=====================
= End-of-Day report =
=====================
Timeframe: Thursday 08-08-2024 18:00 − Friday 09-08-2024 18:00
Handler: Robert Waldner
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Malware force-installs Chrome extensions on 300,000 browsers, patches DLLs ∗∗∗
---------------------------------------------
An ongoing and widespread malware campaign force-installed malicious Google Chrome and Microsoft Edge browser extensions in over 300,000 browsers, modifying the browsers' executables to hijack homepages and steal browsing history.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/malware-force-installs-chrom…
∗∗∗ ‘Sinkclose’ Flaw in Hundreds of Millions of AMD Chips Allows Deep, Virtually Unfixable Infections ∗∗∗
---------------------------------------------
Researchers warn that a bug in AMD’s chips would allow attackers to root into some of the most privileged portions of a computer—and that it has persisted in the company’s processors for decades.
---------------------------------------------
https://www.wired.com/story/amd-chip-sinkclose-flaw/
∗∗∗ Windows Server at risk from PoC exploit for CVE-2024-38077 ∗∗∗
---------------------------------------------
Another follow-up to the July 2024 Patch Tuesday, on which Microsoft closed vulnerability CVE-2024-38077 in the Windows Remote Desktop Licensing service (RDL) of Windows Server. [..] a proof of concept (PoC) for this vulnerability has been published.
---------------------------------------------
https://www.borncity.com/blog/2024/08/09/windows-server-durch-poc-exploit-f…
∗∗∗ How Hackers Extracted the ‘Keys to the Kingdom’ to Clone HID Keycards ∗∗∗
---------------------------------------------
[HID] has actually known about the vulnerabilities [..] since sometime in 2023, when it was first informed about the technique by another security researcher [..] HID warned customers about the existence of a vulnerability that would allow hackers to clone keycards in an advisory in January, which includes recommendations about how customers can protect themselves—but it offered no software update at that time.
---------------------------------------------
https://www.wired.com/story/hid-keycard-authentication-key-vulnerability/
∗∗∗ ICANN reserves .internal for private use at the DNS level ∗∗∗
---------------------------------------------
The Internet Corporation for Assigned Names and Numbers (ICANN) has agreed to reserve the .internal top-level domain so it can become the equivalent to using the 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 IPv4 address blocks for internal networks. Those blocks are reserved for private use by the Internet Assigned Numbers Authority, which requires they never appear on the public internet.
---------------------------------------------
https://www.theregister.com/2024/08/08/dot_internal_ratified/
∗∗∗ New attack against the [Linux kernel] SLUB allocator ∗∗∗
---------------------------------------------
Researchers from Graz University of Technology have published details of a new attack on the Linux kernel called SLUBstack. The attack uses timing information to turn an ability to trigger use-after-free or double-free bugs into the ability to overwrite page tables, and thence into the ability to read and write arbitrary areas of memory. The good news is that this attack does require an existing bug to be usable; the bad news is that the kernel regularly sees bugs of this kind.
---------------------------------------------
https://lwn.net/Articles/984984/
∗∗∗ Fake videos: Van der Bellen & Assinger are not advertising investment platforms ∗∗∗
---------------------------------------------
We are currently seeing another wave of deepfake videos in which Austrian celebrities advertise investment platforms on Facebook and Instagram. Do not be fooled: neither Federal President Alexander van der Bellen nor TV presenter Armin Assinger have suddenly become financial experts who developed an investment platform. The platforms are fraudulent and the videos were created by criminals.
---------------------------------------------
https://www.watchlist-internet.at/news/fake-videos-van-der-bellen-assinger-…
∗∗∗ Confusion Attacks: Exploiting Hidden Semantic Ambiguity in Apache HTTP Server! ∗∗∗
---------------------------------------------
This article explores architectural issues within the Apache HTTP Server, highlighting several technical debts within Httpd, including 3 types of Confusion Attacks, 9 new vulnerabilities, 20 exploitation techniques, and over 30 case studies. [..] These vulnerabilities were reported through the official security mailing list and were addressed by the Apache HTTP Server in the 2.4.60 update published on 2024-07-01.
---------------------------------------------
https://devco.re/blog/2024/08/09/confusion-attacks-exploiting-hidden-semant…
∗∗∗ Best Practices for Cisco Device Configuration ∗∗∗
---------------------------------------------
In recent incidents, CISA has seen malicious cyber actors acquire system configuration files by leveraging available protocols or software on devices, such as abusing the legacy Cisco Smart Install feature. CISA recommends organizations disable Smart Install and review NSA’s Smart Install Protocol Misuse advisory and Network Infrastructure Security Guide for configuration guidance.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/08/08/best-practices-cisco-dev…
∗∗∗ Security researchers turn Sonos One speakers into a bugging device ∗∗∗
---------------------------------------------
Attackers can record conversations via the built-in microphone of Sonos One speakers. The security problem has since been fixed.
---------------------------------------------
https://heise.de/-9830061
=====================
= Vulnerabilities =
=====================
∗∗∗ Vulnerabilities in 1Password endanger macOS users [CVE-2024-42218, CVE-2024-42219] ∗∗∗
---------------------------------------------
1Password 8 for Mac contains two security holes that allow attackers to grab vault items from macOS users. [..] For an attack to succeed, however, with both holes the attacker must already be able to run their own software on the target system.
---------------------------------------------
https://www.golem.de/news/datenabfluss-moeglich-schwachstellen-in-1password…
∗∗∗ Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability [CVE-2024-38219] ∗∗∗
---------------------------------------------
Successful exploitation of this vulnerability requires an attacker to gather information specific to the environment and take additional actions prior to exploitation to prepare the target environment. Fixed in Microsoft Edge Version 127.0.2651.98 released 8/8/2024.
---------------------------------------------
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38219
∗∗∗ Microsoft Edge (HTML-based) Memory Corruption Vulnerability [CVE-2024-38218] ∗∗∗
---------------------------------------------
The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability. Fixed in Microsoft Edge Version 127.0.2651.98 released 8/8/2024.
---------------------------------------------
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38218
∗∗∗ Multiple vulnerabilities in LogSign ∗∗∗
---------------------------------------------
https://www.zerodayinitiative.com/advisories/ZDI-24-1102/
http://www.zerodayinitiative.com/advisories/ZDI-24-1103/
http://www.zerodayinitiative.com/advisories/ZDI-24-1104/
https://www.zerodayinitiative.com/advisories/ZDI-24-1105/
https://www.zerodayinitiative.com/advisories/ZDI-24-1106/
---------------------------------------------
https://support.logsign.net/hc/en-us/articles/20617133769362-07-08-2024-Ver…
∗∗∗ PostgreSQL relation replacement during pg_dump executes arbitrary SQL [CVE-2024-7348] ∗∗∗
---------------------------------------------
Time-of-check Time-of-use (TOCTOU) race condition in pg_dump in PostgreSQL allows an object creator to execute arbitrary SQL functions as the user running pg_dump, which is often a superuser. The attack involves replacing another relation type with a view or foreign table. The attack requires waiting for pg_dump to start, but winning the race condition is trivial if the attacker retains an open transaction. Versions before PostgreSQL 16.4, 15.8, 14.13, 13.16, and 12.20 are affected.
---------------------------------------------
https://www.postgresql.org/support/security/CVE-2024-7348/
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (httpd, kernel, kernel-rt, and libtiff), Debian (postgresql-13, postgresql-15, and thunderbird), Fedora (frr, thunderbird, vim, and xrdp), Gentoo (Librsvg, Nautilus, ncurses, Percona XtraBackup, QEMU, and re2c), Red Hat (httpd, kernel, kernel-rt, openssl, and python-setuptools), SUSE (bind, ffmpeg-4, kubernetes1.23, kubernetes1.24, python-Django, and python3-Twisted), and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-raspi, linux-xilinx-zynqmp, linux, linux-aws, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux, linux-aws, linux-gcp, linux-gke, linux-ibm, linux-nvidia, linux-nvidia-6.8, linux-oem-6.8, linux-nvidia-lowlatency, linux-oracle, linux-oracle, linux-oracle-5.4, and salt).
---------------------------------------------
https://lwn.net/Articles/984966/
∗∗∗ New FileSender 2.49 release with major changes ∗∗∗
---------------------------------------------
We are happy to announce the release of FileSender 2.49. This new release includes security updates that you should install. Also, it offers a few features and improvements, as well as many bug fixes.
---------------------------------------------
https://connect.geant.org/2024/08/08/new-filesender-2-49-release-with-major…
∗∗∗ 0.0.0.0 Day vulnerability has enabled attacks on browsers for 18 years ∗∗∗
---------------------------------------------
Security researchers have disclosed that attackers have exploited an 18-year-old, long-known flaw in Safari, Chrome and Firefox to break into private networks. The vulnerability, dubbed "0.0.0.0 Day", allows malicious websites to bypass browser security and interact with services running on an organisation's local network. This can lead to unauthorised access and remote code execution on local services by attackers outside the network. Browser vendors are now beginning to block this address.
---------------------------------------------
https://www.borncity.com/blog/2024/08/09/0-0-0-0-day-schwachstelle-ermglich…
∗∗∗ RaonSecure Product Security Advisory ∗∗∗
---------------------------------------------
Overview: RaonSecure has released an update to address a vulnerability in their products. Users of affected versions are advised to update to the latest version.
Affected Products: TouchEn nxKey version ~ 1.0.0.87 (included)
---------------------------------------------
https://asec.ahnlab.com/en/82372/
∗∗∗ LibreOffice: Ability to trust not validated macro signatures removed in high security mode [CVE-2024-6472] ∗∗∗
---------------------------------------------
https://www.libreoffice.org/about-us/security/advisories/CVE-2024-6472
∗∗∗ IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to multiple Vim-minimal Package Issues ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164174
∗∗∗ Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for July 2024. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7161907
∗∗∗ Multiple vulnerabilities in IBM Business Automation Workflow Machine Learning Server are addressed with 24.0.0-IF001 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164164
∗∗∗ IBM Cloud Pak for Data is vulnerable to unknown impact and attack vector due to Python certifi ( CVE-2022-23491 ) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164180
∗∗∗ IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to multiple Base OS issues ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164175
∗∗∗ IBM Cloud Pak for Data is vulnerable to session hijacking due to Node.js passport module ( CVE-2022-25896 ) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164201
∗∗∗ IBM Cloud Pak for Data is vulnerable to denial of service due to Node.js http-cache-semantics module ( CVE-2022-25881 ) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164225
∗∗∗ IBM Cloud Pak for Data is vulnerable to denial of service due to Node.js cookiejar module ( CVE-2022-25901 ) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164200
∗∗∗ IBM Cloud Pak for Data is vulnerable to cross-site scripting due to Jinja2 ( CVE-2024-34064 ) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164204
∗∗∗ IBM Cloud Pak for Data is vulnerable to denial of service due to Pallets Werkzeug ( CVE-2023-46136 ) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164208
∗∗∗ IBM Cloud Pak for Data is vulnerable to denial of service due to Express.js ( CVE-2022-24999 ) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164217
∗∗∗ IBM Cloud Pak for Data is vulnerable to several issues due to the go compiler ( CVE-2022-41724 CVE-2021-34558 ) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164255
∗∗∗ IBM Cloud Pak for Data is vulnerable to denial of service due to Rack ( CVE-2024-26146 ) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164274
∗∗∗ IBM Cloud Pak for Data is vulnerable to exposing sensitive information due to Masterminds GoUtils ( CVE-2021-4238 ) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164234
∗∗∗ IBM Cloud Pak for Data is vulnerable to denial of service due to Node.js semver ( CVE-2022-25883 ) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164266
∗∗∗ IBM Cloud Pak for Data is vulnerable to regular expression denial of service due to Rack ( CVE-2023-27539 ) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164269
∗∗∗ This Power System update is being released to address CVE-2024-41660 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7163146
∗∗∗ IBM Aspera Shares improved security for user session handling (CVE-2023-38018) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164325
∗∗∗ The IBM Engineering Lifecycle Engineering product using the -Xgc:concurrentScavenge option on IBM Z is vulnerable to Buffer overflow in GC ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164658
∗∗∗ The IBM Engineering Lifecycle Engineering product using IBM WebSphere Application Server is vulnerable to cross-site scripting (CVE-2024-35153) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164651
∗∗∗ The IBM Engineering Lifecycle Engineering product using IBM WebSphere Application Server is vulnerable to remote code execution (CVE-2024-35154) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164649
∗∗∗ The IBM Engineering Lifecycle Engineering product using IBM WebSphere Application Server is vulnerable to identity spoofing (CVE-2024-37532) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164653
∗∗∗ IBM Sterling Connect:Direct Web Service is affected by Java JWT vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164709
∗∗∗ There is a vulnerability in commons-compress-1.21.jar used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2024-25710, CVE-2024-26308) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164810
∗∗∗ There is a vulnerability in commons-compress-1.21.jar used by IBM Maximo Asset Management application (CVE-2024-25710, CVE-2024-26308) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164809
∗∗∗ Maximo Application Suite - IBM WebSphere Application Server Liberty is vulnerable to CVE-2024-27268 used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164814
∗∗∗ Maximo Application Suite - IBM WebSphere Application Server Liberty is vulnerable to CVE-2024-22354 used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164813
∗∗∗ Maximo Application Suite - IBM WebSphere Application Server Liberty is vulnerable to CVE-2023-51775 a denial of service due to jose4j ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164812
∗∗∗ Maximo Application Suite - IBM WebSphere Application Server Liberty is vulnerable to multiple CVEs used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7164811
∗∗∗ Multiple Vulnerabilities in XCC affect IBM Cloud Pak System ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7147906
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 07-08-2024 18:00 − Thursday 08-08-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ No patch in sight: Outlook's phishing warning can be hidden via email ∗∗∗
---------------------------------------------
On top of that, a phishing email in Outlook can also pretend to be encrypted or signed. For Microsoft, the issue currently has no priority.
---------------------------------------------
https://www.golem.de/news/kein-patch-in-sicht-phishing-warnung-in-outlook-l…
∗∗∗ Samsung boosts bug bounty to a cool million for cracks of the Knox Vault subsystem ∗∗∗
---------------------------------------------
Good luck, crackers: It's an isolated processor and storage enclave, and top dollar only comes from a remote attack. Samsung has dangled its first $1 million bug bounty for anyone who successfully compromises Knox Vault – the isolated subsystem the Korean giant bakes into its smartphones to store info like credentials and run authentication routines.
---------------------------------------------
https://www.theregister.com/2024/08/08/samsung_microsoft_big_bug_bounty/
∗∗∗ Using 1Password on Mac? Patch up if you don’t want your Vaults raided ∗∗∗
---------------------------------------------
Hundreds of thousands of users potentially vulnerable. Password manager 1Password is warning that all Mac users running versions before 8.10.36 are vulnerable to a bug that allows attackers to steal vault items.
---------------------------------------------
https://www.theregister.com/2024/08/08/using_1password_on_mac_patch/
∗∗∗ A Flaw in Windows Update Opens the Door to Zombie Exploits ∗∗∗
---------------------------------------------
A researcher found a vulnerability that would let hackers strategically downgrade a target’s Windows version to reexpose patched vulnerabilities. Microsoft is working on fixes for the issue.
---------------------------------------------
https://www.wired.com/story/windows-update-downdate-exploit/
∗∗∗ Vulnerabilities Exposed Widely Used Solar Power Systems to Hacking, Disruption ∗∗∗
---------------------------------------------
Vulnerabilities found in solar power systems could have been exploited by hackers to cause disruption and possibly blackouts.
---------------------------------------------
https://www.securityweek.com/vulnerabilities-exposed-widely-used-solar-powe…
∗∗∗ Royal Ransomware Actors Rebrand as “BlackSuit,” FBI and CISA Release Update to Advisory ∗∗∗
---------------------------------------------
Today, CISA—in partnership with the Federal Bureau of Investigation (FBI)—released an update to joint Cybersecurity Advisory #StopRansomware: Royal Ransomware, #StopRansomware: BlackSuit (Royal) Ransomware. The updated advisory provides network ..
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/08/07/royal-ransomware-actors-…
∗∗∗ US offers $10 million for info on Iranian leaders behind CyberAv3ngers water utility attacks ∗∗∗
---------------------------------------------
The U.S. State Department identified at least six Iranian government hackers allegedly responsible for a string of attacks on U.S. water utilities last fall and offered a large reward for information on their whereabouts.
---------------------------------------------
https://therecord.media/us-offers-reward-for-info-on-iranian-hackers-water-…
∗∗∗ BOTNET 7777: ARE YOU BETTING ON A COMPROMISED ROUTER? ∗∗∗
---------------------------------------------
A “7777 botnet” was first referenced in public reporting in October 2023 by Gi7w0rm. At the time, it was described as a botnet with approximately 10,000 nodes, observed primarily in brute-force attacks against Microsoft Azure instances. These attacks ..
---------------------------------------------
https://www.team-cymru.com/post/botnet-7777-are-you-betting-on-a-compromise…
∗∗∗ Go deeper: Linux runtime visibility meets Wireshark ∗∗∗
---------------------------------------------
Aqua Tracee is an open source runtime security and forensics tool for Linux, built to address common Linux security issues. Tracee’s main use case is to be installed in a production environment and continuously monitor system activity and detect suspicious behavior. Some alternative use cases which Tracee can be used for are dynamic malware analysis, system tracing, ..
---------------------------------------------
https://blog.aquasec.com/go-deeper-linux-runtime-visibility-meets-wireshark
∗∗∗ PureHVNC Deployed via Python Multi-stage Loader ∗∗∗
---------------------------------------------
FortiGuard Labs reveals that the malware "PureHVNC", sold on a cybercrime forum, is spreading through a phishing campaign targeting employees via a Python multi-stage loader.
---------------------------------------------
https://www.fortinet.com/blog/threat-research/purehvnc-deployed-via-python-…
∗∗∗ Cisco: Attackers can execute commands on IP phones, no update coming ∗∗∗
---------------------------------------------
There will be no updates for critical vulnerabilities in Cisco IP phones. A proof-of-concept exploit has surfaced for a recently reported vulnerability.
---------------------------------------------
https://heise.de/-9827988
=====================
= Vulnerabilities =
=====================
∗∗∗ DSA-5743-1 roundcube - security update ∗∗∗
---------------------------------------------
https://lists.debian.org/debian-security-announce/2024/msg00154.html
∗∗∗ Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerabilities ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Small Business SPA300 Series and SPA500 Series IP Phones Web UI Vulnerabilities ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 06-08-2024 18:00 − Wednesday 07-08-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Switzerland: Cow dies after cyberattack on milking robot ∗∗∗
---------------------------------------------
The attackers demanded a ransom. Because the farmer did not want to pay, he has been denied access to important information about his cows.
---------------------------------------------
https://www.golem.de/news/schweiz-kuh-stirbt-nach-cyberangriff-auf-melkrobo…
∗∗∗ New Linux Kernel Exploit Technique SLUBStick Discovered by Researchers ∗∗∗
---------------------------------------------
Cybersecurity researchers have shed light on a novel Linux kernel exploitation technique dubbed SLUBStick that could be exploited to elevate a limited heap vulnerability to an arbitrary memory read-and-write primitive. "Initially, it exploits ..
---------------------------------------------
https://thehackernews.com/2024/08/new-linux-kernel-exploit-technique.html
∗∗∗ Roundcube Webmail Flaws Allow Hackers to Steal Emails and Passwords ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed details of security flaws in the Roundcube webmail software that could be exploited to execute malicious JavaScript in a victim's web browser and steal sensitive information from their account under specific ..
---------------------------------------------
https://thehackernews.com/2024/08/roundcube-webmail-flaws-allow-hackers.html
∗∗∗ CrowdStrike hires outside security outfits to review troubled Falcon code ∗∗∗
---------------------------------------------
And reveals the small mistake that bricked 8.5M Windows boxes. CrowdStrike has hired two outside security firms to review its threat-detection suite Falcon that sparked a global IT outage last month - though it may not have an awful lot ..
---------------------------------------------
https://www.theregister.com/2024/08/07/crowdstrike_full_incident_root_cause…
∗∗∗ Police take just 2 days to recover $40M stolen in business email scam ∗∗∗
---------------------------------------------
Timor-Leste is a known cybercrime hotspot. Two days is all it took for Interpol to recover more than $40 million worth of stolen funds in a recent business email compromise (BEC) heist, the international cop shop said this week.
---------------------------------------------
https://www.theregister.com/2024/08/07/police_take_just_two_days/
∗∗∗ Small CSS tweaks can help nasty emails slip through Outlook's anti-phishing net ∗∗∗
---------------------------------------------
A simple HTML change and the warning is gone! Researchers say cybercriminals can have fun bypassing one of Microsoft's anti-phishing measures in Outlook with some simple CSS tweaks.
---------------------------------------------
https://www.theregister.com/2024/08/07/small_css_tweaks_can_help/
∗∗∗ BloodHound Operator — Dog Whispering Reloaded ∗∗∗
---------------------------------------------
Back in the BloodHound “Legacy” days, I wrote some PowerShell tooling to make my life easy and automate various tasks around BloodHound. When the new BloodHound came out, most of these tools ..
---------------------------------------------
https://posts.specterops.io/bloodhound-operator-dog-whispering-reloaded-156…
∗∗∗ CISA Releases Secure by Demand Guidance ∗∗∗
---------------------------------------------
Today, CISA and the Federal Bureau of Investigation (FBI) have released Secure by Demand Guide: How Software Customers Can Drive a Secure Technology Ecosystem to help organizations drive a secure technology ecosystem by ensuring their software manufacturers prioritize secure technology from the start. An organization’s acquisition staff often has a general ..
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/08/06/cisa-releases-secure-dem…
∗∗∗ Attention: Microsoft's UEFI certificate expires on 19 Oct. 2026 – Secure Boot affected ∗∗∗
---------------------------------------------
[English] I am posting a topic here on the blog that still has "a few days' time" but could have very unpleasant consequences. In autumn 2026 a certificate in Windows expires which, in UEFI, ensures that the ..
---------------------------------------------
https://www.borncity.com/blog/2024/08/07/achtung-microsofts-uefi-zertifikat…
∗∗∗ Looking back at the ballot – securing the general election ∗∗∗
---------------------------------------------
NCSC CEO Felicity Oswald shares reflections on keeping the 2024 General Election safe.
---------------------------------------------
https://www.ncsc.gov.uk/blog-post/looking-back-at-the-ballot-securing-the-g…
∗∗∗ The Risks of Parked Domains ∗∗∗
---------------------------------------------
Many organizations view parked domains as dormant, low-risk, and not worth the investment in robust security measures. This is a misconception. Here's why.
---------------------------------------------
https://www.bitsight.com/blog/risks-parked-domains
=====================
= Vulnerabilities =
=====================
∗∗∗ DSA-5739-1 wpa - security update ∗∗∗
---------------------------------------------
Rory McNamara reported a local privilege escalation in wpasupplicant: A user able to escalate to the netdev group can load arbitrary shared object files in the context of the wpa_supplicant process running as root.
---------------------------------------------
https://lists.debian.org/debian-security-announce/2024/msg00151.html
=====================
= End-of-Day report =
=====================
Timeframe: Monday 05-08-2024 18:00 − Tuesday 06-08-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Mac and Windows users infected by software updates delivered over hacked ISP ∗∗∗
---------------------------------------------
DNS poisoning attack worked even when targets used DNS from Google and Cloudflare.
---------------------------------------------
https://arstechnica.com/?p=2041175
∗∗∗ Microsoft Bounty Program Year in Review: $16.6M in Rewards ∗∗∗
---------------------------------------------
We are excited to announce that this year the Microsoft Bounty Program has awarded $16.6M in bounty awards to 343 security researchers from 55 countries, securing Microsoft customers in partnership with the Microsoft Security Response Center (MSRC). Each year we identify over a thousand potential security issues together, safeguarding our customers from possible threats through the Microsoft Bounty Program.
---------------------------------------------
https://msrc.microsoft.com/blog/2024/08/microsoft-bounty-program-year-in-re…
∗∗∗ A Survey of Scans for GeoServer Vulnerabilities ∗∗∗
---------------------------------------------
A little bit over a year ago, I wrote about scans for GeoServer. GeoServer is a platform to process geographic data. It makes it easy to share geospatial data in various common standard formats. Recently, new vulnerabilities were discovered in GeoServer, prompting me to look again at what our honeypots pick up.
---------------------------------------------
https://isc.sans.edu/diary/A+Survey+of+Scans+for+GeoServer+Vulnerabilities/…
∗∗∗ MDM vendor Mobile Guardian attacked, leading to remote wiping of 13,000 devices ∗∗∗
---------------------------------------------
Singapore Ministry of Education orders software removed after a string of snafus. UK-based mobile device management vendor Mobile Guardian has admitted that on August 4 it suffered a security incident that involved unauthorized access to iOS and ChromeOS devices managed by its tools, which are currently unavailable. In Singapore, the incident resulted in ..
---------------------------------------------
https://www.theregister.com/2024/08/06/mobile_guardian_mdm_attack/
∗∗∗ Bad apps bypass Windows security alerts for six years using newly unveiled trick ∗∗∗
---------------------------------------------
Windows SmartScreen and Smart App Control both have weaknesses of which to be wary. Elastic Security Labs has lifted the lid on a slew of methods available to attackers who want to run malicious apps without triggering Windows security ..
---------------------------------------------
https://www.theregister.com/2024/08/06/bad_apps_bypass_windows_security/
∗∗∗ Olympics: cybercriminals demand ransom after attack on museums in France ∗∗∗
---------------------------------------------
More than 40 institutions are affected, including the Olympic venue Grand Palais. The criminals attacked the system used to centralise financial data.
---------------------------------------------
https://www.derstandard.at/story/3000000231309/olympia-cyber-attacke-auf-mu…
∗∗∗ IoT firmware emulation and device fingerprinting challenges ∗∗∗
---------------------------------------------
Gathering information on a device could be tricky if you don’t have direct access to exposed services like SNMP, HTTP, FTP, or any other ports or protocols which could provide relevant information on the asset like the ..
---------------------------------------------
https://medium.com/tenable-techblog/iot-firmware-emulation-and-device-finge…
∗∗∗ Rapid7’s Ransomware Radar Report Shows Threat Actors are Evolving …Fast. ∗∗∗
---------------------------------------------
The Ransomware Radar Report offers some startling insights into who ransomware threat actors are and how they’ve been operating in the first half of 2024.
---------------------------------------------
https://www.rapid7.com/blog/post/2024/08/06/rapid7s-ransomware-radar-report…
∗∗∗ LKA Niedersachsen warns of phishing with QR codes sent by post ∗∗∗
---------------------------------------------
Fraudsters are using postal letters to find victims who scan a QR code and fall for the phishing link it opens, warns the LKA Niedersachsen (Lower Saxony State Criminal Police Office).
---------------------------------------------
https://heise.de/-9825879
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libreoffice), Gentoo (containerd and firefox), Red Hat (httpd), SUSE (ca-certificates-mozilla, ksh, openssl-3-livepatches, podman, python-Twisted, and skopeo), and Ubuntu (imagemagick).
---------------------------------------------
https://lwn.net/Articles/984598/
∗∗∗ DSA-5737-1 libreoffice - security update ∗∗∗
---------------------------------------------
https://lists.debian.org/debian-security-announce/2024/msg00149.html
∗∗∗ DSA-5736-1 openjdk-11 - security update ∗∗∗
---------------------------------------------
https://lists.debian.org/debian-security-announce/2024/msg00148.html
∗∗∗ ZDI-24-1099: Apache OFBiz resolveURI Authentication Bypass Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-24-1099/
∗∗∗ Security Vulnerabilities fixed in Firefox 129 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2024-33/
=====================
= End-of-Day report =
=====================
Timeframe: Friday 02-08-2024 18:00 − Monday 05-08-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ StormBamboo Compromises ISP to Abuse Insecure Software Update Mechanisms ∗∗∗
---------------------------------------------
StormBamboo successfully compromised an internet service provider (ISP) in order to poison DNS responses for target organizations. Insecure software update mechanisms were targeted to surreptitiously install malware on victim machines running macOS and Windows.
---------------------------------------------
https://www.volexity.com/blog/2024/08/02/stormbamboo-compromises-isp-to-abu…
∗∗∗ Google Chrome warns uBlock Origin may soon be disabled ∗∗∗
---------------------------------------------
Google Chrome is now encouraging uBlock Origin users who have updated to the latest version to switch to other ad blockers before Manifest v2 extensions are disabled.
---------------------------------------------
https://www.bleepingcomputer.com/news/google/google-chrome-warns-ublock-ori…
∗∗∗ Security Tips for Modern Web Administrators ∗∗∗
---------------------------------------------
By understanding and implementing key security practices, you can significantly reduce the risk of attacks and ensure a safe experience for your users. Let’s break down some essential tips and strategies to enhance your website’s security.
---------------------------------------------
https://blog.sucuri.net/2024/08/security-tips-for-modern-web-administrators…
∗∗∗ Google gamed into advertising a malicious version of Authenticator ∗∗∗
---------------------------------------------
Scammers have been using Google's own ad system to fool people into downloading a borked copy of the Chocolate Factory's Authenticator software. A team at security shop Malwarebytes spotted the adverts, which appear to come from a Google approved domain – and from a verified user – earlier this week.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2024/08/05/security_in_…
∗∗∗ New SLUBStick Attack Makes Linux Kernel Vulnerabilities More Dangerous ∗∗∗
---------------------------------------------
A team of researchers from the Graz University of Technology in Austria has published a paper on SLUBStick, a new Linux kernel exploitation technique that can make heap vulnerabilities more dangerous.
---------------------------------------------
https://www.securityweek.com/new-slubstick-attack-makes-linux-kernel-vulner…
∗∗∗ Homebrew audit reveals security vulnerabilities – the team has closed most of them ∗∗∗
---------------------------------------------
An extensive security audit found vulnerabilities in the code and the CI/CD processes of the Homebrew package manager. Many, but not all, have been fixed.
---------------------------------------------
https://heise.de/-9822824
=====================
= Vulnerabilities =
=====================
∗∗∗ Critical vulnerability threatens Apache OFBiz enterprise software ∗∗∗
---------------------------------------------
Attackers can attack systems running Apache OFBiz and execute their own code. A hardened version is available for download. [..] Little information about the vulnerability (CVE-2024-38856) is available so far. A Seclists post indicates that authentication can fail in a way that lets attackers execute their own code.
---------------------------------------------
https://heise.de/-9824150
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (openjdk-11), Fedora (bind, bind-dyndb-ldap, chromium, ffmpeg, hostapd, trafficserver, and wpa_supplicant), and Ubuntu (curl and linux-oem-6.5).
---------------------------------------------
https://lwn.net/Articles/984552/
∗∗∗ Pimax Play and PiTool accept WebSocket connections from unintended endpoints ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN50850706/
∗∗∗ Helmholz: Multiple products are vulnerable to regreSSHion ∗∗∗
---------------------------------------------
https://certvde.com/de/advisories/VDE-2024-044/
∗∗∗ Red Lion Europe: Multiple products are vulnerable to regreSSHion ∗∗∗
---------------------------------------------
https://certvde.com/de/advisories/VDE-2024-042/
∗∗∗ RaspAP Security Update Advisory (CVE-2024-41637) ∗∗∗
---------------------------------------------
https://asec.ahnlab.com/en/82193/
∗∗∗ OpenAM Security Update Advisory (CVE-2024-41667) ∗∗∗
---------------------------------------------
https://asec.ahnlab.com/en/82194/
∗∗∗ GStreamer Product Security Update Advisory (CVE-2024-40897) ∗∗∗
---------------------------------------------
https://asec.ahnlab.com/en/82196/
∗∗∗ Roundcube: Security updates 1.6.8 and 1.5.8 released ∗∗∗
---------------------------------------------
https://roundcube.net/news/2024/08/04/security-updates-1.6.8-and-1.5.8
∗∗∗ F5: K000140505: Apache HTTPD vulnerability CVE-2024-38473 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000140505
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 01-08-2024 18:00 − Friday 02-08-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Tech support scam ring leader gets 7 years in prison, $6M fine ∗∗∗
---------------------------------------------
The leader of a tech support fraud scheme was sentenced to seven years in prison after tricking at least 6,500 victims and generating more than $6 million.
---------------------------------------------
https://www.bleepingcomputer.com/news/legal/tech-support-scam-ring-leader-g…
∗∗∗ A recent spate of Internet disruptions ∗∗∗
---------------------------------------------
Cloudflare Radar is constantly monitoring the Internet for widespread disruptions. Here we examine several recent noteworthy disruptions detected in the first month of Q3, including traffic anomalies observed in Bangladesh, Syria, Pakistan, and Venezuela
---------------------------------------------
https://blog.cloudflare.com/a-recent-spate-of-internet-disruptions-july-2024
∗∗∗ Leaked GitHub Python Token ∗∗∗
---------------------------------------------
Cybersecurity researchers from JFrog recently discovered a GitHub Personal Access Token in a public Docker container hosted on Docker Hub, which granted elevated access to the GitHub repositories of the Python language, Python Package Index (PyPI), and the Python Software Foundation (PSF). JFrog discussed what could ..
---------------------------------------------
https://www.schneier.com/blog/archives/2024/08/leaked-github-python-token.h…
∗∗∗ Mirai Botnet targeting OFBiz Servers Vulnerable to Directory Traversal ∗∗∗
---------------------------------------------
Enterprise Resource Planning (ERP) software is at the heart of many enterprises, supporting human resources, accounting, shipping, and manufacturing. These systems can become very complex and difficult to maintain. They are often highly customized, which ..
---------------------------------------------
https://thehackernews.com/2024/08/mirai-botnet-targeting-ofbiz-servers.html
∗∗∗ New Windows Backdoor BITSLOTH Exploits BITS for Stealthy Communication ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered a previously undocumented Windows backdoor that leverages a built-in feature called Background Intelligent Transfer Service (BITS) as a command-and-control (C2) mechanism. The newly identified malware ..
---------------------------------------------
https://thehackernews.com/2024/08/new-windows-backdoor-bitsloth-exploits.ht…
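The BITSLOTH item above describes BITS being used as a C2 channel; the check a defender wants is a quick triage of the BITS jobs present on a host. The following is an added example, not code from Elastic, The Hacker News or CERT.at. It assumes the jobs have been exported to JSON with something like `Get-BitsTransfer -AllUsers | ConvertTo-Json -Depth 3`; the property names (JobId, DisplayName, TransferType, JobState, OwnerAccount, NotifyCmdLine, FileList with RemoteName/LocalName) are real BitsJob properties, while the sample jobs, the allowlisted host suffixes and the "user-writable" directory list are constructed for this example and should be tuned per environment.

```python
"""Triage a BITS job export for C2/persistence indicators (added example)."""
import json
import sys
from urllib.parse import urlparse

# Constructed sample export; shape modelled on `Get-BitsTransfer -AllUsers | ConvertTo-Json`.
SAMPLE_EXPORT = json.dumps([
    {   # benign: Edge updater pulling from a Microsoft CDN host into Program Files
        "JobId": "2d5a4c1e-0000-4000-8000-000000000001",
        "DisplayName": "MicrosoftEdgeUpdate",
        "TransferType": "Download",
        "JobState": "Transferred",
        "OwnerAccount": "NT AUTHORITY\\SYSTEM",
        "NotifyCmdLine": None,
        "FileList": [{
            "RemoteName": "https://msedge.b.tlu.dl.delivery.mp.microsoft.com/pkg.cab",
            "LocalName": "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\pkg.cab",
        }],
    },
    {   # suspicious: cleartext HTTP to a bare IP, drops into AppData, runs a command on completion
        "JobId": "2d5a4c1e-0000-4000-8000-000000000002",
        "DisplayName": "WU Client Download",
        "TransferType": "Download",
        "JobState": "Suspended",
        "OwnerAccount": "CORP\\jdoe",
        "NotifyCmdLine": "C:\\Windows\\System32\\cmd.exe /c C:\\Users\\jdoe\\AppData\\Roaming\\svc\\run.bat",
        "FileList": [{
            "RemoteName": "http://203.0.113.10:8080/api/ping",
            "LocalName": "C:\\Users\\jdoe\\AppData\\Roaming\\svc\\out.bin",
        }],
    },
    {   # suspicious: upload job to the same non-allowlisted host
        "JobId": "2d5a4c1e-0000-4000-8000-000000000003",
        "DisplayName": "ProfileSync",
        "TransferType": "Upload",
        "JobState": "Transferring",
        "OwnerAccount": "CORP\\jdoe",
        "NotifyCmdLine": None,
        "FileList": [{
            "RemoteName": "http://203.0.113.10:8080/api/upload",
            "LocalName": "C:\\ProgramData\\cache\\q.dat",
        }],
    },
])

# Assumption: hosts this environment expects BITS to reach. Tune per organisation.
ALLOWED_HOST_SUFFIXES = ("microsoft.com", "windowsupdate.com", "windows.com", "office.net")
# Directories a low-privilege implant can write to; BITS writing here is worth a look.
USER_WRITABLE_DIRS = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")


def host_allowed(url):
    """True if the URL's host is one of the allowlisted domains or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in ALLOWED_HOST_SUFFIXES)


def triage_job(job):
    """Return the sorted list of indicators for one job (empty list = nothing notable)."""
    reasons = set()
    for f in job.get("FileList") or []:
        url = f.get("RemoteName") or ""
        if urlparse(url).scheme == "http":
            reasons.add("cleartext HTTP transfer")
        if not host_allowed(url):
            reasons.add("remote host not in allowlist: %s" % urlparse(url).hostname)
        local = (f.get("LocalName") or "").lower()
        if any(d in local for d in USER_WRITABLE_DIRS):
            reasons.add("local path in user-writable location: %s" % f.get("LocalName"))
    if job.get("NotifyCmdLine"):
        # SetNotifyCmdLine runs an arbitrary command when the job finishes:
        # the classic BITS persistence/execution primitive.
        reasons.add("NotifyCmdLine set: %s" % job["NotifyCmdLine"])
    if (job.get("TransferType") or "").lower().startswith("upload"):
        reasons.add("upload job (possible exfiltration or C2 response channel)")
    return sorted(reasons)


def triage_export(export_json):
    """Map JobId -> indicators for every job that has at least one."""
    jobs = json.loads(export_json)
    if isinstance(jobs, dict):      # ConvertTo-Json emits a bare object for a single job
        jobs = [jobs]
    findings = {}
    for job in jobs:
        reasons = triage_job(job)
        if reasons:
            findings[job["JobId"]] = reasons
    return findings


if __name__ == "__main__":
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    for job_id, reasons in triage_export(data).items():
        print(job_id)
        for r in reasons:
            print("  -", r)
```

Run it against an export file or with no arguments to see the constructed sample flagged. A legitimate job can trip one heuristic (third-party updaters often live on non-Microsoft hosts), so treat the list as a ranking for analyst review rather than a verdict; the combination of a non-allowlisted host, a user-writable drop path and a set NotifyCmdLine is the one that deserves immediate attention.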
∗∗∗ This Week in Security: Echospoofing, Ransomware Records, and Github Attestations ∗∗∗
---------------------------------------------
It’s a bit of bitter irony, when a security product gets used maliciously, to pull off the exact attack it was designed to prevent. Enter Proofpoint, and the ..
---------------------------------------------
https://hackaday.com/2024/08/02/this-week-in-security-echospoofing-ransomwa…
∗∗∗ Russia gets two serious criminal hackers back ∗∗∗
---------------------------------------------
Nobody is said to have ever caused financial harm to as many people as Roman Selesnew. Wladislaw Kljuschin, on the other hand, is regarded as Putin's trader and the terror of Wall Street.
---------------------------------------------
https://www.derstandard.at/story/3000000230914/russland-bekommt-zwei-schwer…
∗∗∗ China dismisses Germany’s accusations over cyberattack as ‘targeted defamation’ ∗∗∗
---------------------------------------------
Chinese officials on Thursday responded to accusations from Germany that it was behind an attack on the country’s state cartography agency, calling them “unfounded.”
---------------------------------------------
https://therecord.media/china-germany-cyberattack-unfounded
∗∗∗ White House officials meet with allies, industry on connected car risks ∗∗∗
---------------------------------------------
Leaders from the White House and State Department met with representatives from several major allied countries, the European Union and industry leaders Wednesday for what has been billed as the “first multinational meeting” to address the national security risks posed by connected cars.
---------------------------------------------
https://therecord.media/white-house-officials-meet-with-nations-industry-co…
∗∗∗ From Evidence to Advantage: Leveraging Incident Response Artifacts for Red Team Engagements ∗∗∗
---------------------------------------------
What is this blog post about? This blog post is about why incident responder artifacts play a role not only on the defensive but also on the offensive side of cyber security. We are going to look at some of the commonly collected evidence and how it can be valuable to us as red team operators. We ..
---------------------------------------------
https://blog.nviso.eu/2024/08/02/from-evidence-to-advantage-leveraging-inci…
∗∗∗ CISA Releases Software Acquisition Guide for Government Enterprise Consumers: Software Assurance in the Cyber-Supply Chain Risk Management (C-SCRM) Lifecycle ∗∗∗
---------------------------------------------
Today, the Cybersecurity and Infrastructure Security Agency (CISA) announced the release of its “Software Acquisition Guide for Government Enterprise Consumers: Software Assurance in the Cyber-Supply Chain ..
---------------------------------------------
https://www.cisa.gov/news-events/news/cisa-releases-software-acquisition-gu…
∗∗∗ Panamorfi: A New Discord DDoS Campaign ∗∗∗
---------------------------------------------
Aqua Nautilus researchers uncovered a new Distributed Denial of Service (DDoS) campaign dubbed 'Panamorfi'. Using mineping, a Java-based Minecraft DDoS package, the threat actor launches a DDoS. Thus far we've only seen it deployed via misconfigured Jupyter notebooks. In this blog we explain this attack, the techniques used by the threat actor and how to protect your environments.
---------------------------------------------
https://blog.aquasec.com/panamorfi-a-new-discord-ddos-campaign
∗∗∗ Unauthorised access to IT management solution Aruba ClearPass possible ∗∗∗
---------------------------------------------
The developers at HPE Aruba Networking have closed, among others, a critical security vulnerability in ClearPass Policy Manager.
---------------------------------------------
https://heise.de/-9821717
∗∗∗ Report: cybercriminals use Cloudflare tunnels to distribute malware ∗∗∗
---------------------------------------------
Previously unknown cybercriminals are using "TryCloudflare" to distribute malware unhindered, security researchers report.
---------------------------------------------
https://heise.de/-9821797
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (chromium), SUSE (docker and patch), and Ubuntu (bind9, gross, linux-azure, linux-azure-4.15, linux-lowlatency-hwe-6.5, and tomcat8, tomcat9).
---------------------------------------------
https://lwn.net/Articles/984370/
∗∗∗ ZDI-24-1042: NoMachine Uncontrolled Search Path Element Local Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-24-1042/
∗∗∗ ZDI-24-1041: Google Chrome Updater DosDevices Local Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-24-1041/
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 31-07-2024 18:00 − Thursday 01-08-2024 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Credit card users get mysterious shopify-charge.com charges ∗∗∗
---------------------------------------------
People worldwide report seeing mysterious $1 or $0 charges from Shopify-charge.com appearing on their credit card bills, even when they did not attempt to purchase anything. [..] BleepingComputer attempted to contact Shopify multiple times but did not receive a reply to our emails. [..] Shopify has recently suffered a third-party data breach at one of its vendors, leading many to think these charges may be related. However, the data exposed in that breach did not contain credit card or payment information.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/credit-card-users-get-myster…
∗∗∗ Onyx Sleet uses array of malware to gather intelligence [..] ∗∗∗
---------------------------------------------
First observed by Microsoft in 2014, Onyx Sleet has conducted cyber espionage through numerous campaigns aimed at global targets with the goal of intelligence gathering. More recently, it has expanded its goals to include financial gain. This threat actor operates with an extensive set of custom tools and malware, and regularly evolves its toolset to add new functionality and to evade detection, while keeping a fairly uniform attack pattern.
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2024/07/25/onyx-sleet-uses-ar…
∗∗∗ CrowdStrike Is Sued By Shareholders Over Huge Software Outage ∗∗∗
---------------------------------------------
Shareholders have sued CrowdStrike on Tuesday, claiming the cybersecurity company defrauded them by concealing how its inadequate software testing could cause the global software outage earlier this month that crashed millions of computers.
---------------------------------------------
https://yro.slashdot.org/story/24/07/31/2233234/crowdstrike-is-sued-by-shar…
∗∗∗ Hackers Distributing Malicious Python Packages via Popular Developer Q&A Platform ∗∗∗
---------------------------------------------
In yet another sign that threat actors are always looking out for new ways to trick users into downloading malware, it has come to light that the question-and-answer (Q&A) platform known as Stack Exchange has been abused to direct unsuspecting developers to bogus Python packages capable of draining their cryptocurrency wallets.
---------------------------------------------
https://thehackernews.com/2024/08/hackers-distributing-malicious-python.html
∗∗∗ Mozilla follows Google in losing trust in Entrust's TLS certificates ∗∗∗
---------------------------------------------
A little over a month ago, Google was the first to make the bold step of dropping Entrust as a CA, saying it noted a "pattern of concerning behaviors" from the company. Entrust has apologized to Google, Mozilla, and the wider web community, outlining its plans to regain the trust of browsers, but these appear to be unsatisfactory to both Google and Mozilla.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2024/08/01/mozilla_entr…
∗∗∗ Breaking Barriers and Assumptions: Techniques for Privilege Escalation on Windows: Part 3 ∗∗∗
---------------------------------------------
To wrap up this blog series we wanted to include one more technique that you can use when exploiting this class of vulnerabilities. This technique, introduced to us by Abdelhamid Naceri, becomes useful when you have an on-boot arbitrary delete primitive that you want to transform into an on-demand delete, so that you can escalate using the C:\Config.msi technique.
---------------------------------------------
https://www.thezdi.com/blog/2024/7/31/breaking-barriers-and-assumptions-tec…
∗∗∗ Detecting evolving threats: NetSupport RAT campaign ∗∗∗
---------------------------------------------
In this first Deep Dive with NTDR, we explore how defenders can leverage Snort for the detection of evasive malware threats.
---------------------------------------------
https://blog.talosintelligence.com/detecting-evolving-threats-netsupport-ra…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium), Fedora (kernel, obs-cef, and xen), Mageia (emacs), Oracle (freeradius, freeradius:3.0, and kernel), Red Hat (emacs, httpd, and kpatch-patch-4_18_0-305_120_1), Slackware (curl), SUSE (apache2, cockpit-wicked, glibc, gnutls, gvfs, less, nghttp2, opensc, python-idna, python-requests, qemu, rpm, tpm2-0-tss, tpm2.0-tools, and unbound), and Ubuntu (clickhouse, exim4, libcommons-collections3-java, linux, linux-aws, linux-kvm, linux-lts-xenial, mysql-8.0, openssl, php-cas, prometheus-alertmanager, and snapd).
---------------------------------------------
https://lwn.net/Articles/984212/
∗∗∗ CISA Releases Nine Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
Johnson Controls, AVTECH, Vonets, Rockwell
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/08/01/cisa-releases-nine-indus…
∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (July 22, 2024 to July 28, 2024) ∗∗∗
---------------------------------------------
https://www.wordfence.com/blog/2024/08/wordfence-intelligence-weekly-wordpr…
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 30-07-2024 18:00 − Wednesday 31-07-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Black Basta ransomware switches to more evasive custom malware ∗∗∗
---------------------------------------------
The Black Basta ransomware gang has shown resilience and an ability to adapt to a constantly shifting space, using new custom tools and tactics to evade detection and spread throughout a network.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/black-basta-ransomware-switc…
∗∗∗ Fraud ring pushes 600+ fake web shops via Facebook ads ∗∗∗
---------------------------------------------
A malicious fraud campaign dubbed "ERIAKOS" promotes more than 600 fake web shops through Facebook advertisements to steal visitors' personal and financial information.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fraud-ring-pushes-600-plus-f…
∗∗∗ Fight against cybercrime: Spamhaus Project accuses Cloudflare of inaction ∗∗∗
---------------------------------------------
According to Spamhaus, Cloudflare is "making life easy for itself" by passing on complaints about malicious activity instead of taking action itself.
---------------------------------------------
https://www.golem.de/news/kampf-gegen-cyberkriminalitaet-spamhaus-project-w…
∗∗∗ Apple Patches Everything. July 2024 Edition ∗∗∗
---------------------------------------------
Yesterday, Apple released patches across all of its operating systems. A standalone patch for Safari was released to address WebKit problems in older macOS versions. Apple does not provide CVSS scores or severity ratings. The ratings ..
---------------------------------------------
https://isc.sans.edu/forums/diary/Apple+Patches+Everything+July+2024+Editio…
∗∗∗ SYS01 Infostealer and Rilide Malware Likely Developed by the Same Threat Actor ∗∗∗
---------------------------------------------
Drawing on extensive proprietary research, Trustwave SpiderLabs believes the threat actors behind the Facebook malvertising infostealer SYS01 are the same group that developed the previously reported Rilide malware.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/sys01-infos…
∗∗∗ Five months after takedown, LockBit is a shadow of its former self ∗∗∗
---------------------------------------------
An unprecedented period for an unparalleled force in cybercrime. For roughly two years, LockBit's ransomware operation was by far the most prolific of its kind, until the fateful events of February. After claiming thousands of victims, extorting hundreds of millions of dollars, and building a robust army of sophisticated cybercriminals, the lifes ..
---------------------------------------------
https://www.theregister.com/2024/07/31/five_months_after_lockbit/
∗∗∗ ThreatLabz Ransomware Report: Unveiling a $75M Ransom Payout Amid Rising Attacks ∗∗∗
---------------------------------------------
Ransomware has been a daunting threat to organizations worldwide for decades. Recent trends show that ransomware attacks continue to grow more advanced and persistent. It’s become increasingly clear that no one is spared as cybercriminals carry out attacks that even target the children of corporate executives to force ransom payments. Despite the ..
---------------------------------------------
https://www.zscaler.com/blogs/security-research/threatlabz-ransomware-repor…
∗∗∗ Don’t Let Your Domain Name Become a “Sitting Duck” ∗∗∗
---------------------------------------------
More than a million domain names -- including many registered by Fortune 100 firms and brand protection companies -- are vulnerable to takeover by cybercriminals thanks to authentication weaknesses at a number of large web hosting providers and domain registrars, new research finds.
---------------------------------------------
https://krebsonsecurity.com/2024/07/dont-let-your-domain-name-become-a-sitt…
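The "Sitting Duck" item above is about takeover through weaknesses at hosting providers and registrars; the exposed configuration is a lame delegation, where the registrar-side NS records point at a DNS provider that no longer hosts the zone, so the nameserver answers REFUSED, SERVFAIL or a non-authoritative reply, and the provider then lets anyone claim the unclaimed zone. Only the first half of that condition can be tested from outside, and the following added example does exactly that with a raw SOA query built and parsed here using only the standard library. It is not code from Krebs on Security, the researchers behind the report, or CERT.at; the zone name and server addresses in the usage line are placeholders, and the response bytes used in the accompanying check are constructed.

```python
"""Detect lame delegation: does a delegated nameserver actually serve the zone? (added example)"""
import socket
import struct

QTYPE_SOA = 6
QCLASS_IN = 1
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def encode_name(name):
    """'example.com.' -> b'\\x07example\\x03com\\x00' (wire-format labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_soa_query(name, txid):
    """Non-recursive (RD=0) SOA query, as one would send straight to an authoritative server."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_SOA, QCLASS_IN)


def parse_header(data):
    """Return (txid, aa, rcode, ancount) from a DNS response header."""
    if len(data) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR=0)")
    return txid, bool(flags & 0x0400), flags & 0x000F, ancount


def classify(aa, rcode, ancount):
    """Decide whether a server that is delegated a zone actually serves it: (is_lame, label)."""
    if rcode in (2, 5):                       # SERVFAIL / REFUSED: zone not configured here
        return True, "lame: %s" % RCODE_NAMES[rcode]
    if rcode == 0 and aa and ancount > 0:
        return False, "authoritative"
    if rcode == 0 and not aa:
        return True, "lame: non-authoritative answer (referral/upward)"
    return True, "lame: %s aa=%d ancount=%d" % (RCODE_NAMES.get(rcode, rcode), aa, ancount)


def check_nameserver(ns_ip, zone, timeout=3.0, txid=0x2A2A):
    """Live check over UDP/IPv4: ask ns_ip for the zone's SOA. Returns (is_lame, label)."""
    query = build_soa_query(zone, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (ns_ip, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return True, "lame: no response"
    rid, aa, rcode, ancount = parse_header(data)
    if rid != txid:
        return True, "lame: transaction id mismatch"
    return classify(aa, rcode, ancount)


if __name__ == "__main__":
    import sys
    # usage: python lame_check.py example.com 192.0.2.53 198.51.100.53   (placeholders)
    zone, *servers = sys.argv[1:]
    for ip in servers:
        print(ip, *check_nameserver(ip, zone))
```

Resolve each NS name from the registrar's delegation (the parent zone, not your own provider) to its addresses and run the check against every one of them; a single lame server is enough exposure when the provider behind it allows zones to be claimed without proof of control. Whether a given provider does that is a policy question the query cannot answer, so a "lame" result is the prompt to either remove the stale NS record at the registrar or re-create the zone at the provider under your own account.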
∗∗∗ Germany summons Chinese ambassador over cyberattack ∗∗∗
---------------------------------------------
The attack took place in 2021 and, according to intelligence services, can be attributed to Chinese state actors.
---------------------------------------------
https://www.derstandard.at/story/3000000230669/deutschland-bestellt-chinesi…
∗∗∗ DigiCert Certificate Revocations ∗∗∗
---------------------------------------------
DigiCert, a certificate authority (CA) organization, is revoking a subset of transport layer security (TLS) certificates due to a non-compliance issue with domain control verification (DCV). Revocation of these certificates may cause temporary disruptions to websites, services, and applications relying on these certificates for secure ..
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/07/30/digicert-certificate-rev…
∗∗∗ Cyberattack and bug the cause of the Microsoft cloud outage of 30 July 2024 ∗∗∗
---------------------------------------------
On 30 July 2024 there was a partial outage of Microsoft cloud services (Azure, Microsoft 365, etc.) worldwide. I had reported on it, but not all users were affected. Microsoft has now published a post-incident report ..
---------------------------------------------
https://www.borncity.com/blog/2024/07/31/cyber-angriff-und-bug-ursache-des-…
∗∗∗ Modern slavery: man held for months and forced to commit online fraud ∗∗∗
---------------------------------------------
An IT specialist was tortured and forced for months to pose as a rich woman from Singapore, the Wall Street Journal reports.
---------------------------------------------
https://heise.de/-9818990
∗∗∗ Instead of "schalke04" and "1234": passkeys are becoming ever more popular ∗∗∗
---------------------------------------------
Passwordless authentication is becoming established, as current figures suggest. Customers of Amazon, eBay and others in particular now use passkeys.
---------------------------------------------
https://heise.de/-9819866
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (xdg-desktop-portal-hyprland), Red Hat (freeradius, freeradius:3.0, git-lfs, httpd, kernel, openssh, and varnish:6), SUSE (cdi-apiserver-container, cdi-cloner-container, cdi- controller-container, cdi-importer-container, cdi-operator-container, cdi- uploadproxy-container, cdi-uploadserver-container, cont, ..
---------------------------------------------
https://lwn.net/Articles/984080/
=====================
= End-of-Day report =
=====================
Timeframe: Monday 29-07-2024 18:00 − Tuesday 30-07-2024 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ New Specula tool uses Outlook for remote code execution in Windows ∗∗∗
---------------------------------------------
Microsoft Outlook can be turned into a C2 beacon to remotely execute code, as demonstrated by a new red team post-exploitation framework named "Specula," released today by cybersecurity firm TrustedSec.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-specula-tool-uses-outloo…
∗∗∗ DigiCert mass-revoking TLS certificates due to domain validation bug ∗∗∗
---------------------------------------------
DigiCert is warning that it will be mass-revoking SSL/TLS certificates due to a bug in how the company verified if a customer owned or operated a domain and requires impacted customers to reissue certificates within 24 hours.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/digicert-mass-revoking-tls-c…
∗∗∗ Post-CrowdStrike, Microsoft to discourage use of kernel drivers by security tools ∗∗∗
---------------------------------------------
Microsoft has vowed to reduce cybersecurity vendors' reliance on kernel-mode code, which was at the heart of the CrowdStrike super-snafu this month.
---------------------------------------------
https://www.theregister.com/2024/07/29/microsoft_crowdstrike_kernel_mode/
∗∗∗ Beware of sudden inheritances ∗∗∗
---------------------------------------------
An unknown person contacts you by e-mail or via social networks. They introduce themselves, for example, as the "Governor of the Bank of Thailand" and claim that you are going to inherit a large sum of money. To appear credible, the person sends copies of ID documents, certificates and AI-generated video messages as proof. Ignore such messages; they are fraud!
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-ploetzlichen-erbschafte…
∗∗∗ Deep Sea Phishing Pt. 2 ∗∗∗
---------------------------------------------
I wanted to write this blog about several good techniques for endpoint detection and response (EDR) evasion; however, as I was writing about how to evade EDRs, I was hit with an epiphany: “EDR evasion is all about looking like legitimate software” — ph3eds, 2024
---------------------------------------------
https://posts.specterops.io/deep-sea-phishing-pt-2-29c48f1e214e?source=rss-…
∗∗∗ Breaking Barriers and Assumptions: Techniques for Privilege Escalation on Windows: Part 1 ∗∗∗
---------------------------------------------
In this blog series, we will discuss two additional techniques that take advantage of legacy functionality within Windows and provide various examples through the over 20 vulnerabilities that we found. We will also address some failures despite efforts and explanations from our side with various vendors.
---------------------------------------------
https://www.thezdi.com/blog/2024/7/29/breaking-barriers-and-assumptions-tec…
∗∗∗ Hacker Scrapes and Publishes 100,000-Line CrowdStrike IoC List ∗∗∗
---------------------------------------------
USDoD hacker scrapes and leaks a 100,000-line Indicator of Compromise (IoC) list from CrowdStrike, revealing detailed threat intelligence data. The leak, posted on Breach Forums, includes critical insights into the Mispadu malware and SAMBASPIDER threat actor.
---------------------------------------------
https://hackread.com/hacker-scrapes-publishes-crowdstrike-ioc-list/
∗∗∗ Don't RegreSSH: An Anti-Pavlovian Approach to Celebrity Vulns ∗∗∗
---------------------------------------------
Before CrowdStrike caused the world to melt down for a few days, the talk of the security town was a recent OpenSSH vulnerability. Let's revisit CVE-2024-6387.
---------------------------------------------
https://www.bitsight.com/blog/dont-regressh-anti-pavlovian-approach-celebri…
=====================
= Vulnerabilities =
=====================
∗∗∗ Critical vulnerability in VMware ESXi - actively exploited - update available ∗∗∗
---------------------------------------------
Security researchers at Microsoft have discovered a critical vulnerability in VMware ESXi whose exploitation allows attackers to take full control of an affected hypervisor. The flaw is already being actively exploited in ransomware attacks. CVE number(s): CVE-2024-37085
---------------------------------------------
https://www.cert.at/de/warnungen/2024/7/kritische-sicherheitslucke-in-vmwar…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (curl), Mageia (virtualbox), Oracle (squid), Red Hat (kernel), SUSE (apache2, bind, cdi-apiserver-container, cdi-cloner-container, cdi-controller-container, cdi-importer-container, cdi-operator-container, cdi-uploadproxy-container, cdi-uploadserver-container, devscripts, espeak-ng, freerdp, ghostscript, gnome-shell, gtk2, gtk3, java-11-openjdk, java-17-openjdk, kubevirt, libgit2, openssl-3, orc, p7zip, python-dnspython, and shadow), and Ubuntu (kernel, linux, linux-aws, linux-aws-hwe, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux, linux-aws, linux-gcp, linux-gke, linux-ibm, linux-nvidia, linux-oem-6.8, linux-raspi, linux, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-raspi, linux-xilinx-zynqmp, linux-aws, linux-aws-5.4, linux-aws-5.15, linux-ibm, linux-ibm-5.15, linux-raspi, linux-gcp-5.15, and linux-lowlatency).
---------------------------------------------
https://lwn.net/Articles/983935/
∗∗∗ WordPress Vulnerability & Patch Roundup July 2024 ∗∗∗
---------------------------------------------
https://blog.sucuri.net/2024/07/wordpress-vulnerability-patch-roundup-july-…
∗∗∗ ManageEngine (Exchange Reporter Plus, Exchange Reporter Plus) Family July 2024 Security Update Advisory ∗∗∗
---------------------------------------------
https://asec.ahnlab.com/en/80826/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Friday 26-07-2024 18:00 − Monday 29-07-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ More than 3,000 hotels affected: API flaw lets attackers open hotel doors ∗∗∗
---------------------------------------------
In many hotels, guests can now check in via smartphone and open the doors of their booked rooms. An API vulnerability shows how quickly that can become a problem.
---------------------------------------------
https://www.golem.de/news/mehr-als-3-000-hotels-betroffen-api-luecke-laesst…
∗∗∗ Vulnerability: WhatsApp for Windows runs scripts without warning ∗∗∗
---------------------------------------------
WhatsApp normally blocks opening executable files directly from the chat. For Python and PHP scripts this is evidently not the case. [..] A patch is not to be expected for now, so users should remain vigilant.
---------------------------------------------
https://www.golem.de/news/sicherheitsluecke-whatsapp-fuer-windows-fuehrt-sk…
∗∗∗ Mandrake spyware sneaks onto Google Play again, flying under the radar for two years ∗∗∗
---------------------------------------------
Mandrake spyware threat actors resume attacks with new functionality targeting Android devices while being publicly available on Google Play.
---------------------------------------------
https://securelist.com/mandrake-apps-return-to-google-play/113147/
∗∗∗ Create Your Own BSOD: NotMyFault, (Sat, Jul 27th) ∗∗∗
---------------------------------------------
With all the Blue Screen Of Death screenshots we saw lately, I got the idea to write about Sysinternals' tool NotMyFault.
---------------------------------------------
https://isc.sans.edu/diary/rss/31120
∗∗∗ CrowdStrike Outage Themed Maldoc, (Mon, Jul 29th) ∗∗∗
---------------------------------------------
I found a malicious Word document with VBA code using the CrowdStrike outage for social engineering purposes. It's an .ASD file (AutoRecover file).
---------------------------------------------
https://isc.sans.edu/diary/rss/31116
∗∗∗ Proofpoint Email Routing Flaw Exploited to Send Millions of Spoofed Phishing Emails ∗∗∗
---------------------------------------------
An unknown threat actor has been linked to a massive scam campaign that exploited an email routing misconfiguration in email security vendor Proofpoint's defenses to send millions of messages spoofing various legitimate companies.
---------------------------------------------
https://thehackernews.com/2024/07/proofpoint-email-routing-flaw-exploited.h…
∗∗∗ Millions of Websites Susceptible to XSS Attack via OAuth Implementation Flaw ∗∗∗
---------------------------------------------
Researchers discovered and published details of an XSS attack that could potentially impact millions of websites around the world.
---------------------------------------------
https://www.securityweek.com/millions-of-websites-susceptible-xss-attack-vi…
∗∗∗ CISA Adds Three Known Exploited Vulnerabilities to Catalog ∗∗∗
---------------------------------------------
CVE-2024-4879 ServiceNow Improper Input Validation Vulnerability,
CVE-2024-5217 ServiceNow Incomplete List of Disallowed Inputs Vulnerability,
CVE-2023-45249 Acronis Cyber Infrastructure (ACI) Insecure Default Password Vulnerability
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/07/29/cisa-adds-three-known-ex…
∗∗∗ Attackers exploit code-execution flaw in Acronis Cyber Infrastructure ∗∗∗
---------------------------------------------
In several updated versions of Acronis Cyber Infrastructure, the developers have closed a critical vulnerability.
---------------------------------------------
https://heise.de/-9816667
=====================
= Vulnerabilities =
=====================
∗∗∗ Playback is enough: macOS flaw allows malicious-code attack via video ∗∗∗
---------------------------------------------
Playing a video in a browser or another application is enough to get infected with malware on macOS. The cause is a flaw in a video decoder.
---------------------------------------------
https://www.golem.de/news/wiedergabe-reicht-aus-macos-luecke-ermoeglicht-sc…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (java-11-openjdk), Debian (bind9), Fedora (darkhttpd, mod_http2, and python-scrapy), Red Hat (python3.11, rhc-worker-script, and thunderbird), SUSE (assimp, gh, opera, python-Django, and python-nltk), and Ubuntu (edk2, linux, linux-aws, linux-gcp, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-nvidia-6.5, linux-oracle, linux-raspi, and lua5.4).
---------------------------------------------
https://lwn.net/Articles/983816/
∗∗∗ Security update protects SolarWinds Platform against possible attacks ∗∗∗
---------------------------------------------
Attackers can target the IT management software SolarWinds Platform. The developers have closed several vulnerabilities. [..] The details for version 2024.2.1 show that one flaw (CVE-2022-37601) in webpack.js is rated "critical". It lets attackers execute their own code in a way that is not described in more detail.
---------------------------------------------
https://heise.de/-9816342
∗∗∗ ABB: 2024-07-26: Cyber Security Advisory - CODESYS OPC DA Server 3.5 Insecure storage of passwords ∗∗∗
---------------------------------------------
https://search.abb.com/library/Download.aspx?DocumentID=3ADR011267&Language…
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 25-07-2024 18:00 − Friday 26-07-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Alexander Riepl
=====================
= News =
=====================
∗∗∗ With a test key for Secure Boot: PC manufacturers ship insecure UEFI firmware ∗∗∗
---------------------------------------------
Reportedly almost 900 different systems from well-known manufacturers such as Lenovo, Dell and HP are affected. Vulnerable firmware versions go back as far as 2012.
---------------------------------------------
https://www.golem.de/news/mit-test-key-fuer-secure-boot-pc-hersteller-liefe…
∗∗∗ Researchers warn: data from deleted and private GitHub repos freely retrievable ∗∗∗
---------------------------------------------
GitHub repositories frequently contain sensitive data. Deleting a repo or setting it to private does not always protect it against access by third parties.
---------------------------------------------
https://www.golem.de/news/forscher-warnen-daten-aus-geloeschten-und-private…
∗∗∗ ExelaStealer Delivered "From Russia With Love" ∗∗∗
---------------------------------------------
Some simple PowerShell scripts might deliver nasty content if executed by the target. I found a very simple ..
---------------------------------------------
https://isc.sans.edu/diary/ExelaStealer+Delivered+From+Russia+With+Love/311…
∗∗∗ Ongoing Cyberattack Targets Exposed Selenium Grid Services for Crypto Mining ∗∗∗
---------------------------------------------
Cybersecurity researchers are sounding the alarm over an ongoing campaign that is leveraging internet-exposed Selenium Grid services for illicit cryptocurrency mining. Cloud security firm Wiz is tracking the activity under the name ..
---------------------------------------------
https://thehackernews.com/2024/07/ongoing-cyberattack-targets-exposed.html
∗∗∗ Numerous fake shops pose as Lidl ∗∗∗
---------------------------------------------
Criminals are currently registering numerous fake shops that misuse the name and logo of the discount supermarket chain Lidl. Victims are put under pressure with time-limited offers. But anyone who orders here loses their money and receives no goods.
---------------------------------------------
https://www.watchlist-internet.at/news/zahlreiche-fake-shops-geben-sich-als…
∗∗∗ Scam Attacks Taking Advantage of the Popularity of the Generative AI Wave ∗∗∗
---------------------------------------------
A direct correlation between GenAI’s explosive popularity and scam attacks is addressed in this article, using plentiful data and a case study of network abuse.
---------------------------------------------
https://unit42.paloaltonetworks.com/cybersquatting-using-genai-keywords/
∗∗∗ France launches large-scale operation to fight cyber spying ahead of Olympics ∗∗∗
---------------------------------------------
French authorities launched a major operation to clean the country’s computer systems of malware believed to have affected several thousand users, “particularly for espionage purposes,” Paris’s top prosecutor announced shortly before the start of the Olympics.
---------------------------------------------
https://therecord.media/france-combat-cyber-spying-operation-olympics
∗∗∗ LummaC2 Malware Abusing the Game Platform ‘Steam’ ∗∗∗
---------------------------------------------
LummaC2 is an Infostealer that is being actively distributed, disguised as illegal programs (e.g. cracks, keygens, and game hacking programs) available from distribution websites, YouTube, and LinkedIn using the SEO poisoning technique. Recently, it has also been distributed via search engine ads, posing as web pages of Notion, Slack, ..
---------------------------------------------
https://asec.ahnlab.com/en/68309/
∗∗∗ Another MEP targeted by cybercriminals ∗∗∗
---------------------------------------------
German MEP Daniel Freund (Greens) was the target of an attempted surveillance with the Candiru government spyware two weeks before the European elections.
---------------------------------------------
https://heise.de/-9813814
∗∗∗ Patch now! Attackers are targeting ServiceNow's Now Platform ∗∗∗
---------------------------------------------
ServiceNow's cloud computing platform is currently in the crosshairs of attackers, who are exploiting critical vulnerabilities.
---------------------------------------------
https://heise.de/-9814238
=====================
= Vulnerabilities =
=====================
∗∗∗ ORC vulnerable to stack-based buffer overflow ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN02030803/
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/983523/
∗∗∗ CVE-2024-6922: Automation Anywhere Automation 360 Server-Side Request Forgery ∗∗∗
---------------------------------------------
https://www.rapid7.com/blog/post/2024/07/26/cve-2024-6922-automation-anywhe…
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 24-07-2024 18:00 − Thursday 25-07-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ KnowBe4 mistakenly hires North Korean hacker, faces infostealer attack ∗∗∗
---------------------------------------------
American cybersecurity company KnowBe4 says a person it recently hired as a Principal Software Engineer turned out to be a North Korean state actor who attempted to install information-stealing malware on its devices.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/knowbe4-mistakenly-hires-nor…
∗∗∗ French police push PlugX malware self-destruct payload to clean PCs ∗∗∗
---------------------------------------------
The French police and Europol are pushing out a "disinfection solution" that automatically removes the PlugX malware from infected devices in France.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/french-police-push-plugx-mal…
∗∗∗ How a cheap barcode scanner helped fix CrowdStriked Windows PCs in a flash ∗∗∗
---------------------------------------------
Not long after Windows PCs and servers at the Australian limb of audit and tax advisory Grant Thornton started BSODing last Friday, senior systems engineer Rob Woltz remembered a small but important fact: When PCs boot, they consider barcode scanners no differently to keyboards.
---------------------------------------------
https://www.theregister.com/2024/07/25/crowdstrike_remediation_with_barcode…
∗∗∗ XWorm Hidden With Process Hollowing ∗∗∗
---------------------------------------------
XWorm is not a brand-new malware family. It's a common RAT (Remote Access Tool) reused regularly in new campaigns. Yesterday, I found a sample that behaves like a dropper and runs the malware using the Process Hollowing technique.
---------------------------------------------
https://isc.sans.edu/diary/rss/31112
∗∗∗ Criminals use fake profiles of financial experts to advertise fraudulent investment platforms ∗∗∗
---------------------------------------------
Austrian financial journalist and entrepreneur Niko Jilch runs various information channels on finance, investing and Bitcoin. Criminals are now also exploiting his reach and name recognition to lure private investors onto fraudulent investment platforms.
---------------------------------------------
https://www.watchlist-internet.at/news/kriminelle-werben-mit-fake-profilen-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Progress warns of critical RCE bug in Telerik Report Server ∗∗∗
---------------------------------------------
Progress Software has warned customers to patch a critical remote code execution security flaw in the Telerik Report Server that can be used to compromise vulnerable devices.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/progress-warns-of-critical-r…
∗∗∗ Containers attackable: Docker has to patch a critical vulnerability from 2019 again ∗∗∗
---------------------------------------------
Docker had long since closed the flaw. Only months later, however, the patch was dropped again. As a result, Docker Engine has been vulnerable for five years.
---------------------------------------------
https://www.golem.de/news/container-angreifbar-docker-muss-kritische-schwac…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (containernetworking-plugins, cups, edk2, httpd, httpd:2.4, libreoffice, libuv, libvirt, python3, and runc), Fedora (exim, python-zipp, xdg-desktop-portal-hyprland, and xmedcon), Red Hat (cups, fence-agents, freeradius, freeradius:3.0, httpd:2.4, kernel, kernel-rt, nodejs:18, podman, and resource-agents), Slackware (htdig and libxml2), SUSE (exim), and Ubuntu (ocsinventory-server, php-cas, and poppler).
---------------------------------------------
https://lwn.net/Articles/983328/
∗∗∗ Nvidia Patches High-Severity Vulnerabilities in AI, Networking Products ∗∗∗
---------------------------------------------
Nvidia has patched high-severity vulnerabilities in its Jetson, Mellanox OS, OnyX, Skyway, and MetroX products.
---------------------------------------------
https://www.securityweek.com/nvidia-patches-high-severity-vulnerabilities-i…
∗∗∗ Security updates: Aruba EdgeConnect SD-WAN attackable in multiple ways ∗∗∗
---------------------------------------------
HPE's developers have closed several dangerous vulnerabilities in Aruba's SD-WAN solution EdgeConnect.
---------------------------------------------
https://heise.de/-9813256
∗∗∗ Positron Broadcast Signal Processor ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-207-02
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 23-07-2024 18:00 − Wednesday 24-07-2024 18:00
Handler: Alexander Riepl
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ BreachForums v1 hacking forum data leak exposes members’ info ∗∗∗
---------------------------------------------
The private member information of the BreachForums v1 hacking forum from 2022 has been leaked online, allowing threat actors and researchers to gain insight into its users.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/breachforums-v1-hacking-foru…
∗∗∗ SocGholish: Fake update puts visitors at risk ∗∗∗
---------------------------------------------
The SocGholish downloader has been a favourite of several cybercrime groups since 2017. It delivers a payload that poses as a browser update. Like any piece of malware, it undergoes an evolutionary process. We have taken a look at the latest developments, which target WordPress-based websites.
---------------------------------------------
https://www.gdatasoftware.com/blog/2024/07/37976-socgholish-fake-update
∗∗∗ Update mishap at Microsoft: Windows update requires entering the BitLocker key ∗∗∗
---------------------------------------------
The latest security update for Windows 10, 11 and common Windows Server versions causes some systems to no longer boot without the BitLocker key.
---------------------------------------------
https://www.golem.de/news/update-panne-bei-microsoft-windows-update-erforde…
∗∗∗ NIS 2 Directive: cabinet adopts stricter rules for cybersecurity ∗∗∗
---------------------------------------------
Almost 30,000 companies in Germany will in future have to implement the security requirements of the NIS 2 Directive.
---------------------------------------------
https://www.golem.de/news/nis-2-richtlinie-kabinett-beschliesst-strengere-r…
∗∗∗ New Exploit Variation Against D-Link NAS Devices (CVE-2024-3273) ∗∗∗
---------------------------------------------
In April, an OS command injection vulnerability in various D-Link NAS devices was made public. The vulnerability, CVE-2024-3273, was exploited soon after it became public. Many of the affected devices are no longer supported.
---------------------------------------------
https://isc.sans.edu/diary/New+Exploit+Variation+Against+DLink+NAS+Devices+…
∗∗∗ Forget security – Google's reCAPTCHA v2 is exploiting users for profit ∗∗∗
---------------------------------------------
Web puzzles don't protect against bots, but humans have spent 819 million unpaid hours solving them. Google promotes its reCAPTCHA service as a security mechanism for websites, but researchers affiliated with the University of California, Irvine, argue it's harvesting information while extracting human ..
---------------------------------------------
https://www.theregister.com/2024/07/24/googles_recaptchav2_labor/
∗∗∗ A Hacker ‘Ghost’ Network Is Quietly Spreading Malware on GitHub ∗∗∗
---------------------------------------------
Cybersecurity researchers have spotted a 3,000-account network on GitHub that is manipulating the platform and spreading ransomware and info stealers.
---------------------------------------------
https://www.wired.com/story/github-malware-spreading-network-stargazer-gobl…
∗∗∗ Siemens Patches Power Grid Product Flaw Allowing Backdoor Deployment ∗∗∗
---------------------------------------------
Siemens has released out-of-band updates to patch two potentially serious vulnerabilities in products used in energy supply.
---------------------------------------------
https://www.securityweek.com/siemens-patches-power-grid-product-flaw-allowi…
∗∗∗ New legislation will help counter the cyber threat to our essential services ∗∗∗
---------------------------------------------
The announcement of the Cyber Security and Resilience Bill is a landmark moment in tackling the growing threat to the UK's critical systems.
---------------------------------------------
https://www.ncsc.gov.uk/blog-post/legislation-help-counter-cyber-threat-cni
∗∗∗ Malware Campaign Lures Users With Fake W2 Form ∗∗∗
---------------------------------------------
Rapid7 has recently observed an ongoing campaign targeting users searching for W2 forms using the Microsoft search engine Bing.
---------------------------------------------
https://www.rapid7.com/blog/post/2024/07/24/malware-campaign-lures-users-wi…
=====================
= Vulnerabilities =
=====================
∗∗∗ ISC Releases Security Advisories for BIND 9 ∗∗∗
---------------------------------------------
The Internet Systems Consortium (ISC) released security advisories to address vulnerabilities affecting multiple versions of ISC’s Berkeley Internet Name Domain (BIND) 9. A cyber threat actor could exploit one of these vulnerabilities to cause a denial-of-service condition.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/07/24/isc-releases-security-ad…
=====================
= End-of-Day report =
=====================
Timeframe: Monday 22-07-2024 18:00 − Tuesday 23-07-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ US committee summons CrowdStrike CEO to answer for IT outage ∗∗∗
---------------------------------------------
Millions of Windows PCs suddenly could no longer boot on Friday. The Homeland Security Committee of the US House of Representatives wants to know exactly how that happened.
---------------------------------------------
https://www.golem.de/news/us-ausschuss-laedt-ein-crowdstrike-ceo-soll-fuer-…
∗∗∗ Ukrainian Institutions Targeted Using HATVIBE and CHERRYSPY Malware ∗∗∗
---------------------------------------------
The Computer Emergency Response Team of Ukraine (CERT-UA) has alerted of a spear-phishing campaign targeting a scientific research institution in the country with malware known as HATVIBE and CHERRYSPY.
---------------------------------------------
https://thehackernews.com/2024/07/ukrainian-institutions-targeted-using.html
∗∗∗ Law Enforcement Disrupts DDoS-for-Hire Service DigitalStress ∗∗∗
---------------------------------------------
Authorities in the UK infiltrated and disrupted the DDoS-for-hire service DigitalStress, and one suspect was arrested.
---------------------------------------------
https://www.securityweek.com/law-enforcement-disrupts-ddos-for-hire-service…
∗∗∗ FrostyGoop ICS Malware Left Ukrainian City’s Residents Without Heating ∗∗∗
---------------------------------------------
The FrostyGoop ICS malware was used recently in an attack against a Ukrainian energy firm that resulted in loss of heating for many buildings.
---------------------------------------------
https://www.securityweek.com/frostygoop-ics-malware-left-ukrainian-citys-re…
∗∗∗ Criminals exploit worldwide IT outages for scams ∗∗∗
---------------------------------------------
Be careful if you receive calls or e-mails in the name of CrowdStrike or Microsoft. The worldwide IT outages caused by CrowdStrike are now being used by criminals as a pretext for various scams.
---------------------------------------------
https://www.watchlist-internet.at/news/kriminelle-nutzen-weltweite-it-ausfa…
∗∗∗ Beware of fake requests in the name of PORR ∗∗∗
---------------------------------------------
Criminals pose as the company PORR and send fraudulent e-mail requests. You are asked to submit a quote and to use the tender documents at www.ausschreibungen-porr.at. This link, however, leads to a fake OneDrive folder!
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-gefaelschten-anfragen-i…
∗∗∗ Vulnerabilities in LangChain Gen AI ∗∗∗
---------------------------------------------
This article is a detailed study of CVE-2023-46229 and CVE-2023-44467, two vulnerabilities discovered by our researchers affecting generative AI framework LangChain.
---------------------------------------------
https://unit42.paloaltonetworks.com/langchain-vulnerabilities/
∗∗∗ Daggerfly: Espionage Group Makes Major Update to Toolset ∗∗∗
---------------------------------------------
APT group appears to be using a shared framework to create Windows, Linux, macOS, and Android threats.
---------------------------------------------
https://symantec-enterprise-blogs.security.com/threat-intelligence/daggerfl…
∗∗∗ Learning from the Recent Windows/Falcon Sensor Outage: Causes and Potential Improvement Strategies in Linux Using Open Source Solutions ∗∗∗
---------------------------------------------
How can a configuration file crash an OS? Because the real issue is not the configuration file itself, but the kernel driver using it. Let’s take a quick, non-technical tour of the potential reasons behind this situation, how it is addressed in the Linux kernel, and what you as users or customers can do to avoid such issues.
---------------------------------------------
https://www.circl.lu/pub/learning-from-falcon-sensor-outage/
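The summary above turns on one point: a configuration file cannot crash anything by itself; the driver that trusts its contents does. As an added example (not code from the circl.lu article, from CrowdStrike or from any kernel), the C below parses a hypothetical fixed-layout "rule file" in two flavours: an unchecked parser that takes a field count from the file at face value and walks off the end of its own struct, next to a hardened one that validates magic, count and byte length before using any of them and fails closed. The file layout and the sample inputs are constructed for this illustration and are not real Falcon channel files.

```c
/* Added illustration (not code from the circl.lu article, CrowdStrike or any
 * kernel): a parser for a hypothetical fixed-layout "rule file" in two
 * flavours, showing how a configuration file crashes the component that
 * trusts it. File layout (invented for this example, little-endian):
 *   u32 magic   u32 field_count   u32 field[field_count]
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define RULE_MAGIC  0x52554c45u   /* "RULE" */
#define MAX_FIELDS  8

struct rule {
    uint32_t field_count;
    uint32_t fields[MAX_FIELDS];
};

enum parse_status {
    PARSE_OK = 0,
    PARSE_BAD_MAGIC,
    PARSE_TRUNCATED,
    PARSE_TOO_MANY_FIELDS
};

/* Explicit little-endian decode, so the result does not depend on host byte order. */
static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Unsafe variant: trusts field_count from the file and never consults len.
 * A count above MAX_FIELDS writes past 'fields'; a short buffer reads past
 * its end. In user space that is a crash or silent corruption; in a kernel
 * driver it is a bugcheck for the whole machine. Shown for contrast only;
 * never call it on untrusted input. */
int parse_rule_unchecked(const uint8_t *buf, size_t len, struct rule *out)
{
    (void)len;
    out->field_count = rd32le(buf + 4);
    for (uint32_t i = 0; i < out->field_count; i++)
        out->fields[i] = rd32le(buf + 8 + (size_t)i * 4);
    return PARSE_OK;
}

/* Hardened variant: every value taken from the file is validated before it
 * is used as a count, index or length, and the parser fails closed with an
 * error code instead of touching memory it should not. */
enum parse_status parse_rule(const uint8_t *buf, size_t len, struct rule *out)
{
    if (len < 8)
        return PARSE_TRUNCATED;
    if (rd32le(buf) != RULE_MAGIC)
        return PARSE_BAD_MAGIC;

    uint32_t count = rd32le(buf + 4);
    if (count > MAX_FIELDS)
        return PARSE_TOO_MANY_FIELDS;
    /* count <= MAX_FIELDS here, so this multiplication cannot overflow */
    if (len < 8 + (size_t)count * 4)
        return PARSE_TRUNCATED;

    out->field_count = count;
    for (uint32_t i = 0; i < count; i++)
        out->fields[i] = rd32le(buf + 8 + (size_t)i * 4);
    return PARSE_OK;
}

/* Constructed sample files for this example (not real Falcon channel files). */
static const uint8_t SAMPLE_OK[] =       /* magic, 2 fields: 0x11, 0x22 */
    { 0x45,0x4c,0x55,0x52, 0x02,0,0,0, 0x11,0,0,0, 0x22,0,0,0 };
static const uint8_t SAMPLE_SHORT[] =    /* claims 2 fields, carries only 1 */
    { 0x45,0x4c,0x55,0x52, 0x02,0,0,0, 0x11,0,0,0 };
static const uint8_t SAMPLE_HUGE[] =     /* claims 0x1000 fields */
    { 0x45,0x4c,0x55,0x52, 0x00,0x10,0,0 };
static const uint8_t SAMPLE_BADMAGIC[] =
    { 0x00,0x00,0x00,0x00, 0x01,0,0,0, 0x11,0,0,0 };

/* One-call helpers so the hardened parser's verdict on each sample can be
 * checked without building buffers at the call site. */
enum parse_status status_ok(void)       { struct rule r; return parse_rule(SAMPLE_OK, sizeof SAMPLE_OK, &r); }
enum parse_status status_short(void)    { struct rule r; return parse_rule(SAMPLE_SHORT, sizeof SAMPLE_SHORT, &r); }
enum parse_status status_huge(void)     { struct rule r; return parse_rule(SAMPLE_HUGE, sizeof SAMPLE_HUGE, &r); }
enum parse_status status_badmagic(void) { struct rule r; return parse_rule(SAMPLE_BADMAGIC, sizeof SAMPLE_BADMAGIC, &r); }
uint32_t second_field_ok(void)          { struct rule r = {0}; parse_rule(SAMPLE_OK, sizeof SAMPLE_OK, &r); return r.fields[1]; }

int main(void)
{
    printf("ok=%d short=%d huge=%d badmagic=%d second_field=0x%x\n",
           (int)status_ok(), (int)status_short(), (int)status_huge(),
           (int)status_badmagic(), (unsigned)second_field_ok());
    return 0;
}
```

Compile with any C99 compiler and run: the hardened parser returns an error for the short, oversized and bad-magic samples, exactly the inputs on which the unchecked one would read or write past its buffers. The order of operations is the whole lesson: validate every length, count and index taken from the file, then use it. Whether the consumer is a kernel driver or a user-space daemon decides only how bad the failure is when that order is reversed.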
∗∗∗ Exploiting CVE-2024-21412: A Stealer Campaign Unleashed ∗∗∗
---------------------------------------------
FortiGuard Labs has observed a stealer campaign spreading multiple files that exploit CVE-2024-21412 to download malicious executable files.
---------------------------------------------
https://www.fortinet.com/blog/threat-research/exploiting-cve-2024-21412-ste…
∗∗∗ Not like this: how a network operator manoeuvred itself into a total outage ∗∗∗
---------------------------------------------
For 26 hours, the customers of a large network operator were offline, and with them emergency calls, banks and checkout systems. Two years later it is becoming clear what went wrong.
---------------------------------------------
https://heise.de/-9808767
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (gtk3 and jpegxl), Red Hat (kpatch-patch and thunderbird), SUSE (apache2, git, gnome-shell, java-11-openjdk, java-21-openjdk, kernel, kernel-firmware, kernel-firmware-nvidia-gspx-G06, libgit2, mozilla-nss, nodejs20, python-Django, and python312), and Ubuntu (linux-aws, linux-aws, linux-aws-5.4, linux-iot, linux-aws-5.15, pymongo, and ruby-rack).
---------------------------------------------
https://lwn.net/Articles/982939/
∗∗∗ Software distribution system TeamCity remembers deleted access tokens ∗∗∗
---------------------------------------------
Attackers can exploit six now-closed vulnerabilities in JetBrains TeamCity.
---------------------------------------------
https://heise.de/-9810746
∗∗∗ 10,000 WordPress Sites Affected by High Severity Vulnerabilities in BookingPress WordPress Plugin ∗∗∗
---------------------------------------------
https://www.wordfence.com/blog/2024/07/10000-wordpress-sites-affected-by-hi…
∗∗∗ National Instruments IO Trace ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-205-01
∗∗∗ RADIUS Protocol Forgery Vulnerability (Blast-RADIUS) ∗∗∗
---------------------------------------------
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0014
∗∗∗ Hitachi Energy AFS/AFR Series Products ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-205-02
∗∗∗ National Instruments LabVIEW ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-205-03
=====================
= End-of-Day report =
=====================
Timeframe: Friday 19-07-2024 18:00 − Monday 22-07-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Attackers Abuse Swap File to Steal Credit Cards ∗∗∗
---------------------------------------------
Bad actors exploited the humble swap file to maintain a persistent credit card skimmer on a Magento e-commerce site. This clever tactic allowed the malware to survive multiple cleanup attempts.
---------------------------------------------
https://blog.sucuri.net/2024/07/attackers-abuse-swap-file-to-steal-credit-c…
∗∗∗ Cybercriminals Exploit CrowdStrike Update Mishap to Distribute Remcos RAT Malware ∗∗∗
---------------------------------------------
Cybersecurity firm CrowdStrike, which is facing the heat for causing worldwide IT disruptions by pushing out a flawed update to Windows devices, is now warning that threat actors are exploiting the situation to distribute Remcos RAT to its customers in Latin America under the guise of providing a hotfix.
---------------------------------------------
https://thehackernews.com/2024/07/cybercriminals-exploit-crowdstrike.html
∗∗∗ SocGholish Malware Exploits BOINC Project for Covert Cyberattacks ∗∗∗
---------------------------------------------
The JavaScript downloader malware known as SocGholish (aka FakeUpdates) is being used to deliver a remote access trojan called AsyncRAT as well as a legitimate open-source project called BOINC.
---------------------------------------------
https://thehackernews.com/2024/07/socgholish-malware-exploits-boinc.html
∗∗∗ PINEAPPLE and FLUXROOT Hacker Groups Abuse Google Cloud for Credential Phishing ∗∗∗
---------------------------------------------
A Latin America (LATAM)-based financially motivated actor codenamed FLUXROOT has been observed leveraging Google Cloud serverless projects to orchestrate credential phishing activity, highlighting the abuse of the cloud computing model for malicious purposes.
---------------------------------------------
https://thehackernews.com/2024/07/pineapple-and-fluxroot-hacker-groups.html
∗∗∗ From RA Group to RA World: Evolution of a Ransomware Group ∗∗∗
---------------------------------------------
Ransomware gang RA World rebranded from RA Group. We discuss their updated tactics from leak site changes to an analysis of their operational tools.
---------------------------------------------
https://unit42.paloaltonetworks.com/ra-world-ransomware-group-updates-tool-…
∗∗∗ Addressing CrowdStrike on Cloud VMs in AWS with Automated Remediation ∗∗∗
---------------------------------------------
Published guidance instructs administrators to reboot the machine in Safe Mode, delete a specific file, and reboot back to normal mode. Obviously, this isn’t a viable resolution on virtual machines hosted in the public cloud as there is no way to get to Safe Mode.
---------------------------------------------
https://orca.security/resources/blog/crowdstrike-cloud-vm-automated-remedia…
∗∗∗ CrowdStrike outages: Microsoft releases recovery tool ∗∗∗
---------------------------------------------
Microsoft has released an image for USB sticks that can be used to recover affected systems. Provided you have the BitLocker key.
---------------------------------------------
https://heise.de/-9808481
=====================
= Vulnerabilities =
=====================
∗∗∗ Telegram zero-day allowed sending malicious Android APKs as videos ∗∗∗
---------------------------------------------
A Telegram for Android zero-day vulnerability dubbed EvilVideo allowed attackers to send malicious Android APK payloads disguised as video files.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/telegram-zero-day-allowed-se…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (botan2, chromium, ffmpeg, fluent-bit, gtk3, httpd, suricata, tcpreplay, and thunderbird), Mageia (apache, chromium-browser-stable, libfm & libfm-qt, and thunderbird), Oracle (firefox, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-21-openjdk, kernel, libndp, qt5-qtbase, ruby, skopeo, thunderbird, and virt:ol and virt-devel:rhel), Red Hat (containernetworking-plugins, firefox, libndp, qt5-qtbase, and thunderbird), SUSE (caddy,[...]
---------------------------------------------
https://lwn.net/Articles/982845/
∗∗∗ Security updates: Attackers can knock out Sonicwall firewalls ∗∗∗
---------------------------------------------
Some Sonicwall firewalls are vulnerable. Attacks could be imminent.
---------------------------------------------
https://heise.de/-9808904
∗∗∗ BIOS vulnerability endangers countless HP PCs ∗∗∗
---------------------------------------------
Attackers can attack many HP desktop computers with malicious code.
---------------------------------------------
https://heise.de/-9809134
∗∗∗ SSA-071402 V1.0: Multiple Vulnerabilities in SICAM Products ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-071402.html
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 18-07-2024 18:00 − Friday 19-07-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Why numerous IT systems worldwide failed on 19 July 2024 due to two errors ∗∗∗
---------------------------------------------
On 19 July 2024 there were numerous disruptions to IT systems worldwide. Operations at airports came to a standstill, banks could no longer work, trains were cancelled, and companies sent their employees home (e.g. Tegut) because the IT systems no longer worked. It was not a cyberattack, however, but the simultaneous occurrence of two errors, independent of each other, which led to the failure of functions.
---------------------------------------------
https://www.borncity.com/blog/2024/07/19/wieso-weltweit-zahlreiche-it-syste…
∗∗∗ Recent Splunk Enterprise Vulnerability Easy to Exploit: Security Firm ∗∗∗
---------------------------------------------
SonicWall warns that a simple GET request is enough to exploit a recent Splunk Enterprise vulnerability.
---------------------------------------------
https://www.securityweek.com/recent-splunk-enterprise-vulnerability-easy-to…
∗∗∗ Fake SMS: "Your registration for the Unternehmensservice Portal ID is expiring" ∗∗∗
---------------------------------------------
Criminals are currently sending SMS messages to business owners, posing as the Unternehmensservice Portal (USP). It is claimed that the ID for the portal is expiring, as soon as tomorrow. In fact, the criminals are trying to get hold of your data.
---------------------------------------------
https://www.watchlist-internet.at/news/fake-sms-ihre-registrierung-fuer-die…
∗∗∗ HotPage: Story of a signed, vulnerable, ad-injecting driver ∗∗∗
---------------------------------------------
The analysis of this rather generic-looking piece of malware has proven, once again, that adware developers are still willing to go the extra mile to achieve their goals. Not only have they developed a kernel component with a large set of techniques to manipulate processes, but they also went through the requirements imposed by Microsoft to obtain a code-signing certificate for their driver component.
---------------------------------------------
https://www.welivesecurity.com/en/eset-research/hotpage-story-signed-vulner…
∗∗∗ Play Ransomware Group’s New Linux Variant Targets ESXi, Shows Ties With Prolific Puma ∗∗∗
---------------------------------------------
Trend Micro threat hunters discovered that the Play ransomware group has been deploying a new Linux variant that targets ESXi environments.
---------------------------------------------
https://www.trendmicro.com/en_us/research/24/g/new-play-ransomware-linux-va…
∗∗∗ APT41 Has Arisen From the DUST ∗∗∗
---------------------------------------------
In collaboration with Google’s Threat Analysis Group (TAG), Mandiant has observed a sustained campaign by the advanced persistent threat group APT41 targeting and successfully compromising multiple organizations operating within the global shipping and logistics, media and entertainment, technology, and automotive sectors. The majority of organizations were operating in Italy, Spain, Taiwan, Thailand, Turkey, and the United Kingdom.
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/apt41-arisen-from-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (firefox, java-1.8.0-openjdk, java-17-openjdk, java-21-openjdk, libndp, openssh, qt5-qtbase, ruby, skopeo, and thunderbird), Debian (thunderbird), Fedora (dotnet6.0, httpd, python-django, python-django4.2, qt6-qtbase, rapidjson, and ruby), Red Hat (389-ds-base, firefox, java-1.8.0-openjdk, java-11-openjdk, libndp, qt5-qtbase, and thunderbird), Slackware (httpd), SUSE (apache2, chromium, and kernel), and Ubuntu (apache2, linux-aws, linux-azure-fde, linux-azure-fde-5.15, linux-hwe-5.15, linux-aws-6.5, linux-lowlatency-hwe-6.5, linux-oracle-6.5, linux-starfive-6.5, and linux-raspi, linux-raspi-5.4).
---------------------------------------------
https://lwn.net/Articles/982559/
∗∗∗ SonicWall SMA100 NetExtender Windows Client Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
Vulnerability in SonicWall SMA100 NetExtender Windows (32 and 64-bit) client 10.2.339 and earlier versions allows an attacker to achieve arbitrary code execution when processing an EPC Client update. SonicWall strongly advises SSL VPN NetExtender client users to upgrade to the latest release version. IMPORTANT: This vulnerability does not affect SonicWall firewall (SonicOS) products. CVE: CVE-2024-29014
---------------------------------------------
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0011
∗∗∗ Atlassian Bamboo: Attackers can compromise development environments ∗∗∗
---------------------------------------------
Attacks on Atlassian Bamboo Data Center and Server are conceivable. Versions hardened against them have been released.
---------------------------------------------
https://heise.de/-9806185
∗∗∗ Loophole for malicious code in Ivanti Endpoint Manager closed ∗∗∗
---------------------------------------------
If the prerequisites are met, attacks on Ivanti Endpoint Manager are possible. A security patch provides a remedy. [..] In a post, the developers write that EPM 2024 flat is affected by the vulnerability (CVE-2024-37381, "high"). It is unclear whether other versions are also at risk. Later on they write that the security problem will be resolved in future EPM releases.
---------------------------------------------
https://heise.de/-9806384
∗∗∗ Bosch: "regreSSHion" OpenSSH vulnerability in PRC7000 ∗∗∗
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-258444.html
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 17-07-2024 18:00 − Thursday 18-07-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ SolarWinds fixes 8 critical bugs in access rights audit software ∗∗∗
---------------------------------------------
SolarWinds has fixed eight critical vulnerabilities in its Access Rights Manager (ARM) software, six of which allowed attackers to gain remote code execution (RCE) on vulnerable devices.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/solarwinds-fixes-8-critical-…
∗∗∗ Cisco vulnerability: Secure Email Gateway is secure above all, except against emails ∗∗∗
---------------------------------------------
An email with a specially crafted attachment is enough to infiltrate a vulnerable gateway and crash it or execute malicious code.
---------------------------------------------
https://www.golem.de/news/cisco-schwachstelle-secure-email-gateway-ist-vor-…
∗∗∗ Forensics tool Cellebrite: These are the smartphones the FBI can crack ∗∗∗
---------------------------------------------
The FBI recently cracked the smartphone of the Trump shooter. Leaked documents from Cellebrite show for which devices this is possible in principle.
---------------------------------------------
https://www.golem.de/news/forensik-tool-cellebrite-diese-smartphones-kann-d…
∗∗∗ Criminal Gang Physically Assaulting People for Their Cryptocurrency ∗∗∗
---------------------------------------------
This is pretty horrific: a group of men behind a violent crime spree designed to compel victims to hand over access to their cryptocurrency savings. That announcement and the criminal complaint laying out charges against St. Felix focused largely on a single theft of cryptocurrency from an elderly North Carolina couple, whose home ..
---------------------------------------------
https://www.schneier.com/blog/archives/2024/07/criminal-gang-physically-ass…
∗∗∗ SAP AI Core Vulnerabilities Expose Customer Data to Cyber Attacks ∗∗∗
---------------------------------------------
Cybersecurity researchers have uncovered security shortcomings in the SAP AI Core cloud-based platform for creating and deploying predictive artificial intelligence (AI) workflows that could be exploited to get hold of access tokens and customer data. The five vulnerabilities have been collectively dubbed SAPwned by cloud ..
---------------------------------------------
https://thehackernews.com/2024/07/sap-ai-core-vulnerabilities-expose.html
∗∗∗ TAG-100: New Threat Actor Uses Open-Source Tools for Widespread Attacks ∗∗∗
---------------------------------------------
Unknown threat actors have been observed leveraging open-source tools as part of a suspected cyber espionage campaign targeting global government and private sector organizations. Recorded Future's Insikt Group is tracking the activity ..
---------------------------------------------
https://thehackernews.com/2024/07/tag-100-new-threat-actor-uses-open.html
∗∗∗ Container Breakouts: Escape Techniques in Cloud Environments ∗∗∗
---------------------------------------------
Unit 42 researchers test container escape methods and possible impacts within a Kubernetes cluster using a containerd container runtime.
---------------------------------------------
https://unit42.paloaltonetworks.com/container-escape-techniques/
∗∗∗ Windows Patch Day follow-up: MSHTML 0-day vulnerability CVE-2024-38112 exploited by malware ∗∗∗
---------------------------------------------
Another small addendum to Microsoft's July 2024 Patch Day. With the security updates, Microsoft also closed an MSHTML spoofing vulnerability. There was information that this vulnerability (CVE-2024-38112) was being ..
---------------------------------------------
https://www.borncity.com/blog/2024/07/18/windows-patchday-nachlese-mshtml-0…
∗∗∗ FIN7 Cybercrime Gang Evolves with Ransomware and Hacking Tools ∗∗∗
---------------------------------------------
FIN7, a notorious cybercrime gang, is back with a new bag of tricks!
---------------------------------------------
https://hackread.com/fin7-cybercrime-gang-ransomware-hacking-tools/
∗∗∗ CISA Releases Playbook for Infrastructure Resilience Planning ∗∗∗
---------------------------------------------
Today, the Cybersecurity and Infrastructure Security Agency (CISA) released a companion guide to the Infrastructure Resilience Planning Framework (IRPF), which provides guidance on how local governments and the private sector can ..
---------------------------------------------
https://www.cisa.gov/news-events/news/cisa-releases-playbook-infrastructure…
∗∗∗ Critical Patch Update: Oracle's quarterly update delivers 386 security patches ∗∗∗
---------------------------------------------
Attackers can exploit critical vulnerabilities in, among others, Oracle HTTP Server or MySQL Cluster.
---------------------------------------------
https://heise.de/-9804741
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco Security Advisories 2024-07-18 ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/publicationListing.x
∗∗∗ Heap-based buffer overflow vulnerability in SonicOS IPSec VPN ∗∗∗
---------------------------------------------
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0012
∗∗∗ CVE-2024-5321 ∗∗∗
---------------------------------------------
https://github.com/kubernetes/kubernetes/issues/126161
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 16-07-2024 18:00 − Wednesday 17-07-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Scattered Spider Adopts RansomHub and Qilin Ransomware for Cyber Attacks ∗∗∗
---------------------------------------------
The infamous cybercrime group known as Scattered Spider has incorporated ransomware strains such as RansomHub and Qilin into its arsenal, Microsoft has revealed. Scattered Spider is the designation given to a threat actor that's known for its ..
---------------------------------------------
https://thehackernews.com/2024/07/scattered-spider-adopts-ransomhub-and.html
∗∗∗ Ransomware continues to pile on costs for critical infrastructure victims ∗∗∗
---------------------------------------------
Millions more spent without any improvement in recovery times. Costs associated with ransomware attacks on critical national infrastructure (CNI) organizations skyrocketed in the past year.
---------------------------------------------
https://www.theregister.com/2024/07/17/ransomware_continues_to_pile_on/
∗∗∗ Investment fraud: Beware of emails promising compensation ∗∗∗
---------------------------------------------
Have you lost money to investment fraud in the past? Beware: you are still in the crosshairs of criminals. They contact former victims claiming that their money has been found. Ignore such offers and do not respond to them, otherwise you will lose money again!
---------------------------------------------
https://www.watchlist-internet.at/news/anlagebetrug-vorsicht-vor-e-mails-mi…
∗∗∗ ‘GhostEmperor’ returns: Mysterious Chinese hacking group spotted for first time in two years ∗∗∗
---------------------------------------------
An elusive and highly covert Chinese hacking group tracked as GhostEmperor - notorious for its sophisticated supply-chain attacks targeting telecommunications and government entities in Southeast Asia - has been spotted for the first time in more than two years. And according to the researchers, the group has gotten even better at evading detection.
---------------------------------------------
https://therecord.media/ghostemperor-spotted-first-time-in-two-years
∗∗∗ Reverse proxy phishing attacks despite phishing protection ∗∗∗
---------------------------------------------
An increase in phishing and reverse proxy phishing attacks can be observed worldwide. Providers of security solutions have begun to implement more advanced detection methods. But is that enough to fend off determined and cunning attackers? Kuba Gretzky has, at the ..
---------------------------------------------
https://www.borncity.com/blog/2024/07/17/reverse-proxy-phishing-angriffe-an…
∗∗∗ Private HTS Program Continuously Used in Attacks ∗∗∗
---------------------------------------------
AhnLab Security Intelligence Center (ASEC) has previously covered a case where Quasar RAT was distributed through private home trading systems (HTS) in the blog post “Quasar RAT Being Distributed by Private HTS Program“. The same threat actor has been continuously distributing malware, and attack cases have been confirmed even recently. Similar to the previous ..
---------------------------------------------
https://asec.ahnlab.com/en/67969/
∗∗∗ Root vulnerability threatens AI gadget Rabbit R1 ∗∗∗
---------------------------------------------
Attackers can completely compromise the AI gadget Rabbit R1 via the Android exploit Kamakiri. So far there is no security patch.
---------------------------------------------
https://heise.de/-9803666
=====================
= Vulnerabilities =
=====================
∗∗∗ DSA-5731-1 linux - security update ∗∗∗
---------------------------------------------
https://lists.debian.org/debian-security-announce/2024/msg00142.html
∗∗∗ Oracle Critical Patch Update Advisory - July 2024 ∗∗∗
---------------------------------------------
https://www.oracle.com/security-alerts/cpujul2024.html
∗∗∗ Security Vulnerabilities fixed in Thunderbird 115.13 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2024-31/
∗∗∗ Security Vulnerabilities fixed in Thunderbird 128 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2024-32/
=====================
= End-of-Day report =
=====================
Timeframe: Monday 15-07-2024 18:00 − Tuesday 16-07-2024 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Two days after assassination attempt: FBI cracks smartphone of Trump shooter ∗∗∗
---------------------------------------------
An assassination attempt on Donald Trump caused a stir over the weekend. The FBI is now able to analyse the contents of the shooter's smartphone.
---------------------------------------------
https://www.golem.de/news/zwei-tage-nach-attentat-fbi-knackt-smartphone-des…
∗∗∗ "Reply-chain phishing" with a twist, (Tue, Jul 16th) ∗∗∗
---------------------------------------------
A few weeks ago, I was asked by a customer to take a look at a phishing message which contained a link that one of their employees clicked on. The concern was whether the linked-to site was only a generic credential stealing web page or something targeted/potentially more dangerous. Luckily, it was only a run-of-the-mill phishing kit login page; nevertheless, the e-mail message itself turned out to be somewhat more interesting, since although it didn’t look like anything special, it did make it to the recipient’s inbox, instead of the e-mail quarantine where it should have ended up.
---------------------------------------------
https://isc.sans.edu/diary/rss/31084
∗∗∗ Konfety Ad Fraud Uses 250+ Google Play Decoy Apps to Hide Malicious Twins ∗∗∗
---------------------------------------------
Details have emerged about a "massive ad fraud operation" that leverages hundreds of apps on the Google Play Store to perform a host of nefarious activities.
---------------------------------------------
https://thehackernews.com/2024/07/konfety-ad-fraud-uses-250-google-play.html
∗∗∗ DarkGate, the Swiss Army knife of malware, sees boom after rival Qbot crushed ∗∗∗
---------------------------------------------
Meet the new boss, same as the old boss. The DarkGate malware family has become more prevalent in recent months, after one of its main competitors was taken down by the FBI.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2024/07/16/darkgate_mal…
∗∗∗ Hackers Claim to Have Leaked 1.1 TB of Disney Slack Messages ∗∗∗
---------------------------------------------
A hacker group called “NullBulge” says it stole more than a terabyte of Disney's internal Slack messages and files from nearly 10,000 channels in an apparent protest over AI-generated art.
---------------------------------------------
https://www.wired.com/story/disney-slack-leak-nullbulge/
∗∗∗ Kaspersky Leaving US Following Government Ban ∗∗∗
---------------------------------------------
Kaspersky is shutting down operations in the US and laying off employees following the recent Commerce Department ban.
---------------------------------------------
https://www.securityweek.com/kaspersky-leaving-us-following-government-ban/
∗∗∗ Beware of BadPack: One Weird Trick Being Used Against Android Devices ∗∗∗
---------------------------------------------
Our data shows a pattern of APK malware bundled as BadPack files. We discuss how this technique is used to garble malicious Android files, creating challenges for analysts.
---------------------------------------------
https://unit42.paloaltonetworks.com/apk-badpack-malware-tampered-headers/
∗∗∗ Check Point Research Reports Highest Increase of Global Cyber Attacks seen in last two years – a 30% Increase in Q2 2024 Global Cyber Attacks ∗∗∗
---------------------------------------------
Check Point Research (CPR) releases new data on Q2 2024 cyber attack trends. The data is segmented by global volume, industry and geography. These cyber attack numbers were driven by a variety of reasons, ranging from the continued increase in digital transformation to the growing sophistication of cybercriminals using advanced techniques like AI and machine learning.
---------------------------------------------
https://blog.checkpoint.com/research/check-point-research-reports-highest-i…
∗∗∗ Punch Card Hacking – Exploring a Mainframe Attack Vector ∗∗∗
---------------------------------------------
Mainframes are the unseen workhorses that carry the load for many services we use on a daily basis: Withdrawing money from an ATM, credit card payments, and airline reservations to name just a few of the high volume workloads that are primarily handled by mainframes. [..] In this article, we demonstrate an entry level technique for penetration testers to get started using a different twist on a familiar technology to attack these computing giants.
---------------------------------------------
https://blog.nviso.eu/2024/07/16/punch-card-hacking-exploring-a-mainframe-a…
=====================
= Vulnerabilities =
=====================
∗∗∗ Xen Security Advisory CVE-2024-31144 / XSA-459 ∗∗∗
---------------------------------------------
If a fraudulent metadata backup has been written into an SR which also contains a legitimate metadata backup, and an administrator explicitly chooses to restore from backup, the fraudulent metadata might be consumed instead of the legitimate metadata.
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-459.html
∗∗∗ Xen Security Advisory CVE-2024-31143 / XSA-458 ∗∗∗
---------------------------------------------
Denial of Service (DoS) affecting the entire host, crashes, information leaks, or elevation of privilege all cannot be ruled out.
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-458.html
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (kernel), Fedora (erlang-jose, mingw-python-certifi, and yt-dlp), Mageia (firefox, nss, libreoffice, sendmail, and tomcat), Red Hat (firefox, ghostscript, git-lfs, kernel, kernel-rt, ruby, and skopeo), SUSE (Botan, cockpit, kernel, nodejs18, p7zip, python3, and tomcat), and Ubuntu (ghostscript, linux, linux-azure, linux-azure-5.15, linux-gcp, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-ibm, linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-nvidia, linux-oracle, linux-azure-6.5, linux-gcp-6.5, and linux-gke, linux-nvidia).
---------------------------------------------
https://lwn.net/Articles/982169/
∗∗∗ Rockwell Automation Pavilion 8 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-198-01
=====================
= End-of-Day report =
=====================
Timeframe: Friday 12-07-2024 18:00 − Monday 15-07-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ New sender address for our daily mails to network operators ∗∗∗
---------------------------------------------
Every day we send between 150 and 250 mails to our contacts at network operators in Austria to inform them about problems in their networks that we (or our data sources) have found there. [..] We have now decided to take the same path that many other companies have already taken: from now on, we no longer send these mails from team(a)cert.at as the sender, but from noreply(a)cert.at. [..] Genuine queries should still be directed to team(a)cert.at.
---------------------------------------------
https://www.cert.at/de/blog/2024/7/neuer-absender-fuer-notifications
∗∗∗ Uncoordinated Vulnerability Disclosure: The Continuing Issues with CVD ∗∗∗
---------------------------------------------
On patch Tuesday last week, Microsoft released an update for CVE-2024-38112, which they said was being exploited in the wild. We at the Trend Micro Zero Day Initiative (ZDI) agree with them because that’s what we told them back in May when we detected this exploit in the wild and reported it to Microsoft. However, you may notice that no one from Trend or ZDI was acknowledged by Microsoft. This case has become a microcosm of the problems with coordinated vulnerability disclosure (CVD) as vendors push for coordinated disclosure from researchers but rarely practice any coordination regarding the fix. This lack of transparency from vendors often leaves researchers who practice CVD with more questions than answers.
---------------------------------------------
https://www.thezdi.com/blog/2024/7/15/uncoordinated-vulnerability-disclosur…
∗∗∗ Microsoft Says Windows Not Impacted by regreSSHion as Second OpenSSH Bug Is Found ∗∗∗
---------------------------------------------
Microsoft confirmed last week that Windows is not affected by the vulnerability.
---------------------------------------------
https://www.securityweek.com/microsoft-says-windows-not-impacted-by-regress…
∗∗∗ ClickFix Deception: A Social Engineering Tactic to Deploy Malware ∗∗∗
---------------------------------------------
The HTML file masquerades as a Word document, displaying an error prompt to deceive users. [..] In a nutshell, clicking on the “How to fix” button triggers the execution of JavaScript code that copies the PowerShell script directly onto the clipboard. [..] Once the script is pasted and executed in the PowerShell terminal, it allows the malware to infiltrate the victim’s system, potentially leading to data theft, system compromise, or further propagation of the malware.
---------------------------------------------
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/clickfix-deception-a-s…
∗∗∗ DNS hijacks target crypto platforms registered with Squarespace ∗∗∗
---------------------------------------------
A wave of coordinated DNS hijacking attacks targets decentralized finance (DeFi) cryptocurrency domains using the Squarespace registrar, redirecting visitors to phishing sites hosting wallet drainers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/dns-hijacks-target-crypto-pl…
∗∗∗ June Windows Server updates break Microsoft 365 Defender features ∗∗∗
---------------------------------------------
Microsoft has confirmed that Windows Server updates from last month's Patch Tuesday break some Microsoft 365 Defender features that use the network data reporting service.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/june-windows-server-updates…
∗∗∗ Facebook ads for Windows desktop themes push info-stealing malware ∗∗∗
---------------------------------------------
Cybercriminals use Facebook business pages and advertisements to promote fake Windows themes that infect unsuspecting users with the SYS01 password-stealing malware. [..] While using Facebook advertisements to push information-stealing malware is not new, the social media platform's massive reach makes these campaigns a significant threat.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/facebook-ads-for-windows-the…
∗∗∗ Knot Resolver 6 News: DoS protection – operator’s overview ∗∗∗
---------------------------------------------
The team behind Knot Resolver, the scalable caching DNS resolver, is hard at work developing a complex solution for protecting DNS servers and other participants on the Internet alike against denial-of-service attacks. This effort is a part of the ongoing DNS4EU project, co-funded by the European Union, which we are a proud part of. [..] As usual with projects from CZ.NIC, all of this code is also free and open source under the GPL license, so everyone is free to study and adapt it for their own exciting purposes.
---------------------------------------------
https://en.blog.nic.cz/2024/07/15/knot-resolver-6-news-dos-protection-opera…
∗∗∗ 16-bit Hash Collisions in .xls Spreadsheets, (Sat, Jul 13th) ∗∗∗
---------------------------------------------
Since the hashing algorithm used for the protection of .xls files produces a 16-bit integer with its highest bit set, there are 32768 (0x8000) possible hash values (called verifier), and thus ample chance to generate hash collisions. I generated such a list, and included it in an update of my oledump plugin plugin_biff.py.
---------------------------------------------
https://isc.sans.edu/diary/rss/31066
∗∗∗ Protected OOXML Spreadsheets, (Mon, Jul 15th) ∗∗∗
---------------------------------------------
I was asked a question about the protection of an .xlsm spreadsheet [..]
---------------------------------------------
https://isc.sans.edu/diary/rss/31070
∗∗∗ CRYSTALRAY Hackers Infect Over 1,500 Victims Using Network Mapping Tool ∗∗∗
---------------------------------------------
A threat actor that was previously observed using an open-source network mapping tool has greatly expanded their operations to infect over 1,500 victims. Sysdig, which is tracking the cluster under the name CRYSTALRAY, said the activities have witnessed a tenfold surge, adding it includes "mass scanning, exploiting multiple vulnerabilities, and placing backdoors using multiple [open-source software] security tools."
---------------------------------------------
https://thehackernews.com/2024/07/crystalray-hackers-infect-over-1500.html
∗∗∗ CVE-2024-38112: Void Banshee Targets Windows Users Through Zombie Internet Explorer in Zero-Day Attacks ∗∗∗
---------------------------------------------
Our threat hunters discovered CVE-2024-38112, which was used as a zero-day by APT group Void Banshee, to access and execute files through the disabled Internet Explorer using MSHTML. We promptly identified and reported this zero-day vulnerability to Microsoft, and it has been patched.
---------------------------------------------
https://www.trendmicro.com/en_us/research/24/g/CVE-2024-38112-void-banshee.…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (cups, krb5, pgadmin4, python3.6, and yarnpkg), Mageia (freeradius, kernel, kmod-xtables-addons, kmod-virtualbox, and dwarves, kernel-linus, and squid), Red Hat (ghostscript, kernel, and less), SUSE (avahi, c-ares, cairo, cups, fdo-client, gdk-pixbuf, git, libarchive, openvswitch3, podman, polkit, python-black, python-Jinja2, python-urllib3, skopeo, squashfs, tiff, traceroute, and wget), and Ubuntu (linux, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-ibm, linux-ibm-5.4, linux-kvm).
---------------------------------------------
https://lwn.net/Articles/982029/
∗∗∗ Admin vulnerability threatens Palo Alto Networks migration tool Expedition ∗∗∗
---------------------------------------------
Various Palo Alto Networks cybersecurity products are vulnerable. Security updates are available.
---------------------------------------------
https://heise.de/-9800845
∗∗∗ Wireshark 4.2.6 Released, (Sun, Jul 14th) ∗∗∗
---------------------------------------------
https://isc.sans.edu/diary/rss/31068
∗∗∗ 2024-07-15: Cyber Security Advisory - Mint Workbench I Unquoted Service Path Enumeration ∗∗∗
---------------------------------------------
https://search.abb.com/library/Download.aspx?DocumentID=9AKK108469A7912&Lan…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 11-07-2024 18:00 − Friday 12-07-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ After social media drama: Signal patches a vulnerability known since 2018 ∗∗∗
---------------------------------------------
The vulnerability allows other applications to access Signal chats. The problem has been known for six years. Now a fix is finally supposed to arrive.
---------------------------------------------
https://www.golem.de/news/nach-social-media-drama-signal-patcht-seit-sechs-…
∗∗∗ Understanding SSH Honeypot Logs: Attackers Fingerprinting Honeypots ∗∗∗
---------------------------------------------
Some of the commands observed can be confusing for a novice looking at ssh honeypot logs. Sure, you have some obvious commands like "uname -a" to fingerprint the kernel. However, other commands are less intuitive and are not commands a normal user would use. I am trying to summarize some of the more common ones here, focusing on commands attackers use to figure out if they are inside a honeypot.
---------------------------------------------
https://isc.sans.edu/diary/Understanding+SSH+Honeypot+Logs+Attackers+Finger…
∗∗∗ 60 New Malicious Packages Uncovered in NuGet Supply Chain Attack ∗∗∗
---------------------------------------------
Threat actors have been observed publishing a new wave of malicious packages to the NuGet package manager as part of an ongoing campaign that began in August 2023, while also adding a new layer of stealth to evade detection. The fresh packages, about 60 in number and spanning 290 versions, demonstrate a refined approach from the ..
---------------------------------------------
https://thehackernews.com/2024/07/60-new-malicious-packages-uncovered-in.ht…
∗∗∗ Critical Exim Mail Server Vulnerability Exposes Millions to Malicious Attachments ∗∗∗
---------------------------------------------
A critical security issue has been disclosed in the Exim mail transfer agent that could enable threat actors to deliver malicious attachments to target users' inboxes. The vulnerability, tracked as CVE-2024-39929, has a CVSS ..
---------------------------------------------
https://thehackernews.com/2024/07/critical-exim-mail-server-vulnerability.h…
∗∗∗ Phone fraud: scam calls from lawyers in circulation ∗∗∗
---------------------------------------------
The fraudster spoofs the phone number of a reputable law firm in the area and calls the victim. During the call, the supposed lawyer poses as a real person who ..
---------------------------------------------
https://blog.zettasecure.com/telefonbetrug-scam-anruf-von-anwaelten-im-umla…
∗∗∗ AT&T was the victim of a huge hacking attack ∗∗∗
---------------------------------------------
Connection data of 109 million customers were downloaded by unknown attackers
---------------------------------------------
https://www.derstandard.at/story/3000000228237/att-wurde-opfer-eines-riesig…
∗∗∗ Apple sends new warning about mercenary spyware attacks to iPhone users. Should you worry now? ∗∗∗
---------------------------------------------
Though mercenary spyware attacks are rare and typically sent only to targeted individuals, Apple has alerted iPhone users about them for the second time this year.
---------------------------------------------
https://www.zdnet.com/article/apple-warns-of-mercenary-spyware-attacks-agai…
∗∗∗ mSpy: third hack since 2010 exposes millions of user records ∗∗∗
---------------------------------------------
As the saying goes, "all good things come in threes" – which rather does not apply here. The smartphone surveillance provider mSpy has once again attracted attention through a data leak caused by a hack (the third incident since 2010). A ..
---------------------------------------------
https://www.borncity.com/blog/2024/07/12/mspy-dritter-hack-seit-2010-legt-m…
∗∗∗ Checking in on the state of cybersecurity and the Olympics ∗∗∗
---------------------------------------------
Even if a threat actor isn’t successful in some widespread breach that makes international headlines, even smaller-scale threats and actors are just hoping to cause chaos.
---------------------------------------------
https://blog.talosintelligence.com/threat-source-newsletter-july-12-2024/
=====================
= Vulnerabilities =
=====================
∗∗∗ DSA-5729-1 apache2 - security update ∗∗∗
---------------------------------------------
Multiple vulnerabilities have been discovered in the Apache HTTP server, which may result in authentication bypass, execution of scripts in directories not directly reachable by any URL, server-side request forgery or denial of service.
---------------------------------------------
https://lists.debian.org/debian-security-announce/2024/msg00140.html
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 10-07-2024 18:00 − Thursday 11-07-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Data leak: millions of 2FA SMS messages were freely accessible online ∗∗∗
---------------------------------------------
The SMS messages discovered by the CCC apparently sat, alongside internal administrative and billing data, on an unsecured S3 instance belonging to a service provider.
---------------------------------------------
https://www.golem.de/news/datenleck-millionen-von-2fa-sms-standen-frei-zuga…
∗∗∗ You had a year to patch this Veeam flaw and now it's going to hurt ∗∗∗
---------------------------------------------
LockBit variant targets backup software - which you may remember is supposed to help you recover from ransomware. Yet another new ransomware gang, this one dubbed EstateRansomware, is exploiting a ..
---------------------------------------------
https://www.theregister.com/2024/07/11/estate_ransomware_veeam_bug/
∗∗∗ Warning: phishing attempts in the name of Bitpanda! ∗∗∗
---------------------------------------------
Phishing e-mails and SMS messages pretending to have been sent by the financial service provider BitPanda are currently circulating in increasing numbers. Do not hand over any personal data or codes, otherwise you give criminals access to your wallet!
---------------------------------------------
https://www.watchlist-internet.at/news/phishingversuche-bitpanda/
∗∗∗ An e-mail is enough: Outlook vulnerability gives attackers access to the system ∗∗∗
---------------------------------------------
Danger especially with mails from "trusted senders" – patch is available
---------------------------------------------
https://www.derstandard.at/story/3000000228006/e-mail-genuegt-outlook-lueck…
∗∗∗ Impact of data breaches is fueling scam campaigns ∗∗∗
---------------------------------------------
Data breaches have become one of the most crucial threats to organizations across the globe, and they’ve only become more prevalent and serious over time. A data breach occurs when unauthorized ..
---------------------------------------------
https://blog.talosintelligence.com/data-breaches-fueling-scam-campaigns/
∗∗∗ CISA and FBI Release Secure by Design Alert on Eliminating OS Command Injection Vulnerabilities ∗∗∗
---------------------------------------------
Today, CISA and FBI are releasing their newest Secure by Design Alert in the series, Eliminating OS Command Injection Vulnerabilities, in response to recent well-publicized threat actor campaigns that exploited OS command injection ..
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/07/10/cisa-and-fbi-release-sec…
=====================
= Vulnerabilities =
=====================
∗∗∗ DSA-5728-1 exim4 - security update ∗∗∗
---------------------------------------------
https://lists.debian.org/debian-security-announce/2024/msg00139.html
∗∗∗ DSA-5727-1 firefox-esr - security update ∗∗∗
---------------------------------------------
https://lists.debian.org/debian-security-announce/2024/msg00138.html
∗∗∗ 2024-07 Security Bulletin: Junos OS Evolved: Execution of a specific CLI command will cause a crash in the AFT manager (CVE-2024-39513) ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-07-Security-Bulletin-Junos…
∗∗∗ 2024-07 Security Bulletin: Junos OS and Junos OS Evolved: BGP multipath incremental calculation is resulting in an rpd crash (CVE-2024-39554) ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-07-Security-Bulletin-Junos…
∗∗∗ NetScaler Console, Agent and SDX Security Bulletin for CVE-2024-6235 and CVE-2024-6236 ∗∗∗
---------------------------------------------
https://support.citrix.com/article/CTX677998/netscaler-console-agent-and-sd…
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 09-07-2024 18:00 − Wednesday 10-07-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Ticket Heist network of 700 domains sells fake Olympic Games tickets ∗∗∗
---------------------------------------------
A large-scale fraud campaign with over 700 domain names is likely targeting Russian-speaking users looking to purchase tickets for the Summer Olympics in Paris.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ticket-heist-network-of-700-…
∗∗∗ In plain text: Linksys routers apparently send WLAN passwords to US servers ∗∗∗
---------------------------------------------
A consumer organisation tested two Linksys router models. Both apparently transmit sensitive data to a server in the USA. There is no patch so far.
---------------------------------------------
https://www.golem.de/news/im-klartext-linksys-router-senden-wohl-wlan-passw…
∗∗∗ Cyberattack hits IT group: 49 Fujitsu systems infected with malware ∗∗∗
---------------------------------------------
Cybercriminals succeeded in infiltrating internal Fujitsu systems. Customer data may also have been exfiltrated. The company does not provide many details, however.
---------------------------------------------
https://www.golem.de/news/cyberangriff-trifft-it-konzern-49-systeme-von-fuj…
∗∗∗ Finding Honeypot Data Clusters Using DBSCAN: Part 1 ∗∗∗
---------------------------------------------
Sometimes data needs to be transformed or different tools need to be used so that it can be compared with other data. Some honeypot data is easy to compare since there is no customized information such as randomly generated file names, IP addresses, etc.
---------------------------------------------
https://isc.sans.edu/diary/Finding+Honeypot+Data+Clusters+Using+DBSCAN+Part…
∗∗∗ Ransomware crews investing in custom data stealing malware ∗∗∗
---------------------------------------------
BlackByte, LockBit among the criminals using bespoke tools. As ransomware crews increasingly shift beyond just encrypting victims' files and demanding a payment to unlock them, instead swiping sensitive info straight away, some of the ..
---------------------------------------------
https://www.theregister.com/2024/07/10/ransomware_data_exfil_malware/
∗∗∗ Google Is Adding Passkey Support for Its Most Vulnerable Users ∗∗∗
---------------------------------------------
Google is bringing the password-killing “passkey” tech to its Advanced Protection Program users more than a year after rolling them out broadly.
---------------------------------------------
https://www.wired.com/story/google-passkey-advance-protection-program/
∗∗∗ Keep your eyes open when buying tickets ∗∗∗
---------------------------------------------
How fraudsters abuse popular ticket platforms for their sinister purposes
---------------------------------------------
https://www.welivesecurity.com/de/tipps-ratgeber/augen-auf-beim-ticketkauf/
∗∗∗ Largest Patch Tuesday in 3 months includes 5 critical vulnerabilities ∗∗∗
---------------------------------------------
This is the largest Patch Tuesday since April, when Microsoft patched 150 vulnerabilities.
---------------------------------------------
https://blog.talosintelligence.com/microsoft-patch-tuesday-july-2024/
∗∗∗ Inside the ransomware playbook: Analyzing attack chains and mapping common TTPs ∗∗∗
---------------------------------------------
Based on a comprehensive review of more than a dozen prominent ransomware groups, we identified several commonalities in TTPs, along with several notable differences and outliers.
---------------------------------------------
https://blog.talosintelligence.com/common-ransomware-actor-ttps-playbooks/
∗∗∗ Eldorado Ransomware Targeting Windows and Linux with New Malware ∗∗∗
---------------------------------------------
Another day, another threat against Windows and Linux systems!
---------------------------------------------
https://hackread.com/eldorado-ransomware-windows-linux-malware/
∗∗∗ CVE-2024-38021: Moniker RCE Vulnerability Uncovered in Microsoft Outlook ∗∗∗
---------------------------------------------
Morphisec researchers have identified a significant vulnerability, CVE-2024-38021 — a zero-click remote code execution (RCE) vulnerability that impacts most Microsoft Outlook applications.
---------------------------------------------
https://blog.morphisec.com/cve-2024-38021-microsoft-outlook-moniker-rce-vul…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (buildah, gvisor-tap-vsock, kernel-rt, libreswan, linux-firmware, pki-core, and podman), Fedora (firefox and jpegxl), Gentoo (Buildah, HarfBuzz, and LIVE555 Media Server), Oracle (buildah, gvisor-tap-vsock, kernel, libreswan, and podman), Red Hat (containernetworking-plugins, dotnet6.0, dotnet8.0, fence-agents, kernel, libreswan, libvirt, perl-HTTP-Tiny, python39:3.9, toolbox, and virt:rhel and virt-devel:rhel modules), SUSE (firefox,
---------------------------------------------
https://lwn.net/Articles/981508/
∗∗∗ [20240705] - Core - XSS in com_fields default field value ∗∗∗
---------------------------------------------
https://developer.joomla.org:443/security-centre/939-20240705-core-xss-in-c…
∗∗∗ [20240704] - Core - XSS in Wrapper extensions ∗∗∗
---------------------------------------------
https://developer.joomla.org:443/security-centre/938-20240704-core-xss-in-w…
=====================
= End-of-Day report =
=====================
Timeframe: Monday 08-07-2024 18:00 − Tuesday 09-07-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Alexander Riepl
=====================
= News =
=====================
∗∗∗ Trojanized jQuery Packages Found on npm, GitHub, and jsDelivr Code Repositories ∗∗∗
---------------------------------------------
Unknown threat actors have been found propagating trojanized versions of jQuery on npm, GitHub, and jsDelivr in what appears to be an instance of a "complex and persistent" supply chain ..
---------------------------------------------
https://thehackernews.com/2024/07/trojanized-jquery-packages-found-on-npm.h…
∗∗∗ Houthi rebels are operating their own GuardZoo spyware ∗∗∗
---------------------------------------------
Fairly low budget, unsophisticated malware, say researchers, but it can collect the same data as Pegasus ..
---------------------------------------------
https://www.theregister.com/2024/07/09/houthi_rebels_malware/
∗∗∗ People’s Republic of China (PRC) Ministry of State Security APT40 Tradecraft in Action ∗∗∗
---------------------------------------------
The following Advisory provides a sample of significant case studies of this adversary’s techniques in action against two victim networks. The case studies are consequential for cybersecurity practitioners to ..
---------------------------------------------
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-190a
∗∗∗ Vulnerability discovered in RADIUS protocol ∗∗∗
---------------------------------------------
On 9 July 2024, a vulnerability in the RADIUS protocol was published that allows an attacker to manipulate RADIUS server responses and thus gain unauthorized access.
---------------------------------------------
https://www.dfn.de/en/blastradius-newsmeldung/
∗∗∗ Exploring Compiled V8 JavaScript Usage in Malware ∗∗∗
---------------------------------------------
In this article, we give you a basic understanding of how V8 compiled code is used not just in regular apps but also for malicious purposes.
---------------------------------------------
https://research.checkpoint.com/2024/exploring-compiled-v8-javascript-usage…
∗∗∗ Microsoft’s cybersecurity dilemma: An open letter to Satya Nadella ∗∗∗
---------------------------------------------
Microsoft is suffering cybersecurity failures due to systemic problems with strategic leadership. The world is witnessing an alarming trend of cybersecurity issues with Microsoft products and services. Over the past ..
---------------------------------------------
https://www.helpnetsecurity.com/2024/07/09/microsoft-cybersecurity-dilemma/
∗∗∗ Employees want to change their salary account? Beware of fraud! ∗∗∗
---------------------------------------------
Criminals are currently targeting your employees' wage payments. They contact the responsible department of your company by e-mail and try to get the IBAN used for receiving salaries changed. If the fraud succeeds, the money ends up in the criminals' pockets and is only noticed when the salary payment never reaches the person actually employed.
---------------------------------------------
https://www.watchlist-internet.at/news/gehaltskonto-aendern-betrug/
∗∗∗ "I was only looking .. (until a better opportunity comes along)!" ∗∗∗
---------------------------------------------
Attacks with (supposedly) hacktivist motivation have become a permanent part of the digital background noise. This has not only been the case since the beginning of the Russian war of aggression against Ukraine, but the number of attacks by threat actors who, in the spirit of their "cause", for one of the sides within ..
---------------------------------------------
https://www.cert.at/de/blog/2024/7/industriesteueranlagen-und-fernwartung-d…
∗∗∗ Amazon Prime Day: beware of phishing and fake Amazon websites ∗∗∗
---------------------------------------------
More than 1,230 new Amazon-related domains were registered in June 2024, 85 percent of which are classified as malicious or suspicious.
---------------------------------------------
https://www.zdnet.de/88416929/amazon-prime-day-vorsicht-vor-phishing-und-fa…
∗∗∗ New group exploits public cloud services to spy on Russian agencies, Kaspersky says ∗∗∗
---------------------------------------------
Researchers say they have discovered a new hacker group, dubbed CloudSorcerer, that uses “a sophisticated cyberespionage tool” to steal data from Russian government agencies.
---------------------------------------------
https://therecord.media/cloudsorcerer-apt-kaspersky-research
∗∗∗ WordPress plug-in with 150,000 installations allows arbitrary file uploads ∗∗∗
---------------------------------------------
A security vulnerability has been discovered in a WordPress plug-in with 150,000 installations that allows uploading arbitrary files.
---------------------------------------------
https://heise.de/-9794927
∗∗∗ Ransomware: decryption tool published for Muse, DarkRace and DoNex ∗∗∗
---------------------------------------------
Victims of the Muse, DarkRace and DoNex ransomware can now regain access to their data without paying a ransom.
---------------------------------------------
https://heise.de/-9795098
∗∗∗ Patch day: SAP hardens enterprise software against potential attacks ∗∗∗
---------------------------------------------
Important security updates have been released, among others for SAP Commerce and NetWeaver.
---------------------------------------------
https://heise.de/-9795171
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (virt:rhel and virt-devel:rhel), Fedora (ghostscript, golang, httpd, libnbd, netatalk, rust-sequoia-chameleon-gnupg, rust-sequoia-gpg-agent, rust-sequoia-keystore, rust-sequoia-openpgp, and rust-sequoia-sq), Mageia (apache), Red Hat (booth, buildah, edk2, fence-agents, git, gvisor-tap-vsock, kernel, kernel-rt, less, libreswan, linux-firmware, openssh, pki-core, podman, postgresql-jdbc, python3, tpm2-tss, virt:rhel, and virt:rhel and virt-devel:rhel
---------------------------------------------
https://lwn.net/Articles/981285/
∗∗∗ Another OpenSSH remote code execution vulnerability ∗∗∗
---------------------------------------------
https://lwn.net/Articles/981287/
∗∗∗ Security Vulnerabilities fixed in Firefox ESR 115.13 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2024-30/
∗∗∗ Security Vulnerabilities fixed in Firefox 128 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2024-29/
=====================
= End-of-Day report =
=====================
Timeframe: Friday 05-07-2024 18:00 − Monday 08-07-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Almost 10 billion passwords: gigantic password leak raises questions ∗∗∗
---------------------------------------------
A password list of almost 50 GB named Rockyou2024 has surfaced on a hacker forum. [..] However, the substantial security risk that some media outlets are warning about does not appear to stem from Rockyou2024. [..] "Sorry, nothing to see here. This is just low-grade garbage – both the 'leaked' file and the reporting about it", is Karlslund's conclusion.
---------------------------------------------
https://www.golem.de/news/fast-10-milliarden-passwoerter-gigantischer-passw…
∗∗∗ After cyberattack: Microsoft warning e-mail lands in spam for many customers ∗∗∗
---------------------------------------------
Since June, Microsoft has been informing affected customers about e-mails exfiltrated in a cyberattack. Apparently this is not yet going entirely smoothly. [..] "Check your e-mail logs (including Exchange Online) for an e-mail from mbsupport(a)microsoft.com", the researcher warns.
---------------------------------------------
https://www.golem.de/news/nach-cyberangriff-warnmail-von-microsoft-landet-b…
∗∗∗ After cyberattack: hackers extort Ticketmaster and give away tickets ∗∗∗
---------------------------------------------
The attackers claim to have captured ticket barcodes with a total value of more than 22 billion US dollars. Some for Taylor Swift concerts are already online.
---------------------------------------------
https://www.golem.de/news/nach-cyberangriff-hacker-erpressen-ticketmaster-u…
∗∗∗ Booking.com: request to reconfirm a booking is fraud ∗∗∗
---------------------------------------------
Be careful if, despite a confirmed booking, you are asked in booking.com's messaging portal to confirm the booking again. Behind this are criminals who have gained access to the hotel's booking system. Do not click the link and do not reply!
---------------------------------------------
https://www.watchlist-internet.at/news/bookingcom-aufforderung-zur-erneuten…
∗∗∗ Malicious code attacks on Toshiba and Sharp multifunction printers possible ∗∗∗
---------------------------------------------
Attackers can target hundreds of Toshiba and Sharp multifunction printers. Security updates are available. [..] Toshiba already published information on the vulnerabilities and affected models in mid-June 2024. The security researcher only recently published his findings.
---------------------------------------------
https://heise.de/-9793179
∗∗∗ Kunai: Keep an Eye on your Linux Hosts Activity, (Mon, Jul 8th) ∗∗∗
---------------------------------------------
Last week, I attended « Pass The Salt », a conference focussing on open-source software and cybersecurity. I participated in a very interesting workshop about « Kunai ». This tool, developed by Quentin Jérôme from CIRCL (the Luxembourg CERT) aims to replace SysmonForLinux. Its goal is to record and log system activity but in a more «Linux-oriented» flavor. It was presented for the first time at hack.lu in 2023 and it now reaches enough maturity to be tested and deployed on some Linux hosts.
---------------------------------------------
https://isc.sans.edu/diary/rss/31054
∗∗∗ Polyfill[.]io Attack Impacts Over 380,000 Hosts, Including Major Companies ∗∗∗
---------------------------------------------
The supply chain attack targeting the widely-used Polyfill[.]io JavaScript library is broader in scope than previously thought, with new findings from Censys showing that over 380,000 hosts are embedding a polyfill script linking to the malicious domain as of July 2, 2024. [..] "Approximately 237,700, are located within the Hetzner network (AS24940), primarily in Germany," it noted. "This is not surprising – Hetzner is a popular web hosting service, and many website developers leverage it."
---------------------------------------------
https://thehackernews.com/2024/07/polyfillio-attack-impacts-over-380000.html
∗∗∗ Tool: AtomDucky ∗∗∗
---------------------------------------------
Atom Ducky is a HID device controlled through a web browser. It's designed to function as a wirelessly operated Rubber Ducky, personal authenticator, or casual keyboard. Its primary aim is to help ethical hackers gain knowledge about Rubber Ducky devices while integrating their use into everyday life.
---------------------------------------------
https://www.reddit.com/r/netsec/comments/1drhkc0/atom_ducky_wifi_rubber_duc…
∗∗∗ Shelltorch Explained: Multiple Vulnerabilities in Pytorch Model Server (Torchserve) (CVSS 9.9, CVSS 9.8) Walkthrough ∗∗∗
---------------------------------------------
In July 2023, the Oligo Research Team disclosed multiple new critical vulnerabilities to Pytorch maintainers Amazon and Meta, including CVE-2023-43654 (CVSS 9.8). [..] Want the deep dive, full story with technical walkthrough for the PyTorch (TorchServe) ShellTorch vulnerabilities CVE-2023-43654 (CVSS: 9.8) and CVE-2022-1471 (CVSS: 9.9)? You’re in the right place.
---------------------------------------------
https://www.oligo.security/blog/shelltorch-explained-multiple-vulnerabiliti…
∗∗∗ Kimsuky Group’s New Backdoor (HappyDoor) ∗∗∗
---------------------------------------------
This report is a summarized version of “Analysis Report of Kimsuky Group’s HappyDoor Malware” introduced in AhnLab Threat Intelligence Platform (TIP), containing key information for analyzing breaches. The report in AhnLab TIP includes details on encoding & encryption methods, packet structure, and more in addition to the characteristics and features of the malware.
---------------------------------------------
https://asec.ahnlab.com/en/67660/
∗∗∗ The Current State of Browser Cookies ∗∗∗
---------------------------------------------
Well, almost every other website uses cookies. According to W3Techs, as of June 24, 2024, 41.3% of all websites use cookies with some of the most prominent providers included in that list, such as Google, Facebook, Microsoft and Apple. [..] Although cookies are being used to save sensitive data, they are still stored in a way that enables attackers to leak them easily and use them for malicious purposes.
---------------------------------------------
https://www.cyberark.com/resources/threat-research-blog/the-current-state-o…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (openssh), Debian (krb5), Fedora (yt-dlp), Gentoo (firefox, KDE Plasma Workspaces, Stellarium, thunderbird, and X.Org X11 library), Mageia (python-js2py and znc), Oracle (389-ds, c-ares, container-tools, cups, go-toolset, httpd:2.4/httpd, iperf3, kernel, less, libreoffice, libuv, nghttp2, openldap, openssh, python-idna, python-jinja2, python-pillow, python3, python3.11-PyMySQL, and xmlrpc-c), Red Hat (kernel, kernel-rt, openssh, and virt:rhel and virt-devel:rhel modules), and SUSE (go1.21, go1.22, krb5, kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t, netty3, opera, and python-urllib3).
---------------------------------------------
https://lwn.net/Articles/981119/
∗∗∗ Mastodon: security vulnerability allows unauthorized access to posts ∗∗∗
---------------------------------------------
New versions of the Mastodon server software close a security vulnerability rated high-risk. Attackers can gain unauthorized access to posts. [..] The bug reportedly occurs from Mastodon 2.6.0 onwards. The developers have released versions Mastodon 4.2.10 and 4.1.18. [..] According to the security notice, the Mastodon developers intend to publish further details on Monday of next week, 15 July.
---------------------------------------------
https://heise.de/-9792706
∗∗∗ Mattermost security updates 9.9.1 / 9.8.2 / 9.7.6 / 9.5.7 (ESR) released ∗∗∗
---------------------------------------------
https://mattermost.com/blog/mattermost-security-updates-9-9-1-9-8-2-9-7-6-9…
∗∗∗ MSI Center: vulnerability CVE-2024-37726 allows SYSTEM privileges ∗∗∗
---------------------------------------------
https://www.borncity.com/blog/2024/07/06/msi-center-schwachstelle-cve-2024-…
∗∗∗ K000140257: OpenSSL vulnerability CVE-2024-4741 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000140257
∗∗∗ Vulnerability Summary for the Week of July 1, 2024 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/bulletins/sb24-190
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 04-07-2024 18:00 − Friday 05-07-2024 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ New Eldorado ransomware targets Windows, VMware ESXi VMs ∗∗∗
---------------------------------------------
A new ransomware-as-a-service (RaaS) called Eldorado emerged in March and comes with locker variants for VMware ESXi and Windows.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-eldorado-ransomware-targ…
∗∗∗ Turla: A Master’s Art of Evasion ∗∗∗
---------------------------------------------
Turla, a well-known piece of malware, has taken to weaponising LNK-files to infect computers. We have observed a current example of this.
---------------------------------------------
https://www.gdatasoftware.com/blog/2024/07/37977-turla-evasion-lnk-files
∗∗∗ New Golang-Based Zergeca Botnet Capable of Powerful DDoS Attacks ∗∗∗
---------------------------------------------
Cybersecurity researchers have uncovered a new botnet called Zergeca that's capable of conducting distributed denial-of-service (DDoS) attacks. Written in Golang, the botnet is so named for its reference to a string named "ootheca" present in the command-and-control (C2) servers ("ootheca[.]pw" and "ootheca[.]top").
---------------------------------------------
https://thehackernews.com/2024/07/new-golang-based-zergeca-botnet-capable.h…
∗∗∗ Latest Ghostscript vulnerability haunts experts as the next big breach enabler ∗∗∗
---------------------------------------------
There's also chatter about whether the medium-severity scare is actually a code-red nightmare. Infosec circles are awash with chatter about a vulnerability in Ghostscript some experts believe could be the cause of several major breaches in the coming months.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2024/07/05/ghostscript_…
∗∗∗ Binance customers beware: SMS about a login attempt is fake ∗∗∗
---------------------------------------------
We are currently receiving reports of an SMS in the name of the trading platform Binance: there has allegedly been a login attempt from Malta or another country, and a callback is requested. Ignore the SMS. Criminals are trying to hijack your account and get at your money.
---------------------------------------------
https://www.watchlist-internet.at/news/binance-login-fake/
∗∗∗ TeamViewer gives the all-clear: no customer data exfiltrated in the June 2024 hack ∗∗∗
---------------------------------------------
The hack of remote-maintenance provider TeamViewer appears to have turned out less badly than feared. A state actor (APT29) did have access to the company's internal IT environment, but neither the production environment holding the sources and binaries of the remote-maintenance software nor customer data appear to be affected. The provider announced this in a now third status update.
---------------------------------------------
https://www.borncity.com/blog/2024/07/05/teamviewer-gibt-entwarnung-keine-k…
∗∗∗ Turning Jenkins Into a Cryptomining Machine From an Attackers Perspective ∗∗∗
---------------------------------------------
In this blog entry, we will discuss how the Jenkins Script Console can be weaponized by attackers for cryptomining activity if not configured properly.
---------------------------------------------
https://www.trendmicro.com/en_us/research/24/g/turning-jenkins-into-a-crypt…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (cockpit, python-astropy, python3-docs, and python3.12), Gentoo (BusyBox, GNU Coreutils, GraphicsMagick, podman, PuTTY, Sofia-SIP, TigerVNC, and WebKitGTK+), Mageia (chromium-browser-stable and openvpn), SUSE (cockpit, krb5, and netatalk), and Ubuntu (kopanocore, libreoffice, linux-aws, linux-oem-6.8, linux-aws-5.15, linux-azure, linux-azure-4.15, linux-lowlatency, linux-lowlatency-hwe-6.5, linux-oracle, linux-starfive-6.5, and virtuoso-opensource).
---------------------------------------------
https://lwn.net/Articles/980855/
∗∗∗ ZDI-24-897: Trend Micro Apex One modOSCE SQL Injection Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-24-897/
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 03-07-2024 18:00 − Thursday 04-07-2024 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ MikroTik routers as DDoS sources: figures for Austria ∗∗∗
---------------------------------------------
OVH describes in detail in a blog post that they have recently had to deal more often with DDoS attacks which they trace back to compromised MikroTik routers. Serious bandwidth and packets per second are involved: no wonder, if the attackers have managed to harness well-connected routers for their purposes. [..] I took this as an occasion to look in our data (based on Shadowserver scans) at how things stand with these devices in Austria: MikroTik routers that reveal their model numbers via SNMP.
---------------------------------------------
https://www.cert.at/de/aktuelles/2024/7/mikrotik-snmp
∗∗∗ Authy: hackers harvest millions of phone numbers via an unsecured API ∗∗∗
---------------------------------------------
After criminals leaked a CSV file with the phone numbers of allegedly 33 million Authy users, SMS phishing attacks, among other things, are looming.
---------------------------------------------
https://heise.de/-9789229
∗∗∗ Backup fiasco in Indonesia: hackers give away the key and apologise ∗∗∗
---------------------------------------------
A ransomware attack is causing Indonesia enormous problems. The situation is so precarious that the attackers are now extending a hand to the authorities.
---------------------------------------------
https://www.golem.de/news/backup-fiasko-in-indonesien-hacker-verschenken-sc…
∗∗∗ Update on the hack of the Qualys blog ∗∗∗
---------------------------------------------
Qualys has now reacted and responded (to my report) regarding the hack of the company blog. No customer or company data at risk, just a bit of spam in the blog, which was running at a third-party provider.
---------------------------------------------
https://www.borncity.com/blog/2024/07/04/neues-zum-hack-des-qualys-blogs/
∗∗∗ Attack Cases Against HTTP File Server (HFS) (CVE-2024-23692) ∗∗∗
---------------------------------------------
HTTP File Server (HFS) is a program that provides a simple type of web service. [..] Recently, the remote code execution vulnerability CVE-2024-23692 in the HFS program that provides web services was announced. Attack cases against vulnerable versions of HFS continue to be detected ever since. Because HFS is exposed to the public in order to enable users to connect to the HFS web server and download files, it can be a target for external attacks if it has a vulnerability.
---------------------------------------------
https://asec.ahnlab.com/en/67650/
∗∗∗ WordPress User Enumeration: Risks & Mitigation Steps ∗∗∗
---------------------------------------------
In this post, we’re diving deep into WordPress user enumeration. We’ll break down what it is, why it’s a problem, and most importantly — how to prevent a compromise.
---------------------------------------------
https://blog.sucuri.net/2024/07/wordpress-user-enumeration.html
∗∗∗ The Not-So-Secret Network Access Broker x999xx ∗∗∗
---------------------------------------------
Most accomplished cybercriminals go out of their way to separate their real names from their hacker handles. But among certain old-school Russian hackers it is not uncommon to find major players who have done little to prevent people from figuring out who they are in real life. A case study in this phenomenon is "x999xx," the nickname chosen by a venerated Russian hacker who specializes in providing the initial network access to various ransomware groups.
---------------------------------------------
https://krebsonsecurity.com/2024/07/the-not-so-secret-network-access-broker…
∗∗∗ Dissecting GootLoader With Node.js ∗∗∗
---------------------------------------------
We demonstrate effective methods to circumvent anti-analysis evasion techniques from GootLoader, a backdoor and loader malware distributed through fake forum posts.
---------------------------------------------
https://unit42.paloaltonetworks.com/javascript-malware-gootloader/
∗∗∗ No room for error: Don’t get stung by these common Booking.com scams ∗∗∗
---------------------------------------------
From sending phishing emails to posting fake listings, here's how fraudsters hunt for victims while you're booking your well-earned vacation.
---------------------------------------------
https://www.welivesecurity.com/en/scams/common-bookingcom-scams/
∗∗∗ Senate leader demands answers from CISA on Ivanti-enabled hack of sensitive systems ∗∗∗
---------------------------------------------
Sen. Charles Grassley (R-IA) on Wednesday sent Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly a stern letter seeking documentation and answers relating to a January hack of the agency’s Chemical Security Assessment Tool (CSAT) along with the breach of a second sensitive system. Grassley noted that the cyberattack led to “malicious activity” potentially compromising some of the country’s most sensitive industrial and critical infrastructure information.
---------------------------------------------
https://therecord.media/senator-grassley-cisa-letter-hack
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (389-ds, c-ares, container-tools, cups, fontforge, go-toolset, iperf3, less, libreoffice, libuv, nghttp2, openldap, python-idna, python-jinja2, python-pillow, python3, python3.11-PyMySQL, qemu-kvm, and xmlrpc-c), Debian (znc), Fedora (firmitas and libnbd), Mageia (dcmtk, krb5, libcdio, and openssh), Oracle (golang, openssh, pki-core, and qemu-kvm), Red Hat (openssh), SUSE (apache2-mod_auth_openidc, emacs, go1.21, go1.22, krb5, openCryptoki, and openssh), and Ubuntu (linux, linux-aws, linux-aws-hwe, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux, linux-aws, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux, linux-aws, linux-kvm, linux-lts-xenial, linux, linux-gcp, linux-gcp-6.5, linux-laptop, linux-nvidia-6.5, linux-raspi, linux, linux-gcp, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-xilinx-zynqmp, linux, linux-ibm, linux-lowlatency, linux-nvidia, linux-raspi, linux-aws, linux-aws-6.5, linux-oem-6.5, linux-oracle, linux-oracle-6.5, linux-starfive, linux-aws, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-ibm, linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-oracle, linux-oracle-5.15, linux-azure, linux-azure, linux-azure-6.5, linux-bluefield, linux-iot, linux-gcp, linux-intel, linux-hwe-5.15, and php7.0 and php7.2).
---------------------------------------------
https://lwn.net/Articles/980755/
∗∗∗ Citrix: Cloud Software Group Security Advisory for CVE-2024-6387 ∗∗∗
---------------------------------------------
https://support.citrix.com/article/CTX678072/cloud-software-group-security-…
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 02-07-2024 18:00 − Wednesday 03-07-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Alexander Riepl
=====================
= News =
=====================
∗∗∗ Europol takes down 593 Cobalt Strike servers used by cybercriminals ∗∗∗
---------------------------------------------
Europol coordinated a joint law enforcement action known as Operation Morpheus, which led to the takedown of almost 600 Cobalt Strike servers used by cybercriminals to infiltrate victims networks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/europol-takes-down-593-cobal…
∗∗∗ Cyberattack: hackers capture data from TÜV Rheinland ∗∗∗
---------------------------------------------
A ransomware gang managed to penetrate a training network of TÜV Rheinland. Credentials may have been exfiltrated in the process.
---------------------------------------------
https://www.golem.de/news/cyberangriff-hacker-erbeuten-daten-von-tuev-rhein…
∗∗∗ South Korean ERP Vendors Server Hacked to Spread Xctdoor Malware ∗∗∗
---------------------------------------------
An unnamed South Korean enterprise resource planning (ERP) vendor's product update server has been found to be compromised to deliver a Go-based backdoor dubbed Xctdoor. The AhnLab Security Intelligence Center (ASEC), which identified ..
---------------------------------------------
https://thehackernews.com/2024/07/south-korean-erp-vendors-server-hacked.ht…
∗∗∗ Hijacked: How hacked YouTube channels spread scams and malware ∗∗∗
---------------------------------------------
Here's how cybercriminals go after YouTube channels and use them as conduits for fraud – and what you should watch out for when watching videos on the platform.
---------------------------------------------
https://www.welivesecurity.com/en/scams/hijacked-hacked-youtube-channels-sc…
∗∗∗ LockBit claims cyberattack on Croatia’s largest hospital ∗∗∗
---------------------------------------------
The LockBit ransomware gang has claimed responsibility for a cyberattack on Croatia’s largest hospital, which forced it to shut down IT systems for a day. The group claims to have gained access to patient and employee information, medical records, organ and donor data and contracts signed with external companies.
---------------------------------------------
https://therecord.media/lockbit-claims-cyberattack-croatia-hospital
∗∗∗ Was the Qualys blog hacked? (2 July 2024) ∗∗∗
---------------------------------------------
Brief note on Qualys, a technology company offering services in the area of cloud security and compliance. The question has arisen whether they may have been hacked via their blog.
---------------------------------------------
https://www.borncity.com/blog/2024/07/03/wurde-der-blog-von-qualys-gehackt-…
∗∗∗ Cisco NX-OS: update against a vulnerability under attack since April ∗∗∗
---------------------------------------------
In Cisco NX-OS on several Nexus and MDS switches, a security vulnerability has been under attack since April. Cisco is now providing an update.
---------------------------------------------
https://heise.de/-9787532
=====================
= Vulnerabilities =
=====================
∗∗∗ Vulnerabilities in PanelView Plus devices could lead to remote code execution ∗∗∗
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2024/07/02/vulnerabilities-in…
∗∗∗ Unpatched RCE Vulnerabilities in Gogs: Argument Injection in the Built-In SSH Server ∗∗∗
---------------------------------------------
https://www.sonarsource.com/blog/securing-developer-tools-unpatched-code-vu…
∗∗∗ Remote Unauthenticated Code Execution Vulnerability in OpenSSH Server (regreSSHion): July 2024 ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ [R1] Tenable Identity Exposure Version 3.59.5 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2024-11
=====================
= End-of-Day report =
=====================
Timeframe: Monday 01-07-2024 18:00 − Tuesday 02-07-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Latest Intel CPUs impacted by new Indirector side-channel attack ∗∗∗
---------------------------------------------
Modern Intel processors, including chips from the Raptor Lake and the Alder Lake generations are susceptible to a new type of a high-precision Branch Target Injection (BTI) attack dubbed Indirector, which could be used to steal sensitive information from the CPU.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/latest-intel-cpus-impacted-b…
∗∗∗ Ignore payment demands from Tecom for erotic services ∗∗∗
---------------------------------------------
Recently we have been receiving more and more reports of SMS messages from Tecom demanding 90 euros for erotic services. The amount is to be transferred to a Czech account or paid in cash by registered mail. Do not pay, this is fraud!
---------------------------------------------
https://www.watchlist-internet.at/news/zahlungsaufforderung-von-tecom-fuer-…
∗∗∗ Getting Unauthenticated Remote Code Execution on the Logsign Unified SecOps Platform ∗∗∗
---------------------------------------------
This blog looks at two separate vulnerabilities that can be combined to achieve remote, unauthenticated code execution on the web server via HTTP requests. [..] Logsign patched these and other vulnerabilities with version 6.4.8.
---------------------------------------------
https://www.thezdi.com/blog/2024/7/1/getting-unauthenticated-remote-code-ex…
∗∗∗ The End of Passwords? Embrace the Future with Passkeys. ∗∗∗
---------------------------------------------
Passkeys will become the new norm in a few years. Users will realize that passkeys simplify their lives, and companies and users alike will appreciate the reduced risk of breaches from phishing or brute-force attacks. However, building user trust in passkeys remains a challenge, like the adoption of password managers.
---------------------------------------------
https://blog.nviso.eu/2024/07/02/the-end-of-passwords-embrace-the-future-wi…
∗∗∗ Modern Cryptographic Attacks: A Guide for the Perplexed ∗∗∗
---------------------------------------------
In this write-up, we lay out in simple terms: “Classic Flavor” modern cryptanalysis (e.g. meet-in-the-middle attacks, Birthday Attack on CBC) [..] Side Channel Attacks (e.g. Timing Attacks, an honorable mention for SPECTRE) [..] Attacks on RSA (e.g. Bleichenbacher’s attack, related message attacks, Coppersmith’s method)
---------------------------------------------
https://research.checkpoint.com/2024/modern-cryptographic-attacks-a-guide-f…
∗∗∗ CocoaPods: vulnerable to supply-chain attacks in "countless" Mac and iOS apps ∗∗∗
---------------------------------------------
The open-source dependency manager is contained in millions of Swift and Objective-C programs. [..] Eva Security found that CocoaPods had already migrated all pods to a new "Trunk Server" on GitHub in 2014. In the process, the authors of every library were simply reset. CocoaPods then asked developers to "claim" their respective library. Not all of them did, however.
---------------------------------------------
https://heise.de/-9786099
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco NX-OS Software CLI Command Injection Vulnerability ∗∗∗
---------------------------------------------
A vulnerability in the CLI of Cisco NX-OS Software could allow an authenticated, local attacker to execute arbitrary commands as root on the underlying operating system of an affected device. [..] To successfully exploit this vulnerability on a Cisco NX-OS device, an attacker must have Administrator credentials. [..] In April 2024, the Cisco Product Security Incident Response Team (PSIRT) became aware of attempted exploitation of this vulnerability in the wild. [..] CVE-2024-20399
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (httpd:2.4/httpd), Arch Linux (openssh), Fedora (cups, emacs, and python-urllib3), Gentoo (OpenSSH), Mageia (ffmpeg, gdb, openssl, python-idna, and python-imageio), Red Hat (golang and kernel), SUSE (booth, libreoffice, openssl-1_1-livepatches, podman, python-arcomplete, python-Fabric, python-PyGithub, python-antlr4-python3-runtime, python-avro, python-chardet, python-distro, python-docker, python-fakeredis, python-fixedint, pyth, python-Js2Py, python310, python39, and squid), and Ubuntu (cups and netplan.io).
---------------------------------------------
https://lwn.net/Articles/980393/
∗∗∗ QNAP: Vulnerability in OpenSSH ∗∗∗
---------------------------------------------
A remote code execution (RCE) vulnerability in OpenSSH has been reported to affect QTS 5.2.0 Release Candidate and QuTS hero h5.2. [..] QNAP is actively investigating this issue and working on a solution. We will fix the issue in the official releases of QTS 5.2.0 and QuTS hero h5.2.0.
---------------------------------------------
https://www.qnap.com/en-us/security-advisory/QSA-24-31
∗∗∗ Juniper: emergency update for Junos OS on the SRX series ∗∗∗
---------------------------------------------
Juniper Networks closes a DoS vulnerability rated high-risk in Junos OS on SRX devices with an out-of-band update. [..] After emergency updates from Juniper Networks for Session Smart Routers were already needed on Friday, the company now follows up with an out-of-band update for Junos OS on devices of the SRX series. They seal a denial-of-service vulnerability. [..] CVE-2024-21586
---------------------------------------------
https://heise.de/-9785970
∗∗∗ Android: Google closes partly critical vulnerabilities on July Patch Day ∗∗∗
---------------------------------------------
Google has released updates for Android 12, 12L, 13 and 14 as part of the July Patch Day. They close privilege-escalation vulnerabilities. [..] As always, smartphone owners have to be a little patient until the Android updates materialize as firmware updates for their device. Even for Google's own Pixel smartphones, the July update is still outstanding at the time of reporting.
---------------------------------------------
https://heise.de/-9786995
∗∗∗ Splunk Security Advisories 2024-07-01 ∗∗∗
---------------------------------------------
https://advisory.splunk.com/advisories
∗∗∗ ICONICS and Mitsubishi Electric Products ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-184-03
∗∗∗ Johnson Controls Kantech Door Controllers ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-184-01
∗∗∗ mySCADA myPRO ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-184-02
=====================
= End-of-Day report =
=====================
Timeframe: Friday 28-06-2024 18:00 − Monday 01-07-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Roles in Cybersecurity: CSIRTs / LE / others ∗∗∗
---------------------------------------------
Back in January 2024, I was asked by the Belgian EU Presidency to moderate a panel during their high-level conference on cyber security in Brussels. The topic was the relationship between cyber security and law enforcement: how do CSIRTs and the police / public prosecutors cooperate, what works here and where are the fault lines in this collaboration. As the moderator, I wasn’t in the position to really present my own view on some of the issues, so I’m using this blogpost to document my thinking regarding the CSIRT/LE division of labour. From that starting point, this text kind of turned into a rant on what’s wrong with IT Security.
---------------------------------------------
https://www.cert.at/en/blog/2024/7/csirt-le-military
∗∗∗ NIS2 - Implementing Acts ∗∗∗
---------------------------------------------
Drafts of the Implementing Acts for the NIS 2 Directive, which will regulate implementation details, are finally available. More precisely: they concern the criteria for when an incident becomes reportable, and risk-management measures. The EU is running a public consultation on them, open until 25 July. The drafts are also available via this website.
---------------------------------------------
https://www.cert.at/de/blog/2024/6/nis2-implementing-acts
∗∗∗ Beware of fake UEFA EURO 2024 prize draws ∗∗∗
---------------------------------------------
Criminals are spreading fake UEFA EURO 2024 prize draws by e-mail. The e-mail claims you can win a UEFA EURO 2024 Mystery Box if you click the link and take part in a short survey. Beware: criminals steal your data and you fall into a subscription trap!
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-gefaelschten-gewinnspie…
∗∗∗ Hackers exploit critical D-Link DIR-859 router flaw to steal passwords ∗∗∗
---------------------------------------------
Hackers are exploiting a critical vulnerability that affects all D-Link DIR-859 WiFi routers to collect account information from the device, including passwords. The security issue was disclosed in January and is currently tracked as CVE-2024-0769 (9.8 severity score) - a path traversal flaw that leads to information disclosure.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-exploit-critical-d-l…
∗∗∗ Dev rejects CVE severity, makes his GitHub repo read-only ∗∗∗
---------------------------------------------
The popular open-source project ip had its GitHub repository archived, or made "read-only", by its developer as a result of a dubious CVE report filed for his project. Unfortunately, open-source developers have recently been met with an uptick in debatable or outright bogus CVEs filed for their projects.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/dev-rejects-cve-severity-mak…
∗∗∗ Fake IT support sites push malicious PowerShell scripts as Windows fixes ∗∗∗
---------------------------------------------
Fake IT support sites promote malicious PowerShell "fixes" for common Windows errors, like the 0x80070643 error, to infect devices with information-stealing malware.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fake-it-support-sites-push-m…
∗∗∗ Router makers support portal responds with MetaMask phishing ∗∗∗
---------------------------------------------
BleepingComputer has verified that the helpdesk portal of a router manufacturer is currently sending MetaMask phishing emails in response to newly filed support tickets, in what appears to be a compromise.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/router-makers-support-portal…
∗∗∗ Kimsuky Using TRANSLATEXT Chrome Extension to Steal Sensitive Data ∗∗∗
---------------------------------------------
[..] threat actor known as Kimsuky has been linked to the use of a new malicious Google Chrome extension that's designed to steal sensitive information as part of an ongoing intelligence collection effort.
---------------------------------------------
https://thehackernews.com/2024/06/kimsuky-using-translatext-chrome.html
∗∗∗ CapraRAT Spyware Disguised as Popular Apps Threatens Android Users ∗∗∗
---------------------------------------------
The threat actor known as Transparent Tribe has continued to unleash malware-laced Android apps as part of a social engineering campaign to target individuals of interest. [..] The list of new malicious APK files identified by SentinelOne is as follows - Crazy Game, Sexy Videos, TikToks, Weapons
---------------------------------------------
https://thehackernews.com/2024/07/caprarat-spyware-disguised-as-popular.html
∗∗∗ Unveiling Qilin/Agenda Ransomware - A Deep Dive into Modern Cyber Threats ∗∗∗
---------------------------------------------
Agenda ransomware, also known as 'Qilin,' first emerged in July 2022. Written in Golang, Agenda supports multiple encryption modes, all controlled by its operators. The Agenda ransomware actors use double extortion tactics, demanding payment for both a decryptor and the non-release of stolen data. This ransomware primarily targets large enterprises and high-value organizations, focusing particularly on the healthcare and education sectors in Africa and Asia.
---------------------------------------------
https://sec-consult.com/blog/detail/unveiling-qilin-agenda-ransomware-a-dee…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (dcmtk, edk2, emacs, glibc, gunicorn, libmojolicious-perl, openssh, org-mode, pdns-recursor, tryton-client, and tryton-server), Fedora (freeipa, kitty, libreswan, mingw-gstreamer1, mingw-gstreamer1-plugins-bad-free, mingw-gstreamer1-plugins-base, mingw-gstreamer1-plugins-good, mingw-poppler, and mingw-python-urllib3), Gentoo (cpio, cryptography, GNU Emacs, Org Mode, GStreamer, GStreamer Plugins, Liferea, Pixman, SDL_ttf, SSSD, and Zsh), Oracle (pki-core), Red Hat (httpd:2.4, libreswan, and pki-core), SUSE (glib2 and kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t), and Ubuntu (espeak-ng, libcdio, and openssh).
---------------------------------------------
https://lwn.net/Articles/980252/
∗∗∗ regreSSHion: Remote Unauthenticated Code Execution Vulnerability (CVE-2024-6387) in OpenSSH server ∗∗∗
---------------------------------------------
A critical vulnerability (CVE-2024-6387) in the OpenSSH server (sshd) has been demonstrated on glibc-based Linux systems. It potentially allows an unauthenticated attacker to execute arbitrary code as root on the affected system via a race condition in a signal handler. OpenBSD-based systems are not affected. Although the vulnerability is classified as remote code execution (RCE), exploiting it is extremely complex. [..] Affected are OpenSSH versions earlier than 4.4p1, unless they have been patched against CVE-2006-5051 and CVE-2008-4109, as well as OpenSSH versions from 8.5p1 up to, but not including, 9.8p1 (the release that contains the fix).
---------------------------------------------
https://www.cert.at/de/aktuelles/2024/7/regresshion-remote-unauthenticated-…
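As an added check (example code written for this digest, not code from CERT.at, Qualys or the OpenSSH project): the script below classifies an sshd banner against the version ranges quoted above and reads the LoginGraceTime workaround from the Qualys advisory out of an sshd_config. It assumes banners of the form "SSH-2.0-OpenSSH_9.6p1 ..." and cannot see distribution backports, so a "vulnerable" verdict means "compare this exact package build against the vendor advisory", not "exploitable".

```python
import re

# Version ranges from the advisory quoted above. Assumption: the version is
# read from the sshd banner ("SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13"); the
# banner does not reveal distribution backports.
_BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")

# sshd time-format suffixes (s, m, h, d, w; no suffix means seconds)
_TIME_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_openssh_version(banner):
    """Return (major, minor, portable_patch) from a banner, or None if not OpenSSH."""
    m = _BANNER_RE.search(banner)
    if m is None:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def regresshion_status(banner):
    """Classify an sshd banner against the CVE-2024-6387 version ranges."""
    version = parse_openssh_version(banner)
    if version is None:
        return "unknown"          # not OpenSSH (e.g. dropbear); out of scope
    if version < (4, 4, 1):
        return "vulnerable"       # unless patched for CVE-2006-5051 / CVE-2008-4109
    if (8, 5, 1) <= version < (9, 8, 1):
        return "vulnerable"       # regression reintroduced in 8.5p1, fixed in 9.8p1
    return "not-affected"


def parse_sshd_time(value):
    """Convert an sshd time value such as "120", "2m" or "1h30m" to seconds."""
    total = 0
    for number, unit in re.findall(r"(\d+)([smhdw]?)", value.lower()):
        total += int(number) * _TIME_UNITS[unit]
    return total


def login_grace_time(sshd_config):
    """Effective LoginGraceTime in seconds; sshd honours the first occurrence."""
    for raw in sshd_config.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments
        if not line:
            continue
        parts = line.replace("=", " ").split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "logingracetime":
            return parse_sshd_time(parts[1])
    return 120  # sshd default when the keyword is absent


def regresshion_assessment(banner, sshd_config):
    """Combine the version check with the LoginGraceTime 0 workaround."""
    status = regresshion_status(banner)
    if status == "vulnerable" and login_grace_time(sshd_config) == 0:
        return "mitigated"        # race cannot be triggered; the cost is a DoS vector
    return status


if __name__ == "__main__":
    # Constructed sample inputs, not real hosts
    for b in ("SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13", "SSH-2.0-OpenSSH_9.8p1",
              "SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3", "SSH-2.0-dropbear_2022.83"):
        print(b, "->", regresshion_status(b))
    print(regresshion_assessment("SSH-2.0-OpenSSH_9.7p1", "LoginGraceTime 0"))
```

Feed it the banner line from `nc host 22` (or the output of `ssh -V` on the host itself) and the contents of `/etc/ssh/sshd_config`; setting LoginGraceTime to 0 removes the race window but lets an unauthenticated client hold connection slots indefinitely, so treat it as a stopgap until the package is updated.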
∗∗∗ IP telephony: Avaya IP Office plugs critical security holes ∗∗∗
---------------------------------------------
Updates for Avaya IP Office close security holes in the software that attackers could use to inject malicious code.
---------------------------------------------
https://heise.de/-9784229
∗∗∗ ABB: 2024-07-01: Cyber Security Advisory - ASPECT system operating with default credentials while exposed to the Internet ∗∗∗
---------------------------------------------
https://search.abb.com/library/Download.aspx?DocumentID=9AKK108469A6101&Lan…
∗∗∗ Kubernetes: Invalid entry in vulnerability feed ∗∗∗
---------------------------------------------
https://github.com/kubernetes/website/issues/47003
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 27-06-2024 18:00 − Friday 28-06-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Alexander Riepl
=====================
= News =
=====================
∗∗∗ New Unfurling Hemlock threat actor floods systems with malware ∗∗∗
---------------------------------------------
A threat actor tracked as Unfurling Hemlock has been infecting target systems with up to ten pieces of malware at the same time in campaigns that distribute hundreds of thousands of malicious files ..
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-unfurling-hemlock-threat…
∗∗∗ BlackSuit ransomware gang claims attack on KADOKAWA corporation ∗∗∗
---------------------------------------------
The BlackSuit ransomware gang claimed a recent cyberattack on KADOKAWA corporation and is now threatening to publish stolen data if a ransom is not paid.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/blacksuit-ransomware-gang-cl…
∗∗∗ TeamViewer hacked: cyberattack hits popular remote maintenance software ∗∗∗
---------------------------------------------
TeamViewer has confirmed that there was a security incident. Initial indications suggest that the hacker group Midnight Blizzard may be behind it.
---------------------------------------------
https://www.golem.de/news/teamviewer-gehackt-cyberangriff-trifft-populaere-…
∗∗∗ Support of SSL 2.0 on web servers in 2024 ∗∗∗
---------------------------------------------
We last discussed SSLv2 support on internet-exposed web servers about a year ago, when we discovered that there were still about 450 thousand web servers that supported this protocol left on the internet. We also found that a significant portion of these servers was located in Kazakhstan, Tunisia ..
---------------------------------------------
https://isc.sans.edu/diary/Support+of+SSL+20+on+web+servers+in+2024/31044
∗∗∗ Microsoft Informs Customers that Russian Hackers Spied on Emails ∗∗∗
---------------------------------------------
Russian hackers who broke into Microsoft's systems and spied on staff inboxes earlier this year also stole emails from its customers, the tech giant said on Thursday, around six months after it first disclosed the intrusion. Reuters: The disclosure underscores the breadth of the breach as Microsoft faces increasing regulatory scrutiny ..
---------------------------------------------
https://yro.slashdot.org/story/24/06/28/1319219/microsoft-informs-customers…
∗∗∗ Google cuts ties with Entrust in Chrome over trust issues ∗∗∗
---------------------------------------------
Move comes weeks after Mozilla blasted the certificate authority for failings. Google is severing its trust in Entrust after what it describes as a protracted period of failures around compliance and general improvements.
---------------------------------------------
https://www.theregister.com/2024/06/28/google_axes_entrust_over_six/
∗∗∗ An Inside Look at The Malware and Techniques Used in the WordPress.org Supply Chain Attack ∗∗∗
---------------------------------------------
On Monday June 24th, 2024 the Wordfence Threat Intelligence team was made aware of the presence of malware in the Social Warfare repository plugin ..
---------------------------------------------
https://www.wordfence.com/blog/2024/06/an-inside-look-at-the-malware-and-te…
∗∗∗ Acute wave of DDoS attacks against Austrian companies and organisations ∗∗∗
---------------------------------------------
Since this morning, various Austrian companies and organisations from different industries and sectors have been facing DDoS attacks. The exact background of the attack ..
---------------------------------------------
https://www.cert.at/de/aktuelles/2024/6/akute-welle-an-ddos-angriffen-gegen…
∗∗∗ SVR Cyber Actors Adapt Tactics for Initial Cloud Access ∗∗∗
---------------------------------------------
This advisory details recent tactics, techniques, and procedures (TTPs) of the group commonly known as APT29, also known as Midnight Blizzard, the Dukes, or Cozy Bear. The UK National Cyber Security Centre (NCSC) and international partners assess that APT29 is a cyber espionage group, almost certainly part of the SVR, an ..
---------------------------------------------
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-057a
∗∗∗ Supply Chain Compromise Leads to Trojanized Installers for Notezilla, RecentX, Copywhiz ∗∗∗
---------------------------------------------
On Tuesday, June 18th, 2024, Rapid7 initiated an investigation into suspicious activity in a customer environment. Our investigation identified that the suspicious behavior was emanating from the installation of ..
---------------------------------------------
https://www.rapid7.com/blog/post/2024/06/27/supply-chain-compromise-leads-t…
∗∗∗ Juniper: critical vulnerability lets attackers take over Session Smart Router ∗∗∗
---------------------------------------------
Juniper Networks is shipping out-of-cycle updates for a critical vulnerability in Session Smart Router, Session Smart Conductor and WAN Assurance Router.
---------------------------------------------
https://heise.de/-9781931
=====================
= Vulnerabilities =
=====================
∗∗∗ GitLab Releases Patch for Critical CI/CD Pipeline Vulnerability and 13 Others ∗∗∗
---------------------------------------------
https://thehackernews.com/2024/06/gitlab-releases-patch-for-critical-cicd.h…
∗∗∗ 2024-06: Out-Of-Cycle Security Bulletin: Session Smart Router(SSR): On redundant router deployments API authentication can be bypassed (CVE-2024-2973) ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-06-Out-Of-Cycle-Security-B…
∗∗∗ OMSA-2024-0001 ∗∗∗
---------------------------------------------
https://www.vmware.com/security/advisories/OMSA-2024-0001.html
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 26-06-2024 18:00 − Thursday 27-06-2024 18:00
Handler: Alexander Riepl
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Exploit for critical Fortra FileCatalyst Workflow SQLi flaw released ∗∗∗
---------------------------------------------
Fortra FileCatalyst Workflow contains an SQL injection vulnerability that could allow remote unauthenticated attackers to create rogue admin users and manipulate data in the application database.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/exploit-for-critical-fortra-…
∗∗∗ Security vulnerability: unprotected API exposes sensitive data on German prisoners ∗∗∗
---------------------------------------------
Because of the vulnerability, anyone could see which prisoner phoned their lawyer or therapist, and when.
---------------------------------------------
https://www.golem.de/news/sicherheitsluecke-ungeschuetzte-api-liefert-sensi…
∗∗∗ What Setting Live Traps for Cybercriminals Taught Me About Security [Guest Diary], (Wed, Jun 26th) ∗∗∗
---------------------------------------------
For anyone who doesn’t know what a honeypot is, it is a server created specifically for the purpose of gathering information about unauthorized users that connect to it. A honeypot is usually vulnerable by design and often designed to be enticing to trap unsuspecting criminals into spending more time with it. I named my honeypot “Winnie.”
---------------------------------------------
https://isc.sans.edu/diary/rss/31038
∗∗∗ Rust-Based P2PInfect Botnet Evolves with Miner and Ransomware Payloads ∗∗∗
---------------------------------------------
The peer-to-peer malware botnet known as P2PInfect has been found targeting misconfigured Redis servers with ransomware and cryptocurrency miners.
---------------------------------------------
https://thehackernews.com/2024/06/rust-based-p2pinfect-botnet-evolves.html
∗∗∗ Warning about fake tax office SMS ∗∗∗
---------------------------------------------
Reports are mounting of a renewed smishing wave in which criminals try to trick unsuspecting citizens with fake SMS messages sent in the name of the tax office (Finanzamt).
---------------------------------------------
https://www.watchlist-internet.at/news/warnung-finanzamt-sms/
∗∗∗ Rabbit R1: panned AI gadget also turns out to be a security nightmare ∗∗∗
---------------------------------------------
Hackers demonstrate that they can access every response sent to R1 devices. The same route can also be used to damage the devices and manipulate responses.
---------------------------------------------
https://www.derstandard.at/story/3000000226115/rabbit-r1-verrissenes-ki-gad…
∗∗∗ Snowflake isn’t an outlier, it’s the canary in the coal mine ∗∗∗
---------------------------------------------
Headlines continue to roll in about the many implications and follow-on attacks originating from leaked and/or stolen credentials for the Snowflake cloud data platform.
---------------------------------------------
https://blog.talosintelligence.com/infostealer-landscape-facilitates-breach…
∗∗∗ MerkSpy: Exploiting CVE-2021-40444 to Infiltrate Systems ∗∗∗
---------------------------------------------
FortiGuard Labs uncovers MerkSpy, a new spyware exploiting CVE-2021-40444 to steal keystrokes and sensitive data.
---------------------------------------------
https://www.fortinet.com/blog/threat-research/merkspy-exploiting-cve-2021-4…
∗∗∗ The Growing Threat of Malware Concealed Behind Cloud Services ∗∗∗
---------------------------------------------
Cybersecurity threats are increasingly leveraging cloud services to store, distribute, and establish command and control (C2) servers.
---------------------------------------------
https://www.fortinet.com/blog/threat-research/growing-threat-of-malware-con…
=====================
= Vulnerabilities =
=====================
∗∗∗ Over 110,000 Websites Affected by Hijacked Polyfill Supply Chain Attack ∗∗∗
---------------------------------------------
Google has taken steps to block ads for e-commerce sites that use the Polyfill.io service after a Chinese company acquired the domain and modified the JavaScript library ("polyfill.js") to redirect users to malicious and scam sites.
---------------------------------------------
https://thehackernews.com/2024/06/over-110000-websites-affected-by.html
∗∗∗ Prompt Injection Flaw in Vanna AI Exposes Databases to RCE Attacks ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed a high-severity security flaw in the Vanna.AI library that could be exploited to achieve remote code execution via prompt injection techniques.
---------------------------------------------
https://thehackernews.com/2024/06/prompt-injection-flaw-in-vanna-ai.html
∗∗∗ GitLab Security Updates Patch 14 Vulnerabilities ∗∗∗
---------------------------------------------
GitLab CE and EE updates resolve 14 vulnerabilities, including one critical- and three high-severity bugs.
---------------------------------------------
https://www.securityweek.com/gitlab-security-updates-patch-14-vulnerabiliti…
∗∗∗ Multiple vulnerabilities in TP-Link Omada system could lead to root access ∗∗∗
---------------------------------------------
Affected devices could include wireless access points, routers, switches and VPNs.
---------------------------------------------
https://blog.talosintelligence.com/multiple-vulnerabilities-in-tp-link-omad…
∗∗∗ TELSAT marKoni FM Transmitter ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-179-01
∗∗∗ Johnson Controls Illustra Essentials Gen 4 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-179-04
∗∗∗ Johnson Controls Illustra Essentials Gen 4 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-179-07
∗∗∗ SDG Technologies PnPSCADA ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-179-02
∗∗∗ Johnson Controls Illustra Essentials Gen 4 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-179-05
∗∗∗ Yokogawa FAST/TOOLS and CI Server ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-179-03
∗∗∗ Johnson Controls Illustra Essentials Gen 4 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-179-06
∗∗∗ Local Privilege Escalation via MSI Installer in SoftMaker Office / FreeOffice ∗∗∗
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/local-privilege-escal…
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 25-06-2024 18:00 − Wednesday 26-06-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ New Medusa Android Trojan Targets Banking Users Across 7 Countries ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered an updated version of an Android banking trojan called Medusa that has been used to target users in Canada, France, Italy, Spain, Turkey, the U.K., and the U.S.
---------------------------------------------
https://thehackernews.com/2024/06/new-medusa-android-trojan-targets.html
∗∗∗ New Credit Card Skimmer Targets WordPress, Magento, and OpenCart Sites ∗∗∗
---------------------------------------------
Multiple content management system (CMS) platforms like WordPress, Magento, and OpenCart have been targeted by a new credit card web skimmer called Caesar Cipher Skimmer.
---------------------------------------------
https://thehackernews.com/2024/06/new-credit-card-skimmer-targets.html
∗∗∗ Beware of job scam on dm-supermall.com ∗∗∗
---------------------------------------------
Be careful if your new job requires you to shop on dm-supermall.com. This platform is part of a scam. The new job, in which you test online shops or services, is fraudulent.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-jobbetrug-auf-dm-superm…
∗∗∗ Attackers Exploiting Public Cobalt Strike Profiles ∗∗∗
---------------------------------------------
Unit 42 researchers examine how attackers use publicly available Malleable C2 profiles, examining their structure to reveal evasive techniques.
---------------------------------------------
https://unit42.paloaltonetworks.com/attackers-exploit-public-cobalt-strike-…
∗∗∗ Buying a VPN? Here’s what to know and look for ∗∗∗
---------------------------------------------
VPNs are not all created equal – make sure to choose the right provider that will help keep your data safe from prying eyes.
---------------------------------------------
https://www.welivesecurity.com/en/privacy/buying-vpn-what-know-look-for/
=====================
= Vulnerabilities =
=====================
∗∗∗ Snowblind malware abuses Android security feature to bypass security ∗∗∗
---------------------------------------------
A novel Android attack vector from a piece of malware tracked as Snowblind is abusing a security feature to bypass existing anti-tampering protections in apps that handle sensitive user data.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/snowblind-malware-abuses-and…
∗∗∗ A Novel DoS Vulnerability affecting WebRTC Media Servers ∗∗∗
---------------------------------------------
A critical denial-of-service (DoS) vulnerability has been identified in media servers that process WebRTC’s DTLS-SRTP, specifically in their handling of ClientHello messages.
---------------------------------------------
https://www.rtcsec.com/article/novel-dos-vulnerability-affecting-webrtc-med…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (git, python3.11, and python3.9), Debian (chromium, emacs, git, linux-5.10, and org-mode), Fedora (libopenmpt, nginx-mod-modsecurity, and thunderbird), Mageia (emacs, python-ansible-core, and python-authlib), Oracle (git, python3.11, and python3.9), Red Hat (kernel, kernel-rt, and samba), and Ubuntu (ansible, cups, google-guest-agent, google-osconfig-agent, libheif, openvpn, roundcube, and salt).
---------------------------------------------
https://lwn.net/Articles/979740/
∗∗∗ Supply chain attack against polyfill.js ∗∗∗
---------------------------------------------
The popular JavaScript library polyfill.js, which developers use to support old browser versions, has become the victim of a supply chain attack, or rather has been abused to carry one out.
---------------------------------------------
https://www.cert.at/de/aktuelles/2024/6/supply-chain-angriff-gegen-polyfill…
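The two polyfill.io entries in this and the previous day's report come down to one question for site owners: which third-party scripts does a page load, and would the browser notice if the CDN started serving something else? The check below is an added example written for this digest (not code from CERT.at or from the polyfill project): it lists every external <script> on a page, flags loads from the domain named above and any cross-origin script without a Subresource Integrity attribute, and computes the integrity= value for a vendored copy. The sample page and the host names ending in .test are constructed for the example.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts to flag outright. Constructed for this example from the domain named
# in the advisory; extend from your own intel.
KNOWN_BAD_HOSTS = {"polyfill.io"}


class _ScriptCollector(HTMLParser):
    """Collect the attribute dict of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self.scripts.append({k.lower(): v for k, v in attrs})


def _is_bad_host(host):
    return any(host == bad or host.endswith("." + bad) for bad in KNOWN_BAD_HOSTS)


def audit_scripts(html, page_host):
    """Return (reason, src) findings for external scripts in a page.

    A script is reported when it is loaded from a known-bad host, or when it
    is cross-origin and carries no integrity= attribute, i.e. the browser
    would execute whatever the CDN serves today.
    """
    collector = _ScriptCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.scripts:
        src = attrs.get("src")
        if not src:
            continue                                    # inline script, not a third-party load
        host = (urlparse(src).hostname or "").lower()   # "" for same-origin paths
        if _is_bad_host(host):
            findings.append(("known-bad-host", src))
        elif host and host != page_host.lower() and not attrs.get("integrity"):
            findings.append(("cross-origin-without-sri", src))
    return findings


def sri_hash(content, algo="sha384"):
    """Build the integrity= value for a vendored, pinned copy of a script."""
    digest = hashlib.new(algo, content).digest()
    return algo + "-" + base64.b64encode(digest).decode("ascii")


# Constructed sample page, not a real site; other.js is the "pinned" case
_PINNED = sri_hash(b"/* constructed pinned build of other.js */")
SAMPLE_HTML = """
<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=default"></script>
<script src="//cdn.example-cdn.test/lib.js"></script>
<script src="https://cdn.example-cdn.test/other.js"
        integrity="{pinned}" crossorigin="anonymous"></script>
<script src="/assets/app.js"></script>
<script>console.log("inline")</script>
</head></html>
""".format(pinned=_PINNED)

if __name__ == "__main__":
    for reason, src in audit_scripts(SAMPLE_HTML, "shop.example.test"):
        print(reason, src)
    print(sri_hash(b""))
```

Run it over the rendered HTML of each page template (including admin and checkout pages, which tag managers often treat differently). A known-bad host has to be removed, not pinned; for the other findings the fix is to vendor the file or pin it with the integrity value the script prints, after which a changed upstream file fails the SRI check and is not executed.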
∗∗∗ Patch now! Progress MOVEit vulnerabilities are already under attack ∗∗∗
---------------------------------------------
Progress has closed two critical vulnerabilities in MOVEit Gateway and Transfer. One of them is already being abused by cybercriminals.
---------------------------------------------
https://heise.de/-9778266
∗∗∗ Security vulnerability: Apple stops Bluetooth takeover of AirPods and Beats devices ∗∗∗
---------------------------------------------
Apple has released new firmware for various headphone models that closes a problematic vulnerability. The update is not straightforward, however.
---------------------------------------------
https://heise.de/-9778924
∗∗∗ ZDI-24-882: VMware vCenter Server Appliance License Server Uncontrolled Memory Allocation Denial-of-Service Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-24-882/
∗∗∗ Multiple Vulnerabilities in Siemens Power Automation Products (CP-8000/CP-8021/CP8-022/CP-8031/CP-8050/SICORE) ∗∗∗
---------------------------------------------
https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities…
=====================
= End-of-Day report =
=====================
Timeframe: Monday 24-06-2024 18:00 − Tuesday 25-06-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ NISG 2024 in the Committee on Internal Affairs ∗∗∗
---------------------------------------------
I was invited to appear on 19 June as an expert at a hearing of the parliament's Committee on Internal Affairs on the NISG 2024. This was not a summons to an inquiry committee, which one can hardly decline, but a genuinely voluntary appointment. I have been in parliament several times for work, but so far always at the invitation of the Parliamentary Administration: this was the first appointment with members of parliament. I never had the illusion that this appearance could change anything. [..] In this blog post I want to briefly explain what I wanted to communicate.
---------------------------------------------
https://www.cert.at/de/blog/2024/6/nisg-2024-im-innenausschuss
∗∗∗ New attack uses MSC files and Windows XSS flaw to breach networks ∗∗∗
---------------------------------------------
A novel command execution technique dubbed GrimResource uses specially crafted MSC (Microsoft Saved Console) files and an unpatched Windows XSS flaw to perform code execution via the Microsoft Management Console.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-grimresource-attack-uses…
∗∗∗ Curious false positive: Microsoft Defender classifies harmless text file as trojan ∗∗∗
---------------------------------------------
Microsoft Defender reportedly detected a simple text file with the content "This content is no longer available." as a trojan, more precisely as Trojan:Win32/Casdet!rfn. [..] the false positive was allegedly triggered by someone adding a text file with that content to Microsoft's malware database. The company now appears to have fixed the problem ...
---------------------------------------------
https://www.golem.de/news/kurioser-fehlalarm-microsoft-defender-stuft-harml…
∗∗∗ Atlas Oil: The Consequences of a Ransomware Attack ∗∗∗
---------------------------------------------
Atlas Oil, a major player in the oil and fuel distribution industry, fell victim to a ransomware attack orchestrated by the Black Basta group. This attack not only compromised sensitive company data but also exposed a variety of documents that could potentially harm the company’s operations and reputation. Overall, Black Basta claims to have exfiltrated approximately 730 GB of data.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/atlas-oil-t…
∗∗∗ New Cyberthreat Boolka Deploying BMANAGER Trojan via SQLi Attacks ∗∗∗
---------------------------------------------
A previously undocumented threat actor dubbed Boolka has been observed compromising websites with malicious scripts to deliver a modular trojan codenamed BMANAGER.
---------------------------------------------
https://thehackernews.com/2024/06/new-cyberthreat-boolka-deploying.html
∗∗∗ Recent Zyxel NAS Vulnerability Exploited by Botnet ∗∗∗
---------------------------------------------
A Mirai-like botnet has started exploiting a critical-severity vulnerability in discontinued Zyxel NAS products. Tracked as CVE-2024-29973, the issue is described as a code injection flaw that can be exploited remotely without authentication. It was introduced last year, when Zyxel patched CVE-2023-27992, a similar code injection bug.
---------------------------------------------
https://www.securityweek.com/recent-zyxel-nas-vulnerability-exploited-by-bo…
∗∗∗ Fake Ryanair support on X ∗∗∗
---------------------------------------------
If you have problems with your Ryanair flight, there are various ways to reach customer service. One of them is X (formerly Twitter). When making contact via X, however, make sure you send your request to the right profile. Criminals are increasingly posing as Ryanair Support with fake profiles in order to steal money and data.
---------------------------------------------
https://www.watchlist-internet.at/news/falscher-ryanair-support-auf-x/
∗∗∗ Fraudulent FinanzOnline SMS ∗∗∗
---------------------------------------------
Criminals are currently once again sending large numbers of fake messages in the name of the tax office. They claim that your registration for the FinanzOnline ID is expiring and that you should renew your data via a link. Do not click on the link; criminals will steal your personal data!
---------------------------------------------
https://www.watchlist-internet.at/news/betruegerische-finanz-online-sms/
∗∗∗ Auth. Bypass In (Un)Limited Scenarios - Progress MOVEit Transfer (CVE-2024-5806) ∗∗∗
---------------------------------------------
Many sysadmins may remember last year’s CVE-2023-34362, a cataclysmic vulnerability in Progress MOVEit Transfer that sent ripples through the industry, claiming such high-profile victims as the BBC and FBI. [..] Today (25th June 2024), Progress un-embargoed an authentication bypass vulnerability in Progress MOVEit Transfer.
---------------------------------------------
https://labs.watchtowr.com/auth-bypass-in-un-limited-scenarios-progress-mov…
∗∗∗ Eavesdropping attack from Graz needs only TCP/IP - neither malware nor a security vulnerability ∗∗∗
---------------------------------------------
The eavesdropping attack, called SnailLoad, relies on the fact that downloads of different files show fluctuations in packet round-trip times (RTTs), and that these fluctuations are distinctive as long as the same file is loaded from the same server over the same network path. [..] This makes it possible to determine which video or website a user is retrieving. [..] The attacks can be carried out from arbitrary positions on the Internet from which IP packets can be sent to the victim.
---------------------------------------------
https://heise.de/-9775311
∗∗∗ WordPress: five plug-ins infiltrated with malware ∗∗∗
---------------------------------------------
IT security researchers have found the same injected malware in five WordPress plug-ins.
---------------------------------------------
https://heise.de/-9777207
=====================
= Vulnerabilities =
=====================
∗∗∗ WordPress 6.5.5 Security Release – What You Need to Know ∗∗∗
---------------------------------------------
WordPress Core 6.5.5 was released yesterday, on June 24, 2024. Contained within this release are three security fixes addressing two Cross-Site Scripting (XSS) vulnerabilities and one Windows-specific Directory Traversal vulnerability. Despite these vulnerabilities being medium-severity, the worst of them (specifically, the XSS vulnerabilities) can allow for site takeover by an authenticated, contributor-level user if successfully exploited.
---------------------------------------------
https://www.wordfence.com/blog/2024/06/wordpress-6-5-5-security-release-wha…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (python3.11), Debian (composer), Fedora (thunderbird), Mageia (chromium-browser-stable, python-aiohttp, python-gunicorn, python-werkzeug, and virtualbox), Oracle (libreswan and python3.11), Red Hat (git, kpatch-patch, python3.11, python3.9, and thunderbird), and SUSE (avahi, ghostscript, grafana and mybatis, hdf5, kernel, openssl-1_1-livepatches, python-docker, and wget).
---------------------------------------------
https://lwn.net/Articles/979606/
∗∗∗ Cloud Software Group Security Advisory for CVE-2024-3661 ∗∗∗
---------------------------------------------
This vulnerability may allow an attacker on the same local network as the victim to read, disrupt, or modify network traffic expected to be protected by the VPN. [..] CTX677069 Cloud Software Group Security Advisory for CVE-2024-3661 [..] Applicable Products : NetScaler, NetScaler Gateway
---------------------------------------------
https://support.citrix.com/article/CTX677069/cloud-software-group-security-…
∗∗∗ ABB: 2024-06-25: Cyber Security Advisory - ABB PCM600 Installer Vulnerability ∗∗∗
---------------------------------------------
https://search.abb.com/library/Download.aspx?DocumentID=2NGA002251&Language…
∗∗∗ ABB Ability System 800xA ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-177-01
∗∗∗ PTC Creo Elements/Direct License Server ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-177-02
=====================
= End-of-Day report =
=====================
Timeframe: Friday 21-06-2024 18:00 − Monday 24-06-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Ratel RAT targets outdated Android phones in ransomware attacks ∗∗∗
---------------------------------------------
An open-source Android malware named Ratel RAT is widely deployed by multiple cybercriminals to attack outdated devices, some aiming to lock them down with a ransomware module that demands payment on Telegram. [..] As for the targets, Check Point mentions successful targeting of high-profile organizations, including in government and the military sector, with most victims being from the United States, China, and Indonesia.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ratel-rat-targets-outdated-a…
∗∗∗ Supply Chain Attack on WordPress.org Plugins Leads to 5 Maliciously Compromised WordPress Plugins ∗∗∗
---------------------------------------------
On Monday June 24th, 2024 the Wordfence Threat Intelligence team became aware of a plugin, Social Warfare, that was injected with malicious code on June 22, 2024 based on a forum post by the WordPress.org Plugin Review team. [..] We then reached out to the WordPress plugins team to alert them about the four additional plugins but have not yet received a response, though it appears the plugins have been delisted. [..] At this stage, we know that the injected malware attempts to create a new administrative user account and then sends those details back to the attacker-controlled server.
---------------------------------------------
https://www.wordfence.com/blog/2024/06/supply-chain-attack-on-wordpress-org…
∗∗∗ Facebook PrestaShop module exploited to steal credit cards ∗∗∗
---------------------------------------------
Hackers are exploiting a flaw in a premium Facebook module for PrestaShop named pkfacebook to deploy a card skimmer on vulnerable e-commerce sites and steal people's payment card details. [..] Analysts at TouchWeb discovered the flaw on March 30, 2024, but Promokit.eu said the flaw was fixed "a long time ago," without providing any proof.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/facebook-prestashop-module-e…
∗∗∗ XZ backdoor: Hook analysis ∗∗∗
---------------------------------------------
In our first article on the XZ backdoor, we analyzed its code from initial infection to the function hooking it performs. As we mentioned then, its initial goal was to successfully hook one of the functions related to RSA key manipulation. In this article, we will focus on the backdoor’s behavior inside OpenSSH, specifically OpenSSH portable version 9.7p1 – the most recent version at this time.
---------------------------------------------
https://securelist.com/xz-backdoor-part-3-hooking-ssh/113007/
∗∗∗ Sysinternals Process Monitor Version 4 Released, (Sat, Jun 22nd) ∗∗∗
---------------------------------------------
These releases bring improvements to performance and the user interface.
---------------------------------------------
https://isc.sans.edu/diary/rss/31026
∗∗∗ Critical RCE Vulnerability Discovered in Ollama AI Infrastructure Tool ∗∗∗
---------------------------------------------
Cybersecurity researchers have detailed a now-patched security flaw affecting the Ollama open-source artificial intelligence (AI) infrastructure platform that could be exploited to achieve remote code execution. Tracked as CVE-2024-37032, the vulnerability has been codenamed Probllama by cloud security firm Wiz.
---------------------------------------------
https://thehackernews.com/2024/06/critical-rce-vulnerability-discovered.html
∗∗∗ Deye inverters: cloud account displays other customers' system and customer data ∗∗∗
---------------------------------------------
Quite a few balcony power plants and permanently installed solar systems in German buildings are likely to use inverters from the Chinese manufacturer Deye. [..] Back in May 2024 a reader confronted me with a different problem: he was able to view the system data of a person completely unknown to him. [..] The reader contacted the German branch [..] The response astonished the reader: when he pointed out the bug to the manufacturer, they doubted it. [..] Deye generously offered to help the affected person remove the second system from his user account.
---------------------------------------------
https://www.borncity.com/blog/2024/06/24/deye-wechselrichter-cloud-account-…
∗∗∗ Horror on the Vision Pro: exploit lets spiders and bats loose in the room ∗∗∗
---------------------------------------------
For the attack to succeed, the Vision Pro user merely has to open a specially crafted web page. The room then fills with creepy critters, sound included.
---------------------------------------------
https://www.golem.de/news/horror-auf-der-vision-pro-exploit-schleust-spinne…
=====================
= Vulnerabilities =
=====================
∗∗∗ Multiple Vulnerabilities allowing complete bypass in Faronics WINSelect (Standard + Enterprise) ∗∗∗
---------------------------------------------
The product WINSelect from Faronics is used to restrict the possible actions of users on a system and can even be used to implement a kiosk mode. Due to hardcoded credentials and an unfitting application architecture, an attacker could decrypt the configuration file and retrieve the password that is used to configure the software. Thus, an attacker could completely disable the software. [..] The vendor has provided a patched version 8.30.xx.903 since May 2024 [..] Since the hardcoded password for the encryption is not fixed, we asked if this will be addressed as well. The vendor responded that this will be addressed in a future release.
---------------------------------------------
https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (ipa and libreswan), Debian (netty), Fedora (python-PyMySQL, tomcat, and webkitgtk), Gentoo (Flatpak, GLib, JHead, LZ4, and RDoc), Mageia (thunderbird), Oracle (nghttp2 and thunderbird), Red Hat (dnsmasq, libreswan, pki-core, and python3.11), Slackware (emacs), SUSE (gnome-settings-daemon, libarchive, qpdf, vte, and wget), and Ubuntu (libhibernate3-java).
---------------------------------------------
https://lwn.net/Articles/979520/
∗∗∗ CosmicSting: vulnerability CVE-2024-34102 endangers Adobe Commerce and Magento shops ∗∗∗
---------------------------------------------
Since the middle of the month it has been known that the vulnerability CVE-2024-34102 exists in Adobe Commerce and Magento online shops. Combined with a Linux vulnerability, it allows attackers to take over thousands of shops. A fix has been available for a few days, but the majority of online shops are still running unpatched versions.
---------------------------------------------
https://www.borncity.com/blog/2024/06/24/cosmicsting-schwachstelle-cve-2024…
∗∗∗ Vulnerability Summary for the Week of June 17, 2024 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/bulletins/sb24-176
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 20-06-2024 18:00 − Friday 21-06-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Linux version of RansomHub ransomware targets VMware ESXi VMs ∗∗∗
---------------------------------------------
The RansomHub ransomware operation is using a Linux encryptor designed specifically to encrypt VMware ESXi environments in corporate attacks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/linux-version-of-ransomhub-r…
∗∗∗ Qilin: We knew our Synnovis attack would cause a healthcare crisis at London hospitals ∗∗∗
---------------------------------------------
The ransomware gang responsible for a healthcare crisis at London hospitals says it has no regrets about its cyberattack, which was entirely deliberate, it told The Register in an interview.
---------------------------------------------
https://www.theregister.com/2024/06/20/qilin_our_plan_was_to/
∗∗∗ LLMNR – the often forgotten gateway into the network ∗∗∗
---------------------------------------------
LLMNR is used for name resolution in local networks when no Domain Name System (DNS) is available, which nowadays is almost never the case. Since LLMNR contains no security mechanisms, it is very easy to abuse for attacks.
---------------------------------------------
https://www.syss.de/pentest-blog/llmnr-das-oft-vergessene-einfallstor-ins-n…
∗∗∗ My health data has been stolen. What now? ∗∗∗
---------------------------------------------
Health data remains a coveted target for hackers. If it falls into the wrong hands, for whatever reason, you should follow these steps to minimise the damage.
---------------------------------------------
https://www.welivesecurity.com/de/privatsphare/meine-gesundheitsdaten-wurde…
∗∗∗ SneakyChef espionage group targets government agencies with SugarGh0st and more infection techniques ∗∗∗
---------------------------------------------
Cisco Talos recently discovered an ongoing campaign from SneakyChef, a newly discovered threat actor using SugarGh0st malware, as early as August 2023.
---------------------------------------------
https://blog.talosintelligence.com/sneakychef-sugarghost-rat/
∗∗∗ Worldwide 2023 Email Phishing Statistics and Examples ∗∗∗
---------------------------------------------
Explore the need for going beyond built-in Microsoft 365 and Google Workspace™ security based on email threats detected in 2023.
---------------------------------------------
https://www.trendmicro.com/en_us/ciso/23/e/worldwide-email-phishing-stats-e…
∗∗∗ CISA Releases Guidance on Single Sign-On (SSO) Adoption for Small and Medium-Sized Businesses (SMBs) ∗∗∗
---------------------------------------------
Today, CISA released Barriers to Single Sign-On (SSO) Adoption for Small and Medium-Sized Businesses: Identifying Challenges and Opportunities, a detailed report exploring challenges to SSO adoption by small and medium-sized businesses (SMBs).
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/06/20/cisa-releases-guidance-s…
∗∗∗ Cybercrime: data leaks at Apple and T-Mobile, rumours of a Jira exploit ∗∗∗
---------------------------------------------
A well-known cybercriminal is trying to monetise internal data from Apple's and T-Mobile's holdings as well as malicious code for Jira. One company denies it.
---------------------------------------------
https://heise.de/-9771149
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (ghostscript and thunderbird), Debian (chromium, composer, libndp, and sendmail), Fedora (composer), Mageia (flatpak and python-scikit-learn), Red Hat (curl, ghostscript, and thunderbird), SUSE (hdf5 and opencc), and Ubuntu (gdb and php7.4, php8.1, php8.2, php8.3).
---------------------------------------------
https://lwn.net/Articles/979153/
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (firefox, ghostscript, idm:DL1, and thunderbird), Debian (php8.2 and putty), Mageia (chromium-browser-stable), Oracle (ghostscript and thunderbird), Red Hat (thunderbird), and SUSE (containerd, kernel, php-composer2, podofo, python-cryptography, and rmt-server).
---------------------------------------------
https://lwn.net/Articles/979257/
∗∗∗ 2024-06-21: Cyber Security Advisory - System 800xA SECURITY Advisory - ABB 800xA Base 6.0.x, 6.1.x CSLib communication DoS vulnerability ∗∗∗
---------------------------------------------
https://search.abb.com/library/Download.aspx?DocumentID=7PAA013309&Language…
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 19-06-2024 18:00 − Thursday 20-06-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ SolarWinds Serv-U path-traversal flaw actively exploited in attacks ∗∗∗
---------------------------------------------
Threat actors are actively exploiting a SolarWinds Serv-U path-traversal vulnerability, leveraging publicly available proof-of-concept (PoC) exploits. [..] The vulnerability, CVE-2024-28995, is a high-severity directory traversal flaw, allowing unauthenticated attackers to read arbitrary files from the filesystem by crafting specific HTTP GET requests. [..] SolarWinds released the 15.4.2 Hotfix 2, version 15.4.2.157, on June 5, 2024, to address this vulnerability by introducing improved validation mechanisms.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/solarwinds-serv-u-path-trave…
∗∗∗ No Excuses, Free Tools to Help Secure Authentication in Ubuntu Linux [Guest Diary], (Thu, Jun 20th) ∗∗∗
---------------------------------------------
Being in the IT and cybersecurity world, it seems the costs of controls keep going up and up. With all the new flashy tools coming out daily, it's easy to forget that there are tons of free tools that can be just as effective at stopping attacks.
---------------------------------------------
https://isc.sans.edu/diary/rss/31024
∗∗∗ Researchers Uncover UEFI Vulnerability Affecting Multiple Intel CPUs ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed details of a now-patched security flaw in Phoenix SecureCore UEFI firmware that affects multiple families of Intel Core desktop and mobile processors. Tracked as CVE-2024-0762 (CVSS score: 7.5), the "UEFIcanhazbufferoverflow" vulnerability has been described as a case of a buffer overflow stemming from the use of an unsafe variable in the Trusted Platform Module (TPM) configuration that could result in the execution of malicious code.
---------------------------------------------
https://thehackernews.com/2024/06/researchers-uncover-uefi-vulnerability.ht…
∗∗∗ Fickle Stealer Distributed via Multiple Attack Chain ∗∗∗
---------------------------------------------
This article summarizes the details of this campaign, roughly dividing the attack chain into three stages: Delivery, Preparatory Work, and Packer and Stealer Payload.
---------------------------------------------
https://feeds.fortinet.com/~/899735243/0/fortinet/blogs~Fickle-Stealer-Dist…
∗∗∗ A Traveler’s Guide to Cybersecurity ∗∗∗
---------------------------------------------
In this Q&A with Jonas Walker, a Security Strategist with Fortinet’s FortiGuard Labs, he offers his insight into how to stay safe and avoid attacks from threat actors while traveling in today’s cyber world.
---------------------------------------------
https://feeds.fortinet.com/~/701705230/0/fortinet/blogs~A-Traveler%e2%80%99…
∗∗∗ BSI warns of exploitable code-execution flaws in thousands of Exchange servers ∗∗∗
---------------------------------------------
The BSI writes that more than 18,000 Exchange servers expose an open Outlook Web Access and are vulnerable to one or even several code-execution vulnerabilities.
---------------------------------------------
https://heise.de/-9770441
=====================
= Vulnerabilities =
=====================
∗∗∗ D-Link: hidden backdoor discovered in 16 router models ∗∗∗
---------------------------------------------
Attackers can remotely activate the Telnet service of affected D-Link routers. The admin credentials also appear to be stored in the firmware.
---------------------------------------------
https://www.golem.de/news/d-link-versteckte-backdoor-in-16-routermodellen-e…
∗∗∗ Security vulnerabilities: attacks on Atlassian Confluence & Co. possible ∗∗∗
---------------------------------------------
Security vulnerabilities threaten several Atlassian applications. Attackers can trigger crashes or view data without authorisation. [..] According to an advisory, the developers have closed a total of nine vulnerabilities, all of which are rated with the threat level "high".
---------------------------------------------
https://heise.de/-9770453
∗∗∗ Arbitrary File Upload in edu-sharing (metaVentis GmbH) ∗∗∗
---------------------------------------------
https://sec-consult.com/vulnerability-lab/advisory/arbitrary-file-upload-in…
∗∗∗ Sonicwall: Heap-based buffer overflow vulnerability in SonicOS SSL-VPN ∗∗∗
---------------------------------------------
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0009
∗∗∗ Sonicwall: Stack-based buffer overflow vulnerability in SonicOS HTTP server ∗∗∗
---------------------------------------------
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0008
∗∗∗ CAREL Boss-Mini ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-172-02
∗∗∗ Westermo L210-F2G ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-172-03
∗∗∗ Yokogawa CENTUM ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-172-01
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 18-06-2024 18:00 − Wednesday 19-06-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ ONNX phishing service targets Microsoft 365 accounts at financial firms ∗∗∗
---------------------------------------------
A new phishing-as-a-service (PhaaS) platform called ONNX Store is targeting Microsoft 365 accounts for employees at financial firms using QR codes in PDF attachments.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/onnx-phishing-service-target…
∗∗∗ Re-moo-te Code Execution in Mailcow: Always Sanitize Error Messages ∗∗∗
---------------------------------------------
Mailcow is an easy-to-use email solution that can be set up in minutes. [..] In this blog post, we will cover the code intricacies that led to the vulnerabilities. We will first go over the details of the XSS vulnerability and then explore the Path Traversal flaw. We will also cover how the mailcow maintainers have tackled these issues and give advice on how to avoid such vulnerabilities in your code. [..] They have been fixed in mailcow 2024-04 and seem to have existed for at least three years.
---------------------------------------------
https://www.sonarsource.com/blog/remote-code-execution-in-mailcow-always-sa…
∗∗∗ Security vulnerability: phishers can send emails in Microsoft's name ∗∗∗
---------------------------------------------
The vulnerability makes it possible to send emails with, for example, security(a)microsoft.com as the sender. [..] According to a TechCrunch report, the spoofing only works when sending mail to Outlook accounts, which nevertheless affects several hundred million users worldwide. [..] For security reasons the researcher has not yet disclosed technical details. [..] When the spoofing problem will be fixed, however, remains open.
---------------------------------------------
https://www.golem.de/news/sicherheitsluecke-phisher-koennen-e-mails-im-name…
∗∗∗ Beware of fake BAWAG messages ∗∗∗
---------------------------------------------
Criminals are currently sending fraudulent SMS messages in the name of BAWAG. The messages claim that an IP address from Sweden has activated your app. If this was not you, you are asked to click on a link.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-gefaelschten-bawag-nach…
∗∗∗ IT security researchers warn of new attack technique via the clipboard ∗∗∗
---------------------------------------------
ClearFake is a malicious JavaScript framework deployed on compromised websites to spread further malware using drive-by download techniques. Victims receive an error message that pretends to come from a trusted source such as the operating system. It suggests a problem and at the same time provides a solution in the form of a PowerShell command that the victim only has to copy and execute.
---------------------------------------------
https://heise.de/-9768750
∗∗∗ 20 percent of Microsoft SQL Servers still running despite end of life ∗∗∗
---------------------------------------------
One fifth of SQL Server instances run outdated versions. From next month, with SQL Server 2014, it could even be one third.
---------------------------------------------
https://heise.de/-9769490
=====================
= Vulnerabilities =
=====================
∗∗∗ Juniper: On Demand: JSA Series: Multiple vulnerabilities resolved in Juniper Secure Analytics in 7.5.0 UP8 IF03 ∗∗∗
---------------------------------------------
Multiple vulnerabilities have been resolved in 7.5.0 UP8 IF03. These issues affect Juniper Networks Juniper Secure Analytics. Severity: Critical
---------------------------------------------
https://supportportal.juniper.net/s/article/On-Demand-JSA-Series-Multiple-v…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (container-tools, firefox, and flatpak), Debian (composer, roundcube, and thunderbird), Fedora (kitty and webkitgtk), Oracle (container-tools and flatpak), Red Hat (flatpak and java-1.8.0-ibm), SUSE (gdcm, gdk-pixbuf, libarchive, libzypp, zypper, ntfs-3g_ntfsprogs, openssl-1_1, openssl-3, podman, python-Werkzeug, and thunderbird), and Ubuntu (git, linux-hwe-6.5, mariadb, mariadb-10.6, and thunderbird).
---------------------------------------------
https://lwn.net/Articles/978907/
∗∗∗ Paradox IP150 Internet Module Cross-Site Request Forgery ∗∗∗
---------------------------------------------
The Paradox IP150 Internet Module in version 1.40.00 is vulnerable to Cross-Site Request Forgery (CSRF) attacks due to a lack of countermeasures and the use of the HTTP method `GET` to introduce changes in the system. [..] We are not aware of a vendor fix yet.
---------------------------------------------
https://github.com/sbaresearch/advisories/commit/9b61d7e591aa320b9ecedd6701…
∗∗∗ Multiple vulnerabilities in Ricoh Streamline NX PC Client ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN00442488/
∗∗∗ Multiple vulnerabilities in ID Link Manager and FUJITSU Software TIME CREATOR ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN65171386/
∗∗∗ Huawei: Security Advisory - Path Traversal Vulnerability in Huawei Home Music System ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2024/huawei-sa-ptvihhms-…
∗∗∗ Huawei: Security Advisory - Connection Hijacking Vulnerability in Some Huawei Home Routers ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2024/huawei-sa-chvishhr-…
=====================
= End-of-Day report =
=====================
Timeframe: Monday 17-06-2024 18:02 − Tuesday 18-06-2024 18:02
Handler: Michael Schlagenhaufer
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Hackers use F5 BIG-IP malware to stealthily steal data for years ∗∗∗
---------------------------------------------
A group of suspected Chinese cyberespionage actors named Velvet Ant are deploying custom malware on F5 BIG-IP appliances to gain a persistent connection to the internal network and steal data.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-use-f5-big-ip-malwar…
∗∗∗ Analysis of user password strength ∗∗∗
---------------------------------------------
Kaspersky experts conducted a study of password resistance to attacks that use brute force and smart guessing techniques.
---------------------------------------------
https://securelist.com/passworde-brute-force-time/112984/
∗∗∗ New Malware Targets Exposed Docker APIs for Cryptocurrency Mining ∗∗∗
---------------------------------------------
Cybersecurity researchers have uncovered a new malware campaign that targets publicly exposed Docker API endpoints with the aim of delivering cryptocurrency miners and other payloads.
---------------------------------------------
https://thehackernews.com/2024/06/new-malware-targets-exposed-docker-apis.h…
∗∗∗ From Clipboard to Compromise: A PowerShell Self-Pwn ∗∗∗
---------------------------------------------
Proofpoint has observed an increase in a technique leveraging unique social engineering that directs users to copy and paste malicious PowerShell scripts to infect their computers with malware.
---------------------------------------------
https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powe…
∗∗∗ Exfiltrate sensitive user data from apps on Android 12 and 13 using CVE-2024-0044 vulnerability ∗∗∗
---------------------------------------------
With physical access to an Android device that has ADB debugging enabled and runs Android 12 or 13 without the March 2024 security patch, it is possible to access the internal data of any user-installed app by abusing the CVE-2024-0044 vulnerability.
---------------------------------------------
https://www.mobile-hacker.com/2024/06/17/exfiltrate-sensitive-user-data-fro…
∗∗∗ Warning, fake: doouglasparfum.com ∗∗∗
---------------------------------------------
Professional-looking online shops posing as Douglas are currently offering brand-name perfumes at more than 50 percent off. Even the web addresses doouglasparfum.com and dougllas.com seem plausible at first glance. Anyone who buys from these fake shops, however, loses money and receives no goods.
---------------------------------------------
https://www.watchlist-internet.at/news/achtung-fake-doouglasparfumcom/
∗∗∗ Attack Paths Into VMs in the Cloud ∗∗∗
---------------------------------------------
Virtual machines (VMs) are a significant attack target. Focusing on three major CSPs, this research summarizes the conditions for possible VM attack paths.
---------------------------------------------
https://unit42.paloaltonetworks.com/cloud-virtual-machine-attack-vectors/
∗∗∗ Private Microsoft Outlook mail accounts to be better secured ∗∗∗
---------------------------------------------
A few days ago Microsoft announced that it intends to better secure "Outlook for private users" in the future.
---------------------------------------------
https://www.borncity.com/blog/2024/06/18/private-microsoft-outlook-mailkont…
∗∗∗ How are attackers trying to bypass MFA? ∗∗∗
---------------------------------------------
Exploring trends in how attackers are trying to manipulate and bypass MFA, as well as when and how attackers will try their push-spray MFA attacks.
---------------------------------------------
https://blog.talosintelligence.com/how-are-attackers-trying-to-bypass-mfa/
∗∗∗ Malvertising Campaign Leads to Execution of Oyster Backdoor ∗∗∗
---------------------------------------------
Rapid7 has observed a recent malvertising campaign that lures users into downloading malicious installers for popular software such as Google Chrome and Microsoft Teams.
---------------------------------------------
https://www.rapid7.com/blog/post/2024/06/17/malvertising-campaign-leads-to-…
∗∗∗ Cloaked and Covert: Uncovering UNC3886 Espionage Operations ∗∗∗
---------------------------------------------
Following the discovery of malware residing within ESXi hypervisors in September 2022, Mandiant began investigating numerous intrusions conducted by UNC3886, a suspected China-nexus cyber espionage actor that has targeted prominent strategic organizations on a global scale.
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886…
∗∗∗ CISA and Partners Release Guidance for Modern Approaches to Network Access Security ∗∗∗
---------------------------------------------
Today, CISA, in partnership with the Federal Bureau of Investigation (FBI), released guidance, Modern Approaches to Network Access Security.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/06/18/cisa-and-partners-releas…
∗∗∗ New Diamorphine rootkit variant seen undetected in the wild ∗∗∗
---------------------------------------------
Diamorphine is a well-known Linux kernel rootkit that supports different Linux kernel versions (2.6.x, 3.x, 4.x, 5.x and 6.x) and processor architectures (x86, x86_64 and ARM64). Briefly stated, when loaded, the module becomes invisible and hides all the files and folders starting with the magic prefix chosen by the attacker at compilation time.
---------------------------------------------
https://decoded.avast.io/davidalvarez/new-diamorphine-rootkit-variant-seen-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (php7.3), Fedora (galera, ghostscript, and mariadb), Mageia (cups, iperf, and libndp), Oracle (firefox and flatpak), Red Hat (container-tools:rhel8, Firefox, firefox, and flatpak), SUSE (booth, bouncycastle, firefox, ghostscript, less, libaom, openssl-1_1, openssl-3, podman, python-Authlib, python-requests, python-Werkzeug, webkit2gtk3, and xdg-desktop-portal), and Ubuntu (ghostscript, ruby-rack, ruby2.7, ruby3.0, ruby3.1, ruby3.2, and sssd).
---------------------------------------------
https://lwn.net/Articles/978804/
∗∗∗ Security updates: root vulnerability threatens VMware vCenter Server ∗∗∗
---------------------------------------------
Among others, two critical vulnerabilities threaten VMware's vCenter Server and Cloud Foundation.
---------------------------------------------
https://heise.de/-9767493
∗∗∗ Python-based exploit in Autodesk Maya software ∗∗∗
---------------------------------------------
https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0011
∗∗∗ Critical vulnerability CVE-2024-38428 in wget ∗∗∗
---------------------------------------------
https://www.borncity.com/blog/2024/06/18/kritische-schwachstelle-cve-2024-3…
∗∗∗ RAD Data Communications SecFlow-2 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-170-01
=====================
= End-of-Day report =
=====================
Timeframe: Friday 14-06-2024 18:00 − Monday 17-06-2024 18:02
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ New Linux malware is controlled through emojis sent from Discord ∗∗∗
---------------------------------------------
The malware is similar to many other backdoors/botnets used in different attacks, allowing threat actors to execute commands, take screenshots, steal files, deploy additional payloads, and search for files. However, its use of Discord and emojis as a command and control (C2) platform makes the malware stand out from others and could allow it to bypass security software that looks for text-based commands.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-linux-malware-is-control…
∗∗∗ New ARM TIKTAG attack impacts Google Chrome, Linux systems ∗∗∗
---------------------------------------------
A new speculative execution attack named "TIKTAG" targets ARM's Memory Tagging Extension (MTE) to leak data with over a 95% chance of success, allowing hackers to bypass the security feature. [..] Leaking those tags does not directly expose sensitive data such as passwords, encryption keys, or personal information. However, it can theoretically allow attackers to undermine the protections provided by MTE, rendering the security system ineffective against stealthy memory corruption attacks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-arm-tiktag-attack-impact…
∗∗∗ Ransomware Roundup – Shinra and Limpopo Ransomware ∗∗∗
---------------------------------------------
The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants.
---------------------------------------------
https://www.fortinet.com/blog/threat-research/ransomware-roundup-shinra-and…
∗∗∗ Ivanti Endpoint Manager: exploit for critical vulnerability surfaces ∗∗∗
---------------------------------------------
At the end of May, security vulnerabilities in Ivanti's Endpoint Manager (EPM), some of them critical, became known. IT security researchers have since published a proof-of-concept exploit for one of them.
---------------------------------------------
https://heise.de/-9765685
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (389-ds-base, buildah, c-ares, cockpit, containernetworking-plugins, fence-agents, gdk-pixbuf2, gvisor-tap-vsock, libreoffice, podman, python-idna, rpm-ostree, and ruby), Debian (atril, chromium, ffmpeg, libndp, libvpx, nano, plasma-workspace, pymongo, roundcube, sendmail, and thunderbird), Fedora (booth and thunderbird), Mageia (aom, atril, libvpx, nano, nss, firefox, and vte), Red Hat (linux-firmware), SUSE (bind, booth, mariadb, openssl-1_1, php7, php8, and webkit2gtk3), and Ubuntu (linux-azure, linux-azure-fde, linux-azure, linux-gke, and linux-nvidia-6.5).
---------------------------------------------
https://lwn.net/Articles/978709/
∗∗∗ Security updates: Attackers can compromise Asus routers ∗∗∗
---------------------------------------------
Several Asus Wi-Fi routers are vulnerable and attackers can gain access to them. Updates fix several security problems. [..] As the security section of the Asus website shows, the "critical" vulnerability (CVE-2024-3080) affects the Wi-Fi router models RT-AC68U, RT-AC86U, RT-AX57, RT-AX58U, RT-AX88U, XT8_V2 and XT8.
---------------------------------------------
https://heise.de/-9765067
∗∗∗ Nextcloud: Attackers can bypass two-factor authentication ∗∗∗
---------------------------------------------
The cloud service software Nextcloud is vulnerable. The developers have closed several security vulnerabilities in the current versions. [..] Two vulnerabilities in Nextcloud and Nextcloud Enterprise are considered the most dangerous. They allow attackers to extend the permissions of shares (CVE-2024-37882 "high") or to bypass two-factor authentication (CVE-2024-37313 "high"). The developers do not currently explain how such attacks could proceed.
---------------------------------------------
https://heise.de/-9766062
∗∗∗ Vulnerability Summary for the Week of June 10, 2024 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/bulletins/sb24-169
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 13-06-2024 18:00 − Friday 14-06-2024 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ 2023 Hacked Website & Malware Threat Report ∗∗∗
---------------------------------------------
This year, we’ve included new insights to highlight the most prevalent tactics and techniques observed in compromised web environments and remote scanners.
---------------------------------------------
https://blog.sucuri.net/2024/06/2023-hacked-website-malware-threat-report.h…
∗∗∗ How to Write Good Incident Response Reports ∗∗∗
---------------------------------------------
Creating an informative and readable report is among the many challenges of responding to cybersecurity incidents. A good report not only answers its readers' questions but also instills confidence in the response and enables the organization to learn from the incident. This blog highlights my advice on writing such incident reports.
---------------------------------------------
https://zeltser.com/good-incident-reports/
∗∗∗ Edge Devices: The New Frontier for Mass Exploitation Attacks ∗∗∗
---------------------------------------------
The increase in mass exploitation involving edge services and devices is likely to worsen.
---------------------------------------------
https://www.securityweek.com/edge-devices-the-new-frontier-for-mass-exploit…
∗∗∗ Microsoft president tells lawmakers red lines needed for nation-state attacks ∗∗∗
---------------------------------------------
Microsoft president Brad Smith testified before a congressional committee on Thursday, at times accepting responsibility for the company’s recent cybersecurity mistakes while simultaneously deflecting criticism of the tech giant’s practices. He also called on the government to create "consequences" for nation-state hackers who compromise U.S. systems.
---------------------------------------------
https://therecord.media/microsoft-president-brad-smith-lawmakers-cyber
∗∗∗ Windows 11 "Copilot+PC" ships (for now) without Recall ∗∗∗
---------------------------------------------
What a PR disaster for Microsoft: next week, devices built on the "Copilot+PC" concept are due to hit the market. But the most important feature, "Windows Recall", which Microsoft only recently praised to the skies as the "philosopher's stone of AI", will be missing. The recall of Recall has since become a meme making the rounds online. [..] Security, after all, has "top priority" at Microsoft, and this recall is said to be in the spirit of the Secure Future Initiative (SFI).
---------------------------------------------
https://www.borncity.com/blog/2024/06/14/windows-11-copilotpc-kommt-vorerst…
∗∗∗ Noodle RAT: Reviewing the Backdoor Used by Chinese-Speaking Groups ∗∗∗
---------------------------------------------
This blog entry provides an analysis of the Noodle RAT backdoor, which is likely being used by multiple Chinese-speaking groups engaged in espionage and other types of cybercrime.
---------------------------------------------
https://www.trendmicro.com/en_us/research/24/f/noodle-rat-reviewing-the-new…
∗∗∗ UNC3944 Targets SaaS Applications ∗∗∗
---------------------------------------------
UNC3944 is a financially motivated threat group that carries significant overlap with public reporting of "0ktapus," "Octo Tempest," "Scatter Swine," and "Scattered Spider," and has been observed adapting its tactics to include data theft from software-as-a-service (SaaS) applications to attacker-owned cloud storage objects (using cloud synchronization tools), persistence mechanisms against virtualization platforms, and lateral movement via SaaS permissions abuse.
---------------------------------------------
https://cloud.google.com/blog/topics/threat-intelligence/unc3944-targets-sa…
=====================
= Vulnerabilities =
=====================
∗∗∗ Nextcloud Security Advisories 2024-06-14 ∗∗∗
---------------------------------------------
2x High, 5x Moderate, 5x Low
---------------------------------------------
https://github.com/nextcloud/security-advisories/security?page=1
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (389-ds-base, bind, bind-dyndb-ldap, and dhcp, firefox, glibc, ipa, less, libreoffice, and thunderbird), Debian (cups), Fedora (chromium and cyrus-imapd), Mageia (golang and poppler), Oracle (bind, bind-dyndb-ldap, and dhcp, gvisor-tap-vsock, python-idna, and ruby), Red Hat (dnsmasq and expat), SUSE (libaom, php8, podman, python-pymongo, python-scikit-learn, and tiff), and Ubuntu (h2database and vte2.91).
---------------------------------------------
https://lwn.net/Articles/978418/
∗∗∗ Security Vulnerabilities fixed in Firefox ESR 115.12 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2024-28/
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 12-06-2024 18:00 − Thursday 13-06-2024 18:00
Handler: Alexander Riepl
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Microsoft Patch Tuesday June 2024 - CVE-2024-30080, CVE-2024-30078 ∗∗∗
---------------------------------------------
As part of the current Patch Tuesday, Microsoft has released patches for 58 security vulnerabilities. Two vulnerabilities stand out from the list: CVE-2024-30080, a remote code execution in Microsoft Message Queuing (MSMQ) [..] CVE-2024-30078, a remote code execution in the "Windows Wi-Fi Driver".
---------------------------------------------
https://www.cert.at/de/aktuelles/2024/6/microsoft-patchday-juni-2024-cve-20…
∗∗∗ Do not contact the customer service of Austrian companies via kunden-support.tel! ∗∗∗
---------------------------------------------
Are you looking for the contact details of your bank's or mobile provider's customer service? Do you have a question for Österreichische Post or need to reach Wiener Stadtwerke? If you search the internet for the contact details of one of these or many other companies in order to call customer support, you might come across the site kunden-support.tel. This site runs ads on Google and claims to list the contact details of various Austrian customer services. But beware! Criminals are behind it!
---------------------------------------------
https://www.watchlist-internet.at/news/kundenservice-oesterreichischer-unte…
∗∗∗ Cinterion EHS5 3G UMTS/HSPA Module Research ∗∗∗
---------------------------------------------
In the course of the modem security analysis, we found seven locally exploitable vulnerabilities and one remotely exploitable vulnerability. The combination of these vulnerabilities could allow an attacker to gain complete control over the modem. [..] All discovered vulnerabilities have been reported to the vendor. Some of them have not been addressed by the vendor so far, as product support has been discontinued.
---------------------------------------------
https://ics-cert.kaspersky.com/publications/cinterion-ehs5-3g-umts-hspa-mod…
∗∗∗ Phishing emails abuse Windows search protocol to push malicious scripts ∗∗∗
---------------------------------------------
A new phishing campaign uses HTML attachments that abuse the Windows search protocol (search-ms URI) to push batch files hosted on remote servers that deliver malware. [..] In June 2022, security researchers devised a potent attack chain that also exploited a Microsoft Office flaw to launch searches directly from Word documents. Trustwave SpiderLabs researchers now report that this technique is used in the wild by threat actors who are using HTML attachments to launch Windows searches on attackers' servers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/phishing-emails-abuse-window…
∗∗∗ Fortinet: CVE 2024-21754: Passwords on a Silver Platter ∗∗∗
---------------------------------------------
Matthias Barkhausen and Hendrik Eckardt have discovered a flaw in the firmware of Fortinet firewalls. This flaw potentially reveals sensitive information to attackers, such as passwords. [..] The flaw has been responsibly disclosed to the vendor. It has been addressed in FortiOS v7.4.4, dated June 11, 2024. [..] Learn more details and read the full story on the blog of G DATA Advanced Analytics.
---------------------------------------------
https://www.gdatasoftware.com/blog/2024/01/37834-passwords-on-a-silver-plat…
∗∗∗ Cybercriminals Employ PhantomLoader to Distribute SSLoad Malware ∗∗∗
---------------------------------------------
The nascent malware known as SSLoad is being delivered by means of a previously undocumented loader called PhantomLoader, according to findings from cybersecurity firm Intezer. [..] The attack chains typically involve the use of an MSI installer that, when launched, initiates the infection sequence. Specifically, it leads to the execution of PhantomLoader, a 32-bit DLL written in C/C++ that masquerades as a DLL module for an antivirus software called 360 Total Security ("MenuEx.dll").
---------------------------------------------
https://thehackernews.com/2024/06/cybercriminals-employ-phantomloader-to.ht…
∗∗∗ New Attack Technique Sleepy Pickle Targets Machine Learning Models ∗∗∗
---------------------------------------------
The security risks posed by the Pickle format have once again come to the fore with the discovery of a new "hybrid machine learning (ML) model exploitation technique" dubbed Sleepy Pickle. [..] While pickle is a widely used serialization format by ML libraries like PyTorch, it can be used to carry out arbitrary code execution attacks simply by loading a pickle file (i.e., during deserialization).
---------------------------------------------
https://thehackernews.com/2024/06/new-attack-technique-sleepy-pickle.html
∗∗∗ Digital job offers: Looked for a job, found a scam ∗∗∗
---------------------------------------------
An annual salary of 90,000 euros, home office and 30 days of vacation for an entry-level position as Junior Data Analyst: that sounds too good to be true, doesn't it? It is: such job offers often turn out to be scams.
---------------------------------------------
https://www.welivesecurity.com/de/scams/digitale-stellenangebote-job-gesuch…
∗∗∗ Watch Out! CISA Warns It Is Being Impersonated By Scammers ∗∗∗
---------------------------------------------
The US Cybersecurity and Infrastructure Security Agency (CISA) has warned that scammers are impersonating its employees in an attempt to commit fraud.
---------------------------------------------
https://www.tripwire.com/state-of-security/watch-out-cisa-warns-it-being-im…
∗∗∗ Malware ranking: Androxgh0st botnet is spreading in Germany ∗∗∗
---------------------------------------------
The malware, active since April, already reaches second place in May. Lockbit is recovering from the law enforcement measures and again accounts for 33 percent of published ransomware attacks worldwide.
---------------------------------------------
https://www.zdnet.de/88416444/malware-ranking-androxgh0st-botnet-breitet-si…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security vulnerability: The VLC Media Player is attackable ∗∗∗
---------------------------------------------
A specially crafted MMS stream can crash the VLC player. According to VideoLAN, code execution is potentially possible as well. [..] All VLC versions up to and including 3.0.20 are vulnerable.
---------------------------------------------
https://www.golem.de/news/sicherheitsluecke-der-vlc-media-player-ist-angrei…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr), Fedora (nginx-mod-modsecurity, php, and tomcat), Mageia (strongswan), Oracle (389-ds-base, buildah, c-ares, cockpit, containernetworking-plugins, fence-agents, firefox, gdk-pixbuf2, idm:DL1, ipa, kernel, libreoffice, podman, rpm-ostree, and thunderbird), Red Hat (dnsmasq and nghttp2), Slackware (mozilla), SUSE (curl, firefox, kernel, kernel-firmware-nvidia-gspx-G06, nvidia-open-driver-G06-signed, openssl-3, and python-Pillow), and Ubuntu (libmatio, libndp, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux-oem-6.5, and virtuoso-opensource).
---------------------------------------------
https://lwn.net/Articles/978291/
∗∗∗ CISA Adds Three Known Exploited Vulnerabilities to Catalog ∗∗∗
---------------------------------------------
CVE-2024-32896 Android Pixel Privilege Escalation Vulnerability,
CVE-2024-26169 Microsoft Windows Error Reporting Service Improper Privilege Management Vulnerability,
CVE-2024-4358 Progress Telerik Report Server Authentication Bypass by Spoofing Vulnerability
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/06/13/cisa-adds-three-known-ex…
∗∗∗ Google fixed an actively exploited zero-day in the Pixel Firmware ∗∗∗
---------------------------------------------
https://securityaffairs.com/164500/security/google-fixed-pixel-firmware-zer…
∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (June 3, 2024 to June 9, 2024) ∗∗∗
---------------------------------------------
https://www.wordfence.com/blog/2024/06/wordfence-intelligence-weekly-wordpr…
∗∗∗ Palo Alto: CVE-2024-5908 GlobalProtect App: Encrypted Credential Exposure via Log Files (Severity: MEDIUM) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2024-5908
∗∗∗ Palo Alto: CVE-2024-5909 Cortex XDR Agent: Local Windows User Can Disable the Agent (Severity: MEDIUM) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2024-5909
∗∗∗ Palo Alto: CVE-2024-5906 Prisma Cloud Compute: Stored Cross-Site Scripting (XSS) Vulnerability in the Web Interface (Severity: MEDIUM) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2024-5906
∗∗∗ Palo Alto: CVE-2024-5907 Cortex XDR Agent: Local Privilege Escalation (PE) Vulnerability (Severity: MEDIUM) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2024-5907
∗∗∗ Fuji Electric Tellus Lite V-Simulator ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-165-14
∗∗∗ Rockwell Automation FactoryTalk View SE ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-165-18
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 11-06-2024 18:00 − Wednesday 12-06-2024 18:00
Handler: Alexander Riepl
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Vulnerability in Windows: Attackers can inject malicious code via Wi-Fi ∗∗∗
---------------------------------------------
An attacker only needs to be within Wi-Fi range of the target system to execute malicious code. All common Windows versions are affected.
---------------------------------------------
https://www.golem.de/news/schwachstelle-in-windows-angreifer-koennen-per-wl…
∗∗∗ JetBrains warns of IntelliJ IDE bug exposing GitHub access tokens ∗∗∗
---------------------------------------------
JetBrains warned customers to patch a critical vulnerability that impacts users of its IntelliJ integrated development environment (IDE) apps and exposes GitHub access tokens.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/jetbrains-warns-of-intellij-…
∗∗∗ New backdoor BadSpace delivered by high-ranking infected websites ∗∗∗
---------------------------------------------
Imagine visiting your favorite website with the same address that you always use and it tells you that your browser needs an update. After downloading and executing the update, there's an unwelcome surprise: the ..
---------------------------------------------
https://www.gdatasoftware.com/blog/2024/06/37947-badspace-backdoor
∗∗∗ Intelligence service reveals: Chinese hackers penetrate 20,000 Fortinet systems ∗∗∗
---------------------------------------------
According to the Dutch NCSC, the targets of the cyberattacks are Western governments, diplomatic institutions and the defense industry.
---------------------------------------------
https://www.golem.de/news/geheimdienst-deckt-auf-china-hacker-dringen-in-20…
∗∗∗ Microsoft Patch Tuesday June 2024, (Tue, Jun 11th) ∗∗∗
---------------------------------------------
Microsoft's June 2024 update fixes a total of 58 vulnerabilities. 7 of these vulnerabilities are associated with Chromium and Microsoft's Brave browser. Only one vulnerability is rated critical. One of the vulnerabilities had been disclosed before today.
---------------------------------------------
https://isc.sans.edu/diary/Microsoft+Patch+Tuesday+June+2024/31000
∗∗∗ Black Basta Ransomware May Have Exploited MS Windows Zero-Day Flaw ∗∗∗
---------------------------------------------
Threat actors linked to the Black Basta ransomware may have exploited a recently disclosed privilege escalation flaw in the Microsoft Windows Error Reporting Service as a zero-day, according to new findings from ..
---------------------------------------------
https://thehackernews.com/2024/06/black-basta-ransomware-may-have.html
∗∗∗ Adobe Plugs Code Execution Holes in After Effects, Illustrator ∗∗∗
---------------------------------------------
Patch Tuesday: Adobe fixes critical flaws and warns of the risk of code execution attacks on Windows and macOS platforms.
---------------------------------------------
https://www.securityweek.com/adobe-plugs-code-execution-holes-in-after-effe…
∗∗∗ Affects iOS and macOS: Attackers can initiate FaceTime calls via mail ∗∗∗
---------------------------------------------
The discoverer of the vulnerability claims it is very easy to exploit. Even an active Lockdown Mode could not block the unwanted calls.
---------------------------------------------
https://www.golem.de/news/betrifft-ios-und-macos-angreifer-koennen-per-mail…
∗∗∗ Ransomware Group Exploits PHP Vulnerability Days After Disclosure ∗∗∗
---------------------------------------------
The TellYouThePass ransomware gang started exploiting a recent code execution flaw in PHP days after public disclosure.
---------------------------------------------
https://www.securityweek.com/ransomware-group-exploits-php-vulnerability-da…
∗∗∗ GitHub Paid Out Over $4 Million via Bug Bounty Program ∗∗∗
---------------------------------------------
The code hosting platform GitHub has paid out more than $4 million since the launch of its bug bounty program 10 years ago.
---------------------------------------------
https://www.securityweek.com/github-paid-out-over-4-million-via-bug-bounty-…
∗∗∗ The Evolution of QR Code Phishing: ASCII-Based QR Codes ∗∗∗
---------------------------------------------
Quishing is a rapidly evolving threat. Starting around August, when we saw the first rapid increase, we’ve also seen a change in the type of QR code attacks. It started with standard MFA authentication requests. It then evolved to conditional routing and custom targeting. Now, we’re seeing another evolution, into the manipulation of ..
---------------------------------------------
https://blog.checkpoint.com/harmony-email/the-evolution-of-qr-code-phishing…
∗∗∗ Ukrainian police identify suspected affiliate of Conti, LockBit groups ∗∗∗
---------------------------------------------
Ukrainian cyber police say they have identified a local hacker affiliated with the notorious Conti and LockBit ..
---------------------------------------------
https://therecord.media/ukraine-suspected-lockbit-conti-affiliate
=====================
= Vulnerabilities =
=====================
∗∗∗ DSA-5707-1 vlc - security update ∗∗∗
---------------------------------------------
https://lists.debian.org/debian-security-announce/2024/msg00117.html
∗∗∗ ZDI-24-579: Apple macOS PPM Image Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-24-579/
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/978136/
∗∗∗ XenServer and Citrix Hypervisor Security Update for CVE-2024-5661 ∗∗∗
---------------------------------------------
https://support.citrix.com/article/CTX677100/xenserver-and-citrix-hyperviso…
=====================
= End-of-Day report =
=====================
Timeframe: Monday 10-06-2024 18:00 − Tuesday 11-06-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Gitloker attacks abuse GitHub notifications to push malicious OAuth apps ∗∗∗
---------------------------------------------
Threat actors impersonate GitHub's security and recruitment teams in phishing attacks to hijack repositories using malicious OAuth apps in an ongoing extortion campaign that wipes compromised repos.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/gitloker-attacks-abuse-githu…
∗∗∗ Arm warns of actively exploited flaw in Mali GPU kernel drivers ∗∗∗
---------------------------------------------
Arm has issued a security bulletin warning of a memory-related vulnerability in Bifrost and Valhall GPU kernel drivers that is being exploited in the wild.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/arm-warns-of-actively-exploi…
∗∗∗ QR code SQL injection and other vulnerabilities in a popular biometric terminal ∗∗∗
---------------------------------------------
The report analyzes the security properties of a popular biometric access control terminal made by ZkTeco and describes vulnerabilities found in it.
---------------------------------------------
https://securelist.com/biometric-terminal-vulnerabilities/112800/
∗∗∗ A Brief History of SmokeLoader, Part 1 ∗∗∗
---------------------------------------------
In May 2024, Zscaler ThreatLabz technical analysis of SmokeLoader supported an international law enforcement action known as Operation Endgame, which remotely disinfected tens of thousands of infections. In the process of providing assistance to law enforcement for the operation, ThreatLabz has documented SmokeLoader for nearly all known versions. In this two-part blog series, we explore the evolution of SmokeLoader.
---------------------------------------------
https://www.zscaler.com/blogs/security-research/brief-history-smokeloader-p…
∗∗∗ "Hi Mum/Hi Dad" messages target personal photos ∗∗∗
---------------------------------------------
Be careful if your child suddenly writes from an unknown number and claims this is now their new number. Criminals who want to steal your money are behind it. In addition, "your child" asks you to send personal photos. These are presumably abused by the criminals for further scams.
---------------------------------------------
https://www.watchlist-internet.at/news/hallo-mama-hallo-papa-nachrichten-zi…
∗∗∗ Enumerating System Management Interrupts ∗∗∗
---------------------------------------------
System Management Interrupts (SMI) provide a mechanism for entering System Management Mode (SMM) which primarily implements platform-specific functions related to power management. SMM is a privileged execution mode with access to the complete physical memory of the system, and to which the operating system has no visibility.
---------------------------------------------
https://research.nccgroup.com/2024/06/10/enumerating-system-management-inte…
∗∗∗ BIOS update 01.17.00 renders HP ProBook 445 G7 and 455 G7 completely unusable ∗∗∗
---------------------------------------------
Hewlett Packard (HP) has released a broken BIOS version that turns notebooks of the HP ProBook 445 G7 and 455 G7 models from 2020 into expensive paperweights. [..] This BIOS 01.17.00 update is supposed to close a critical security vulnerability, and the Support Assistant accordingly listed it as a critical update that should be installed as quickly as possible.
---------------------------------------------
https://www.borncity.com/blog/2024/06/11/bios-update-01-17-00-macht-hp-prob…
=====================
= Vulnerabilities =
=====================
∗∗∗ Netgear WNR614 flaws allow device takeover, no fix available ∗∗∗
---------------------------------------------
Researchers found half a dozen vulnerabilities of varying severity impacting Netgear WNR614 N300, a budget-friendly router that proved popular among home users and small businesses.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/netgear-wnr614-flaws-allow-d…
∗∗∗ (0Day) Microsoft Windows Incorrect Permission Assignment Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows local attackers to disclose sensitive information or to create a denial-of-service condition on affected installations of Microsoft Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. Furthermore, the vulnerable behavior occurs only in certain hardware configurations. [..] Mitigation: Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the application.
---------------------------------------------
https://www.zerodayinitiative.com/advisories/ZDI-24-598/
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (ruby:3.3), Fedora (efifs, libvirt, podman-tui, prometheus-podman-exporter, and strongswan), Red Hat (firefox, idm:DL1, ipa, nghttp2, and thunderbird), SUSE (aws-nitro-enclaves-cli, cdi-apiserver-container, cdi-cloner-container, cdi-controller-container, cdi-importer-container, cdi-operator-container, cdi-uploadproxy-container, cdi-uploadserver-container, containerized-data-importer, frr, glibc, go1.21, go1.22, gstreamer-plugins-base, kernel, kernel-firmware-nvidia-gspx-G06, nvidia-open-driver-G06-signed, libxml2, mariadb, poppler, python-Brotli, python-docker, python-idna, rmt-server, skopeo, sssd, unbound, unrar, util-linux, and webkit2gtk3), and Ubuntu (giflib, libphp-adodb, linux-gkeop, linux-gkeop-5.15, linux-kvm, linux-laptop, linux-oem-6.8, nodejs, and tiff).
---------------------------------------------
https://lwn.net/Articles/977939/
∗∗∗ CVE-2024-28995: Trivially Exploitable Information Disclosure Vulnerability in SolarWinds Serv-U ∗∗∗
---------------------------------------------
On June 5, 2024, SolarWinds disclosed CVE-2024-28995, a high-severity directory traversal vulnerability affecting the Serv-U file transfer server. Successful exploitation of the vulnerability allows unauthenticated attackers to read sensitive files on the host.
---------------------------------------------
https://www.rapid7.com/blog/post/2024/06/11/etr-cve-2024-28995-trivially-ex…
∗∗∗ SAP delivers security fixes for two high-risk vulnerabilities on patch day ∗∗∗
---------------------------------------------
SAP warns of ten new security vulnerabilities for the June patch day. Updates to seal the leaks are available.
---------------------------------------------
https://heise.de/-9757338
∗∗∗ Avast Antivirus: Attackers can escalate privileges through vulnerability ∗∗∗
---------------------------------------------
Due to a security vulnerability, Avast Antivirus allowed malicious actors to escalate their privileges on the system. Updated software is available and should ideally already have been distributed via the automatic update mechanism. The list of security advisories from Norton (Avast, Avira, AVG and Norton Security products are now grouped under this Gen Digital Inc. brand) contains nothing about this vulnerability, but NortonLifeLock, acting as CNA, has created a corresponding CVE entry.
---------------------------------------------
https://heise.de/-9757748
∗∗∗ Citrix: XenServer and Citrix Hypervisor Security Update for CVE-2024-5661 ∗∗∗
---------------------------------------------
https://support.citrix.com/article/CTX677100/xenserver-and-citrix-hyperviso…
∗∗∗ Mozilla: Security Vulnerabilities fixed in Firefox 127 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2024-25/
∗∗∗ Phoenix Contact: Unbounded growth of OpenSSL session cache in multiple FL MGUARD devices ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2024-029/
∗∗∗ Mitsubishi Electric CC-Link IE TSN Industrial Managed Switch ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-158-03
∗∗∗ AVEVA PI Asset Framework Client ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-163-03
∗∗∗ AVEVA PI Web API ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-163-02
∗∗∗ Rockwell Automation ControlLogix, GuardLogix, and CompactLogix ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-163-01
∗∗∗ Intrado 911 Emergency Gateway ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-163-04
∗∗∗ MicroDicom DICOM Viewer ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-163-01
∗∗∗ SSA-900277 V1.0: MODEL File Parsing Vulnerability in Tecnomatix Plant Simulation before V2302.0012 and V2024.0001 ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-900277.html
∗∗∗ SSA-879734 V1.0: Multiple Vulnerabilities in SCALANCE XM-400/XR-500 before V6.6.1 ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-879734.html
∗∗∗ SSA-771940 V1.0: X_T File Parsing Vulnerabilities in Teamcenter Visualization and JT2Go ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-771940.html
∗∗∗ SSA-690517 V1.0: Multiple Vulnerabilities in SCALANCE W700 802.11 AX Family ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-690517.html
∗∗∗ SSA-625862 V1.0: Multiple Vulnerabilities in Third-Party Components in SIMATIC CP 1542SP-1 and CP 1543SP-1 before V2.3 ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-625862.html
∗∗∗ SSA-620338 V1.0: Buffer Overflow Vulnerability in SICAM AK3 / BC / TM ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-620338.html
∗∗∗ SSA-540640 V1.0: Improper Privilege Management Vulnerability in Mendix Runtime ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-540640.html
∗∗∗ SSA-481506 V1.0: Information Disclosure Vulnerability in SIMATIC S7-200 SMART Devices ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-481506.html
∗∗∗ SSA-341067 V1.0: Multiple vulnerabilities in third-party components in ST7 ScadaConnect before V1.1 ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-341067.html
∗∗∗ SSA-337522 V1.0: Multiple Vulnerabilities in TIM 1531 IRC before V2.4.8 ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-337522.html
∗∗∗ SSA-319319 V1.0: Denial of Service Vulnerability in TIA Administrator ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-319319.html
∗∗∗ SSA-238730 V1.0: Out-of-Bounds Write Vulnerabilities in SITOP UPS1600 before V2.5.4 ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-238730.html
∗∗∗ SSA-196737 V1.0: Multiple Vulnerabilities in SINEC Traffic Analyzer before V1.2 ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-196737.html
∗∗∗ SSA-024584 V1.0: Authentication Bypass Vulnerability in PowerSys before V3.11 ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-024584.html
∗∗∗ Fortinet: Blind SQL Injection ∗∗∗
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-24-128
∗∗∗ Fortinet: Buffer overflow in fgfmd ∗∗∗
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-24-036
∗∗∗ Fortinet: FortiOS/FortiProxy - XSS in reboot page ∗∗∗
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-23-471
∗∗∗ Fortinet: FortiSOAR is vulnerable to sql injection in Event Auth API via uuid parameter ∗∗∗
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-23-495
∗∗∗ Fortinet: Multiple buffer overflows in diag npu command ∗∗∗
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-23-460
∗∗∗ Fortinet: Stack buffer overflow on bluetooth write feature ∗∗∗
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-23-356
∗∗∗ Fortinet: TunnelVision - CVE-2024-3661 ∗∗∗
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-24-170
∗∗∗ Fortinet: Weak key derivation for backup file ∗∗∗
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-23-423
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Friday 07-06-2024 18:00 − Monday 10-06-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ How We Cover Your Back ∗∗∗
---------------------------------------------
As a national CERT, one of our extremely important tasks is to proactively inform network operators about potential or confirmed security issues that could affect Austrian companies. Initially, I intended to discuss the technical changes in our systems, but I believe it's better to start by explaining what we actually do and how we help you sleep well at night — though you should never rely solely on us!
---------------------------------------------
https://www.cert.at/en/blog/2024/6/how-we-cover-your-back
∗∗∗ Exploit for critical Veeam auth bypass available, patch now ∗∗∗
---------------------------------------------
A proof-of-concept (PoC) exploit for a Veeam Backup Enterprise Manager authentication bypass flaw tracked as CVE-2024-29849 is now publicly available, making it urgent that admins apply the latest security updates.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/exploit-for-critical-veeam-a…
∗∗∗ DDoS attacks target EU political parties as elections begin ∗∗∗
---------------------------------------------
Hacktivists are conducting DDoS attacks on European political parties that represent and promote strategies opposing their interests, according to a report by Cloudflare.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ddos-attacks-target-eu-polit…
∗∗∗ Malicious VSCode extensions with millions of installs discovered ∗∗∗
---------------------------------------------
A group of Israeli researchers explored the security of the Visual Studio Code marketplace and managed to "infect" over 100 organizations by trojanizing a copy of the popular 'Dracula Official' theme to include risky code. Further research into the VSCode Marketplace found thousands of extensions with millions of installs.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/malicious-vscode-extensions-…
∗∗∗ Bypassing 2FA with phishing and OTP bots ∗∗∗
---------------------------------------------
Explaining how scammers use phishing and OTP bots to gain access to accounts protected with 2FA.
---------------------------------------------
https://securelist.com/2fa-phishing/112805/
∗∗∗ Attacker Probing for New PHP Vulnerability CVE-2024-4577, (Sun, Jun 9th) ∗∗∗
---------------------------------------------
Our honeypots have detected the first probes for CVE-2024-4577. [..] watchTowr Labs says PHP is only vulnerable if used in CGI mode in Chinese and Japanese locales. According to Orange Tsai, other locales may be vulnerable as well.
---------------------------------------------
https://isc.sans.edu/diary/rss/30994
∗∗∗ LightSpy Spyware's macOS Variant Found with Advanced Surveillance Capabilities ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed that the LightSpy spyware allegedly targeting Apple iOS users is in fact a previously undocumented macOS variant of the implant. [..] The attack chain begins with the exploitation of CVE-2018-4233, a Safari WebKit flaw, via rogue HTML pages to trigger code execution, leading to the delivery of a 64-bit Mach-O binary that masquerades as a PNG image file.
---------------------------------------------
https://thehackernews.com/2024/06/lightspy-spywares-macos-variant-found.html
∗∗∗ Technical Analysis of the Latest Variant of ValleyRAT ∗∗∗
---------------------------------------------
ValleyRAT is a remote access trojan (RAT) that was initially documented in early 2023. Its main objective is to infiltrate and compromise systems, providing remote attackers with unauthorized access and control over infected machines. ValleyRAT is commonly distributed through phishing emails or malicious downloads. In the latest version, ValleyRAT introduced new commands, such as capturing screenshots, process filtering, forced shutdown, and clearing Windows event logs.
---------------------------------------------
https://www.zscaler.com/blogs/security-research/technical-analysis-latest-v…
=====================
= Vulnerabilities =
=====================
∗∗∗ Veeam Recovery Orchestrator Vulnerability (CVE-2024-29855) ∗∗∗
---------------------------------------------
A vulnerability (CVE-2024-29855) in Veeam Recovery Orchestrator (VRO) version 7.0.0.337 allows an attacker to access the VRO web UI with administrative privileges. Note: The attacker must know the exact username and role of an account that has an active VRO UI access token to accomplish the hijack.
---------------------------------------------
https://www.veeam.com/kb4585
∗∗∗ Nvidia Patches High-Severity GPU Driver Vulnerabilities ∗∗∗
---------------------------------------------
The GPU driver updates, rolling out as versions R555, R550, R535, and R470, resolve a total of five security defects, three of which are rated ‘high severity’ and two rated ‘medium severity’, Nvidia’s advisory reveals. The most severe of these flaws, tracked as CVE-2024-0090, could allow attackers to execute arbitrary code, access or tamper with data, escalate privileges, or cause a denial-of-service (DoS) condition.
---------------------------------------------
https://www.securityweek.com/nvidia-patches-high-severity-gpu-driver-vulner…
∗∗∗ Critical PyTorch Vulnerability Can Lead to Sensitive AI Data Theft ∗∗∗
---------------------------------------------
A critical vulnerability in the PyTorch distributed RPC framework could be exploited for remote code execution. Impacting the distributed RPC (Remote Procedure Call) framework of PyTorch and tracked as CVE-2024-5480, the issue exists because the framework does not verify the functions called during RPC operations.
---------------------------------------------
https://www.securityweek.com/critical-pytorch-vulnerability-can-lead-to-sen…
∗∗∗ tenable: [R1] Security Center Version 6.4.0 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
A stored cross-site scripting vulnerability exists in Tenable Security Center where an authenticated, remote attacker could inject HTML code into a web application scan result page (CVE-2024-1891). An improper privilege management vulnerability exists in Tenable Security Center where an authenticated, remote attacker could view unauthorized objects and launch scans without having the required privileges (CVE-2024-5759).
---------------------------------------------
https://www.tenable.com/security/tns-2024-10
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (galera and mariadb10.11), Mageia (0-plugins-base and plasma-workspace), Oracle (ruby:3.1 and ruby:3.3), Red Hat (bind, bind-dyndb-ldap, and dhcp), SUSE (apache2, glib2, libvirt, openssl-1_1, openssl-3, opera, python-Jinja2, python-requests, and squid), and Ubuntu (linux, linux-gcp, linux-gcp-5.15, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-xilinx-zynqmp, linux, linux-gcp, linux-gcp-6.5, linux-lowlatency, linux-lowlatency-hwe-6.5, linux-raspi, linux, linux-ibm, linux-lowlatency, linux-raspi, linux-aws, linux-gcp, linux-azure, linux-azure-6.5, linux-starfive, linux-starfive-6.5, and linux-gke, linux-ibm, linux-intel-iotg, linux-oracle).
---------------------------------------------
https://lwn.net/Articles/977789/
∗∗∗ Vulnerability Summary for the Week of June 3, 2024 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/bulletins/sb24-162
∗∗∗ Canon: CPE2024-003 – uniFLOW Online Device Registration Susceptible To Compromise – 10 June 2024 ∗∗∗
---------------------------------------------
https://www.canon-europe.com/support/product-security-latest-news/
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 06-06-2024 18:00 − Friday 07-06-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Alexander Riepl
=====================
= News =
=====================
∗∗∗ Security vulnerability (CVE-2024-4577) for remote code execution discovered in PHP-CGI / XAMPP ∗∗∗
---------------------------------------------
A security vulnerability (CVE-2024-4577) has been discovered in PHP-CGI that allows attackers to execute arbitrary code on affected servers remotely and without authentication. The vulnerability affects PHP installations on Windows systems and allows attackers, using specific character sequences, to bypass the protection of an earlier ..
---------------------------------------------
https://www.cert.at/de/aktuelles/2024/6/sicherheitslucke-cve-2024-4577-fur-…
∗∗∗ New Fog ransomware targets US education sector via breached VPNs ∗∗∗
---------------------------------------------
A new ransomware operation named Fog launched in early May 2024, using compromised VPN credentials to breach the networks of educational organizations in the U.S.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-fog-ransomware-targets-u…
∗∗∗ Hackers exploit 2018 ThinkPHP flaws to install ‘Dama’ web shells ∗∗∗
---------------------------------------------
Chinese threat actors are targeting ThinkPHP applications vulnerable to CVE-2018-20062 and CVE-2019-9082 to install a persistent web shell named Dama.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-exploit-2018-thinkph…
∗∗∗ Ukraine says hackers abuse SyncThing tool to steal data ∗∗∗
---------------------------------------------
The Computer Emergency Response Team of Ukraine (CERT-UA) reports about a new campaign dubbed "SickSync," launched by the UAC-0020 (Vermin) hacking group in attacks on the Ukrainian ..
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ukraine-says-hackers-abuse-s…
∗∗∗ In Bad Company: JScript RAT and CobaltStrike ∗∗∗
---------------------------------------------
Remote Access Trojans (RATs) that are based in JScript are gaining traction. We have looked at a recent example that emerged in mid-May. It turns out that this RAT has some companions on the way that we are familiar with.
---------------------------------------------
https://feeds.feedblitz.com/~/899072462/0/gdatasecurityblog-en~In-Bad-Compa…
∗∗∗ Attack wave: hacker deletes GitHub repos and demands ransom ∗∗∗
---------------------------------------------
For contact, the attacker refers victims to Telegram. He poses as a "cyber incident analyst" and claims to have created a backup.
---------------------------------------------
https://www.golem.de/news/angriffswelle-hacker-loescht-github-repos-und-for…
∗∗∗ Commando Cat Cryptojacking Attacks Target Misconfigured Docker Instances ∗∗∗
---------------------------------------------
The threat actor known as Commando Cat has been linked to an ongoing cryptojacking attack campaign that leverages poorly secured Docker instances to deploy cryptocurrency miners for financial gain.
---------------------------------------------
https://thehackernews.com/2024/06/commando-cat-cryptojacking-attacks.html
∗∗∗ POC exploit code published for 9.8-rated Apache HugeGraph RCE flaw ∗∗∗
---------------------------------------------
You upgraded when this was fixed in April, right? Right?? If you haven't yet upgraded to version 1.3.0 of Apache HugeGraph, now's a good time because at least two proof-of-concept exploits for a CVSS 9.8-rated remote command execution bug ..
---------------------------------------------
www.theregister.com/2024/06/07/poc_apache_hugegraph/
∗∗∗ Ethical hacker releases tool to exploit Microsoft's Recall AI, says it's not rocket science ∗∗∗
---------------------------------------------
Recall AI hasn't launched yet but it's already a target.
---------------------------------------------
https://www.zdnet.com/article/ethical-hacker-says-his-windows-11-recall-ai-…
∗∗∗ Ransomware: hackers attack predominantly outside working hours ∗∗∗
---------------------------------------------
The share is around 76 percent. Ransomware activity is also increasing significantly.
---------------------------------------------
https://www.zdnet.de/88416372/ransomware-hacker-greifen-ueberwiegend-ausser…
∗∗∗ CERT-Bund warns of vulnerability WID-SEC-2024-131 in Microsoft Azure ∗∗∗
---------------------------------------------
A reader pointed me to a warning from CERT-Bund (BSI) dated 7 June 2024 about a vulnerability in Microsoft Azure. The BSI rates this vulnerability with a CVSS score of 10.0, because it ..
---------------------------------------------
https://www.borncity.com/blog/2024/06/07/cert-bund-warnt-vor-schwachstelle-…
∗∗∗ Howling at the Inbox: Sticky Werewolf's Latest Malicious Aviation Attacks ∗∗∗
---------------------------------------------
Morphisec Labs has been monitoring increased activity associated with Sticky Werewolf, a group suspected to have geopolitical and/or hacktivist ties. While the group’s geographical origin and home base remain unclear, recent attack techniques suggest espionage and data exfiltration intent.
---------------------------------------------
https://blog.morphisec.com/sticky-werewolfs-aviation-attacks
∗∗∗ Patch now! Exploit code for critical vulnerability in Apache HugeGraph in circulation ∗∗∗
---------------------------------------------
For security reasons, admins should promptly bring Apache's graph-building tool HugeGraph up to date.
---------------------------------------------
https://heise.de/-9751687
∗∗∗ Research team: heart implant patients need to learn more about cyber risks ∗∗∗
---------------------------------------------
With better technological capabilities, the risk of a cyberattack on heart implants also rises, says a research team, calling for more awareness.
---------------------------------------------
https://heise.de/-9752245
∗∗∗ Blocked out: anti-spam blocklist SORBS has been shut down ∗∗∗
---------------------------------------------
With the DNS blocklist, founder Michelle Sullivan had sought to protect the internet from spam since 2001. The reasons for the shutdown are vague, and a successor is unclear.
---------------------------------------------
https://heise.de/-9752366
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
https://lwn.net/Articles/977442/
∗∗∗ MISP 2.4.193 released with many bugs fixed, API improvements and security fixes ∗∗∗
---------------------------------------------
https://github.com/MISP/MISP/releases/tag/v2.4.193
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 05-06-2024 18:00 − Thursday 06-06-2024 18:00
Handler: Alexander Riepl
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Qilin ransomware gang linked to attack on London hospitals ∗∗∗
---------------------------------------------
A ransomware attack that hit pathology services provider Synnovis on Monday and impacted several major NHS hospitals in London has now been linked to the Qilin ransomware operation.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/qilin-ransomware-gang-linked…
∗∗∗ Linux version of TargetCompany ransomware focuses on VMware ESXi ∗∗∗
---------------------------------------------
Researchers observed a new Linux variant of the TargetCompany ransomware family that targets VMware ESXi environments using a custom shell script to deliver and execute payloads.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/linux-version-of-targetcompa…
∗∗∗ Brute Force Attacks Against Watchguard VPN Endpoints, (Wed, Jun 5th) ∗∗∗
---------------------------------------------
If you have a pulse and work in information security (or are a new scraping script without a pulse), you have probably seen reports of attacks against VPN endpoints. Running any VPN without strong authentication has been negligent for years, but in recent times, ransomware gangs, in particular, picked them off pretty quickly.
---------------------------------------------
https://isc.sans.edu/diary/rss/30984
∗∗∗ Malicious Python Script with a "Best Before" Date, (Thu, Jun 6th) ∗∗∗
---------------------------------------------
The script's purpose is classic: it fetches a payload from a remote site, injects it into memory and starts a new thread. Such payloads are usually related to Cobalt Strike.
---------------------------------------------
https://isc.sans.edu/diary/rss/30988
∗∗∗ Hackers Target Python Developers with Fake "Crytic-Compilers" Package on PyPI ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered a malicious Python package uploaded to the Python Package Index (PyPI) repository that's designed to deliver an information stealer called Lumma (aka LummaC2).
---------------------------------------------
https://thehackernews.com/2024/06/hackers-target-python-developers-with.html
∗∗∗ Prevent Account Takeover with Better Password Security ∗∗∗
---------------------------------------------
Tom works for a reputable financial institution. He has a long, complex password that would be near-impossible to guess. He’s memorized it by heart, so he started using it for his social media accounts and on his personal devices too. Unbeknownst to Tom, one of these sites has had its password database compromised by hackers and put it up for sale on the dark web.
---------------------------------------------
https://thehackernews.com/2024/06/prevent-account-takeover-with-better.html
∗∗∗ 7-year-old Oracle WebLogic bug under active exploitation ∗∗∗
---------------------------------------------
Experts say Big Red will probably re-release patch in an upcoming cycle.
---------------------------------------------
https://www.theregister.com/2024/06/06/oracle_weblogic_vulnerability_exploi…
∗∗∗ Exploitation of Recent Check Point VPN Zero-Day Soars ∗∗∗
---------------------------------------------
GreyNoise has observed a rapid increase in the number of exploitation attempts targeting a recent Check Point VPN zero-day.
---------------------------------------------
https://www.securityweek.com/exploitation-of-recent-check-point-vpn-zero-da…
∗∗∗ Ransomware: FBI has access to 7,000 LockBit keys and gives victims hope ∗∗∗
---------------------------------------------
The fight against LockBit is still ongoing. Thanks to seized keys, further victims should now be able to access their data again.
---------------------------------------------
https://heise.de/-9749844
=====================
= Vulnerabilities =
=====================
∗∗∗ 2024-06-04: Cyber Security Advisory - KNX Secure Devices FDSK Leak and replay attack ∗∗∗
---------------------------------------------
https://search.abb.com/library/Download.aspx?DocumentID=9AKK108464A0803&Lan…
∗∗∗ Cisco Finesse Web-Based Management Interface Vulnerabilities ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Vulnerabilities Patched in Kiuwan Code Security Products After Long Disclosure Process ∗∗∗
---------------------------------------------
https://www.securityweek.com/vulnerabilities-patched-in-kiuwan-code-securit…
∗∗∗ Emerson Ovation ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-158-02
∗∗∗ Mitsubishi Electric CC-Link IE TSN Industrial Managed Switch ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-158-03
∗∗∗ Emerson PACSystem and Fanuc ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-158-01
∗∗∗ Johnson Controls Software House iStar Pro Door Controller ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-158-04
∗∗∗ K000139901: PyYAML vulnerability CVE-2017-18342 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000139901
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 04-06-2024 18:00 − Wednesday 05-06-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ New V3B phishing kit targets customers of 54 European banks ∗∗∗
---------------------------------------------
Cybercriminals are promoting a new phishing kit named V3B on Telegram, which currently targets customers of 54 major financial institutes in Ireland, the Netherlands, Finland, Austria, Germany, France, Belgium, Greece, Luxembourg, and Italy.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-v3b-phishing-kit-targets…
∗∗∗ Cisco Webex: thousands of video conferences of ministries could be eavesdropped on ∗∗∗
---------------------------------------------
A security vulnerability in Cisco Webex allowed attackers to eavesdrop on online meetings. Recent research shows that the list of those affected is long.
---------------------------------------------
https://www.golem.de/news/cisco-webex-tausende-videokonferenzen-von-ministe…
∗∗∗ Authentication: Microsoft's NTLM is now officially deprecated ∗∗∗
---------------------------------------------
However, the authentication protocol is still used in many apps and workgroups. Microsoft recommends Kerberos.
---------------------------------------------
https://www.golem.de/news/authentifizierung-microsofts-ntlm-ist-nun-offizie…
∗∗∗ Cross-Execute Your Linux Binaries, Don’t Cross-Compile Them ∗∗∗
---------------------------------------------
Lolbins? Where we’re going, we don’t need lolbins.
---------------------------------------------
https://research.nccgroup.com/2024/06/05/cross-execute-your-linux-binaries-…
∗∗∗ Beware of e-mails about outstanding debts in the name of supposed customers ∗∗∗
---------------------------------------------
Criminals send e-mails to companies, posing as their customers. They ask whether there are currently any outstanding receivables. If so, the corresponding invoices are to be sent. Do not reply to these e-mails.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-e-mail-zu-ausstehenden-…
∗∗∗ RansomHub: New Ransomware has Origins in Older Knight ∗∗∗
---------------------------------------------
Emergent operation has grown quickly to become one of the most prolific ransomware threats.
---------------------------------------------
https://symantec-enterprise-blogs.security.com/threat-intelligence/ransomhu…
∗∗∗ Threat Actors’ Systems Can Also Be Exposed and Used by Other Threat Actors ∗∗∗
---------------------------------------------
Types of cyberattack include not only Advanced Persistent Threat (APT) attacks targeting a few specific companies or organizations but also scan attacks targeting multiple random servers connected to the Internet. This means that the infrastructures of threat actors can become the targets of cyberattack alongside companies, organizations, and personal users.
---------------------------------------------
https://asec.ahnlab.com/en/66372/
∗∗∗ DarkGate switches up its tactics with new payload, email templates ∗∗∗
---------------------------------------------
Cisco Talos is actively tracking a recent increase in activity from malicious email campaigns containing a suspicious Microsoft Excel attachment that, when opened, infected the victim's system with the DarkGate malware.
---------------------------------------------
https://blog.talosintelligence.com/darkgate-remote-template-injection/
∗∗∗ Muhstik Malware Targets Message Queuing Services Applications ∗∗∗
---------------------------------------------
Aqua Nautilus discovered a new campaign of Muhstik malware targeting message queuing services applications, specifically the Apache RocketMQ platform.
---------------------------------------------
https://blog.aquasec.com/muhstik-malware-targets-message-queuing-services-a…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (deepin-qt5integration, deepin-qt5platform-plugins, dotnet8.0, dwayland, fcitx-qt5, fcitx5-qt, gammaray, kddockwidgets, keepassxc, kf5-akonadi-server, kf5-frameworkintegration, kf5-kwayland, plasma-integration, python-qt5, qadwaitadecorations, qgnomeplatform, qt5, qt5-qt3d, qt5-qtbase, qt5-qtcharts, qt5-qtconnectivity, qt5-qtdatavis3d, qt5-qtdeclarative, qt5-qtdoc, qt5-qtgamepad, qt5-qtgraphicaleffects, qt5-qtimageformats, qt5-qtlocation, [...]
---------------------------------------------
https://lwn.net/Articles/977233/
∗∗∗ TikTok: zero-day vulnerability enabled takeover of celebrity and brand accounts ∗∗∗
---------------------------------------------
Due to a zero-day vulnerability, TikTok accounts could be taken over via a direct message.
---------------------------------------------
https://heise.de/-9748177
∗∗∗ Patch Day: attacks on devices with Android 12, 13 and 14 possible ∗∗∗
---------------------------------------------
Important security updates close several vulnerabilities in various Android versions.
---------------------------------------------
https://heise.de/-9748243
∗∗∗ 40,000 WordPress Sites affected by Vulnerability That Leads to Privilege Escalation in Login/Signup Popup WordPress Plugin ∗∗∗
---------------------------------------------
https://www.wordfence.com/blog/2024/06/40000-wordpress-sites-affected-by-vu…
=====================
= End-of-Day report =
=====================
Timeframe: Monday 03-06-2024 18:00 − Tuesday 04-06-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Beware of fraudulent sites about the Digital Euro and Bundesschatz! ∗∗∗
---------------------------------------------
Watchlist Internet is currently receiving mass reports of e-mails that announce a digital euro pilot programme in the name of the Oesterreichische Nationalbank. They advertise "unique return opportunities" and feign seriousness and trustworthiness by pointing to a cooperation between bundesschatz.at and the European Central Bank.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-betruegerischen-seiten-…
∗∗∗ Azure Service Tags tagged as security risk, Microsoft disagrees ∗∗∗
---------------------------------------------
Security researchers at Tenable discovered what they describe as a high-severity vulnerability in Azure Service Tags that could allow attackers to access customers' private data. [..] Tenable's Liv Matan explained that threat actors can use the vulnerability to craft malicious SSRF-like web requests to impersonate trusted Azure services and bypass firewall rules based on Azure Service Tags, often used to secure Azure services and sensitive data without authentication checks.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/azure-service-tags-tagged-a…
∗∗∗ PoC for Progress Telerik RCE chain released (CVE-2024-4358, CVE-2024-1800) ∗∗∗
---------------------------------------------
Security researchers have published a proof-of-concept (PoC) exploit that chains together two vulnerabilities (CVE-2024-4358, CVE-2024-1800) to achieve unauthenticated remote code execution on Progress Telerik Report Servers. Telerik Report Server is a centralized enterprise platform for report creation, management, storage and delivery/distribution. [..] It was reported by an anonymous researcher and fixed earlier this year by Progress Software.
---------------------------------------------
https://www.helpnetsecurity.com/2024/06/04/cve-2024-4358-cve-2024-1800-poc/
∗∗∗ Details of Atlassian Confluence RCE Vulnerability Disclosed ∗∗∗
---------------------------------------------
Successful exploitation of the bug, however, requires that the attacker has the privileges required for adding new macro languages, and to upload a malicious language file using the ‘Add a new language’ function in the ‘Configure Code Macro’ section. According to Atlassian, which rolled out patches for the vulnerability a couple of weeks ago, the issue was introduced in Confluence version 5.2.
---------------------------------------------
https://www.securityweek.com/details-of-atlassian-confluence-rce-vulnerabil…
∗∗∗ Current phishing wave at Hetzner (June 2024) ∗∗∗
---------------------------------------------
It is claimed that the domain is no longer accessible because there was a problem with a payment attempt. The aim is to harvest the victim's payment information. Anyone hosting with Hetzner could potentially fall for it.
---------------------------------------------
https://www.borncity.com/blog/2024/06/04/aktuelle-phishingwelle-bei-hetzner…
∗∗∗ 122 gigabytes of personal user data leaked via the Telegram messenger ∗∗∗
---------------------------------------------
Security researchers have compiled a large archive of personal data from Telegram channels. In addition to e-mail addresses, it also contains passwords. [..] According to a report, the archive was passed to the operator of the online service Have I Been Pwned (HIBP). The service collects data leaked in cyberattacks. There, one can check anonymously, for instance by entering one's own e-mail address, whether one appears in a data leak.
---------------------------------------------
https://heise.de/-9746825
=====================
= Vulnerabilities =
=====================
∗∗∗ SolarWinds IT management platform attackable via several routes ∗∗∗
---------------------------------------------
As an announcement for the current patched version 2024.2 shows, the developers have closed three vulnerabilities in the management platform at once (CVE-2024-28996 "high", CVE-2024-28999 "medium", CVE-2024-29004 "high"). Among other things, attackers can use them to mount a persistent XSS attack. In that case they can execute their own code when the web console is opened. However, an attacker needs high user privileges beforehand, and a victim must also play along.
---------------------------------------------
https://heise.de/-9747340
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Mageia (chromium-browser-stable, git, libreoffice, microcode, python-requests, webkit2, and wireshark), Oracle (container-tools:ol8, glibc, go-toolset:ol8, idm:DL1 and idm:client, less, python39:3.9 and python39-devel:3.9, ruby:3.0, and virt:ol and virt-devel:rhel), Red Hat (nodejs, nodejs:18, python-idna, and ruby:3.1), and SUSE (389-ds, ffmpeg, ffmpeg-4, gnutls, gstreamer-plugins-base, libhtp, mariadb104, poppler, python-python-jose, squid, and unbound).
---------------------------------------------
https://lwn.net/Articles/976977/
∗∗∗ Zyxel security advisory for multiple vulnerabilities in NAS products ∗∗∗
---------------------------------------------
Due to the critical severity of vulnerabilities CVE-2024-29972, CVE-2024-29973, and CVE-2024-29974, Zyxel has made patches available to customers with extended support as outlined in the table below, despite the products already having reached end-of-vulnerability-support*.
---------------------------------------------
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-…
∗∗∗ CODESYS: Vulnerability can cause a DoS on CODESYS OPC UA products ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2024-026/
∗∗∗ CODESYS: Vulnerability in multiple products through exposure of resource to wrong sphere ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2024-027/
∗∗∗ Uniview NVR301-04S2-P4 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-156-01
=====================
= End-of-Day report =
=====================
Timeframe: Friday 31-05-2024 18:00 − Monday 03-06-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Security agency warns: Linux kernel vulnerability is being actively exploited ∗∗∗
---------------------------------------------
The US cybersecurity agency CISA recently issued a warning about active exploitation of a vulnerability in the Linux kernel. The vulnerability is registered as CVE-2024-1086 and allows attackers with local access to a vulnerable system to escalate their privileges and thereby gain root access.
---------------------------------------------
https://www.golem.de/news/sicherheitsbehoerde-warnt-schwachstelle-im-linux-…
∗∗∗ Researcher Uncovers Flaws in Cox Modems, Potentially Impacting Millions ∗∗∗
---------------------------------------------
Now-patched authorization bypass issues impacting Cox modems could have been abused as a starting point to gain unauthorized access to the devices and run malicious commands.
---------------------------------------------
https://thehackernews.com/2024/06/researcher-uncovers-flaws-in-cox-modems.h…
∗∗∗ PoC Published for Exploited Check Point VPN Vulnerability ∗∗∗
---------------------------------------------
PoC code targeting a recent Check Point VPN zero-day has been released as Censys identifies 14,000 internet-accessible appliances.
---------------------------------------------
https://www.securityweek.com/poc-published-for-exploited-check-point-vpn-vu…
∗∗∗ Resilience isn't enough, NATO must be proactive for cyberdefense, warns official ∗∗∗
---------------------------------------------
NATO allies need to allow their militaries to be proactive in cyberspace to ensure the alliance isn't affected by a cyberattack that could disrupt the deployment of forces if a conflict was to occur, Christian-Marc Lifländer, the head of NATO's cyber and hybrid policy section, warned on Friday.
---------------------------------------------
https://therecord.media/nato-resilience-cyberdefense-liflander-cycon
∗∗∗ CISA Adds One Known Exploited Vulnerability to Catalog ∗∗∗
---------------------------------------------
CVE-2017-3506 Oracle WebLogic Server OS Command Injection Vulnerability
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/06/03/cisa-adds-one-known-expl…
∗∗∗ Hacks at Santander and Ticketmaster via Snowflake accounts ∗∗∗
---------------------------------------------
This week, hacks of Santander Bank and the ticket vendor Ticketmaster became known. In both hacks, user data was captured on a large scale and is now being sold in underground forums. The story becomes explosive because these hacks were apparently made possible via compromised user accounts at the cloud provider Snowflake.
---------------------------------------------
https://www.borncity.com/blog/2024/06/01/hacks-bei-santander-und-ticketmast…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by AlmaLinux (python39:3.9 and python39-devel:3.9 and ruby:3.0), Debian (chromium, gst-plugins-base1.0, and kernel), Fedora (chromium, glances, glycin-loaders, gnome-tour, helix, helvum, kitty, libarchive, libipuz, librsvg2, loupe, maturin, ntpd-rs, plasma-workspace, and a huge list of Rust-based packages due to a "mini-mass-rebuild" that updated the toolchain to Rust 1.78 and picked up fixes for various pieces), Mageia (gifsicle, netatalk, openssl, python-jinja2, and unbound), Red Hat (kernel and kernel-rt), SUSE (bind, glibc, gstreamer-plugins-base, squid, and tiff), and Ubuntu (glibc).
---------------------------------------------
https://lwn.net/Articles/976782/
∗∗∗ Security update: Malicious code attacks on Autodesk AutoCAD possible ∗∗∗
---------------------------------------------
Autodesk's CAD products Advance Steel, Civil 3D and AutoCAD are vulnerable. The security risk is rated high. [..] In all cases, attackers must slip specially crafted files (e.g. X_B or CARPTODUCT) to victims.
---------------------------------------------
https://heise.de/-9745419
∗∗∗ 2024-06-03: Cyber Security Advisory - ABB WebPro SNMP card PowerValue Cross-Site Scripting (XSS) vulnerability ∗∗∗
---------------------------------------------
https://search.abb.com/library/Download.aspx?DocumentID=2CMT006108&Language…
∗∗∗ ifm: moneo password reset can be exploited ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2024-028/
∗∗∗ Vulnerability Summary for the Week of May 27, 2024 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/bulletins/sb24-155
∗∗∗ Baxter Welch Allyn Connex Spot Monitor ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-151-02