerability in OpenSSH (CVE-2023-51385) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS and Junos OS Evolved: With BGP traceoptions enabled, receipt of specifically malformed BGP update causes RPD crash (CVE-2024-39516) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS and Junos OS Evolved: In a BMP scenario receipt of a malformed AS PATH attribute can cause an RPD core (CVE-2024-47499) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ 2024-10 Security Bulletin: Junos OS and Junos OS Evolved: When BGP traceoptions is enabled, receipt of specially crafted BGP packet causes RPD crash (CVE-2024-39525) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-10-Security-Bulletin-Junos… ∗∗∗ SSA-438590 V1.0: Buffer Overflow Vulnerability in Siveillance Video Camera Drivers ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-438590.html ∗∗∗ CVE-2024-9469 Cortex XDR Agent: Local Windows User Can Disable the Agent (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2024-9469 ∗∗∗ CVE-2024-9471 PAN-OS: Privilege Escalation (PE) Vulnerability in XML API (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2024-9471 ∗∗∗ CVE-2024-9468 PAN-OS: Firewall Denial of Service (DoS) via a Maliciously Crafted Packet (Severity: HIGH) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2024-9468 ∗∗∗ PAN-SA-2024-0010 Expedition: Multiple Vulnerabilities Lead to Firewall Admin Account Takeover (Severity: CRITICAL) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/PAN-SA-2024-0010 ∗∗∗ CVE-2024-9473 GlobalProtect App: Local Privilege Escalation (PE) Vulnerability (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2024-9473 ∗∗∗ PAN-SA-2024-0011 Chromium: Monthly Vulnerability Updates (Severity: HIGH) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/PAN-SA-2024-0011 ∗∗∗ CVE-2024-9470 Cortex XSOAR: Information Disclosure Vulnerability (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2024-9470 ∗∗∗ PAN-SA-2024-0010 Expedition: Multiple Vulnerabilities in Expedition Lead to Exposure of Firewall Credentials (Severity: CRITICAL) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/PAN-SA-2024-0010 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.10.2024
by Daily end-of-shift report 09 Oct '24

09 Oct '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 08-10-2024 18:00 − Mittwoch 09-10-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Two never-before-seen tools, from same group, infect air-gapped devices ∗∗∗ --------------------------------------------- Its hard enough creating one air-gap-jumping tool. GoldenJackal did it 2x in 5 years. --------------------------------------------- https://arstechnica.com/security/2024/10/two-never-before-seen-tools-from-s… ∗∗∗ European govt air-gapped systems breached using custom malware ∗∗∗ --------------------------------------------- An APT hacking group known as GoldenJackal has successfully breached air-gapped government systems in Europe using two custom toolsets to steal sensitive data, like emails, encryption keys, images, archives, and documents. --------------------------------------------- https://www.bleepingcomputer.com/news/security/european-govt-air-gapped-sys… ∗∗∗ New scanner finds Linux, UNIX servers exposed to CUPS RCE attacks ∗∗∗ --------------------------------------------- An automated scanner has been released to help security professionals scan environments for devices vulnerable to the Common Unix Printing System (CUPS) RCE flaw tracked as CVE-2024-47176. --------------------------------------------- https://www.bleepingcomputer.com/news/software/new-scanner-finds-linux-unix… ∗∗∗ Sicherheitslücke: RDP-Server von Windows aus der Ferne angreifbar ∗∗∗ --------------------------------------------- Ein erfolgreicher Angriff erfordert zwar eine gewonnene Race Condition, dafür aber keinerlei Authentifizierung oder Nutzer-Interaktion. --------------------------------------------- https://www.golem.de/news/sicherheitsluecke-rdp-server-von-windows-aus-der-… ∗∗∗ Cisco warnt: Kinder erhöhen Cyberrisiko im Homeoffice ∗∗∗ --------------------------------------------- Laut Cisco erlauben rund zwei Drittel aller Eltern im Homeoffice ihren Kindern den Zugriff auf beruflich genutzte Geräte - häufig sogar unbeaufsichtigt. --------------------------------------------- https://www.golem.de/news/cisco-warnt-kinder-erhoehen-cyberrisiko-im-homeof… ∗∗∗ From Perfctl to InfoStealer ∗∗∗ --------------------------------------------- A few days ago, a new stealthy malware targeting Linux hosts made a lot of noise: perfctl[1]. The malware has been pretty well analyzed and I wont repeat what has been already disclosed. I found a .. --------------------------------------------- https://isc.sans.edu/diary/From+Perfctl+to+InfoStealer/31334 ∗∗∗ Ransomware gang Trinity joins pile of scumbags targeting healthcare ∗∗∗ --------------------------------------------- As if hospitals and clinics didnt have enough to worry about At least one US healthcare provider has been infected by Trinity, an emerging cybercrime gang with eponymous ransomware that uses double extortion and other "sophisticated" tactics that make it a "significant threat," according to the feds. --------------------------------------------- https://www.theregister.com/2024/10/09/trinity_ransomware_targets_healthcar… ∗∗∗ Patch Tuesday, October 2024 Edition ∗∗∗ --------------------------------------------- Microsoft today released security updates to fix at least 117 security holes in Windows computers and other software, including two vulnerabilities that are already seeing active attacks. Also, Adobe plugged 52 security holes .. --------------------------------------------- https://krebsonsecurity.com/2024/10/patch-tuesday-october-2024-edition/ ∗∗∗ How to handle vulnerability reports in aviation ∗∗∗ --------------------------------------------- TL;DR Always thank researchers for reporting vulnerabilities. Acknowledging their efforts can set the right tone. Lead all communications with researchers. Don’t let legal or PR teams take over. Provide .. --------------------------------------------- https://www.pentestpartners.com/security-blog/how-to-handle-vulnerability-r… ∗∗∗ So stehlen Kriminelle mit gefälschten FinanzOnline-Benachrichtigungen Ihre Bankomatkarte ∗∗∗ --------------------------------------------- Sie werden per SMS über eine Rückerstattung vom Finanzamt informiert und klicken auf den Link. Sie gelangen auf die Webseite des Finanzamts – zumindest sieht es so aus. Sie wählen Ihre Bank aus, um das Geld zu erhalten. Doch plötzlich kommt eine Fehlermeldung von Ihrer Bank. Sie erhalten eine neue Bankomatkarte und müssen die alte zerschneiden und .. --------------------------------------------- https://www.watchlist-internet.at/news/so-stehlen-kriminelle-kartenwechsel-… ∗∗∗ Contagious Interview: DPRK Threat Actors Lure Tech Industry Job Seekers to Install New Variants of BeaverTail and InvisibleFerret Malware ∗∗∗ --------------------------------------------- Discover how North Korean attackers, posing as recruiters, used an updated downloader and backdoor in a campaign targeting tech job seekers. --------------------------------------------- https://unit42.paloaltonetworks.com/north-korean-threat-actors-lure-tech-jo… ∗∗∗ Schwachstellen in Intels Sicherheitstechnologie TDX entdeckt ∗∗∗ --------------------------------------------- Wissenschaftler von der Universität zu Lübeck haben Schwachstellen in Intels Trusted Domain Extensions identifiziert. Intel hat eine Lücke bereits geschlossen. --------------------------------------------- https://heise.de/-9974224 ===================== = Vulnerabilities = ===================== ∗∗∗ Synology-SA-24:12 GitLab ∗∗∗ --------------------------------------------- A vulnerability allows remote attacker to bypass authentication via a susceptible version of GitLab. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_24_12 ∗∗∗ DSA-5729-2 apache2 - regression update ∗∗∗ --------------------------------------------- https://lists.debian.org/debian-security-announce/2024/msg00200.html ∗∗∗ Announcement: Drupal core issues with some risk levels may be treated as bugs in the public issue queue, not as private security issues - PSA-2023-07-12 ∗∗∗ --------------------------------------------- https://www.drupal.org/psa-2023-07-12 ∗∗∗ Local Privilege Escalation mittels MSI installer in Palo Alto Networks GlobalProtect ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/local-privilege-escal… ∗∗∗ October Security Update ∗∗∗ --------------------------------------------- https://www.ivanti.com/blog/october-2024-security-update -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.10.2024
by Daily end-of-shift report 08 Oct '24

08 Oct '24

===================== = End-of-Day report = ===================== Timeframe: Montag 07-10-2024 18:00 − Dienstag 08-10-2024 18:00 Handler: Alexander Riepl Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ ADT discloses second breach in 2 months, hacked via stolen credentials ∗∗∗ --------------------------------------------- Home and small business security company ADT disclosed it suffered a breach after threat actors gained access to its systems using stolen credentials and exfiltrated employee account data. --------------------------------------------- https://www.bleepingcomputer.com/news/security/adt-discloses-second-breach-… ∗∗∗ Casio reports IT systems failure after weekend network breach ∗∗∗ --------------------------------------------- Japanese tech giant Casio has suffered a cyberattack after an unauthorized actor accessed its networks on October 5, causing system disruption that impacted some of its services. --------------------------------------------- https://www.bleepingcomputer.com/news/security/casio-reports-it-systems-fai… ∗∗∗ New Gorilla Botnet Launches Over 300,000 DDoS Attacks Across 100 Countries ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered a new botnet malware family called Gorilla (aka GorillaBot) that draws its inspiration from the leaked Mirai botnet source code.Cybersecurity firm NSFOCUS, which identified the activity last month, said the botnet "issued over 300,000 attack commands, with a shocking attack density" between September 4 and September 27, 2024. --------------------------------------------- https://thehackernews.com/2024/10/new-gorilla-botnet-launches-over-300000.h… ∗∗∗ Feds reach for sliver of crypto-cash nicked by North Koreas notorious Lazarus Group ∗∗∗ --------------------------------------------- The US government is attempting to claw back more than $2.67 million stolen by North Koreas Lazarus Group, filing two lawsuits to force the forfeiture of millions in Tether and Bitcoin.… --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2024/10/08/us_lazarus_g… ∗∗∗ Shining Light on the Dark Angels Ransomware Group ∗∗∗ --------------------------------------------- The Dark Angels ransomware threat group launched attacks beginning in April 2022, and has since been quietly executing highly targeted attacks. Dark Angels operate with more stealthy and sophisticated strategies than many other ransomware groups. Instead of outsourcing breaches to third-party initial access brokers that target a wide range of victims, Dark Angels launch their own attacks that focus on a limited number of large companies. --------------------------------------------- https://www.zscaler.com/blogs/security-research/shining-light-dark-angels-r… ∗∗∗ 7,000 WordPress Sites Affected by Unauthenticated Critical Vulnerabilities in LatePoint WordPress Plugin ∗∗∗ --------------------------------------------- On September 17, 2024, our Wordfence Threat Intelligence team identified and began the responsible disclosure process for two critical vulnerabilities in the LatePoint plugin, which is estimated to be actively installed on more than 7,000 WordPress websites. --------------------------------------------- https://www.wordfence.com/blog/2024/10/7000-wordpress-sites-affected-by-una… ∗∗∗ Nitrogen Campaign Drops Sliver and Ends With BlackCat Ransomware ∗∗∗ --------------------------------------------- In November 2023, we identified a BlackCat ransomware intrusion started by Nitrogen malware hosted on a website impersonating Advanced IP Scanner. Nitrogen was leveraged to deploy Sliver and Cobalt Strike beacons on the beachhead host and perform further malicious actions. --------------------------------------------- https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-end… ∗∗∗ Ukrainian pleads guilty to running Raccoon Infostealer malware, agrees to pay nearly $1 million ∗∗∗ --------------------------------------------- A Ukrainian national pleaded guilty in U.S. federal court to running the Raccoon Infostealer malware, and agreed to pay victims more than $900,000 as part of the plea deal. --------------------------------------------- https://therecord.media/raccoon-stealer-operator-pleads-guilty ∗∗∗ TAG Bulletin: Q3 2024 ∗∗∗ --------------------------------------------- This bulletin includes coordinated influence operation campaigns terminated on our platforms in Q3 2024. It was last updated on October 7, 2024. --------------------------------------------- https://blog.google/threat-analysis-group/tag-bulletin-q3-2024/ ∗∗∗ Crypto-Stealing Code Lurking in Python Package Dependencies ∗∗∗ --------------------------------------------- On September 22nd, a new PyPI user orchestrated a wide-ranging attack by uploading multiple packages within a short timeframe. These packages, bearing names like “AtomicDecoderss,” “TrustDecoderss,” “WalletDecoderss,” and “ExodusDecodes,” masqueraded as legitimate tools for decoding and managing data from an array of popular cryptocurrency wallets. --------------------------------------------- https://checkmarx.com/blog/crypto-stealing-code-lurking-in-python-package-d… ∗∗∗ Okta Fixes Critical Vulnerability Allowing Sign-On Policy Bypass ∗∗∗ --------------------------------------------- Okta fixed a vulnerability in its Classic product that allowed attackers to bypass sign-on policies. Exploitation required valid credentials and the use of an “unknown” device. Affected users should review system logs. --------------------------------------------- https://hackread.com/okta-fixes-sign-on-policy-bypass-vulnerability/ ∗∗∗ Cyberattack on American Water Shuts Down Customer Portal, Halts Billing ∗∗∗ --------------------------------------------- American Water faces a cyberattack, disrupting its customer portal and billing operations. The company assures that water services remain unaffected while cybersecurity experts manage the incident. --------------------------------------------- https://hackread.com/american-water-cyberattack-shuts-down-portal-billing/ ∗∗∗ Storm-1575 Threat Actor Deploys New Login Panels for Phishing Infrastructure ∗∗∗ --------------------------------------------- The Storm-1575 group is known for frequently rebranding its phishing infrastructure. Recently, ANY.RUN analysts identified the deployment of new login panels, which are part of the threat actor’s ongoing efforts to compromise users’ Microsoft and Google accounts. --------------------------------------------- https://hackread.com/storm-1575-threat-actor-new-login-panels-phishing-infr… ∗∗∗ Lua Malware Targeting Student Gamers via Fake Game Cheats ∗∗∗ --------------------------------------------- Morphisec Threat Labs uncovers sophisticated Lua malware targeting student gamers and educational institutions. Learn how these attacks work and how to stay protected. --------------------------------------------- https://hackread.com/lua-malware-hit-student-gamers-fake-game-cheats/ ===================== = Vulnerabilities = ===================== ∗∗∗ Qualcomm patches high-severity zero-day exploited in attacks ∗∗∗ --------------------------------------------- Qualcomm has released security patches for a zero-day vulnerability in the Digital Signal Processor (DSP) service that impacts dozens of chipsets. --------------------------------------------- https://www.bleepingcomputer.com/news/security/qualcomm-patches-high-severi… ∗∗∗ TYPO3-CORE-SA-2024-012: Information Disclosure in TYPO3 Page Tree ∗∗∗ --------------------------------------------- It has been discovered that TYPO3 CMS is susceptible to information disclosure. --------------------------------------------- https://typo3.org/security/advisory/typo3-core-sa-2024-012 ∗∗∗ TYPO3-CORE-SA-2024-011: Denial of Service in TYPO3 Bookmark Toolbar ∗∗∗ --------------------------------------------- It has been discovered that TYPO3 CMS is susceptible to denial of service. --------------------------------------------- https://typo3.org/security/advisory/typo3-core-sa-2024-011 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (kernel), Fedora (webkitgtk), Mageia (cups), Oracle (e2fsprogs, kernel, and kernel-container), Red Hat (buildah, container-tools:rhel8, containernetworking-plugins, git-lfs, go-toolset:rhel8, golang, grafana-pcp, podman, and skopeo), SUSE (Mesa, mozjs115, podofo, and redis7), and Ubuntu (cups and cups-filters). --------------------------------------------- https://lwn.net/Articles/993276/ ∗∗∗ Kritische Sicherheitslücken in Draytek-Geräten erlauben Systemübernahme ∗∗∗ --------------------------------------------- Forscher fanden im Betriebssystem der Vigor-Router vierzehn neue Lücken, betroffen sind zwei Dutzend teilweise veraltete Typen. Patches stehen bereit. --------------------------------------------- https://heise.de/-9973906 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.10.2024
by Daily end-of-shift report 07 Oct '24

07 Oct '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 04-10-2024 18:00 − Montag 07-10-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Russia arrests US-sanctioned Cryptex founder, 95 other linked suspects ∗∗∗ --------------------------------------------- Russian law enforcement detained almost 100 suspects linked to the Cryptex cryptocurrency exchange, the UAPS anonymous payment service, and 33 other online services and platforms used to make illegal payments and sell stolen credentials. --------------------------------------------- https://www.bleepingcomputer.com/news/security/russia-arrests-us-sanctioned… ∗∗∗ MoneyGram: No evidence ransomware is behind recent cyberattack ∗∗∗ --------------------------------------------- MoneyGram says there is no evidence that ransomware is behind a recent cyberattack that led to a five-day outage in September. --------------------------------------------- https://www.bleepingcomputer.com/news/security/moneygram-no-evidence-ransom… ∗∗∗ Spielzeugmarke: Hack der Lego-Webseite zielt auf Kryptobetrug ab ∗∗∗ --------------------------------------------- Am 4. Oktober 2024 wurde die offizielle Website von Lego Opfer eines Hacks. Unbekannte bewarben eine Kryptowährung namens Lego-Coin. --------------------------------------------- https://www.golem.de/news/spielzeugmarke-hack-der-lego-webseite-zielt-auf-k… ∗∗∗ Nach US-Bann: Kaspersky fliegt weltweit aus dem Google Play Store ∗∗∗ --------------------------------------------- Kaspersky-Software ist seit Tagen nicht mehr im Play Store erhältlich. Ursache ist das US-Verbot des russischen Herstellers - mit globalen Auswirkungen. --------------------------------------------- https://www.golem.de/news/nach-us-bann-kaspersky-fliegt-weltweit-aus-dem-go… ∗∗∗ Awaken Likho is awake: new techniques of an APT group ∗∗∗ --------------------------------------------- Kaspersky experts have discovered a new version of the APT Awaken Likho RAT Trojan, which uses AutoIt scripts and the MeshCentral system to target Russian organizations. --------------------------------------------- https://securelist.com/awaken-likho-apt-new-implant-campaign/114101/ ∗∗∗ HUMINT and its Role within Cybersecurity ∗∗∗ --------------------------------------------- This blog explores HUMINTs role in cybersecurity, detailing its implementation, benefits, and potential risks. --------------------------------------------- https://www.sans.org/blog/humint-and-its-role-within-cybersecurity ∗∗∗ Largest Recorded DDoS Attack is 3.8 Tbps ∗∗∗ --------------------------------------------- Cloudflare just blocked the current record DDoS attack: 3.8 terabits per second. (Lots of good information on the attack, and DDoS in general, at the link.) --------------------------------------------- https://www.schneier.com/blog/archives/2024/10/largest-recorded-ddos-attack… ∗∗∗ Critical Apache Avro SDK Flaw Allows Remote Code Execution in Java Applications ∗∗∗ --------------------------------------------- A critical security flaw has been disclosed in the Apache Avro Java Software Development Kit (SDK) that, if successfully exploited, could allow the execution of arbitrary code on susceptible instances.The flaw, tracked as CVE-2024-47561, .. --------------------------------------------- https://thehackernews.com/2024/10/critical-apache-avro-sdk-flaw-allows.html ∗∗∗ Chinesische Hacker stehlen sensible Daten von US-Gerichten ∗∗∗ --------------------------------------------- Via Internetdienstanbieter verschafft sich die "Salt Typhoon"-Kampagne Zugriff zu heiklen Daten. US-Behörden befürchten weitere Angriffe --------------------------------------------- https://www.derstandard.at/story/3000000239609/chinesische-hacker-stehlen-s… ∗∗∗ No Way to Hide: Uncovering New Campaigns from Daily Tunneling Detection ∗∗∗ --------------------------------------------- Four DNS tunneling campaigns identified through a new machine learning tool expose intricate tactics when targeting vital sectors like finance, healthcare and more. --------------------------------------------- https://unit42.paloaltonetworks.com/detecting-dns-tunneling-campaigns/ ∗∗∗ From Pwn2Own Automotive: More Autel Maxicharger Vulnerabilities ∗∗∗ --------------------------------------------- This blog post highlights two additional vulnerabilities in the Autel Maxicharger that were exploited at Pwn2Own Automotive 2024. Details of the patches are also included. --------------------------------------------- https://www.thezdi.com/blog/2024/10/2/from-pwn2own-automotive-more-autel-ma… ∗∗∗ Russian state media company operation disrupted by ‘unprecedented’ cyberattack ∗∗∗ --------------------------------------------- Russian state television and radio broadcasting company VGTRK was hit by a cyberattack on Monday that disrupted its operations, the company confirmed in a statement to local news agencies. --------------------------------------------- https://therecord.media/russian-state-media-company-disrupted-cyberattack ∗∗∗ Engaging with Boards to improve the management of cyber security risk ∗∗∗ --------------------------------------------- How to communicate more effectively with board members to improve cyber security decision making. --------------------------------------------- https://www.ncsc.gov.uk/guidance/board-level-cyber-discussions-communicatin… ∗∗∗ Forensic Readiness in Container Environments ∗∗∗ --------------------------------------------- One of the most frustrating issues that Digital Forensics and Incident Response (DFIR) consultants encounter is a lack of forensic data available for analysis. This article aims to mitigate such situations by providing key considerations for improving forensic readiness. --------------------------------------------- https://www.nccgroup.com/us/research-blog/forensic-readiness-in-container-e… ===================== = Vulnerabilities = ===================== ∗∗∗ DSA-5785-1 mediawiki - security update ∗∗∗ --------------------------------------------- Dom Walden discovered that the AbuseFilter extension in MediaWiki, a website engine for collaborative work, performed incomplete authorisation checks. --------------------------------------------- https://lists.debian.org/debian-security-announce/2024/msg00198.html ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (go-toolset:rhel8 and linux-firmware), Arch Linux (oath-toolkit), Debian (e2fsprogs, firefox-esr, libgsf, mediawiki, and oath-toolkit), Fedora (aws, chromium, firefox, p7zip, pgadmin4, python-gcsfs, unbound, webkitgtk, znc, znc-clientbuffer, and znc-push), Mageia (ghostscript and rootcerts nss firefox firefox-l10n), .. --------------------------------------------- https://lwn.net/Articles/993160/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.10.2024
by Daily end-of-shift report 04 Oct '24

04 Oct '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 03-10-2024 18:00 − Freitag 04-10-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Cloudflare blocks largest recorded DDoS attack peaking at 3.8Tbps ∗∗∗ --------------------------------------------- During a distributed denial-of-service campaign targeting organizations in the financial services, internet, and telecommunications sectors, volumetric attacks peaked at 3.8 terabits per second, the largest publicly recorded to date. The assault consisted of a "month-long" barrage of more than 100 hyper-volumetric DDoS attacks flood. [..] Many of the attacks aimed at the target’s network infrastructure (network and transport layers L3/4) exceeded two billion packets per second (pps) and three terabits per second (Tbps). [..] The threat actor behind the campaign leveraged multiple types of compromised devices, which included a large number of Asus home routers, Mikrotik systems, DVRs, and web servers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cloudflare-blocks-largest-re… ∗∗∗ Over 4,000 Adobe Commerce, Magento shops hacked in CosmicSting attacks ∗∗∗ --------------------------------------------- Approximately 5% of all Adobe Commerce and Magento online stores, or 4,275 in absolute numbers, have been hacked in "CosmicSting" attacks. [..] The CosmicSting vulnerability (CVE-2024-34102) is a critical severity information disclosure flaw; when chained with CVE-2024-2961, a security issue in glibc's iconv function, an attacker can achieve remote code execution on the target server. [..] Sansec says that multiple threat actors are now conducting attacks as patching speed is not matching the critical nature of the situation. --------------------------------------------- https://www.bleepingcomputer.com/news/security/over-4-000-adobe-commerce-ma… ∗∗∗ Survey of CUPS exploit attempts, (Fri, Oct 4th) ∗∗∗ --------------------------------------------- It is about a week since the release of the four CUPS remote code execution vulnerabilities. After the vulnerabilities became known, I configured one of our honeypots that watches a larger set of IPs to specifically collect UDP packets to port 631. Here is a quick summary of the results. --------------------------------------------- https://isc.sans.edu/diary/rss/31326 ∗∗∗ Apple fixes bug that let VoiceOver shout your passwords ∗∗∗ --------------------------------------------- Apple just fixed a duo of security bugs in iOS 18.0.1 and iPadOS 18.0.1, one of which might cause users' saved passwords to be read aloud. It's hardly an ideal situation for the visually impaired. For those who rely on the accessibility features baked into their iGadgets, namely Apple's VoiceOver screen reader, now is a good time to apply the latest update. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2024/10/04/apple_voiceo… ∗∗∗ Sicherheitsupdates: Cisco patcht Lücken in Produkten quer durch die Bank ∗∗∗ --------------------------------------------- Neben einem kritischen Fehler kümmert sich der Netzwerkausrüster auch um einige Lücken mit mittlerem und hohem Risikograd. Patches stehen bereit. --------------------------------------------- https://heise.de/-9961998 ∗∗∗ DRAY:BREAK Breaking Into DreyTek Routers Before Threat Actors Do It Again ∗∗∗ --------------------------------------------- In 2024, routers are a primary target for cybercriminals and state-sponsored attackers – and are the riskiest device category on networks. With this knowledge, we investigated one vendor with a history of security flaws to help it address its issues and prevent new attacks. Our latest research discovered 14 new vulnerabilities in DrayTek routers. --------------------------------------------- https://www.forescout.com/resources/draybreak-draytek-research/ ∗∗∗ Threat actor believed to be spreading new MedusaLocker variant since 2022 ∗∗∗ --------------------------------------------- Talos has recently observed an attack leading to the deployment of a MedusaLocker ransomware variant known as “BabyLockerKZ.” The distinguishable techniques — including consistently storing the same set of tools in the same location on compromised systems, the use of tools that have the PDB path with the string “paid_memes,” and the use of a lateral movement tool named “checker” — used in the attack led us to take a deeper look to try to understand more about this threat actor. --------------------------------------------- https://blog.talosintelligence.com/threat-actor-believed-to-be-spreading-ne… ∗∗∗ Ransomware Groups Demystified: CyberVolk Ransomware ∗∗∗ --------------------------------------------- As part of our ongoing efforts to monitor emerging cyber threats, we have analyzed the activities of CyberVolk, a politically motivated hacktivist group that transitioned into using ransomware and has been active since June 2024. --------------------------------------------- https://www.rapid7.com/blog/post/2024/10/03/ransomware-groups-demystified-c… ∗∗∗ Google Adds New Pixel Security Features to Block 2G Exploits and Baseband Attacks ∗∗∗ --------------------------------------------- Google has revealed the various security guardrails that have been incorporated into its latest Pixel devices to counter the rising threat posed by baseband security attacks. --------------------------------------------- https://thehackernews.com/2024/10/android-14-adds-new-security-features.html ∗∗∗ Portable Hacking Lab: Control The Smallest Kali Linux With a Smartphone ∗∗∗ --------------------------------------------- Running Kali Linux on a Raspberry Pi Zero is a fantastic way to create a portable, powerful testing device. This guide will walk you through setting up Kali Linux Pi-Tail on a headless Raspberry Pi Zero 2 W that is powered and controlled from a smartphone via SSH or VNC that provides a graphical interface to your Pi-Tail. --------------------------------------------- https://www.mobile-hacker.com/2024/10/04/portable-hacking-lab-control-the-s… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (firefox, golang, linux-firmware, and thunderbird), Debian (kernel and zabbix), Fedora (firefox, pgadmin4, and php), Mageia (chromium-browser-stable, cjson, hostapd and wpa_supplicant, and openjpeg2), Oracle (firefox, flatpak, and go-toolset:ol8), Red Hat (cups-filters, firefox, grafana, linux-firmware, python3, python3.11, and python3.9), SUSE (expat, firefox, libpcap, and opensc), and Ubuntu (freeradius, imagemagick, and unzip). --------------------------------------------- https://lwn.net/Articles/992936/ ∗∗∗ Keycloak 26.0.0 released ∗∗∗ --------------------------------------------- CVE-2024-7318 - Use of a Key Past its Expiration Date in org.keycloak:keycloak-core, CVE-2024-8883 Vulnerable Redirect URI Validation Results in Open Redirect , CVE-2024-8698 Improper Verification of SAML Responses Leading to Privilege Escalation in Keycloak, CVE-2024-7254 - Stack-based Buffer Overflow in com.google.protobuf:protobuf-java --------------------------------------------- https://www.keycloak.org/2024/10/keycloak-2600-released ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (September 23, 2024 to September 29, 2024) ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2024/10/wordfence-intelligence-weekly-wordpr… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.10.2024
by Daily end-of-shift report 03 Oct '24

03 Oct '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 02-10-2024 18:00 − Donnerstag 03-10-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Fake browser updates spread updated WarmCookie malware ∗∗∗ --------------------------------------------- A new FakeUpdate campaign targeting users in France leverages compromised websites to show fake browser and application updates that spread a new version of the WarmCookie malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fake-browser-updates-spread-… ∗∗∗ FIN7 hackers launch deepfake nude “generator” sites to spread malware ∗∗∗ --------------------------------------------- The notorious APT hacking group known as FIN7 launched a network of fake AI-powered deepnude generator sites to infect visitors with information-stealing malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fin7-hackers-launch-deepfake… ∗∗∗ Weird Zimbra Vulnerability ∗∗∗ --------------------------------------------- Hackers can execute commands on a remote computer by sending malformed emails to a Zimbra mail server. It’s critical, but difficult to exploit.In an email sent Wednesday afternoon, Proofpoint researcher Greg Lesnewich seemed to largely concur that the attacks weren’t likely to lead to mass infections that could install ransomware or espionage .. --------------------------------------------- https://www.schneier.com/blog/archives/2024/10/weird-zimbra-vulnerability.h… ∗∗∗ INTERPOL Arrests 8 in Major Phishing and Romance Fraud Crackdown in West Africa ∗∗∗ --------------------------------------------- INTERPOL has announced the arrest of eight individuals in Côte dIvoire and Nigeria as part of a crackdown on phishing scams and romance cyber fraud.Dubbed Operation Contender 2.0, the initiative is designed to tackle cyber-enabled crimes .. --------------------------------------------- https://thehackernews.com/2024/10/interpol-arrests-8-in-major-phishing.html ∗∗∗ APT and financial attacks on industrial organizations in Q2 2024 ∗∗∗ --------------------------------------------- This summary provides an overview of the reports of APT and financial attacks on industrial enterprises that were disclosed in Q2 2024, as well as the related activities of groups that have been observed attacking industrial organizations and critical infrastructure facilities. --------------------------------------------- https://ics-cert.kaspersky.com/publications/apt-and-financial-attacks-on-in… ∗∗∗ Experts warn of DDoS attacks using linux printing vulnerability ∗∗∗ --------------------------------------------- A set of bugs that has caused alarm among cybersecurity experts may enable threat actors to launch powerful attacks designed to knock systems offline. --------------------------------------------- https://therecord.media/ddos-attacks-cups-linux-print-vulnerability ∗∗∗ As ransomware attacks surge, UK privacy regulator investigating fewer incidents than ever ∗∗∗ --------------------------------------------- Of the 1,253 incidents reported to the Information Commissioner’s Office (ICO) in 2023, only 87 were investigated — fewer than 7%. The numbers so far for 2024 are similar. --------------------------------------------- https://therecord.media/uk-ico-ransomware-investigations-data ∗∗∗ Threat actor believed to be spreading new MedusaLocker variant since 2022 ∗∗∗ --------------------------------------------- Cisco Talos has discovered a financially motivated threat actor, active since 2022, recently observed delivering a MedusaLocker ransomware variant. Intelligence collected by Talos on tools regularly employed by the threat .. --------------------------------------------- https://blog.talosintelligence.com/threat-actor-believed-to-be-spreading-ne… ∗∗∗ perfctl: A Stealthy Malware Targeting Millions of Linux Servers ∗∗∗ --------------------------------------------- In this blog post, Aqua Nautilus researchers aim to shed light on a Linux malware that, over the past 3-4 years, has actively sought more than 20,000 types of misconfigurations in order to target and exploit Linux servers. If you .. --------------------------------------------- https://blog.aquasec.com/perfctl-a-stealthy-malware-targeting-millions-of-l… ∗∗∗ "Alptraum": Daten aller niederländischen Polizisten geklaut – von Drittstaat? ∗∗∗ --------------------------------------------- Hacker haben die Kontaktdaten aller Mitarbeiter der Polizei erbeutet. Nun kommt das Justizministerium mit einer weiteren alarmierenden Nachricht. --------------------------------------------- https://heise.de/-9961529 ∗∗∗ Thailändische Regierung von neuem APT "CeranaKeeper" angegriffen ∗∗∗ --------------------------------------------- Bei Angriffen auf thailändische Behörden erbeuteten Cyberkriminelle Daten, indem sie verschlüsselte Dateien zu Filesharing-Diensten hochluden. --------------------------------------------- https://heise.de/-9961562 ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-24-1321: Apple macOS AppleVADriver Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Apple macOS. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 8.8. The following CVEs are assigned: CVE-2024-40841. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-1321/ ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (cups-filters), Debian (chromium and php8.2), Fedora (firefox), Oracle (cups-filters, flatpak, kernel, krb5, oVirt 4.5 ovirt-engine, and python-urllib3), Red Hat (cups-filters, firefox, go-toolset:rhel8, golang, and thunderbird), SUSE (postgresql16), and Ubuntu (gnome-shell and linux-azure-fde-5.15). --------------------------------------------- https://lwn.net/Articles/992798/ ∗∗∗ Two-factor Authentication (TFA) - Critical - Access bypass - SA-CONTRIB-2024-043 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2024-043 ∗∗∗ Cisco Nexus Dashboard Fabric Controller Arbitrary Command Execution Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Meraki MX and Z Series Teleworker Gateway AnyConnect VPN Denial of Service Vulnerabilities ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.10.2024
by Daily end-of-shift report 02 Oct '24

02 Oct '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 01-10-2024 18:00 − Mittwoch 02-10-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Crook made millions by breaking into execs’ Office365 inboxes, feds say ∗∗∗ --------------------------------------------- Email accounts inside 5 US companies unlawfully breached through password resets. --------------------------------------------- https://arstechnica.com/?p=2053721 ∗∗∗ Evil Corp hit with new sanctions, BitPaymer ransomware charges ∗∗∗ --------------------------------------------- The Evil Corp cybercrime syndicate has been hit with new sanctions by the United States, United Kingdom, and Australia. The US also indicted one of its members for conducting BitPaymer ransomware attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/evil-corp-hit-with-new-sanct… ∗∗∗ Arc browser launches bug bounty program after fixing RCE bug ∗∗∗ --------------------------------------------- The Browser Company has introduced an Arc Bug Bounty Program to encourage security researchers to report vulnerabilities to the project and receive rewards. --------------------------------------------- https://www.bleepingcomputer.com/news/security/arc-browser-launches-bug-bou… ∗∗∗ CISA: Network switch RCE flaw impacts critical infrastructure ∗∗∗ --------------------------------------------- U.S. cybersecurity agency CISA is warning about two critical vulnerabilities that allow authentication bypass and remote code execution in Optigo Networks ONS-S8 Aggregation Switch products used in critical infrastructure. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cisa-network-switch-rce-flaw… ∗∗∗ PyPI Repository Found Hosting Fake Crypto Wallet Recovery Tools That Steal User Data ∗∗∗ --------------------------------------------- A new set of malicious packages has been unearthed in the Python Package Index (PyPI) repository that masqueraded as cryptocurrency wallet recovery and management services, only to siphon sensitive data and facilitate the theft .. --------------------------------------------- https://thehackernews.com/2024/10/pypi-repository-found-hosting-fake.html ∗∗∗ Alert: Over 700,000 DrayTek Routers Exposed to Hacking via 14 New Vulnerabilities ∗∗∗ --------------------------------------------- A little over a dozen new security vulnerabilities have been discovered in residential and enterprise routers manufactured by DrayTek that could be exploited to take over susceptible devices."These vulnerabilities could enable attackers to take control .. --------------------------------------------- https://thehackernews.com/2024/10/alert-over-700000-draytek-routers.html ∗∗∗ NISTs security flaw database still backlogged with 17K+ unprocessed bugs. Not great ∗∗∗ --------------------------------------------- Logjam hurting infosec processes world over one expert tells us as US body blows its own Sept deadline NIST has made some progress clearing its backlog of security vulnerability reports to process - though its not quite on target as hoped. --------------------------------------------- https://www.theregister.com/2024/10/02/cve_pileup_nvd_missed_deadline/ ∗∗∗ After Code Execution, Researchers Show How CUPS Can Be Abused for DDoS Attacks ∗∗∗ --------------------------------------------- Over 58,000 internet-exposed CUPS hosts can be abused for significant DDoS attacks, according to Akamai. --------------------------------------------- https://www.securityweek.com/after-code-execution-researchers-show-how-cups… ∗∗∗ Dotnet Source Generators in 2024 Part 1: Getting Started ∗∗∗ --------------------------------------------- In this blog post, we will cover the basics of a source generator, the major types involved, some common issues you might encounter, how to properly log those issues, and how to fix them. --------------------------------------------- https://posts.specterops.io/dotnet-source-generators-in-2024-part-1-getting… ∗∗∗ Aktive Ausnutzung einer Sicherheitslücke in Zimbra Mail Server (CVE-2024-45519) ∗∗∗ --------------------------------------------- Der Hersteller des Zimbra Mail-Servers, Synacor, hat ein Advisory zu einer Sicherheitslücke in Zimbra Collaboration veröffentlicht. Die veröffentlichte Schwachstelle, CVE-2024-45519, erlaubt es nicht-authentifizierten Benutzern aus der Ferne Code auszuführen. Für die betroffenen Versionen (9.0.0, 10.0.9, 10.1.1 und 8.8.15) stehen jeweils Updates bereit, welche eine .. --------------------------------------------- https://www.cert.at/de/aktuelles/2024/10/zimbra-rce-cve-2024-45519 ∗∗∗ Sicherheit: Datenabflüsse bei Cyberangriffen ∗∗∗ --------------------------------------------- Nach einem Cyberangriff auf eine Klinik in Bad Wildungen im August 2024 sind nun Daten im Darknet aufgetaucht. Auch bei der niederländischen Polizei gab es einen Datenabfluss nach einem Cyberangriff. Hier einige Informationen .. --------------------------------------------- https://www.borncity.com/blog/2024/10/02/sicherheit-datenabfluesse-bei-cybe… ∗∗∗ All that JavaScript for… spear phishing? ∗∗∗ --------------------------------------------- NVISO employs several hunting rules in multiple Threat Intelligence Platforms and other sources, such as VirusTotal. As you can imagine, there is no lack of APT (Advanced Persistent Threat) campaigns, cybercriminals and their associated malware families and campaigns, phishing, and so on. But now and then, something slightly different and perhaps novel .. --------------------------------------------- https://blog.nviso.eu/2024/10/02/all-that-javascript-for-spear-phishing/ ∗∗∗ ASD’s ACSC, CISA, FBI, NSA, and International Partners Release Guidance on Principles of OT Cybersecurity for Critical Infrastructure Organizations ∗∗∗ --------------------------------------------- Today, the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) - in partnership with CISA, U.S. government and international partners - released the guide Principles of Operational Technology Cybersecurity. This guidance provides critical information on how to create and maintain a safe, secure operational .. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/10/01/asds-acsc-cisa-fbi-nsa-a… ∗∗∗ LKA Niedersachsen warnt vor andauernder Masche mit Erpresser-Mails ∗∗∗ --------------------------------------------- Die Betrüger lassen nicht nach, warnt das LKA Niedersachsen. Erpresser-Mails etwa mit angeblichen Videoaufnahmen kursieren weiter. --------------------------------------------- https://heise.de/-9960503 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (grafana), Fedora (cjson and php), Oracle (389-ds-base, freeradius, grafana, kernel, and krb5), Slackware (cryfs, cups, and mozilla), SUSE (OpenIPMI, openssl-3, openvpn, thunderbird, and tomcat), and Ubuntu (cups, cups-filters, knot-resolver, linux-raspi, linux-raspi-5.4, orc, php7.4, php8.1, php8.3, python-asyncssh, ruby-devise-two-factor, and vim). --------------------------------------------- https://lwn.net/Articles/992650/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.10.2024
by Daily end-of-shift report 01 Oct '24

01 Oct '24

===================== = End-of-Day report = ===================== Timeframe: Montag 30-09-2024 18:00 − Dienstag 01-10-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Microsoft Defender adds detection of unsecure Wi-Fi networks ∗∗∗ --------------------------------------------- Microsoft Defender now automatically detects and notifies users with a Microsoft 365 Personal or Family subscription when theyre connected to unsecured Wi-Fi networks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-defender-now-autom… ∗∗∗ Microsoft overhauls security for publishing Edge extensions ∗∗∗ --------------------------------------------- Microsoft has introduced an updated version of the "Publish API for Edge extension developers" that increases the security for developer accounts and the updating of browser extensions. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-overhauls-securit… ∗∗∗ What Are Hackers Searching for in SolarWinds Serv-U (CVE-2024-28995)? ∗∗∗ --------------------------------------------- Discover how GreyNoise’s honeypots are monitoring exploit attempts on the SolarWinds Serv-U vulnerability (CVE-2024-28995). Gain insights into the specific files attackers target and how real-time data helps security teams focus on true threats. --------------------------------------------- https://www.greynoise.io/blog/what-are-hackers-searching-for-in-solarwinds-… ∗∗∗ Detecting Vulnerability Scanning Traffic From Underground Tools Using Machine Learning ∗∗∗ --------------------------------------------- Researchers detail the discovery of Swiss Army Suite, an underground tool used for SQL injection scans discovered with a machine learning model. --------------------------------------------- https://unit42.paloaltonetworks.com/machine-learning-new-swiss-army-suite-t… ∗∗∗ Rackspace internal monitoring web servers hit by zero-day ∗∗∗ --------------------------------------------- Reading between the lines, it appears Rackspace was hosting a ScienceLogic-powered monitoring dashboard for its customers on its own internal web servers, those servers included a program that was bundled with ScienceLogic's software, and that program was exploited, using a zero-day vulnerability, by miscreants to gain access to those web servers. From there, the intruders were able to get hold of some monitoring-related customer information before being caught. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2024/09/30/rackspace_ze… ∗∗∗ Crooked Cops, Stolen Laptops & the Ghost of UGNazi ∗∗∗ --------------------------------------------- A California man accused of failing to pay taxes on tens of millions of dollars allegedly earned from cybercrime also paid local police officers hundreds of thousands of dollars to help him extort, intimidate and silence rivals and former business partners, a new indictment charges. KrebsOnSecurity has learned that many of the mans alleged targets were members of UGNazi, a hacker group behind multiple high-profile breaches and cyberattacks back in 2012. --------------------------------------------- https://krebsonsecurity.com/2024/09/crooked-cops-stolen-laptops-the-ghost-o… ∗∗∗ BSI empfiehlt die Nutzung von Passkeys ∗∗∗ --------------------------------------------- Das BSI empfiehlt die Nutzung von Passkeys. Eine Umfrage zeige auf, dass die Bekanntheit und Verbreitung ausbaufähig seien. --------------------------------------------- https://heise.de/-9959270 ∗∗∗ Ransomware: Ermittler melden neue Erfolge im Kampf gegen Lockbit ∗∗∗ --------------------------------------------- Neben Verhaftungen in Frankreich und Großbritannien haben internationale Strafverfolger die Infrastruktur der Erpresser gestört – zudem ergingen Sanktionen. --------------------------------------------- https://heise.de/-9959100 ∗∗∗ WordPress Vulnerability & Patch Roundup September 2024 ∗∗∗ --------------------------------------------- Vulnerability reports and responsible disclosures are essential for website security awareness and education. --------------------------------------------- https://blog.sucuri.net/2024/09/wordpress-vulnerability-patch-roundup-septe… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (debian-security-support, nghttp2, and sqlite3), Oracle (cups-filters, kernel, and osbuild-composer), SUSE (openssl-3), and Ubuntu (bubblewrap, flatpak and python2.7, python3.5). --------------------------------------------- https://lwn.net/Articles/992444/ ∗∗∗ Mozilla Foundation Security Advisories 2024-10-01 (Thunderbird and Firefox) ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/ ∗∗∗ Juniper: 2024-09-30 Out of Cycle Security Advisory: Multiple Products: RADIUS protocol susceptible to forgery attacks (Blast-RADIUS) (CVE-2024-3596) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-09-30-Out-of-Cycle-Securit… ∗∗∗ Bosch: Sensitive information disclosure in Bosch Configuration Manager ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-981803-bt.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.09.2024
by Daily end-of-shift report 30 Sep '24

30 Sep '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 27-09-2024 18:00 − Montag 30-09-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ US-Wahlkampf: Anklage wegen des Hacks der Trump-Kampagne erhoben ∗∗∗ --------------------------------------------- Drei Männer müssen sich vor Gericht wegen des Cyberangriffs auf das Wahlkampfteam von Donald Trump verantworten. --------------------------------------------- https://www.golem.de/news/us-wahlkampf-anklage-wegen-des-hacks-der-trump-ka… ∗∗∗ How to Know if Your Website Is Hacked ∗∗∗ --------------------------------------------- Whether you manage a gaming blog, an e-commerce platform, or an enterprise-level website you probably want to be able to detect infections when they occur. A hacked website can lead to financial loss, disruption of business operations, and the exposure of confidential information. The key is acting fast once you discover possible .. --------------------------------------------- https://blog.sucuri.net/2024/09/how-do-website-owners-know-that-their-websi… ∗∗∗ If youre holding important data, Iran is probably trying spearphish it ∗∗∗ --------------------------------------------- Its election year for more than 50 countries and the Islamic Republic threatens a bunch of them US and UK national security agencies are jointly warning about Iranian spearphishing campaigns, which remain an ongoing threat to various industries and governments. --------------------------------------------- https://www.theregister.com/2024/09/30/iran_spearphishing/ ∗∗∗ The Pig Butchering Invasion Has Begun ∗∗∗ --------------------------------------------- Scamming operations that once originated in Southeast Asia are now proliferating around the world, likely raking in billions of dollars in the process. --------------------------------------------- https://www.wired.com/story/pig-butchering-scam-invasion/ ∗∗∗ Eliminating Memory Safety Vulnerabilities at the Source ∗∗∗ --------------------------------------------- Memory safety vulnerabilities remain a pervasive threat to software security. At Google, we believe the path to eliminating this class of vulnerabilities at scale and building high-assurance software lies in Safe Coding, a secure-by-design approach that prioritizes transitioning .. --------------------------------------------- http://security.googleblog.com/2024/09/eliminating-memory-safety-vulnerabil… ∗∗∗ The Data Breach Disclosure Conundrum ∗∗∗ --------------------------------------------- The conundrum I refer to in the title of this post is the one faced by a breached organisation: disclose or suppress? And let me be even more specific: should they disclose to impacted individuals, or simply never let them know? --------------------------------------------- https://www.troyhunt.com/the-data-breach-disclosure-conundrum/ ∗∗∗ How can you protect your data, privacy, and finances if your phone gets lost or stolen? ∗∗∗ --------------------------------------------- Steps to take when your device is lost or stolen TL;DR This is a guide to help prepare for a situation where your mobile device is lost or stolen, including .. --------------------------------------------- https://www.pentestpartners.com/security-blog/how-can-you-protect-your-data… ∗∗∗ Cyber Security Month: Stärken Sie Ihr Wissen ∗∗∗ --------------------------------------------- Im Oktober dreht sich alles um das Thema Cybersicherheit. Nutzen Sie die Gelegenheit, um Ihr Wissen über Phishing, Schadsoftware und andere Cyberbedrohungen aufzufrischen. --------------------------------------------- https://www.watchlist-internet.at/news/cyber-security-month-2024/ ∗∗∗ Nitrogen Campaign Drops Sliver and Ends With BlackCat Ransomware ∗∗∗ --------------------------------------------- In November 2023, we identified a BlackCat ransomware intrusion started by Nitrogen malware hosted on a website impersonating Advanced IP .. --------------------------------------------- https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-end… ∗∗∗ Datenschutzvorfall bei GlobalSign (Sept. 2024) ∗∗∗ --------------------------------------------- Der Anbieter GlobalSign musste gegenüber einigen Kunden einen Datenschutzvorfall eingestehen. Bei deren Customer Relationship Management Platform (CRM) kam es zu einer Fehlkonfigurierung, so dass ein .. --------------------------------------------- https://www.borncity.com/blog/2024/09/30/datenschutzvorfall-bei-globalsign-… ∗∗∗ Facial DNA provider leaks biometric data via WordPress folder ∗∗∗ --------------------------------------------- ChiceDNA exposed 8,000 sensitive records, including biometric images, personal details, and facial DNA data in an unsecured WordPress… --------------------------------------------- https://hackread.com/facial-dna-provider-leak-biometric-data-wordpress-fold… ===================== = Vulnerabilities = ===================== ∗∗∗ Local Privilege Escalation mittels MSI Installer in Nitro PDF Pro ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/local-privilege-escal… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.09.2024
by Daily end-of-shift report 27 Sep '24

27 Sep '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 26-09-2024 18:00 − Freitag 27-09-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Storm-0501: Ransomware attacks expanding to hybrid cloud environments ∗∗∗ --------------------------------------------- Microsoft has observed the threat actor tracked as Storm-0501 launching a multi-staged attack where they compromised hybrid cloud environments and performed lateral movement from on-premises to cloud environment, leading to data exfiltration, credential theft, tampering, persistent backdoor access, and ransomware deployment. The .. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2024/09/26/storm-0501-ransomw… ∗∗∗ NIST Recommends Some Common-Sense Password Rules ∗∗∗ --------------------------------------------- NIST’s second draft of its “SP 800-63-4“ - its digital identify guidelines - finally contains some really good rules about passwords. --------------------------------------------- https://www.schneier.com/blog/archives/2024/09/nist-recommends-some-common-… ∗∗∗ Kaspersky Defends Stealth Swap of Antivirus Software on US Computers ∗∗∗ --------------------------------------------- Cybersecurity firm Kaspersky has defended its decision to automatically replace its antivirus software on U.S. customers computers with UltraAV, a product from American company Pango, without explicit user consent. The forced switch, affecting nearly one million users, occurred as a result of a U.S. government ban on Kaspersky software. Kaspersky .. --------------------------------------------- https://it.slashdot.org/story/24/09/26/1825249/kaspersky-defends-stealth-sw… ∗∗∗ Hackers Could Have Remotely Controlled Kia Cars Using Only License Plates ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed a set of now patched vulnerabilities in Kia vehicles that, if successfully exploited, could have allowed remote control over key functions simply by using only a license plate."These attacks could be .. --------------------------------------------- https://thehackernews.com/2024/09/hackers-could-have-remotely-controlled.ht… ∗∗∗ Victims lose $70K to one single wallet-draining app on Googles Play Store ∗∗∗ --------------------------------------------- Attackers got 10k people to download trusted web3 brand cheat before Mountain View intervened The latest in a long line of cryptocurrency wallet-draining attacks has stolen $70,000 from people who downloaded a dodgy app in a single campaign .. --------------------------------------------- https://www.theregister.com/2024/09/26/victims_lose_70k_to_play/ ∗∗∗ Patch now: Critical Nvidia bug allows container escape, complete host takeover ∗∗∗ --------------------------------------------- 33% of cloud environments using the toolkit impacted, were told A critical bug in Nvidias widely used Container Toolkit could allow a rogue user or software to escape their containers and ultimately take complete control of the underlying host. --------------------------------------------- https://www.theregister.com/2024/09/26/critical_nvidia_bug_container_escape/ ∗∗∗ Highly Anticipated Linux Flaw Allows Remote Code Execution, but Less Serious Than Expected ∗∗∗ --------------------------------------------- A researcher has disclosed the details of an unpatched vulnerability that was expected to pose a serious threat to many Linux systems. --------------------------------------------- https://www.securityweek.com/highly-anticipated-linux-flaw-allows-remote-co… ∗∗∗ US Announces Charges, Sanctions Against Russian Administrator of Carding Website ∗∗∗ --------------------------------------------- US offers up to $10 million for information on Timur Shakhmametov, charging him with running the carding website Joker’s Stash. --------------------------------------------- https://www.securityweek.com/us-announces-charges-sanctions-against-russian… ∗∗∗ Spatenstich für Cybersecurity-Campus der TU Graz ∗∗∗ --------------------------------------------- Rund 25 Millionen Euro werden in den Komplex für bis zu 160 Forschende in der Sandgasse investiert. Auch IT-Start-ups sollen dort Platz finden --------------------------------------------- https://www.derstandard.at/story/3000000238456/spatenstich-fuer-cybersecuri… ∗∗∗ Cyberespionage the Gamaredon way: Analysis of toolset used to spy on Ukraine in 2022 and 2023 ∗∗∗ --------------------------------------------- ESET Research has conducted a comprehensive technical analysis of Gamaredon’s toolset used to conduct its cyberespionage activities focused in Ukraine --------------------------------------------- https://www.welivesecurity.com/en/eset-research/cyberespionage-gamaredon-wa… ∗∗∗ Geoblocking als einfache DDoS-Abwehr ∗∗∗ --------------------------------------------- Distributed Denial of Service (DDoS) Angriffe gibt es in diversen Varianten, das reicht von reflected UDP mit hoher Bandbreite über Tricksereien auf Layer 4 (etwa TCP-SYN Flooding, oder auch nur Überlastung der State-Tabellen in Firewalls) bis hin zu Layer 7 Angriffen mit vielen teuren http Anfragen. Aktuell sehen wir gerade letztere, dazu wollen wir ein .. --------------------------------------------- https://www.cert.at/de/blog/2024/9/geoblocking-gegen-ddos ∗∗∗ Meta fined $101 million for storing hundreds of millions of passwords in plaintext ∗∗∗ --------------------------------------------- European regulators fined Meta for an engineering mistake that the social media giant first reported in 2019. --------------------------------------------- https://therecord.media/meta-unprotected-passwords-fine-gdpr ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-24-1290: TeamViewer Missing Authentication Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-1290/ ∗∗∗ ZDI-24-1289: TeamViewer Missing Authentication Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-1289/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.09.2024
by Daily end-of-shift report 26 Sep '24

26 Sep '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 25-09-2024 18:00 − Donnerstag 26-09-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Talos discovers denial-of-service vulnerability in Microsoft Audio Bus; Potential remote code execution in popular open-source PLC ∗∗∗ --------------------------------------------- Cisco Talos’ Vulnerability Research team recently disclosed two vulnerabilities in Microsoft products that have been patched by the company over the past two Patch Tuesdays. One is a vulnerability in the High-Definition Audio Bus Driver in Windows systems that could lead to a denial of service, while the other is a memory corruption issue that exists in a multicasting protocol in Windows 10. [..] For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website. --------------------------------------------- https://blog.talosintelligence.com/talos-discovers-denial-of-service-vulner… ∗∗∗ The Cyber Resilience Act, an Accidental European Alien Torts Statute? ∗∗∗ --------------------------------------------- What if someone is harmed by their own government, but the technology used against them was created by a company based in the United States? Should that person be able to hold the American company responsible? --------------------------------------------- https://www.lawfaremedia.org/article/the-cyber-resilience-act--an-accidenta… ∗∗∗ Threat landscape for industrial automation systems, Q2 2024 ∗∗∗ --------------------------------------------- In this report, we share statistics on threats to industrial control systems in Q2 2024, including statistics by region, industry, malware and other threat types. --------------------------------------------- https://securelist.com/industrial-threat-landscape-q2-2024/113981/ ∗∗∗ Direct Memory Access (DMA) attacks. Risks, techniques, and mitigations in hardware hacking ∗∗∗ --------------------------------------------- DMA allows input-output (I/O) devices to access memory without CPU involvement. Bypassing the Operating System (OS) by providing direct high-speed access to the system’s memory improves efficiency for Graphics processing units (GPUs), Network Interface Cards (NICs), storage devices (e.g. NVMe) and peripheral devices. DMA capable connections include PCI, PCI Express (PCIe), Thunderbolt, FireWire, ExpressCard. Without additional safeguards, DMA can make systems vulnerable to attacks. --------------------------------------------- https://www.pentestpartners.com/security-blog/direct-memory-access-dma-atta… ∗∗∗ Unraveling Sparkling Pisces’s Tool Set: KLogEXE and FPSpy ∗∗∗ --------------------------------------------- We analyze new tools DPRK-linked APT Sparkling Pisces (aka Kimsuky) used in cyberespionage campaigns: KLogExe (a keylogger) and FPSpy (a backdoor variant). --------------------------------------------- https://unit42.paloaltonetworks.com/kimsuky-new-keylogger-backdoor-variant/ ∗∗∗ Simple Mail Transfer Pirates: How threat actors are abusing third-party infrastructure to send spam ∗∗∗ --------------------------------------------- Spammers are always looking for creative ways to bypass spam filters. As a spammer, one of the problems with creating your own architecture to deliver mail is that, once the spam starts flowing, these sources (IPs/domains) can be blocked. Spam can more easily find its way into the inbox if it is delivered from an unexpected or legitimate source. Realizing this, many spammers have elected to attack web pages and mail servers of legitimate organizations, so they may use these “pirated” resources to send unsolicited email. --------------------------------------------- https://blog.talosintelligence.com/simple-mail-transfer-pirates/ ∗∗∗ Phishing and Social Engineering: The Human Factor in Election Security ∗∗∗ --------------------------------------------- Discover how phishing and social engineering threaten the 2024 U.S. elections in part three of our Election Cybersecurity series. Learn how attackers exploit human vulnerabilities to compromise systems and how to defend against these evolving threats. --------------------------------------------- https://www.greynoise.io/blog/phishing-and-social-engineering-the-human-fac… ∗∗∗ Dell Hit by Third Data Leak in a Week Amid “grep” Cyberattacks ∗∗∗ --------------------------------------------- Dell faces its third data leak in a week as hacker “grep” continues targeting the tech giant. Sensitive internal files, including project documents and MFA data, were exposed. Dell has yet to issue a formal response. --------------------------------------------- https://hackread.com/dell-data-leak-in-week-amid-grep-cyberattacks/ ===================== = Vulnerabilities = ===================== ∗∗∗ HPE Aruba Networking fixes critical flaws impacting Access Points ∗∗∗ --------------------------------------------- HPE Aruba Networking has fixed three critical vulnerabilities in the Command Line Interface (CLI) service of its Aruba Access Points, which could let unauthenticated attackers gain remote code execution on vulnerable devices. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hpe-aruba-networking-fixes-t… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (container-tools:rhel8, dovecot, emacs, expat, git-lfs, go-toolset:rhel8, golang, grafana, grafana-pcp, gtk3, kernel, kernel-rt, nano, python3, python3.11, python3.12, and virt:rhel and virt-devel:rhel), Debian (mediawiki and puredata), Fedora (chisel), Mageia (glib2.0, gtk+2.0 and gtk+3.0, and python-astropy), Red Hat (git-lfs, grafana, grafana-pcp, kernel, and kernel-rt), SUSE (kubernetes1.24, kubernetes1.25, kubernetes1.26, kubernetes1.27, kubernetes1.28, opensc, and python36), and Ubuntu (apparmor, apr, ca-certificates, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-raspi, openjpeg2, ruby-rack, and tomcat8, tomcat9). --------------------------------------------- https://lwn.net/Articles/991897/ ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2024-0005 ∗∗∗ --------------------------------------------- Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. CVE identifiers: CVE-2024-23271, CVE-2024-27808, CVE-2024-27820, CVE-2024-27833, CVE-2024-27838, CVE-2024-27851, CVE-2024-40866, CVE-2024-44187 --------------------------------------------- https://webkitgtk.org/security/WSA-2024-0005.html ∗∗∗ Cisco IOS XE Software for Wireless Controllers CWA Pre-Authentication ACL Bypass Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco IOS XE Software Web UI Cross-Site Request Forgery Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco IOS and IOS XE Software Web UI Cross-Site Request Forgery Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (September 16, 2024 to September 22, 2024) ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2024/09/wordfence-intelligence-weekly-wordpr… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.09.2024
by Daily end-of-shift report 25 Sep '24

25 Sep '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 24-09-2024 18:00 − Mittwoch 25-09-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ ChatGPT macOS Flaw Couldve Enabled Long-Term Spyware via Memory Function ∗∗∗ --------------------------------------------- A now-patched security vulnerability in OpenAI's ChatGPT app for macOS could have made it possible for attackers to plant long-term persistent spyware into the artificial intelligence (AI) tool's memory. The technique, dubbed SpAIware, could be abused to facilitate "continuous data exfiltration of any information the user typed or responses received by ChatGPT, including any future chat sessions," security researcher Johann Rehberger said. --------------------------------------------- https://thehackernews.com/2024/09/chatgpt-macos-flaw-couldve-enabled-long.h… ∗∗∗ Schon wieder: Offizielles Twitter-Konto OpenAIs von Krypto-Betrügern übernommen ∗∗∗ --------------------------------------------- Der offizielle Twitter-Account der Pressestelle von ChatGPT-Anbieter OpenAI wurde von Betrügern übernommen und genutzt, um eine Fake-Kryptowährung zu promoten. --------------------------------------------- https://heise.de/-9953073 ∗∗∗ AI-Generated Malware Found in the Wild ∗∗∗ --------------------------------------------- HP has intercepted an email campaign comprising a standard malware payload delivered by an AI-generated dropper. --------------------------------------------- https://www.securityweek.com/ai-generated-malware-found-in-the-wild/ ∗∗∗ Investigating Infrastructure and Tactics of Phishing-as-a-Service Platform Sniper Dz ∗∗∗ --------------------------------------------- Delve into the infrastructure and tactics of phishing platform Sniper Dz, which targets popular brands and social media. We discuss its unique aspects and more. --------------------------------------------- https://unit42.paloaltonetworks.com/phishing-platform-sniper-dz-unique-tact… ∗∗∗ LummaC2: Obfuscation Through Indirect Control Flow ∗∗∗ --------------------------------------------- This blog post delves into the analysis of a control flow obfuscation technique employed by recent LummaC2 (LUMMAC.V2) stealer samples. In addition to the traditional control flow flattening technique used in older versions, the malware now leverages customized control flow indirection to manipulate the execution of the malware. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/lummac2-obfuscatio… ∗∗∗ Modified LockBit and Conti ransomware shows up in DragonForce gang’s attacks ∗∗∗ --------------------------------------------- The manufacturing, real estate and transportation industries are recent targets of the cybercrime operation known as DragonForce. Researchers say its serving up versions of LockBit and Conti to affiliates. --------------------------------------------- https://therecord.media/lockbit-conti-dragonforce-ransomware-cybercrime ∗∗∗ Shedding Light on Election Deepfakes ∗∗∗ --------------------------------------------- Contrary to popular belief, deepfakes — AI-crafted audio files, images, or videos that depict events and statements that never occurred; a portmanteau of “deep learning” and “fake” — are not all intrinsically malicious. [..] Let’s take a look at the state of deepfakes during the 2020 elections, how it’s currently making waves in the 2024 election cycle, and how voters can tell truth from digital deception. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/shedding-li… ===================== = Vulnerabilities = ===================== ∗∗∗ 20,000 WordPress Sites Affected by Privilege Escalation Vulnerability in WCFM – WooCommerce Frontend Manager WordPress Plugin ∗∗∗ --------------------------------------------- This vulnerability makes it possible for an authenticated attacker to change the email of any user, including an administrator, which allows them to reset the password and take over the account and website. [..] After providing full disclosure details, the developer released a patch on September 23, 2024. [..] CVE ID: CVE-2024-8290 --------------------------------------------- https://www.wordfence.com/blog/2024/09/20000-wordpress-sites-affected-by-pr… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (booth), Gentoo (Xpdf), Oracle (go-toolset:ol8, golang, grafana, grafana-pcp, kernel, libnbd, openssl, pcp, and ruby:3.3), Red Hat (container-tools:rhel8, go-toolset:rhel8, golang, kernel, and kernel-rt), SUSE (apr, cargo-audit, chromium, obs-service-cargo, python311, python36, quagga, traefik, and xen), and Ubuntu (intel-microcode, linux-azure-fde-5.15, and puma). --------------------------------------------- https://lwn.net/Articles/991701/ ∗∗∗ WatchGuard SSO and Moodle ∗∗∗ --------------------------------------------- rt-sa-2024-008: WatchGuard SSO Client Denial-of-Service, rt-sa-2024-007: WatchGuard SSO Agent Telnet Authentication Bypass, rt-sa-2024-006: WatchGuard SSO Protocol is Unencrypted and Unauthenticated, rt-sa-2024-009: Moodle: Remote Code Execution via Calculated Questions --------------------------------------------- https://www.redteam-pentesting.de/en/advisories/ ∗∗∗ Teamviewer: Hochriskante Lücken ermöglichen Rechteausweitung ∗∗∗ --------------------------------------------- In den Teamviewer-Remote-Clients können Angreifer eine unzureichende kryptografische Prüfung von Treiberinstallationen missbrauchen, um ihre Rechte auszuweiten und Treiber zu installieren (CVE-2024-7479, CVE-2024-7481; beide CVSS 8.8, Risiko "hoch"). [..] Die seit Dienstag dieser Woche verfügbare Version 15.58.4 oder neuere schließen diese Sicherheitslücken. --------------------------------------------- https://heise.de/-9953034 ∗∗∗ XenServer and Citrix Hypervisor Security Update for CVE-2024-45817 ∗∗∗ --------------------------------------------- https://support.citrix.com/s/article/CTX691646-xenserver-and-citrix-hypervi… ∗∗∗ Schwachstelle in BlackBerry CylanceOPTICS Windows Installer Package ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/schwachstelle-in-blac… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.09.2024
by Daily end-of-shift report 24 Sep '24

24 Sep '24

===================== = End-of-Day report = ===================== Timeframe: Montag 23-09-2024 18:00 − Dienstag 24-09-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Hackerangriff hier, Hackerangriff da? Nein. ∗∗∗ --------------------------------------------- Ein Kommentar zur aktuellen Berichterstattung rund um DDoS-Angriffe gegen die Webseiten politischer Parteien in Österreich. --------------------------------------------- https://datenrausch.substack.com/p/hackerangriff-hier-hackerangriff ∗∗∗ New Mallox ransomware Linux variant based on leaked Kryptina code ∗∗∗ --------------------------------------------- An affiliate of the Mallox ransomware operation, also known as TargetCompany, was spotted using a slightly modified version of the Kryptina ransomware to attack Linux systems. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-mallox-ransomware-linux-… ∗∗∗ New Octo Android malware version impersonates NordVPN, Google Chrome ∗∗∗ --------------------------------------------- A new version of the Octo Android malware, named "Octo2," has been seen spreading across Europe under the guise of NordVPN, Google Chrome, and an app called Europe Enterprise. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-octo-android-malware-ver… ∗∗∗ Exploitation of RAISECOM Gateway Devices Vulnerability CVE-2024-7120, (Tue, Sep 24th) ∗∗∗ --------------------------------------------- Late in July, a researcher using the alias "NETSECFISH" published a blog post revealing a vulnerability in RASIECOM gateway devices [1]. The vulnerability affects the "vpn/list_base_Config.php" endpoint and allows for unauthenticated remote code execution. According to Shodan, about 25,000 vulnerable devices are exposed to the internet. With a simple proof of concept available, it is no surprise that we aseethe vulnerability exploited. --------------------------------------------- https://isc.sans.edu/diary/rss/31292 ∗∗∗ Untersuchung von Solaris / SunOS - Persistenz mit Systemprozessen ∗∗∗ --------------------------------------------- Im Vergleich zu Windows oder sogar Linux ist das öffentliche Wissen und die Anleitung zur digitalen Forensik für Solaris / SunOS eher dünn. Während dieses Einsatzes haben wir unser Wissen über Solaris erheblich erweitert und es auf verschiedene Angreifertechniken hin untersucht. In diesem Blog-Beitrag möchten wir unsere Erfahrungen mit der Untersuchung potenzieller Persistenz durch Systemprozesse im Zusammenhang mit der MITRE ATT&CK-Technik T1543 teilen. --------------------------------------------- https://sec-consult.com/de/blog/detail/investigating-solaris-sunos-persiste… ∗∗∗ Deloitte Says No Threat to Sensitive Data After Hacker Claims Server Breach ∗∗∗ --------------------------------------------- A notorious hacker has announced the theft of data from an improperly protected server allegedly belonging to Deloitte. {..] Deloitte says no sensitive data exposed after a notorious hacker leaked what he claimed to be internal communications. --------------------------------------------- https://www.securityweek.com/deloitte-says-no-threat-to-sensitive-data-afte… ∗∗∗ Kirchenaustritt nicht über kirchenaustritt-digital-beantragen.at beantragen ∗∗∗ --------------------------------------------- Wer Informationen zum Kirchenaustritt sucht, landet schnell bei kirchenaustritt-digital-beantragen.at. Wir raten jedoch davon ab, über diesen kostenpflichtigen Dienst den Austritt zu beantragen. Beschwerden zufolge wird die Kündigung trotz Bezahlung nicht an die Kirche übermittelt. Außerdem werden sehr viele Daten und eine Ausweiskopie verlangt. Wir raten generell davon ab, Kündigungen usw. über Drittanbieter abzuwickeln. --------------------------------------------- https://www.watchlist-internet.at/news/kirchenaustritt/ ∗∗∗ Inside SnipBot: The Latest RomCom Malware Variant ∗∗∗ --------------------------------------------- We deconstruct SnipBot, a variant of RomCom malware. Its authors, who target diverse sectors, seem to be aiming for espionage instead of financial gain. --------------------------------------------- https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/ ∗∗∗ Hacker Leaks 12,000 Alleged Twilio Call Records with Audio Recordings ∗∗∗ --------------------------------------------- A hacker has leaked 12,000 alleged Twilio call records, including phone numbers and audio recordings. The breach exposes personal data, creating significant privacy risks for businesses and individuals using the service. --------------------------------------------- https://hackread.com/hacker-leaks-twilio-call-records-audio-recordings/ ===================== = Vulnerabilities = ===================== ∗∗∗ Unpatched Vulnerabilities Expose Riello UPSs to Hacking: Security Firm ∗∗∗ --------------------------------------------- Hackers can take control of Riello UPS devices by exploiting vulnerabilities that likely remain unpatched, according to CyberDanube, an Austria-based firm specializing in industrial cybersecurity. --------------------------------------------- https://www.securityweek.com/unpatched-vulnerabilities-expose-riello-upss-t… ∗∗∗ CISA Releases Eight Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- ICSA-24-268-01 OPW Fuel Management Systems SiteSentinel, ICSA-24-268-02 Alisonic Sibylla, ICSA-24-268-03 Franklin Fueling Systems TS-550 EVO, ICSA-24-268-04 Dover Fueling Solutions ProGauge MAGLINK LX CONSOLE, ICSA-24-268-05 Moxa MXview One, ICSA-24-268-06 OMNTEC Proteus Tank Monitoring, ICSA-24-156-01 Uniview NVR301-04S2-P4 (Update A), ICSA-19-274-01 Interpeak IPnet TCP/IP Stack (Update E) --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/09/24/cisa-releases-eight-indu… ∗∗∗ Zyxel security advisory for post-authentication memory corruption vulnerabilities in some DSL/Ethernet CPE, fiber ONT, WiFi extender, and security router versions ∗∗∗ --------------------------------------------- Zyxel has released patches for some DSL/Ethernet CPE, fiber ONT, WiFi extender, and security router versions affected by post-authentication memory corruption vulnerabilities. Users are advised to install them for optimal protection. (CVE-2024-38266 CVE-2024-38267 CVE-2024-38268 CVE-2024-38269) --------------------------------------------- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-… ∗∗∗ Critical Vulnerabilities Discovered in Automated Tank Gauge Systems ∗∗∗ --------------------------------------------- In this blogpost, we will explore the ATG systems, their inherent risk when exposed to the Internet and the several critical vulnerabilities uncovered by Bitsight TRACE. By understanding these vulnerabilities, we hope that the reader can better appreciate the urgent need for enhanced security measures and the steps that need to be taken to protect these systems from exploitation. --------------------------------------------- https://www.bitsight.com/blog/critical-vulnerabilities-discovered-automated… ∗∗∗ Xen Security Advisory CVE-2024-45817 / XSA-462 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-462.html ∗∗∗ Keycloak Security Update Advisory (CVE-2024-8698) ∗∗∗ --------------------------------------------- https://asec.ahnlab.com/en/83325/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.09.2024
by Daily end-of-shift report 23 Sep '24

23 Sep '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 20-09-2024 18:00 − Montag 23-09-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Hyper-V und VMware: Schwachstellen, Patches, PoCs ∗∗∗ --------------------------------------------- In Hyper-V wurde kürzlich eine Schwachstelle gepatcht – jetzt gibt es einen Proof of Concept (PoC) für diese Schwachstelle. Und bei VMware gibt es ebenfalls Schwachstellen sowie Infos, wie sich aus der VM ausbrechen lässt. --------------------------------------------- https://www.borncity.com/blog/2024/09/23/hyper-v-und-vmware-schwachstellen-… ∗∗∗ Android malware Necro infects 11 million devices via Google Play ∗∗∗ --------------------------------------------- A new version of the Necro Trojan malware for Android was installed on 11 million devices through Google Play in malicious SDK supply chain attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/android-malware-necro-infect… ∗∗∗ Global infostealer malware operation targets crypto users, gamers ∗∗∗ --------------------------------------------- A massive infostealer malware operation encompassing thirty campaigns targeting a broad spectrum of demographics and system platforms has been uncovered, attributed to a cybercriminal group named "Marko Polo." --------------------------------------------- https://www.bleepingcomputer.com/news/security/global-infostealer-malware-o… ∗∗∗ Phishing links with @ sign and the need for effective security awareness building, (Mon, Sep 23rd) ∗∗∗ --------------------------------------------- While going over a batch of phishing e-mails that were delivered to us here at the Internet Storm Center during the first half of September, I noticed one message which was somewhat unusual. Not because it was untypically sophisticated or because it used some completely new technique, but rather because its authors took advantage of one of the less commonly misused aspects of the URI format – the ability to specify information about a user in the URI before its "host" part (domain or IP address). --------------------------------------------- https://isc.sans.edu/diary/rss/31288 ∗∗∗ Staying a Step Ahead: Mitigating the DPRK IT Worker Threat ∗∗∗ --------------------------------------------- This report aims to increase awareness of the DPRK's efforts to obtain employment as IT workers and shed light on their operational tactics for obtaining employment and maintaining access to corporate systems. Understanding these methods can help organizations better detect these sorts of suspicious behaviors earlier in the hiring process. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/mitigating-dprk-it… ∗∗∗ Why Do Criminals Love Phishing-as-a-Service Platforms? ∗∗∗ --------------------------------------------- Phishing-as-a-Service (PaaS) platforms have become the go-to tool for cybercriminals, to launch sophisticated phishing campaigns targeting the general public and businesses, especially in the financial services sector. [..] In this blog, we’ll explore the key features offered by PaaS platforms, highlight the major platforms Trustwave SpiderLabs has recently observed, and cover effective phishing mitigation strategies. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/why-do-crim… ∗∗∗ CISA boss: Makers of insecure software are enablers of the real villains ∗∗∗ --------------------------------------------- Software suppliers who ship buggy, insecure code are the true baddies in the cyber crime story, Jen Easterly, boss of the US government's Cybersecurity and Infrastructure Security Agency, has argued. "The truth is: Technology vendors are the characters who are building problems" into their products, which then "open the doors for villains to attack their victims," declared Easterly during a Wednesday keynote address at Mandiant's mWise conference. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2024/09/20/cisa_sloppy_… ∗∗∗ Proxy Detection: Comparing Detection Services with the Truth ∗∗∗ --------------------------------------------- In our previous blog post, we looked at different (free and paid) solutions to detect the use of anonymity tools during attacks executed on our Remote Desktop Protocol (RDP) honeypots. Confronted with inconclusive outcomes, this blog post aims to evaluate the different proxy detector tools by analyzing their results with our dataset of Truth. --------------------------------------------- https://gosecure.ai/blog/2024/09/23/proxy-detection-comparing-detection-ser… ∗∗∗ Hackers Claim Second Dell Data Breach in One Week ∗∗∗ --------------------------------------------- Hackers claim a second Dell data breach within a week, exposing sensitive internal files via compromised Atlassian tools. Allegedly, data from Jira, Jenkins, and Confluence was leaked. Dell is already investigating the first incident. --------------------------------------------- https://hackread.com/dell-hit-by-second-security-breach-in-week/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (expat, fence-agents, firefox, libnbd, openssl, pcp, ruby:3.3, and thunderbird), Debian (ruby-saml), Fedora (aardvark-dns, chromium, expat, jupyterlab, less, openssl, python-jupyterlab-server, python-notebook, python3-docs, and python3.12), Gentoo (calibre, curl, Emacs, org-mode, Exo, file, GPL Ghostscript, gst-plugins-good, liblouis, Mbed TLS, OpenVPN, Oracle VirtualBox, PJSIP, Portage, PostgreSQL, pypy, pypy3, Rust, Slurm, stb, VLC, and Xen), SUSE (container-suseconnect, ffmpeg-4, kernel, libpcap, python3, python310, python36, and wpa_supplicant), and Ubuntu (firefox, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-azure, and linux-ibm-5.15, linux-oracle-5.15). --------------------------------------------- https://lwn.net/Articles/991377/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.09.2024
by Daily end-of-shift report 20 Sep '24

20 Sep '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 19-09-2024 18:00 − Freitag 20-09-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Ever wonder how crooks get the credentials to unlock stolen phones? ∗∗∗ --------------------------------------------- iServer provided a simple service for phishing credentials to unlock phones. --------------------------------------------- https://arstechnica.com/?p=2051165 ∗∗∗ CISA warns of actively exploited Apache HugeGraph-Server bug ∗∗∗ --------------------------------------------- The U.S. Cybersecurity and Infrastructure Agency (CISA) has added five flaws to its Known Exploited Vulnerabilities (KEV) catalog, among which is a remote code execution (RCE) flaw impacting Apache HugeGraph-Server. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cisa-warns-of-actively-explo… ∗∗∗ macOS Sequoia change breaks networking for VPN, antivirus software ∗∗∗ --------------------------------------------- Users of macOS 15 Sequoia are reporting network connection errors when using certain endpoint detection and response (EDR) or virtual private network (VPN) solutions, and web browsers. --------------------------------------------- https://www.bleepingcomputer.com/news/apple/macos-sequoia-change-breaks-net… ∗∗∗ 1 In 10 Orgs Dumping Their Security Vendors After CrowdStrike Outage ∗∗∗ --------------------------------------------- An anonymous reader quotes a report from The Register: Germanys Federal Office for Information Security (BSI) says one in ten organizations in the country affected by CrowdStrikes outage in July are dropping their current vendors products. Four percent of organizations have already abandoned their existing solutions, while a further 6 percent plan to .. --------------------------------------------- https://it.slashdot.org/story/24/09/19/1721236/1-in-10-orgs-dumping-their-s… ∗∗∗ SAP Hash Cracking Techniques ∗∗∗ --------------------------------------------- Hashing is a one-way encryption technique employed to ensure data integrity, authenticate information, and secure passwords alongside other sensitive data. Hash functions convert input data into a fixed-size string of characters that are both uniform and deterministic, making them an excellent choice for maintaining data security. --------------------------------------------- https://redrays.io/blog/sap-hash-cracking-techniques/ ∗∗∗ This Windows PowerShell Phish Has Scary Potential ∗∗∗ --------------------------------------------- Many GitHub users this week received a novel phishing email warning of critical security holes in their code. Those who clicked the link for details were asked to distinguish themselves from bots by pressing a combination of keyboard keys that causes Microsoft Windows to download password-stealing malware. While its unlikely that many programmers fell for this .. --------------------------------------------- https://krebsonsecurity.com/2024/09/this-windows-powershell-phish-has-scary… ∗∗∗ Ivanti Warns of Second CSA Vulnerability Exploited in Attacks ∗∗∗ --------------------------------------------- In addition to the Ivanti CSA flaw CVE-2024-8190, another vulnerability affecting the same product, tracked as CVE-2024-8963, has been exploited. --------------------------------------------- https://www.securityweek.com/ivanti-warns-of-second-csa-vulnerability-explo… ∗∗∗ Noise Storms: Massive Amounts of Spoofed Web Traffic Linked to China ∗∗∗ --------------------------------------------- GreyNoise has observed millions of spoofed IPs flooding internet providers with web traffic primarily focusing on TCP connections. --------------------------------------------- https://www.securityweek.com/noise-storms-massive-amounts-of-spoofed-web-tr… ∗∗∗ Vorsicht vor gefälschten Gewinnspielen von ÖAMTC und ADAC ∗∗∗ --------------------------------------------- Vorsicht, wenn Sie per E-Mail ein Gewinnspiel für ein Auto-Notfallset erhalten. Kriminelle geben sich als ÖAMTC oder ADAC aus und behaupten, Sie hätten ein Auto-Notfallset gewonnen. Klicken Sie nicht auf den Link, Sie werden in eine Abo-Fall gelockt! --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschte-gewinnspiele-oeamtc-adac/ ∗∗∗ Datendiebstahl via Slack, Disney stellt Nutzung des Messenger-Dienstes ein ∗∗∗ --------------------------------------------- Die Hackergruppe Nullbulge konnte Computercode und Details über unveröffentlichte Projekte stehlen und veröffentlichen --------------------------------------------- https://www.derstandard.at/story/3000000237370/datendiebstahl-disney-trennt… ∗∗∗ High-risk vulnerabilities in common enterprise technologies ∗∗∗ --------------------------------------------- Rapid7 is warning customers about high-risk vulnerabilities in Adobe ColdFusion, Broadcom VMware vCenter Server, and Ivanti Endpoint Manager (EPM). These CVEs are likely attack targets for APT and/or financially motivated adversaries. --------------------------------------------- https://www.rapid7.com/blog/post/2024/09/19/etr-high-risk-vulnerabilities-i… ∗∗∗ Jugendherbergen offenbar Opfer von Ransomware-Bande Hunters ∗∗∗ --------------------------------------------- Ende August kam es zu Störungen bei rund 450 deutschen Jugendherbergen. Die Ursache war unklar. Offenbar ist eine Ransomware-Attacke schuld. --------------------------------------------- https://heise.de/-9938226 ===================== = Vulnerabilities = ===================== ∗∗∗ DSA-5773-1 chromium - security update ∗∗∗ --------------------------------------------- https://lists.debian.org/debian-security-announce/2024/msg00186.html ∗∗∗ OpenSSH 9.9 released ∗∗∗ --------------------------------------------- https://lwn.net/Articles/991028/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.09.2024
by Daily end-of-shift report 19 Sep '24

19 Sep '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 18-09-2024 18:00 − Donnerstag 19-09-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Clever GitHub Scanner campaign abusing repos to push malware ∗∗∗ --------------------------------------------- A clever threat campaign is abusing GitHub repositories to distribute the Lumma Stealer password-stealing malware targeting users who frequent an open source project repository or are subscribed to email notifications from it. [..] The domain, github-scanner[.]com is not affiliated with GitHub and is being used to deliver malware to visitors. --------------------------------------------- https://www.bleepingcomputer.com/news/security/clever-github-scanner-campai… ∗∗∗ Sicherheitsexperte: Müssen uns nicht vor explodierenden Handys fürchten ∗∗∗ --------------------------------------------- Nach Explosionswellen im Libanon sorgen sich manche nun um die eigenen Smartphones. Cyberexperte Joe Pichelmayr sieht da aber wenig Gefahr. --------------------------------------------- https://futurezone.at/digital-life/sicherheitsexperte-handys-smartphone-exp… ∗∗∗ Google Cloud Document AI flaw (still) allows data theft despite bounty payout ∗∗∗ --------------------------------------------- Overly permissive settings in Google Cloud's Document AI service could be abused by data thieves to break into Cloud Storage buckets and steal sensitive information. [..] A Google spokesperson has told us in response to the above: [..] We developed a fix and are actively working to roll it out. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2024/09/17/google_cloud… ∗∗∗ Cracked Software or Cyber Trap? The Rising Danger of AsyncRAT Malware ∗∗∗ --------------------------------------------- In this blog, we’ll examine the mechanics of AsyncRAT, how it spreads by masquerading as cracked software, and the steps you can take to protect yourself from this increasingly common cyber threat. --------------------------------------------- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/cracked-software-or-cy… ∗∗∗ Solar Cybersecurity And The Nuances Of Renewable Energy Integration ∗∗∗ --------------------------------------------- The modern age of renewable energy has seen a surge in solar panels and wind turbines. While these systems enhance sustainability, their digital technologies carry risks. Cybersecurity professionals must know the relevant nuances when integrating renewable systems. --------------------------------------------- https://www.tripwire.com/state-of-security/solar-cybersecurity-and-nuances-… ∗∗∗ Discovering Splinter: A First Look at a New Post-Exploitation Red Team Tool ∗∗∗ --------------------------------------------- Discover Splinter, a new post-exploitation tool with advanced features like command execution and file manipulation, detected by Unit 42 researchers. --------------------------------------------- https://unit42.paloaltonetworks.com/analysis-pentest-tool-splinter/ ∗∗∗ Betrugsfall mit tegut teo-App und fiktiver Mitarbeiternummer ∗∗∗ --------------------------------------------- Im Prozess sagte der Angeklagte: "Ich war zu der Zeit arbeitslos. Für die Märkte gibt es eine App und da konnte man bei Bezahlungsmitteln die Mitarbeiternummer als Karte hinterlegen. Ich habe es einfach mit einer zufälligen Zahl probiert, und es hat direkt geklappt. --------------------------------------------- https://www.borncity.com/blog/2024/09/19/betrugsfall-mit-tegut-teo-app-und-… ∗∗∗ Aktuelle Phishing-Masche: Terminwunsch für Telefonat mit angeblicher Sparkasse ∗∗∗ --------------------------------------------- Die Verbraucherzentrale NRW warnt vor einer aktuellen Phishing-Masche. Angeblich will die Sparkasse einen Termin für ein Telefonat. --------------------------------------------- https://heise.de/-9909574 ∗∗∗ Discord startet Ende-zu-Ende-Verschlüsselung für Audio- und Video-Chats ∗∗∗ --------------------------------------------- Um die Privatsphäre zu wahren, verschlüsselt der Onlinedienst Discord ab sofort bestimmte Formen des Nachrichtenaustauschs Ende-zu-Ende. --------------------------------------------- https://heise.de/-9909594 ===================== = Vulnerabilities = ===================== ∗∗∗ VU#138043: A stack-based overflow vulnerability exists in the Microchip Advanced Software Framework (ASF) implementation of the tinydhcp server ∗∗∗ --------------------------------------------- CVE-2024-7490 There exists a vulnerability in all publicly available examples of the ASF codebase that allows for a specially crafted DHCP request to cause a stack-based overflow that could lead to remote code execution. --------------------------------------------- https://kb.cert.org/vuls/id/138043 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (expat and tinyproxy), Fedora (frr, microcode_ctl, python3.10, python3.12, python3.6, and ruby), Oracle (expat, fence-agents, firefox, ghostscript, java-1.8.0-openjdk, kernel, and thunderbird), Red Hat (firefox, openssl, ruby:3.3, and thunderbird), SUSE (clamav, ffmpeg-4, kernel, libmfx, python3, python312, runc, ucode-intel, and wireshark), and Ubuntu (apache2, git, linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-nvidia, linux-oracle, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-xilinx-zynqmp, and linux, linux-aws, linux-gcp, linux-gke, linux-ibm, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-oem-6.8, linux-oracle). --------------------------------------------- https://lwn.net/Articles/990877/ ∗∗∗ GitLab Patches Critical Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- GitLab has patched a critical-severity SAML authentication bypass affecting both Community Edition (CE) and Enterprise Edition (EE) instances. [..] The issue, tracked as CVE-2024-45409 (CVSS score of 10/10), only affects GitLab CE/EE instances that have been configured to use SAML-based authentication. --------------------------------------------- https://www.securityweek.com/gitlab-patches-critical-authentication-bypass-… ∗∗∗ DSA-5772-1 libreoffice - security update ∗∗∗ --------------------------------------------- https://lists.debian.org/debian-security-announce/2024/msg00185.html ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (September 9, 2024 to September 15, 2024) ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2024/09/wordfence-intelligence-weekly-wordpr… ∗∗∗ MegaSys Computer Technologies Telenium Online Web Application ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-263-04 ∗∗∗ IDEC PLCs ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-263-02 ∗∗∗ Kastle Systems Access Control System ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-263-05 ∗∗∗ IDEC CORPORATION WindLDR and WindO/I-NV4 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-263-03 ∗∗∗ Rockwell Automation RSLogix 5 and RSLogix 500 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-263-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.09.2024
by Daily end-of-shift report 18 Sep '24

18 Sep '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 17-09-2024 18:00 − Mittwoch 18-09-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Construction firms breached in brute force attacks on accounting software ∗∗∗ --------------------------------------------- Hackers are brute-forcing passwords for highly privileged accounts on exposed Foundation accounting servers, widely used in the construction industry, to breach corporate networks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/construction-firms-breached-… ∗∗∗ Temu denies breach after hacker claims theft of 87 million data records ∗∗∗ --------------------------------------------- Temu denies it was hacked or suffered a data breach after a threat actor claimed to be selling a stolen database containing 87 million records of customer information. --------------------------------------------- https://www.bleepingcomputer.com/news/security/temu-denies-breach-after-hac… ∗∗∗ Sandbox scores are not an antivirus replacement ∗∗∗ --------------------------------------------- Automatic sandbox services should not be treated like "antivirus scanners" to determine maliciousness for samples. That’s not their intended use, and they perform poorly in that role. Unfortunately, providing an "overall score" or "verdict" is misleading. --------------------------------------------- https://www.gdatasoftware.com/blog/2024/09/38031-sandbox-scores-are-not-an-… ∗∗∗ Vanir Locker: Deutsche Polizei übernimmt Tor-Seite einer Hackergruppe ∗∗∗ --------------------------------------------- Wer die Datenleckseite der Ransomwaregruppe Vanir Locker aufruft, findet dort nun eine Meldung des LKA vor. Die Seite wurde beschlagnahmt. --------------------------------------------- https://www.golem.de/news/lka-baden-wuerttemberg-polizei-uebernimmt-leak-se… ∗∗∗ Python Infostealer Patching Windows Exodus App, (Wed, Sep 18th) ∗∗∗ --------------------------------------------- A few months ago, I wrote a diary about a Python script that replaced the Exodus[2] Wallet app with a rogue one on macOS. Infostealers are everywhere these days. They target mainly browsers (cookies, credentials) and classic applications that may handle sensitive information. Cryptocurrency wallets are another category of applications .. --------------------------------------------- https://isc.sans.edu/forums/diary/Python+Infostealer+Patching+Windows+Exodu… ∗∗∗ VMware patches remote make-me-root holes in vCenter Server, Cloud Foundation ∗∗∗ --------------------------------------------- Bug reports made in China Broadcom has emitted a pair of patches for vulnerabilities in VMware vCenter Server that a miscreant with network access to the software could exploit to completely commandeer a system. This also affects Cloud Foundation. --------------------------------------------- https://www.theregister.com/2024/09/17/vmware_vcenter_patch/ ∗∗∗ Australian Police conducted supply chain attack on criminal collaborationware ∗∗∗ --------------------------------------------- Sting led to cuffing of alleged operator behind Ghost – an app for drug trafficking, money laundering, and violence-as-a-service Australias Federal Police (AFP) yesterday arrested and charged a man with creating and administering an app named Ghost that was allegedly "a dedicated encrypted communication platform … built solely for the criminal underworld" and .. --------------------------------------------- https://www.theregister.com/2024/09/18/afp_operation_kraken_ghost_crimeware… ∗∗∗ Did a Chinese University Hacking Competition Target a Real Victim? ∗∗∗ --------------------------------------------- Participants in a hacking competition with ties to China’s military were, unusually, required to keep their activities secret, but security researchers say the mystery only gets stranger from there. --------------------------------------------- https://www.wired.com/story/china-hacking-competition-real-victim/ ∗∗∗ Scam ‘Funeral Streaming’ Groups Thrive on Facebook ∗∗∗ --------------------------------------------- Scammers are flooding Facebook with groups that purport to offer video streaming of funeral services for the recently deceased. Friends and family who follow the links for the streaming services are then asked to cough up their credit card information. Recently, these scammers have branched out into offering fake streaming services for nearly any .. --------------------------------------------- https://krebsonsecurity.com/2024/09/scam-funeral-streaming-groups-thrive-on… ∗∗∗ Russian Security Firm Doctor Web Hacked ∗∗∗ --------------------------------------------- Antimalware company Doctor Web was recently targeted in a cyberattack that prompted it to disconnect all resources from its networks. --------------------------------------------- https://www.securityweek.com/russian-security-firm-doctor-web-discloses-tar… ∗∗∗ North Korean Hackers Lure Critical Infrastructure Employees With Fake Jobs ∗∗∗ --------------------------------------------- A North Korean group tracked as UNC2970 has been spotted trying to deliver new malware to people in the aerospace and energy industries. --------------------------------------------- https://www.securityweek.com/north-korean-hackers-lure-critical-infrastruct… ∗∗∗ Cyber threats to shipping explained ∗∗∗ --------------------------------------------- TL;DR Modern vessels are becoming increasingly connected. While it is unlikely that hackers could fully control a container ship remotely, they may be able to disrupt systems such as the […]The post Cyber threats to shipping explained first appeared on Pen Test Partners. --------------------------------------------- https://www.pentestpartners.com/security-blog/cyber-threats-to-shipping-exp… ∗∗∗ Vulnerabilities in Cellular Packet Cores Part IV: Authentication ∗∗∗ --------------------------------------------- Our research reveals two significant vulnerabilities in Microsoft Azure Private 5G Core (AP5GC). The first vulnerability (CVE-2024-20685) allows a crafted signaling message to crash the control plane, leading to potential service outages. The second (ZDI-CAN-23960) disconnects and replaces attached base stations, disrupting network operations. While these .. --------------------------------------------- https://www.trendmicro.com/en_us/research/24/i/vulnerabilities-in-cellular-… ∗∗∗ RAMBO Attack: Electromagnetic Waves Steal Data from Air-Gapped Systems ∗∗∗ --------------------------------------------- Air-gapped systems, once considered immune to attacks, are now vulnerable. Learn about a groundbreaking new method that .. --------------------------------------------- https://hackread.com/rambo-attack-electromagnetic-waves-data-air-gapped-sys… ∗∗∗ CISA KEV performance in the Financial Sector ∗∗∗ --------------------------------------------- I’ve had a number of requests to examine the finance sector in more detail including breakdowns of exactly what kind of financial organizations are experiencing greater risk and who is remediating more quickly. Heres some answers. --------------------------------------------- https://www.bitsight.com/blog/cisa-kev-performance-financial-sector ===================== = Vulnerabilities = ===================== ∗∗∗ Multiple vulnerabilities in WordPress plugin "Welcart e-Commerce" ∗∗∗ --------------------------------------------- WordPress plugin "Welcart e-Commerce" provided by Welcart Inc. contains multiple vulnerabilities. --------------------------------------------- https://jvn.jp/en/jp/JVN19766555/ ∗∗∗ Apple Releases Security Updates for Multiple Products ∗∗∗ --------------------------------------------- Apple released security updates to address vulnerabilities in multiple Apple products. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the following .. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/09/18/apple-releases-security-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.09.2024
by Daily end-of-shift report 17 Sep '24

17 Sep '24

===================== = End-of-Day report = ===================== Timeframe: Montag 16-09-2024 18:00 − Dienstag 17-09-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Exploit code released for critical Ivanti RCE flaw, patch now ∗∗∗ --------------------------------------------- A proof-of-concept (PoC) exploit for CVE-2024-29847, a critical remote code execution (RCE) vulnerability in Ivanti Endpoint Manager, is now publicly released, making it crucial to update devices. --------------------------------------------- https://www.bleepingcomputer.com/news/security/exploit-code-released-for-cr… ∗∗∗ Emergency Accounts: Last Call! ∗∗∗ --------------------------------------------- Even if you have been out of office for the last couple of months, you should be aware that starting October 15th you will need to provide Multi Factor Authentication (MFA) to logon to Azure portal, Entra admin center and Intune admin center. This will be enforced to all users accessing these resources regardless of their role or permission level. [..] With Microsoft’s new MFA enforcement, you need a different approach for emergency accounts. --------------------------------------------- https://blog.nviso.eu/2024/09/17/emergency-accounts-last-call/ ∗∗∗ Secure Boot-neutering PKfail debacle is more prevalent than anyone knew ∗∗∗ --------------------------------------------- A supply chain failure that compromises Secure Boot protections on computing devices from across the device-making industry extends to a much larger number of models than previously known, including those used in ATMs, point-of-sale terminals, and voting machines. --------------------------------------------- https://arstechnica.com/?p=2050182 ∗∗∗ Check24 und Verivox: Sensible Daten von Kreditnehmern leicht zugänglich im Netz ∗∗∗ --------------------------------------------- Bei zwei namhaften Vergleichsportalen hat ein Experte Sicherheitslücken entdeckt. Dadurch sollen Kreditangebote mit sensiblen Daten frei abrufbar gewesen sein. [..] Genannt wurden Daten wie Namen und Adressen sowie Angaben zum jeweiligen Arbeitsverhältnis, Einkommen und die Anzahl der Kinder. --------------------------------------------- https://www.golem.de/news/check24-und-verivox-sensible-daten-von-kreditnehm… ∗∗∗ What to Do With Products Without SSO? ∗∗∗ --------------------------------------------- Let’s start with the role that SSO plays in modern defense architecture, and then cover how to implement similar security measures without such a centralized mechanism. --------------------------------------------- https://zeltser.com/products-without-sso/ ∗∗∗ Cyber predators target vulnerable victims: Hackers blackmail hospitals, trade patient data and find partners through darknet ads ∗∗∗ --------------------------------------------- According to data from Check Point Research (CPR), from January – September 2024, the global weekly average number of attacks per organization within the healthcare industry was 2,018, representing a 32% increase, compared to the same period last year. --------------------------------------------- https://blog.checkpoint.com/research/cyber-predators-target-vulnerable-vict… ∗∗∗ ‘Clipper’ malware is being used to steal crypto, Binance warns ∗∗∗ --------------------------------------------- Binance is warning customers that malware is being used to manipulate withdrawal addresses in order to steal cryptocurrency, in a campaign that has led to “significant financial losses for victims.” --------------------------------------------- https://therecord.media/clipper-malware-binance-stealing-crypto ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (php-twig and pymongo), Fedora (linux-firmware, microcode_ctl, and python3.13), Mageia (clamav, microcode, postgresql13 and postgresql15, python3-webob, suricata, tcpreplay, tgt, and wireshark), Oracle (httpd, kernel, and linux-kernel), Red Hat (firefox, kernel, kernel-rt, pcs, and thunderbird), SUSE (389-ds, chromium, golang-github-prometheus-prometheus, htmldoc, kernel, SUSE Manager Client Tools, and wireshark), and Ubuntu (clamav, curl, dcmtk, dovecot, nginx, openssh, and python3.10, python3.12, python3.8). --------------------------------------------- https://lwn.net/Articles/990588/ ∗∗∗ Apple Patches Major Security Flaws With iOS 18 Refresh ∗∗∗ --------------------------------------------- Apple warns that attackers can use Siri to access sensitive user data, control nearby devices, or view recent photos without authentication. According to a bulletin from Cupertino, iOS 18 has been fitted with fixes for vulnerabilities in core components including accessibility features, Bluetooth, Control Center, and Wi-Fi, with several flaws allowing unauthorized access to sensitive data or full device control. --------------------------------------------- https://www.securityweek.com/apple-patches-major-security-flaws-with-ios-18… ∗∗∗ Sicherheitspatch: Hintertür in einigen D-Link-Routern erlaubt unbefugte Zugriffe ∗∗∗ --------------------------------------------- Angreifer können bestimmte Router-Modelle von D-Link attackieren und kompromittieren. Sicherheitsupdates stehen zum Download bereit. --------------------------------------------- https://heise.de/-9870648 ∗∗∗ MISP 2.4.198 released with many bugs fixed, security fixes and improvements. ∗∗∗ --------------------------------------------- https://www.misp-project.org/2024/09/17/MISP.2.4.198.released.html/ ∗∗∗ Yokogawa Dual-redundant Platform for Computer (PC2CKM) ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-261-03 ∗∗∗ Millbeck Communications Proroute H685t-w ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-261-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.09.2024
by Daily end-of-shift report 16 Sep '24

16 Sep '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 13-09-2024 18:00 − Montag 16-09-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ 1.3 million Android-based TV boxes backdoored; researchers still don’t know how ∗∗∗ --------------------------------------------- Infection corrals devices running AOSP-based firmware into a botnet. --------------------------------------------- https://arstechnica.com/?p=2049773 ∗∗∗ Malware locks browser in kiosk mode to steal Google credentials ∗∗∗ --------------------------------------------- A malware campaign uses the unusual method of locking users in their browsers kiosk mode to annoy them into entering their Google credentials, which are then stolen by information-stealing malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malware-locks-browser-in-kio… ∗∗∗ Nach Cyberangriff: Hacker stellen Daten von Kawasaki ins Darknet ∗∗∗ --------------------------------------------- Kawasaki selbst behauptet, der Cyberangriff sei "nicht erfolgreich" gewesen. Dennoch sind im Darknet fast 500 GBytes an Unternehmensdaten aufgetaucht. --------------------------------------------- https://www.golem.de/news/nach-cyberangriff-hacker-stellen-daten-von-kawasa… ∗∗∗ Australia Threatens to Force Companies to Break Encryption ∗∗∗ --------------------------------------------- In 2018, Australia passed the Assistance and Access Act, which - among other things - gave the government the power to force companies to break their own encryption. The Assistance and Access Act includes key components that outline investigatory powers between government and industry. These components include: Technical Assistance .. --------------------------------------------- https://www.schneier.com/blog/archives/2024/09/australia-threatens-to-force… ∗∗∗ Cybercriminals Exploit HTTP Headers for Credential Theft via Large-Scale Phishing Attacks ∗∗∗ --------------------------------------------- Cybersecurity researchers have warned of ongoing phishing campaigns that abuse refresh entries in HTTP headers to deliver spoofed email login pages that are designed to harvest users credentials."Unlike other phishing webpage .. --------------------------------------------- https://thehackernews.com/2024/09/cybercriminals-exploit-http-headers-for.h… ∗∗∗ Prison just got rougher as band of heinously violent cybercrims sentenced to lengthy stints ∗∗∗ --------------------------------------------- Orchestrators of abductions, torture, crypto thefts, and more get their comeuppance One cybercriminal of the most violent kind will spend his best years behind bars, as will 11 of his thug pals for a string of cryptocurrency robberies in the US. --------------------------------------------- https://www.theregister.com/2024/09/16/prison_just_got_rougher_as/ ∗∗∗ Germany’s CDU still struggling to restore data months after June cyberattack ∗∗∗ --------------------------------------------- Putting a spanner in work for plans of opposition party to launch a comeback during next years elections One of Germanys major political parties is still struggling to restore member data more than three months after a June cyberattack targeting its systems. --------------------------------------------- https://www.theregister.com/2024/09/16/nein_luck_for_germanys_cdu/ ∗∗∗ Acquiring Malicious Browser Extension Samples on a Shoestring Budget ∗∗∗ --------------------------------------------- A friend of mine sent me a link to an article on malicious browser extensions that worked around Google Chrome Manifest V3 and asked if I had or could acquire a sample. In the process of getting a sample, I thought, if I was someone who didn’t have the paid resources that an enterprise might have, how would .. --------------------------------------------- https://pberba.github.io/crypto/2024/09/14/malicious-browser-extension-gene… ∗∗∗ Akute Welle an DDoS-Angriffen gegen österreichische Unternehmen und Organisationen ∗∗∗ --------------------------------------------- Seit kurzem sind verschiedene österreichische Unternehmen und Organisationen aus unterschiedlichen Branchen und Sektoren mit DDoS-Angriffen konfrontiert. Die genauen Hintergründe der Attacke sind uns zurzeit nicht bekannt, Hinweise für eine hacktivistische Motivation liegen jedoch vor. In Anbetracht der aktuellen Geschehnisse empfehlen wir .. --------------------------------------------- https://www.cert.at/de/aktuelles/2024/9/ddos-angriffe-september-2024 ∗∗∗ German radio station forced to broadcast emergency tape following cyberattack ∗∗∗ --------------------------------------------- Radio Geretsried, a local station in Germany, has blamed “unknown attackers from Russia” after an apparent ransomware incident left it broadcasting music from emergency backups. --------------------------------------------- https://therecord.media/germany-cyberattack-radio-geretsried ∗∗∗ Small Devices, Big Threats: The Dark Side of Removable Devices ∗∗∗ --------------------------------------------- Our new article highlights the security risks of removable devices like USB drives and SD cards, exploring real-world threats and offering key cybersecurity tips to protect sensitive data. --------------------------------------------- https://www.emsisoft.com/en/blog/45977/small-devices-big-threats-the-dark-s… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (git, nodejs, and ring), Fedora (apr, bubblewrap, chromium, clamav, flatpak, mingw-expat, python3-docs, python3.12, and thunderbird), Mageia (assimp, botan2, python-tqdm, and radare2), Slackware (libarchive), and SUSE (curl). --------------------------------------------- https://lwn.net/Articles/990455/ ∗∗∗ MISP 2.4.198 released with bug and security fixes. ∗∗∗ --------------------------------------------- Based on a set of fixes including a security fix, we are pleased to announce the immediate availability of MISP 2.4.198. You can find a list of the detailed changes along with new features further below. As with any security release, we highly encourage everyone to update their instance as soon as .. --------------------------------------------- https://github.com/MISP/MISP/releases/tag/v2.4.198 ∗∗∗ ZDI-24-1226: mySCADA myPRO Hard-Coded Credentials Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-1226/ ∗∗∗ ZDI-24-1225: SolarWinds Access Rights Manager Hard-Coded Credentials Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-1225/ ∗∗∗ ZDI-24-1224: SolarWinds Access Rights Manager JsonSerializationBinder Deserialization of Untrusted Data Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-1224/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.09.2024
by Daily end-of-shift report 13 Sep '24

13 Sep '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 12-09-2024 18:00 − Freitag 13-09-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Distributed Denial of Truth (DDoT): The Mechanics of Influence Operations and The Weaponization of Social Media ∗∗∗ --------------------------------------------- With the US election on the horizon, it’s a good time to explore the concept of social media weaponization and its use in asymmetrically manipulating public opinion through bots, automation, AI, and shady new tools in what Trustwave SpiderLabs has dubbed the Distributed Denial of Truth (DDoT). --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/distributed… ∗∗∗ Fortinet Confirms Limited Data Breach After Hacker Leaks 440 GB of Data ∗∗∗ --------------------------------------------- A hacker claims to have stolen 440 GB of data from cybersecurity firm Fortinet, exploiting an Azure SharePoint vulnerability. The breach, dubbed “Fortileak,” was revealed on a forum with access credentials shared online. [..] Fortinet has now published a blog post addressing the incident, which only affected less than 0.3% of its customers. --------------------------------------------- https://hackread.com/fortinet-confirms-data-breach-hacker-data-leak/ ∗∗∗ Nach CrowdStrike: Microsoft plant Security-Lösungen aus dem Windows-Kernel zu entfernen ∗∗∗ --------------------------------------------- Microsoft hat erste Pläne skizziert, wie sich Windows-Systeme so absichern lassen, dass ein kaputtes Update einer Endpunkt-Sicherheitslösung nicht das ganze Betriebssystem in den Abgrund reißt. --------------------------------------------- https://www.borncity.com/blog/2024/09/13/nach-crowdstrike-microsoft-plant-s… ∗∗∗ I stole 20 GB of data from Capgemini – and now Im leaking it, says cybercrook ∗∗∗ --------------------------------------------- A miscreant claims to have broken into Capgemini and leaked a large amount of sensitive data stolen from the technology services giant – including source code, credentials, and T-Mobile's virtual machine logs. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2024/09/12/capgemini_br… ∗∗∗ 1.3 Million Android TV Boxes Infected by Vo1d Malware ∗∗∗ --------------------------------------------- Doctor Web warns of the new Vo1d Android malware infecting roughly 1.3 million TV boxes running older OS versions. --------------------------------------------- https://www.securityweek.com/1-3-million-android-tv-boxes-infected-by-vo1d-… ∗∗∗ CVE-2024-29847 Deep Dive: Ivanti Endpoint Manager AgentPortal Deserialization of Untrusted Data Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- Ivanti Endpoint Manager (EPM) is an enterprise endpoint management solution that allows for centralized management of devices within an organization. On September 12th, 2024, ZDI and Ivanti released an advisory describing a deserialization vulnerability resulting in remote code execution with a CVSS score of 9.8. In this post we detail the internal workings of this vulnerability. --------------------------------------------- https://www.horizon3.ai/attack-research/attack-blogs/cve-2024-29847-deep-di… ∗∗∗ The Dark Nexus Between Harm Groups and ‘The Com’ ∗∗∗ --------------------------------------------- A cyberattack that shut down two of the top casinos in Las Vegas last year quickly became one of the most riveting security stories of 2023. It was the first known case of native English-speaking hackers in the United States and Britain teaming up with ransomware gangs based in Russia. But that made-for-Hollywood narrative has eclipsed a far more hideous trend: Many of these young, Western cybercriminals are also members of fast-growing online groups that exist solely to bully, stalk, harass and extort vulnerable teens into physically harming themselves and others. --------------------------------------------- https://krebsonsecurity.com/2024/09/the-dark-nexus-between-harm-groups-and-… ∗∗∗ Woo Skimmer Uses Style Tags and Image Extension to Steal Card Details ∗∗∗ --------------------------------------------- This post starts the same way many others do on this blog, and it will be familiar to those who keep up with website security: A client came to us having been notified by their payment processor that credit cards were being stolen from the checkout page of their eCommerce website. The question of course was how? During this investigation we uncovered a very interesting (and in fact, creative) way that threat actors were pilfering credit card details from this compromised website. --------------------------------------------- https://blog.sucuri.net/2024/09/woo-skimmer-uses-style-tags-and-image-exten… ∗∗∗ We can try to bridge the cybersecurity skills gap, but that doesn’t necessarily mean more jobs for defenders ∗∗∗ --------------------------------------------- I have written about the dreaded “cybersecurity skills gap” more times than I can remember in this newsletter, but I feel like it’s time to revisit this topic again. --------------------------------------------- https://blog.talosintelligence.com/threat-source-newsletter-sept-12-2024/ ∗∗∗ FBI and CISA Release Joint PSA, Just So You Know: False Claims of Hacked Voter Information Likely Intended to Sow Distrust of U.S. Elections ∗∗∗ --------------------------------------------- As observed through multiple election cycles, foreign actors and cybercriminals continue to spread false information through various platforms to manipulate public opinion, discredit the electoral process, and undermine confidence in U.S. democratic institutions. The FBI and CISA continue to work closely with federal, state, local, and territorial election partners and provide services and information to safeguard U.S. voting processes and maintain the resilience of the U.S. elections. --------------------------------------------- https://www.cisa.gov/news-events/news/fbi-and-cisa-release-joint-psa-just-s… ===================== = Vulnerabilities = ===================== NTR -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.09.2024
by Daily end-of-shift report 12 Sep '24

12 Sep '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 11-09-2024 18:00 − Donnerstag 12-09-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ GitLab warns of critical pipeline execution vulnerability ∗∗∗ --------------------------------------------- GitLab has released critical updates to address multiple vulnerabilities, the most severe of them (CVE-2024-6678) allowing an attacker to trigger pipelines as arbitrary users under certain conditions. --------------------------------------------- https://www.bleepingcomputer.com/news/security/gitlab-warns-of-critical-pip… ∗∗∗ Sicherheitspaket: CCC droht mit Anleitungen zur Überwachungssabotage ∗∗∗ --------------------------------------------- Zivilgesellschaftliche Verbände sind empört über das Sicherheitspaket der Bundesregierung. Der "billige Populismus" spiele Rechtsextremen in die Hände. --------------------------------------------- https://www.golem.de/news/sicherheitspaket-ccc-droht-mit-anleitungen-zur-ue… ∗∗∗ SiteCheck Remote Website Scanner — Mid-Year 2024 Report ∗∗∗ --------------------------------------------- Conducting an external website scan for indicators of compromise is one of the easiest ways to identify security issues. While remote website scanners may not provide as comprehensive of a scan as server-side scanners, .. --------------------------------------------- https://blog.sucuri.net/2024/09/sitecheck-remote-website-scanner-mid-year-2… ∗∗∗ DragonRank Black Hat SEO Campaign Targeting IIS Servers Across Asia and Europe ∗∗∗ --------------------------------------------- A "simplified Chinese-speaking actor" has been linked to a new campaign that has targeted multiple countries in Asia and Europe with the end goal of performing search engine optimization (SEO) rank manipulation.The black hat SEO .. --------------------------------------------- https://thehackernews.com/2024/09/dragonrank-black-hat-seo-campaign.html ∗∗∗ Exposed Selenium Grid Servers Targeted for Crypto Mining and Proxyjacking ∗∗∗ --------------------------------------------- Internet-exposed Selenium Grid instances are being targeted by bad actors for illicit cryptocurrency mining and proxyjacking campaigns."Selenium Grid is a server that facilitates running test cases in parallel .. --------------------------------------------- https://thehackernews.com/2024/09/exposed-selenium-grid-servers-targeted.ht… ∗∗∗ Transport for London confirms 5,000 user bank data exposed, pulls large chunks of IT infra offline ∗∗∗ --------------------------------------------- Hauling in 30,000 staff IN PERSON to do password resets Breaking Transport for Londons ongoing cyber incident has taken a dark turn as the organization confirmed that some data, including bank details, might have been accessed, and 30,000 employees passwords will need to be reset via in-person appointments. --------------------------------------------- https://www.theregister.com/2024/09/12/transport_for_londons_cyber_attack/ ∗∗∗ Microsoft Windows MSI Installer - Repair to SYSTEM - A detailed journey ∗∗∗ --------------------------------------------- Repair functions of Microsoft Windows MSI installers can be vulnerable in several ways, for instance allowing local attackers to .. --------------------------------------------- https://sec-consult.com/blog/detail/msi-installer-repair-to-system-a-detail… ∗∗∗ Living off the land, GPO style ∗∗∗ --------------------------------------------- TL;DR The ability to edit Group Policy Object (GPOs) from non-domain joined computers using the native Group Policy editor has been on my list for a long time. This blog .. --------------------------------------------- https://www.pentestpartners.com/security-blog/living-off-the-land-gpo-style/ ∗∗∗ Ransomware: Attacks Once More Nearing Peak Levels ∗∗∗ --------------------------------------------- Attacks surge again in second quarter of 2024 as attackers bounce back from disruption. --------------------------------------------- https://symantec-enterprise-blogs.security.com/threat-intelligence/ransomwa… ∗∗∗ Introduction to Third-Party Risk Management ∗∗∗ --------------------------------------------- In today’s world, organizations are increasingly depending on their third-party vendors, suppliers, and partners to support their operations. This way of working, in addition to the digitalization era we’re in, can have great advantages such as being able to offer new services quickly while relying on other’s expertise or cutting costs on already existing processes. --------------------------------------------- https://blog.nviso.eu/2024/09/12/introduction-to-third-party-risk-managemen… ∗∗∗ Vulnerability in Acrobat Reader could lead to remote code execution; Microsoft patches information disclosure issue in Windows API ∗∗∗ --------------------------------------------- CVE-2024-38257 is considered “less likely” to be exploited, though it does not require any user interaction or user privileges. --------------------------------------------- https://blog.talosintelligence.com/vulnerability-roundup-sept-11-2024/ ∗∗∗ Protecting Against RCE Attacks Abusing WhatsUp Gold Vulnerabilities ∗∗∗ --------------------------------------------- In this blog entry, we provide an analysis of the recent remote code execution attacks related to Progress Software’s WhatsUp Gold that possibly abused the vulnerabilities CVE-2024-6670 and CVE-2024-6671. --------------------------------------------- https://www.trendmicro.com/en_us/research/24/i/whatsup-gold-rce.html ∗∗∗ Hadooken Malware Targets Weblogic Applications ∗∗∗ --------------------------------------------- Aqua Nautilus researchers identified a new Linux malware targeting Weblogic servers. The main payload calls itself Hadooken which we think is referring to the attack “surge fist” in the Street Fighter series. When Hadooken is executed, .. --------------------------------------------- https://blog.aquasec.com/hadooken-malware-targets-weblogic-applications-1 ∗∗∗ Microsoft Office: ActiveX wird abgedreht ∗∗∗ --------------------------------------------- Länger war es still darum, aber ActiveX gibt es noch. Kommende Microsoft Office-Versionen schalten die Unterstützung endlich ab. Zumindest fast. --------------------------------------------- https://heise.de/-9865690 ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Routed Passive Optical Network Controller Vulnerabilities ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco IOS XR Software UDP Packet Memory Exhaustion Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Multiple Cisco Products Web-Based Management Interface Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco IOS XR Software Network Convergence System Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco IOS XR Software Segment Routing for Intermediate System-to-Intermediate System Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco IOS XR Software Dedicated XML Agent TCP Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco IOS XR Software CLI Arbitrary File Read Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco IOS XR Software CLI Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.09.2024
by Daily end-of-shift report 11 Sep '24

11 Sep '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 10-09-2024 18:00 − Mittwoch 11-09-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ New PIXHELL acoustic attack leaks secrets from LCD screen noise ∗∗∗ --------------------------------------------- A novel acoustic attack named PIXHELL can leak secrets from air-gapped and audio-gapped systems, and without requiring speakers, through the LCD monitors they connect to. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-pixhell-acoustic-attack-… ∗∗∗ Air-Gapped-Systeme: Malware nutzt LCD-Pixelmuster für Datenausleitung per Schall ∗∗∗ --------------------------------------------- Der Empfang erfolgt zum Beispiel über ein in der Nähe befindliches Smartphone. Die Datenrate ist gering, reicht aber für Keylogging und Passwörter. --------------------------------------------- https://www.golem.de/news/air-gapped-systeme-malware-nutzt-lcd-pixelmuster-… ∗∗∗ Python Libraries Used for Malicious Purposes ∗∗∗ --------------------------------------------- Since I'm interested in malicious Python scripts, I found multiple samples that rely on existing libraries. The most-known repository is probably pypi.org[1] that reports, as of today, 567,478 projects! Malware developers are like regular developers: They don't want to reinvent the wheel and make their shopping across existing libraries to expand their scripts capabilities. --------------------------------------------- https://isc.sans.edu/forums/diary/Python+Libraries+Used+for+Malicious+Purpo… ∗∗∗ Developers Beware: Lazarus Group Uses Fake Coding Tests to Spread Malware ∗∗∗ --------------------------------------------- Cybersecurity researchers have uncovered a new set of malicious Python packages that target software developers under the guise of coding assessments."The new samples were tracked to GitHub projects that .. --------------------------------------------- https://thehackernews.com/2024/09/developers-beware-lazarus-group-uses.html ∗∗∗ Microsoft says it broke some Windows 10 patching – as it fixes flaws under attack ∗∗∗ --------------------------------------------- CISA wants you to leap on Citrix and Ivanti issues. Adobe, Intel, SAP also bid for patching priorities Patch Tuesday Another Patch Tuesday has dawned, as usual with the unpleasant news that there are pressing security weaknesses and blunders to address. --------------------------------------------- https://www.theregister.com/2024/09/11/patch_tuesday_september_2024/ ∗∗∗ So you paid a ransom demand … and now the decryptor doesnt work ∗∗∗ --------------------------------------------- A really big oh sh*t moment, for sure For C-suite execs and security leaders, discovering your organization has been breached, your critical systems locked up and your data stolen, then receiving a ransom demand, is probably the worst day of your professional life. --------------------------------------------- https://www.theregister.com/2024/09/11/ransomware_decryptor_not_working/ ∗∗∗ Over 40,000 WordPress Sites Affected by Privilege Escalation Vulnerability Patched in Post Grid and Gutenberg Blocks Plugin ∗∗∗ --------------------------------------------- On August 14th, 2024, we received a submission for a Privilege Escalation vulnerability in Post Grid and Gutenberg Blocks, a WordPress plugin with over 40,000 active installations. This vulnerability can be leveraged by attackers with minimal authenticated access to set their role to administrator utilizing the form submission functionality. --------------------------------------------- https://www.wordfence.com/blog/2024/09/over-40000-wordpress-sites-affected-… ∗∗∗ ADCS Attack Paths in BloodHound — Part 3 ∗∗∗ --------------------------------------------- In Part 1 of this series, we explained how we incorporated Active Directory Certificate Services (ADCS) objects into BloodHound and demonstrated how to effectively use BloodHound to identify attack paths, including the ESC1 domain escalation technique. Part 2 covered the Golden Certificates .. --------------------------------------------- https://posts.specterops.io/adcs-attack-paths-in-bloodhound-part-3-33efb008… ∗∗∗ Phishing Pages Delivered Through Refresh HTTP Response Header ∗∗∗ --------------------------------------------- We detail a rare phishing mechanism using a refresh entry in the HTTP response header for stealth redirects to malicious pages, affecting finance and government sectors. --------------------------------------------- https://unit42.paloaltonetworks.com/rare-phishing-page-delivery-header-refr… ∗∗∗ The September 2024 Security Update Review ∗∗∗ --------------------------------------------- We’ve reached September and the pumpkin spice floats in the air. While they aren’t pumpkin-spiced, Microsoft and Adobe have released their latest spicy security patches – including some zesty 0-days. Take a break from .. --------------------------------------------- https://www.thezdi.com/blog/2024/9/10/the-september-2024-security-update-re… ∗∗∗ SBOMs and the importance of inventory ∗∗∗ --------------------------------------------- Can a Software Bill of Materials (SBOM) provide organisations with better insight into their supply chains? --------------------------------------------- https://www.ncsc.gov.uk/blog-post/sboms-and-the-importance-of-inventory ∗∗∗ We Spent $20 To Achieve RCE And Accidentally Became The Admins Of .MOBI ∗∗∗ --------------------------------------------- Welcome back to another watchTowr Labs blog. Brace yourselves, this is one of our most astounding discoveries.SummaryWhat started out as a bit of fun between colleagues while avoiding the Vegas heat and $20 bottles of water in our Black Hat hotel .. --------------------------------------------- https://labs.watchtowr.com/we-spent-20-to-achieve-rce-and-accidentally-beca… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (389-ds:1.4, dovecot, emacs, and glib2), Fedora (bluez, iwd, libell, linux-firmware, seamonkey, vim, and wireshark), Mageia (apr, libtiff, Nginx, openssl, orc, unbound, webmin, and zziplib), Red Hat (389-ds:1.4), and SUSE (containerd, curl, go1.22, go1.23, gstreamer-plugins-bad, kernel, ntpd-rs, python-Django, and python311). --------------------------------------------- https://lwn.net/Articles/989772/ ∗∗∗ Cisco Releases Security Updates for Cisco Smart Licensing Utility ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/09/10/cisco-releases-security-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.09.2024
by Daily end-of-shift report 10 Sep '24

10 Sep '24

===================== = End-of-Day report = ===================== Timeframe: Montag 09-09-2024 18:00 − Dienstag 10-09-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Quad7 botnet targets more SOHO and VPN routers, media servers ∗∗∗ --------------------------------------------- The Quad7 botnet is expanding its targeting scope with the addition of new clusters and custom implants that now also target Zyxel VPN appliances and Ruckus wireless routers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/quad7-botnet-targets-more-so… ∗∗∗ NoName ransomware gang deploying RansomHub malware in recent attacks ∗∗∗ --------------------------------------------- The NoName ransomware gang has been trying to build a reputation for more than three years targeting small and medium-sized businesses worldwide with its encryptors and may now be working as a RansomHub affiliate. --------------------------------------------- https://www.bleepingcomputer.com/news/security/noname-ransomware-gang-deplo… ∗∗∗ Trustwave SpiderLabs Research: 20% of Ransomware Attacks in Financial Services Target Banking Institutions ∗∗∗ --------------------------------------------- The 2024 Trustwave Risk Radar Report: Financial Services Sector underscores the escalating threat landscape facing the industry. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trustwave-s… ∗∗∗ Russias top-secret military unit reportedly plots undersea cable sabotage ∗∗∗ --------------------------------------------- US alarmed by heightened Kremlin naval activity worldwide Russias naval activity near undersea cables is reportedly drawing the scrutiny of US officials, further sparking concerns that the Kremlin may be plotting to "sabotage" underwater infrastructure via a secretive, dedicated military unit called the General Staff Main Directorate for Deep Sea Research (GUGI). --------------------------------------------- https://www.theregister.com/2024/09/09/russia_readies_submarine_cable_sabot… ∗∗∗ Phishing Via Typosquatting and Brand Impersonation: Trends and Tactics ∗∗∗ --------------------------------------------- Introduction Following the 2024 ThreatLabz Phishing Report, Zscaler ThreatLabz has been closely tracking domains associated with typosquatting and brand impersonation - common techniques used by threat actors to proliferate phishing campaigns. Typosquatting involves registering domains with misspelled versions of popular websites or .. --------------------------------------------- https://www.zscaler.com/blogs/security-research/phishing-typosquatting-and-… ∗∗∗ Slim CD Data Breach Impacts 1.7 Million Individuals ∗∗∗ --------------------------------------------- Slim CD says the personal and credit card information of 1.7 million was compromised in a ten-month-long data breach. --------------------------------------------- https://www.securityweek.com/slim-cd-data-breach-impacts-1-7-million-indivi… ∗∗∗ Study Finds Excessive Use of Remote Access Tools in OT Environments ∗∗∗ --------------------------------------------- The excessive use of remote access tools in OT environments can increase the attack surface, complicate identity management, and hinder visibility. --------------------------------------------- https://www.securityweek.com/study-finds-excessive-use-of-remote-access-too… ∗∗∗ Smart home security advice. Ring, SimpliSafe, Swann, and Yale ∗∗∗ --------------------------------------------- Introduction This guide covers the security of smart home security products from Ring, Yale, Swann, and SimpliSafe. Whether you’re looking to monitor your property remotely, enhance your home’s security, or .. --------------------------------------------- https://www.pentestpartners.com/security-blog/smart-home-security-advice-ri… ∗∗∗ Firmen überschätzen eigene Abwehrbereitschaft gegen Hacker ∗∗∗ --------------------------------------------- Laut einer aktuellen Studie zahlten 86 Prozent der befragten Firmen im vergangenen Jahr "Lösegeld", nachdem ihre Systeme infiziert wurden --------------------------------------------- https://www.derstandard.at/story/3000000235958/firmen-ueberschaetzen-eigene… ∗∗∗ Threat Assessment: North Korean Threat Groups ∗∗∗ --------------------------------------------- Explore Unit 42s review of North Korean APT groups and their impact, detailing the top 10 malware and tools weve seen from these threat actors. --------------------------------------------- https://unit42.paloaltonetworks.com/threat-assessment-north-korean-threat-g… ∗∗∗ Threat Assessment: Repellent Scorpius, Distributors of Cicada3301 Ransomware ∗∗∗ --------------------------------------------- Repellent Scorpius distributes Cicada3301 ransomware, using double extortion and targeting global victims since May 2024. We break down their toolset and more. --------------------------------------------- https://unit42.paloaltonetworks.com/repellent-scorpius-cicada3301-ransomwar… ∗∗∗ August 2024’s Most Wanted Malware: RansomHub Reigns Supreme While Meow Ransomware Surges ∗∗∗ --------------------------------------------- Check Point’s latest threat index reveals RansomHub’s continued dominance and Meow ransomware’s rise with novel tactics and significant impact. Check Point’s Global Threat Index for August 2024 revealed ransomware remains a dominant force, with RansomHub sustaining its position as the top ransomware group. This Ransomware-as-a-Service (RaaS) .. --------------------------------------------- https://blog.checkpoint.com/research/august-2024s-most-wanted-malware-ranso… ∗∗∗ CISA says SonicWall bug being exploited as experts warn of ransomware gang use ∗∗∗ --------------------------------------------- Federal cybersecurity experts are warning that a vulnerability affecting products from SonicWall is being exploited, and ordered all federal civilian agencies to implement a patch for the bug by the end of the month. --------------------------------------------- https://therecord.media/cisa-orders-patching-of-sonicwall-bug-ransomware ∗∗∗ CISA Releases Election Security Focused Checklists for Both Cybersecurity and Physical Security ∗∗∗ --------------------------------------------- Today, the Cybersecurity and Infrastructure Security Agency (CISA) released two election security checklists as part of the comprehensive suite of resources available for election officials, the Physical Security Checklist for Election Offices and Election Infrastructure Cybersecurity Readiness and Resilience Checklist. These checklists are tools to quickly review existing practices and take steps to enhance physical and cyber resilience in preparation for election day. --------------------------------------------- https://www.cisa.gov/news-events/news/cisa-releases-election-security-focus… ∗∗∗ Do We Need Yet Another Vulnerability Scoring System? If it’s SSVC that’s a resounding YASS ∗∗∗ --------------------------------------------- Want to know about Yet Another Vulnerability Scoring System (YASS)? Ben Edwards breaks down Stakeholder Specific Vulnerability Categorization and how to make it work. --------------------------------------------- https://www.bitsight.com/blog/do-we-need-yet-another-vulnerability-scoring-… ∗∗∗ Wegen US-Verbannung: Kaspersky-Kunden erhalten UltraAV von Pango ∗∗∗ --------------------------------------------- Nach dem Bann in den USA stellt das Unternehmen Kunden nun auf UltraAV um, bestätigt Kaspersky gegenüber heise online. --------------------------------------------- https://heise.de/-9862992 ===================== = Vulnerabilities = ===================== ∗∗∗ Citrix Releases Security Updates for Citrix Workspace App for Windows ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/09/10/citrix-releases-security… ∗∗∗ September 2024 Security Update ∗∗∗ --------------------------------------------- https://www.ivanti.com/blog/september-2024-security-update -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.09.2024
by Daily end-of-shift report 09 Sep '24

09 Sep '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 06-09-2024 18:00 − Montag 09-09-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Transport for London staff faces systems disruptions after cyberattack ∗∗∗ --------------------------------------------- Transport for London, the citys public transportation agency, revealed today that its staff has limited access to systems and email due to measures implemented in response to a Sunday cyberattack. --------------------------------------------- https://www.bleepingcomputer.com/news/security/transport-for-london-staff-f… ∗∗∗ Softwarefehler bei Landtagswahl: CCC kritisiert Intransparenz bei Wahlsoftware ∗∗∗ --------------------------------------------- Eine "stümperhafte Implementierung" könnte zu dem Berechnungsfehler bei der Landtagswahl in Sachsen geführt haben. Der CCC fordert mehr Transparenz. --------------------------------------------- https://www.golem.de/news/softwarefehler-bei-landtagswahl-ccc-kritisiert-in… ∗∗∗ Angriff auf Air-Gapped-Systeme: Malware exfiltriert Daten drahtlos durch den RAM ∗∗∗ --------------------------------------------- Die Angriffstechnik liefert zwar keine hohe Datenrate, für ein Keylogging in Echtzeit sowie das Ausleiten von Passwörtern und RSA-Keys reicht sie aber aus. --------------------------------------------- https://www.golem.de/news/angriff-auf-air-gapped-systeme-malware-exfiltrier… ∗∗∗ North Korean threat actor Citrine Sleet exploiting Chromium zero-day ∗∗∗ --------------------------------------------- Microsoft identified a North Korean threat actor exploiting a zero-day vulnerability in Chromium (CVE-2024-7971) to gain remote code execution (RCE) in the Chromium renderer process. Our assessment of ongoing analysis and observed infrastructure attributes this activity to Citrine Sleet, a North Korean threat actor that commonly targets the cryptocurrency .. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2024/08/30/north-korean-threa… ∗∗∗ The Underground World of Black-Market AI Chatbots is Thriving ∗∗∗ --------------------------------------------- An anonymous reader shares a report: ChatGPTs 200 million weekly active users have helped propel OpenAI, the company behind the chatbot, to a $100 billion valuation. But outside the mainstream theres still plenty of money to be made -- especially if youre catering to the underworld. Illicit large language models (LLMs) can make up to $28,000 in two months .. --------------------------------------------- https://slashdot.org/story/24/09/06/1648218/the-underground-world-of-black-… ∗∗∗ Hypervisor Development in Rust for Security Researchers (Part 1) ∗∗∗ --------------------------------------------- In the ever-evolving field of information security, curiosity and continuous learning drive innovation. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/hypervisor-… ∗∗∗ Exploring an Experimental Windows Kernel Rootkit in Rust ∗∗∗ --------------------------------------------- Around two years ago, memN0ps took the initiative to create one of the first publicly available rootkit proof of concepts (PoCs) in Rust as an experimental project, while learning a new programming language. It still lacks many features, which are relatively easy to add once the concept is understood, but it was developed within a month, at a part-time capacity. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/exploring-a… ∗∗∗ Predator Spyware Resurfaces With Fresh Infrastructure ∗∗∗ --------------------------------------------- Recorded Future observes renewed Predator spyware activity on fresh infrastructure after a drop caused by US sanctions. --------------------------------------------- https://www.securityweek.com/predator-spyware-resurfaces-with-fresh-infrast… ∗∗∗ Chinese APT Abuses VSCode to Target Government in Asia ∗∗∗ --------------------------------------------- A first in our telemetry: Chinese APT Stately Taurus uses Visual Studio Code to maintain a reverse shell in victims environments for Southeast Asian espionage. --------------------------------------------- https://unit42.paloaltonetworks.com/stately-taurus-abuses-vscode-southeast-… ∗∗∗ Sextortion-Betrugsversuch I: Aufzeichnung des Porno-Konsums; und "Rechnungszahlung" ∗∗∗ --------------------------------------------- Aktuell laufen wieder sogenannte Sextortion-Kampagnen, bei der Opfer per E-Mail mit angeblich kompromittierendem Material erpresst werden sollen. Ich fasse daher einige Informationen der letzten Tage über laufende Sextortion-Kampagnen in .. --------------------------------------------- https://www.borncity.com/blog/2024/09/09/sextortion-betrugsversuch-i-aufzei… ∗∗∗ AI Firm’s Misconfigured Server Exposed 5.3 TB of Mental Health Records ∗∗∗ --------------------------------------------- A misconfigured server from a US-based AI healthcare firm Confidant Health exposed 5.3 TB of sensitive mental health… --------------------------------------------- https://hackread.com/ai-firm-misconfigured-server-exposed-mental-health-dat… ∗∗∗ CISA Adds Three Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/09/09/cisa-adds-three-known-ex… ∗∗∗ Eigene Identität im Blick: Google Dark Web Report warnt vor Datenlecks ∗∗∗ --------------------------------------------- Mit dem Dark Web Report von Google lässt sich die eigene Identität auf Datenpannen überwachen. Der Dienst ist nun kostenlos und nicht mehr Abo-Bestandteil. --------------------------------------------- https://heise.de/-9860797 ∗∗∗ Polen zerschlägt Ring von Cybersaboteuren ∗∗∗ --------------------------------------------- Das EU- und Nato-Land Polen ist zunehmend Ziel von Cyberattacken. Warschau vermutet dahinter die Tätigkeit russischer und belarussischer Geheimdienste. --------------------------------------------- https://heise.de/-9862555 ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-24-1196: Adobe Acrobat Reader DC Doc Object Use-After-Free Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to disclose sensitive information on affected installations of Adobe Acrobat Reader DC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 3.3. The following CVEs are assigned: CVE-2024-45107. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-1196/ ∗∗∗ DSA-5767-1 thunderbird - security update ∗∗∗ --------------------------------------------- https://lists.debian.org/debian-security-announce/2024/msg00180.html ∗∗∗ Security Vulnerabilities fixed in Firefox ESR 115.13 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2024-30/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.09.2024
by Daily end-of-shift report 06 Sep '24

06 Sep '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 05-09-2024 18:00 − Freitag 06-09-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ US charges Russian GRU hackers behind WhisperGate intrusions ∗∗∗ --------------------------------------------- Feds post $10 million bounty for each of the sixs whereabouts The US today charged five Russian military intelligence officers and one civilian for their involvement with the data-wiping WhisperGate campaign conducted against Ukraine in January 2022 before the ground invasion began. --------------------------------------------- https://www.theregister.com/2024/09/05/uncle_sam_charges_russian_gru/ ∗∗∗ Ransomware Gang Claims Cyberattack on Planned Parenthood ∗∗∗ --------------------------------------------- Planned Parenthood confirms "cybersecurity incident" as RansomHub ransomware gang threatens to leak 93 Gb of data stolen from the nonprofit last week. --------------------------------------------- https://www.securityweek.com/ransomware-gang-claims-cyberattack-on-planned-… ∗∗∗ Sicherheitslücken in Veeam Backup & Replication - Updates verfügbar ∗∗∗ --------------------------------------------- Der Softwarehersteller Veeam hat Aktualisierungen für mehrere seiner Produkte veröffentlicht. Unter den Sicherheitslücken die im Rahmen dieser Veröffentlichung behoben wurden befindet sich CVE-2024-40711, eine schwerwiegende Schwachstelle in Veeam Backup & Replication. Die Ausnutzung dieser Lücke ermöglicht es Angreifer:innen unauthentifiziert .. --------------------------------------------- https://www.cert.at/de/aktuelles/2024/9/sicherheitslucken-in-veeam-backup-r… ∗∗∗ Aktive Ausnutzung einer Sicherheitslücke in SonicWall SonicOS (CVE-2024-40766) ∗∗∗ --------------------------------------------- Der Hersteller SonicWall hat am 21.08.2024 ein Advisory zu einer schwerwiegenden Sicherheitslücke in seinem Betriebssystem für Netzwerkgeräte, SonicOS, veröffentlicht. Die Ausnutzung besagter Schwachstelle, CVE-2024-40766, könnte es Angreifer:innen erlauben, betroffene Geräte zum Absturz zu bringen. Zeitgleich mit der .. --------------------------------------------- https://www.cert.at/de/aktuelles/2024/9/aktive-ausnutzung-einer-sicherheits… ∗∗∗ Colombian president suggests prior administration illegally sent $11 million in cash to Israel for spyware ∗∗∗ --------------------------------------------- Colombia’s President Gustavo Petro said Wednesday that his administration is probing the disappearance of $11 million allegedly used to buy powerful Pegasus spyware, which he said he believes was acquired by the previous administration. --------------------------------------------- https://therecord.media/colombian-president-pegasus-spyware-israel-missing-… ∗∗∗ Passwort Spraying-Angriffe auf (Sophos-) Firewalls von IP 92.53.65.166 ∗∗∗ --------------------------------------------- Kurze Information für Administratoren von Sophos Firewalls - ein Leser hat mich darauf hingewiesen, dass er seit dem seit dem 5. September 2024 vermehrt Angriffsversuche auf seine Firewalls von Sophos beobachtet. Und speziell das VPN-Portal wird über Port 443 mit Login-Versionen überschüttet .. --------------------------------------------- https://www.borncity.com/blog/2024/09/06/passwort-spraying-angriffe-auf-sop… ∗∗∗ Hunting Chromium Notifications ∗∗∗ --------------------------------------------- Browser notifications provide social-engineering opportunities. In this post well cover the associated forensic artifacts, threat hunting possibilities and hardening recommendations. --------------------------------------------- https://blog.nviso.eu/2024/09/06/hunting-chromium-notifications/ ∗∗∗ The best and worst ways to get users to improve their account security ∗∗∗ --------------------------------------------- In my opinion, mandatory enrollment is best enrollment. --------------------------------------------- https://blog.talosintelligence.com/threat-source-newsletter-sept-5-2024/ ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-24-1195: Malwarebytes Antimalware Link Following Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-1195/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.09.2024
by Daily end-of-shift report 05 Sep '24

05 Sep '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 04-09-2024 18:00 − Donnerstag 05-09-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Hacker trap: Fake OnlyFans tool backstabs cybercriminals, steals passwords ∗∗∗ --------------------------------------------- Hackers are targeting other hackers with a fake OnlyFans tool that claims to help steal accounts but instead infects threat actors with the Lumma stealer information-stealing malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hacker-trap-fake-onlyfans-to… ∗∗∗ Windows 11/Server 2024 SMB Security-Hardening ∗∗∗ --------------------------------------------- Microsoft hat im Vorgriff auf die kommenden Releases von Windows 11 24H2 und Windows Server 2025 Ende August 2024 einen Techcommunity-Beitrag zum Thema "SMB Security-Hardening" veröffentlicht. Das Ganze ist Teil der Microsoft Secure Future Initiative (SFI), und die Betriebssysteme sollen bereits vom Start an über gehärtete SMB-Einstellungen verfügen, um sich vor Cyberangriffen besser zu schützen. --------------------------------------------- https://www.borncity.com/blog/2024/09/05/windows-11-server-2024-smb-securit… ∗∗∗ CVE-2024-45195: Apache OFBiz Unauthenticated Remote Code Execution (Fixed) ∗∗∗ --------------------------------------------- Apache OFBiz below 18.12.16 is vulnerable to unauthenticated remote code execution (CVE-2024-45195) on Linux and Windows. Exploitation is facilitated by bypassing previous patches. [..] Based on our analysis, three of these vulnerabilities are, essentially, the same vulnerability with the same root cause. Since the patch bypass we are disclosing today elaborates on those previous disclosures, we’ll outline them now. --------------------------------------------- https://www.rapid7.com/blog/post/2024/09/05/cve-2024-45195-apache-ofbiz-una… ∗∗∗ Watch the Typo: Our PoC Exploit for Typosquatting in GitHub Actions ∗∗∗ --------------------------------------------- In this blog, we explain how we managed to leverage typosquatting in GitHub Actions and got several applications with inadvertent typos to run our ‘fake’ action. If we had bad intentions, these mistakenly triggered actions could have included malicious code, for instance installing malware, stealing secrets, or making covert changes to code. --------------------------------------------- https://orca.security/resources/blog/typosquatting-in-github-actions/ ∗∗∗ Threat Actors Exploit GeoServer Vulnerability CVE-2024-36401 ∗∗∗ --------------------------------------------- On July 1, the project maintainers released an advisory for the vulnerability CVE-2024-36401 (CVSS score: 9.8). Multiple OGC request parameters allow remote code execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions. The shortcoming has been addressed in versions 2.23.6, 2.24.4, and 2.25.2. [..] In this article, we will explore the details of the payload and malware. --------------------------------------------- https://feeds.fortinet.com/~/904077668/0/fortinet/blogs~Threat-Actors-Explo… ===================== = Vulnerabilities = ===================== ∗∗∗ Veeam warns of critical RCE flaw in Backup & Replication software ∗∗∗ --------------------------------------------- Veeam has released security updates for several of its products as part of a single September 2024 security bulletin that addresses 18 high and critical severity flaws in Veeam Backup & Replication, Service Provider Console, and One. --------------------------------------------- https://www.bleepingcomputer.com/news/security/veeam-warns-of-critical-rce-… ∗∗∗ Angreifer können durch Hintertür in Cisco Smart Licensing Utility schlüpfen ∗∗∗ --------------------------------------------- Aufgrund von mehreren Schwachstellen sind Attacken auf Cisco Expressway Edge, Duo Epic for Hyperdrive, Identity Services Engine, Meraki Systems Manager und Smart Licensing Utility vorstellbar. [..] Smart Licensing Utility ist durch zwei "kritische" Sicherheitslücken (CVE-2024-20439, CVE-2024-20440) bedroht. Im ersten Fall kann ein entfernter Angreifer ohne Anmeldung aufgrund von statischen Admin-Zugangsdaten auf Instanzen zugreifen. Mit den Adminrechten des Accounts erlangt ein Angreifer die volle Kontrolle. [..] Meraki Systems Manager Agent for Windows kann sich aufgrund einer Lücke (CVE-2024-20430 "hoch") an einer mit Schadcode präparierten DLL-Datei verschlucken. [..] --------------------------------------------- https://heise.de/-9857962 ∗∗∗ Drupal: Security advisories 2024-September-04 ∗∗∗ --------------------------------------------- Drupal released 5 security advisories (1x Critical, 4x Moderately critical) --------------------------------------------- https://www.drupal.org/security ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (bubblewrap and flatpak, containernetworking-plugins, fence-agents, ghostscript, krb5, orc, podman, python3.11, python3.9, resource-agents, runc, and wget), Debian (chromium, cinder, glance, gnutls28, nova, nsis, python-oslo.utils, ruby-sinatra, and setuptools), Fedora (kernel), Oracle (bubblewrap and flatpak, buildah, containernetworking-plugins, fence-agents, ghostscript, gvisor-tap-vsock, kernel, krb5, libndp, nodejs:18, orc, podman, postgresql, python-urllib3, python3.11, python3.12, python3.9, runc, skopeo, and wget), SUSE (hdf5, netcdf, trilinos), and Ubuntu (firefox, imagemagick, ironic, openssl, python-django, vim, and znc). --------------------------------------------- https://lwn.net/Articles/989046/ ∗∗∗ Juniper: SA Series: Multiple vulnerabilities resolved in Juniper Secure Analytics in 7.5.0 UP9 IF02 ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/On-Demand-JSA-Series-Multiple-v… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.09.2024
by Daily end-of-shift report 04 Sep '24

04 Sep '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 03-09-2024 18:00 − Mittwoch 04-09-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ YubiKeys klonen? ∗∗∗ --------------------------------------------- Heute gab es dazu eine reißerische Meldung: diese lassen sich klonen. [..] Das ist mal klarerweise nicht gut. Aber wie so oft bei Schlagzeilen dieser Art lohnt es sich, genauer zu lesen, was eigentlich passiert ist, und wie realistisch die Angriffe wirklich sind. --------------------------------------------- https://www.cert.at/de/blog/2024/9/yubikeys-eucleak ∗∗∗ Hackers Hijack 22,000 Removed PyPI Packages, Spreading Malicious Code to Developers ∗∗∗ --------------------------------------------- A new supply chain attack technique targeting the Python Package Index (PyPI) registry has been exploited in the wild in an attempt to infiltrate downstream organizations. It has been codenamed Revival Hijack by software supply chain security firm JFrog, which said the attack method could be used to hijack 22,000 existing PyPI packages and result in "hundreds of thousands" of malicious package downloads. --------------------------------------------- https://thehackernews.com/2024/09/hackers-hijack-22000-removed-pypi.html ∗∗∗ Hackers inject malicious JS in Cisco store to steal credit cards, credentials ∗∗∗ --------------------------------------------- Ciscos site for selling company-themed merchandise is currently offline and under maintenance due to hackers compromising it with JavaScript code that steals sensitive customer details provided at checkout. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-inject-malicious-js-… ∗∗∗ Mallox ransomware: in-depth analysis and evolution ∗∗∗ --------------------------------------------- In this report, we provide an in-depth analysis of the Mallox ransomware, its evolution, ransom strategy, encryption scheme, etc. --------------------------------------------- https://securelist.com/mallox-ransomware/113529/ ∗∗∗ Earth Lusca Uses KTLVdoor Backdoor for Multiplatform Intrusion ∗∗∗ --------------------------------------------- While monitoring Earth Lusca, we discovered the threat group’s use of KTLVdoor, a highly obfuscated multiplatform backdoor, as part of a large-scale attack campaign. --------------------------------------------- https://www.trendmicro.com/en_us/research/24/i/earth-lusca-ktlvdoor.html ∗∗∗ Advanced forensic techniques for recovering hidden data in wearable device ∗∗∗ --------------------------------------------- This blog post covers how forensic skills and tooling can be used to recover potentially sensitive data left on phones from devices such as Google’s Fitbit. The principles and techniques here also apply to similar products with similar functionality. --------------------------------------------- https://www.pentestpartners.com/security-blog/advanced-forensic-techniques-… ∗∗∗ Vorsicht vor US Green Card Lotterie Anbietern wie AmericanGC.com ∗∗∗ --------------------------------------------- Die USA gelten für viele als Wunschziel fürs Auswandern. Über die Green Card Lotterie wird bis zu 50.000 Menschen jährlich eine Einwanderung mit Greencard ermöglicht. Der Andrang auf diese Lotterie ist groß und das machen sich auch unseriöse und betrügerische Anbieter wie AmericanGC.com zunutze. --------------------------------------------- https://www.watchlist-internet.at/news/green-card-americangccom/ ∗∗∗ US-Behörden sollen Internet-Routing absichern ∗∗∗ --------------------------------------------- Das Weiße Haus macht Druck auf Behörden: Sie sollen ihre Netzrouten kryptografisch absichern. Erst dann können Fehler auffallen. --------------------------------------------- https://heise.de/-9856483 ∗∗∗ Mesh-WLAN von Plume Design: Teure Bespitzelung ∗∗∗ --------------------------------------------- Mesh-Netzwerke sind gut gegen WLAN-Funklöcher. Doch Vorsicht: Ein US-Hersteller überwacht mit seinen Routern und Extendern Nutzer und gibt munter vertrauliche Daten weiter. Eine Recherche von Erik Bärwaldt (Datenschutz, WLAN) --------------------------------------------- https://www.golem.de/news/mesh-wlan-von-plume-design-teure-bespitzelung-240… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (buildah, gvisor-tap-vsock, nodejs:18, python-urllib3, and skopeo), Debian (firefox-esr and openssl), Fedora (apr and seamonkey), Red Hat (podman), Slackware (mozilla and seamonkey), SUSE (bubblewrap and flatpak, buildah, docker, dovecot23, ffmpeg, frr, go1.21-openssl, graphviz, java-1_8_0-openj9, kubernetes1.26, kubernetes1.27, kubernetes1.28, openssl-1_0_0, openssl-3, perl-DBI, python-aiohttp, python-Django, python-WebOb, thunderbird, tiff, ucode-intel, unbound, webkit2gtk3, and xen), and Ubuntu (drupal7 and twisted). --------------------------------------------- https://lwn.net/Articles/988746/ ∗∗∗ Android Patchday: Updates schließen mehrere hochriskante Lücken ∗∗∗ --------------------------------------------- Jetzt ist es an den Handy-Herstellern, die sicherheitsrelevanten Fehlerkorrekturen in Firmware-Updates für die Android-Smartphones zu gießen und an die betroffenen Kunden zu verteilen. --------------------------------------------- https://heise.de/-9856847 ∗∗∗ WordPress Plugin "Advanced Custom Fields" vulnerable to cross-site scripting ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN67963942/ ∗∗∗ Progress: OpenEdge Third-Party Vulnerabilities Fixed In OpenEdge LTS Update 11.7.20 ∗∗∗ --------------------------------------------- https://community.progress.com/s/article/OpenEdge-Third-Party-Vulnerabiliti… ∗∗∗ Hitachi Energy: Multiple vulnerabilities in Hitachi Energy MicroSCADA X SYS600 product ∗∗∗ --------------------------------------------- https://publisher.hitachienergy.com/preview?DocumentID=8DBD000160&LanguageC… ∗∗∗ Zyxel security advisory for OS command injection vulnerability in APs and security router devices ∗∗∗ --------------------------------------------- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-… ∗∗∗ Zyxel security advisory for buffer overflow vulnerability in some 5G NR CPE, DSL/Ethernet CPE, fiber ONT, WiFi extender, and security router devices ∗∗∗ --------------------------------------------- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-… ∗∗∗ Mozilla: Security Vulnerabilities fixed in Firefox and Focus ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/ ∗∗∗ C-MOR: Mehrere Sicherheitsschwachstellen in Videoüberwachungssoftware C-MOR (SYSS-2024-020 bis -030) ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/mehrere-sicherheitsschwachstellen-in-video… ∗∗∗ F5: K000140908: MySQL Server vulnerabiliity CVE-2024-21134 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000140908 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.09.2024
by Daily end-of-shift report 03 Sep '24

03 Sep '24

===================== = End-of-Day report = ===================== Timeframe: Montag 02-09-2024 18:00 − Dienstag 03-09-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ D-Link says it is not fixing four RCE flaws in DIR-846W routers ∗∗∗ --------------------------------------------- D-Link is warning that four remote code execution (RCE) flaws impacting all hardware and firmware versions of its DIR-846W router will not be fixed as the products are no longer supported. [..] The researcher published the information on August 27, 2024, but has withheld the publication of proof-of-concept (PoC) exploits for now. --------------------------------------------- https://www.bleepingcomputer.com/news/security/d-link-says-it-is-not-fixing… ∗∗∗ The state of sandbox evasion techniques in 2024 ∗∗∗ --------------------------------------------- This post is about sandbox evasion techniques and their usefulness in more targeted engagements. --------------------------------------------- https://fudgedotdotdot.github.io/posts/sandbox-evasion-in-2024/sandboxes.ht… ∗∗∗ CVE-2024-37084: Spring Cloud Remote Code Execution ∗∗∗ --------------------------------------------- CVE-2024-37084 is a critical security vulnerability in Spring Cloud Skipper, specifically related to how the application processes YAML input. [..] The vulnerability affects versions 2.11.0 through 2.11.3 of Spring Cloud Skipper. --------------------------------------------- https://blog.securelayer7.net/spring-cloud-skipper-vulnerability/ ∗∗∗ Intel Responds to SGX Hacking Research ∗∗∗ --------------------------------------------- Intel has shared some clarifications on claims made by a researcher regarding the hacking of its SGX security technology. --------------------------------------------- https://www.securityweek.com/intel-responds-to-sgx-hacking-research/ ∗∗∗ Rechnungen und Mahnungen von cvneed.com ignorieren ∗∗∗ --------------------------------------------- Sie haben einen Lebenslauf auf cvneed.com erstellt? Sie sind davon ausgegangen, dass dies kostenlos ist? Doch plötzlich flattern Rechnungen und sogar Mahnungen ins Haus? Ignorieren Sie diese und zahlen Sie nichts. Es handelt sich um eine Abo-Falle! --------------------------------------------- https://www.watchlist-internet.at/news/mahnungen-von-cvneed/ ∗∗∗ CISA Adds Three Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CVE-2021-20123/CVE-2021-20124 Draytek VigorConnect Path Traversal Vulnerability, CVE-2024-7262 Kingsoft WPS Office Path Traversal Vulnerability --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/09/03/cisa-adds-three-known-ex… ∗∗∗ Threat actors using MacroPack to deploy Brute Ratel, Havoc and PhantomCore payloads ∗∗∗ --------------------------------------------- Cisco Talos recently discovered several related Microsoft Office documents uploaded to VirusTotal by various actors between May and July 2024 that were all generated by a version of a payload generator framework called “MacroPack.” --------------------------------------------- https://blog.talosintelligence.com/threat-actors-using-macropack/ ∗∗∗ A look into Web Application Security ∗∗∗ --------------------------------------------- An in-depth look into Web Application Security, and Bitsights approach to related security metrics. --------------------------------------------- https://www.bitsight.com/blog/look-web-application-security ===================== = Vulnerabilities = ===================== ∗∗∗ Zyxel: Mehrere hochriskante Sicherheitslücken in Firewalls ∗∗∗ --------------------------------------------- Zyxel warnt vor mehreren Sicherheitslücken in den Firewalls des Unternehmens. Updates stehen bereit, die Lecks abdichten. [..] Am schwerwiegendsten ist eine Lücke, die Angreifern das Einschleusen von Befehlen im IPSec VPN der Zyxel-Firewalls ermöglicht. Mit manipulierten Nutzernamen können sie Befehle schmuggeln, die vom Betriebssystem ausgeführt werden. --------------------------------------------- https://heise.de/-9855938 ∗∗∗ VMSA-2024-0018:VMware Fusion update addresses a code execution vulnerability (CVE-2024-38811) ∗∗∗ --------------------------------------------- VMware Fusion contains a code-execution vulnerability due to the usage of an insecure environment variable. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.8. --------------------------------------------- https://support.broadcom.com/web/ecx/support-=content-notification/-/extern… ∗∗∗ OpenSSL Security Advisory [3rd September 2024] ∗∗∗ --------------------------------------------- Possible denial of service in X.509 name checks (CVE-2024-6119) [..] OpenSSL 3.3, 3.2, 3.1 and 3.0 are vulnerable to this issue. --------------------------------------------- https://openssl-library.org/news/secadv/20240903.txt ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (python3.12), Debian (calibre, exfatprogs, frr, git, libtommath, nbconvert, ruby-nokogiri, ruby-tzinfo, and webkit2gtk), Fedora (flatpak, lua-mpack, and python3.12), Red Hat (389-ds-base, 389-ds:1.4, buildah, fence-agents, gvisor-tap-vsock, httpd:2.4, kernel, kernel-rt, nodejs:18, orc, postgresql, postgresql:12, postgresql:13, postgresql:15, python-urllib3, python3.12, and skopeo), SUSE (389-ds, bubblewrap and flatpak, cacti, cacti-spine, curl, glib2, kernel-firmware, libqt5-qt3d, libqt5-qtquick3d, opera, python39, qemu, unbound, xen, and zziplib), and Ubuntu (ffmpeg, linux-raspi-5.4, and python-webob). --------------------------------------------- https://lwn.net/Articles/988570/ ∗∗∗ Chrome 128 Updates Patch High-Severity Vulnerabilities ∗∗∗ --------------------------------------------- https://www.securityweek.com/chrome-128-updates-patch-high-severity-vulnera… ∗∗∗ Lenze: Install Directory with insufficient permissions ∗∗∗ --------------------------------------------- https://certvde.com/de/advisories/VDE-2024-053/ ∗∗∗ LOYTEC Electronics LINX Series ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-247-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.09.2024
by Daily end-of-shift report 02 Sep '24

02 Sep '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 30-08-2024 18:00 − Montag 02-09-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Administrative IT infiltriert: Cyberangriff trifft Deutsche Flugsicherung ∗∗∗ --------------------------------------------- Nach Angaben eines Unternehmenssprechers betrifft der Vorfall die Büro-IT der DFS. Auswirkungen auf den Flugverkehr hat der Angriff wohl nicht. [..] Wer genau hinter dem Cyberangriff auf die Deutsche Flugsicherung steckt, lässt sich noch nicht mit Gewissheit beantworten. [..] Derzeit sei das Unternehmen dabei, den Vorfall einzudämmen und dessen Auswirkungen zu minimieren. --------------------------------------------- https://www.golem.de/news/administrative-it-infiltriert-cyberangriff-trifft… ∗∗∗ TSA-Airport-Sicherheitskontrollen per SQL-Injection ausgehebelt ∗∗∗ --------------------------------------------- Sicherheitsforschern in den USA ist es gelungen, über SQL-Injection das FlyCASS-Sicherheitssystem zu täuschen und damit Zugangssperren zu umgehen. --------------------------------------------- https://heise.de/-9853305 ∗∗∗ Windows: Side-Loading DLL-Angriffe über licensingdiag.exe ∗∗∗ --------------------------------------------- Wer sich um den Punkt Windows-Sicherheit Gedanken macht, sollte das Befehlszeilentool licensingdiag.exe im Fokus behalten. Es ist ein weiteres "living of the land" Tool, welches für Side-Loading DLL-Angriffe genutzt werden kann. --------------------------------------------- https://www.borncity.com/blog/2024/09/01/windows-side-loading-dll-angriffe-… ∗∗∗ Spoofed GlobalProtect Used to Deliver Unique WikiLoader Variant ∗∗∗ --------------------------------------------- Unit 42 discusses WikiLoader malware spoofing GlobalProtect VPN, detailing evasion techniques, malicious URLs, and mitigation strategies. --------------------------------------------- https://unit42.paloaltonetworks.com/global-protect-vpn-spoof-distributes-wi… ∗∗∗ GitHub comments abused to push password stealing malware masked as fixes ∗∗∗ --------------------------------------------- GitHub is being abused to distribute the Lumma Stealer information-stealing malware as fake fixes posted in project comments. [..] The solution tells people to download a password-protected archive from mediafire.com or through a bit.ly URL and run the executable within it. In the current campaign, the password has been "changeme" in all the comments we have seen. --------------------------------------------- https://www.bleepingcomputer.com/news/security/github-comments-abused-to-pu… ∗∗∗ Docker-OSX image used for security research hit by Apple DMCA takedown ∗∗∗ --------------------------------------------- The popular Docker-OSX project has been removed from Docker Hub after Apple filed a DMCA (Digital Millennium Copyright Act) takedown request, alleging that it violated its copyright. --------------------------------------------- https://www.bleepingcomputer.com/news/security/docker-osx-image-used-for-se… ∗∗∗ Cicada3301 ransomware’s Linux encryptor targets VMware ESXi systems ∗∗∗ --------------------------------------------- A new ransomware-as-a-service (RaaS) operation named Cicada3301 has already listed 19 victims on its extortion portal, as it quickly attacked companies worldwide. [..] An analysis of the new malware by Truesec revealed significant overlaps between Cicada3301 and ALPHV/BlackCat, indicating a possible rebrand or a fork created by former ALPHV's core team members. [..] For context, ALPHV performed an exit scam in early March 2024 involving fake claims about an FBI takedown operation after they stole a massive $22 million payment from Change Healthcare from one of their affiliates. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cicada3301-ransomwares-linux… ∗∗∗ Ausweiskopie und persönliche Daten an Kriminelle weitergegeben? Das können Sie tun ∗∗∗ --------------------------------------------- Sie wurden Opfer einer Betrugsmasche und haben dabei persönliche Daten oder sogar Ausweiskopien übermittelt? Wir zeigen Ihnen, was Sie tun können, wenn Kriminelle Ihre Daten ergaunert haben! --------------------------------------------- https://www.watchlist-internet.at/news/ausweiskopie-und-persoenliche-daten-… ∗∗∗ Malware "Voldemort": Angreifer nehmen verstärkt Steuerzahler ins Visier ∗∗∗ --------------------------------------------- Eine neue Angriffswelle zielt verstärkt auf Steuerbehörden, aber auch auf andere Behörden und Unternehmen verschiedener Länder ab, auch hierzulande. Dabei wird die Malware "Voldemort" über Phishing-Mails verbreitet. Wer klickt, installiert sich womöglich eine Backdoor. [..] Über die Hälfte der betroffenen Organisationen stammt aus den Bereichen Versicherungen, Luft- und Raumfahrt, Verkehr und Bildung. --------------------------------------------- https://heise.de/-9854106 ===================== = Vulnerabilities = ===================== ∗∗∗ Fortra fixed two severe issues in FileCatalyst Workflow, including a critical flaw ∗∗∗ --------------------------------------------- Cybersecurity and automation company Fortra released patches for two vulnerabilities in FileCatalyst Workflow. Once of the vulnerabilities is a critical issue, tracked as CVE-2024-6633 (CVSS score of 9.8) described as Insecure Default in FileCatalyst Workflow Setup. --------------------------------------------- https://securityaffairs.com/167838/security/fortra-filecatalyst-critical-wo… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (postgresql:16), Debian (dovecot, pymatgen, ruby2.7, systemd, and webkit2gtk), Fedora (microcode_ctl, python3.11, vim, and xen), Oracle (kernel, postgresql:12, postgresql:13, postgresql:15, and python39:3.9 and python39-devel:3.9), Slackware (libpcap), SUSE (cacti, cacti-spine, python-Django, and trivy), and Ubuntu (dovecot). --------------------------------------------- https://lwn.net/Articles/988364/ ∗∗∗ WordPress Vulnerability & Patch Roundup August 2024 ∗∗∗ --------------------------------------------- https://blog.sucuri.net/2024/08/wordpress-vulnerability-patch-roundup-augus… ∗∗∗ MISP 2.4.197 released with many bugs fixed, a security fix and improvements. ∗∗∗ --------------------------------------------- https://github.com/MISP/MISP/releases/tag/v2.4.197 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.08.2024
by Daily end-of-shift report 30 Aug '24

30 Aug '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 29-08-2024 18:00 − Freitag 30-08-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Fake Palo Alto GlobalProtect used as lure to backdoor enterprises ∗∗∗ --------------------------------------------- Threat actors target Middle Eastern organizations with malware disguised as the legitimate Palo Alto GlobalProtect Tool that can steal data and execute remote PowerShell commands to infiltrate internal networks further. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fake-palo-alto-globalprotect… ∗∗∗ FBI: RansomHub ransomware breached 210 victims since February ∗∗∗ --------------------------------------------- Since surfacing in February 2024, RansomHub ransomware affiliates have breached over 200 victims from a wide range of critical U.S. infrastructure sectors. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fbi-ransomhub-ransomware-bre… ∗∗∗ Russische Hacker nutzen die gleichen Lücken wie Staatstrojaner ∗∗∗ --------------------------------------------- Immer wieder warnen Experten davor, dass auch Kriminelle jene Schlupflöcher nutzen können, über die auch Regierungen Verdächtige überwachen. --------------------------------------------- https://futurezone.at/netzpolitik/russische-hacker-staatstrojaner-messenger… ∗∗∗ Studie: 78 Prozent aller Ransomware-Opfer zahlen offenbar Lösegeld ∗∗∗ --------------------------------------------- Viele betroffene Unternehmen zahlen wohl sogar mehrfach. Auch vier- oder mehr Lösegeldzahlungen sind keine Seltenheit - vor allem nicht in Deutschland. --------------------------------------------- https://www.golem.de/news/studie-78-prozent-aller-ransomware-opfer-zahlen-o… ∗∗∗ Feds claim sinister sysadmin locked up thousands of Windows workstations, demanded ransom ∗∗∗ --------------------------------------------- Sordid search history evidence in case that could see him spend 35 years for extortion and wire fraud A former infrastructure engineer who allegedly locked IT department colleagues out of their employers systems, then threatened to shut down servers unless paid a ransom, has been arrested and charged after an FBI investigation. --------------------------------------------- https://www.theregister.com/2024/08/29/vm_engineer_extortion_allegations/ ∗∗∗ How to enhance the security of your social media accounts ∗∗∗ --------------------------------------------- TL;DR Strong passwords: Use a password manager. Multi-factor authentication (MFA): MFA requires multiple forms of identification, adding an extra layer of security. This makes it harder for unauthorised users to .. --------------------------------------------- https://www.pentestpartners.com/security-blog/how-to-enhance-the-security-o… ∗∗∗ TLD Tracker: Exploring Newly Released Top-Level Domains ∗∗∗ --------------------------------------------- Unit 42 researchers use a novel graph-based pipeline to detect misuse of 19 new TLDs for phishing, chatbots and more in several case studies. --------------------------------------------- https://unit42.paloaltonetworks.com/tracking-newly-released-top-level-domai… ∗∗∗ Malicious North Korean packages appear again in open source code repository ∗∗∗ --------------------------------------------- North Korean hackers continue to exploit the widely used npm code repository, publishing malicious packages intended to infect software developers’ devices with malware, according to recent research. --------------------------------------------- https://therecord.media/npm-javascript-repository-north-korean-malware ∗∗∗ TR-88 - Motivation, procedure and rational for leaked credential notifications ∗∗∗ --------------------------------------------- In today’s digital landscape, protecting user data is essential for every organization. When public data leaks expose customer credentials, it is critical to respond promptly to mitigate risks. This document outlines why CIRCL .. --------------------------------------------- https://www.circl.lu/pub/tr-88 ∗∗∗ Silent Intrusions: Godzilla Fileless Backdoors Targeting Atlassian Confluence ∗∗∗ --------------------------------------------- Trend Micro discovered that old Atlassian Confluence versions that were affected by CVE-2023-22527 are being exploited using a new in-memory fileless backdoor. --------------------------------------------- https://www.trendmicro.com/en_us/research/24/h/godzilla-fileless-backdoors.… ∗∗∗ Gaps in Skills, Knowledge, and Technology Pave the Way for Breaches ∗∗∗ --------------------------------------------- The stakes continue growing higher for organizations when it comes to cybersecurity incidents, with the fallout of such incidents becoming more costly and complex. According to the Fortinet 2024 Cybersecurity Skills Gap Report, the overwhelming majority (87%) of those surveyed said they experienced one or .. --------------------------------------------- https://www.fortinet.com/blog/industry-trends/gaps-in-skills-knowledge-tech… ∗∗∗ Ransomware Roundup - Underground ∗∗∗ --------------------------------------------- The Underground ransomware has victimized companies in various industries since July 2023. It encrypts files without changing the original file extension. --------------------------------------------- https://www.fortinet.com/blog/threat-research/ransomware-roundup-underground ∗∗∗ Nach Cyberangriff: Solaranbieter "Qcells" informiert Kunden über Datenleck ∗∗∗ --------------------------------------------- Wieder gibt es ein Datenleck in der Solarbranche. Kunden von Qcell werden darum informiert. --------------------------------------------- https://heise.de/-9852641 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by AlmaLinux (libvpx, postgresql, postgresql:12, postgresql:13, postgresql:15, and python39:3.9 and python39-devel:3.9), Debian (chromium and ghostscript), Fedora (python3.13), and SUSE (chromium and podman). --------------------------------------------- https://lwn.net/Articles/987836/ ∗∗∗ DSA-5761-1 chromium - security update ∗∗∗ --------------------------------------------- https://lists.debian.org/debian-security-announce/2024/msg00174.html ∗∗∗ IPCOM vulnerable to information disclosure ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN29238389/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.08.2024
by Daily end-of-shift report 29 Aug '24

29 Aug '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 28-08-2024 18:00 − Donnerstag 29-08-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Unpatchable 0-day in surveillance cam is being exploited to install Mirai ∗∗∗ --------------------------------------------- Vulnerability is easy to exploit and allows attackers to remotely execute commands. --------------------------------------------- https://arstechnica.com/?p=2046043 ∗∗∗ Iranian hackers work with ransomware gangs to extort breached orgs ∗∗∗ --------------------------------------------- An Iran-based hacking group known as Pioneer Kitten is breaching defense, education, finance, and healthcare organizations across the United States and working with affiliates of several ransomware operations to extort the victims. --------------------------------------------- https://www.bleepingcomputer.com/news/security/iranian-hackers-work-with-ra… ∗∗∗ Endlich: Maßnahme gegen Anrufe mit gefälschten Nummern tritt in Kraft ∗∗∗ --------------------------------------------- Dass die eigene Handynummer für Spamanrufe genutzt wird, soll ab dem 1. September nicht mehr möglich sein. --------------------------------------------- https://futurezone.at/netzpolitik/rtr-veordnung-massnahme-nummer-gefaelscht… ∗∗∗ Peach Sandstorm deploys new custom Tickler malware in long-running intelligence gathering operations ∗∗∗ --------------------------------------------- Between April and July 2024, Microsoft observed Iranian state-sponsored threat actor Peach Sandstorm deploying a new custom multi-stage backdoor, which we named Tickler. Tickler has been used in attacks against targets in the satellite, communications equipment, oil and gas, as well as federal and state government sectors in the United States and the .. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2024/08/28/peach-sandstorm-de… ∗∗∗ Cybercrime and Sabotage Cost German Firms $300 Billion In Past Year ∗∗∗ --------------------------------------------- According to a new survey from Bitkom, cybercrime and other acts of sabotage have cost German companies around $298 billion in the past year, up 29% on the year before. Reuters reports: Bitkom surveyed around 1,000 companies from all sectors and found that 90% expect more cyberattacks in the next 12 months, with the remaining 10% expecting the same level of .. --------------------------------------------- https://it.slashdot.org/story/24/08/28/211228/cybercrime-and-sabotage-cost-… ∗∗∗ 12 Best Practices to Secure Your WordPress Login Page ∗∗∗ --------------------------------------------- WordPress powers a significant portion of websites on the internet. With this popularity comes the need for strict security measures, especially for the login page. These entry points are prime targets for hackers and malicious actors. By implementing proper security practices outlined in this guide, you can maintain a secure WordPress login and .. --------------------------------------------- https://blog.sucuri.net/2024/08/12-best-practices-to-secure-your-wordpress-… ∗∗∗ Microsoft hosts a security summit but no press, public allowed ∗∗∗ --------------------------------------------- CrowdStrike, other vendors, friendly govt reps .. but not anyone who would tell you what happened op-ed Microsoft will host a security summit next month with CrowdStrike and other "key" endpoint security partners joining the fun - and during which the CrowdStrike-induced outage that borked millions of Windows machines will undoubtedly be a top-line agenda item. --------------------------------------------- https://www.theregister.com/2024/08/28/microsoft_closed_security_summit/ ∗∗∗ Censys Finds Hundreds of Exposed Servers as Volt Typhoon APT Targets Service Providers ∗∗∗ --------------------------------------------- Amidst Volt Typhoon zero-day exploitation, Censys finds hundreds of exposed servers presenting ripe attack surface for attackers. --------------------------------------------- https://www.securityweek.com/censys-finds-hundreds-of-exposed-servers-as-vo… ∗∗∗ Telegram als Betrugsfalle ∗∗∗ --------------------------------------------- Der Kurznachrichtendienst Telegram ist spätestens seit der Verhaftung des Erfinders Pawel Durow in Paris in aller Munde. Telegram beschäftigt uns bei der Watchlist Internet aber schon viel länger. Kaum woanders gelingt es Kriminellen besser, Opfer in ihre Fallen zu locken. Insbesondere Investitionsbetrug, Schneeballsysteme und betrügerische Jobangebote sorgen teils für horrende Schadenssummen. Konsequenzen gibt es auf Telegram für die Kriminellen bisher keine. --------------------------------------------- https://www.watchlist-internet.at/news/telegram-als-betrugsfalle/ ∗∗∗ $2.5 million reward offered for hacker linked to notorious Angler Exploit Kit ∗∗∗ --------------------------------------------- Who doesnt fancy earning US $2.5 million? Thats the reward thats on offer from US authorities for information leading to the arrest and/or conviction of the man who allegedly was a key figure behind the development and distribution of the notorious Angler Exploit Kit. Read more in my article on the Tripwire State of Security blog. --------------------------------------------- https://www.tripwire.com/state-of-security/25-million-reward-offered-cyber-… ∗∗∗ Cisco: BlackByte ransomware gang only posting 20% to 30% of successful attacks ∗∗∗ --------------------------------------------- The BlackByte ransomware gang is only posting a fraction of its successful attacks on its leak site this year, according to researchers from Cisco. --------------------------------------------- https://therecord.media/blackbyte-ransomware-group-posting-fraction-of-leaks ∗∗∗ State-backed attackers and commercial surveillance vendors repeatedly use the same exploits ∗∗∗ --------------------------------------------- We’re sharing an update on suspected state-backed attacker APT29 and the use of exploits identical to those used by Intellexa and NSO. --------------------------------------------- https://blog.google/threat-analysis-group/state-backed-attackers-and-commer… ∗∗∗ The Big TIBER Encyclopedia ∗∗∗ --------------------------------------------- An analysis of current TIBER implementations ahead of DORA’s TLPT requirements Introduction TIBER (Threat Intelligence-Based Ethical Red Teaming) is a framework introduced by the European Central Bank (ECB) in 2018 as a response to the increasing number of cyber threats faced by financial institutions. The framework provides a .. --------------------------------------------- https://blog.nviso.eu/2024/08/29/the-big-tiber-encyclopedia/ ∗∗∗ The vulnerabilities we uncovered by fuzzing µC/OS protocol stacks ∗∗∗ --------------------------------------------- Fuzzing has long been one of our favorite ways to search for security issues or vulnerabilities in software, but when it comes to fuzzing popular systems used in ICS environments, it traditionally involved a custom hardware setup to fuzz the code in its native environment. --------------------------------------------- https://blog.talosintelligence.com/fuzzing-uc-os-protocol-stacks/ ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Family August 2024 First Round Security Update Advisory ∗∗∗ --------------------------------------------- https://asec.ahnlab.com/en/82727/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.08.2024
by Daily end-of-shift report 28 Aug '24

28 Aug '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 27-08-2024 18:00 − Mittwoch 28-08-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ ISPs infiltriert: Zero Day seit Monaten ausgenutzt ∗∗∗ --------------------------------------------- Eine Sicherheitslücke der Netzwerksoftware Versa Director (CVE-2024-39717) wird stärker ausgenutzt als zunächst bekannt. Bei mindestens drei Internet Service Providern (ISP) in den USA und einem außerhalb des Landes haben sich Angreifer eingenistet, um Kundenlogins und Passwörter im Klartext abzufangen, bevor sie gehasht und beim ISP gespeichert werden. [..] Der Angriff schlägt fehl, wenn die Versa-Patches installiert wurden oder wenn Port 4566 von Kundenroutern aus nicht erreichbar ist. Für Letzteres empfiehlt Versa bereits seit Jahren passende Firewall-Einstellungen und Systemhärtungen. --------------------------------------------- https://heise.de/-9849553 ∗∗∗ ADAC warnt: Die meisten Keyless-Systeme weiterhin leicht zu knacken ∗∗∗ --------------------------------------------- Der ADAC hat rund 700 Fahrzeuge mit Keyless-Schließsystem getestet. Mehr als 90 Prozent davon lassen sich per Relay-Angriff aus der Ferne öffnen und starten. --------------------------------------------- https://www.golem.de/news/adac-warnt-die-meisten-keyless-systeme-weiterhin-… ∗∗∗ Windows Downdate: Tool zum Öffnen alter Windows-Lücken veröffentlicht ∗∗∗ --------------------------------------------- Mit Windows Downdate können Windows-Komponenten wie DLLs, Treiber oder der NT-Kernel unbemerkt auf anfällige Versionen zurückgestuft werden. Das Tool ist nun öffentlich. --------------------------------------------- https://www.golem.de/news/windows-downdate-tool-zum-oeffnen-alter-windows-l… ∗∗∗ Betrügerische Abmahnung im Namen von Pornhub ∗∗∗ --------------------------------------------- „Letzte Mahnung vor Klageerhebung“ lautet der Betreff einer beunruhigenden E-Mail. Die Kanzlei Frommer Legal verschickt derzeit wahllos E-Mails, in denen behauptet wird, man habe urheberrechtlich geschützte Inhalte von Pornhub.com gestreamt. --------------------------------------------- https://www.watchlist-internet.at/news/abmahnung-pornhub/ ∗∗∗ Intels Software Guard Extensions broken? Dont panic ∗∗∗ --------------------------------------------- Today's news that Intel's Software Guard Extensions (SGX) security system is open to abuse may be overstated. [..] However, Intel has pointed out that not only would an attacker need physical access to a machine to make this work, but that string of issues would have to have been left unfixed. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2024/08/27/intel_root_k… ∗∗∗ New QR Code Phishing Campaign Exploits Microsoft Sway to Steal Credentials ∗∗∗ --------------------------------------------- Cybersecurity researchers are calling attention to a new QR code phishing (aka quishing) campaign that leverages Microsoft Sway infrastructure to host fake pages, once again highlighting the abuse of legitimate cloud offerings for malicious purposes. --------------------------------------------- https://thehackernews.com/2024/08/new-qr-code-phishing-campaign-exploits.ht… ∗∗∗ New LummaC2 Malware Variant Uses PowerShell, Obfuscation to Steal Data ∗∗∗ --------------------------------------------- Ontinue has discovered a new LummaC2 malware variant with increased activity, using PowerShell for initial infection and employing obfuscation and process injection to steal sensitive data. --------------------------------------------- https://hackread.com/lummac2-malware-variant-powershell-obfuscation-steal-d… ∗∗∗ Old devices, new dangers: The risks of unsupported IoT tech ∗∗∗ --------------------------------------------- Outdated devices can be easy targets, so by keeping them disconnected from the internet or discontinuing their use, you can feel safe and secure from any cyber harm through them. --------------------------------------------- https://www.welivesecurity.com/en/internet-of-things/old-devices-new-danger… ∗∗∗ CVE-2024-37079: VMware vCenter Server Integer Underflow Code Execution Vulnerability ∗∗∗ --------------------------------------------- A remote, unauthenticated attacker could exploit this vulnerability by sending a crafted DCERPC packet to the target server. Successfully exploiting this vulnerability could lead to a heap buffer overflow, which could result in the execution of arbitrary code in the context of the vulnerable service. [..] This vulnerability was patched by the vendor in June. At the time of the patch release, there was a fair amount of attention paid to this vulnerability. However, to date, there have been no attacks detected in the wild. --------------------------------------------- https://www.thezdi.com/blog/2024/8/27/cve-2024-37079-vmware-vcenter-server-… ∗∗∗ BlackByte blends tried-and-true tradecraft with newly disclosed vulnerabilities to support ongoing attacks ∗∗∗ --------------------------------------------- In recent investigations, Talos Incident Response has observed the BlackByte ransomware group using techniques that depart from their established tradecraft. --------------------------------------------- https://blog.talosintelligence.com/blackbyte-blends-tried-and-true-tradecra… ∗∗∗ Deep Analysis of Snake Keylogger’s New Variant ∗∗∗ --------------------------------------------- We performed a deep analysis on the campaign and discovered that it delivers a new variant of Snake Keylogger. --------------------------------------------- https://feeds.fortinet.com/~/903638177/0/fortinet/blogs~Deep-Analysis-of-Sn… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (calibre, dotnet8.0, dovecot, webkit2gtk4.0, and webkitgtk), Oracle (nodejs:20), Red Hat (bind, bind and bind-dyndb-ldap, postgresql:16, and squid), Slackware (kcron and plasma), SUSE (keepalived and webkit2gtk3), and Ubuntu (drupal7). --------------------------------------------- https://lwn.net/Articles/987519/ ∗∗∗ DSA-5759-1 python3.11 - security update ∗∗∗ --------------------------------------------- https://lists.debian.org/debian-security-announce/2024/msg00172.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.08.2024
by Daily end-of-shift report 27 Aug '24

27 Aug '24

===================== = End-of-Day report = ===================== Timeframe: Montag 26-08-2024 18:00 − Dienstag 27-08-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Hackers infect ISPs with malware that steals customers’ credentials ∗∗∗ --------------------------------------------- Zero-day that was exploited since June to infect ISPs finally gets fixed. --------------------------------------------- https://arstechnica.com/?p=2045401 ∗∗∗ Google tags a tenth Chrome zero-day as exploited this year ∗∗∗ --------------------------------------------- Today, Google revealed that it patched the tenth zero-day exploited in the wild in 2024 by attackers or security researchers during hacking contests. --------------------------------------------- https://www.bleepingcomputer.com/news/security/google-tags-a-tenth-chrome-z… ∗∗∗ Exposed and Encrypted: Inside a Mallox Ransomware Attack ∗∗∗ --------------------------------------------- Recently, a client enlisted the support of Trustwave to investigate an unauthorized access incident within its internal cloud-based environment, leading to the deployment of Mallox ransomware by threat actors to its server. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/exposed-and… ∗∗∗ Microsoft mistake blows up admins inboxes with fake malware alerts ∗∗∗ --------------------------------------------- Legitimate emails misclassified in software snafu Updated Many administrators have had a trying Monday after getting spammed out with false malware reports by Microsoft. --------------------------------------------- https://www.theregister.com/2024/08/26/microsoft_365_email_malware/ ∗∗∗ ThreatLabz Discovers 117 Vulnerabilities in Microsoft 365 Apps Via the SketchUp 3D Library - Part 2 ∗∗∗ --------------------------------------------- In Part 1 of this series, we’ve demonstrated how ThreatLabz reverse engineered the SketchUp 3D library in Microsoft 365 as well as the SKP file format. Furthermore, we developed two effective fuzzing harnesses.Microsoft published CVE-2023-28285 and CVE-2023-29344 (in April and May of 2023, respectively) to address the vulnerabilities .. --------------------------------------------- https://www.zscaler.com/blogs/security-research/threatlabz-discovers-117-vu… ∗∗∗ A malicious Pidgin plugin ∗∗∗ --------------------------------------------- The developers of the Pidgin chat program have announced that a malicious plugin had been listed on its third-party plugins list for over one month. This plugin included a key logger and could capture screenshots. It went unnoticed at the time that the plugin was not providing any source code and was only providing binaries for download. Going forward, we will be .. --------------------------------------------- https://lwn.net/Articles/987320/ ∗∗∗ WordPress GiveWP POP to RCE (CVE-2024-5932) ∗∗∗ --------------------------------------------- A few days ago, Wordfence published a blog post about a PHP Object Injection vulnerability affecting the popular WordPress Plugin GiveWP in all versions <= 3.14.1. Since the blog post contains only information about (a part) of the POP chain used, I decided to take a look and build a fully functional Remote Code Execution exploit. This post describes .. --------------------------------------------- https://www.rcesecurity.com/2024/08/wordpress-givewp-pop-to-rce-cve-2024-59… ∗∗∗ 7777 Botnet – Insights into a Multi-Target Botnet ∗∗∗ --------------------------------------------- Our latest research, a collaboration between Bitsight TRACE & the security researcher Gi7w0rm, has uncovered additional details & information about the 7777 Botnet. --------------------------------------------- https://www.bitsight.com/blog/7777-botnet-insights-multi-target-botnet ∗∗∗ NFC-Malware leert Bankkonten ∗∗∗ --------------------------------------------- Phishing und Malware kombiniert ein Angreifer, um Geldautomaten Bankkarten vorzuspielen und per NFC Geld abzuheben. Beobachtet wurde das in Tschechien. --------------------------------------------- https://heise.de/-9848256 ===================== = Vulnerabilities = ===================== ∗∗∗ Moodle: Remote Code Execution via Calculated Questions ∗∗∗ --------------------------------------------- Attackers with the permission to create or modify questions in Moodle courses are able to craft malicious inputs for calculated questions, which can be abused to execute arbitrary commands on the underlying system. --------------------------------------------- https://www.redteam-pentesting.de/en/advisories/rt-sa-2024-009/ ∗∗∗ ZDI-24-1182: Linux Kernel Netfilter Conntrack Type Confusion Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-1182/ ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- https://lwn.net/Articles/987393/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.08.2024
by Daily end-of-shift report 26 Aug '24

26 Aug '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 23-08-2024 18:00 − Montag 26-08-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Stealthy sedexp Linux malware evaded detection for two years ∗∗∗ --------------------------------------------- A stealthy Linux malware named sedexp has been evading detection since 2022 by using a persistence technique not yet included in the MITRE ATT&CK framework. --------------------------------------------- https://www.bleepingcomputer.com/news/security/stealthy-sedexp-linux-malwar… ∗∗∗ BSI: Prüfung der Sicherheit von Huawei bleibt ein Staatsgeheimnis ∗∗∗ --------------------------------------------- Da die Sicherheitsinteressen Deutschlands berührt sind, legt das BSI die technische Prüfung von Huawei nicht offen. Immerhin hat Golem.de erreicht, dass die Einstufung überprüft wurde. --------------------------------------------- https://www.golem.de/news/bsi-pruefung-der-sicherheit-von-huawei-bleibt-ein… ∗∗∗ DSGVO-Verstoß: Uber soll 290 Millionen Euro Geldstrafe zahlen ∗∗∗ --------------------------------------------- Dem beliebten Fahrdienst wird vorgeworfen, mehr als zwei Jahre lang sensible Fahrerdaten bei unzureichendem Schutz in die USA übermittelt zu haben. --------------------------------------------- https://www.golem.de/news/datenuebertragung-in-die-usa-uber-soll-290-millio… ∗∗∗ From Highly Obfuscated Batch File to XWorm and Redline, (Mon, Aug 26th) ∗∗∗ --------------------------------------------- If you follow my diaries, you probably already know that one of my favorite topics around malware is obfuscation. I&#;x26;#;39;m often impressed by the crazy techniques attackers use to .. --------------------------------------------- https://isc.sans.edu/diary/From+Highly+Obfuscated+Batch+File+to+XWorm+and+R… ∗∗∗ SonicWall Issues Critical Patch for Firewall Vulnerability Allowing Unauthorized Access ∗∗∗ --------------------------------------------- SonicWall has released security updates to address a critical flaw impacting its firewalls that, if successfully exploited, could grant malicious actors unauthorized access to the devices. The vulnerability, tracked as .. --------------------------------------------- https://thehackernews.com/2024/08/sonicwall-issues-critical-patch-for.html ∗∗∗ Cisco calls for United Nations to revisit cyber-crime convention ∗∗∗ --------------------------------------------- Echoes human rights groups concerns that it could suppress free speech and more Networking giant Cisco has suggested the United Nations first-ever convention against cyber-crime is dangerously flawed and should be revised before being put to a formal vote. --------------------------------------------- https://www.theregister.com/2024/08/22/cisco_criticizes_un_cybercrime_conve… ∗∗∗ Post-Quantum Cryptography: Standards and Progress ∗∗∗ --------------------------------------------- The National Institute of Standards and Technology (NIST) just released three finalized standards for post-quantum cryptography (PQC) covering public key encapsulation and two forms of digital signatures. In progress since 2016, this achievement represents a major milestone towards standards development that will keep information on the Internet secure and confidential for many years to come. --------------------------------------------- http://security.googleblog.com/2024/08/post-quantum-cryptography-standards.… ∗∗∗ Meta blockiert Whatsapp-Konten nach Hackerangriffen ∗∗∗ --------------------------------------------- Hierbei wurde die iranische Hackergruppe APT42 ins Visier genommen --------------------------------------------- https://www.derstandard.at/story/3000000233708/meta-blockiert-whatsapp-kont… ∗∗∗ CISA Adds One Known Exploited Vulnerability to Catalog for Versa Networks Director ∗∗∗ --------------------------------------------- CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of .. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/08/23/cisa-adds-one-known-expl… ∗∗∗ PEAKLIGHT: Decoding the Stealthy Memory-Only Malware ∗∗∗ --------------------------------------------- Mandiant identified a new memory-only dropper using a complex, multi-stage infection process. This memory-only dropper decrypts and executes a PowerShell-based downloader. This PowerShell-based downloader is being tracked as PEAKLIGHT. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/peaklight-decoding… ===================== = Vulnerabilities = ===================== ∗∗∗ Stable Channel Update for Desktop ∗∗∗ --------------------------------------------- http://chromereleases.googleblog.com/2024/08/stable-channel-update-for-desk… ∗∗∗ WPS Office Security Update Advisory ∗∗∗ --------------------------------------------- https://asec.ahnlab.com/en/82637/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.08.2024
by Daily end-of-shift report 23 Aug '24

23 Aug '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 22-08-2024 18:00 − Freitag 23-08-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Qilin ransomware now steals credentials from Chrome browsers ∗∗∗ --------------------------------------------- The Qilin ransomware group has been using a new tactic and deploys a custom stealer to steal account credentials stored in Google Chrome browser. --------------------------------------------- https://www.bleepingcomputer.com/news/security/qilin-ransomware-now-steals-… ∗∗∗ Hackers are exploiting critical bug in LiteSpeed Cache plugin ∗∗∗ --------------------------------------------- Hackers have already started to exploit the critical severity vulnerability that affects LiteSpeed Cache, a WordPress plugin used for accelerating response times, a day after technical details become public. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-are-exploiting-criti… ∗∗∗ Warnung vor Ebola-Infektion: Uni löst mit Phishing-Test unnötige Panik aus ∗∗∗ --------------------------------------------- Studenten und Mitarbeiter der UCSC haben per E-Mail eine falsche Warnung vor einer Ebola-Infektion auf dem Campus erhalten. Der CISO der Uni entschuldigt sich. --------------------------------------------- https://www.golem.de/news/warnung-vor-ebola-infektion-phishing-test-an-eine… ∗∗∗ Mäh- und Saugroboter: Ecovacs will Spionagelücken nun doch angehen ∗∗∗ --------------------------------------------- Mehrere Mäh- und Saugroboter von Ecovacs lassen sich von Angreifern übernehmen. Erst wollte der Hersteller gar nicht patchen, doch nun kommt die Kehrtwende. --------------------------------------------- https://www.golem.de/news/hersteller-lenkt-ein-ecovacs-arbeitet-nun-doch-an… ∗∗∗ WordPress Websites Used to Distribute ClearFake Trojan Malware ∗∗∗ --------------------------------------------- Unfortunately, scams are all over the place, and anybody who has surfed the web should know this. We’ve all gotten phishing emails, or redirected to questionable websites at some point or another. Being on your guard is an important posture to take online, and part of that is knowing how to identify threats, scams, or places you shouldn’t visit .. --------------------------------------------- https://blog.sucuri.net/2024/08/wordpress-websites-used-to-distribute-clear… ∗∗∗ Chinese Hackers Exploit Zero-Day Cisco Switch Flaw to Gain System Control ∗∗∗ --------------------------------------------- Details have emerged about a China-nexus threat groups exploitation of a recently disclosed, now-patched security flaw in Cisco switches as a zero-day to seize control of the appliances and evade detection.The activity, attributed to Velvet Ant, was .. --------------------------------------------- https://thehackernews.com/2024/08/chinese-hackers-exploit-zero-day-cisco.ht… ∗∗∗ Halliburton probes an issue disrupting business ops ∗∗∗ --------------------------------------------- What could the problem be? Reportedly, a cyberattack American oil giant Halliburton is investigating an "issue," reportedly a cyberattack, that has disrupted some business operations and global networks. --------------------------------------------- https://www.theregister.com/2024/08/22/halliburton_investigates_incident_am… ∗∗∗ Bling Libra’s Tactical Evolution: The Threat Actor Group Behind ShinyHunters Ransomware ∗∗∗ --------------------------------------------- We analyze a recent incident by Bling Libra, the group behind ShinyHunters ransomware as they shift from data theft to extortion, exploiting AWS credentials. --------------------------------------------- https://unit42.paloaltonetworks.com/shinyhunters-ransomware-extortion/ ∗∗∗ CrowdStrike Outage Timeline and Analysis ∗∗∗ --------------------------------------------- Bitsights analysis of the CrowdStrike outage and timeline mysteries. --------------------------------------------- https://www.bitsight.com/blog/crowdstrike-outage-timeline-and-analysis ∗∗∗ A Global Treaty to Fight Cybercrime—Without Combating Mercenary Spyware: Article by Kate Robertson in Lawfare ∗∗∗ --------------------------------------------- In an article for Lawfare, the Citizen Labs senior research associate Kate Robertson analyzes how, in its current form, the draft treaty is poised "to become a vehicle for complicity in the global mercenary spy trade." --------------------------------------------- https://citizenlab.ca/2024/08/a-global-treaty-to-fight-cybercrime-without-c… ===================== = Vulnerabilities = ===================== ∗∗∗ SonicOS Improper Access Control Vulnerability ∗∗∗ --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0015 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.08.2024
by Daily end-of-shift report 22 Aug '24

22 Aug '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 21-08-2024 18:00 − Donnerstag 22-08-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Google fixes ninth Chrome zero-day exploited in attacks this year ∗∗∗ --------------------------------------------- Today, Google released a new Chrome emergency security update to patch a zero-day vulnerability, the ninth one tagged as exploited this year. --------------------------------------------- https://www.bleepingcomputer.com/news/security/google-fixes-tenth-actively-… ∗∗∗ U.S. charges Karakurt extortion gang’s “cold case” negotiator ∗∗∗ --------------------------------------------- A member of the Russian Karakurt ransomware group has been charged in the U.S. for money laundering, wire fraud, and extortion crimes. --------------------------------------------- https://www.bleepingcomputer.com/news/legal/us-charges-karakurt-extortion-g… ∗∗∗ Löschpflicht und Sicherheitslücken: Bußgelder wegen Datenschutzverstößen häufen sich ∗∗∗ --------------------------------------------- In Hamburg wurden bereits jetzt mehr Bußgeldverfahren wegen Datenschutzverstößen abgeschlossen als im Kalenderjahr 2023. Die Strafen sind mitunter hoch. --------------------------------------------- https://www.golem.de/news/loeschpflicht-und-sicherheitsluecken-bussgelder-w… ∗∗∗ Memory corruption vulnerabilities in Suricata and FreeRDP ∗∗∗ --------------------------------------------- While pentesting KasperskyOS-based Thin Client and IoT Secure Gateway, we found several vulnerabilities in the Suricata and FreeRDP open-source projects. We shared details on these vulnerabilities with the community along with our fuzzer. --------------------------------------------- https://securelist.com/suricata-freerdp-memory-corruption/113489/ ∗∗∗ Windows Security best practices for integrating and managing security tools ∗∗∗ --------------------------------------------- We examine the recent CrowdStrike outage and provide a technical overview of the root cause. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2024/07/27/windows-security-b… ∗∗∗ Understanding the ‘Morphology’ of Ransomware: A Deeper Dive ∗∗∗ --------------------------------------------- Ransomware isnt just about malware. Its about brands, trust, and the shifting allegiances of cybercriminals. --------------------------------------------- https://www.securityweek.com/understanding-the-morphology-of-ransomware-a-d… ∗∗∗ Recall: Microsofts umstrittenes "Überwachungs"-Feature kommt zurück ∗∗∗ --------------------------------------------- Nach heftigen Sicherheitsbedenken will das Unternehmen bei der neuen KI-Funktion nachgebessert haben --------------------------------------------- https://www.derstandard.at/story/3000000233374/recall-microsofts-umstritten… ∗∗∗ BLUUID: Firewallas, Diabetics, And… Bluetooth ∗∗∗ --------------------------------------------- Dive into the fascinating and overlooked realm of Bluetooth Low Energy (BTLE) security in GreyNoise Labs latest blog post. Learn techniques for remote device identification, uncover vulnerabilities, and explore the broader implications for IoT and healthcare. --------------------------------------------- https://www.greynoise.io/blog/bluuid-firewallas-diabetics-and-bluetooth ∗∗∗ PEAKLIGHT: Decoding the Stealthy Memory-Only Malware ∗∗∗ --------------------------------------------- Mandiant identified a new memory-only dropper using a complex, multi-stage infection process. This memory-only dropper decrypts and executes a PowerShell-based downloader. This PowerShell-based downloader is being tracked as PEAKLIGHT.OverviewMandiant Managed Defense identified a memory-only dropper and downloader delivering .. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/peaklight-decoding… ∗∗∗ Angreifer können Ciscos VoIP-System Unified Communications Manager lahmlegen ∗∗∗ --------------------------------------------- Aufgrund von Sicherheitslücken sind Attacken auf mehrere Cisco-Produkte möglich. Updates sind verfügbar. --------------------------------------------- https://heise.de/-9843447 ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Unified Communications Manager Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Identity Services Engine REST API Blind SQL Injection Vulnerabilities ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Identity Services Engine Sensitive Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Identity Services Engine Cross-Site Request Forgery Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Unified Communications Manager Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Atlassian Jira August 2024 Security Update Advisory ∗∗∗ --------------------------------------------- https://asec.ahnlab.com/en/82562/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.08.2024
by Daily end-of-shift report 21 Aug '24

21 Aug '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 20-08-2024 18:00 − Mittwoch 21-08-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ CrowdStrike unhappy with “shady commentary” from competitors after outage ∗∗∗ --------------------------------------------- Botched update leads to claims that competitors are "ambulance chasing." --------------------------------------------- https://arstechnica.com/?p=2044431 ∗∗∗ GitHub Enterprise Server vulnerable to critical auth bypass flaw ∗∗∗ --------------------------------------------- A critical vulnerability affecting multiple versions of GitHub Enterprise Server could be exploited to bypass authentication and enable an attacker to gain administrator privileges on the machine. --------------------------------------------- https://www.bleepingcomputer.com/news/security/github-enterprise-server-vul… ∗∗∗ Großer Chipkonzern: Cyberangriff stört Produktion von Microchip Technology ∗∗∗ --------------------------------------------- Die Produktionskapazitäten des Chipherstellers sind derzeit eingeschränkt. Ursache ist eine Cyberattacke, deren Ausmaß aktuell untersucht wird. --------------------------------------------- https://www.golem.de/news/grosser-chipkonzern-cyberangriff-stoert-produktio… ∗∗∗ Sicherheitsprobleme: Lastenrad-Skandal weitet sich aus ∗∗∗ --------------------------------------------- Niederländische Verbraucherschützer untersuchen weitere Lastenradhersteller, weil dort ebenfalls gravierende Mängel aufgetreten sind. --------------------------------------------- https://www.golem.de/news/sicherheitsprobleme-lastenrad-skandal-weitet-sich… ∗∗∗ Plane tracker FlightAware admits user passwords, SSNs exposed for years ∗∗∗ --------------------------------------------- Notification omits a number of key details Popular flight-tracking app FlightAware has admitted that it was exposing a bunch of users data for more than three years. --------------------------------------------- https://www.theregister.com/2024/08/20/flightaware_data_exposure/ ∗∗∗ An AWS Configuration Issue Could Expose Thousands of Web Apps ∗∗∗ --------------------------------------------- Amazon has updated its instructions for how customers should more securely implement AWSs traffic-routing service known as Application Load Balancer, but its not clear everyone will get the memo. --------------------------------------------- https://www.wired.com/story/aws-application-load-balancer-implementation-co… ∗∗∗ Teach a Man to Phish ∗∗∗ --------------------------------------------- I decided to give away all of my phishing secrets for free. I realized at some point that I have been giving away phishing secrets for years, but only to select individuals, and only one at a time. That method of knowledge dissemination is terribly inefficient! So here it is, I’ve written it down for you instead. --------------------------------------------- https://posts.specterops.io/teach-a-man-to-phish-43528846e382 ∗∗∗ CISA Adds Four Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CISA has added four new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/08/21/cisa-adds-four-known-exp… ∗∗∗ CPU-Sicherheitsleck Sinkclose: Firmware-Update auch für AMDs Ryzen 3000 ∗∗∗ --------------------------------------------- Die CPU-Sicherheitslücke "Sinkclose" ermöglicht Angreifern das Einschleusen von Schadcode. Für ältere CPUs waren erst keine Updates geplant. --------------------------------------------- https://heise.de/-9842780 ===================== = Vulnerabilities = ===================== ∗∗∗ Unauthenticated information leak in Bosch IP cameras ∗∗∗ --------------------------------------------- BOSCH-SA-659648: A vulnerability was discovered in internal testing of Bosch IP cameras of families CPP13 and CPP14, that allows an unauthenticated attacker to retrieve video analytics event data. No video data is leaked through this vulnerability. --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-659648.html ∗∗∗ DSA-5752-1 dovecot - security update ∗∗∗ --------------------------------------------- https://lists.debian.org/debian-security-announce/2024/msg00165.html ∗∗∗ [20240803] - Core - XSS in HTML Mail Templates ∗∗∗ --------------------------------------------- https://developer.joomla.org:443/security-centre/944-20240803-core-xss-in-h… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.08.2024
by Daily end-of-shift report 20 Aug '24

20 Aug '24

===================== = End-of-Day report = ===================== Timeframe: Montag 19-08-2024 18:00 − Dienstag 20-08-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Windows driver zero-day exploited by Lazarus hackers to install rootkit ∗∗∗ --------------------------------------------- The notorious North Korean Lazarus hacking group exploited a zero-day flaw in the Windows AFD.sys driver to elevate privileges and install the FUDModule rootkit on targeted systems. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/windows-driver-zero-day-exp… ∗∗∗ Solaranlagen und die Cloud: Entwickler befürchtet Kollaps europäischer Stromnetze ∗∗∗ --------------------------------------------- Moderne Solaranlagen sind häufig mit Clouddiensten der Hersteller verbunden. Ein Entwickler sieht darin eine große Gefahr für unsere Energieversorgung. --------------------------------------------- https://www.golem.de/news/solaranlagen-und-die-cloud-entwickler-befuerchtet… ∗∗∗ Approach to mainframe penetration testing on z/OS ∗∗∗ --------------------------------------------- We explain how mainframes work, potential attack vectors, and what to focus on when pentesting such systems. --------------------------------------------- https://securelist.com/zos-mainframe-pentesting/113427/ ∗∗∗ Hacking Wireless Bicycle Shifters ∗∗∗ --------------------------------------------- This is yet another insecure Internet-of-things story, this one about wireless gear shifters for bicycles. These gear shifters are used in big-money professional bicycle races like the Tour de France, which provides an incentive to actually .. --------------------------------------------- https://www.schneier.com/blog/archives/2024/08/hacking-wireless-bicycle-shi… ∗∗∗ Ransomware Victims Paid $460 Million in First Half of 2024 ∗∗∗ --------------------------------------------- Ransomware payments in H1 2024 totaled nearly $460 million and $1.58 billion have been stolen in cryptocurrency heists. --------------------------------------------- https://www.securityweek.com/ransomware-victims-paid-460-million-in-first-h… ∗∗∗ Critical Flaw in Donation Plugin Exposed 100,000 WordPress Sites to Takeover ∗∗∗ --------------------------------------------- A critical vulnerability in the GiveWP WordPress plugin could be exploited for remote code execution and arbitrary file deletion. --------------------------------------------- https://www.securityweek.com/critical-flaw-in-donation-plugin-exposed-10000… ∗∗∗ Navigating the Uncharted: A Framework for Attack Path Discovery ∗∗∗ --------------------------------------------- This is the second post in a series on Identity-Driven Offensive Tradecraft, which is also the focus of the new course we will launch in October. In the previous post, I asked, “How does one discover and abuse new attack paths?” To start answering .. --------------------------------------------- https://posts.specterops.io/navigating-the-uncharted-a-framework-for-attack… ∗∗∗ Selling Ransomware Breaches: 4 Trends Spotted on the RAMP Forum ∗∗∗ --------------------------------------------- The sale and purchase of unauthorized access to compromised enterprise networks has become a linchpin for cybercriminal operations, particularly in facilitating ransomware attacks. --------------------------------------------- https://www.rapid7.com/blog/post/2024/08/20/selling-ransomware-breaches-4-t… ∗∗∗ Challenges in Automating and Scaling Remote Vulnerability Detection ∗∗∗ --------------------------------------------- We cover investments that Bitsight is making to greatly scale out our vulnerability coverage in record time through automation. --------------------------------------------- https://www.bitsight.com/blog/challenges-automating-and-scaling-remote-vuln… ∗∗∗ Österreichs Innenminister will Messenger ausspionieren ∗∗∗ --------------------------------------------- Österreichs Geheimdienste sollen mehr Befugnisse erhalten, Malware einschleusen und WLAN-Catcher nutzen dürfen. Das beantragt die Regierungspartei ÖVP. --------------------------------------------- https://heise.de/-9840256 ∗∗∗ Softwareentwicklung: Schadcode-Attacken auf Jenkins-Server beobachtet ∗∗∗ --------------------------------------------- Derzeit nutzen Angreifer eine kritische Lücke im Software-System Jenkins aus. Davon sind auch Instanzen in Deutschland bedroht. --------------------------------------------- https://heise.de/-9840463 ===================== = Vulnerabilities = ===================== ∗∗∗ SolarWinds Product Security Update Advisory (CVE-2024-28986) ∗∗∗ --------------------------------------------- https://asec.ahnlab.com/en/82529/ ∗∗∗ Intel Family Security Update Advisory ∗∗∗ --------------------------------------------- https://asec.ahnlab.com/en/82531/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.08.2024
by Daily end-of-shift report 19 Aug '24

19 Aug '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 16-08-2024 18:00 − Montag 19-08-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Nachbetrachtung: Windows und die TCP-IP-Schwachstelle CVE-2024-38063 ∗∗∗ --------------------------------------------- Zum 13. August 2024 wurde die 0-day-Schwachstelle CVE-2024-38063 in Windows bekannt. Es handelt sich um eine Remote-Code-Execution-Schwachstelle in der TCP/IP-Implementierung von Windows steckt. Angreifer können über IPv6-Pakete einen Host kompromittieren und dort Code ausführen. Weben der Bewertung mit dem CVEv3 Score 9.8 (critical, "Exploitation More Likely") empfiehlt Redmond Administratoren momentan IPv6 zu deaktivieren, hat aber auch Sicherheitsupdates für Windows bereitgestellt. Hier sollten Administratoren also reagieren. --------------------------------------------- https://www.borncity.com/blog/2024/08/16/nachbetrachtung-windows-und-die-tc… ∗∗∗ Technical Analysis: CVE-2024-38021 ∗∗∗ --------------------------------------------- Recently, Morphisec researchers discovered a vulnerability in Microsoft Outlook that can lead to remote code execution (RCE). This vulnerability, identified as CVE-2024-38021, highlights a significant security flaw within the Microsoft Outlook application, potentially allowing attackers to execute arbitrary code without requiring prior authentication. --------------------------------------------- https://blog.morphisec.com/technical-analysis-cve-2024-38021 ∗∗∗ New Mad Liberator gang uses fake Windows update screen to hide data theft ∗∗∗ --------------------------------------------- A new data extortion group tracked as Mad Liberator is targeting AnyDesk users and runs a fake Microsoft Windows update screen to distract while exfiltrating data from the target device. [..] It is unclear how the threat actor selects its targets but one theory, although yet to be proven, is that Mad Liberator tries potential addresses (AnyDesk connection IDs) until someone accepts the connection request. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-mad-liberator-gang-uses-… ∗∗∗ Chrome will redact credit cards, passwords when you share Android screen ∗∗∗ --------------------------------------------- While the flag doesn't work at the moment, it is supposed to hide sensitive form fields present on the page by redacting the entire screen. It's unclear when the feature will be rolled out to everyone in Chrome for Android, but you'll be able to try the feature in Chrome Canary in the next few weeks. --------------------------------------------- https://www.bleepingcomputer.com/news/google/chrome-will-redact-credit-card… ∗∗∗ AMD knickt ein: Ryzen 3000 erhält nun doch Patch gegen Sinkclose-Lücke ∗∗∗ --------------------------------------------- Ursprünglich wollte AMD Ryzen-3000-CPUs nicht gegen die Sinkclose-Lücke patchen. Nach reichlich Unmut in der Community folgt nun die Kehrtwende. --------------------------------------------- https://www.golem.de/news/amd-knickt-ein-ryzen-3000-erhaelt-nun-doch-patch-… ∗∗∗ Verbesserung der Netzwerksicherheit: Überwachung der Client-Kommunikation mit Velociraptor ∗∗∗ --------------------------------------------- SEC Defence, die Managed Incident Response-Einheit von SEC Consult, hat eine Reihe von Velociraptor-Artefakten entwickelt, die es ermöglichen, die aktuelle Netzwerkkommunikation auf registrierten Clients zu überwachen und bei bestimmten Verbindungen zu alarmieren, z. B. zu bekannten bösartigen IP-Adressen oder Verbindungen, die von bekannten bösartigen Prozessen erstellt wurden. --------------------------------------------- https://sec-consult.com/de/blog/detail/verbesserung-der-netzwerksicherheit-… ∗∗∗ Xeon Sender Tool Exploits Cloud APIs for Large-Scale SMS Phishing Attacks ∗∗∗ --------------------------------------------- Malicious actors are using a cloud attack tool named Xeon Sender to conduct SMS phishing and spam campaigns on a large scale by abusing legitimate services."Attackers can use Xeon to send messages through multiple software-as-a-service (SaaS) providers using valid credentials for the service providers," SentinelOne security researcher Alex Delamotte said in a report shared with The Hacker News. --------------------------------------------- https://thehackernews.com/2024/08/xeon-sender-tool-exploits-cloud-apis.html ∗∗∗ Microsoft Azure: Ab 15. Oktober 2024 MFA für Administratoren verpflichtend, aber "Aufschub" möglich ∗∗∗ --------------------------------------------- Microsoft hat gerade im M365 Admin-Nachrichten-Center bekannt gegeben, dass man bei Azure ab dem 15.10.2024 die Authentifizierung der Administratoren über MFA verlangt. Redmond gewährt aber Administratoren die Möglichkeit, diese Verpflichtung um insgesamt 5 Monate zu verschieben. --------------------------------------------- https://www.borncity.com/blog/2024/08/17/microsoft-azure-ab-15-oktober-2024… ∗∗∗ Unmasking Styx Stealer: How a Hacker’s Slip Led to an Intelligence Treasure Trove ∗∗∗ --------------------------------------------- The case of Styx Stealer is a compelling example of how even sophisticated cybercriminal operations can slip up due to basic security oversights. The creator of Styx Stealer revealed his personal details, including Telegram accounts, emails, and contacts, by debugging the stealer on his own computer with a Telegram bot token provided by a customer involved in the Agent Tesla campaign. This critical OpSec failure not only compromised his anonymity but also provided valuable intelligence about other cybercriminals, including the originator of the Agent Tesla campaign. --------------------------------------------- https://research.checkpoint.com/2024/unmasking-styx-stealer-how-a-hackers-s… ∗∗∗ "WireServing" Up Credentials: Escalating Privileges in Azure Kubernetes Services ∗∗∗ --------------------------------------------- Mandiant disclosed this vulnerability to Microsoft via the MSRC vulnerability disclosure program, and Microsoft has fixed the underlying issue. [..] Adopting a process to create restrictive NetworkPolicies that allow access only to required services prevents this entire attack class. Privilege escalation via an undocumented service is prevented when the service cannot be accessed at all. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/escalating-privile… ∗∗∗ Bericht: Pixel-Handys mit heimlicher, aber inaktiver Fernwartung ausgeliefert ∗∗∗ --------------------------------------------- Pixel-Smartphones wurden auf Wunsch Verizons mit Fernwartungssoftware ausgeliefert. Wenn aktiviert, kann sie unsicheren Code nachladen. --------------------------------------------- https://heise.de/-9836726 ∗∗∗ Jetzt patchen! Schadcode-Attacken auf Solarwinds Web Help Desk beobachtet ∗∗∗ --------------------------------------------- Angreifer nutzen derzeit eine kritische Schwachstelle Solarwinds Web Help Desk aus. Ein Sicherheitspatch ist verfügbar, kann aber mitunter für Probleme sorgen. --------------------------------------------- https://heise.de/-9838566 ∗∗∗ SIM-Swapping bleibt in Deutschland Randphänomen ∗∗∗ --------------------------------------------- Zahlreiche Medien warnen vor Schäden durch SIM-Swapping. Die Betrugsmasche bleibt in Deutschland jedoch selten. --------------------------------------------- https://heise.de/-9839531 ===================== = Vulnerabilities = ===================== ∗∗∗ Mehrere Sicherheitsschwachstellen in IDOL2 (uciIDOL) ∗∗∗ --------------------------------------------- Fünf schwerwiegende Sicherheitsschwachstellen wurden in der Zeiterfassungssoftware IDOL2 (uciIDOL) identifiziert. Sie ermöglichen es, die verschlüsselte Kommunikation zwischen Client und Server vollständig zu kompromittieren. Außerdem erlauben sie Remote Code Execution sowohl auf Client- als auch auf Serverseite. --------------------------------------------- https://www.syss.de/pentest-blog/mehrere-sicherheitsschwachstellen-in-idol-… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (python-asyncssh), Fedora (bind, bind-dyndb-ldap, httpd, and tor), SUSE (cosign, cpio, curl, expat, java-11-openjdk, ncurses, netty, netty-tcnative, opera, python-Django, python-Pillow, shadow, sudo, and wpa_supplicant), and Ubuntu (firefox). --------------------------------------------- https://lwn.net/Articles/986225/ ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2024-0004 ∗∗∗ --------------------------------------------- https://webkitgtk.org/security/WSA-2024-0004.html ∗∗∗ F5: K000140732: BIND vulnerability CVE-2024-1737 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000140732 ∗∗∗ Kubernetes: CVE-2024-7646 ∗∗∗ --------------------------------------------- https://github.com/kubernetes/kubernetes/issues/126744 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.08.2024
by Daily end-of-shift report 16 Aug '24

16 Aug '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 14-08-2024 18:00 − Freitag 16-08-2024 18:00 Handler: Alexander Riepl Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Opinion: More layers in malware campaigns are not a sign of sophistication ∗∗∗ --------------------------------------------- Ten infection and protection layers to deploy malware sounds impressive and very hard to deal with. However, adding more layers counterintuitively does the opposite for antivirus evasion and is not a sign of sophistication. Why is that so? --------------------------------------------- https://www.gdatasoftware.com/blog/2024/08/37995-malware-sophistication ∗∗∗ Ailurophile: New Infostealer sighted in the wild ∗∗∗ --------------------------------------------- We discovered a new stealer in the wild called "Ailurophile Stealer”. The stealer is coded in PHP and the source code indicates potential Vietnamese origins. It is available for purchase through a subscription model via its own webpage. Through the .. --------------------------------------------- https://www.gdatasoftware.com/blog/2024/08/38005-ailurophile-infostealer ∗∗∗ Tusk: unraveling a complex infostealer campaign ∗∗∗ --------------------------------------------- Kaspersky researchers discovered Tusk campaign with ongoing activity that uses Danabot and StealC infostealers and clippers to obtain cryptowallet credentials and system data. --------------------------------------------- https://securelist.com/tusk-infostealers-campaign/113367/ ∗∗∗ PrestaShop GTAG Websocket Skimmer ∗∗∗ --------------------------------------------- During a recent investigation we uncovered another credit card skimmer leveraging a web socket connection to steal credit card details from an infected PrestaShop website.While PrestaShop is not the most popular eCommerce solution for online stores it is still in the top 10 most common ecommerce platforms in use on the web, and clocks in at just .. --------------------------------------------- https://blog.sucuri.net/2024/08/prestashop-gtag-websocket-skimmer.html ∗∗∗ Ransomware Attacks on Industrial Firms Surged in Q2 2024 ∗∗∗ --------------------------------------------- Dragos has seen a significant increase in ransomware attacks on industrial organizations in Q2 2024 compared to the previous quarter. --------------------------------------------- https://www.securityweek.com/ransomware-attacks-on-industrial-firms-surged-… ∗∗∗ Leaked Environment Variables Allow Large-Scale Extortion Operation of Cloud Environments ∗∗∗ --------------------------------------------- We recount an extensive cloud extortion campaign leveraging exposed .env files of at least 110k domains to compromise organizations AWS environments. --------------------------------------------- https://unit42.paloaltonetworks.com/large-scale-cloud-extortion-operation/ ∗∗∗ New infostealer targets macOS devices, appears to have Russian links ∗∗∗ --------------------------------------------- Researchers have discovered new information-stealing malware labeled Banshee Stealer that is designed to breach Apple computers. --------------------------------------------- https://therecord.media/apple-macos-infostealer-banshee-stealer ∗∗∗ Iranian backed group steps up phishing campaigns against Israel, U.S. ∗∗∗ --------------------------------------------- Google’s Threat Analysis Group shares insights on APT42, an Iranian government-backed threat actor. --------------------------------------------- https://blog.google/threat-analysis-group/iranian-backed-group-steps-up-phi… ∗∗∗ Ransomware Prevention Guide for Managed Service Providers ∗∗∗ --------------------------------------------- This comprehensive ransomware prevention guide outlines a strategic approach to preventing ransomware attacks, drawing upon industry best practices, compelling statistics, and expert insights. --------------------------------------------- https://www.emsisoft.com/en/blog/45911/ransomware-prevention-guide-for-mana… ∗∗∗ Hacking Beyond.com — Enumerating Private TLDs ∗∗∗ --------------------------------------------- My story started a few months ago, when I performed a red team assessment for a major retail company. During the Open Source Reconnaissance (OSINT) phase, I reviewed the SSL certificates that included the client name. In these certificates I identified that the client owned its own top-level domain (TLD). A TLD is the last part of a domain name, the letters that come after .. --------------------------------------------- https://cloud.google.com/blog/topics/threat-intelligence/enumerating-privat… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (389-ds-base, dotnet8.0, python3.13, roundcubemail, thunderbird, and tor), Mageia (roundcubemail), Oracle (.NET 8.0, bind and bind-dyndb-ldap, bind9.16, container-tools:ol8, edk2, firefox, gnome-shell, grafana, httpd:2.4, jose, kernel, krb5, mod_auth_openidc:2.3, orc, poppler, python-urllib3, .. --------------------------------------------- https://lwn.net/Articles/985980/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily