- Daily - CERT.at

Tageszusammenfassung - 22.03.2024
by Daily end-of-shift report 22 Mar '24

22 Mar '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 21-03-2024 18:00 − Freitag 22-03-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Windows 11, Tesla, and Ubuntu Linux hacked at Pwn2Own Vancouver ∗∗∗ --------------------------------------------- On the first day of Pwn2Own Vancouver 2024, contestants demoed 19 zero-day vulnerabilities in Windows 11, Tesla, Ubuntu Linux and other devices and software to win $732,500 and a Tesla Model 3 car. --------------------------------------------- https://www.bleepingcomputer.com/news/security/windows-11-tesla-and-ubuntu-… ∗∗∗ Darknet marketplace Nemesis Market seized by German police ∗∗∗ --------------------------------------------- The German police have seized infrastructure for the darknet Nemesis Market cybercrime marketplace in Germany and Lithuania, disrupting the sites operation. --------------------------------------------- https://www.bleepingcomputer.com/news/security/darknet-marketplace-nemesis-… ∗∗∗ Mit gefälschten Keycards: Hacker können weltweit Millionen von Hoteltüren öffnen ∗∗∗ --------------------------------------------- Mehr als drei Millionen Türen in Hotels und Mehrfamilienhäusern sind anfällig für Angriffe mit gefälschten RFID-Schlüsselkarten. Teure Spezialausrüstung braucht es dafür nicht. --------------------------------------------- https://www.golem.de/news/mit-gefaelschten-keycards-hacker-koennen-weltweit… ∗∗∗ Whois "geofeed" Data, (Thu, Mar 21st) ∗∗∗ --------------------------------------------- Attributing a particular IP address to a specific location is hard and often fails miserably. --------------------------------------------- https://isc.sans.edu/diary/rss/30766 ∗∗∗ Unterstützungsmail im Namen von Marlene Engelhorn ist Fake! ∗∗∗ --------------------------------------------- Derzeit kursieren zahlreiche E-Mails im Namen der österreichischen Millionärin Marlene Engelhorn: Angeblich will sie mit einem Teil ihres Erbes „aufstrebende Unternehmer und lokale Projekte“ unterstützen. Achtung: Hinter dieser E-Mail stecken Kriminelle. Antworten Sie daher auf keinen Fall. --------------------------------------------- https://www.watchlist-internet.at/news/fake-marlene-engelhorn/ ∗∗∗ Large-Scale StrelaStealer Campaign in Early 2024 ∗∗∗ --------------------------------------------- We unravel the details of two large-scale StrelaStealer campaigns from 2023 and 2024. This email credential stealer has a new variant delivered through zipped JScript. --------------------------------------------- https://unit42.paloaltonetworks.com/strelastealer-campaign/ ∗∗∗ “Pig butchering” is an evolution of a social engineering tactic we’ve seen for years ∗∗∗ --------------------------------------------- In the case of pig butchering scams, it’s not really anything that can be solved by a cybersecurity solution or sold in a package. --------------------------------------------- https://blog.talosintelligence.com/threat-source-newsletter-march-21-2024/ ∗∗∗ Sicherheit contra Offenheit – ein Kommentar zu Secure Boot ∗∗∗ --------------------------------------------- Secure Boot ist kompliziert, frickelig und wird von Microsoft dominiert. Stattdessen brauchen wir offene sichere Systeme, meint Christof Windeck. --------------------------------------------- https://heise.de/-9659071 ===================== = Vulnerabilities = ===================== ∗∗∗ KDE advises extreme caution after theme wipes Linux users files ∗∗∗ --------------------------------------------- On Wednesday, the KDE team warned Linux users to exercise "extreme caution" when installing global themes, even from the official KDE Store, because these themes run arbitrary code on devices to customize the desktops appearance. --------------------------------------------- https://www.bleepingcomputer.com/news/linux/kde-advises-extreme-caution-aft… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr, pillow, and thunderbird), Fedora (apptainer, chromium, ovn, and webkitgtk), Mageia (apache-mod_auth_openidc, ffmpeg, fontforge, libuv, and nodejs-tough-cookie), Oracle (kernel, libreoffice, postgresql-jdbc, ruby:3.1, squid, and squid:4), Red Hat (go-toolset:rhel8 and libreoffice), SUSE (firefox, jbcrypt, trilead-ssh2, jsch-agent-proxy, kernel, tiff, and zziplib), and Ubuntu (linux-aws and openssl1.0). --------------------------------------------- https://lwn.net/Articles/966415/ ∗∗∗ Bringing Access Back — Initial Access Brokers Exploit F5 BIG-IP (CVE-2023-46747) and ScreenConnect ∗∗∗ --------------------------------------------- During the course of an intrusion investigation in late October 2023, Mandiant observed novel N-day exploitation of CVE-2023-46747 affecting F5 BIG-IP Traffic Management User Interface. Additionally, in February 2024, we observed exploitation of Connectwise ScreenConnect CVE-2024-1709 by the same actor. --------------------------------------------- https://www.mandiant.com/resources/blog/initial-access-brokers-exploit-f5-s… ∗∗∗ Microsoft schließt Sicherheitslücke in Xbox-Gaming-Dienst – nach Hickhack ∗∗∗ --------------------------------------------- Microsoft hat ein Sicherheitsleck im Xbox Gaming Service abgedichtet. Dem ging jedoch eine Diskussion voraus. --------------------------------------------- https://heise.de/-9662746 ∗∗∗ Kritische Sicherheitslücke in FortiClientEMS wird angegriffen ∗∗∗ --------------------------------------------- Eine kritische Schwachstelle in FortiClientEMS wird inzwischen aktiv angegriffen. Zudem ist ein Proof-of-Concept-Exploit öffentlich geworden. --------------------------------------------- https://heise.de/-9662866 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.03.2024
by Daily end-of-shift report 21 Mar '24

21 Mar '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 20-03-2024 18:00 − Donnerstag 21-03-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Unpatchable vulnerability in Apple chip leaks secret encryption keys ∗∗∗ --------------------------------------------- A newly discovered vulnerability baked into Apple’s M-series of chips allows attackers to extract secret keys from Macs when they perform widely used cryptographic operations, academic researchers have revealed in a paper published Thursday. --------------------------------------------- https://arstechnica.com/?p=2011812 ∗∗∗ Spa Grand Prix email account hacked to phish banking info from fans ∗∗∗ --------------------------------------------- Hackers hijacked the official contact email for the Belgian Grand Prix event and used it to lure fans to a fake website promising a €50 gift voucher. --------------------------------------------- https://www.bleepingcomputer.com/news/security/spa-grand-prix-email-account… ∗∗∗ Evasive Sign1 malware campaign infects 39,000 WordPress sites ∗∗∗ --------------------------------------------- A previously unknown malware campaign called Sign1 has infected over 39,000 websites over the past six months, causing visitors to see unwanted redirects and popup ads. [..] While Sucuri's client was breached through a brute force attack, Sucuri has not shared how the other detected sites were compromised. However, based on previous WordPress attacks, it probably involves a combination of brute force attacks and exploiting plugin vulnerabilities to gain access to the site. --------------------------------------------- https://www.bleepingcomputer.com/news/security/evasive-sign1-malware-campai… ∗∗∗ AndroxGh0st Malware Targets Laravel Apps to Steal Cloud Credentials ∗∗∗ --------------------------------------------- Cybersecurity researchers have shed light on a tool referred to as AndroxGh0st thats used to target Laravel applications and steal sensitive data. [..] Earlier this January, U.S. cybersecurity and intelligence agencies warned of attackers deploying the AndroxGh0st malware to create a botnet for "victim identification and exploitation in target networks." --------------------------------------------- https://thehackernews.com/2024/03/androxgh0st-malware-targets-laravel.html ∗∗∗ Vulnerability Allowed One-Click Takeover of AWS Service Accounts ∗∗∗ --------------------------------------------- The vulnerability, named FlowFixation by Tenable, has been patched by AWS and it can no longer be exploited, but the security company pointed out that its research uncovered a wider problem that may again emerge in the future. --------------------------------------------- https://www.securityweek.com/vulnerability-allowed-one-click-takeover-of-aw… ∗∗∗ Betrügerische Europol-SMS führt zu Schadsoftware ∗∗∗ --------------------------------------------- In der massenhaft verschickten, betrügerischen SMS wird behauptet, dass Sie als Beteiligter in einem EUROPOL-Fall geführt werden. Um Einspruch zu erheben, sollen Sie eine App installieren. Vorsicht – Sie installieren Schadsoftware auf Ihrem Gerät und geben Kriminellen Zugang zu Ihren Daten! --------------------------------------------- https://www.watchlist-internet.at/news/fake-europol-sms/ ∗∗∗ Curious Serpens’ FalseFont Backdoor: Technical Analysis, Detection and Prevention ∗∗∗ --------------------------------------------- Curious Serpens (aka Peach Sandstorm) is a known espionage group that has previously targeted the aerospace and energy sectors. FalseFont is the latest tool in Curious Serpens’ arsenal. The examples we analyzed show how the threat actors mimic legitimate human resources software, using a fake job recruitment process to trick victims into installing the backdoor. --------------------------------------------- https://unit42.paloaltonetworks.com/curious-serpens-falsefont-backdoor/ ∗∗∗ Rescoms rides waves of AceCryptor spam ∗∗∗ --------------------------------------------- Insight into ESET telemetry statistics about AceCryptor in H2 2023 with a focus on Rescoms campaigns in European countries. --------------------------------------------- https://www.welivesecurity.com/en/eset-research/rescoms-rides-waves-acecryp… ∗∗∗ Warning Against Infostealer Disguised as Installer ∗∗∗ --------------------------------------------- The StealC malware disguised as an installer is being distributed en masse. It was identified as being downloaded via Discord, GitHub, Dropbox, etc. Considering the cases of distribution using similar routes, it is expected to redirect victims multiple times from a malicious webpage disguised as a download page for a certain program to the download URL. StealC is an Infostealer that extorts a variety of key information such as system, browser, cryptocurrency wallet, Discord, Telegram, and mail client data. --------------------------------------------- https://asec.ahnlab.com/en/63308/ ∗∗∗ New details on TinyTurla’s post-compromise activity reveal full kill chain ∗∗∗ --------------------------------------------- We now have new information on the entire kill chain this actor uses, including the tactics, techniques and procedures (TTPs) utilized to steal valuable information from their victims and propagate through their infected enterprises. --------------------------------------------- https://blog.talosintelligence.com/tinyturla-full-kill-chain/ ∗∗∗ The Updated APT Playbook: Tales from the Kimsuky threat actor group ∗∗∗ --------------------------------------------- In this blog we will detail new techniques that we have observed used by this actor group over the recent months. We believe that sharing these evolving techniques gives defenders the latest insights into measures required to protect their assets. --------------------------------------------- https://www.rapid7.com/blog/post/2024/03/20/the-updated-apt-playbook-tales-… ∗∗∗ CISA, FBI, and MS-ISAC Release Update to Joint Guidance on Distributed Denial-of-Service Techniques ∗∗∗ --------------------------------------------- Today, CISA, the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released an updated joint guide, Understanding and Responding to Distributed Denial-Of-Service Attacks, to address the specific needs and challenges faced by organizations in defending against DDoS attacks. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/03/21/cisa-fbi-and-ms-isac-rel… ===================== = Vulnerabilities = ===================== ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (March 11, 2024 to March 17, 2024) ∗∗∗ --------------------------------------------- Last week, there were 159 vulnerabilities disclosed in 123 WordPress Plugins and 1 WordPress Theme that have been added to the Wordfence Intelligence Vulnerability Database, and there were 68 Vulnerability Researchers that contributed to WordPress Security last week. --------------------------------------------- https://www.wordfence.com/blog/2024/03/wordfence-intelligence-weekly-wordpr… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (pdns-recursor and php-dompdf-svg-lib), Fedora (grub2, libreswan, rubygem-yard, and thunderbird), Mageia (libtiff and python-scipy), Red Hat (golang, nodejs, and nodejs:16), Slackware (python3), and Ubuntu (linux, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux, linux-azure, linux-gcp, linux-gcp-6.5, linux-hwe-6.5, linux-lowlatency, linux-lowlatency-hwe-6.5, linux-oem-6.5, linux-oracle, linux-oracle-6.5, linux-raspi, linux-starfive, linux-starfive-6.5, linux-aws, linux-aws-5.15, linux-aws, linux-aws-5.4, linux-gcp-5.4, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux-gcp, linux-gcp-4.15, linux-kvm, linux-laptop, linux-oem-6.1, and linux-raspi). --------------------------------------------- https://lwn.net/Articles/966246/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Advantech WebAccess/SCADA ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-081-01 ∗∗∗ F5: K000138966 : Intel Xeon CPU vulnerability CVE-2023-23908 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000138966 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.03.2024
by Daily end-of-shift report 20 Mar '24

20 Mar '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 19-03-2024 18:00 − Mittwoch 20-03-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Misconfigured Firebase instances leaked 19 million plaintext passwords ∗∗∗ --------------------------------------------- Three cybersecurity researchers discovered close to 19 million plaintext passwords exposed on the public internet by misconfigured instances of Firebase, a Google platform for hosting databases, cloud computing, and app development. --------------------------------------------- https://www.bleepingcomputer.com/news/security/misconfigured-firebase-insta… ∗∗∗ Android malware, Android malware and more Android malware ∗∗∗ --------------------------------------------- In this report, we share our latest Android malware findings: the Tambir spyware, Dwphon downloader and Gigabud banking Trojan. --------------------------------------------- https://securelist.com/crimeware-report-android-malware/112121/ ∗∗∗ Scans for Fortinet FortiOS and the CVE-2024-21762 vulnerability, (Wed, Mar 20th) ∗∗∗ --------------------------------------------- Late last week, an exploit surfaced on GitHub for CVE-2024-21762. This vulnerability affects Fortinet's FortiOS. A patch was released on February 8th. Owners of affected devices had over a month to patch. --------------------------------------------- https://isc.sans.edu/diary/rss/30762 ∗∗∗ Phishing im Namen der Österreichischen Gesundheitskasse ÖGK ∗∗∗ --------------------------------------------- Nehmen Sie sich vor betrügerischen E-Mails in Acht, die Sie im Namen der Österreichischen Gesundheitskasse ÖGK erhalten. Aktuell spielt man Ihnen vor, dass es eine ausstehende Rückerstattung für Sie gibt. Folgen Sie hier keinen Links und geben Sie keine Daten bekannt. Man versucht Ihnen Geld und Daten zu stehlen! --------------------------------------------- https://www.watchlist-internet.at/news/phishing-gesundheitskasse-oegk/ ∗∗∗ Gotta Hack ‘Em All: Pokémon passwords reset after attack ∗∗∗ --------------------------------------------- Are you using the same passwords in multiple places online? Well, stop. Stop right now. And make sure that youve told your friends and family to stop being reckless too. --------------------------------------------- https://www.bitdefender.com/blog/hotforsecurity/gotta-hack-em-all-pokemon-p… ∗∗∗ A prescription for privacy protection: Exercise caution when using a mobile health app ∗∗∗ --------------------------------------------- Given the unhealthy data-collection habits of some mHealth apps, you’re well advised to tread carefully when choosing with whom you share some of your most sensitive data. --------------------------------------------- https://www.welivesecurity.com/en/privacy/prescription-privacy-protection-e… ∗∗∗ Loop DoS: Verschiedene Netzwerkdienste leiden unter Protokoll-Endlosschleife ∗∗∗ --------------------------------------------- Unter den Diensten, die Sicherheitsforscher als Gefahr identifiziert haben, sind auch solche aus der Frühzeit des Internets. Nun sind Netzwerk-Admins gefragt. --------------------------------------------- https://heise.de/-9660179 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (fontforge and imagemagick), Fedora (firefox), Mageia (cherrytree, python-django, qpdf, and sqlite3), Red Hat (bind, cups, emacs, fwupd, gmp, kernel, libreoffice, libX11, nodejs, opencryptoki, postgresql-jdbc, postgresql:10, postgresql:13, and ruby:3.1), Slackware (gnutls and mozilla), and Ubuntu (firefox, linux, linux-bluefield, linux-gcp, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-oracle, linux-oracle-5.4, [...] --------------------------------------------- https://lwn.net/Articles/966053/ ∗∗∗ Netgear wireless router open to code execution after buffer overflow vulnerability ∗∗∗ --------------------------------------------- There is also a newly disclosed vulnerability in a graphics driver for some NVIDIA GPUs that could lead to a memory leak. --------------------------------------------- https://blog.talosintelligence.com/vulnerability-roundup-march-20-2024/ ∗∗∗ Atlassian: Patch-Reigen im März für Bamboo, Bitbucket, Confluence und Jira ∗∗∗ --------------------------------------------- Atlassian behandelt 25 Sicherheitslücken in Bamboo, Bitbucket, Confluence und Jira. Eine davon gilt als kritisch. --------------------------------------------- https://heise.de/-9660075 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Command Injection in Bosch Network Synchronizer ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-152190-bt.html ∗∗∗ Security Update for Ivanti Neurons for ITSM ∗∗∗ --------------------------------------------- https://www.ivanti.com/blog/security-update-for-ivanti-neurons-for-itsm ∗∗∗ Security Update for Ivanti Standalone Sentry ∗∗∗ --------------------------------------------- https://www.ivanti.com/blog/security-update-for-ivanti-standalone-sentry ∗∗∗ Webbrowser Chrome: Google dichtet mehrere Sicherheitslecks ab ∗∗∗ --------------------------------------------- https://heise.de/-9659978 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.03.2024
by Daily end-of-shift report 19 Mar '24

19 Mar '24

===================== = End-of-Day report = ===================== Timeframe: Montag 18-03-2024 18:00 − Dienstag 19-03-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ New AcidPour data wiper targets Linux x86 network devices ∗∗∗ --------------------------------------------- A new destructive malware named AcidPour was spotted in the wild, featuring data-wiper functionality and targeting Linux x86 IoT and networking devices. [..] AcidPour shares many similarities with AcidRain, such as targeting specific directories and device paths common in embedded Linux distributions, but their codebase overlaps by an estimated 30%. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-acidpour-data-wiper-targ… ∗∗∗ Turnier verschoben: Mögliche RCE-Schwachstelle bedroht Apex-Legends-Spieler ∗∗∗ --------------------------------------------- Der weitverbreitete Free-to-play-Shooter Apex Legends steht derzeit im Verdacht, unter einer Sicherheitslücke zu leiden, die es Angreifern ermöglicht, aus der Ferne die Kontrolle über die Computer der Spieler zu übernehmen. Ob die Schwachstelle das Spiel selbst oder dessen Anti-Cheat-Software betrifft, ist wohl noch unklar. --------------------------------------------- https://www.golem.de/news/turnier-verschoben-moegliche-rce-schwachstelle-be… ∗∗∗ ARM MTE: Androids Hardwareschutz gegen Speicherlücken umgehbar ∗∗∗ --------------------------------------------- Mit dem Memory-Tagging moderner ARM-CPUs soll das Potenzial bestimmter Sicherheitslücken verkleinert werden. Die Idee hat deutliche Grenzen. Das Security-Forschungsteam des Code-Hosters Github hat die Ausnutzung einer Speicherlücke beschrieben, bei der der dafür eigentlich vorgesehene Schutz, das Memory-Tagging, offenbar gar keine Rolle spielt. Den Beteiligten ist es demnach gelungen, eine Sicherheitslücke in ARMs GPU-Treiber, die vollen Kernelzugriff und das Erlangen von Root-Rechten ermöglicht, auch auf einem aktuellen Pixel 8 auszunutzen, auf dem die sogenannten Memory Tagging Extension (MTE) aktiviert ist. --------------------------------------------- https://www.golem.de/news/arm-mte-androids-hardwareschutz-gegen-speicherlue… ∗∗∗ Threat landscape for industrial automation systems. H2 2023 ∗∗∗ --------------------------------------------- Kaspersky ICS CERT shares industrial threat statistics for H2 2023: most commonly detected malicious objects, threat sources, threat landscape by industry and region. --------------------------------------------- https://securelist.com/threat-landscape-for-industrial-automation-systems-h… ∗∗∗ Attacker Hunting Firewalls, (Tue, Mar 19th) ∗∗∗ --------------------------------------------- The competition for freshly deployed vulnerable devices, or devices not patched for the latest greatest vulnerability, is immense. Your success in the ransomware or access broker ecosystem depends on having a consistently updated list of potential victims. As a result, certain IP addresses routinely scan the internet for specific types of vulnerabilities. One such example is 77.90.185.152. This IP address has been scanning for a different vulnerability each day. --------------------------------------------- https://isc.sans.edu/diary/rss/30758 ∗∗∗ New DEEP#GOSU Malware Campaign Targets Windows Users with Advanced Tactics ∗∗∗ --------------------------------------------- A new elaborate attack campaign has been observed employing PowerShell and VBScript malware to infect Windows systems and harvest sensitive information. [..] A notable aspect of the infection procedure is that it leverages legitimate services such as Dropbox or Google Docs for command-and-control (C2), thus allowing the threat actor to blend undetected into regular network traffic. [..] The starting point is said to be a malicious email attachment containing a ZIP archive with a rogue shortcut file (.LNK) that masquerades as a PDF file ("IMG_20240214_0001.pdf.lnk"). --------------------------------------------- https://thehackernews.com/2024/03/new-deepgosu-malware-campaign-targets.html ∗∗∗ Unit 42 Collaborative Research With Ukraine’s Cyber Agency To Uncover the Smoke Loader Backdoor ∗∗∗ --------------------------------------------- This article announces the publication of our first collaborative effort with the State Cyber Protection Centre of the State Service of Special Communications and Information Protection of Ukraine (SCPC SSSCIP). This collaborative research focuses on recent Smoke Loader malware activity observed throughout Ukraine from May to November 2023 from a group the CERT-UA designates as UAC-0006. --------------------------------------------- https://unit42.paloaltonetworks.com/unit-42-scpc-ssscip-uncover-smoke-loade… ∗∗∗ Claroty-Report: Zahlreiche Schwachstellen in medizinischen Netzwerken und Geräten ∗∗∗ --------------------------------------------- Sicherheitsanbieter Claroty hat sein Team82, eine Forschungseinheit von Claroty, auf das Thema Sicherheit im Medizinbereich, bezogen auf Geräte und Netzwerke, angesetzt, um die Auswirkungen der zunehmenden Vernetzung medizinischer Geräte zu untersuchen. Ziel des Berichts ist es, die umfassende Konnektivität kritischer medizinischer Geräte – von bildgebenden Systemen bis hin zu Infusionspumpen – aufzuzeigen und die damit verbundenen Risiken zu beleuchten. [..] Das erschreckende Ergebnis: Im Rahmen der Untersuchungen von Team82 tauchen häufig Schwachstellen und Implementierungsfehler auf. --------------------------------------------- https://www.borncity.com/blog/2024/03/19/claroty-report-zahlreiche-schwachs… ∗∗∗ Jenkins Args4j CVE-2024-23897: Files Exposed, Code at Risk ∗∗∗ --------------------------------------------- Jenkins, a popular open-source automation server, was discovered to be affected by a file read vulnerability, CVE-2024-23897. [..] Given its high severity we would like to emphasize the need for swift measures to secure Jenkins installations. [..] Jenkins patched CVE-2024-23897 in versions 2.442 and LTS 2.426.3 by disabling the problematic command parser feature. --------------------------------------------- https://www.trendmicro.com/en_us/research/24/c/cve-2024-23897.html ===================== = Vulnerabilities = ===================== ∗∗∗ CVE-2024-1212: Unauthenticated Command Injection In Progress Kemp LoadMaster ∗∗∗ --------------------------------------------- LoadMaster is a load balancer and application delivery controller. Exploiting this vulnerability enables command execution on the LoadMaster if you have access to the administrator web user interface. Once command execution is obtained, it is possible to escalate privileges to root from the default admin “bal” user by abusing sudo entries, granting full control of the device. A proof of concept exploit is available in our CVE GitHub repository. --------------------------------------------- https://rhinosecuritylabs.com/research/cve-2024-1212unauthenticated-command… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (cacti, postgresql-11, and zfs-linux), Fedora (freeimage, mingw-expat, and mingw-freeimage), Mageia (apache-mod_security-crs, expat, and multipath-tools), Oracle (.NET 7.0 and kernel), Red Hat (kernel, kernel-rt, and kpatch-patch), and Ubuntu (bash, kernel, linux, linux-aws, linux-hwe, linux-kvm, linux-oracle, linux, linux-aws, linux-kvm, linux-lts-xenial, and vim). --------------------------------------------- https://lwn.net/Articles/965958/ ∗∗∗ RaspberryMatic: Kritische Lücke erlaubt Codeschmuggel ∗∗∗ --------------------------------------------- Im freien HomeMatic-Server RaspberryMatic klafft eine Codeschmuggel-Lücke. Sie gilt als kritisch. Ein Update steht bereit. --------------------------------------------- https://heise.de/-9658709 ∗∗∗ Sicherheitsupdates für Firefox und Thunderbird ∗∗∗ --------------------------------------------- Mozilla dichtet zahlreiche Sicherheitslücken im Webbrowser Firefox und Mailer Thunderbird ab. --------------------------------------------- https://heise.de/-9659433 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Franklin Fueling System EVO 550/5000 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-079-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.03.2024
by Daily end-of-shift report 18 Mar '24

18 Mar '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 15-03-2024 18:00 − Montag 18-03-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ New acoustic attack determines keystrokes from typing patterns ∗∗∗ --------------------------------------------- Researchers have demonstrated a new acoustic side-channel attack on keyboards that can deduce user input based on their typing patterns, even in poor conditions, such as environments with noise. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-acoustic-attack-determin… ∗∗∗ Hackers Using Sneaky HTML Smuggling to Deliver Malware via Fake Google Sites ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered a new malware campaign that leverages bogus Google Sites pages and HTML smuggling to distribute a commercial malware called AZORult in order to facilitate information theft. --------------------------------------------- https://thehackernews.com/2024/03/hackers-using-sneaky-html-smuggling-to.ht… ∗∗∗ Opening Pandora’s box - Supply Chain Insider Threats in Open Source projects ∗∗∗ --------------------------------------------- Granting repository "Write" access in an Open Source project is a high-stakes decision. We delve into the risks of insider threats, using a responsible disclosure for the AWS Karpenter project to demonstrate why strict safeguards are essential. --------------------------------------------- https://boostsecurity.io/blog/opening-pandora-box-supply-chain-insider-thre… ∗∗∗ Saisonale Betrugsmaschen: Vorsicht bei der Urlaubsbuchung! ∗∗∗ --------------------------------------------- Passend zur Jahreszeit, in der besonders viele Urlaubsbuchungen vorgenommen werden, veröffentlichen Kriminelle betrügerische Urlaubsbuchungsplattformen wie fincas-und-villen.com. Lassen Sie sich nicht von den günstigen Preisen und schönen Bildern blenden: Hier verlieren Sie Ihr Geld und enden im schlimmsten Fall ohne Unterkunft am Urlaubsziel. --------------------------------------------- https://www.watchlist-internet.at/news/saisonale-betrugsmaschen-urlaubsbuch… ∗∗∗ Wie OAuth-Anwendungen über Tenant-Grenzen schützen/detektieren? ∗∗∗ --------------------------------------------- Es ist eine Frage, die sich wohl jeder Sicherheitsverantwortliche stellt, wenn es um die Cloud und den Zugriff auf Dienste mittels OAuth geht. Die Fragestellung: Wie lassen sich OAuth-Anwendungen über Tenant-Grenzen schützen/detektieren? Und wie kann man das mit Microsoft-Technologie erledigen. --------------------------------------------- https://www.borncity.com/blog/2024/03/17/wie-oauth-anwendungen-ber-tenant-g… ∗∗∗ Top things that you might not be doing (yet) in Entra Conditional Access – Advanced Edition ∗∗∗ --------------------------------------------- In this second part, we’ll go over more advanced security controls within Conditional Access that, in my experience, are frequently overlooked in environments during security assessments. --------------------------------------------- https://blog.nviso.eu/2024/03/18/top-things-that-you-might-not-be-doing-yet… ∗∗∗ Ethereum’s CREATE2: A Double-Edged Sword in Blockchain Security ∗∗∗ --------------------------------------------- Ethereum’s CREATE2 function is being exploited by attackers to compromise the security of digital wallets, bypassing traditional security measures and facilitating unauthorized access to funds. --------------------------------------------- https://research.checkpoint.com/2024/ethereums-create2-a-double-edged-sword… ===================== = Vulnerabilities = ===================== ∗∗∗ Hackers exploit Aiohttp bug to find vulnerable networks ∗∗∗ --------------------------------------------- The ransomware actor ShadowSyndicate was observed scanning for servers vulnerable to CVE-2024-23334, a directory traversal vulnerability in the aiohttp Python library. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-exploit-aiohttp-bug-… ∗∗∗ Two Bytes is Plenty: FortiGate RCE with CVE-2024-21762 ∗∗∗ --------------------------------------------- In this post we detail the steps we took to identify the patched vulnerability and produce a working exploit. --------------------------------------------- https://www.assetnote.io/resources/research/two-bytes-is-plenty-fortigate-r… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (curl, spip, and unadf), Fedora (chromium, iwd, opensc, openvswitch, python3.6, shim, shim-unsigned-aarch64, and shim-unsigned-x64), Mageia (batik, imagemagick, irssi, jackson-databind, jupyter-notebook, ncurses, and yajl), Oracle (.NET 7.0, .NET 8.0, and dnsmasq), Red Hat (postgresql:10), SUSE (chromium, kernel, openvswitch, python-rpyc, and tiff), and Ubuntu (openjdk-8). --------------------------------------------- https://lwn.net/Articles/965829/ ∗∗∗ PoC Published for Critical Fortra Code Execution Vulnerability ∗∗∗ --------------------------------------------- A critical directory traversal vulnerability in Fortra FileCatalyst Workflow could lead to remote code execution. --------------------------------------------- https://www.securityweek.com/poc-published-for-critical-fortra-code-executi… ∗∗∗ Kritische Sicherheitslücke CVE-2024-21762 in Fortinet FortiOS wird aktiv ausgenutzt ∗∗∗ --------------------------------------------- In unserer Warnung vom 09. Februar 2024 haben wir bereits über die Sicherheitslücken CVE-2024-21762 und CVE-2024-23113 berichtet und in Folge Besitzer:innen über die für die IP-Adressen hinterlegten Abuse-Kontakten informiert. CVE-2024-21762 wird seit kurzem nun aktiv ausgenutzt. Unauthentifizierte Angreifer:innen können auf betroffenen Geräten beliebigen Code ausführen. --------------------------------------------- https://cert.at/de/aktuelles/2024/3/kritische-sicherheitslucke-cve-2024-217… ∗∗∗ Spring Framework: Updates beheben neue, alte Sicherheitslücke ∗∗∗ --------------------------------------------- Nutzen Spring-basierte Anwendungen eine URL-Parsing-Funktion des Frameworks, öffnen sie sich für verschiedene Attacken. Nicht zum ersten Mal. --------------------------------------------- https://heise.de/-9657496 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Stack-based Overflow Vulnerability in the TrueViewTM Desktop Software ∗∗∗ --------------------------------------------- https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0006 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.03.2024
by Daily end-of-shift report 15 Mar '24

15 Mar '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 14-03-2024 18:00 − Freitag 15-03-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ SIM swappers hijacking phone numbers in eSIM attacks ∗∗∗ --------------------------------------------- SIM swappers have adapted their attacks to steal a targets phone number by porting it into a new eSIM card, a digital SIM stored in a rewritable chip present on many recent smartphone models. --------------------------------------------- https://www.bleepingcomputer.com/news/security/sim-swappers-hijacking-phone… ∗∗∗ StopCrypt: Most widely distributed ransomware now evades detection ∗∗∗ --------------------------------------------- A new variant of StopCrypt ransomware (aka STOP) was spotted in the wild, employing a multi-stage execution process that involves shellcodes to evade security tools. --------------------------------------------- https://www.bleepingcomputer.com/news/security/stopcrypt-most-widely-distri… ∗∗∗ 5Ghoul Revisited: Three Months Later, (Fri, Mar 15th) ∗∗∗ --------------------------------------------- About three months ago, I wrote about the implications and impacts of 5Ghoul in a previous diary. The 5Ghoul family of vulnerabilities could cause User Equipment (UEs) to be continuously exploited (e.g. dropping/freezing connections, which would require manual rebooting or downgrading a 5G connection to 4G) once they are connected to the malicious 5Ghoul gNodeB (gNB, or known as the base station in traditional cellular networks). Given the potential complexities in the realm of 5G mobile network modems used in a multitude of devices (such as mobile devices and 5G-enabled environments such as Industrial Internet-of-Things and IP cameras), I chose to give the situation a bit more time before revisiting the 5Ghoul vulnerability. --------------------------------------------- https://isc.sans.edu/diary/rss/30746 ∗∗∗ Third-Party ChatGPT Plugins Could Lead to Account Takeovers ∗∗∗ --------------------------------------------- Cybersecurity researchers have found that third-party plugins available for OpenAI ChatGPT could act as a new attack surface for threat actors looking to gain unauthorized access to sensitive data. According to new research published by Salt Labs, security flaws found directly in ChatGPT and within the ecosystem could allow attackers to install malicious plugins without users' consent and hijack accounts on third-party websites like GitHub. --------------------------------------------- https://thehackernews.com/2024/03/third-party-chatgpt-plugins-could-lead.ht… ∗∗∗ Vorsicht vor Abo-Falle auf produktretter.at! ∗∗∗ --------------------------------------------- Einmal registrieren und schon erhalten Sie hochwertige und voll funktionsfähige Produkte, die andere retourniert haben. Es fallen lediglich Versandkosten von maximal 2,99 Euro an. Klingt zu schön, um wahr zu sein? Ist es auch. Denn Seiten wie produktretter.at, produkttest-anmeldung.com oder retourenheld.io locken in eine Abo-Falle. Die versprochenen Produkte kommen nie an. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-abo-falle-auf-produktre… ∗∗∗ Inside the Rabbit Hole: BunnyLoader 3.0 Unveiled ∗∗∗ --------------------------------------------- We analyze recent samples of BunnyLoader 3.0 to illuminate this malware’s evolved and upscaled capabilities, including its new downloadable module system. --------------------------------------------- https://unit42.paloaltonetworks.com/analysis-of-bunnyloader-malware/ ∗∗∗ How to share sensitive files securely online ∗∗∗ --------------------------------------------- Here are a few tips for secure file transfers and what else to consider when sharing sensitive documents so that your data remains safe. --------------------------------------------- https://www.welivesecurity.com/en/how-to/share-sensitive-files-securely-onl… ∗∗∗ The LockBit story: Why the ransomware affiliate model can turn takedowns into disruptions ∗∗∗ --------------------------------------------- Talos explores the recent law enforcement takedown of LockBit, a prolific ransomware group that claimed to resume their operations 7 days later. --------------------------------------------- https://blog.talosintelligence.com/ransomware-affiliate-model/ ∗∗∗ Zwei Backdoors in Ivanti-Appliances analysiert ∗∗∗ --------------------------------------------- Anfang 2024 wurden die Pulse Secure Appliances von Ivanti durch die damals gemeldeten Schwachstellen CVE-2023-46805 und CVE-2024-21887 weiträumig ausgenutzt. Zwei Exemplare dieser Backdoors haben Sicherheitsforscher jetzt ausführlich beschrieben. --------------------------------------------- https://heise.de/-9656137 ∗∗∗ Sicherheitsforscher genervt: Lücken-Datenbank NVD seit Wochen unvollständig ∗∗∗ --------------------------------------------- Die von der US-Regierung betriebene Datenbank reichert im CVE-System gemeldete Sicherheitslücken mit wichtigen Metadaten an. Das blieb seit Februar aus. [..] Von über 2.200 seit 15. Februar veröffentlichten Sicherheitslücken mit CVE-ID sind lediglich 59 mit Metadaten versehen, 2.152 liegen brach. [..] Darüber, wie sie die Tausenden offenen Sicherheitslücken abarbeiten will und vor allem, wann sie ihre Arbeit wieder aufnimmt, schweigt sich die NVD derzeit aus. --------------------------------------------- https://heise.de/-9656574 ===================== = Vulnerabilities = ===================== ∗∗∗ Juniper: On Demand: JSA Series: Multiple vulnerabilities resolved in Juniper Secure Analytics in 7.5.0 UP7 IF06 ∗∗∗ --------------------------------------------- Multiple vulnerabilities have been resolved in 7.5.0 UP7 IF06. Severity Critical --------------------------------------------- https://supportportal.juniper.net/s/article/On-Demand-JSA-Series-Multiple-v… ∗∗∗ Micropatches Released for Microsoft Outlook "MonikerLink" Remote Code Execution Vulnerability (CVE-2024-21413) ∗∗∗ --------------------------------------------- In February 2024, still-Supported Microsoft Outlook versions got an official patch for CVE-2024-21413, a vulnerability that allowed an attacker to execute arbitrary code on users computer when the user opened a malicious hyperlink in attackers email. The micropatch was written for the following security-adopted versions of Office with all available updates installed: Microsoft Office 2013, Microsoft Office 2010 --------------------------------------------- https://blog.0patch.com/2024/03/micropatches-released-for-microsoft.html ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (composer and node-xml2js), Fedora (baresip), Mageia (fonttools, libgit2, mplayer, open-vm-tools, and packages), Red Hat (dnsmasq, gimp:2.8, and kernel-rt), and SUSE (389-ds, gdb, kernel, python-Django, python3, python36-pip, spectre-meltdown-checker, sudo, and thunderbird). --------------------------------------------- https://lwn.net/Articles/965576/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ CVE-2024-2247: JFrog Artifactory Cross-Site Scripting ∗∗∗ --------------------------------------------- https://jfrog.com/help/r/jfrog-release-information/cve-2024-2247-jfrog-arti… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.03.2024
by Daily end-of-shift report 14 Mar '24

14 Mar '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 13-03-2024 18:00 − Donnerstag 14-03-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ PixPirate Android malware uses new tactic to hide on phones ∗∗∗ --------------------------------------------- The latest version of the PixPirate banking trojan for Android employs a previously unseen method to hide from the victim while remaining active on the infected device even if its dropper app has been removed. --------------------------------------------- https://www.bleepingcomputer.com/news/security/pixpirate-android-malware-us… ∗∗∗ Increase in the number of phishing messages pointing to IPFS and to R2 buckets, (Thu, Mar 14th) ∗∗∗ --------------------------------------------- Interesting trends do emerge from time to time. One such recent trend seems to be connected with an increased use of IPFS and R2 buckets to host phishing pages. --------------------------------------------- https://isc.sans.edu/diary/rss/30744 ∗∗∗ Breaking Down APT29’s Latest Tactics and How to Defend Against Them ∗∗∗ --------------------------------------------- Recently, the US National Security Agency (NSA) joined United Kingdom’s National Cyber Security Center (NCSC) in releasing an advisory detailing the recent TTPs (or tactics, techniques, and procedures) of the group known as APT29 (or, in other taxonomies of threat actors, Midnight Blizzard, the Dukes, and Cozy Bear). --------------------------------------------- https://orca.security/resources/blog/how-to-defend-against-apt29-cozy-bear-… ===================== = Vulnerabilities = ===================== ∗∗∗ A patched Windows attack surface is still exploitable ∗∗∗ --------------------------------------------- In this report, we highlight the key points about a class of recently-patched elevation-of-privilege vulnerabilities affecting Microsoft Windows, and then focus on how to check if any of them have been exploited or if there have been any attempts to exploit them. --------------------------------------------- https://securelist.com/windows-vulnerabilities/112232/ ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium and openvswitch), Fedora (chromium, python-multipart, thunderbird, and xen), Mageia (java-17-openjdk and screen), Red Hat (.NET 7.0, .NET 8.0, kernel-rt, kpatch-patch, postgresql:13, and postgresql:15), Slackware (expat), SUSE (glibc, python-Django, python-Django1, sudo, and vim), and Ubuntu (expat, linux-ibm, linux-ibm-5.4, linux-oracle, linux-oracle-5.4, linux-lowlatency, linux-raspi, python-cryptography, texlive-bin, and xorg-server). --------------------------------------------- https://lwn.net/Articles/965470/ ∗∗∗ Kubernetes Vulnerability Allows Remote Code Execution on Windows Endpoints ∗∗∗ --------------------------------------------- A high-severity Kubernetes vulnerability tracked as CVE-2023-5528 can be exploited to execute arbitrary code on Windows endpoints. --------------------------------------------- https://www.securityweek.com/kubernetes-vulnerability-allows-remote-code-ex… ∗∗∗ Cisco schließt hochriskante Lücken in IOS XR ∗∗∗ --------------------------------------------- Cisco warnt vor SIcherheitslücken mit teils hohem Risiko im Router-Betriebssystem IOS XR. Updates stehen bereit. --------------------------------------------- https://heise.de/-9654542 ∗∗∗ Schnell upgraden: Problematische Sicherheitslücke in Apples GarageBand ∗∗∗ --------------------------------------------- Neue Funktionen liefert GarageBand 10.4.11 laut Apple nicht. Dafür steckt ein wichtiger Sicherheitsfix drin. Nutzer sollten die macOS-App schnell aktualisieren. --------------------------------------------- https://heise.de/-9654638 ∗∗∗ HP: Viele Laptops und PCs von Codeschmuggel-Lücke betroffen ∗∗∗ --------------------------------------------- Eine BIOS-Sicherheitsfunktion von HP-Laptops und -PCs kann von Angreifern umgangen werden. BIOS-Updates stehen bereit oder werden grad entwickelt. --------------------------------------------- https://heise.de/-9654678 ∗∗∗ VU#488902: CPU hardware utilizing speculative execution may be vulnerable to speculative race conditions ∗∗∗ --------------------------------------------- https://kb.cert.org/vuls/id/488902 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Softing edgeConnector ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-074-13 ∗∗∗ Mitsubishi Electric MELSEC-Q/L Series ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-074-14 ∗∗∗ Delta Electronics DIAEnergie ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-074-12 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.03.2024
by Daily end-of-shift report 13 Mar '24

13 Mar '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 12-03-2024 18:00 − Mittwoch 13-03-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ RisePro stealer targets Github users in “gitgub” campaign ∗∗∗ --------------------------------------------- We identified at least 13 such repositories belonging to a RisePro stealer campaign that was named “gitgub” by the threat actors. The repositories look similar, featuring a README.md file with the promise of free cracked software. [..] RisePro resurfaces with new string encryption and a bloated MSI installer that crashes reversing tools like IDA. The "gitgub" campaign already sent more than 700 archives of stolen data to Telegram. --------------------------------------------- https://www.gdatasoftware.com/blog/2024/03/37885-risepro-stealer-campaign-g… ∗∗∗ Using ChatGPT to Deobfuscate Malicious Scripts, (Wed, Mar 13th) ∗∗∗ --------------------------------------------- Today, most of the malicious scripts in the wild are heavily obfuscated. [...] There was a huge amount of obfuscated strings (443 in total). Let's try tro process them with ChatGPT [..] The request took a few seconds to get some feedback but results were perfect (I only submitted a small part of the script). --------------------------------------------- https://isc.sans.edu/diary/rss/30740 ∗∗∗ FakeBat delivered via several active malvertising campaigns ∗∗∗ --------------------------------------------- A number of software brands are being impersonated with malicious ads and fake sites to distribute malware. --------------------------------------------- https://www.malwarebytes.com/blog/threat-intelligence/2024/03/fakebat-deliv… ∗∗∗ Geldwäsche statt Babysitting: Vorsicht vor diesem Jobbetrug! ∗∗∗ --------------------------------------------- Kriminelle suchen über Babysitter-Börsen angeblich eine Betreuung für ihr Kind oder ihre Kinder. Das vermeintliche Elternteil behauptet, derzeit noch im Ausland zu leben und erst zu einem späteren Zeitpunkt nach Österreich zu ziehen. Damit sich die Kinder gleich von Anfang an wohl fühlen, sollen die neuen Babysitter:innen bereits im Vorfeld Spielzeug einkaufen. --------------------------------------------- https://www.watchlist-internet.at/news/geldwaesche-statt-babysitting-vorsic… ∗∗∗ JetBrains vulnerability exploitation highlights debate over silent patching ∗∗∗ --------------------------------------------- Czech software giant JetBrains harshly criticized security company Rapid7 this week following a dispute over two recently-discovered vulnerabilities. In a blog post published Monday, JetBrains attributed the compromise of several customers’ servers to Rapid7’s decision to release detailed information on the vulnerabilities. --------------------------------------------- https://therecord.media/jetbrains-rapid7-silent-patching-dispute ∗∗∗ Unpacking Flutter hives ∗∗∗ --------------------------------------------- The goal of this blogpost is to obtain the content of an encrypted Hive without having access to the source code. --------------------------------------------- https://blog.nviso.eu/2024/03/13/unpacking-flutter-hives/ ∗∗∗ Threat actors leverage document publishing sites for ongoing credential and session token theft ∗∗∗ --------------------------------------------- Talos IR has responded to several recent incidents in which threat actors used legitimate digital document publishing sites such as Publuu and Marq to host phishing documents as part of ongoing credential and session harvesting attacks. Threat actors have used a similar tactic of deploying phishing lures on well-known cloud storage and contract management sites such as Google Drive, OneDrive, SharePoint, DocuSign and Oneflow. --------------------------------------------- https://blog.talosintelligence.com/threat-actors-leveraging-document-publis… ∗∗∗ CVE-2024-21412: DarkGate Operators Exploit Microsoft Windows SmartScreen Bypass in Zero-Day Campaign ∗∗∗ --------------------------------------------- The Zero Day Initiative (ZDI) recently uncovered a DarkGate campaign in mid-January 2024, which exploited CVE-2024-21412 through the use of fake software installers. During this campaign, users were lured using PDFs that contained Google DoubleClick Digital Marketing (DDM) open redirects that led unsuspecting victims to compromised sites hosting the Microsoft Windows SmartScreen bypass CVE-2024-21412 that led to malicious Microsoft (.MSI) installers. [..] This campaign was part of the larger Water Hydra APT zero-day analysis. --------------------------------------------- https://www.trendmicro.com/en_us/research/24/c/cve-2024-21412--darkgate-ope… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Security Advisories 2024-03-13 ∗∗∗ --------------------------------------------- Security Impact Rating: 3x High, 4x Medium --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs… ∗∗∗ Palo Alto Security Advisories 2024-03-13 ∗∗∗ --------------------------------------------- Security Impact Rating: 3x Medium --------------------------------------------- https://security.paloaltonetworks.com/ ∗∗∗ Critical Vulnerability Remains Unpatched in Two Permanently Closed MiniOrange WordPress Plugins – $1,250 Bounty Awarded ∗∗∗ --------------------------------------------- Both miniOrange’s Malware Scanner and Web Application Firewall plugins contain a critical privilege escalation vulnerability, and both have been permanently closed. So we urge all users to delete these plugins from their websites immediately! [..] This vulnerability makes it possible for an unauthenticated attacker to grant themselves administrative privileges by updating the user password. --------------------------------------------- https://www.wordfence.com/blog/2024/03/critical-vulnerability-remains-unpat… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (edk2, freeipa, kernel, and liblas), Oracle (kernel), Red Hat (docker, edk2, kernel, kernel-rt, and kpatch-patch), SUSE (axis, fontforge, gnutls, java-1_8_0-openjdk, kernel, python3, sudo, and zabbix), and Ubuntu (dotnet7, dotnet8, libgoogle-gson-java, openssl, and ovn). --------------------------------------------- https://lwn.net/Articles/965278/ ∗∗∗ März-Patchday: Microsoft stopft zwei kritische Löcher in Hyper-V ∗∗∗ --------------------------------------------- Insgesamt bringt der März-Patchday Fixes für 61 Sicherheitslücken. --------------------------------------------- https://www.zdnet.de/88414822/maerz-patchday-microsoft-stopft-zwei-kritisch… ∗∗∗ Adobe Releases Security Updates for Multiple Products ∗∗∗ --------------------------------------------- Adobe Experience Manager, Adobe Premiere Pro, Adobe ColdFusion, Adobe Bridge, Adobe Lightroom, Adobe Animate --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/03/12/adobe-releases-security-… ∗∗∗ AMD und Intel schließen CPU-Sicherheitslücken in Core- und Ryzen-CPUs ∗∗∗ --------------------------------------------- Zum Patch-Tuesday räumen AMD und Intel weitere Sicherheitslücken in ihren Prozessoren ein. Es geht unter anderem um Race Conditions. --------------------------------------------- https://heise.de/-9653846 ∗∗∗ Fortinet-Patchday: Updates gegen kritische Schwachstellen ∗∗∗ --------------------------------------------- Fortinet hat zum März-Patchday Sicherheitslücken in FortiOS, FortiProxy, FortiClientEMS und im FortiManager geschlossen. --------------------------------------------- https://heise.de/-9653730 ∗∗∗ Citrix Hypervisor Security Update for CVE-2023-39368 and CVE-2023-38575 ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX616982/citrix-hypervisor-security-upd… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Lenovo Security Advisories 2024-03-12 ∗∗∗ --------------------------------------------- https://support.lenovo.com/at/de/product_security/home ∗∗∗ Xen Security Advisory CVE-2024-2193 / XSA-453 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-453.html ∗∗∗ Xen Security Advisory CVE-2023-28746 / XSA-452 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-452.html ∗∗∗ Wago: Multiple vulnerabilities in web-based management of multiple products ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-039/ ∗∗∗ Bosch: BVMS affected by Autodesk Design Review Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-246962-bt.html ∗∗∗ Bosch: RPS and RPS-LITE operator and communication process vulnerabilities. ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-099637-bt.html ∗∗∗ Canon: CPE2024-002 – Vulnerability Mitigation/Remediation for Small Office Multifunction Printers and Laser Printers – 14 March 2024 ∗∗∗ --------------------------------------------- https://www.canon-europe.com/support/product-security-latest-news/ ∗∗∗ SonicWall: SonicWall Email Security Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) Vulnerability ∗∗∗ --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0006 ∗∗∗ SonicWall: SonicOS SSLVPN Portal Stored Cross-site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0005 ∗∗∗ SonicWall: Integer-Based Buffer Overflow Vulnerability In SonicOS via IPSec ∗∗∗ --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0004 ∗∗∗ Google Chrome: Drei Sicherheitslöcher gestopft ∗∗∗ --------------------------------------------- https://heise.de/-9653082 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.03.2024
by Daily end-of-shift report 12 Mar '24

12 Mar '24

===================== = End-of-Day report = ===================== Timeframe: Montag 11-03-2024 18:00 − Dienstag 12-03-2024 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Inception Attack: Neue Angriffstechnik ermöglicht Manipulation von VR-Inhalten ∗∗∗ --------------------------------------------- Angreifer können nicht nur sensible Informationen abgreifen, sondern auch dem VR-Nutzer angezeigte Inhalte verändern, ohne dass dieser etwas merkt. --------------------------------------------- https://www.golem.de/news/inception-attack-neue-angriffstechnik-ermoeglicht… ∗∗∗ Verträge und Abos kündigen: Vorsicht vor kostenpflichtigen Angeboten ∗∗∗ --------------------------------------------- Sie möchten Ihren Vertrag kündigen, wissen aber nicht wie? Oft sind die Informationen zur Kündigung und Kontaktadressen des jeweiligen Unternehmens auch unauffindbar. Aus gutem Grund suchen Konsument:innen daher nach Diensten, die den Kündigungsprozess übernehmen. Oft sind diese Dienste kostenpflichtig oder selbst eine Abofalle. --------------------------------------------- https://www.watchlist-internet.at/news/vertraege-und-abos-kuendigen-vorsich… ∗∗∗ Ransomware: Attacks Continue to Rise as Operators Adapt to Disruption ∗∗∗ --------------------------------------------- Available evidence suggests vulnerability exploitation has replaced botnets as a prime infection vector. --------------------------------------------- https://symantec-enterprise-blogs.security.com/threat-intelligence/ransomwa… ∗∗∗ CISA Publishes SCuBA Hybrid Identity Solutions Guidance ∗∗∗ --------------------------------------------- CISA has published Secure Cloud Business Applications (SCuBA) Hybrid Identity Solutions Guidance (HISG) to help users better understand identity management capabilities and securely integrate their traditional on-premises enterprise networks with cloud-based solutions. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/03/12/cisa-publishes-scuba-hyb… ∗∗∗ VCURMS: A Simple and Functional Weapon ∗∗∗ --------------------------------------------- ForitGuard Labs uncovers a rat VCURMS weapon and STRRAT in a phishing campaign --------------------------------------------- https://feeds.fortinet.com/~/873512375/0/fortinet/blogs~VCURMS-A-Simple-and… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (qemu), Mageia (libtiff and thunderbird), Red Hat (kernel, kpatch-patch, postgresql, and rhc-worker-script), SUSE (compat-openssl098, openssl, openssl1, python-Django, python-Django1, and wpa_supplicant), and Ubuntu (accountsservice, libxml2, linux-bluefield, linux-raspi-5.4, linux-xilinx-zynqmp, linux-oem-6.1, openvswitch, postgresql-9.5, and ruby-rack). --------------------------------------------- https://lwn.net/Articles/965113/ ∗∗∗ SAP schließt zehn Sicherheitslücken am März-Patchday ∗∗∗ --------------------------------------------- SAP hat zehn neue Sicherheitsmitteilungen zum März-Patchday veröffentlicht. Zwei der geschlossenen Lücken gelten als kritisch. --------------------------------------------- https://heise.de/-9652057 ∗∗∗ Synology dichtet Sicherheitslecks in SRM ab ∗∗∗ --------------------------------------------- Im Synology Router Manager (SRM) klaffen Sicherheitslecks, durch die Angreifer etwa Scripte einschleusen können. Ein Update steht bereit. --------------------------------------------- https://heise.de/-9652225 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Fortiguard Security Advisories ∗∗∗ --------------------------------------------- https://www.fortiguard.com/psirt ∗∗∗ SSA-918992 V1.0: Unused HTTP Service on SENTRON 3KC ATC6 Ethernet Module ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-918992.html ∗∗∗ SSA-832273 V1.0: Multiple Vulnerabilities in Fortigate NGFW on RUGGEDCOM APE1808 devices ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-832273.html ∗∗∗ SSA-792319 V1.0: Missing Read Out Protection in SENTRON 7KM PAC3x20 Devices ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-792319.html ∗∗∗ SSA-770721 V1.0: Multiple Vulnerabilities in SIMATIC RF160B before V2.2 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-770721.html ∗∗∗ SSA-653855 V1.0: Information Disclosure vulnerability in SINEMA Remote Connect Client before V3.1 SP1 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-653855.html ∗∗∗ SSA-576771 V1.0: Multiple Vulnerabilities in SINEMA Remote Connect Server before V3.2 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-576771.html ∗∗∗ SSA-382651 V1.0: File Parsing Vulnerability in Solid Edge before V223.0.11 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-382651.html ∗∗∗ SSA-366067 V1.0: Multiple Vulnerabilities in Fortigate NGFW before V7.4.1 on RUGGEDCOM APE1808 devices ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-366067.html ∗∗∗ SSA-353002 V1.0: Multiple Vulnerabilities in SCALANCE XB-200 / XC-200 / XP-200 / XF-200BA / XR-300WG Family ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-353002.html ∗∗∗ SSA-225840 V1.0: Vulnerabilities in the Network Communication Stack in Sinteso EN and Cerberus PRO EN Fire Protection Systems ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-225840.html ∗∗∗ SSA-145196 V1.0: Authorization Bypass Vulnerability in Siveillance Control ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-145196.html ∗∗∗ PHOENIX CONTACT: Multiple vulnerabilities in CHARX SEC charge controllers ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2024-011/ ∗∗∗ Citrix SDWAN Security Bulletin for CVE-2024-2049 ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX617071/citrix-sdwan-security-bulletin… ∗∗∗ Stack-based Overflow Vulnerability in the TrueViewTM Desktop Software ∗∗∗ --------------------------------------------- https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0005 ∗∗∗ Missing PSK secret for IKEv2 connection can cause libreswan to restart ∗∗∗ --------------------------------------------- https://libreswan.org/security/CVE-2024-2357/CVE-2024-2357.txt ∗∗∗ Schneider Electric EcoStruxure Power Design ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-072-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.03.2024
by Daily end-of-shift report 11 Mar '24

11 Mar '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 08-03-2024 18:00 − Montag 11-03-2024 18:00 Handler: Alexander Riepl Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Fake Leather wallet app on Apple App Store is a crypto drainer ∗∗∗ --------------------------------------------- The developers of the Leather cryptocurrency wallet are warning of a fake app on the Apple App Store, with users reporting it is a wallet drainer that stole their digital assets. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fake-leather-wallet-app-on-a… ∗∗∗ What happens when you accidentally leak your AWS API keys? [Guest Diary], (Sun, Mar 10th) ∗∗∗ --------------------------------------------- As a college freshman taking my first computer science class, I wanted to create a personal project that would test my abilities and maybe have some sort of return. I saw a video online of someone who created a python script that emailed colleges asking for free swag to be shipped to him. I liked the idea and adapted it. --------------------------------------------- https://isc.sans.edu/diary/rss/30730 ∗∗∗ Check your email security, and protect your customers ∗∗∗ --------------------------------------------- Free online tool from the NCSC prevents cyber criminals using your email to conduct cyber attacks. --------------------------------------------- https://www.ncsc.gov.uk/blog-post/cyes-protect-customers ∗∗∗ Leicht verdientes Geld auf Instagram? Vorsicht vor dieser Betrugsmasche ∗∗∗ --------------------------------------------- Sie erhalten eine Nachricht auf Instagram – angeblich von einer Künstlerin bzw. einem Künstler. Die Person behauptet, dass sie eines Ihrer Bilder auf Instagram als Vorlage für ein Gemälde nutzen möchte. Sie bekommen dafür angeblich 500 Euro. Gehen Sie nicht auf dieses Angebot ein, Sie werden betrogen! --------------------------------------------- https://www.watchlist-internet.at/news/leicht-verdientes-geld-auf-instagram… ∗∗∗ Misconfiguration Manager: Overlooked and Overprivileged ∗∗∗ --------------------------------------------- Misconfiguration Manager is a central knowledge base for all known Microsoft Configuration Manager tradecraft and associated defensive and hardening guidance. We’re also presenting this material at SO-CON 2024 on March 11, 2024. We’ll update this post with a link to the recording when it becomes available. --------------------------------------------- https://posts.specterops.io/misconfiguration-manager-overlooked-and-overpri… ∗∗∗ Ransomware tracker: The latest figures [March 2024] ∗∗∗ --------------------------------------------- Note: this Ransomware Tracker is updated on the second Sunday of each month to stay current. --------------------------------------------- https://therecord.media/ransomware-tracker-the-latest-figures ∗∗∗ Kritische Schwachstelle (CVE-2024-1403) in Progress OpenEdge Authentication Gateway/AdminServer – PoC öffentlich ∗∗∗ --------------------------------------------- Es gibt eine kritische Schwachstelle (CVE-2024-1403) in diesem Produkt (CVSS 10.0), die die Umgehung der Authentifizierung ermöglicht. Nun ist ein Exploit zur Ausnutzung dieser Schwachstelle bekannt geworden. --------------------------------------------- https://www.borncity.com/blog/2024/03/11/kritische-schwachstelle-cve-2024-1… ===================== = Vulnerabilities = ===================== ∗∗∗ Unauthenticated Stored XSS Vulnerability Patched in Ultimate Member WordPress Plugin ∗∗∗ --------------------------------------------- The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the several parameters in all versions up to, and including, 2.8.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. --------------------------------------------- https://www.wordfence.com/blog/2024/03/unauthenticated-stored-xss-vulnerabi… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libuv1, nss, squid, tar, tiff, and wordpress), Fedora (chromium, exercism, grub2, qpdf, and wpa_supplicant), Oracle (edk2 and opencryptoki), and SUSE (cpio, openssl-1_0_0, openssl-1_1, openssl-3, sudo, tomcat, and xen). --------------------------------------------- https://lwn.net/Articles/965032/ ∗∗∗ ArubaOS: Sicherheitslücken erlauben Befehlsschmuggel ∗∗∗ --------------------------------------------- HPE Aruba warnt vor zum Teil hochriskanten Sicherheitslücken im Betriebssystem ArubaOS für Switches aus dem Hause. Mehrere gelten als hohes Risiko und erlauben das Einschmuggeln von Befehlen. --------------------------------------------- https://heise.de/-9650985 ∗∗∗ Qnap hat teils kritische Lücken in seinen Betriebssystemen geschlossen ∗∗∗ --------------------------------------------- Qnap hat Warnungen vor Sicherheitslücken in QTS, QuTS Hero und QuTScloud veröffentlicht. Aktualisierte Firmware dichtet sie ab. --------------------------------------------- https://heise.de/-9650933 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.03.2024
by Daily end-of-shift report 08 Mar '24

08 Mar '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 07-03-2024 18:00 − Freitag 08-03-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Update on Microsoft Actions Following Attack by Nation State Actor Midnight Blizzard ∗∗∗ --------------------------------------------- This blog provides an update on the nation-state attack that was detected by the Microsoft Security Team on January 12, 2024. As we shared, on January 19, the security team detected this attack on our corporate email systems and immediately activated our response process. --------------------------------------------- https://msrc.microsoft.com/blog/2024/03/update-on-microsoft-actions-followi… ∗∗∗ New Malware Campaign Found Exploiting Stored XSS in Popup Builder < 4.2.3 ∗∗∗ --------------------------------------------- In the past three weeks, we’ve started seeing an uptick in attacks from a new malware campaign targeting this same Popup Builder vulnerability. According to PublicWWW, over 3,300 websites have already been infected by this new campaign. Our own SiteCheck remote malware scanner has detected this malware on over 1,170 sites. --------------------------------------------- https://blog.sucuri.net/2024/03/new-malware-campaign-found-exploiting-store… ∗∗∗ Google-Präsenz verbessern? Vorsicht vor Abzocker-Unternehmen! ∗∗∗ --------------------------------------------- Unternehmen wenden sich derzeit an uns und berichten von unseriösen Anbietern, die sich als Kooperationspartner von Google ausgeben. Das Angebot: Sie helfen dabei, den Unternehmensauftritt bei Google zu verbessern, ein angebotenes Beratungsgespräch soll nach dem Gespräch bezahlt werden und koste einmalig bis zu 80 Euro. Doch weit gefehlt: Erfahrungsberichten zufolge tappt man hier in eine Abo-Falle, die nur schwer zu kündigen ist. --------------------------------------------- https://www.watchlist-internet.at/news/abzocke-google-praesenz/ ∗∗∗ Online scam taxonomy: the many ways to trick us ∗∗∗ --------------------------------------------- Because there are so many different types of online scams, we have compiled a list of scam taxonomy, shortly explaining what these scams mean. It’s important to stay vigilant against these threats, so it’s easier to avoid them. --------------------------------------------- https://blog.f-secure.com/online-scam-taxonomy/ ∗∗∗ Magnet Goblin Targets Publicly Facing Servers Using 1-Day Vulnerabilities ∗∗∗ --------------------------------------------- Magnet Goblin is a financially motivated threat actor that quickly adopts and leverages 1-day vulnerabilities in public-facing services as an initial infection vector. At least in one case of Ivanti Connect Secure VPN (CVE-2024-21887), the exploit entered the group’s arsenal as fast as within 1 day after a POC for it was published. Campaigns that we were able to attribute to this actor targeted Ivanti, Magento, Qlink Sense and possibly Apache ActiveMQ. --------------------------------------------- https://research.checkpoint.com/2024/magnet-goblin-targets-publicly-facing-… ∗∗∗ Cisco: Angreifer können sich zum Root-Nutzer unter Linux machen ∗∗∗ --------------------------------------------- Cisco AppDynamics, Duo Authentication, Secure Client, Secure Client for Linux und Wireless Access Points der Small-Business-Reihe sind angreifbar. Sicherheitspatches stehen zum Download bereit. --------------------------------------------- https://heise.de/-9649863 ∗∗∗ Angeblicher Tesla-Hack mit Flipper Zero entpuppt sich als Sturm im Wasserglas ∗∗∗ --------------------------------------------- Mittels eines gefälschten Gast-WLANs im Tesla-Design könnten Angreifer an Superchargern oder in Service-Centern Zugänge abgreifen, warnen die Experten. --------------------------------------------- https://heise.de/-9650018 ===================== = Vulnerabilities = ===================== ∗∗∗ pgAdmin (<=8.3) Path Traversal in Session Handling Leads to Unsafe Deserialization and Remote Code Execution (RCE) ∗∗∗ --------------------------------------------- “pgAdmin is the most popular and feature rich Open Source administration and development platform for PostgreSQL, the most advanced Open Source database in the world. [..] If the server is running on Windows, an unauthenticated attacker can load and deserialize remote pickle objects and gain code execution. If the server is running on POSIX/Linux, an authenticated attacker can upload pickle objects, deserialize them and gain code execution. --------------------------------------------- https://www.shielder.com/advisories/pgadmin-path-traversal_leads_to_unsafe_… ∗∗∗ QNAP Security Advisories 2024-03-09 ∗∗∗ --------------------------------------------- Security Impact Rating: 1x Critical, 4x Medium --------------------------------------------- https://www.qnap.com/en-us/security-advisories ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (fontforge), Fedora (chromium, iwd, libell, and thunderbird), Oracle (buildah, kernel, skopeo, and tomcat), Red Hat (opencryptoki), Slackware (ghostscript), SUSE (go1.21, go1.22, google-oauth-java-client, jetty-minimal, openssl-1_0_0, python310, sudo, wpa_supplicant, and xmlgraphics-batik), and Ubuntu (libhtmlcleaner-java, linux, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-lowlatency-hwe-5.15, linux-nvidia, linux-azure, linux-azure-6.5, linux-hwe-6.5, mqtt-client, ncurses, and puma). --------------------------------------------- https://lwn.net/Articles/964832/ ∗∗∗ macOS 14.4 und mehr: Apple patcht schwere Sicherheitslücken ∗∗∗ --------------------------------------------- Apples Update-Reigen geht weiter: Nach iOS und iPadOS hat der Hersteller in der Nacht auf Freitag neue Versionen und Patches veröffentlicht, die für macOS, watchOS, tvOS und visionOS veröffentlicht. Neben kleineren Funktionserweiterungen und Bugfixes sollen die Aktualisierungen auch zwei gravierende Zero-Day-Schwachstellen im Kernel ausräumen, die nach Informationen von Apple wohl bereits aktiv für Angriffe ausgenutzt wurden. --------------------------------------------- https://heise.de/-9649559 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.03.2024
by Daily end-of-shift report 07 Mar '24

07 Mar '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 06-03-2024 18:00 − Donnerstag 07-03-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Hacked WordPress sites use visitors browsers to hack other sites ∗∗∗ --------------------------------------------- Hackers are conducting widescale attacks on WordPress sites to inject scripts that force visitors browsers to bruteforce passwords for other sites. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hacked-wordpress-sites-use-v… ∗∗∗ New Python-Based Snake Info Stealer Spreading Through Facebook Messages ∗∗∗ --------------------------------------------- Facebook messages are being used by threat actors to a Python-based information stealer dubbed Snake that’s designed to capture credentials and other sensitive data. --------------------------------------------- https://thehackernews.com/2024/03/new-python-based-snake-info-stealer.html ∗∗∗ Code injection on Android without ptrace ∗∗∗ --------------------------------------------- I came up with the idea to port linux_injector. The project has a simple premise: injecting code into a process without using ptrace. --------------------------------------------- https://erfur.github.io/blog/dev/code-injection-without-ptrace ∗∗∗ CVE-2023-36049: Microsoft .NET CRLF Injection Arbitrary File Write/Deletion Vulnerability ∗∗∗ --------------------------------------------- Successful exploitation of this vulnerability would allow a remote attacker to write or delete files in the context of the FTP server. The following is a portion of their write-up covering CVE-2023-36049, with a few minimal modifications. --------------------------------------------- https://www.thezdi.com/blog/2024/3/6/cve-2023-36049-microsoft-net-crlf-inje… ∗∗∗ Delving into Dalvik: A Look Into DEX Files ∗∗∗ --------------------------------------------- Through a case study of the banking trojan sample, this blog post aims to give an insight into the Dalvik Executable file format, how it is constructed, and how it can be altered to make analysis easier. --------------------------------------------- https://www.mandiant.com/resources/blog/dalvik-look-into-dex-files ∗∗∗ Staatstrojaner: Infrastruktur der Spyware Predator erneut abgeschaltet ∗∗∗ --------------------------------------------- Die Betreiber der Plattform hinter Predator haben offenbar Server vom Netz genommen, die sie zum Ausliefern und Steuern der Überwachungssoftware verwendeten. --------------------------------------------- https://heise.de/-9648238 ===================== = Vulnerabilities = ===================== ∗∗∗ CVE-2024-1403: Progress OpenEdge Authentication Bypass Deep-Dive ∗∗∗ --------------------------------------------- On February 27, 2024, Progress released a security advisory for OpenEdge, their application development and deployment platform suite. The advisory details that there exists an authentication bypass vulnerability which effects certain components of the OpenEdge platform. --------------------------------------------- https://www.horizon3.ai/attack-research/cve-2024-1403-progress-openedge-aut… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium and yard), Fedora (cpp-jwt, golang-github-tdewolff-argp, golang-github-tdewolff-minify, golang-github-tdewolff-parse, and suricata), Mageia (wpa_supplicant), Oracle (curl, edk2, golang, haproxy, keylime, mysql, openssh, and rear), Red Hat (kernel and postgresql:12), SUSE (containerd, giflib, go1.21, gstreamer-plugins-bad, java-1_8_0-openjdk, python3, python311, python39, sudo, and vim), and Ubuntu (frr, linux, linux-gcp, linux-gcp-5.4, [...] --------------------------------------------- https://lwn.net/Articles/964725/ ∗∗∗ VMware schließt Schlupflöcher für Ausbruch aus virtueller Maschine ∗∗∗ --------------------------------------------- Angreifer können Systeme mit VMware ESXi, Fusion und Workstation attackieren. Sicherheitsupdates stehen zum Download. --------------------------------------------- https://heise.de/-9648396 ∗∗∗ VU#949046: Sceiner firmware locks and associated devices are vulnerable to encryption downgrade and arbitrary file upload attacks ∗∗∗ --------------------------------------------- https://kb.cert.org/vuls/id/949046 ∗∗∗ Registration role - Critical - Access bypass - SA-CONTRIB-2024-015 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2024-015 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Local Privilege Escalation via writable files in CheckMK Agent ∗∗∗ --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/local-privilege-escalati… ∗∗∗ Mattermost security updates 9.5.2 (ESR) / 9.4.4 / 9.3.3 / 8.1.11 (ESR) released ∗∗∗ --------------------------------------------- https://mattermost.com/blog/mattermost-security-updates-9-5-2-esr-9-4-4-9-3… ∗∗∗ Apple Releases Security Updates for iOS and iPadOS ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/03/07/apple-releases-security-… ∗∗∗ Chirp Systems Chirp Access ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-067-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.03.2024
by Daily end-of-shift report 06 Mar '24

06 Mar '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 05-03-2024 18:00 − Mittwoch 06-03-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Why Your Firewall Will Kill You, (Tue, Mar 5th) ∗∗∗ --------------------------------------------- The last few years have been great for attackers exploiting basic web application vulnerabilities. Usually, home and small business products from companies like Linksys, D-Link, and Ubiquity are known to be favorite targets. But over the last couple of years, enterprise products from companies like Ivanti, Fortigate, Sonicwall, and Citrix (among others) have become easy to exploit targets. The high value of the networks protected by these "solutions" has made them favorites for ransomware attackers. --------------------------------------------- https://isc.sans.edu/diary/rss/30714 ∗∗∗ Scanning and abusing the QUIC protocol, (Wed, Mar 6th) ∗∗∗ --------------------------------------------- The QUIC protocol has slowly (pun intended) crawled into our browsers and many other protocols. Last week, at BSides Zagreb I presented some research I did about applications using (and abusing) this protocol, so it made sense to put this into one diary. --------------------------------------------- https://isc.sans.edu/diary/rss/30720 ∗∗∗ Living off the land with native SSH and split tunnelling ∗∗∗ --------------------------------------------- Lately I was involved in an assumed compromise project where stealth and simplicity was required, reducing the opportunity to use a sophisticated C2 infrastructure. We did note that the built-in Windows SSH client could make this simpler for us. [..] Windows native SSH can be a convenient attack path IF an organisation doesn’t have the ability to block and monitor the forwarded internal traffic. [..] The obvious route is to restrict access to the SSH command for all users who don’t have a business need, or to uninstall it from your default Windows build and use something like PuTTY instead. --------------------------------------------- https://www.pentestpartners.com/security-blog/living-off-the-land-with-nati… ∗∗∗ Schneeballsystem-Alarm bei DCPTG.com! ∗∗∗ --------------------------------------------- An die Watchlist Internet wird aktuell vermehrt ein Schneeball- bzw. Pyramidensystem mit dem Namen dcptg.com gemeldet. Versprochen werden Erfahrungsberichten nach völlig unrealistische und risikofreie Gewinnmöglichkeiten von 2 bis 5 Prozent des eingesetzten Kapitals pro Tag. Außerdem müssen laufend weitere Menschen angeworben werden, um langfristig an dem System teilnehmen zu können. Vorsicht: DCPTG.com ist betrügerisch! --------------------------------------------- https://www.watchlist-internet.at/news/schneeballsystem-alarm-bei-dctpgcom/ ∗∗∗ Fake-Gewinnspiel im Namen vom Tiergarten Schönbrunn ∗∗∗ --------------------------------------------- Über ein Fake-Profil des Tiergartens Schönbrunn wird derzeit ein betrügerisches Gewinnspiel auf Facebook verbreitet. Die Facebook-Seite „Tiergarten Wien“ verlost angeblich 4 Eintrittskarten. Sie müssen lediglich die Versandgebühren für die Karten bezahlen. Vorsicht: Sie tappen in eine Abo-Falle und geben Ihre persönlichen Daten an Kriminelle weiter. --------------------------------------------- https://www.watchlist-internet.at/news/fake-gewinnspiel-im-namen-vom-tierga… ∗∗∗ Whoops! ACEMAGIC ships mini PCs with free bonus pre-installed malware ∗∗∗ --------------------------------------------- Chinese mini PC manufacturer ACEMAGIC has made life a bit more interesting for its customers, by admitting that it has also been throwing in free malware with its products. --------------------------------------------- https://grahamcluley.com/whoops-acemagic-ships-mini-pcs-with-free-bonus-pre… ∗∗∗ Data Exfiltration: Increasing Number of Tools Leveraged by Ransomware Attackers ∗∗∗ --------------------------------------------- Ransomware actors are deploying a growing array of data-exfiltration tools in their attacks and, over the past three months alone, Symantec has found attackers using at least dozen different tools capable of data exfiltration. While some exfiltration tools are malware, the vast majority are dual-use – legitimate software used by the attackers for malicious purposes. --------------------------------------------- https://symantec-enterprise-blogs.security.com/threat-intelligence/ransomwa… ∗∗∗ Badgerboard: A PLC backplane network visibility module ∗∗∗ --------------------------------------------- Analysis of the traffic between networked devices has always been of interest since devices could even communicate with one another. As the complexity of networks grew, the more useful dedicated traffic analysis tools became. Major advancements have been made over the years with tools like Snort or Wireshark, but these tools are only useful when accurate information is provided to them. By only sending a subset of the information being passed across a network to monitoring tools, analysts will be provided with an incomplete picture of the state of their network. --------------------------------------------- https://blog.talosintelligence.com/badgerboard-research/ ∗∗∗ Coper / Octo - A Conductor for Mobile Mayhem… With Eight Limbs? ∗∗∗ --------------------------------------------- In this blog post, we will detail our analysis and understanding of the Coper/Octo Android malware, examining the malware’s continued development, as well as providing insights into attack patterns, infrastructure utilization and management, and hunting tips. --------------------------------------------- https://www.team-cymru.com/post/coper-octo-a-conductor-for-mobile-mayhem-wi… ∗∗∗ New Linux Malware Alert: ‘Spinning YARN’ Hits Docker, Other Key Apps ∗∗∗ --------------------------------------------- According to Cado Security’s research research shared with Hackread.com ahead of publication on Wednesday, Spinning Yarn is a malicious campaign that exploits weaknesses in popular Linux software used by businesses across various sectors. --------------------------------------------- https://www.hackread.com/new-linux-malware-alert-spinning-yarn-docker-apps/ ∗∗∗ Fritz.box: Domain aus dem Verkehr gezogen ∗∗∗ --------------------------------------------- Unbekannte sicherten sich im Januar die Domain fritz.box. Doch die Verwirrung hielt nicht lange an. Jetzt wurde die Adresse aus dem Verkehr gezogen. --------------------------------------------- https://heise.de/-9647776 ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Security Advisories 2024-02-28 ∗∗∗ --------------------------------------------- Security Impact Rating: 2x High, 5x Medium --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs… ∗∗∗ VMSA-2024-0006 ∗∗∗ --------------------------------------------- VMware ESXi, Workstation, and Fusion contain a use-after-free vulnerability in the XHCI USB controller. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.3 for Workstation/Fusion and in the Important severity range with a maximum CVSSv3 base score of 8.4 for ESXi. [..] A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host. On ESXi, the exploitation is contained within the VMX sandbox whereas, on Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed. --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2024-0006.html ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libapache2-mod-auth-openidc, libuv1, php-phpseclib, and phpseclib), Red Hat (buildah, cups, curl, device-mapper-multipath, emacs, fence-agents, frr, fwupd, gmp, gnutls, golang, haproxy, keylime, libfastjson, libmicrohttpd, linux-firmware, mysql, openssh, rear, skopeo, sqlite, squid, systemd, and tomcat), Slackware (mozilla), SUSE (kernel-firmware-nvidia-gspx-G06, nvidia-open- driver-G06-signed, postgresql-jdbc, python, python-cryptography, rubygem-rack, wpa_supplicant, and xmlgraphics-batik), and Ubuntu (c-ares, firefox, libde265, libgit2, and ruby-image-processing). --------------------------------------------- https://lwn.net/Articles/964559/ ∗∗∗ CISA Adds Two Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CVE-2024-23225 / CVE-2024-23296 Apple iOS and iPadOS Memory Corruption Vulnerability --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/03/06/cisa-adds-two-known-expl… ∗∗∗ Foxit: Sicherheitsupdates in Foxit PDF Reader 2024.1 und Foxit PDF Editor 2024.1 verfügbar ∗∗∗ --------------------------------------------- https://www.foxit.com/de/support/security-bulletins.html ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Bosch: Git for Windows Multiple Security Vulnerabilities in Bosch DIVAR IP all-in-one Devices ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-637386-bt.html ∗∗∗ Bosch: Multiple OpenSSL vulnerabilities in BVMS ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-090577-bt.html ∗∗∗ F5: K000138827 : OpenSSH vulnerability CVE-2023-51385 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000138827 ∗∗∗ iOS 17.4 und iOS 16.7.6: Wichtige sicherheitskritische Bugfixes ∗∗∗ --------------------------------------------- https://heise.de/-9647164 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.03.2024
by Daily end-of-shift report 05 Mar '24

05 Mar '24

===================== = End-of-Day report = ===================== Timeframe: Montag 04-03-2024 18:00 − Dienstag 05-03-2024 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ ScreenConnect flaws exploited to drop new ToddleShark malware ∗∗∗ --------------------------------------------- The North Korean APT hacking group Kimsuky is exploiting ScreenConnect flaws, particularly CVE-2024-1708 and CVE-2024-1709, to infect targets with a new malware variant dubbed ToddleShark. --------------------------------------------- https://www.bleepingcomputer.com/news/security/screenconnect-flaws-exploite… ∗∗∗ Network tunneling with… QEMU? ∗∗∗ --------------------------------------------- While investigating an incident, we detected uncommon malicious activity inside one of the systems. We ran an analysis on the artifacts, only to find that the adversary had deployed and launched the QEMU hardware emulator. --------------------------------------------- https://securelist.com/network-tunneling-with-qemu/111803/ ∗∗∗ Warning: Thread Hijacking Attack Targets IT Networks, Stealing NTLM Hashes ∗∗∗ --------------------------------------------- The threat actor known as TA577 has been observed using ZIP archive attachments in phishing emails with an aim to steal NT LAN Manager (NTLM) hashes. --------------------------------------------- https://thehackernews.com/2024/03/warning-thread-hijacking-attack-targets.h… ∗∗∗ Pegasus spyware creator ordered to reveal code used to spy on WhatsApp users ∗∗∗ --------------------------------------------- Meta has won a court case against spyware vendor NSO Group to reveal the Pegasus spyware code that allows spying on WhatsApp users. --------------------------------------------- https://www.malwarebytes.com/blog/news/2024/03/pegasus-spyware-creator-orde… ∗∗∗ AnyDesk: Zugriffsversuche aus Spanien; Unsignierter Client verteilt ∗∗∗ --------------------------------------------- Das Drama bei AnyDesk geht anscheinend weiter, obwohl ich die Hoffnung hatte, das Thema langsam abschließen zu können... --------------------------------------------- https://www.borncity.com/blog/2024/03/05/anydesk-zugriffsversuche-aus-spani… ∗∗∗ WogRAT Malware Exploits aNotepad (Windows, Linux) ∗∗∗ --------------------------------------------- AhnLab Security intelligence Center (ASEC) has recently discovered the distribution of backdoor malware via aNotepad, a free online notepad platform. --------------------------------------------- https://asec.ahnlab.com/en/62446/ ∗∗∗ GhostSec’s joint ransomware operation and evolution of their arsenal ∗∗∗ --------------------------------------------- Cisco Talos observed a surge in GhostSec, a hacking group’s malicious activities since this past year. GhostSec has evolved with a new GhostLocker 2.0 ransomware, a Golang variant of the GhostLocker ransomware. --------------------------------------------- https://blog.talosintelligence.com/ghostsec-ghostlocker2-ransomware/ ∗∗∗ Ransomware: ALPHV/Blackcat betrügt offensichtlich Partner und zieht sich zurück ∗∗∗ --------------------------------------------- Die Fakten legen nahe, dass ALPHV/Blackcat einen Cybercrime-Partner um 22 Millionen US-Dollar betrogen und sich nun zurückgezogen hat. --------------------------------------------- https://heise.de/-9646707 ===================== = Vulnerabilities = ===================== ∗∗∗ Exploit available for new critical TeamCity auth bypass bug, patch now ∗∗∗ --------------------------------------------- A critical vulnerability (CVE-2024-27198) in the TeamCity On-Premises CI/CD solution from JetBrains can let a remote unauthenticated attacker take control of the server with administrative permissions. --------------------------------------------- https://www.bleepingcomputer.com/news/security/exploit-available-for-new-cr… ∗∗∗ Multiple vulnerabilities in RT-Thread RTOS ∗∗∗ --------------------------------------------- I reviewed RT-Thread’s source code hosted on GitHub and identified multiple security vulnerabilities that may cause memory corruption and security feature bypass. Their impacts range from denial of service to potential arbitrary code execution. --------------------------------------------- https://security.humanativaspa.it/multiple-vulnerabilities-in-rt-thread-rto… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (yard), Oracle (buildah and kernel), Red Hat (389-ds:1.4, edk2, frr, gnutls, haproxy, libfastjson, libX11, postgresql:12, sqlite, squid, squid:4, tcpdump, and tomcat), SUSE (apache2-mod_auth_openidc and glibc), and Ubuntu (linux-gke, python-cryptography, and python-django). --------------------------------------------- https://lwn.net/Articles/964450/ ∗∗∗ Zeek Security Tool Vulnerabilities Allow ICS Network Hacking ∗∗∗ --------------------------------------------- Vulnerabilities in a plugin for the Zeek network security monitoring tool can be exploited in attacks aimed at ICS environments. --------------------------------------------- https://www.securityweek.com/zeek-security-tool-vulnerabilities-allow-ics-n… ∗∗∗ VU#782720: TCG TPM2.0 implementations vulnerable to memory corruption ∗∗∗ --------------------------------------------- https://kb.cert.org/vuls/id/782720 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Security Vulnerabilities fixed in Thunderbird 115.8.1 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2024-11/ ∗∗∗ Nice Linear eMerge E3-Series ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-065-01 ∗∗∗ Santesoft Sante FFT Imaging ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-065-01 ∗∗∗ K000138814 : OpenLDAP vulnerability CVE-2023-2953 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000138814 ∗∗∗ Patchday: Kritische Schadcode-Lücken bedrohen Android 12, 13 und 14 ∗∗∗ --------------------------------------------- https://heise.de/-9646073 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.03.2024
by Daily end-of-shift report 04 Mar '24

04 Mar '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 01-03-2024 18:00 − Montag 04-03-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Gemini, ChatGPT und LLaVA: Neuer Wurm verbreitet sich in KI-Ökosystemen selbst ∗∗∗ --------------------------------------------- Forscher haben einen KI-Wurm entwickelt. Dieser kann nicht nur sensible Daten abgreifen, sondern sich auch selbst in einem GenAI-Ökosystem ausbreiten. --------------------------------------------- https://www.golem.de/news/gemini-chatgpt-und-llava-neuer-wurm-verbreitet-si… ∗∗∗ Hunting For Integer Overflows In Web Servers ∗∗∗ --------------------------------------------- In order to overflow something (e.g. an integer overflow) we clearly need some way to be able to do that (think pouring water from a kettle into a cup), and that’s the source (us using the kettle) to overflow the cup. Cup of tea aside, what things can be accessed remotely and take user input (those sources)? Web servers! This blog post title does not lie! --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/hunting-for… ∗∗∗ New Wave of SocGholish Infections Impersonates WordPress Plugins ∗∗∗ --------------------------------------------- SocGholish malware, otherwise known as “fake browser updates”, is one of the most common types of malware infections that we see on hacked websites. This long-standing malware campaign leverages a JavaScript malware framework that has been in use since at least 2017. The malware attempts to trick unsuspecting users into downloading what is actually a Remote Access Trojan (RAT) onto their computers, which is often the first stage in a ransomware infection. Late last week our incident response team identified a fresh wave of SocGholish (fake browser update) infections targeting WordPress websites. --------------------------------------------- https://blog.sucuri.net/2024/03/new-wave-of-socgholish-infections-impersona… ∗∗∗ Rise in Deceptive PDF: The Gateway to Malicious Payloads ∗∗∗ --------------------------------------------- McAfee Labs has recently observed a significant surge in the distribution of prominent malware through PDF files. Malware is not solely sourced from dubious websites or downloads; certain instances of malware may reside within apparently harmless emails, particularly within the PDF file attachments accompanying them. The subsequent trend observed in the past three months through McAfee telemetry pertains to the prevalence of malware distributed through non-portable executable (non-PE) vectors. --------------------------------------------- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/rise-in-deceptive-pdf-… ∗∗∗ Remote Stuxnet-Style Attack Possible With Web-Based PLC Malware: Researchers ∗∗∗ --------------------------------------------- A team of researchers has developed malware designed to target modern programmable logic controllers (PLCs) in an effort to demonstrate that remote Stuxnet-style attacks can be launched against such industrial control systems (ICS). --------------------------------------------- https://www.securityweek.com/remote-stuxnet-style-attack-possible-with-web-… ∗∗∗ Vorsicht vor falschen Paketbenachrichtigungen ∗∗∗ --------------------------------------------- Sie erwarten ein Paket? Prüfen Sie Benachrichtigungen über den Sendungsstatus sehr genau! Derzeit sind gefälschte Paketbenachrichtigungen im Namen aller gängigen Zustelldiensten im Umlauf. Klicken Sie niemals voreilig auf Links in E-Mails und SMS und geben Sie keine Kreditkartendaten preis! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-falschen-paketbenachric… ∗∗∗ Threat Brief: WordPress Exploit Leads to Godzilla Web Shell, Discovery & New CVE ∗∗∗ --------------------------------------------- Below is a recent Threat Brief that we shared with our customers. Each year, we produce over 50 detailed Threat Briefs, which follow a format similar to the below. Typically, these reports include specific dates and times to provide comprehensive insights; however, please note that such information has been redacted in this public version. IOCs are available to customers within Event 27236 (uuid – fe12e833-6f0c-45c9-97d6-83337ea6c5d3). --------------------------------------------- https://thedfirreport.com/2024/03/04/threat-brief-wordpress-exploit-leads-t… ∗∗∗ Microsoft schließt ausgenutzte Windows 0-day Schwachstelle CVE-2024-21338 sechs Monate nach Meldung ∗∗∗ --------------------------------------------- Im Februar 2024 hat Microsoft die Schwachstelle CVE-2024-21338 im Kernel von Windows 10/11 und diversen Windows Server-Versionen geschlossen. Super! Der Fehler an der Geschichte: Die Schwachstelle wurde von AVAST im August 2023 gemeldet, und die Schwachstelle wurde zu dieser Zeit als 0-day ausgenutzt. --------------------------------------------- https://www.borncity.com/blog/2024/03/03/microsoft-schliet-ausgenutzte-wind… ∗∗∗ Multistage RA World Ransomware Uses Anti-AV Tactics, Exploits GPO ∗∗∗ --------------------------------------------- The RA World (previously the RA Group) ransomware has managed to successfully breach organizations around the world since its first appearance in April 2023. Although the threat actor casts a wide net with its attacks, many of its targets were in the US, with a smaller number of attacks occurring in countries such as Germany, India, and Taiwan. When it comes to industries, the group focuses its efforts on businesses in the healthcare and financial sectors. --------------------------------------------- https://www.trendmicro.com/en_us/research/24/c/multistage-ra-world-ransomwa… ∗∗∗ GitHub als Malware-Schleuder ∗∗∗ --------------------------------------------- Eine Sicherheitsfirma berichtet über eine neue Masche, wie Schadcode im großen Stil verteilt wird: über kompromittierte Klon-Repositories auf GitHub. --------------------------------------------- https://heise.de/-9644525 ===================== = Vulnerabilities = ===================== ∗∗∗ Critical vulnerabilities in TeamCity JetBrains fixed, release of technical details imminent, patch quickly! (CVE-2024-27198, CVE-2024-27199) ∗∗∗ --------------------------------------------- JetBrains has fixed two critical security vulnerabilities (CVE-2024-27198, CVE-2024-27199) affecting TeamCity On-Premises and is urging customers to patch them immediately. --------------------------------------------- https://www.helpnetsecurity.com/2024/03/04/cve-2024-27198-cve-2024-27199/ ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr and thunderbird), Fedora (dotnet6.0, dotnet8.0, and mod_auth_openidc), Gentoo (Blender, Tox, and UltraJSON), Oracle (kernel), Red Hat (edk2), SUSE (sendmail and zabbix), and Ubuntu (nodejs and thunderbird). --------------------------------------------- https://lwn.net/Articles/964376/ ∗∗∗ Hikvision Patches High-Severity Vulnerability in Security Management System ∗∗∗ --------------------------------------------- Chinese video surveillance equipment manufacturer Hikvision has announced patches for two vulnerabilities in its security management system HikCentral Professional. The most important of these flaws is CVE-2024-25063, a high-severity bug that could lead to unauthorized access to certain URLs. --------------------------------------------- https://www.securityweek.com/hikvision-patches-high-severity-vulnerability-… ∗∗∗ Aruba: Codeschmuggel durch Sicherheitslücken im Clearpass Manager möglich ∗∗∗ --------------------------------------------- Im Aruba Clearpass Manager von HPE klaffen teils kritische Sicherheitslücken. Updates zum Schließen stehen bereit. [..] Eine Lücke betrifft den mitgelieferten Apache Struts-Server und erlaubt das Einschleusen von Befehlen (CVE-2023-50164, CVSS 9.8, Risiko "kritisch"). --------------------------------------------- https://heise.de/-9644607 ∗∗∗ Solarwinds: Schadcode-Lücke in Security Event Manager ∗∗∗ --------------------------------------------- Sicherheitslücken in Solarwinds Secure Event Manager können Angreifer zum Einschleusen von Schadcode missbrauchen. Updates stopfen die Lecks. --------------------------------------------- https://heise.de/-9644643 ∗∗∗ Angreifer können Systeme mit Dell-Software kompromittieren ∗∗∗ --------------------------------------------- Es sind wichtige Sicherheitspatches für Dell Data Protection Advisor, iDRAC8 und Secure Connect Gateway erschienen. --------------------------------------------- https://heise.de/-9644978 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ F5: K000138726 : Linux kernel vulnerability CVE-2023-3611 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000138726 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.03.2024
by Daily end-of-shift report 01 Mar '24

01 Mar '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 29-02-2024 18:00 − Freitag 01-03-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ CISA cautions against using hacked Ivanti VPN gateways even after factory resets ∗∗∗ --------------------------------------------- The U.S. Cybersecurity and Infrastructure Security Agency (CISA) revealed today that attackers who hack Ivanti VPN appliances using one of multiple actively exploited vulnerabilities may be able to maintain root persistence even after performing factory resets. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cisa-cautions-against-using-… ∗∗∗ Angriffe auf Windows-Lücke – Update seit einem halben Jahr verfügbar ∗∗∗ --------------------------------------------- Die CISA warnt vor Angriffen auf eine Lücke in Microsofts Streaming Service. Updates gibt es seit mehr als einem halben Jahr. --------------------------------------------- https://heise.de/-9643763 ∗∗∗ Wireshark Tutorial: Exporting Objects From a Pcap ∗∗∗ --------------------------------------------- This Wireshark tutorial guides the reader in exporting different packet capture objects. It builds on a foundation of malware traffic analysis skills. --------------------------------------------- https://unit42.paloaltonetworks.com/using-wireshark-exporting-objects-from-… ∗∗∗ Blue Team toolkit: 6 open-source tools to assess and enhance corporate defenses ∗∗∗ --------------------------------------------- Here’s how the blue team wards off red teamers and a few open-source tools it may leverage to identify chinks in the corporate armor. --------------------------------------------- https://www.welivesecurity.com/en/business-security/blue-team-toolkit-6-ope… ∗∗∗ Researchers spot new infrastructure likely used for Predator spyware ∗∗∗ --------------------------------------------- Cybersecurity researchers have identified new infrastructure likely used by the operators of the commercial spyware known as Predator in at least 11 countries. --------------------------------------------- https://therecord.media/new-predator-spyware-infrastructure-identified ∗∗∗ Covert TLS n-day backdoors: SparkCockpit & SparkTar ∗∗∗ --------------------------------------------- This report documents two covert TLS-based backdoors identified by NVISO: SparkCockpit & SparkTar. Both backdoors employ selective interception of TLS communication towards the legitimate Ivanti server applications. --------------------------------------------- https://blog.nviso.eu/2024/03/01/covert-tls-n-day-backdoors-sparkcockpit-sp… ∗∗∗ How To Hunt For UEFI Malware Using Velociraptor ∗∗∗ --------------------------------------------- UEFI threats have historically been limited in number and mostly implemented bynation state actors as stealthy persistence. However, the recent proliferationof Black Lotus on the dark web, Trickbot enumeration module (late 2022), andGlupteba (November 2023) indicates that this historical trend may be changing. With this context, it is becoming important for security practitioners to understand visibility and collection capabilities for UEFI threats. This post covers some of these areas and presents several recent Velociraptor artifacts that can be used in the field. --------------------------------------------- https://www.rapid7.com/blog/post/2024/02/29/how-to-hunt-for-uefi-malware-us… ∗∗∗ Bluetooth Unleashed: Syncing Up with the RattaGATTa Series! Part 1 ∗∗∗ --------------------------------------------- This post introduces GreyNoise Labs series on BTLE, highlighting its privacy and security implications, as well as the journey from basic usage to sophisticated system development, offering insights for cybersecurity professionals and tech enthusiasts alike. --------------------------------------------- https://www.greynoise.io/blog/bluetooth-unleashed-syncing-up-with-the-ratta… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (firefox and thunderbird), Debian (gsoap, python-django, and wireshark), Fedora (dotnet7.0 and gifsicle), Mageia (sympa), Oracle (postgresql:10, postgresql:12, thunderbird, and unbound), Red Hat (kpatch-patch, python-pillow, and squid:4), SUSE (nodejs12, nodejs14, nodejs16, nodejs18, and openvswitch3), and Ubuntu (linux-azure, linux-lowlatency, linux-starfive-6.5, php-guzzlehttp-psr7, and php-nyholm-psr7). --------------------------------------------- https://lwn.net/Articles/964166/ ∗∗∗ Sicherheitsupdate: Nividia-Grafikkarten-Treiber als Einfallstor für Angreifer ∗∗∗ --------------------------------------------- Insgesamt hat Nvidia mit den Updates acht Sicherheitslücken geschlossen. Davon sind vier (CVE-2024-0071, CVE-2024-0073, CVE-2024-0075, CVE-2024-0077) mit dem Bedrohungsgrad "hoch" eingestuft. An diesen Stellen können Angreifer auf einem nicht näher beschriebenen Weg Speicherfehler auslösen und so Schadcode auf Systeme schieben und ausführen. Im Anschluss gelten Computer in der Regel als vollständig kompromittiert. --------------------------------------------- https://heise.de/-9643306 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Autodesk: Multiple Vulnerabilities in the Autodesk AutoCAD Desktop Software ∗∗∗ --------------------------------------------- https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0004 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.02.2024
by Daily end-of-shift report 29 Feb '24

29 Feb '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 28-02-2024 18:00 − Donnerstag 29-02-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ LockBit ransomware returns to attacks with new encryptors, servers ∗∗∗ --------------------------------------------- The LockBit ransomware gang is once again conducting attacks, using updated encryptors with ransom notes linking to new servers after last weeks law enforcement disruption. --------------------------------------------- https://www.bleepingcomputer.com/news/security/lockbit-ransomware-returns-t… ∗∗∗ Neue Ransomwaregruppe: Angeblicher Cyberangriff auf Epic Games bleibt zweifelhaft ∗∗∗ --------------------------------------------- Die Hackergruppe Mogilevich bietet im Darknet Daten von Epic Games im Umfang von 189 GByte zum Verkauf an. Zweifel an dem Angebot sind jedoch angebracht. --------------------------------------------- https://www.golem.de/news/daten-stehen-zum-verkauf-neue-ransomwaregruppe-ha… ∗∗∗ GTPDOOR Linux Malware Targets Telecoms, Exploiting GPRS Roaming Networks ∗∗∗ --------------------------------------------- Threat hunters have discovered a new Linux malware called GTPDOOR that’s designed to be deployed in telecom networks that are adjacent to GPRS roaming exchanges (GRX). The malware is novel in the fact that it leverages the GPRS Tunnelling Protocol (GTP) for command-and-control (C2) communications. --------------------------------------------- https://thehackernews.com/2024/02/gtpdoor-linux-malware-targets-telecoms.ht… ∗∗∗ New Silver SAML Attack Evades Golden SAML Defenses in Identity Systems ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed a new attack technique called Silver SAML that can be successful even in cases where mitigations have been applied against Golden SAML attacks. --------------------------------------------- https://thehackernews.com/2024/02/new-silver-saml-attack-evades-golden.html ∗∗∗ #StopRansomware: Phobos Ransomware ∗∗∗ --------------------------------------------- This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. --------------------------------------------- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-060a ∗∗∗ ALPHV is singling out healthcare sector, say FBI and CISA ∗∗∗ --------------------------------------------- CISA, FBI and HHS are warning about the ALPHV/ Blackcat ransomware group targeting the healthcare industry. --------------------------------------------- https://www.malwarebytes.com/blog/news/2024/02/alphv-is-singling-out-health… ∗∗∗ GUloader Unmasked: Decrypting the Threat of Malicious SVG Files ∗∗∗ --------------------------------------------- This sophisticated malware loader has garnered attention for its stealthy techniques and ability to evade detection, posing a significant risk to organizations and individuals. --------------------------------------------- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/guloader-unmasked-decr… ∗∗∗ Amazon-Vishing: Vorsicht vor Fake-Amazon-Anrufen! ∗∗∗ --------------------------------------------- Am Telefon geben sich Kriminelle als Amazon-Mitarbeiter:innen aus. Unter verschiedenen Vorwänden bringen sie Sie dazu, TeamViewer oder AnyDesk zu installieren und räumen Ihr Konto leer! Sollten Sie so einen Anruf erhalten, legen Sie auf und blockieren Sie die Nummer. --------------------------------------------- https://www.watchlist-internet.at/news/amazon-vishing-vorsicht-vor-fake-ama… ∗∗∗ ADCS ESC14 Abuse Technique ∗∗∗ --------------------------------------------- In this blog post, we will explore the variations of abuse of explicit certificate mapping in AD, what the requirements are, and how you can protect your environment against it. --------------------------------------------- https://posts.specterops.io/adcs-esc14-abuse-technique-333a004dc2b9 ∗∗∗ The Art of Domain Deception: Bifrosts New Tactic to Deceive Users ∗∗∗ --------------------------------------------- The RAT Bifrost has a new Linux variant that leverages a deceptive domain in order to compromise systems. We analyze this expanded attack surface. --------------------------------------------- https://unit42.paloaltonetworks.com/new-linux-variant-bifrost-malware/ ∗∗∗ Vulnerabilities in business VPNs under the spotlight ∗∗∗ --------------------------------------------- As adversaries increasingly set their sights on vulnerable enterprise VPN software to infiltrate corporate networks, concerns mount about VPNs themselves being a source of cyber risk. --------------------------------------------- https://www.welivesecurity.com/en/business-security/vulnerabilities-busines… ∗∗∗ IT-Sicherheitsprodukte von Sophos verschlucken sich am Schaltjahr ∗∗∗ --------------------------------------------- Aufgrund eines Fehlers können Sophos Endpoint, Home und Server vor dem Besucht legitimer Websites warnen. Erste Lösungen sind bereits verfügbar. --------------------------------------------- https://heise.de/-9642801 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium), Fedora (moodle), Red Hat (kernel, kernel-rt, and postgresql:15), Slackware (wpa_supplicant), SUSE (Java and rear27a), and Ubuntu (libcpanel-json-xs-perl, libuv1, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.4, linux-lowlatency, linux-lowlatency-hwe-6.5, linux-oem-6.5, python-openstackclient, and unbound). --------------------------------------------- https://lwn.net/Articles/964039/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ 2024-01 Security Bulletin: JSA Series: Multiple vulnerabilities resolved in JSA Applications ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-01-Security-Bulletin-JSA-S… ∗∗∗ On Demand: JSA Series: Multiple vulnerabilities resolved in Juniper Secure Analytics in 7.5.0 UP7 IF05 ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/On-Demand-JSA-Series-Multiple-v… ∗∗∗ Delta Electronics CNCSoft-B ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-060-01 ∗∗∗ MicroDicom DICOM Viewer ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-060-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.02.2024
by Daily end-of-shift report 28 Feb '24

28 Feb '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 27-02-2024 18:00 − Mittwoch 28-02-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Ivanti: Enhanced External Integrity Checking Tool to Provide Additional Visibility and Protection for Customers Against Evolving Threat Actor Techniques in Relation to Previously Disclosed Vulnerabilities ∗∗∗ --------------------------------------------- As part of our exhaustive investigation into the recent attack against our customers, Ivanti and Mandiant released findings today regarding evolving threat actor tactics, techniques and procedures (TTPs). These findings were identified in the ongoing analysis of the previously disclosed vulnerabilities affecting Ivanti Connect Secure, Policy Secure and ZTA gateways, and include potential persistence techniques that we are monitoring, even though to date they have not been deployed successfully in the wild. --------------------------------------------- https://www.ivanti.com/blog/enhanced-external-integrity-checking-tool-to-pr… ∗∗∗ Savvy Seahorse gang uses DNS CNAME records to power investor scams ∗∗∗ --------------------------------------------- A threat actor named Savvy Seahorse is abusing CNAME DNS records Domain Name System to create a traffic distribution system that powers financial scam campaigns. --------------------------------------------- https://www.bleepingcomputer.com/news/security/savvy-seahorse-gang-uses-dns… ∗∗∗ Take Downs and the Rest of Us: Do they matter?, (Tue, Feb 27th) ∗∗∗ --------------------------------------------- Last week, the US Department of Justice published a press release entitled "Justice Department Conducts Court-Authorized Disruption of Botnet Controlled by the Russian Federations Main Intelligence Directorate of the General Staff (GRU)". The disruption targeted a botnet built using the "Moobot" malware. According to the press release, this particular botnet focused on routers made by Ubiquity, using well-known default credentials. Why do nation-state actors go after "simple" home devices? --------------------------------------------- https://isc.sans.edu/diary/rss/30694 ∗∗∗ European diplomats targeted by SPIKEDWINE with WINELOADER ∗∗∗ --------------------------------------------- Zscalers ThreatLabz discovered a suspicious PDF file uploaded to VirusTotal from Latvia on January 30th, 2024. This PDF file is masqueraded as an invitation letter from the Ambassador of India, inviting diplomats to a wine-tasting event in February 2024. The PDF also included a link to a fake questionnaire that redirects users to a malicious ZIP archive hosted on a compromised site, initiating the infection chain. --------------------------------------------- https://www.zscaler.com/blogs/security-research/european-diplomats-targeted… ∗∗∗ Hacker-Gruppe fordert Bitcoins: Erpresserische E-Mails enthalten Wohnadresse als Druckmittel ∗∗∗ --------------------------------------------- „Es freut uns sehr dir mitteilen zu können, das du keine Ahnung von Cyber Security Hast und wir dein Handy infizieren konnten“ beginnt ein E-Mail von einer angeblichen Hacker-Gruppe mit dem Namen „Russian Blakmail Army“. Angeblich wurden private Fotos und Inhalte von Ihnen gesammelt. Wenn Sie nicht wollen, dass diese veröffentlicht werden, sollten Sie 1000 Euro an eine Bitcoin-Wallet senden. Ignorieren Sie dieses E-Mail, es handelt sich um Fake. --------------------------------------------- https://www.watchlist-internet.at/news/hacker-gruppe-fordert-bitcoins-erpre… ∗∗∗ Navigating the Cloud: Exploring Lateral Movement Techniques ∗∗∗ --------------------------------------------- We illuminate lateral movement techniques observed in the wild within cloud environments, including Amazon Web Services (AWS), Google Cloud Platform (GCP) and Microsoft Azure. --------------------------------------------- https://unit42.paloaltonetworks.com/cloud-lateral-movement-techniques/ ∗∗∗ Lazarus and the FudModule Rootkit: Beyond BYOVD with an Admin-to-Kernel Zero-Day ∗∗∗ --------------------------------------------- Avast discovered an in-the-wild admin-to-kernel exploit for a previously unknown zero-day vulnerability in the appid.sys AppLocker driver. Thanks to Avast’s prompt report, Microsoft addressed this vulnerability as CVE-2024-21338 in the February Patch Tuesday update. The exploitation activity was orchestrated by the notorious Lazarus Group, with the end goal of establishing a kernel read/write primitive. This primitive enabled Lazarus to perform direct kernel object manipulation in an updated version of their data-only FudModule rootkit, a previous version of which was analyzed by ESET and AhnLab. --------------------------------------------- https://decoded.avast.io/janvojtesek/lazarus-and-the-fudmodule-rootkit-beyo… ∗∗∗ Russian Cyber Actors Use Compromised Routers to Facilitate Cyber Operations ∗∗∗ --------------------------------------------- This advisory provides observed tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), and recommendations to mitigate the threat posed by APT28 threat actors related to compromised EdgeRouters. --------------------------------------------- https://www.ic3.gov/Media/News/2024/240227.pdf ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (knot-resolver and wpa), Fedora (chromium, kernel, thunderbird, and yarnpkg), Mageia (c-ares), Oracle (firefox, kernel, opensc, postgresql:13, postgresql:15, and thunderbird), Red Hat (edk2, gimp:2.8, and kernel), SUSE (bind, bluez, container-suseconnect, dnsdist, freerdp, gcc12, gcc7, glib2, gnutls, kernel, kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t, libqt5-qtbase, libqt5-qtsvg, nodejs18, nodejs20, openssl, openssl-1_0_0, poppler, python-crcmod, python-cryptography, python-cryptography- vectors, python-pip, python-requests, python3-requests, python311, python39, rabbitmq-c, samba, sccache, shim, SUSE Manager 4.2, SUSE Manager Server 4.2, the Linux-RT Kernel, and thunderbird), and Ubuntu (less, openssl, php7.0, php7.2, php7.4, and tiff). --------------------------------------------- https://lwn.net/Articles/963957/ ∗∗∗ TeamViewer Passwort-Schwachstelle CVE-2024-0819 ∗∗∗ --------------------------------------------- Der Client für Windows sollte dringend auf die Version 15.51.5 aktualisiert werden. Der Hersteller hat einen Sicherheitshinweis veröffentlicht, aus dem hervorgeht, dass ältere Software-Versionen nur einen unvollständigen Schutz der persönlichen Kennworteinstellungen bieten. --------------------------------------------- https://www.borncity.com/blog/2024/02/28/teamviewer-passwort-schwachstelle-… ∗∗∗ Cisco Security Advisories 2024-02-28 ∗∗∗ --------------------------------------------- Security Impact Rating: 2x High, 3x Medium --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Checkmk: Werk #16361: Privilege escalation in Windows agent ∗∗∗ --------------------------------------------- https://checkmk.com/werk/16361 ∗∗∗ ARISTA Security Advisory 0093 ∗∗∗ --------------------------------------------- https://www.arista.com/en/support/advisories-notices/security-advisory/1903… ∗∗∗ Wiesemann & Theis: Multiple products prone to unquoted search path ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2024-018/ ∗∗∗ F5: K000138731 : Linux vulnerability CVE-2023-3776 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000138731 ∗∗∗ Google Chrome: Sicherheitsupdate bessert vier Schwachstellen aus ∗∗∗ --------------------------------------------- https://heise.de/-9641080 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.02.2024
by Daily end-of-shift report 27 Feb '24

27 Feb '24

===================== = End-of-Day report = ===================== Timeframe: Montag 26-02-2024 18:00 − Dienstag 27-02-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Open-Source Xeno RAT Trojan Emerges as a Potent Threat on GitHub ∗∗∗ --------------------------------------------- An "intricately designed" remote access trojan (RAT) called Xeno RAT has been made available on GitHub, making it available to other actors at no extra cost. --------------------------------------------- https://thehackernews.com/2024/02/open-source-xeno-rat-trojan-emerges-as.ht… ∗∗∗ Achtung Betrug: Kriminelle locken mit gratis Spar-Geschenkkarten und Klimatickets ∗∗∗ --------------------------------------------- Aktuell kursieren gefälschte Gewinnspiele für kostenlose Spar-Geschenkkarten und Klimatickets. Die Angebote werden per E-Mail, in Sozialen Netzwerken oder per Direktnachricht auf Ihr Handy verbreitet. Die verlockenden Angebote dienen dazu, Ihnen persönliche Daten und Geld zu stehlen! --------------------------------------------- https://www.watchlist-internet.at/news/achtung-betrug-kriminelle-locken-mit… ∗∗∗ Booking.com refund request? It might be an Agent Tesla malware attack ∗∗∗ --------------------------------------------- Always be wary of opening unsolicited attachments - they might harbour malware. --------------------------------------------- https://grahamcluley.com/booking-com-refund-request-it-might-be-an-agent-te… ∗∗∗ Phishing Malware That Sends Stolen Information Using Telegram API ∗∗∗ --------------------------------------------- Recently, several phishing scripts using Telegram are being distributed indiscriminately through keywords such as remittance and receipts. --------------------------------------------- https://asec.ahnlab.com/en/62177/ ∗∗∗ Threat Actor Groups, Including Black Basta, are Exploiting Recent ScreenConnect Vulnerabilities ∗∗∗ --------------------------------------------- This blog entry gives a detailed analysis of these recent ScreenConnect vulnerabilities. We also discuss our discovery of threat actor groups, including Black Basta and Bl00dy Ransomware gangs, that are actively exploiting CVE-2024-1708 and CVE-2024-1709 based on our telemetry. --------------------------------------------- https://www.trendmicro.com/en_us/research/24/b/threat-actor-groups-includin… ∗∗∗ Hunting PrivateLoader: The malware behind InstallsKey PPI service ∗∗∗ --------------------------------------------- Read the latest Bitsight research on PrivateLoader including important updates recently, including a new string encryption algorithm, a new alternative communication protocol and more. --------------------------------------------- https://www.bitsight.com/blog/hunting-privateloader-malware-behind-installs… ∗∗∗ Februar-Sicherheitsupdates für Windows 11 können fehlschlagen ∗∗∗ --------------------------------------------- Microsoft arbeitet an der Lösung eines Problems, das die Installation der Februar-Sicherheitsupdates in Windows 11 verhindert. --------------------------------------------- https://heise.de/-9639866 ===================== = Vulnerabilities = ===================== ∗∗∗ WordPress LiteSpeed Plugin Vulnerability Puts 5 Million Sites at Risk ∗∗∗ --------------------------------------------- A security vulnerability has been disclosed in the LiteSpeed Cache plugin for WordPress that could enable unauthenticated users to escalate their privileges. --------------------------------------------- https://thehackernews.com/2024/02/wordpress-litespeed-plugin.html ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (engrampa and libgit2), Fedora (libxls, perl-Spreadsheet-ParseXLSX, and wpa_supplicant), Gentoo (PyYAML), Mageia (packages and thunderbird), Red Hat (firefox, kernel, linux-firmware, thunderbird, and unbound), Slackware (openjpeg), SUSE (golang-github-prometheus-prometheus, installation-images, kernel, python-azure-core, python-azure-storage-blob, salt and python-pyzmq, SUSE Manager 4.2.11, SUSE Manager 4.3, SUSE Manager Server 4.2, and wayland), [...] --------------------------------------------- https://lwn.net/Articles/963805/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ XSA-451 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-451.html ∗∗∗ Zyxel Patches Remote Code Execution Bug in Firewall Products ∗∗∗ --------------------------------------------- https://www.securityweek.com/zyxel-patches-remote-code-execution-bug-in-fir… ∗∗∗ Festo: Multiple vulnerabilities affect MES PC shipped with Windows 10 ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-065/ ∗∗∗ Nagios XI: Schwachstellen CVE-2024-24401 und CVE-2024-24402; PoC öffentlich ∗∗∗ --------------------------------------------- https://www.borncity.com/blog/2024/02/27/nagios-xi-schwachstellen-cve-2024-… ∗∗∗ Mitsubishi Electric Multiple Factory Automation Products ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-058-01 ∗∗∗ Santesoft Sante DICOM Viewer Pro ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-058-01 ∗∗∗ VMSA-2024-0005 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2024-0005.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.02.2024
by Daily end-of-shift report 26 Feb '24

26 Feb '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 23-02-2024 18:00 − Montag 26-02-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Hijacked subdomains of major brands used in massive spam campaign ∗∗∗ --------------------------------------------- A massive ad fraud campaign named "SubdoMailing" is using over 8,000 legitimate internet domains and 13,000 subdomains to send up to five million emails per day to generate revenue through scams and malvertising. [..] As these domains belong to trusted companies, they gain the benefit of being able to bypass spam filters and, in some cases, take advantage of configured SPF and DKIM email policies that tell secure email gateways that the emails are legitimate and not spam. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hijacked-subdomains-of-major… ∗∗∗ New IDAT Loader Attacks Using Steganography to Deploy Remcos RAT ∗∗∗ --------------------------------------------- Ukrainian entities based in Finland have been targeted as part of a malicious campaign distributing a commercial remote access trojan known as Remcos RAT using a malware loader called IDAT Loader. --------------------------------------------- https://thehackernews.com/2024/02/new-idat-loader-attacks-using.html ∗∗∗ Actively exploited open redirect in Google Web Light ∗∗∗ --------------------------------------------- An open redirect vulnerability exists in the remains of Google Web Light service, which is being actively exploited in multiple phishing campaigns. Google decided not to fix it, so it might be advisable to block access to the Web Light domain in corporate environments. --------------------------------------------- https://untrustednetwork.net/en/2024/02/26/google-open-redirect/ ∗∗∗ Webinar: Wie schütze ich mich vor Identitätsdiebstahl? ∗∗∗ --------------------------------------------- n diesem Webinar schauen wir uns aktuelle Betrugsmaschen an und besprechen Tools, mit denen man sicherer im Internet unterwegs ist. --------------------------------------------- https://www.watchlist-internet.at/news/webinar-wie-schuetze-ich-mich-vor-id… ∗∗∗ Mattermost: Support for Extended Support Release 8.1 is ending soon ∗∗∗ --------------------------------------------- As of May 15, 2024, Mattermost Extended Support Release (ESR) version 8.1 will no longer be supported. If any of your servers are not on ESR 9.5 or later, upgrading is recommended. --------------------------------------------- https://mattermost.com/blog/support-for-extended-support-release-8-1-is-end… ∗∗∗ SVR Cyber Actors Adapt Tactics for Initial Cloud Access ∗∗∗ --------------------------------------------- This advisory details recent tactics, techniques, and procedures (TTPs) of the group commonly known as APT29, also known as Midnight Blizzard, the Dukes, or Cozy Bear. --------------------------------------------- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-057a ∗∗∗ Analysis of Nood RAT Used in Attacks Against Linux (Gh0st RAT’s Variant) ∗∗∗ --------------------------------------------- AhnLab SEcurity intelligence Center (ASEC) recently discovered that Nood RAT is being used in malware attacks. Nood RAT is a variant of Gh0st RAT that works in Linux. Although the number of Gh0st RAT for Linux is fewer compared to Gh0st RAT for Windows, the cases of Gh0st RAT for Linux are continuously being collected. --------------------------------------------- https://asec.ahnlab.com/en/62144/ ∗∗∗ Ransomware Roundup – Abyss Locker ∗∗∗ --------------------------------------------- FortiGuard Labs highlights the Abyss Locker ransomware group that steals information from victims and encrypts files for financial gain. --------------------------------------------- https://www.fortinet.com/blog/threat-research/ransomware-roundup-abyss-lock… ∗∗∗ Ransomware: LockBit gibt Fehler zu, plant Angriffe auf staatliche Einrichtungen ∗∗∗ --------------------------------------------- Die Ransomware-Gruppe LockBit gesteht Fehler aus Faulheit ein, macht sich über das FBI lustig und will Angriffe auf staatliche Einrichtungen intensivieren. --------------------------------------------- https://heise.de/-9638063 ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gnutls28, iwd, libjwt, and thunderbird), Fedora (chromium, expat, mingw-expat, mingw-openexr, mingw-python3, mingw-qt5-qt3d, mingw-qt5-qtactiveqt, mingw-qt5-qtbase, mingw-qt5-qtcharts, mingw-qt5-qtdeclarative, mingw-qt5-qtgraphicaleffects, mingw-qt5-qtimageformats, mingw-qt5-qtlocation, mingw-qt5-qtmultimedia, mingw-qt5-qtquickcontrols, mingw-qt5-qtquickcontrols2, mingw-qt5-qtscript, mingw-qt5-qtsensors, mingw-qt5-qtserialport, mingw-qt5-qtsvg, mingw-qt5-qttools, mingw-qt5-qttranslations, mingw-qt5-qtwebchannel, mingw-qt5-qtwebsockets, mingw-qt5-qtwinextras, mingw-qt5-qtxmlpatterns, and thunderbird), Gentoo (btrbk, Glances, and GNU Aspell), Mageia (clamav and xen, qemu and libvirt), Oracle (firefox and postgresql), Red Hat (firefox, opensc, postgresql:10, postgresql:12, postgresql:13, postgresql:15, thunderbird, and unbound), SUSE (firefox, java-1_8_0-ibm, libxml2, and thunderbird), and Ubuntu (binutils, linux, linux-aws, linux-gcp, linux-hwe-6.5, linux-laptop, linux-oracle, linux-raspi, linux-starfive, linux, linux-azure, linux-azure-5.15, linux-azure-fde, linux-gcp, linux-gcp-5.15, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, linux-raspi, linux-azure, linux-oem-6.1, and roundcube). --------------------------------------------- https://lwn.net/Articles/963725/ ∗∗∗ Critical Flaw in Popular ‘Ultimate Member’ WordPress Plugin ∗∗∗ --------------------------------------------- The vulnerability carries a CVSS severity score of 9.8/10 and affects web sites running the Ultimate Member WordPress membership plugin. --------------------------------------------- https://www.securityweek.com/critical-flaw-in-popular-ultimate-member-wordp… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Local Privilege Escalation via DLL Hijacking im Qognify VMS Client Viewer ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/local-privilege-escal… ∗∗∗ F5: K000138695 : OpenSSL vulnerability CVE-2024-0727 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000138695 ∗∗∗ F5: K000138682 : libssh vulnerability CVE-2023-2283 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000138682 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.02.2024
by Daily end-of-shift report 23 Feb '24

23 Feb '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 22-02-2024 18:00 − Freitag 23-02-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Web3 Crypto Malware: Angel Drainer – From Phishing Sites to Malicious Injections ∗∗∗ --------------------------------------------- In this post, we’ll describe how bad actors have started using crypto drainers to monetize traffic to compromised sites. Our analysis starts with a brief overview of the threat landscape and investigation of Wave 2 (the most massive infection campaign) before covering Angel Drainer scan statistics, predecessors, and most recent variants of website hacks that involve crypto drainers. --------------------------------------------- https://blog.sucuri.net/2024/02/web3-crypto-malware-angel-drainer.html ∗∗∗ Shortcuts-Lücke: Zero-Day-Exploit konnte Apples Systemsicherheit aushebeln ∗∗∗ --------------------------------------------- Apples TCC-Verfahren soll eigentlich verhindern, dass böswillige Apps ausgeführt werden. Mittels Shortcuts war das doch möglich. Die Lücke ist gestopft. --------------------------------------------- https://www.heise.de/-9636600 ∗∗∗ Intruders in the Library: Exploring DLL Hijacking ∗∗∗ --------------------------------------------- Dynamic-link library (DLL) hijacking remains a popular technique to run malware. We address its evolution using examples from the realm of cybercrime and more. --------------------------------------------- https://unit42.paloaltonetworks.com/dll-hijacking-techniques/ ∗∗∗ Everything you need to know about IP grabbers ∗∗∗ --------------------------------------------- You would never give your personal ID to random strangers, right? So why provide the ID of your computer? Unsuspecting users beware, IP grabbers do not ask for your permission. --------------------------------------------- https://www.welivesecurity.com/en/cybersecurity/everything-you-need-to-know… ∗∗∗ Weitere Informationen zu Angriffen gegen ConnectWise ScreenConnect ∗∗∗ --------------------------------------------- Sophos hat einen Überblick über Angriffe gegen ConnectWise ScreenConnect veröffentlicht. Demnach wurden bereits verschiedene Arten von Ransomware, verschiedene Information Stealer und auch unterschiedliche Remote-Access-Trojans (RATs) auf Basis der kürzlich von ConnectWise veröffentlichten Vulnerabilities in ScreenConnect deployt. Diese heterogene Bedrohungslage bedingt zur Abklärung einer bereits stattgefundenen Kompromittierung auch einen abstrahierten Blick auf etwaige eigene Installationen. Sophos beschreibt in den Kapiteln "Recommendations" und "Threat hunting information" Empfehlungen zur Vorgangsweise, selbst betriebene Instanzen auf Kompromittierungen zu untersuchen. Wir empfehlen weiterhin, etwaige eigene Installationen von ConnectWise ScreenConnect eine genaueren Untersuchung zuzuführen - auch wenn die vom Hersteller herausgegebenen Updates bereits eingespielt wurden. --------------------------------------------- https://cert.at/de/aktuelles/2024/2/weitere-informationen-zu-angriffen-gege… ∗∗∗ ProxyNotShell: Scan-Problematik der "false positives" bei Exchange (nmap, Greenbone) ∗∗∗ --------------------------------------------- Ende September 2022 scheuchte die als ProxyNotShell bekannt gewordene Schwachstelle in Microsoft Exchange Server Administratoren auf. Die Anfang August 2022 entdeckte Schwachstelle wurde als 0-day mit Exploits angegriffen und Microsoft brauchte mehrere Versuche, die Sicherheitslücke zu schließen. Inzwischen gibt es Scanner wie nmap oder Greenbone, um Exchange Server auf diese Schwachstelle zu prüfen. Allerdings liefern diese Scanner ggf. auch Fehlalarme. --------------------------------------------- https://www.borncity.com/blog/2024/02/23/proxynotshell-scan-problematik-der… ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitsupdate: Root-Lücke bedroht Servermonitoringtool Nagios XI ∗∗∗ --------------------------------------------- Admins sollten das Dienste-Monitoring mit Nagios XI aus Sicherheitsgründen zeitnah auf den aktuellen Stand bringen. --------------------------------------------- https://www.heise.de/-9636505 ∗∗∗ Sicherheitslücken: GitLab gegen mögliche Attacken abgesichert ∗∗∗ --------------------------------------------- Updates schließen mehrere Schwachstellen in GitLab. Eine Lücke bleibt aber offensichtlich erstmal bestehen. --------------------------------------------- https://www.heise.de/-9636995 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, imagemagick, and iwd), Fedora (chromium, firefox, and pdns-recursor), Mageia (nodejs and yarnpkg), Red Hat (firefox, postgresql, and postgresql:15), and SUSE (bind, mozilla-nss, openssh, php-composer2, python-pycryptodome, python-uamqp, python310, and tiff). --------------------------------------------- https://lwn.net/Articles/963352/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Sonicwall: SMA100 MFA Improper Access Control Vulnerability ∗∗∗ --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0001 ∗∗∗ F5: K000138693 : Linux kernel vulnerabilities CVE-2023-4206, CVE-2023-4207, and CVE-2023-4208 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000138693 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.02.2024
by Daily end-of-shift report 22 Feb '24

22 Feb '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 21-02-2024 18:00 − Donnerstag 22-02-2024 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ New SSH-Snake malware steals SSH keys to spread across the network ∗∗∗ --------------------------------------------- A threat actor is using an open-source network mapping tool named SSH-Snake to look for private keys undetected and move laterally on the victim infrastructure. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-ssh-snake-malware-steals… ∗∗∗ Google Play Store: Banking-Trojaner nimmt europäische Nutzer ins Visier ∗∗∗ --------------------------------------------- Im Google Play Store tauchen Varianten des Anatsa-Banking-Trojaners auf. Sie kommen auf über 100.000 Installationen. --------------------------------------------- https://www.heise.de/news/Google-Play-Store-Banking-Trojaner-nimmt-europaei… ∗∗∗ Why ransomware gangs love using RMM tools—and how to stop them ∗∗∗ --------------------------------------------- More and more ransomware gangs are using RMM tools in their attacks. --------------------------------------------- https://www.malwarebytes.com/blog/business/2024/02/why-ransomware-gangs-lov… ∗∗∗ Unmasking Lorenz Ransomware: A Dive into Recent Tactics, Techniques and Procedures ∗∗∗ --------------------------------------------- In the ever-evolving landscape of cyber threats, ransomware remains a persistent menace, with groups like Lorenz actively exploiting vulnerabilities in small to medium businesses globally. --------------------------------------------- https://research.nccgroup.com/2024/02/22/unmasking-lorenz-ransomware-a-dive… ∗∗∗ Angriffe gegen ConnectWise ScreenConnect ∗∗∗ --------------------------------------------- Die Remote Desktop und Access Software ConnectWise ScreenConnect ist aktuell Ziel von Cyberangriffen. Der Hersteller der Software hatte kürzlich ein Security Advisory bezüglich Authentication Bypass und Path Traversal Vulnerabilities veröffentlicht und dieses inzwischen um Hinweise auf bereits laufende Angriff und Indikatoren für eine bereits stattgefundene Kompromittierung erweitert. --------------------------------------------- https://cert.at/de/aktuelles/2024/2/angriffe-gegen-connectwise-screenconnect ∗∗∗ TinyTurla-NG in-depth tooling and command and control analysis ∗∗∗ --------------------------------------------- Cisco Talos, in cooperation with CERT.NGO, has discovered new malicious components used by the Turla APT. New findings from Talos illustrate the inner workings of the command and control (C2) scripts deployed on the compromised WordPress servers utilized in the compromise we previously disclosed. --------------------------------------------- https://blog.talosintelligence.com/tinyturla-ng-tooling-and-c2/ ∗∗∗ LockBit Attempts to Stay Afloat With a New Version ∗∗∗ --------------------------------------------- This research is the result of our collaboration with the National Crime Agency in the United Kingdom, who took action against LockBit as part of Operation Cronos, an international effort resulting in the undermining of its operations. --------------------------------------------- https://www.trendmicro.com/en_us/research/24/b/lockbit-attempts-to-stay-afl… ∗∗∗ Decrypted: HomuWitch Ransomware ∗∗∗ --------------------------------------------- HomuWitch is a ransomware strain that initially emerged in July 2023. Unlike the majority of current ransomware strains, HomuWitch targets end-users - individuals - rather than institutions and companies. --------------------------------------------- https://decoded.avast.io/threatresearch/decrypted-homuwitch-ransomware/ ∗∗∗ “To live is to fight, to fight is to live! - IBM ODM Remote Code Execution ∗∗∗ --------------------------------------------- In today’s match-up, we’re looking at various versions(both old and new!) of IBM’s “Operational Decision Manager” (ODM). --------------------------------------------- https://labs.watchtowr.com/double-k-o-rce-in-ibm-operation-decision-manager/ ===================== = Vulnerabilities = ===================== ∗∗∗ Codeschmuggel-Lücke in diversen HP Laser-Druckern ∗∗∗ --------------------------------------------- HP warnt mit gleich zwei Sicherheitsmeldungen vor Lücken in diversen Laserjet-Druckern. Firmwareupdates sollen sie schließen. --------------------------------------------- https://www.heise.de/news/Codeschmuggel-Luecke-in-diversen-HP-Laser-Drucker… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (python-pillow), Debian (firefox-esr and imagemagick), Fedora (kernel, mbedtls, rust-asyncgit, rust-bat, rust-cargo-c, rust-eza, rust-git-absorb, rust-git-delta, rust-git2, rust-gitui, rust-libgit2-sys, rust-lsd, rust-pore, rust-pretty-git-prompt, rust-shadow-rs, rust-silver, rust-tokei, and rust-vergen), Gentoo (LibreOffice), Red Hat (kpatch-patch), Slackware (mozilla), SUSE (docker, python-pycryptodome, python3, and qemu), [...] --------------------------------------------- https://lwn.net/Articles/963205/ ∗∗∗ Progress Kemp LoadMaster (Load-Balancer) Schwachstelle CVE-2024-1212 ∗∗∗ --------------------------------------------- Zum 8. Februar 2024 gab es den Hinweis für Administratoren, die den Load-Balancer LoadMaster von Progress Kemp verwenden, dessen Firmware zu aktualisieren. --------------------------------------------- https://www.borncity.com/blog/2024/02/22/progress-kemp-loadmaster-load-bala… ∗∗∗ 2024-02-22: Cyber Security Advisory - B&R Automation Studio & Technology Guarding products use insufficient communication encryption ∗∗∗ --------------------------------------------- https://www.br-automation.com/fileadmin/SA23P019_Automation_Studio_Upgrade_… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ WAGO: Multiple products affected by Terrapin ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2024-014/ ∗∗∗ [R1] Tenable Identity Exposure Secure Relay Version 3.59.4 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2024-03 ∗∗∗ [R1] Tenable Identity Exposure Version 3.59.4 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2024-04 ∗∗∗ Delta Electronics CNCSoft-B DOPSoft ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-053-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.02.2024
by Daily end-of-shift report 21 Feb '24

21 Feb '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 20-02-2024 18:00 − Mittwoch 21-02-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Open Source in Enterprise Environments - Where Are We Now and What Is Our Way Forward? ∗∗∗ --------------------------------------------- We have been used to hearing that free and open source software and enterprise environments in Big Business are fundamentally opposed and do not mix well. Is that actually the case, or should we rather explore how business and free software can both benefit going forward? --------------------------------------------- https://bsdly.blogspot.com/2022/09/open-source-in-enterprise-environments.h… ∗∗∗ VoltSchemer attacks use wireless chargers to inject voice commands, fry phones ∗∗∗ --------------------------------------------- A team of academic researchers show that a new set of attacks called VoltSchemer can inject voice commands to manipulate a smartphones voice assistant through the magnetic field emitted by an off-the-shelf wireless charger. --------------------------------------------- https://www.bleepingcomputer.com/news/security/voltschemer-attacks-use-wire… ∗∗∗ Security: Forscher erzeugen Fingerabdrücke aus Wischgeräuschen ∗∗∗ --------------------------------------------- Die Methode basiert auf einer Reihe komplexer Algorithmen, mit denen sich schließlich ein Master-Fingerabdruck erzeugen lässt. --------------------------------------------- https://www.golem.de/news/security-forscher-erzeugen-fingerabdruecke-aus-wi… ∗∗∗ Phishing pages hosted on archive.org, (Wed, Feb 21st) ∗∗∗ --------------------------------------------- The Internet Archive is a well-known and much-admired institution, devoted to creating a “digital library of Internet sites and other cultural artifacts in digital form”[1]. [...] Unfortunately, since it allows for uploading of files by users, it is also used by threat actors to host malicious content from time to time[2,3]. --------------------------------------------- https://isc.sans.edu/diary/rss/30676 ∗∗∗ Breakdown of Tycoon Phishing-as-a-Service System ∗∗∗ --------------------------------------------- Just weeks after Trustwave SpiderLabs reported on the Greatness phishing-as-a-service (PaaS) framework, SpiderLabs’ Email Security team is tracking another PaaS called Tycoon Group. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/breakdown-o… ∗∗∗ re: Zyxel VPN Series Pre-auth Remote Command Execution ∗∗∗ --------------------------------------------- An unauthenticated command injection exploit affecting Zyxel firewalls was published in late January without an associated CVE. The vulnerability turns out to be CVE-2023-33012. The associated disclosure did not mention any caveats to exploitation, but it turns out only an uncommon configuration is affected. --------------------------------------------- https://vulncheck.com/blog/zyxel-cve-2023-33012 ∗∗∗ Vibrator virus steals your personal information ∗∗∗ --------------------------------------------- One of our customers found their vibrator was buzzing with a hint of malware. --------------------------------------------- https://www.malwarebytes.com/blog/news/2024/02/vibrator-virus-steals-your-p… ∗∗∗ Redis Servers Targeted With New ‘Migo’ Malware ∗∗∗ --------------------------------------------- Attackers weaken Redis instances to deploy the new Migo malware and install a rootkit and cryptominers. --------------------------------------------- https://www.securityweek.com/redis-servers-targeted-with-new-migo-malware/ ∗∗∗ Fake-SMS zum Ablauf der Finanz-Online ID im Umlauf! ∗∗∗ --------------------------------------------- Kriminelle versenden aktuell massenhaft SMS im Namen des BMF zum angeblichen Ablauf der FinanzOnline ID, beziehungsweise ID Austria. Links in den Smishing-Nachrichten führen auf gefälschte Finanz-Online-Websites, auf denen persönliche Daten abgegriffen werden. Diese Daten können anschließend für personalisierte Folgebetrugsmaschen eingesetzt werden. Ignorieren Sie diese SMS-Nachrichten! --------------------------------------------- https://www.watchlist-internet.at/news/fake-sms-zum-ablauf-der-finanz-onlin… ∗∗∗ Detecting Malicious Actors By Observing Commands in Shell History ∗∗∗ --------------------------------------------- Among the myriad techniques and tools at the disposal of cybersecurity experts, one subtle yet powerful method often goes unnoticed: the analysis of shell history to detect malicious actors. --------------------------------------------- https://orca.security/resources/blog/understand-shell-commands-detect-malic… ∗∗∗ Practical Vulnerability Archaeology Starring Ivantis CVE-2021-44529 ∗∗∗ --------------------------------------------- In 2021, Ivanti patched a vulnerability that they called “code injection”. Rumors say it was a backdoor in an open source project. Let’s find out what actually happened! --------------------------------------------- https://www.greynoise.io/blog/practical-vulnerability-archaeology-starring-… ∗∗∗ CISA, EPA, and FBI Release Top Cyber Actions for Securing Water Systems ∗∗∗ --------------------------------------------- Today, CISA, the Environmental Protection Agency (EPA), and the Federal Bureau of Investigation (FBI) released the joint fact sheet Top Cyber Actions for Securing Water Systems. This fact sheet outlines the following practical actions Water and Wastewater Systems (WWS) Sector entities can take to better protect water systems from malicious cyber activity and provides actionable guidance [...] --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/02/21/cisa-epa-and-fbi-release… ∗∗∗ Lucifer DDoS botnet Malware is Targeting Apache Big-Data Stack ∗∗∗ --------------------------------------------- Aqua Nautilus has unveiled a new campaign targeting Apache big-data stack, specifically Apache Hadoop and Apache Druid. Upon investigation, it was discovered that the attacker exploits existing misconfigurations and vulnerabilities within our Apache cloud honeypots to execute the attacks. --------------------------------------------- https://blog.aquasec.com/lucifer-ddos-botnet-malware-is-targeting-apache-bi… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Unified Intelligence Center Insufficient Access Control Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the Live Data server of Cisco Unified Intelligence Center could allow an unauthenticated, local attacker to read and modify data in a repository that belongs to an internal service on an affected device. This vulnerability is due to insufficient access control implementations on cluster configuration CLI requests. An attacker could exploit this vulnerability by sending a cluster configuration CLI request to specific directories on an affected device. --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Web Services Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- In February 2024, the Cisco Product Security Incident Response Team (PSIRT) became aware of additional attempted exploitation of this vulnerability in the wild. Cisco continues to strongly recommend that customers upgrade to a fixed software release to remediate this vulnerability. --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ WS_FTP Server Service Pack (February 2024) ∗∗∗ --------------------------------------------- This article contains the details of the specific updates within the WS_FTP Server February 2024 Service Pack. The Service Pack contains a fix for the newly disclosed CVE described below. Progress highly recommends you apply this Service Pack for product updates and security improvements. For Service Pack content, please review the Service Pack Release Notes and this knowledgebase article carefully. --------------------------------------------- https://community.progress.com/s/article/WS-FTP-Server-Service-Pack-Februar… ∗∗∗ Broadcom schließt Sicherheitslücken in VMware Aria Operations und EAP-Plug-in ∗∗∗ --------------------------------------------- Broadcom verteilt Updates für VMware Aria Operations und das EAP Browser Plug-in. Sie bessern teils kritische Sicherheitslücken aus. --------------------------------------------- https://www.heise.de/-9634714.html ∗∗∗ Firefox und Thunderbird: Neue Versionen liefern Sicherheitsfixes ∗∗∗ --------------------------------------------- Neue Versionen von Firefox, Firefox ESR und Thunderbird stehen bereit. Sie dichten im Kern Sicherheitslücken ab. --------------------------------------------- https://www.heise.de/-9634418.html ∗∗∗ VMSA-2024-0003 ∗∗∗ --------------------------------------------- Addressing Arbitrary Authentication Relay and Session Hijack Vulnerabilities in Deprecated VMware Enhanced Authentication Plug-in (EAP) (CVE-2024-22245, CVE-2024-22250) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2024-0003.html ∗∗∗ VMSA-2024-0004 ∗∗∗ --------------------------------------------- VMware Aria Operations updates address local privilege escalation vulnerability. (CVE-2024-22235) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2024-0004.html ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (linux-firmware and python-reportlab), Debian (unbound), Fedora (freeglut and syncthing), Red Hat (edk2, go-toolset:rhel8, java-1.8.0-ibm, kernel, kernel-rt, mysql:8.0, oniguruma, and python-pillow), Slackware (libuv and mozilla), SUSE (abseil-cpp, grpc, opencensus-proto, protobuf, python- abseil, python-grpcio, re2, bind, dpdk, firefox, hdf5, libssh, libssh2_org, libxml2, mozilla-nss, openssl-1_1, openvswitch, postgresql12, postgresql13, postgresql14, postgresql15, postgresql16, python-aiohttp, python-time-machine, python-pycryptodomex, runc, and webkit2gtk3), and Ubuntu (kernel, libspf2, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, and linux, linux-aws, linux-kvm, linux-lts-xenial). --------------------------------------------- https://lwn.net/Articles/963035/ ∗∗∗ Chrome 122, Firefox 123 Patch High-Severity Vulnerabilities ∗∗∗ --------------------------------------------- Google and Mozilla resolve high-severity memory safety vulnerabilities with the latest Chrome and Firefox updates. --------------------------------------------- https://www.securityweek.com/chrome-122-firefox-123-patch-high-severity-vul… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ K000138649 : GnuTLS vulnerability CVE-2023-5981 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000138649 ∗∗∗ K000138650 : cURL vulnerability CVE-2023-46218 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000138650 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.02.2024
by Daily end-of-shift report 20 Feb '24

20 Feb '24

===================== = End-of-Day report = ===================== Timeframe: Montag 19-02-2024 18:00 − Dienstag 20-02-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Ransomware: Lockbit durch Ermittler zerschlagen - zwei Festnahmen ∗∗∗ --------------------------------------------- Operation Cronos: Je eine Verhaftung in Polen und der Ukraine, Ermittler haben Datenschatz sowie Zugriff auf Kryptogeld und Websites von Lockbit erbeutet. --------------------------------------------- https://www.heise.de/-9633327 ∗∗∗ Hackers exploit critical RCE flaw in Bricks WordPress site builder ∗∗∗ --------------------------------------------- Hackers are actively exploiting a critical remote code execution (RCE) flaw impacting the Brick Builder Theme to run malicious PHP code on vulnerable sites. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-exploit-critical-rce… ∗∗∗ Cactus ransomware claim to steal 1.5TB of Schneider Electric data ∗∗∗ --------------------------------------------- The Cactus ransomware gang claims they stole 1.5TB of data from Schneider Electric after breaching the companys network last month. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cactus-ransomware-claim-to-s… ∗∗∗ Over 28,500 Exchange servers vulnerable to actively exploited bug ∗∗∗ --------------------------------------------- Up to 97,000 Microsoft Exchange servers may be vulnerable to a critical severity privilege escalation flaw tracked as CVE-2024-21410 that hackers are actively exploiting. --------------------------------------------- https://www.bleepingcomputer.com/news/security/over-28-500-exchange-servers… ∗∗∗ Vorsicht vor falschen Microsoft-Sicherheitswarnungen beim Surfen im Internet ∗∗∗ --------------------------------------------- Beim Surfen im Internet taucht plötzlich eine Sicherheitswarnung von Microsoft auf. Darin heißt es, dass Ihr Gerät von einem Virus befallen sei und Sie die „Windowshilfe“ anrufen sollen. Rufen Sie diese Nummer keinesfalls an. Es handelt sich um ein betrügerisches Pop-Up-Fenster. Wenn Sie anrufen, stehlen Kriminelle Daten und Geld! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-falschen-microsoft-sich… ∗∗∗ Astaroth, Mekotio & Ousaban abusing Google Cloud Run in LATAM-focused malware campaigns ∗∗∗ --------------------------------------------- Google Cloud Run is currently being abused in high-volume malware distribution campaigns, spreading several banking trojans such as Astaroth (aka Guildma), Mekotio and Ousaban to targets across Latin America and Europe. The volume of emails associated with these campaigns has significantly increased since September 2023 and we continue to regularly observe new email distribution campaigns. --------------------------------------------- https://blog.talosintelligence.com/google-cloud-run-abuse/ ∗∗∗ A technical analysis of the BackMyData ransomware used to attack hospitals in Romania ∗∗∗ --------------------------------------------- Summary According to BleepingComputer, a ransomware attack that occurred starting 0n February 11 forced 100 hospitals across Romania to take their systems offline. BackMyData ransomware, which took credit for it, belongs to the Phobos family. --------------------------------------------- https://cybergeeks.tech/a-technical-analysis-of-the-backmydata-ransomware-u… ===================== = Vulnerabilities = ===================== ∗∗∗ Critical Flaws Found in ConnectWise ScreenConnect Software - Patch Now ∗∗∗ --------------------------------------------- ConnectWise has released software updates to address two security flaws in its ScreenConnect remote desktop and access software, including a critical bug that could enable remote code execution on affected systems. The vulnerabilities, which currently lack CVE identifiers, are listed below - Authentication bypass using an alternate path or channel (CVSS score: 10.0) - Improper limitation of a pathname to a restricted directory aka "path traversal" (CVSS score: 8.4) --------------------------------------------- https://thehackernews.com/2024/02/critical-flaws-found-in-connectwise.html ∗∗∗ Multiple Stored Cross-Site-Scripting Vulnerabilities in OpenOLAT (Frentix GmbH) ∗∗∗ Several stored XSS vulnerabilities were identified in the open source e-learning application OpenOLAT, as well as missing security measures in the standard configurations regarding content security policy (CSP). [..] The vendor provides a patch which should be installed immediately. --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/mutiple-stored-cross-sit… ∗∗∗ SQL Injection Vulnerability Patched in RSS Aggregator by Feedzy WordPress Plugin ∗∗∗ --------------------------------------------- On February 1st, 2024, during our second Bug Bounty Extravaganza, we received a submission for a SQL Injection vulnerability in RSS Aggregator by Feedzy, a WordPress plugin with more than 50,000+ active installations. The vulnerability enables threat actors with contributor-level permissions or higher to extract sensitive data from the database, such as password hashes. --------------------------------------------- https://www.wordfence.com/blog/2024/02/sql-injection-vulnerability-patched-… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (freeglut, hugin, libmodsecurity, qemu, rust-asyncgit, rust-bat, rust-cargo-c, rust-eza, rust-git-absorb, rust-git-delta, rust-git2, rust-gitui, rust-libgit2-sys, rust-lsd, rust-pore, rust-pretty-git-prompt, rust-shadow-rs, rust-silver, rust-tokei, and rust-vergen), Mageia (packages, radare2, ruby-rack, and wireshark), Oracle (.NET 8.0 and python-pillow), Red Hat (gimp:2.8, java-1.8.0-ibm, and kpatch-patch), SUSE (dpdk and opera), and Ubuntu (bind9, curl, linux-raspi, linux-raspi-5.4, node-ip, and tiff). --------------------------------------------- https://lwn.net/Articles/962881/ ∗∗∗ Zyxel security advisory for multiple vulnerabilities in firewalls and APs ∗∗∗ --------------------------------------------- Zyxel has released patches addressing multiple vulnerabilities in some firewall and access point (AP) versions. Users are advised to install the patches for optimal protection. CVEs: CVE-2023-6397, CVE-2023-6398, CVE-2023-6399, CVE-2023-6764 --------------------------------------------- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-… ∗∗∗ Joomla: [20240205] - Core - Inadequate content filtering within the filter code ∗∗∗ --------------------------------------------- https://developer.joomla.org:443/security-centre/929-20240205-core-inadequa… ∗∗∗ Joomla: [20240204] - Core - XSS in mail address outputs ∗∗∗ --------------------------------------------- https://developer.joomla.org:443/security-centre/928-20240204-core-xss-in-m… ∗∗∗ Joomla: [20240203] - Core - XSS in media selection fields ∗∗∗ --------------------------------------------- https://developer.joomla.org:443/security-centre/927-20240203-core-xss-in-m… ∗∗∗ Joomla: [20240202] - Core - Open redirect in installation application ∗∗∗ --------------------------------------------- https://developer.joomla.org:443/security-centre/926-20240202-core-open-red… ∗∗∗ Joomla: [20240201] - Core - Insufficient session expiration in MFA management views ∗∗∗ --------------------------------------------- https://developer.joomla.org:443/security-centre/925-20240201-core-insuffic… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Mozilla: Security Vulnerabilities fixed in Firefox 123 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2024-05/ ∗∗∗ MISP 2.4.185 released with sighting performance improvements, security and bugs fixes. ∗∗∗ --------------------------------------------- https://github.com/MISP/MISP/releases/tag/v2.4.185 ∗∗∗ Ethercat Zeek Plugin ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-051-02 ∗∗∗ Mitsubishi Electric Electrical Discharge Machines ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-051-03 ∗∗∗ Commend WS203VICM ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-051-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.02.2024
by Daily end-of-shift report 19 Feb '24

19 Feb '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 16-02-2024 18:00 − Montag 19-02-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Anatsa Android malware downloaded 150,000 times via Google Play ∗∗∗ --------------------------------------------- The Anatsa banking trojan has been targeting users in Europe by infecting Android devices through malware droppers hosted on Google Play. --------------------------------------------- https://www.bleepingcomputer.com/news/security/anatsa-android-malware-downl… ∗∗∗ Mirai-Mirai On The Wall... [Guest Diary], (Sun, Feb 18th) ∗∗∗ --------------------------------------------- This article is about one of the ways attackers on the open Internet are attempting to use the Mirai Botnet [1][2] malware to exploit vulnerabilities on exposed IoT devices. --------------------------------------------- https://isc.sans.edu/diary/rss/30658 ∗∗∗ Remote Access Trojan (RAT): Types, Mitigation & Removal ∗∗∗ --------------------------------------------- Remote Access Trojans (RATs) are a serious threat capable of giving attackers control over infected systems. This malware stealthily enters systems (often disguised as legitimate software or by exploiting a vulnerability in the system) and opens backdoors for attackers to perform a wide range of malicious activities on the victim’s computer. This blog post is designed to educate readers on RATs - how they work, the risks they pose, and how to protect against them. --------------------------------------------- https://blog.sucuri.net/2024/02/remote-access-trojan-rat-types-mitigation-r… ∗∗∗ The scary DNS “KeyTrap” bug explained in plain words ∗∗∗ --------------------------------------------- If you were following the IT media last week, you’d have been forgiven for awaiting the imminent implosion of the internet, with DNS itself in desperate danger. [...] Obviously, the next step is for the community to update the DNSSEC specifications, and thereby to protect proactively against this sort of extreme denial-of-service attack by building in new precautions for everyone to follow. --------------------------------------------- https://pducklin.com/2024/02/18/the-scary-dns-keytrap-bug-explained-in-plai… ∗∗∗ KI: OpenAI und Microsoft schließen Konten staatlicher Bedrohungsakteure ∗∗∗ --------------------------------------------- Microsoft und OpenAI haben Konten mutmaßlicher staatlicher Bedrohungsakteure geschlossen, die ChatGPT für kriminelle Zwecke nutzten. --------------------------------------------- https://www.heise.de/-9631899.html ∗∗∗ Mastodon: Spamwelle zeigt Schwächen auf und weckt Sorge vor schlimmerer Methode ∗∗∗ --------------------------------------------- Seit Tagen klagen einige User auf Mastodon über eine Spamwelle. Der liegen automatisierte Angriffe auf unzureichend geschützte Teile des Fediverse zugrunde. --------------------------------------------- https://www.heise.de/-9632055.html ∗∗∗ CVE Prioritizer: Open-source tool to prioritize vulnerability patching ∗∗∗ --------------------------------------------- CVE Prioritizer is an open-source tool designed to assist in prioritizing the patching of vulnerabilities. It integrates data from CVSS, EPSS, and CISA’s KEV catalog to offer insights into the probability of exploitation and the potential effects of vulnerabilities on your systems. --------------------------------------------- https://www.helpnetsecurity.com/2024/02/19/cve-prioritizer-open-source-vuln… ∗∗∗ Why keeping track of user accounts is important ∗∗∗ --------------------------------------------- CISA has issued an advisory after the discovery of documents containing information about a state government organization’s network environment on a dark web brokerage site. --------------------------------------------- https://www.malwarebytes.com/blog/news/2024/02/why-keeping-track-of-user-ac… ∗∗∗ Gefälschtes Flixbus-Angebot: „Verlorenes Gepäck für 2 Euro“ ∗∗∗ --------------------------------------------- Auf Facebook und Instagram kursiert eine gefälschte Flixbus-Werbung. In der Anzeige steht, dass Flixbus angeblich verlorenes Gepäck um 2 Euro verkauft. Geködert werden Sie mit dem Versprechen, dass sich in den Koffern oft Handys, Laptops oder Schmuck befinden. Es handelt sich aber um eine Abo-Falle. --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschtes-flixbus-angebot-verlore… ∗∗∗ The Most Dangerous Entra Role You’ve (Probably) Never Heard Of ∗∗∗ --------------------------------------------- Entra ID has a built-in role called “Partner Tier2 Support” that enables escalation to Global Admin, but [...] --------------------------------------------- https://posts.specterops.io/the-most-dangerous-entra-role-youve-probably-ne… ===================== = Vulnerabilities = ===================== ∗∗∗ CVE-2024-23724: Ghost CMS Stored XSS Leading to Owner Takeover ∗∗∗ --------------------------------------------- During research on the Ghost CMS application, the Rhino research team identified a Stored Cross-Site Scripting (XSS) vulnerability which can be triggered by a malicious profile image. [...] The vendor does not view this as a valid vector so will not be releasing an official patch, but it’s important to us at Rhino to not release unpatched vulnerabilities. While this is a unique case, we’ve decided to make the patch ourselves [...] --------------------------------------------- https://rhinosecuritylabs.com/research/cve-2024-23724-ghost-cms-stored-xss/ ∗∗∗ Solarwinds: Codeschmuggel möglich, Updates verfügbar ∗∗∗ --------------------------------------------- Solarwinds schließt Sicherheitslücken in Access Rights Manager und Platform (Orion). Angreifer können Schadcode einschleusen. --------------------------------------------- https://www.heise.de/-9632541.html ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (engrampa, openvswitch, pdns-recursor, and runc), Fedora (caddy, expat, freerdp, libgit2, libgit2_1.6, mbedtls, python-cryptography, qt5-qtbase, and sudo), Gentoo (Apache Log4j, Chromium, Google Chrome, Microsoft Edge, CUPS, e2fsprogs, Exim, firefox, Glade, GNU Tar, intel-microcode, libcaca, QtNetwork, QtWebEngine, Samba, Seamonkey, TACACS+, Thunar, and thunderbird), Mageia (dnsmasq, unbound, and vim), Oracle (container-tools:4.0, container-tools:ol8, dotnet6.0, dotnet7.0, kernel, nss, openssh, and sudo), Red Hat (python-pillow), and SUSE (bitcoin, dpdk, libssh, openvswitch, postgresql12, and postgresql13). --------------------------------------------- https://lwn.net/Articles/962753/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ ADS-TEC Industrial IT: Docker vulnerability affects multiple products ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2024-016/ ∗∗∗ K000138640 : Perl vulnerability CVE-2023-47038 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000138640 ∗∗∗ K000138641 : cURL vulnerability CVE-2023-46219 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000138641 ∗∗∗ K000138643 : OpenSSH vulnerability CVE-2023-51767 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000138643 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.02.2024
by Daily end-of-shift report 16 Feb '24

16 Feb '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 15-02-2024 18:00 − Freitag 16-02-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ RansomHouse gang automates VMware ESXi attacks with new MrAgent tool ∗∗∗ --------------------------------------------- The RansomHouse ransomware operation has created a new tool named MrAgent that automates the deployment of its data encrypter across multiple VMware ESXi hypervisors. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ransomhouse-gang-automates-v… ∗∗∗ Berliner Kritis-Lieferant: PSI Software nimmt Systeme nach Cyberangriff offline ∗∗∗ --------------------------------------------- Der Softwarekonzern beliefert unter anderem Betreiber von Energienetzen und Verkehrsinfrastrukturen sowie Kunden aus den Bereichen Industrie und Logistik. --------------------------------------------- https://www.golem.de/news/berliner-kritis-lieferant-psi-software-nimmt-syst… ∗∗∗ Phishing und Spoofing: BSI gibt Hinweise zur E-Mail-Authentifizierung ∗∗∗ --------------------------------------------- Gewappnet mit Standards wie SPF, DKIM und DMARC könnten Anbieter selbst neue Angriffe wie SMTP-Smuggling erschweren, heißt es in einer Technischen Richtlinie. --------------------------------------------- https://www.heise.de/-9631309 ∗∗∗ F5 behebt 20 Sicherheitslücken in Big-IP-Loadbalancer, WAF und nginx ∗∗∗ --------------------------------------------- Unter anderem konnten Angreifer eigenen Code in den Loadbalancer einschmuggeln, nginx hingegen verschluckte sich an HTTP3/QUIC-Anfragen. --------------------------------------------- https://www.heise.de/-9629983 ∗∗∗ Falsche DHL-Boten fordern am Telefon SMS-Code für vermeintliche Paketzustellung ∗∗∗ --------------------------------------------- Kriminelle ergaunern SMS-Codes für Paket-Zustellungen. Dabei geben sich die Täter gegenüber potenziellen Opfern als angebliche DHL-Mitarbeiter aus. --------------------------------------------- https://www.heise.de/-9630541 ∗∗∗ Alpha Ransomware Emerges From NetWalker Ashes ∗∗∗ --------------------------------------------- Alpha, a new ransomware that first appeared in February 2023 and stepped up its operations in recent weeks, has strong similarities to the long-defunct NetWalker ransomware, which disappeared in January 2021 following an international law enforcement operation. --------------------------------------------- https://symantec-enterprise-blogs.security.com/threat-intelligence/alpha-ne… ===================== = Vulnerabilities = ===================== ∗∗∗ CISA Warning: Akira Ransomware Exploiting Cisco ASA/FTD Vulnerability ∗∗∗ --------------------------------------------- The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a now-patched security flaw impacting Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software to its Known Exploited Vulnerabilities (KEV) catalog, following reports that its being likely exploited in Akira ransomware attacks. --------------------------------------------- https://thehackernews.com/2024/02/cisa-warning-akira-ransomware.html ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Mageia (bind), Red Hat (.NET 8.0 and kpatch-patch), SUSE (golang-github-prometheus-alertmanager, java-1_8_0-openj9, kernel, libaom, openssl-3, postgresql15, salt, SUSE Manager Client Tools, SUSE Manager Server 4.3, and webkit2gtk3), and Ubuntu (shadow). --------------------------------------------- https://lwn.net/Articles/962506/ ∗∗∗ Eight Vulnerabilities Disclosed in the AI Development Supply Chain ∗∗∗ --------------------------------------------- Details of eight vulnerabilities found in the open source supply chain used to develop in-house AI and ML models have been disclosed. All have CVE numbers, one has critical severity, and seven have high severity. [..] They are: CVE-2023-6975: arbitrary file write in MLFLow, CVSS 9.8, CVE-2023-6753: arbitrary file write on Windows in MLFlow, CVSS 9.6, CVE-2023-6730: RCE in Hugging Face Transformers via RagRetriever.from_pretrained(), CVSS 9.0, CVE-2023-6940: server side template injection bypass in MLFlow, CVSS 9.0, CVE-2023-6976: arbitrary file upload patch bypass in MLFlow, CVSS 8.8, CVE-2023-31036: RCE via arbitrary file overwrite in Triton Inference Server, CVSS 7.5, CVE-2023-6909: local file inclusion in MLFlow, CVSS 7.5, CVE-2024-0964: LFI in Gradio, CVSS 7.5 --------------------------------------------- https://www.securityweek.com/eight-vulnerabilities-disclosed-in-the-ai-deve… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.02.2024
by Daily end-of-shift report 15 Feb '24

15 Feb '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 14-02-2024 18:00 − Donnerstag 15-02-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Warnung vor kritischer Outlook RCE-Schwachstelle CVE-2024-21413 ∗∗∗ --------------------------------------------- In Microsoft Outlook wurde eine als kritisch eingestufte CVE-2024-21413 bekannt, die mit den Februar 2024 Sicherheitsupdates geschlossen wird. Die Remote Code Execution-Schwachstelle lässt sich geradezu trivial ausnutzen. [..] Die von Checkpoint Security aufgedeckte Schwachstelle ermöglicht einem Angreifer die geschützte Office-Ansicht zu umgehen und das Dokument im Bearbeitungsmodus statt im geschützten Modus zu öffnen. [..] Dazu muss der Angreifer einen bösartigen Link erstellen, der das Protected View-Protokoll umgeht. Das führt dann zum Abfluss lokaler NTLM-Anmeldeinformationen und zur Remotecodeausführung (RCE). --------------------------------------------- https://www.borncity.com/blog/2024/02/15/warnung-vor-kritischer-outlook-rce… ∗∗∗ Nachlese zu CU 14 für Exchange 2019 und Schwachstelle CVE-2024-21410 (Feb. 2024) ∗∗∗ --------------------------------------------- Zum 13. Februar 2024 wurde ja eine kritische Schwachstelle CVE-2024-21410 in Microsoft Exchange Server öffentlich. [..] Was ist mit Exchange Server 2016 und was muss ich tun, um vor CVE-2024-21410 geschützt zu sein. Hier eine Nachlese mit einem groben Abriss. --------------------------------------------- https://www.borncity.com/blog/2024/02/15/nachlese-zu-cu-14-fr-exchange-2019… ∗∗∗ New ‘Gold Pickaxe’ Android, iOS malware steals your face for fraud ∗∗∗ --------------------------------------------- A new iOS and Android trojan named GoldPickaxe employs a social engineering scheme to trick victims into scanning their faces and ID documents, which are believed to be used to generate deepfakes for unauthorized banking access. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-gold-pickaxe-android-ios… ∗∗∗ QR Phishing. Fact or Fiction? ∗∗∗ --------------------------------------------- To understand the attack you need understand the challenge that the attacker faces. Currently, most initial access attempts are carried out with social engineering, commonly phishing. Why is that? Well, it looks like people have finally got good at patching. According to the 2022 Verizon data breach incident report only 5% of data breaches investigated by them were caused by software vulnerabilities. --------------------------------------------- https://www.pentestpartners.com/security-blog/qr-phishing-fact-or-fiction/ ∗∗∗ Vorsicht vor dieser Fake Erste Bank SMS ∗∗∗ --------------------------------------------- Kriminelle versenden SMS im Namen der Erste Bank bzw. George. Darin behaupten sie, dass eine Überweisung über einen hohen Geldbetrag freigegeben oder ein Darlehen aufgenommen wurde und bitten um Kontaktaufnahmen. Kontaktieren Sie nicht die angegebene Nummer, Sie werden dazu verleitet Schadsoftware zu installieren! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-dieser-fake-erste-bank-… ∗∗∗ The Complete Guide to Advanced Persistent Threats ∗∗∗ --------------------------------------------- Understanding the mechanics and implications of APTs is essential to safeguard organizations and individuals. In this comprehensive guide, we explore the world of APTs, explaining their nature, mechanisms, and the best strategies to counteract them. --------------------------------------------- https://www.emsisoft.com/en/blog/44815/the-complete-guide-to-advanced-persi… ∗∗∗ TinyTurla Next Generation - Turla APT spies on Polish NGOs ∗∗∗ --------------------------------------------- Talos, in cooperation with CERT.NGO, investigated another compromise by the Turla threat actor, with a new backdoor quite similar to TinyTurla, that we are calling TinyTurla-NG (TTNG). [..] Talos identified the existence of three different TinyTurla-NG samples, but only obtained access to two of them. This campaign’s earliest compromise date was Dec. 18, 2023, and was still active as recently as Jan. 27, 2024. However, we assess that the campaign may have started as early as November 2023 based on malware compilation dates. --------------------------------------------- https://blog.talosintelligence.com/tinyturla-next-generation/ ===================== = Vulnerabilities = ===================== ∗∗∗ AlphaESS Wechselrichter: WLAN-Zugang mit unveränderlichem Passwort ∗∗∗ --------------------------------------------- Wechselrichter und Speichersysteme von AlphaESS kommen mit optionalem WLAN-Modul. Das spannt einen Zugangspunkt mit Standard-Passwort auf. --------------------------------------------- https://www.heise.de/-9628912 ∗∗∗ Node.js: Sicherheitsupdates beheben Codeschmuggel und Serverabstürze ∗∗∗ --------------------------------------------- Neben Problemen im Kern des Projekts aktualisiert das Node-Projekt auch einige externe Bibliotheken. --------------------------------------------- https://www.heise.de/-9629299 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (edk2, postgresql-13, and postgresql-15), Fedora (engrampa, vim, and xen), Mageia (mbedtls and quictls), Oracle (nss, openssh, and tcpdump), Red Hat (.NET 8.0), SUSE (hugin, kernel, pdns-recursor, python3, tomcat, and tomcat10), and Ubuntu (clamav, edk2, linux-gcp-6.2, linux-intel-iotg-5.15, linux-oem-6.1, and ujson). --------------------------------------------- https://lwn.net/Articles/962284/ ∗∗∗ Drupal: CKEditor 4 LTS - WYSIWYG HTML editor - Moderately critical - Cross Site Scripting - SA-CONTRIB-2024-009 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2024-009 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (February 5, 2024 to February 11, 2024) ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2024/02/wordfence-intelligence-weekly-wordpr… ∗∗∗ Autodesk: ZDI reported security vulnerabilities in the Autodesk AutoCAD Desktop Software ∗∗∗ --------------------------------------------- https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0002 ∗∗∗ Palo Alto: CVE-2024-0011 PAN-OS: Reflected Cross-Site Scripting (XSS) Vulnerability in Captive Portal Authentication (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2024-0011 ∗∗∗ Palo Alto: CVE-2024-0008 PAN-OS: Insufficient Session Expiration Vulnerability in the Web Interface (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2024-0008 ∗∗∗ Palo Alto: CVE-2024-0010 PAN-OS: Reflected Cross-Site Scripting (XSS) Vulnerability in GlobalProtect Portal (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2024-0010 ∗∗∗ Palo Alto: CVE-2024-0007 PAN-OS: Stored Cross-Site Scripting (XSS) Vulnerability in the Panorama Web Interface (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2024-0007 ∗∗∗ Palo Alto: CVE-2024-0009 PAN-OS: Improper IP Address Verification in GlobalProtect Gateway (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2024-0009 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.02.2024
by Daily end-of-shift report 14 Feb '24

14 Feb '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 13-02-2024 18:00 − Mittwoch 14-02-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Ubuntu command-not-found tool can be abused to spread malware ∗∗∗ --------------------------------------------- A logic flaw between Ubuntus command-not-found package suggestion system and the snap package repository could enable attackers to promote malicious Linux packages to unsuspecting users. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ubuntu-command-not-found-too… ∗∗∗ Security review for Microsoft Edge version 121 ∗∗∗ --------------------------------------------- Microsoft Edge version 121 introduced 11 new computer settings and 11 new user settings. We have included a spreadsheet listing the new settings in the release to make it easier for you to find them. --------------------------------------------- https://techcommunity.microsoft.com/t5/microsoft-security-baselines/securit… ∗∗∗ Fake-Angebote für Samsungs Galaxy S24, S24+ und S24 Ultra mit Nachnahmezahlung! ∗∗∗ --------------------------------------------- Vor wenigen Wochen hat Samsung das Galaxy S24, das Galaxy S24+ sowie das Galaxy S24 Ultra vorgestellt. Die Preise für die neuen Geräte bewegen sich zum Marktstart zwischen 780 und 1800 Euro für die unterschiedlichen Modelle. Um vieles billiger versprechen Kriminelle das Gerät. Für 269 Euro per Nachnahme gibt es das teuerste Gerät auf shop.mgmmgme.shop. So viel ist sicher: Das versprochene Gerät wird hier nie geliefert und Zahlungen per Nachnahme sind verloren. --------------------------------------------- https://www.watchlist-internet.at/news/fake-angebote-fuer-samsungs-galaxy-s… ∗∗∗ The Risks of the #MonikerLink Bug in Microsoft Outlook and the Big Picture ∗∗∗ --------------------------------------------- Recently, Check Point Research released a white paper titled “The Obvious, the Normal, and the Advanced: A Comprehensive Analysis of Outlook Attack Vectors”, detailing various attack vectors on Outlook to help the industry understand the security risks the popular Outlook app may bring into organizations. As mentioned in the paper, we discovered an interesting security issue in Outlook when the app handles specific hyperlinks. In this blog post, we will share our research on the issue with the security community and help defend against it. We will also highlight the broader impact of this bug in other software. --------------------------------------------- https://research.checkpoint.com/2024/the-risks-of-the-monikerlink-bug-in-mi… ∗∗∗ TicTacToe Dropper ∗∗∗ --------------------------------------------- We analyzed multiple samples of this dropper. The executable malware file was usually delivered through an .iso file. From cases directly observed in the wild, these iso files were delivered to the victim via phishing as an attachment (T1566.001). This technique of packing malware inside an iso file is typically employed to avoid detection by antivirus software and as a mark-of-the-web (MOTW) bypass technique (T1553.005). --------------------------------------------- https://feeds.fortinet.com/~/869921006/0/fortinet/blogs~TicTacToe-Dropper ===================== = Vulnerabilities = ===================== ∗∗∗ Patchday: Adobe schließt Schadcode-Lücken in Acrobat & Co. ∗∗∗ --------------------------------------------- Für mehrere Adobe-Produkte sind wichtige Sicherheitsupdates erschienen. Damit haben die Entwickler unter anderem kritische Schwachstellen geschlossen. --------------------------------------------- https://www.heise.de-9627753 ∗∗∗ Webkonferenz-Tool Zoom: Rechteausweitung durch kritische Schwachstelle ∗∗∗ --------------------------------------------- Zoom warnt vor mehreren Schwachstellen in den Produkten des Unternehmens. Eine gilt als kritisches Sicherheitsrisiko. --------------------------------------------- https://www.heise.de/-9627817 ∗∗∗ Microsoft Security Update Summary (13. Februar 2024) ∗∗∗ --------------------------------------------- Am 13. Februar 2024 hat Microsoft Sicherheitsupdates für Windows-Clients und -Server, für Office – sowie für weitere Produkte – veröffentlicht. Die Sicherheitsupdates beseitigen 73 Schwachstellen (CVEs), zwei sind 0-day Sicherheitslücken, die bereits ausgenutzt werden. --------------------------------------------- https://www.borncity.com/blog/2024/02/13/microsoft-security-update-summary-… ∗∗∗ Released: 2024 H1 Cumulative Update for Exchange Server ∗∗∗ --------------------------------------------- Today we are announcing the availability of the 2024 H1 Cumulative Update (CU) for Exchange Server 2019 (aka CU14). CU14 includes fixes for customer reported issues, a security change, and all previously released Security Updates (SUs). --------------------------------------------- https://techcommunity.microsoft.com/t5/exchange-team-blog/released-2024-h1-… ∗∗∗ Chipmaker Patch Tuesday: AMD and Intel Patch Over 100 Vulnerabilities ∗∗∗ --------------------------------------------- AMD and Intel patch dozens of vulnerabilities on February 2024 Patch Tuesday, including multiple high-severity bugs.The post Chipmaker Patch Tuesday: AMD and Intel Patch Over 100 Vulnerabilities appeared first on SecurityWeek. --------------------------------------------- https://www.securityweek.com/chipmaker-patch-tuesday-amd-and-intel-patch-ov… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (bind9 and unbound), Fedora (clamav, firecracker, libkrun, rust-event-manager, rust-kvm-bindings, rust-kvm-ioctls, rust-linux-loader, rust-userfaultfd, rust-versionize, rust-vhost, rust-vhost-user-backend, rust-virtio-queue, rust-vm-memory, rust-vm-superio, rust-vmm-sys-util, and virtiofsd), Red Hat (.NET 6.0, dotnet6.0, and dotnet7.0), Slackware (bind and dnsmasq), and Ubuntu (dotnet6, dotnet7, dotnet8, linux-lowlatency, linux-raspi, linux-nvidia-6.2, and ujson). --------------------------------------------- https://lwn.net/Articles/962077/ ∗∗∗ F5: K000138353 : Quarterly Security Notification (February 2024) ∗∗∗ --------------------------------------------- On February 14, 2024, F5 announced the following security issues. This document is intended to serve as an overview of these vulnerabilities and security exposures to help determine the impact to your F5 devices. You can find the details of each issue in the associated articles. --------------------------------------------- https://my.f5.com/manage/s/article/K000138353 ∗∗∗ F5: K98606833 : BIG-IP and BIG-IQ scp vulnerability CVE-2024-21782 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K98606833 ∗∗∗ F5: K91054692 : BIG-IP Appliance mode iAppsLX vulnerability CVE-2024-23976 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K91054692 ∗∗∗ F5: K000137521 : BIG-IP AFM vulnerability CVE-2024-21763 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000137521 ∗∗∗ F5: K000137334 : F5 Application Visibility and Reporting module and BIG-IP Advanced WAF/ASM vulnerability CVE-2024-23805 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000137334 ∗∗∗ 2024-02-14: Cyber Security Advisory - B&R APROL SSH service vulnerable to Terrapin attack ∗∗∗ --------------------------------------------- https://www.br-automation.com/fileadmin/SA24P004_SSH_Service_Vulnerable_To_… ∗∗∗ tenable: [R1] Security Center Version 6.3.0 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2024-02 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Lenovo Security Advisories ∗∗∗ --------------------------------------------- https://support.lenovo.com/at/en/product_security/home -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.02.2024
by Daily end-of-shift report 13 Feb '24

13 Feb '24

===================== = End-of-Day report = ===================== Timeframe: Montag 12-02-2024 18:00 − Dienstag 13-02-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ The (D)Evolution of Pikabot ∗∗∗ --------------------------------------------- Pikabot is a malware loader that originally emerged in early 2023. Over the past year, ThreatLabz has been tracking the development of Pikabot and its modus operandi. There was a significant increase in usage in the second half of 2023 following the FBI-led takedown of Qakbot. This was likely the result of a BlackBasta ransomware affiliate replacing Qakbot with Pikabot for initial access. However, Pikabot ceased activity shortly after Christmas 2023, with its version number being 1.1.19 at that time. In recent campaigns, which started in February 2024, Pikabot reemerged with significant changes in its code base and structure. --------------------------------------------- https://www.zscaler.com/blogs/security-research/d-evolution-pikabot ∗∗∗ GMX, Web.de, Online-Dienste: Angriffe auf Zugangsdaten nehmen zu ∗∗∗ --------------------------------------------- Etwas alarmistisch melden einige Medien, dass es vermehrt Angriffe auf Zugangskonten von GMX oder Web.de gebe, die unter anderem sehr populäre Webmail-Dienste bereitstellen. Es werden dort bei zahlreichen Konten sehr hohe Zahlen für fehlerhafte Log-in-Versuche angezeigt. Es handelt sich offenbar um die alltäglichen Angriffe auf Zugangsdaten von Cyberkriminellen, die versuchen, mit gestohlenen Accountinformationen auf Online-Dienste zuzugreifen. --------------------------------------------- https://www.heise.de/-9626994 ∗∗∗ Vorsicht vor gefälschten WKÖ-E-Mails ∗∗∗ --------------------------------------------- Kriminelle geben sich als Wirtschaftskammer Österreich aus und bitten Unternehmen in einem E-Mail, Kontaktdaten zu aktualisieren. Klicken Sie keinesfalls auf den Link, Sie werden auf eine gefälschte WKÖ-Seite geführt. Dort stehlen Kriminelle Firmen- und Bankdaten. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-gefaelschten-wkoe-e-mai… ∗∗∗ Directory.ReadWrite.All Is Not As Powerful As You Might Think ∗∗∗ --------------------------------------------- Directory.ReadWrite.All is an MS Graph permission that is frequently cited as granting high amounts of privilege, even being equated to the Global Admin Entra ID role [..] Misleading or incorrect documentation create most of the misconceptions regarding this permission. --------------------------------------------- https://posts.specterops.io/directory-readwrite-all-is-not-as-powerful-as-y… ∗∗∗ Ongoing Microsoft Azure account hijacking campaign targets executives ∗∗∗ --------------------------------------------- A phishing campaign detected in late November 2023 has compromised hundreds of user accounts in dozens of Microsoft Azure environments, including those of senior executives. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ongoing-microsoft-azure-acco… ∗∗∗ Fileless Revenge RAT Malware ∗∗∗ --------------------------------------------- AhnLab SEcurity intelligence Center (ASEC) recently discovered the distribution of Revenge RAT malware that had been developed based on legitimate tools. It appears that the attackers have used tools such as ‘smtp-validator’ and ‘Email To Sms’. At the time of execution, the malware creates and runs both a legitimate tool and a malicious file, making it difficult for users to realize that a malicious activity has occurred. --------------------------------------------- https://asec.ahnlab.com/en/61584/ ===================== = Vulnerabilities = ===================== ∗∗∗ Request Tracker Write-up (CVE-2023-41259, CVE-2023-41260) ∗∗∗ --------------------------------------------- Without authentication we were able to extract file-attachments that were uploaded to RT, including e-mails received from and to users regarding tickets and issues. We also found it was possible to obtain information about tickets and users. --------------------------------------------- https://www.linkedin.com/pulse/request-tracker-write-up-tom-wolters-ygsae ∗∗∗ PowerDNS Security Advisory 2024-01: crafted DNSSEC records in a zone can lead to a denial of service in Recursor ∗∗∗ --------------------------------------------- An attacker can publish a zone that contains crafted DNSSEC related records. While validating results from queries to that zone using the RFC mandated algorithms, the Recursor’s resource usage can become so high that processing of other queries is impacted, resulting in a denial of service. Note that any resolver following the RFCs can be impacted, this is not a problem of this particular implementation. --------------------------------------------- https://doc.powerdns.com/recursor/security-advisories/powerdns-advisory-202… ∗∗∗ DNS-Server: Bind und Unbound stolpern über Sicherheitslücke "KeyTrap" ∗∗∗ --------------------------------------------- Mit einer präparierten DNS-Anfrage können Angreifer eine hohe Prozessorlast verursachen und den Dienst für legitime Nutzer so blockieren. Patches stehen bereit. --------------------------------------------- https://www.heise.de/-9627276 ∗∗∗ Sicherheitslücken: Angreifer können Dell Unity kompromittieren ∗∗∗ --------------------------------------------- Die Fehler stecken in Dell Unity Operating Enviroment (OE). Die Entwickler geben an, die Ausgabe 5.4.0.0.5.094 repariert zu haben. Von den Sicherheitsproblemen sind unter anderem Dell EMC Unity, Dell EMC Unity XT 380F und Dell EMC Unity Hybrid betroffen. Alle verwundbaren Produkte sind in der Warnmeldung aufgelistet. --------------------------------------------- https://www.heise.de/-9626407 ∗∗∗ Qnap: Sicherheitslücken in Firmware erlauben Einschleusen von Befehlen ∗∗∗ --------------------------------------------- In der Sicherheitswarnung schreibt Qnap, dass es sich um zwei Schwachstellen handelt. Die Beschreibung für beide lautet: Eine Befehlsschmuggel-Schwachstelle wurde in mehreren Qnap-Betriebssystemversionen gemeldet. Sofern sie missbraucht werden, erlauben sie Nutzern, Befehle über das Netzwerk auszuführen (CVE-2023-47218, CVE-2023-50358, CVSS 5.8, Risiko "mittel"). --------------------------------------------- https://www.heise.de/-9626319 ∗∗∗ SAP patcht: 13 Sicherheitslücken abgedichtet ∗∗∗ --------------------------------------------- SAP verteilt Software-Updates, die Schwachstellen aus 13 Sicherheitsmitteilungen ausbessern. Eine Lücke ist kritisch. --------------------------------------------- https://www.heise.de/-9626592 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (clamav and virtiofsd), Oracle (gimp), Red Hat (gnutls and nss), SUSE (kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t and squid), and Ubuntu (openssl). --------------------------------------------- https://lwn.net/Articles/961937/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ TYPO3 Security Advisories ∗∗∗ --------------------------------------------- https://typo3.org/help/security-advisories ∗∗∗ Autodesk: Multiple Vulnerabilities in Autodesk InfraWorks software ∗∗∗ --------------------------------------------- https://www.autodesk.com/trust/security-advisories/adsk-sa-2024-0001 ∗∗∗ Mitsubishi Electric MELSEC iQ-R Series Safety CPU ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-044-01 ∗∗∗ HIMA: Multiple products affected by DoS and Port-Based-VLAN Crossing ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2024-013/ ∗∗∗ Schneider Electric Security Advisories ∗∗∗ --------------------------------------------- https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.… ∗∗∗ SSA-943925 V1.0: Multiple Vulnerabilities in SINEC NMS before V2.0 SP1 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-943925.html ∗∗∗ SSA-871717 V1.0: Multiple Vulnerabilities in Polarion ALM ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-871717.html ∗∗∗ SSA-806742 V1.0: Multiple Vulnerabilities in SCALANCE XCM-/XRM-300 before V2.4 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-806742.html ∗∗∗ SSA-797296 V1.0: XT File Parsing Vulnerability in Parasolid ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-797296.html ∗∗∗ SSA-753746 V1.0: Denial of Service Vulnerabilities in SIMATIC WinCC Affecting Other SIMATIC Software Products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-753746.html ∗∗∗ SSA-716164 V1.0: Multiple Vulnerabilities in Scalance W1750D ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-716164.html ∗∗∗ SSA-665034 V1.0: Vulnerability in Nozomi Guardian/CMC before 23.3.0 on RUGGEDCOM APE1808 devices ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-665034.html ∗∗∗ SSA-647068 V1.0: Ripple20 in SIMATIC RTLS Gateways ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-647068.html ∗∗∗ SSA-602936 V1.0: Multiple Vulnerabilities in SCALANCE SC-600 Family before V3.1 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-602936.html ∗∗∗ SSA-580228 V1.0: Use of Hard-Coded Credentials Vulnerability in Location Intelligence before V4.3 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-580228.html ∗∗∗ SSA-543502 V1.0: Local Privilege Escalation Vulnerability in Unicam FX ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-543502.html ∗∗∗ SSA-516818 V1.0: TCP Sequence Number Validation Vulnerability in the TCP/IP Stack of CP343-1 Devices ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-516818.html ∗∗∗ SSA-108696 V1.0: Multiple Vulnerabilities in SIDIS Prime before V4.0.400 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-108696.html ∗∗∗ SSA-017796 V1.0: Multiple File Parsing Vulnerabilities in Tecnomatix Plant Simulation ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-017796.html ∗∗∗ SSA-000072 V1.0: Multiple File Parsing Vulnerabilities in Simcenter Femap ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-000072.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.02.2024
by Daily end-of-shift report 12 Feb '24

12 Feb '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 09-02-2024 18:00 − Montag 12-02-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Free Rhysida ransomware decryptor for Windows exploits RNG flaw ∗∗∗ --------------------------------------------- South Korean researchers have publicly disclosed an encryption flaw in the Rhysida ransomware encryptor, allowing the creation of a Windows decryptor to recover files for free. --------------------------------------------- https://www.bleepingcomputer.com/news/security/free-rhysida-ransomware-decr… ∗∗∗ Hackers exploit Ivanti SSRF flaw to deploy new DSLog backdoor ∗∗∗ --------------------------------------------- Hackers are exploiting a server-side request forgery (SSRF) vulnerability in Ivanti Connect Secure, Policy Secure, and ZTA gateways to deploy the new DSLog backdoor on vulnerable devices. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-exploit-ivanti-ssrf-… ∗∗∗ Exploit against Unnamed "Bytevalue" router vulnerability included in Mirai Bot, (Mon, Feb 12th) ∗∗∗ --------------------------------------------- Today, I noticed the following URL showing up in our "First Seen" list: [...] --------------------------------------------- https://isc.sans.edu/diary/rss/30642 ∗∗∗ Microsoft Defender: Der Erkennung mit Komma entgehen ∗∗∗ --------------------------------------------- Ein IT-Forscher hat entdeckt, dass sich die Erkennung des Microsoft Defenders mit einem Komma austricksen lässt. --------------------------------------------- https://www.heise.de/-9625770.html ∗∗∗ SiCat: Open-source exploit finder ∗∗∗ --------------------------------------------- SiCat is an open-source tool for exploit research designed to source and compile information about exploits from open channels and internal databases. Its primary aim is to assist in cybersecurity, enabling users to search the internet for potential vulnerabilities and corresponding exploits. --------------------------------------------- https://www.helpnetsecurity.com/2024/02/12/sicat-open-source-exploit-finder/ ∗∗∗ Warzone RAT Shut Down by Law Enforcement, Two Arrested ∗∗∗ --------------------------------------------- Warzone RAT dismantled in international law enforcement operation that also involved arrests of suspects in Malta and Nigeria. --------------------------------------------- https://www.securityweek.com/warzone-rat-shut-down-by-law-enforcement-two-a… ∗∗∗ Diving Into Gluptebas UEFI Bootkit ∗∗∗ --------------------------------------------- A 2023 Glupteba campaign includes an unreported feature - a UEFI bootkit. We analyze its complex architecture and how this botnet has evolved. --------------------------------------------- https://unit42.paloaltonetworks.com/glupteba-malware-uefi-bootkit/ ∗∗∗ Bitdefender warnt vor neuer Backdoor für macOS ∗∗∗ --------------------------------------------- Sie bleibt vermutlich mindestens drei Monate unentdeckt. RustDoor erlaubt die gezielte Suche nach Daten und deren Übertragung an einen externen Server. --------------------------------------------- https://www.zdnet.de/88414203/bitdefender-warnt-vor-neuer-backdoor-fuer-mac… ∗∗∗ Angreifer spoofen Temu ∗∗∗ --------------------------------------------- Die Popularität des E-Commerce-Shops lockt Betrüger, die sich auf gefälschte Werbegeschenkcodes spezialisieren. --------------------------------------------- https://www.zdnet.de/88414209/angreifer-spoofen-temu/ ===================== = Vulnerabilities = ===================== ∗∗∗ ExpressVPN: Fehler führt zu ungeschützter Übertragung von DNS-Anfragen ∗∗∗ --------------------------------------------- Durch den Fehler können Drittanbieter potenziell nachverfolgen, welche Webseiten ExpressVPN-Nutzer besucht haben - trotz aktiver VPN-Verbindung. --------------------------------------------- https://www.golem.de/news/expressvpn-fehler-fuehrt-zu-ungeschuetzter-uebert… ∗∗∗ CISA Adds One Known Exploited Vulnerability to Catalog ∗∗∗ --------------------------------------------- CVE-2024-21762 Fortinet FortiOS Out-of-Bound Write Vulnerability --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/02/09/cisa-adds-one-known-expl… ∗∗∗ CISA Adds One Known Exploited Vulnerability to Catalog ∗∗∗ --------------------------------------------- CVE-2023-43770 Roundcube Webmail Persistent Cross-Site Scripting (XSS) Vulnerability --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/02/12/cisa-adds-one-known-expl… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libgit2), Fedora (chromium, firecracker, libkrun, openssh, python-nikola, runc, rust-event-manager, rust-kvm-bindings, rust-kvm-ioctls, rust-linux-loader, rust-userfaultfd, rust-versionize, rust-vhost, rust-vhost-user-backend, rust-virtio-queue, rust-vm-memory, rust-vm-superio, rust-vmm-sys-util, virtiofsd, webkitgtk, and wireshark), Mageia (filezilla and xpdf), Oracle (gimp), Red Hat (libmaxminddb, linux-firmware, squid:4, and tcpdump), Slackware (xpdf), SUSE (cdi-apiserver-container, cdi-cloner-container, cdi- controller-container, cdi-importer-container, cdi-operator-container, cdi- uploadproxy-container, cdi-uploadserver-container, cont and suse-build-key), and Ubuntu (python-glance-store and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/961842/ ∗∗∗ Mehrere Cross-Site Scripting Schwachstellen in Statamic CMS ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/mehrere-cross-site-sc… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.02.2024
by Daily end-of-shift report 09 Feb '24

09 Feb '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 08-02-2024 18:00 − Freitag 09-02-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ SonicOS SSL-VPN: Angreifer können Authentifzierung umgehen ∗∗∗ --------------------------------------------- Sonicwall warnt vor einer Sicherheitslücke im SonicOS SSL-VPN, durch die Angreifer die Authentifizierung umgehen können. --------------------------------------------- https://www.heise.de/-9623611.html ∗∗∗ Sicherheitsupdates: Authentifizierung von Ivanti Connect Secure & Co. defekt ∗∗∗ --------------------------------------------- Angreifer können ohne Anmeldung auf Ivanti Connect Secure, Policy Secure und ZTA Gateway zugreifen. --------------------------------------------- https://www.heise.de/-9623653.html ∗∗∗ Elastic Stack: Pufferüberlauf ermöglicht Codeschmuggel in Kibana-Komponente ∗∗∗ --------------------------------------------- Der in Kibana integrierte Chromium-Browser verursachte das Problem nur auf bestimmten Plattformen. Updates und eine Übergangslösung stehen bereit. --------------------------------------------- https://www.heise.de/-9624274.html ∗∗∗ Android XLoader malware can now auto-execute after installation ∗∗∗ --------------------------------------------- A new version of the XLoader Android malware was discovered that automatically executes on devices it infects, requiring no user interaction to launch. --------------------------------------------- https://www.bleepingcomputer.com/news/security/android-xloader-malware-can-… ∗∗∗ New RustDoor macOS malware impersonates Visual Studio update ∗∗∗ --------------------------------------------- A new Rust-based macOS malware spreading as a Visual Studio update to provide backdoor access to compromised systems uses infrastructure linked to the infamous ALPHV/BlackCat ransomware gang. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-rustdoor-macos-malware-i… ∗∗∗ Form Tools Remote Code Execution: We Need To Talk About PHP ∗∗∗ --------------------------------------------- To whet your appetite for what we’re going to demonstrate, below is a deep dive into a Local File Inclusion vulnerability which can lead to Remote Code Execution in installations of ‘Form Tools’, an open-source PHP-based application for creating, storing and sharing forms on the Internet, of over 15 year vintage. A short search across open data platforms reveals over 1,000 installations with "we just discovered Shodan"-tier fingerprints. --------------------------------------------- https://labs.watchtowr.com/form-tools-we-need-to-talk-about-php/ ∗∗∗ Juniper Support Portal Exposed Customer Device Info ∗∗∗ --------------------------------------------- Until earlier this week, the support website for networking equipment vendor Juniper Networks was exposing potentially sensitive information tied to customer products, including the exact devices each customer bought, as well as each devices warranty status, service contracts and serial numbers. Juniper said it has since fixed the problem, and that the inadvertent data exposure stemmed from a recent upgrade to its support portal. --------------------------------------------- https://krebsonsecurity.com/2024/02/juniper-support-portal-exposed-customer… ∗∗∗ Zahlreiche betrügerische E-Mails im Namen der Österreichischen Gesundheitskasse im Umlauf! ∗∗∗ --------------------------------------------- Derzeit werden der Watchlist Internet zahlreiche E-Mails gemeldet, die Kriminelle im Namen der Österreichischen Gesundheitskasse versenden. Angeblich erhalten die Empfänger:innen eine Rückerstattung durch die Krankenasse. Dazu sollen sie einen Link anklicken und Kreditkartendaten eingeben. Machen Sie das auf keinen Fall, da es sich um eine Phishing-Falle handelt. --------------------------------------------- https://www.watchlist-internet.at/news/zahlreiche-betruegerische-e-mails-im… ∗∗∗ CISA Partners With OpenSSF Securing Software Repositories Working Group to Release Principles for Package Repository Security ∗∗∗ --------------------------------------------- Today, CISA partnered with the Open Source Security Foundation (OpenSSF) Securing Software Repositories Working Group to publish the Principles for Package Repository Security framework. Recognizing the critical role package repositories play in securing open source software ecosystems, this framework lays out voluntary security maturity levels for package repositories. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/02/08/cisa-partners-openssf-se… ∗∗∗ Raspberry Robin: Evolving Cyber Threat with Advanced Exploits and Stealth Tactics ∗∗∗ --------------------------------------------- Raspberry Robin leverages new 1-day Local Privilege Escalation (LPE) exploits developed ahead of public knowledge, hinting at either an in-house development capability or access to a sophisticated exploit market. --------------------------------------------- https://blog.checkpoint.com/security/raspberry-robin-evolving-cyber-threat-… ∗∗∗ January 2024’s Most Wanted Malware: Major VexTrio Broker Operation Uncovered and Lockbit3 Tops the Ransomware Threats ∗∗∗ --------------------------------------------- Researchers uncovered a large cyber threat distributor known as VexTrio, which serves as a major traffic broker for cybercriminals to distribute malicious content. Meanwhile, LockBit3 topped the list of active ransomware groups and Education was the most impacted industry worldwide --------------------------------------------- https://blog.checkpoint.com/research/january-2024s-most-wanted-malware-majo… ∗∗∗ Niederlande: Militärnetzwerk über FortiGate gehackt; Volt Typhoon-Botnetz seit 5 Jahren in US-Systemen ∗∗∗ --------------------------------------------- Gerade ist eine Spionageaktion der chinesischen Regierung in einem Computernetzwerk des niederländischen Militärs aufgeflogen. Das Militärnetzwerk wurde über eine Schwachstelle in FortiGate gehackt. Das ist auch für andere Fortinet-Kunden relevant. Und mittlerweile wurde bekannt, dass das mutmaßlich von staatsnahen chinesischen [...] --------------------------------------------- https://www.borncity.com/blog/2024/02/08/niederlande-militrnetzwerk-ber-for… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (webkit2gtk), Fedora (atril, chromium, gnutls, python-aiohttp, and webkitgtk), Gentoo (libxml2), Mageia (gnutls, gpac, kernel, kernel-linus, microcode, pam, and postfix), Red Hat (container-tools:2.0, container-tools:3.0, container-tools:4.0, container-tools:rhel8, gimp, libmaxminddb, python-pillow, runc, and unbound), SUSE (cosign, netpbm, python, python-Pillow, python3, and python36), and Ubuntu (libde265, linux-gcp, linux-gcp-5.4, and linux-intel-iotg). --------------------------------------------- https://lwn.net/Articles/961584/ ∗∗∗ Kritische Sicherheitslücken in Fortinet FortiOS, Updates verfügbar ∗∗∗ --------------------------------------------- Fortinet hat zwei kritische Security Advisories veröffentlicht. Beide Security Advisories behandeln Sicherheitslücken, die es unauthentifizierten Angreifer:innen erlauben, Code auf betroffenen Geräten auszuführen. Fortinet gibt bezüglich einer dieser Sicherheitslücken an, dass diese potentiell bereits aktiv für Angriffe ausgenutzt wird. --------------------------------------------- https://cert.at/de/warnungen/2024/2/kritische-sicherheitslucken-in-fortinet… ∗∗∗ Wichtige ESET Produkt-Updates verfügbar (8. Feb. 2024) ∗∗∗ --------------------------------------------- Kurzer, weiterer Informationssplitter für Administratoren, die ESET Endpoint Antivirus/Security unter Windows einsetzen. Der Hersteller hat ein wichtiges Produkt-Update für seine Windows-Produktlinie herausgegeben, welches sofort installiert werden sollte. Das Update behebt eine Schwachstelle, [...] --------------------------------------------- https://www.borncity.com/blog/2024/02/08/wichtige-eset-produkt-updates-verf… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ FortiClientEMS - Improper privilege management for site super administrator ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-23-357 ∗∗∗ FortiManager - Informative error messages ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-23-268 ∗∗∗ FortiNAC - XSS in Show Audit Log ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-23-063 ∗∗∗ FortiOS - Format String Bug in fgfmd ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-24-029 ∗∗∗ FortiOS - Fortilink lack of certificate validation ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-23-301 ∗∗∗ FortiOS - Out-of-bound Write in sslvpnd ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-24-015 ∗∗∗ FortiOS & FortiProxy - CVE-2023-44487 - Rapid Reset HTTP/2 vulnerability ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-23-397 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.02.2024
by Daily end-of-shift report 08 Feb '24

08 Feb '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 07-02-2024 18:00 − Donnerstag 08-02-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Fortinet: APTs Exploiting FortiOS Vulnerabilities in Critical Infrastructure Attacks ∗∗∗ --------------------------------------------- One of the exploited vulnerabilities is CVE-2022-42475, which Fortinet patched in December 2022, when it warned that it had been aware of in-the-wild exploitation. [..] The second vulnerability described in Fortinet’s new warning is CVE-2023-27997, which came to light in June 2023, when the cybersecurity firm informed customers that it had been exploited as a zero-day in limited attacks. Fortinet noted on Wednesday that some customers have yet to patch the two FortiOS vulnerabilities and the company has seen several attacks and attack clusters, including ones aimed at the government, service provider, manufacturing, consultancy, and critical infrastructure sectors. --------------------------------------------- https://www.securityweek.com/fortinet-apts-exploiting-fortios-vulnerabiliti… ∗∗∗ State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure ∗∗∗ --------------------------------------------- CISA, NSA, FBI and the following partners are releasing this advisory to warn critical infrastructure organizations about this assessment, which is based on observations from the U.S. authoring agencies’ incident response activities at critical infrastructure organizations compromised by the PRC state-sponsored cyber group known as Volt Typhoon (also known as Vanguard Panda, BRONZE SILHOUETTE, Dev-0391, UNC3236, Voltzite, and Insidious Taurus). --------------------------------------------- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a ∗∗∗ Fortinet warns of new FortiSIEM RCE bugs in confusing disclosure ∗∗∗ --------------------------------------------- Fortinet is warning of two new unpatched patch bypasses for a critical remote code execution vulnerability in FortiSIEM, Fortinets SIEM solution. [..] Earlier today, BleepingComputer published an article that the CVEs were released by mistake after being told by Fortinet that they were duplicates of the original CVE-2023-34992. [..] After contacting Fortinet once again, we were told their previous statement was “misstated” and that the two new CVEs are variants of the original flaw. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fortinet-warns-of-new-fortis… ∗∗∗ Coyote: A multi-stage banking Trojan abusing the Squirrel installer ∗∗∗ --------------------------------------------- We will delve into the workings of the infection chain and explore the capabilities of the new Trojan that specifically targets users of more than 60 banking institutions, mainly from Brazil. --------------------------------------------- https://securelist.com/coyote-multi-stage-banking-trojan/111846/ ∗∗∗ Facebook ads push new Ov3r_Stealer password-stealing malware ∗∗∗ --------------------------------------------- A new password-stealing malware named Ov3r_Stealer is spreading through fake job advertisements on Facebook, aiming to steal account credentials and cryptocurrency. --------------------------------------------- https://www.bleepingcomputer.com/news/security/facebook-ads-push-new-ov3r-s… ∗∗∗ The toothbrush DDoS attack: How misinformation spreads in the cybersecurity world ∗∗∗ --------------------------------------------- No, three million smart toothbrushes didnt launch a DDoS attack against a Swiss company. --------------------------------------------- https://grahamcluley.com/the-toothbrush-ddos-attack-how-misinformation-spre… ∗∗∗ Fake LastPass password manager spotted on Apple’s App Store ∗∗∗ --------------------------------------------- LastPass is warning that a fake copy of its app is being distributed on the Apple App Store, likely used as a phishing app to steal users' credentials. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fake-lastpass-password-manag… ===================== = Vulnerabilities = ===================== ∗∗∗ FortiGate / FortiOS 7.4.3 FortiOS Release Notes ∗∗∗ --------------------------------------------- 2024-02-07 Initial release --------------------------------------------- https://docs.fortinet.com/document/fortigate/7.4.3/fortios-release-notes/55… ∗∗∗ SonicOS SSL-VPN Improper Authentication ∗∗∗ --------------------------------------------- An improper authentication vulnerability has been identified in SonicWall SonicOS SSL-VPN feature, which in specific conditions could allow a remote attacker to bypass authentication.This issue affects only firmware version SonicOS 7.1.1-7040. CVE: CVE-2024-22394 Last updated: Feb. 6, 2024, 4:44 p.m. --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0003 ∗∗∗ SSD Advisory – TOTOLINK LR1200GB Auth Bypass ∗∗∗ --------------------------------------------- A vulnerability in TOTOLINK LR1200GB allows remote unauthenticated attackers to become authenticated due to a stack overflow vulnerability in the web interface. [..] Multiple emails to the vendor went unanswered, we are releasing this information without being able to get from the vendor a patch or response. --------------------------------------------- https://ssd-disclosure.com/ssd-advisory-totolink-lr1200gb-auth-bypass/ ∗∗∗ Sicherheitslücken: Codeschmuggel und Leistungsverweigerung bei ClamAV ∗∗∗ --------------------------------------------- Der Parser für das OLE2-Dateiformat enthält einen Pufferüberlauf und mit speziell präparierten Dateinamen lassen sich offenbar eigene Befehlszeilen ausführen. --------------------------------------------- https://www.heise.de/-9622674 ∗∗∗ Samsung Magician: Update stopft Sicherheitsleck im SSD-Tool ∗∗∗ --------------------------------------------- Samsung bietet mit Magician eine Software zum Verwalten von SSDs, Speichersticks und -Karten des Herstellers. Ein Update schließt eine Lücke darin. --------------------------------------------- https://www.heise.de/-9622729 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium), Red Hat (gimp, kernel, kernel-rt, and runc), Slackware (expat), SUSE (libavif), and Ubuntu (linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-kvm, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-bluefield, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-oracle, linux-oracle-5.4, linux-xilinx-zynqmp, and linux, linux-aws, linux-gcp, linux-hwe-6.5, linux-laptop, linux-lowlatency, linux-lowlatency-hwe-6.5, linux-oem-6.5, linux-oracle, linux-raspi, linux-starfive). --------------------------------------------- https://lwn.net/Articles/961330/ ∗∗∗ Drupal: Migrate Tools - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2024-008 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2024-008 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (January 29, 2024 to February 4, 2024) ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2024/02/wordfence-intelligence-weekly-wordpr… ∗∗∗ Qolsys IQ Panel 4, IQ4 HUB ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-039-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.02.2024
by Daily end-of-shift report 07 Feb '24

07 Feb '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 06-02-2024 18:00 − Mittwoch 07-02-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Fortinet snafu: Critical FortiSIEM CVEs are duplicates, issued in error ∗∗∗ --------------------------------------------- It turns out that critical Fortinet FortiSIEM vulnerabilities tracked as CVE-2024-23108 and CVE-2024-23109 are not new and have been published this year in error. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fortinet-snafu-critical-fort… ∗∗∗ Schlüssel ausgelesen: Bastler umgeht Bitlocker-Schutz mit Raspberry Pi Pico ∗∗∗ --------------------------------------------- Möglich war ihm dies durch das Abfangen der Kommunikation des auf dem Mainboard des Notebooks verlöteten TPM-Chips mit der CPU. [..] Auf die Möglichkeit solcher Angriffe auf Systeme mit externen TPM-Chips wiesen Sicherheitsforscher schon im Sommer 2021 hin. Grund dafür sei die unverschlüsselte Übertragung des Verschlüsselungsschlüssels, so dass sich der Schlüssel einfach über die Kontakte des TPMs abfangen lasse, hieß es schon damals. --------------------------------------------- https://www.golem.de/news/schluessel-ausgelesen-bastler-umgeht-bitlocker-sc… ∗∗∗ Unleashing the Power of Scapy for Network Fuzzing ∗∗∗ --------------------------------------------- Cybersecurity is a critical aspect of any network or software system, and fuzzing is arguably one of the most potent techniques used to identify such security vulnerabilities. Fuzzing involves injecting unexpected or invalid data into the system, which can trigger unforeseen behaviours, potentially leading to security breaches or crashes. Scapy is one of the many tools that can be used for fuzzing, and it stands out as a versatile and efficient option. --------------------------------------------- https://www.darkrelay.com/post/unleashing-the-power-of-scapy-for-network-fu… ∗∗∗ Anydesk-Einbruch: Französisches BSI-Pendant vermutet Dezember als Einbruchsdatum ∗∗∗ --------------------------------------------- Der IT-Sicherheitsvorfall bei Anydesk datiert womöglich auf den Dezember 2023, wie den Hinweisen der französischen IT-Sicherheitsbehörde zu entnehmen ist. --------------------------------------------- https://www.heise.de/news/Anydesk-Einbruch-datiert-vermutlich-auf-Dezember-… ∗∗∗ E-Mail von DNS EU ist betrügerisch ∗∗∗ --------------------------------------------- Derzeit erhalten viele Website-Betreiber:innen E-Mails von einer vermeintlichen Firma namens DNS EU. Im E-Mail behauptet das Unternehmen, dass es einen „Registrierungsantrag“ für eine Domain erhalten hat, die Ihrer eigenen Domain sehr ähnlich ist. Ihnen wird angeboten, diese Domain für € 297,50 zu kaufen. Ignorieren Sie dieses E-Mail, das Angebot ist Fake. --------------------------------------------- https://www.watchlist-internet.at/news/e-mail-von-dns-eu-ist-betruegerisch/ ∗∗∗ Vermehrte Ransomware-Angriffe mit Lockbit 3.0 ∗∗∗ --------------------------------------------- In den letzten Tagen sind österreichische Unternehmen und Organisationen vermehrt von Angriffen mit der Ransomware Lockbit 3.0 betroffen. Dabei handelt es sich um Ransomware-as-a-Service, was es einer Vielzahl von Kriminellen ermöglicht, unabhängig voneinander zu agieren und eine grössere Anzahl von Zielen zu attackieren. Bedrohungsakteure, die im Rahmen ihrer Angriffe Lockbit 3.0 einsetzen erlangen vor allem über den Missbrauch von RDP-Verbindungen (beispielsweise unter Einsatz anderweitig gestohlener Zugangsdaten) und die Ausnutzung von Schwachstellen in aus dem Internet erreichbaren Applikationen Zugang zu den Netzwerken ihrer Opfer. Wir empfehlen nachdrücklich, die eigenen Sicherheitsmaßnahmen zu überprüfen [..] --------------------------------------------- https://cert.at/de/aktuelles/2024/2/vermehrte-ransomware-angriffe-mit-lockb… ∗∗∗ Cyber Security Glossary: The Ultimate List ∗∗∗ --------------------------------------------- If you have anything to do with cyber security, you know it employs its own unique and ever-evolving language. Jargon and acronyms are the enemies of clear writing—and are beloved by cyber security experts. So Morphisec has created a comprehensive cyber security glossary that explains commonly used cybersecurity terms, phrases, and technologies. We designed this list to demystify the terms that security professionals use when describing security tools, threats, processes, and techniques. We will periodically update it, and hope you find it useful. --------------------------------------------- https://blog.morphisec.com/cyber-security-glossary ===================== = Vulnerabilities = ===================== ∗∗∗ Kritische Sicherheitslücke in JetBrains TeamCity On-Premises ∗∗∗ --------------------------------------------- Das Softwareunternehmen JetBrains hat Informationen über eine kritische Sicherheitslücke in JetBrains TeamCity On-Premises veröffentlicht. Eine Ausnutzung der Schwachstelle, CVE-2024-23917, erlaubt unauthentifizierten Angreifer:innen mit HTTP(s)-Zugriff auf eine verwundbare Instanz von TeamCity das Umgehen von Authentifizierungskontrollen und somit die vollständige Übernahme der betroffenen Installation. --------------------------------------------- https://cert.at/de/aktuelles/2024/2/kritische-sicherheitslucke-in-jetbrains… ∗∗∗ Shim: Kritische Schwachstelle gefährdet Secure Boot unter Linux ∗∗∗ --------------------------------------------- In einer von den meisten gängigen Linux-Distributionen verwendeten EFI-Anwendung namens Shim wurde eine kritische Schwachstelle entdeckt, die es Angreifern ermöglicht, Schadcode auszuführen und die vollständige Kontrolle über ein Zielsystem zu übernehmen. Ausgenutzt werden könne der Fehler durch eine speziell gestaltete HTTP-Anfrage, die zu einem kontrollierten Out-of-bounds-Schreibvorgang führe, heißt es in der Beschreibung zu CVE-2023-40547. --------------------------------------------- https://www.golem.de/news/shim-kritische-schwachstelle-gefaehrdet-secure-bo… ∗∗∗ Zeroshell vulnerable to OS command injection ∗∗∗ --------------------------------------------- Zeroshell Linux distribution contains an OS command injection vulnerability. This vulnerability was reported on August 2020. The Zeroshell project reached EOL on April 2021. The communication with the developer was established on November 2023, and this JVN publication was agreed upon. --------------------------------------------- https://jvn.jp/en/jp/JVN44033918/ ∗∗∗ Cisco: (High) ClamAV OLE2 File Format Parsing Denial of Service Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the OLE2 file format parser of ClamAV could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. CVE-2024-20290 --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco: (Critical) Cisco Expressway Series Cross-Site Request Forgery Vulnerabilities ∗∗∗ --------------------------------------------- Multiple vulnerabilities in the Cisco Expressway Series could allow an unauthenticated, remote attacker to conduct cross-site request forgery (CSRF) attacks, which could allow the attacker to perform arbitrary actions on an affected device. CVE-2024-20255, CVE-2024-20254, CVE-2024-20252 --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ SolarWinds Platform 2024.1 Release Notes ∗∗∗ --------------------------------------------- SQL Injection Remote Code Execution Vulnerability was found using an update statement in the SolarWinds Platform. This vulnerability requires user authentication to be exploited and has not been reported outside of the initial report by the researcher. 8.0 High, CVE-2023-50395, CVE-2023-35188 --------------------------------------------- https://documentation.solarwinds.com/en/success_center/orionplatform/conten… ∗∗∗ VMware Aria: Sicherheitslücken erlauben etwa Rechteausweitung ∗∗∗ --------------------------------------------- Insgesamt fünf Sicherheitslücken dichtet VMware in Aria Operations for Networks – ehemals mit dem Namen vRealize im Umlauf – mit aktualisierter Software ab. Der Schweregrad reicht nach Einschätzung der Entwickler des Unternehmens bis zur Risikostufe "hoch". Bösartige Akteure können durch die Schwachstellen unbefugt ihre Rechte an verwundbaren Systemen erhöhen. --------------------------------------------- https://www.heise.de/-9621415 ∗∗∗ Rechtausweitung durch Lücken in Veeam Recovery Orchestrator möglich ∗∗∗ --------------------------------------------- Veeam flickt die Recovery Orchestrator-Software. Sicherheitslücken darin erlauben bösartigen Akteuren die Ausweitung von Rechten. --------------------------------------------- https://www.heise.de/-9621609 ∗∗∗ Sicherheitsupdates: Dell schließt ältere Lücken in Backuplösungen wie Avamar ∗∗∗ --------------------------------------------- Schwachstellen in Komponenten von Drittanbietern gefährden die Sicherheit von Dell-Backup-Software. Sicherheitsupdates sind verfügbar. --------------------------------------------- https://www.heise.de/9621283 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Red Hat (gimp) and Ubuntu (firefox, linux-oracle, linux-oracle-5.15, and python-django). --------------------------------------------- https://lwn.net/Articles/961173/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Google Chrome 121.0.6167.160/161 / 120.0.6099.283 mit Sicherheitsfixes ∗∗∗ --------------------------------------------- https://www.borncity.com/blog/2024/02/07/google-chrome-121-0-6167-160-161-1… ∗∗∗ [R1] Nessus Version 10.7.0 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2024-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.02.2024
by Daily end-of-shift report 06 Feb '24

06 Feb '24

===================== = End-of-Day report = ===================== Timeframe: Montag 05-02-2024 18:00 − Dienstag 06-02-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Rust Won’t Save Us: An Analysis of 2023’s Known Exploited Vulnerabilities ∗∗∗ --------------------------------------------- We have analyzed all critical vulnerabilities from the CISA KEV catalog starting from January 2023 through January 2024, categorized the vulnerability root causes, and attempted to analyze if the current efforts in the information security industry match with the current threat vectors being abused. --------------------------------------------- https://www.horizon3.ai/analysis-of-2023s-known-exploited-vulnerabilities/ ∗∗∗ Unseriöse Dirndl-Shops drohen mit Anzeige? Ignorieren Sie die Nachrichten! ∗∗∗ --------------------------------------------- Zahlreiche Betroffene wenden sich aktuell an die Watchlist Internet, weil unseriöse Bekleidungs- und Dirndl-Shops Monate nach den Bestellungen versuchen, Kund:innen einzuschüchtern und zu einer Zahlung zu drängen. Da völlig falsche Produkte geliefert wurden, besteht aber kein Grund zur Zahlung und somit auch kein Grund zur Sorge! --------------------------------------------- https://www.watchlist-internet.at/news/unserioese-dirndl-shops-drohen-mit-a… ∗∗∗ How are user credentials stolen and used by threat actors? ∗∗∗ --------------------------------------------- You’ve probably heard the phrase, “Attackers don’t hack anyone these days. They log on.” In this blog, we describe the various tools and techniques bad actors are using to steal credentials so they can log on with valid account details, and outline our recommendations for defense. --------------------------------------------- https://blog.talosintelligence.com/how-are-user-credentials-stolen-and-used… ∗∗∗ Navigating the Rising Tide of CI/CD Vulnerabilities: The Jenkins and TeamCity Case Studies ∗∗∗ --------------------------------------------- In the evolving landscape of cybersecurity, a new threat has emerged, targeting the core of software development processes. Recently, an alarming incident has brought to light a significant vulnerability in Jenkins CI/CD servers. Approximately 45,000 Jenkins servers have been left exposed to remote code execution (RCE) attacks, leveraging multiple exploit public POCs. This breach is not just a standalone event but a symptom of a growing trend of attacks on Continuous Integration/Continuous Deployment (CI/CD) software supply chains. --------------------------------------------- https://checkmarx.com/blog/navigating-the-rising-tide-of-ci-cd-vulnerabilit… ∗∗∗ Experts Detail New Flaws in Azure HDInsight Spark, Kafka, and Hadoop Services ∗∗∗ --------------------------------------------- Three new security vulnerabilities have been discovered in Azure HDInsights Apache Hadoop, Kafka, and Spark services that could be exploited to achieve privilege escalation and a regular expression denial-of-service (ReDoS) condition. [..] Following responsible disclosure, Microsoft has rolled out fixes as part of updates released on October 26, 2023. --------------------------------------------- https://thehackernews.com/2024/02/high-severity-flaws-found-in-azure.html ∗∗∗ Exploring the (Not So) Secret Code of Black Hunt Ransomware ∗∗∗ --------------------------------------------- In this analysis we examined the BlackHunt sample shared on X (formerly Twitter). During our analysis we found notable similarities between BlackHunt ransomware and LockBit, which suggested that it uses leaked code of Lockbit. In addition, it uses some techniques similar to REvil ransomware. --------------------------------------------- https://www.rapid7.com/blog/post/2024/02/05/exploring-the-not-so-secret-cod… ===================== = Vulnerabilities = ===================== ∗∗∗ Patchday Android: Kritische Schadcode-Lücke auf Systemebene geschlossen ∗∗∗ --------------------------------------------- Mehrere Sicherheitslücken gefährden Android-Geräte. Für bestimmte Smartphones und Tablets sind Updates erschienen. --------------------------------------------- https://www.heise.de/-9619910 ∗∗∗ Sicherheitsupdate: Mehrere Lücken gefährden Server-Monitoring-Tool Nagios XI ∗∗∗ --------------------------------------------- Unter bestimmten Bedingungen können Angreifer Schadcode auf Server mit Nagios XI laden. Ein Sicherheitsupdate schließt diese und weitere Schwachstellen. --------------------------------------------- https://www.heise.de/-9620155 ∗∗∗ Kritische Schwachstellen in Multifunktions- und Laserdruckern von Canon ∗∗∗ --------------------------------------------- Canon warnt vor kritischen Sicherheitslücken in einigen SOHO-Multifunktions- und Laserdruckern. Gegenmaßnahmen sollen helfen. --------------------------------------------- https://www.heise.de/-9620345 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (firefox, gstreamer1-plugins-bad-free, and tigervnc), Debian (ruby-sanitize), Fedora (kernel, kernel-headers, qt5-qtwebengine, and runc), Oracle (gnutls, kernel, libssh, rpm, runc, and tigervnc), Red Hat (runc), and SUSE (bouncycastle, jsch, python, and runc). --------------------------------------------- https://lwn.net/Articles/961083/ ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2024-0001 ∗∗∗ --------------------------------------------- CVE identifiers: CVE-2024-23222, CVE-2024-23206, CVE-2024-23213, CVE-2023-40414, CVE-2023-42833, CVE-2014-1745 --------------------------------------------- https://webkitgtk.org/security/WSA-2024-0001.html ∗∗∗ CISA Adds One Known Exploited Vulnerability to Catalog ∗∗∗ --------------------------------------------- Google Chromium V8 Type Confusion Vulnerability CVE-2023-4762 --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/02/06/cisa-adds-one-known-expl… ∗∗∗ MISP 2.4.184 released with performance improvements, security and bugs fixes. ∗∗∗ --------------------------------------------- A series of security fixes were done in this release, the vulnerabilities are accessible to authenticated users, especially those with specific privileges like Org admin. We urge users to update to this version especially if you have different organisations having access to your instances. --------------------------------------------- https://github.com/MISP/MISP/releases/tag/v2.4.184 ∗∗∗ ZDI-24-086: TP-Link Omada ER605 Access Control Command Injection Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-086/ ∗∗∗ ZDI-24-085: (Pwn2Own) TP-Link Omada ER605 DHCPv6 Client Options Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-085/ ∗∗∗ ZDI-24-087: (Pwn2Own) Western Digital MyCloud PR4100 RESTSDK Server-Side Request Forgery Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-24-087/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Pilz: Multiple products affected by uC/HTTP vulnerability ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2024-002/ ∗∗∗ HID Global Encoders ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-037-01 ∗∗∗ HID Global Reader Configuration Cards ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-037-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.02.2024
by Daily end-of-shift report 05 Feb '24

05 Feb '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 02-02-2024 18:00 − Montag 05-02-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Newest Ivanti SSRF zero-day now under mass exploitation ∗∗∗ --------------------------------------------- An Ivanti Connect Secure and Ivanti Policy Secure server-side request forgery (SSRF) vulnerability tracked as CVE-2024-21893 is currently under mass exploitation by multiple attackers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/newest-ivanti-ssrf-zero-day-… ∗∗∗ Cyberangriff: Fernwartungssoftware-Anbieter Anydesk gehackt ∗∗∗ --------------------------------------------- Anydesk ist Opfer eines Cyberangriffs geworden. Die Folgen sind noch nicht klar, aber möglicherweise gravierend. --------------------------------------------- https://www.golem.de/news/cyberangriff-fernwartungssoftware-anbieter-anydes… ∗∗∗ Darknet: Anydesk-Zugangsdaten in Hackerforen aufgetaucht ∗∗∗ --------------------------------------------- Quelle der Daten ist nach aktuellen Erkenntnissen wohl nicht der jüngste Sicherheitsvorfall bei Anydesk. Ein Passwortwechsel wird dennoch empfohlen. --------------------------------------------- https://www.golem.de/news/darknet-anydesk-zugangsdaten-in-hackerforen-aufge… ∗∗∗ How to hack the Airbus NAVBLUE Flysmart+ Manager ∗∗∗ --------------------------------------------- Airbus Navblue Flysmart+ Manager allowed attackers to tamper with the engine performance calculations and intercept data. Flysmart+ is a suite of apps for pilot EFBs, helping deliver efficient and safe departure and arrival of flights. Researchers from Pen Test Partners discovered a vulnerability in Navblue Flysmart+ Manager that can be exploited [...] --------------------------------------------- https://securityaffairs.com/158661/hacking/airbus-flysmart-flaw.html ∗∗∗ Encrypted Attacks: Impact on Public Sector ∗∗∗ --------------------------------------------- Following FBI and CISA warnings to public sector defenders in November regarding increased targeting by infamous ransomware groups, the imperative to understand and defend against evolving - and increasingly covert - cyber threats has intensified. According to Zscaler ThreatLabz analysis of the 2023 threat landscape, 86% of threats hide within encrypted traffic. What does this mean for the public sector? --------------------------------------------- https://www.zscaler.com/blogs/security-research/encrypted-attacks-impact-pu… ∗∗∗ Hacking a Smart Home Device ∗∗∗ --------------------------------------------- How I reverse engineered an ESP32-based smart home device to gain remote control access and integrate it with Home Assistant. --------------------------------------------- https://jmswrnr.com/blog/hacking-a-smart-home-device ∗∗∗ Videokonferenz voller KI-Klone: Angestellter schickt Betrügern 24 Millionen Euro ∗∗∗ --------------------------------------------- Bislang werden im Rahmen der "Chef-Masche" Angestellte zumeist von einer Person überzeugt, Geld herauszugeben. Ein Fall in Hongkong hat nun eine neue Qualität. --------------------------------------------- https://www.heise.de/-9618064.html ∗∗∗ Hartkodiertes Passwort: Wärmepumpen von Alpha Innotec und Novelan angreifbar ∗∗∗ --------------------------------------------- Ein IT-Forscher hat in der Firmware von Alpha Innotec- und Novelan-Wärmepumpen das hartkodierte Root-Passwort gefunden. Updates bieten Abhilfe. --------------------------------------------- https://www.heise.de/-9618846.html ∗∗∗ Ivanti Zero Day – Threat Actors observed leveraging CVE-2021-42278 and CVE-2021-42287 for quick privilege escalation to Domain Admin ∗∗∗ --------------------------------------------- TL;dr NCC Group has observed what we believe to be the attempted exploitation of CVE-2021-42278 and CVE-2021-42287 as a means of privilege escalation, following the successful compromise of an Ivanti Secure Connect VPN using the following zero-day vulnerabilities reported by Volexity1 on 10/01/2024: [...] --------------------------------------------- https://research.nccgroup.com/2024/02/05/ivanti-zero-day-threat-actors-obse… ∗∗∗ Achtung: E-Card mit 500 Euro Guthaben für Apothekenkäufe ist Fake ∗∗∗ --------------------------------------------- Auf Facebook wird eine „E-Card-Gutscheinkarte“ beworben. Wenn Sie eine kurze Umfrage ausfüllen und 2 Euro überweisen, erhalten Sie angeblich 500 Euro für Apothekeneinkäufe. Achtung, dabei handelt es sich um Betrug. Ein solches Angebot gibt es nicht! --------------------------------------------- https://www.watchlist-internet.at/news/achtung-e-card-mit-500-euro-guthaben… ∗∗∗ Sicherheitsvorfall bei der AnyDesk Software GmbH ∗∗∗ --------------------------------------------- Der deutsche Softwarehersteller AnyDesk Software GmbH, Entwickler der Fernwartungssoftware AnyDesk, hat am Abend des 02.02.2024 im Rahmen einer Pressemeldung über einen erfolgreichen Angriff gegen seine Infrastruktur informiert. Laut dem Unternehmen wurde direkt nach Entdeckung des Vorfalles ein externer Sicherheitsdienstleister zur Behandlung des Vorfalls hinzugezogen und die zuständigen Behörden informiert. Weiters gibt das Unternehmen an, dass keinerlei private Schlüssel, [...] --------------------------------------------- https://cert.at/de/aktuelles/2024/2/sicherheitsvorfall-bei-der-anydesk-soft… ===================== = Vulnerabilities = ===================== ∗∗∗ Docker, Kubernetes und co.: Hacker können aus Containern auf Hostsysteme zugreifen ∗∗∗ --------------------------------------------- Die Schwachstellen dafür beziehen sich auf Buildkit und das CLI-Tool runc. Eine davon erreicht mit einem CVSS von 10 den maximal möglichen Schweregrad. --------------------------------------------- https://www.golem.de/news/docker-kubernetes-und-co-hacker-koennen-aus-conta… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (rear, runc, sudo, and zbar), Fedora (chromium, grub2, libebml, mingw-python-pygments, and python-aiohttp), Gentoo (FreeType, GNAT Ada Suite, Microsoft Edge, NBD Tools, OpenSSL, QtGui, SDDM, Wireshark, and Xen), Mageia (dracut, glibc, nss and firefox, openssl, packages, perl, and thunderbird), Slackware (libxml2), SUSE (java-11-openjdk, java-17-openjdk, perl, python-uamqp, slurm, and xerces-c), and Ubuntu (libssh and openssl). --------------------------------------------- https://lwn.net/Articles/960952/ ∗∗∗ 2024-02-05: Cyber Security Advisory - B&R Automation Runtime FTP uses unsecure encryption mechanisms ∗∗∗ --------------------------------------------- https://www.br-automation.com/fileadmin/SA23P004_FTP_uses_unsecure_encrypti… ∗∗∗ Canon: CPE2024-001 – Regarding vulnerabilities for Small Office Multifunction Printers and Laser Printers – 05 February 2024 ∗∗∗ --------------------------------------------- https://www.canon-europe.com/support/product-security-latest-news/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ QNAP: Neue Firmware-Versionen beheben Befehlsschmuggel-Lücke ∗∗∗ --------------------------------------------- https://www.heise.de/-9617332.html ∗∗∗ IT-Sicherheitsüberwachung Juniper JSA für mehrere Attacken anfällig ∗∗∗ --------------------------------------------- https://www.heise.de/-9617677.html ∗∗∗ HCL schließt Sicherheitslücken in Bigfix, Devops Deploy und Launch ∗∗∗ --------------------------------------------- https://www.heise.de/-9618224.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.02.2024
by Daily end-of-shift report 02 Feb '24

02 Feb '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 01-02-2024 18:00 − Freitag 02-02-2024 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Abschaltbefehl: US-Behörden müssen Ivanti-Geräte vom Netz nehmen ∗∗∗ --------------------------------------------- In einer Notfallanordnung trägt die US-Cybersicherheitsbehörde betroffenen Stellen auf, in den nächsten Stunden zu handeln. Ivanti-Geräte sollen vom Netz. --------------------------------------------- https://www.heise.de/news/Abschaltbefehl-US-Behoerden-muessen-Ivanti-Geraet… ∗∗∗ Bericht: Wie Angreifer in das Netzwerk von Cloudflare eingedrungen sind ∗∗∗ --------------------------------------------- Nach Abschluss der Untersuchungen eines IT-Sicherheitsvorfalls schildert der CDN-Betreiber Cloudflare, wie die Attacke abgelaufen ist. --------------------------------------------- https://www.heise.de/news/Bericht-Wie-Angreifer-in-das-Netzwerk-von-Cloudfl… ∗∗∗ VajraSpy: Ein Patchwork-Sammelsurium voller Spionage-Apps ∗∗∗ --------------------------------------------- ESET-Forscher entdeckten mehrere Android-Apps, die VajraSpy beinhalten, ein RAT, der von der Patchwork APT-Gruppe verwendet wird. --------------------------------------------- https://www.welivesecurity.com/fr/cybersecurite/vajraspy-ein-patchwork-samm… ∗∗∗ Scheinbar harmloser PDF-Viewer leert Bankkonten ahnungsloser Android-Nutzer:innen ∗∗∗ --------------------------------------------- Derzeit ist eine neue Welle von Schadsoftware im Umlauf, die bereits in der Vergangenheit zahlreiche Bankkonten leergeräumt hat. Es handelt sich dabei um den Banking-Trojaner Anatsa, der über die Installation von Apps wie PDF Viewer oder PDF Reader über den Google Play Store verbreitet wird. --------------------------------------------- https://www.watchlist-internet.at/news/scheinbar-harmloser-pdf-viewer-leert… ∗∗∗ Exploring the Latest Mispadu Stealer Variant ∗∗∗ --------------------------------------------- Evaluation of a new variant of Mispadu, a banking Trojan, highlights how infostealers evolve over time and can be hard to pin to past campaigns. --------------------------------------------- https://unit42.paloaltonetworks.com/mispadu-infostealer-variant/ ∗∗∗ How Memory Forensics Revealed Exploitation of Ivanti Connect Secure VPN Zero-Day Vulnerabilities ∗∗∗ --------------------------------------------- As outlined in the previous blog series, while Volexity leveraged network packet captures and disk images to reconstruct parts of the attack, it was ultimately a memory sample that allowed Volexity to confirm exploitation. --------------------------------------------- https://www.volexity.com/blog/2024/02/01/how-memory-forensics-revealed-expl… ∗∗∗ Threat Actors Installing Linux Backdoor Accounts ∗∗∗ --------------------------------------------- Threat actors install malware by launching brute force and dictionary attacks against Linux systems that are poorly managed, such as using default settings or having a simple password. --------------------------------------------- https://asec.ahnlab.com/en/61185/ ∗∗∗ How We Were Able to Infiltrate Attacker Telegram Bots ∗∗∗ --------------------------------------------- It is not uncommon for attackers to publish malicious packages that exfiltrate victims’ data to them using Telegram bots. However, what if we could eavesdrop on what the attacker sees? --------------------------------------------- https://checkmarx.com/blog/how-we-were-able-to-infiltrate-attacker-telegram… ∗∗∗ Jenkins Vulnerability Estimated to Affect 43% of Cloud Environments ∗∗∗ --------------------------------------------- >From our scans on the Orca Cloud Security Platform, we found that 43% of organizations operate at least one unmanaged Jenkins server in their environment. --------------------------------------------- https://orca.security/resources/blog/jenkins-arbitrary-file-read-vulnerabil… ===================== = Vulnerabilities = ===================== ∗∗∗ CISA-Warnung: Alte iPhone-Schwachstelle wird aktiv ausgenutzt ∗∗∗ --------------------------------------------- Eine von Apple gestopfte Kernel-Lücke wird der US-Sicherheitsbehörde zufolge für Angriffe aktiv genutzt. Für ältere iPhones scheint es keinen Patch zu geben. --------------------------------------------- https://www.heise.de/news/CISA-Warnung-Alte-iPhone-Schwachstelle-wird-aktiv… ∗∗∗ Sicherheitsupdate: IBM-Sicherheitslösung QRadar SIEM unter Linux angreifbar ∗∗∗ --------------------------------------------- Mehrere Komponenten eines Add ons von IBMs Security Information and Event Management-System QRadar sind verwundbar. --------------------------------------------- https://www.heise.de/news/Sicherheitsupdate-IBM-Sicherheitsloesung-QRadar-S… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, man-db, and openjdk-17), Fedora (chromium, indent, jupyterlab, kernel, and python-notebook), Gentoo (glibc), Oracle (firefox, thunderbird, and tigervnc), Red Hat (rpm), SUSE (cpio, gdb, gstreamer, openconnect, slurm, slurm_18_08, slurm_20_02, slurm_20_11, slurm_22_05, slurm_23_02, squid, webkit2gtk3, and xerces-c), and Ubuntu (imagemagick and xorg-server, xwayland). --------------------------------------------- https://lwn.net/Articles/960604/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ QNAP Security Advisories ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisories/ ∗∗∗ Moby and Open Container Initiative Release Critical Updates for Multiple Vulnerabilities Affecting Docker-related Components ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/02/01/moby-and-open-container-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.02.2024
by Daily end-of-shift report 01 Feb '24

01 Feb '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 31-01-2024 18:00 − Donnerstag 01-02-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Exploit released for Android local elevation flaw impacting 7 OEMs ∗∗∗ --------------------------------------------- A proof-of-concept (PoC) exploit for a local privilege elevation flaw impacting at least seven Android original equipment manufacturers (OEMs) is now publicly available on GitHub. However, as the exploit requires local access, its release will mostly be helpful to researchers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/exploit-released-for-android… ∗∗∗ Hackers push USB malware payloads via news, media hosting sites ∗∗∗ --------------------------------------------- A financially motivated threat actor using USB devices for initial infection has been found abusing legitimate online platforms, including GitHub, Vimeo, and Ars Technica, to host encoded payloads embedded in seemingly benign content. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-push-usb-malware-pay… ∗∗∗ The Fun and Dangers of Top Level Domains (TLDs), (Wed, Jan 31st) ∗∗∗ --------------------------------------------- In the beginning, life was easy. We had a very limited set of top-level domains: .com, .edu, .gov, ..int, org, .mil, .net, .org, .edu. In addition, we had .arpa for infrastructure use and various two letter country level domains. [..] But yesterday, I noticed some news about a new interesting TLD that you may want to consider adopting: .internal. --------------------------------------------- https://isc.sans.edu/diary/rss/30608 ∗∗∗ FritzFrog Returns with Log4Shell and PwnKit, Spreading Malware Inside Your Network ∗∗∗ --------------------------------------------- The threat actor behind a peer-to-peer (P2P) botnet known as FritzFrog has made a return with a new variant that leverages the Log4Shell vulnerability to propagate internally within an already compromised network. --------------------------------------------- https://thehackernews.com/2024/02/fritzfrog-returns-with-log4shell-and.html ∗∗∗ Stealthy Persistence & PrivEsc in Entra ID by using the Federated Auth Secondary Token-signing Cert. ∗∗∗ --------------------------------------------- Microsoft Entra ID (formerly known as Azure AD) offers a feature called federation that allows you to delegate authentication to another Identity Provider (IdP), such as AD FS with on-prem Active Directory. When users log in, they will be redirected to the external IdP for authentication, before being redirected back to Entra ID who will then verify the successful authentication on the external IdP and the user’s identity. [..] The external IdP signs the token with a private key, which has an associated public key stored in a certificate. [..] In this post, I’ll show you where this certificate can be found and how attackers can add it (given the necessary privileges) and use it to forge malicious tokens. Finally, I will provide some recommendations for defense in light of this. --------------------------------------------- https://medium.com/tenable-techblog/stealthy-persistence-privesc-in-entra-i… ∗∗∗ OAS Engine Deep Dive: Abusing low-impact vulnerabilities to escalate privileges ∗∗∗ --------------------------------------------- Open Automation Software recently released patches for multiple vulnerabilities in their OAS Engine. Cisco Talos publicly disclosed these issues after working with Open Automation Software to ensure that patches were available for users. Now that a fix has been released with Version 19, we want to take the time to dive into a few of these vulnerabilities and show how a handful of bugs that could be viewed as low-impact could be exploited as a series to carry out various malicious actions, even going as far to gaining access to the underlying system. --------------------------------------------- https://blog.talosintelligence.com/oas-engine-deep-dive/ ===================== = Vulnerabilities = ===================== ∗∗∗ Mastodon: Diebstahl beliebiger Identitäten im föderierten Kurznachrichtendienst ∗∗∗ --------------------------------------------- Angreifer können jeden beliebigen Account übernehmen und fälschen. [..] Die Sicherheitslücke hat die CVE-ID CVE-2024-23832 erhalten und hat immerhin 9,4 von 10 CVSS-Punkten. Es handelt sich nach Einschätzung des Mastodon-Teams um eine leicht aus der Ferne ausnutzbare Lücke, die keinerlei Vorbedingungen mitbringt. Weder muss der Angreifer über besondere Privilegien verfügen, noch einen legitimen Nutzer austricksen, etwa mit einem gefälschten Link. Weitere Details verraten die Entwickler erst am 15. Februar. --------------------------------------------- https://www.heise.de/-9615961 ∗∗∗ Security Update for Ivanti Connect Secure and Ivanti Policy Secure Gateways ∗∗∗ --------------------------------------------- Update 1 February: A patch addressing all known vulnerabilities is now available for Ivanti Connect Secure version 22.5R2.2 and Ivanti Policy Secure 22.5R1.1. --------------------------------------------- https://www.ivanti.com/blog/security-update-for-ivanti-connect-secure-and-i… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (debian-security-support, firefox-esr, openjdk-11, and python-asyncssh), Fedora (glibc, python-templated-dictionary, thunderbird, and xorg-x11-server-Xwayland), Gentoo (Chromium, Google Chrome, Microsoft Edge and WebKitGTK+), Red Hat (firefox, gnutls, libssh, thunderbird, and tigervnc), SUSE (mbedtls, rear116, rear1172a, runc, squid, and tinyssh), and Ubuntu (glibc and runc). --------------------------------------------- https://lwn.net/Articles/960436/ ∗∗∗ Gessler GmbH WEB-MASTER ∗∗∗ --------------------------------------------- Successful exploitation of these vulnerabilities could allow a user to take control of the web management of the device. An attacker with access to the device could also extract and break the password hashes for all users stored on the device. CVSS v3 9.8 --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-032-01 ∗∗∗ Entity Delete Log - Moderately critical - Access bypass - SA-CONTRIB-2024-007 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2024-007 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Lexmark Security Advisories ∗∗∗ --------------------------------------------- https://www.lexmark.com/en_us/solutions/security/lexmark-security-advisorie… ∗∗∗ Juniper: (Critical) 2024-01 Security Bulletin: JSA Series: Multiple vulnerabilities resolved in JSA Applications ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-01-Security-Bulletin-JSA-S… ∗∗∗ Juniper: (Medium) 2024-01 Security Bulletin: JSA Series: Multiple vulnerabilities resolved in 7.5.0 UP7 IF04 ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-01-Security-Bulletin-JSA-S… ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (January 22, 2024 to January 28, 2024) ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2024/02/wordfence-intelligence-weekly-wordpr… ∗∗∗ AVEVA Edge products (formerly known as InduSoft Web Studio) ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-032-03 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 31.01.2024
by Daily end-of-shift report 31 Jan '24

31 Jan '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 30-01-2024 18:00 − Mittwoch 31-01-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Debian, Ubuntu und mehr: glibc-Schwachstelle ermöglicht Root-Zugriff unter Linux ∗∗∗ --------------------------------------------- Darüber hinaus wurden weitere Schwachstellen in der Gnu-C-Bibliothek aufgedeckt. Eine davon existiert wohl schon seit über 30 Jahren. --------------------------------------------- https://www.golem.de/news/debian-ubuntu-und-mehr-glibc-schwachstelle-ermoeg… ∗∗∗ Tracking 15 Years of Qakbot Development ∗∗∗ --------------------------------------------- Qakbot (aka QBot or Pinkslipbot) is a malware trojan that has been used to operate one of the oldest and longest running cybercriminal enterprises. Qakbot has evolved from a banking trojan to a malware implant that can be used for lateral movement and the eventual deployment of ransomware. In August 2023, the Qakbot infrastructure was dismantled by law enforcement. However, just several months later in December 2023, the fifth (and latest) version of Qakbot was released, [...] --------------------------------------------- https://www.zscaler.com/blogs/security-research/tracking-15-years-qakbot-de… ∗∗∗ Ransomware: Online-Tool entschlüsselt unter Umständen BlackCat & Co. ∗∗∗ --------------------------------------------- Stimmen die Voraussetzungen, können Ransomwareopfer auf einer Website Daten entschlüsseln, ohne Lösegeld zu zahlen. --------------------------------------------- https://www.heise.de/-9614278.html ∗∗∗ A zero-day vulnerability (and PoC) to blind defenses relying on Windows event logs ∗∗∗ --------------------------------------------- A zero-day vulnerability that, when triggered, could crash the Windows Event Log service on all supported (and some legacy) versions of Windows could spell trouble for enterprise defenders. Discovered by a security researcher named Florian and reported to Microsoft, the vulnerability is yet to be patched. In the meantime, the researcher has gotten the go-ahead from the company to publish a PoC exploit. --------------------------------------------- https://www.helpnetsecurity.com/2024/01/31/windows-event-log-vulnerability/ ∗∗∗ Cutting Edge: Suspected APT Targets Ivanti Connect Secure VPN in New Zero-Day Exploitation ∗∗∗ --------------------------------------------- Update (Jan. 31): We released a follow-up blog post containing additional details from our investigations into this threat, along with more recommendations for defenders. Note: This is a developing campaign under active analysis by Mandiant and Ivanti. We will continue to add more indicators, detections, and information to this blog post as needed. --------------------------------------------- https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-d… ∗∗∗ CISA and FBI Release Secure by Design Alert Urging Manufacturers to Eliminate Defects in SOHO Routers ∗∗∗ --------------------------------------------- Today, CISA and the Federal Bureau of Investigation (FBI) published guidance on Security Design Improvements for SOHO Device Manufacturers as a part of the new Secure by Design (SbD) Alert series that focuses on how manufacturers should shift the burden of security away from customers by integrating security into product design and development. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/01/31/cisa-and-fbi-release-sec… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (bind9 and glibc), Fedora (ncurses), Gentoo (containerd, libaom, and xorg-server, xwayland), Mageia (python-pillow and zlib), Oracle (grub2 and tomcat), Red Hat (avahi, c-ares, container-tools:3.0, curl, firefox, frr, kernel, kernel-rt, kpatch-patch, libfastjson, libmicrohttpd, linux-firmware, oniguruma, openssh, perl-HTTP-Tiny, python-pip, python-urllib3, python3, rpm, samba, sqlite, tcpdump, thunderbird, tigervnc, and virt:rhel and virt-devel:rhel modules), SUSE (python-Pillow, slurm, slurm_20_02, slurm_20_11, slurm_22_05, slurm_23_02, and xen), and Ubuntu (libde265, linux-nvidia, mysql-8.0, openldap, pillow, postfix, and xorg-server, xwayland). --------------------------------------------- https://lwn.net/Articles/960248/ ∗∗∗ Mattermost security updates 9.4.2 / 9.3.1 / 9.2.5 / 8.1.9 (ESR) released ∗∗∗ --------------------------------------------- We’re informing you about a Mattermost security update, which addresses low- to medium-level severity vulnerabilities. We highly recommend that you apply the update. --------------------------------------------- https://mattermost.com/blog/mattermost-security-updates-9-4-2-9-3-1-9-2-5-8… ∗∗∗ CISA ICS Advisories ∗∗∗ --------------------------------------------- - Hitron Systems Security Camera DVR - Rockwell Automation ControlLogix and GuardLogix - Rockwell Automation FactoryTalk Service Platform - Rockwell Automation LP30/40/50 and BM40 Operator Interface --------------------------------------------- https://www.cisa.gov/news-events/cybersecurity-advisories?f%5B0%5D=advisory… ∗∗∗ CISA Adds One Known Exploited Vulnerability to Catalog ∗∗∗ --------------------------------------------- CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2022-48618 Apple Multiple Products Improper Authentication Vulnerability --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/01/31/cisa-adds-one-known-expl… ∗∗∗ Security Advisory Report - OBSO-2401-03 ∗∗∗ --------------------------------------------- A Command injection vulnerability has been identified in the MyPortal@Work application of Atos OpenScape Business which, if successfully exploited, could allow a malicious actor to execute arbitrary scripts on a client machine. The severity is rated high. Customers are advised to update the systems with the available fix release. --------------------------------------------- https://networks.unify.com/security/advisories/OBSO-2401-03.pdf ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Google Chrome: Update schließt vier Sicherheitslücken ∗∗∗ --------------------------------------------- https://www.heise.de/-9613823.html ∗∗∗ SVD-2024-0112: Third-Party Package Updates in Splunk Add-on Builder - January 2024 ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2024-0112 ∗∗∗ SVD-2024-0111: Sensitive Information Disclosure to Internal Log Files in Splunk Add-on Builder ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2024-0111 ∗∗∗ SVD-2024-0110: Session Token Disclosure to Internal Log Files in Splunk Add-on Builder ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2024-0110 ∗∗∗ The WordPress 6.4.3 Security Update – What You Need to Know ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2024/01/the-wordpress-6-4-3-security-update-… ∗∗∗ Tor Code Audit Finds 17 Vulnerabilities ∗∗∗ --------------------------------------------- https://www.securityweek.com/tor-code-audit-finds-17-vulnerabilities/ ∗∗∗ Update #5: Kritische Sicherheitslücken in Ivanti Connect Secure und Ivanti Policy Secure - aktiv ausgenützt - Patches verfügbar ∗∗∗ --------------------------------------------- https://cert.at/de/warnungen/2024/1/kritische-sicherheitslucken-in-ivanti-c… ∗∗∗ List of Security Fixes and Improvements in Veeam Backup for Nutanix AHV ∗∗∗ --------------------------------------------- https://www.veeam.com/kb4236 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.01.2024
by Daily end-of-shift report 30 Jan '24

30 Jan '24

===================== = End-of-Day report = ===================== Timeframe: Montag 29-01-2024 18:00 − Dienstag 30-01-2024 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Ransomwareattacke: Hacker greifen interne Daten von Schneider Electric ab ∗∗∗ --------------------------------------------- Angeblich steckt die Ransomwaregruppe Cactus hinter dem Angriff. Sie hat offenbar mehrere TByte an Daten exfiltriert und fordert ein Lösegeld. --------------------------------------------- https://www.golem.de/news/ransomwareattacke-hacker-greifen-interne-daten-vo… ∗∗∗ What did I say to make you stop talking to me?, (Tue, Jan 30th) ∗∗∗ --------------------------------------------- We use Cowrie to emulate an SSH and Telnet server for our honeypots. Cowrie is great software maintained by Michel Oosterhof. --------------------------------------------- https://isc.sans.edu/diary/rss/30604 ∗∗∗ New ZLoader Malware Variant Surfaces with 64-bit Windows Compatibility ∗∗∗ --------------------------------------------- Threat hunters have identified a new campaign that delivers the ZLoader malware, resurfacing nearly two years after the botnets infrastructure was dismantled in April 2022. --------------------------------------------- https://thehackernews.com/2024/01/new-zloader-malware-variant-surfaces.html ∗∗∗ Is Your SAP Cloud Connector Safe? The Risk You Can’t Ignore ∗∗∗ --------------------------------------------- In this article, we will discuss security issues and provide recommendations to mitigate the risks associated with using SAP CC on the Windows platform. --------------------------------------------- https://redrays.io/blog/sap-cloud-connector-security/ ∗∗∗ Ransomware-Bericht: Immer weniger Opfer zahlen Lösegeld ∗∗∗ --------------------------------------------- Sicherheitsforscher zeigen aktuelle Trends bei Verschlüsselungstrojanern auf. Unter anderem schrumpfen die Summen von Lösegeldern. --------------------------------------------- https://www.heise.de/news/Ransomware-Bericht-Immer-weniger-Opfer-zahlen-Loe… ∗∗∗ Lieber nicht: Abnehm-Pillen von Keto Base ∗∗∗ --------------------------------------------- In einem gefälschten Online-Artikel werden Abnehm-Pillen von Keto Base beworben. Angeblich wurde dieses „Wundermittel“ zum schnellen Abnehmen in der TV-Show „Höhle des Löwen“ vorgestellt und finanziert. Dabei handelt es sich aber um Fake News. Dieses Angebot ist unseriös und schädigt im schlimmsten Fall Ihrer Gesundheit. --------------------------------------------- https://www.watchlist-internet.at/news/lieber-nicht-abnehm-pillen-von-keto-… ∗∗∗ Trigona Ransomware Threat Actor Uses Mimic Ransomware ∗∗∗ --------------------------------------------- AhnLab SEcurity intelligence Center (ASEC) has recently identified a new activity of the Trigona ransomware threat actor installing Mimic ransomware. --------------------------------------------- https://asec.ahnlab.com/en/61000/ ∗∗∗ DarkGate malware delivered via Microsoft Teams - detection and response ∗∗∗ --------------------------------------------- While most end users are well-acquainted with the dangers of traditional phishing attacks, such as those delivered via email or other media, a large proportion are likely unaware that Microsoft Teams chats could be a phishing vector. --------------------------------------------- https://cybersecurity.att.com/blogs/security-essentials/darkgate-malware-de… ===================== = Vulnerabilities = ===================== ∗∗∗ DLL Proxying: Trend Micro liefert Updates, weitere Hersteller angreifbar ∗∗∗ --------------------------------------------- Bei Antivirenprogrammen mehrerer Hersteller haben IT-Forscher DLL-Proxying-Schwachstellen gefunden. Trend Micro hat schon Updates. --------------------------------------------- https://www.heise.de/news/DLL-Proxying-Trend-Micro-liefert-Updates-weitere-… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (pillow, postfix, and redis), Fedora (python-templated-dictionary and selinux-policy), Red Hat (gnutls, kpatch-patch, libssh, and tomcat), and Ubuntu (amanda, ceph, linux-azure, linux-azure-4.15, linux-kvm, and tinyxml). --------------------------------------------- https://lwn.net/Articles/960008/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ XSA-450 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-450.html ∗∗∗ XSA-449 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-449.html ∗∗∗ Festo: Multiple products contain CoDe16 vulnerability ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-063/ ∗∗∗ Pilz: Vulnerabiiity in PASvisu and PMI v8xx ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-050/ ∗∗∗ Emerson Rosemount GC370XA, GC700XA, GC1500XA ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-030-01 ∗∗∗ Mitsubishi Electric FA Engineering Software Products ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-030-02 ∗∗∗ Mitsubishi Electric MELSEC WS Series Ethernet Interface Module ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-030-03 ∗∗∗ Zyxel security advisory for post-authentication command injection vulnerability in NAS products ∗∗∗ --------------------------------------------- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.01.2024
by Daily end-of-shift report 29 Jan '24

29 Jan '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 26-01-2024 18:00 − Montag 29-01-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Token-Leak: Quellcode von Mercedes-Benz lag wohl frei zugänglich im Netz ∗∗∗ --------------------------------------------- Ein Authentifizierungstoken von Mercedes-Benz lag wohl für mehrere Monate in einem öffentlichen Github-Repository - mit weitreichenden Zugriffsrechten. --------------------------------------------- https://www.golem.de/news/token-leak-quellcode-von-mercedes-benz-lag-wohl-f… ∗∗∗ Exploit Flare Up Against Older Altassian Confluence Vulnerability, (Mon, Jan 29th) ∗∗∗ --------------------------------------------- Last October, Atlassian released a patch for CVE-2023-22515 [1]. This vulnerability allowed attackers to create new admin users in Confluence. Today, I noticed a bit a "flare up" in a specific exploit variant. --------------------------------------------- https://isc.sans.edu/diary/rss/30600 ∗∗∗ Trusted Domain, Hidden Danger: Deceptive URL Redirections in Email Phishing Attacks ∗∗∗ --------------------------------------------- In this ever-evolving landscape of cyberthreats, email has become a prime target for phishing attacks. Cybercriminals continue to adapt and employ more sophisticated methods to effectively deceive users and bypass detection measures. One of the most prevalent tactics nowadays involves exploiting legitimate platforms for redirection through deceptive links. In this blog post, well explore how trusted platforms are increasingly being exploited as redirectors, [...] --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trusted-dom… ∗∗∗ Albabat, Kasseika, Kuiper: New Ransomware Gangs Rise with Rust and Golang ∗∗∗ --------------------------------------------- Cybersecurity researchers have detected in the wild yet another variant of the Phobos ransomware family known as Faust. Fortinet FortiGuard Labs, which detailed the latest iteration of the ransomware, said its being propagated by means of an infection that delivers a Microsoft Excel document (.XLAM) containing a VBA script. --------------------------------------------- https://thehackernews.com/2024/01/albabat-kasseika-kuiper-new-ransomware.ht… ∗∗∗ Jetzt updaten! Exploits für kritische Jenkins-Sicherheitslücke im Umlauf ∗∗∗ --------------------------------------------- Für die in der vergangenen Woche bekanntgewordene kritische Sicherheitslücke in Jenkins ist Exploit-Code aufgetaucht. Höchste Zeit zum Aktualisieren! --------------------------------------------- https://www.heise.de/-9611923.html ∗∗∗ Erpressung in Südwestfalen: Akira kam mit geratenem Passwort ins kommunale Netz ∗∗∗ --------------------------------------------- Ein nun vorliegender forensischer Bericht stellt dem kommunalen IT-Verbund ein mittelprächtiges Zeugnis aus. Die Krisenbewältigung läuft weiter. --------------------------------------------- https://www.heise.de/-9610102.html ∗∗∗ 10 things to do to improve your online privacy ∗∗∗ --------------------------------------------- Its Data Privacy Week so here are 10 tips from our VP of Consumer Privacy, Oren Arar, about how to stay private online. --------------------------------------------- https://www.malwarebytes.com/blog/personal/2024/01/10-things-to-do-to-impro… ∗∗∗ So werden Sie bei der Wohnungssuche abgezockt ∗∗∗ --------------------------------------------- Zentrale Lage, frisch renoviert, hochwertige Möbel - und das vergleichsweise günstig. Wer auf Wohnungssuche ist, stößt früher oder später auf ein solches Angebot und ist überwältigt. Leider handelt es sich hierbei sehr wahrscheinlich um ein betrügerisches Inserat. Kriminelle versuchen Ihnen mit einmaligen Angeboten, Vorauszahlungen zu entlocken. Wir zeigen Ihnen, wie Sie bei der Wohnungssuche nicht betrogen werden. --------------------------------------------- https://www.watchlist-internet.at/news/so-werden-sie-bei-der-wohnungssuche-… ∗∗∗ Akira Ransomware and exploitation of Cisco Anyconnect vulnerability CVE-2020-3259 ∗∗∗ --------------------------------------------- In several recent incident response missions, the Truesec CSIRT team made forensic observations indicating that the old vulnerability CVE-2020-3259 is likely to be actively exploited --------------------------------------------- https://www.truesec.com/hub/blog/akira-ransomware-and-exploitation-of-cisco… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (gstreamer-plugins-bad-free, java-1.8.0-openjdk, java-11-openjdk, kernel, LibRaw, python-pillow, and xorg-x11-server), Debian (gst-plugins-bad1.0, libspreadsheet-parsexlsx-perl, mariadb-10.3, and slurm-wlm), Fedora (atril, dotnet8.0, gnutls, prometheus-podman-exporter, python-jinja2, sudo, and vips), Oracle (frr, kernel, php:8.1, python-urllib3, python3.9, rpm, sqlite, and tomcat), Slackware (pam), SUSE (cpio, rear23a, rear27a, sevctl, and xorg-x11-server), and Ubuntu (exim4 and firefox). --------------------------------------------- https://lwn.net/Articles/959882/ ∗∗∗ Vulnerabilities in WatchGuard, Panda Security Products Lead to Code Execution ∗∗∗ --------------------------------------------- Two memory safety vulnerabilities in WatchGuard and Panda Security products could lead to code execution with System privileges. --------------------------------------------- https://www.securityweek.com/vulnerabilities-in-watchguard-panda-security-p… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Trumpf: Multiple products contain WIBU CodeMeter vulnerabilities ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2024-001/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.01.2024
by Daily end-of-shift report 26 Jan '24

26 Jan '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 25-01-2024 18:00 − Freitag 26-01-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Über Push-Benachrichtigungen: Prominente iOS-Apps spähen heimlich Gerätedaten aus ∗∗∗ --------------------------------------------- Zu den Datensammlern zählen wohl iOS-Apps namhafter Onlinedienste wie Tiktok, Facebook, Instagram, Threads, Linkedin, Bing und X. --------------------------------------------- https://www.golem.de/news/ueber-push-benachrichtigungen-prominente-ios-apps… ∗∗∗ MFA war inaktiv: Microsoft deckt auf, wie Hacker an interne Mails kamen ∗∗∗ --------------------------------------------- Die Angreifer haben laut Microsoft zuerst einen Testaccount mit inaktiver MFA infiltriert - unter Einsatz einer Proxy-Infrastruktur. --------------------------------------------- https://www.golem.de/news/mfa-war-inaktiv-microsoft-deckt-auf-wie-hacker-an… ∗∗∗ Präparierte URL kann für Juniper-Firewalls und Switches gefährlich werden ∗∗∗ --------------------------------------------- Entwickler von Juniper haben in Junos OS mehrere Sicherheitslücken geschlossen. Noch sind aber nicht alle Updates verfügbar. --------------------------------------------- https://www.heise.de/-9609333.html ∗∗∗ Verwirrend: Internet-Domain fritz.box zeigt NFT-Galerie statt Router-Verwaltung ∗∗∗ --------------------------------------------- Bereits vor einer Woche haben Unbekannte die Domain "fritz.box" für sich registriert. Ihr Vorhaben ist unklar, Fritz-Besitzer sollten sich vorsehen. --------------------------------------------- https://www.heise.de/-9610149.html ∗∗∗ Blackwood hackers hijack WPS Office update to install malware ∗∗∗ --------------------------------------------- A previously unknown advanced threat actor tracked as Blackwood is using sophisticated malware called NSPX30 in cyberespionage attacks against companies and individuals. --------------------------------------------- https://www.bleepingcomputer.com/news/security/blackwood-hackers-hijack-wps… ∗∗∗ Midnight Blizzard: Guidance for responders on nation-state attack ∗∗∗ --------------------------------------------- The Microsoft security team detected a nation-state attack on our corporate systems on January 12, 2024, and immediately activated our response process to investigate, disrupt malicious activity, mitigate the attack, and deny the threat actor further access. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-… ∗∗∗ A Batch File With Multiple Payloads, (Fri, Jan 26th) ∗∗∗ --------------------------------------------- Windows batch files (.bat) are often seen by people as very simple but they can be pretty complex or.. contain interesting encoded payloads! I found one that contains multiple payloads decoded and used by a Powershell process. The magic is behind how comments can be added to such files. --------------------------------------------- https://isc.sans.edu/diary/rss/30592 ∗∗∗ Erbschaft per SMS: Ignorieren Sie diese betrügerische Nachricht ∗∗∗ --------------------------------------------- Immer wieder warnen wir vor E-Mails, in denen Betrüger:innen das große Geld versprechen: Millionengewinne, eine Spende oder eine Erbschaft sollen die Empfänger:innen plötzlich reich machen. Aktuell setzen Kriminelle jedoch nicht nur auf E-Mails, sondern auch auf SMS, um mit potenziellen Opfern in Kontakt zu treten. Danach läuft die Masche wie gewohnt ab: Mit Angeboten, die zu schön sind, um wahr zu sein, werden gutgläubige Opfer um ihr Geld gebracht. --------------------------------------------- https://www.watchlist-internet.at/news/erbschaft-per-sms-ignorieren-sie-die… ∗∗∗ Assessing and mitigating supply chain cybersecurity risks ∗∗∗ --------------------------------------------- Blindly trusting your partners and suppliers on their security posture is not sustainable – it’s time to take control through effective supplier risk management --------------------------------------------- https://www.welivesecurity.com/en/business-security/assessing-mitigating-cy… ∗∗∗ Cybersecurity for Industrial Control Systems: Best practices ∗∗∗ --------------------------------------------- Network segmentation, software patching, and continual threats monitoring are key cybersecurity best practices for Industrial Control Systems (ICS). --------------------------------------------- https://cybersecurity.att.com/blogs/security-essentials/cybersecurity-for-i… ∗∗∗ Guidance: Assembling a Group of Products for SBOM ∗∗∗ --------------------------------------------- Today, CISA published Guidance on Assembling a Group of Products created by the Software Bill of Materials (SBOM) Tooling & Implementation Working Group, one of the five SBOM community-driven workstreams facilitated by CISA. CISA’s community-driven working groups publish documents and reports to advance and refine SBOM and ultimately promote adoption. Specifically, software producers often need to assemble and test products together before releasing them to customers. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/01/26/guidance-assembling-grou… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Unified Communications Products Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- Version 1.1 - Updated list of affected products and products confirmed not vulnerable. --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Jenkins CLI PoC CVE-2024-23897 ∗∗∗ --------------------------------------------- Remote Code Execution: Jenkins CLI arbitrary read (CVE-2024-23897 applies to versions below 2.442 and LTS 2.426.3) --------------------------------------------- https://github.com/gquere/pwn_jenkins/blob/master/README.md#jenkins-cli-arb… ∗∗∗ Microsoft Edge 121 unterstützt moderne Codecs und stopft Sicherheitslecks ∗∗∗ --------------------------------------------- Microsoft hat den Webbrowser Edge in Version 121 herausgegeben. Sie stopft eine kritische Sicherheitslücke und liefert Support für AV1-Videos. --------------------------------------------- https://www.heise.de/-9609475.html ∗∗∗ Diesmal bitte patchen: Security-Update behebt kritische Schwachstelle in GitLab ∗∗∗ --------------------------------------------- GitLab 16.x enthält fünf Schwachstellen, von denen eine als kritisch eingestuft ist. Patchen ist nicht selbstverständlich, wie jüngst eine Untersuchung zeigte. --------------------------------------------- https://www.heise.de/-9609319.html ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (xorg-server), Fedora (chromium, dotnet8.0, firefox, freeipa, and thunderbird), Red Hat (avahi, c-ares, curl, edk2, expat, freetype, frr, git, gnutls, grub2, kernel, kernel-rt, libcap, libfastjson, libssh, libtasn1, libxml2, linux-firmware, ncurses, oniguruma, openssh, openssl, perl-HTTP-Tiny, protobuf-c, python-urllib3, python3, python3.9, rpm, samba, shadow-utils, sqlite, tcpdump, tomcat, and virt:rhel and virt-devel:rhel modules), SUSE (cpio, jasper, rear23a, thunderbird, and xorg-x11-server), and Ubuntu (jinja2, kernel, linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-kvm, linux-lowlatency-hwe-5.15, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-6.2, linux-azure, linux-azure-6.2, linux-azure-fde-6.2, linux-gcp, linux-hwe-6.5, linux-laptop, linux-lowlatency, linux-lowlatency-hwe-6.5, linux-oem-6.5, linux-oracle, linux-raspi, linux-starfive, linux, linux-aws, linux-aws-hwe, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-aws, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-oem-6.1, and mariadb, mariadb-10.3, mariadb-10.6). --------------------------------------------- https://lwn.net/Articles/959640/ ∗∗∗ 2024-01 Reference Advisory: Junos OS and Junos OS Evolved: Impact of Terrapin SSH Attack (CVE-2023-48795) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-01-Reference-Advisory-Juno… ∗∗∗ 2024-01 Out-of-Cycle Security Bulletin: Junos OS: SRX Series and EX Series: Multiple vulnerabilities in J-Web have been addressed ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2024-01-Out-of-Cycle-Security-B… ∗∗∗ Security Vulnerabilities fixed in Focus for iOS 122 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2024-03/ ∗∗∗ Open redirect in parameter might affect IBM Storage Defender Data Protect. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7106918 ∗∗∗ AIX is vulnerable to a denial of service (CVE-2023-5678, CVE-2023-6129, CVE-2023-6237) and an attacker may obtain sensitive information (CVE-2023-5363) due to OpenSSL ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7111837 ∗∗∗ IBM Sterling Connect:Direct for UNIX is vulnerable to multiple issues due to Eclipse Jetty. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7111880 ∗∗∗ Vulnerabilities in GNU Binutils, Bootstrap, PortSmash, Node.js, and libarchive might affect IBM Storage Defender Data Protect. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7091980 ∗∗∗ Multiple vulnerabilities in IBM Semeru Runtime may affect IBM Decision Optimization for IBM Cloud Pak for Data (CVE-2023-22006, CVE-2023-22036 & CVE-2023-22049) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7112089 ∗∗∗ IBM Security Directory Integrator affected by multiple vulnerabilities affecting IBM Java SDK ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7047118 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.01.2024
by Daily end-of-shift report 25 Jan '24

25 Jan '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 24-01-2024 18:00 − Donnerstag 25-01-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ New CherryLoader Malware Mimics CherryTree to Deploy PrivEsc Exploits ∗∗∗ --------------------------------------------- A new Go-based malware loader called CherryLoader has been discovered by threat hunters in the wild to deliver additional payloads onto compromised hosts for follow-on exploitation. --------------------------------------------- https://thehackernews.com/2024/01/new-cherryloader-malware-mimics.html ∗∗∗ SystemBC Malwares C2 Server Analysis Exposes Payload Delivery Tricks ∗∗∗ --------------------------------------------- Cybersecurity researchers have shed light on the command-and-control (C2) server of a known malware family called SystemBC. --------------------------------------------- https://thehackernews.com/2024/01/systembc-malwares-c2-server-analysis.html ∗∗∗ Memory Scanning for the Masses ∗∗∗ --------------------------------------------- In this blog post we will go into a user-friendly memory scanning Python library that was created out of the necessity of having more control during memory scanning. --------------------------------------------- https://research.nccgroup.com/2024/01/25/memory-scanning-for-the-masses/ ∗∗∗ ADCS Attack Paths in BloodHound — Part 1 ∗∗∗ --------------------------------------------- This blog post details the ESC1 domain escalation requirements and explains how BloodHound incorporates the relevant components. --------------------------------------------- https://posts.specterops.io/adcs-attack-paths-in-bloodhound-part-1-799f3d3b… ∗∗∗ CERT.at/GovCERT Austria PGP Teamkey Rotation ∗∗∗ --------------------------------------------- Da diese in einem Monat ablaufen, haben wir gestern neue PGP Keys für team(a)cert.at, reports(a)cert.at, team(a)govcert.gv.at sowie reports(a)govcert.gv.at generiert und ausgerollt. --------------------------------------------- https://cert.at/de/aktuelles/2024/1/certatgovcert-austria-pgp-teamkey-rotat… ∗∗∗ Ablauf einer Schwachstellen-Information durch CERT.at am Beispiel Ivanti Connect Secure VPN (CVE-2024-21887, CVE-2023-46805) ∗∗∗ --------------------------------------------- Nach der Veröffentlichung begann nun der normale Prozess für CERTs weltweit, ebenso natürlich für CERT.at ... die Verbreitung der Information über die Schwachstellen vorzubreiten beziehungsweise zu finalisieren. Die CERTs veröffentlichten und sendeten ihre Warnung aus. Unsere Warnung, die laufend aktualisiert wird, wurde Donnerstag 11.01.24 gegen Mittag ins Netz gestellt, über den freien RSS-Feed für Abonnenten zugänglich gemacht und ausgesandt. --------------------------------------------- https://cert.at/de/blog/2024/1/ablauf-einer-schwachstellen-information-durc… ===================== = Vulnerabilities = ===================== ∗∗∗ Konfigurationsfehler: Unzählige Kubernetes-Cluster sind potenziell angreifbar ∗∗∗ --------------------------------------------- Viele Nutzer räumen der Gruppe system:authenticated ihres GKE-Clusters aufgrund einer Fehlannahme zu viele Rechte ein - mit gravierenden Folgen. --------------------------------------------- https://www.golem.de/news/konfigurationsfehler-unzaehlige-kubernetes-cluste… ∗∗∗ Trend Micro Apex Central: Update schließt im zweiten Anlauf Sicherheitslücken ∗∗∗ --------------------------------------------- Mehrere Sicherheitslücken in Trend Micros Apex Central ermöglichen Angreifern etwa, Schadcode einzuschleusen. Ein erstes Update machte Probleme. --------------------------------------------- https://www.heise.de/news/Trend-Micro-Apex-Central-Update-schliesst-im-zwei… ∗∗∗ Tausende Gitlab-Server noch für Zero-Click-Kontoklau anfällig ∗∗∗ --------------------------------------------- IT-Forscher haben das Netz durchforstet und dabei mehr als 5000 verwundbare Gitlab-Server gefunden. Angreifer können dort einfach Konten übernehmen. --------------------------------------------- https://www.heise.de/news/Tausende-Gitlab-Server-noch-fuer-Zero-Click-Konto… ∗∗∗ Cisco: Lücke erlaubt komplette Übernahme von Unified Communication-Produkten ∗∗∗ --------------------------------------------- Cisco warnt vor einer kritischen Lücke in Unified Communication-Produkten, durch die Angreifer die Kontrolle übernehmen können. --------------------------------------------- https://www.heise.de/news/Cisco-Luecke-erlauben-komplette-Uebernahme-von-Un… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, firefox-esr, php-phpseclib, phpseclib, thunderbird, and zabbix), Fedora (dotnet7.0, firefox, fonttools, and python-jinja2), Mageia (avahi and chromium-browser-stable), Oracle (java-1.8.0-openjdk, java-11-openjdk, LibRaw, openssl, and python-pillow), Red Hat (gnutls, kpatch-patch, php:8.1, and squid:4), SUSE (apache-parent, apache-sshd, bluez, cacti, cacti-spine, erlang, firefox, java-11-openjdk, opera, python-Pillow, tomcat, tomcat10, [...] --------------------------------------------- https://lwn.net/Articles/959455/ ∗∗∗ Potentielle Remote Code Execution in Jenkins - Patch verfügbar ∗∗∗ --------------------------------------------- Mit der neuesten Version der CI/CD-Plattform Jenkins haben die Entwickler:innen neun Sicherheitslücken behoben - darunter befindet sich auch eine kritische Schwachstelle, CVE-2024-23987. --------------------------------------------- https://cert.at/de/aktuelles/2024/1/potentielle-remote-code-execution-in-je… ∗∗∗ Swift Mailer - Moderately critical - Access bypass - SA-CONTRIB-2024-006 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2024-006 ∗∗∗ Open Social - Moderately critical - Information Disclosure - SA-CONTRIB-2024-005 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2024-005 ∗∗∗ Open Social - Moderately critical - Access bypass - SA-CONTRIB-2024-004 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2024-004 ∗∗∗ Two-factor Authentication (TFA) - Moderately critical - Access bypass - SA-CONTRIB-2024-003 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2024-003 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Publish SBA-ADV-20200707-02: CloudLinux CageFS Insufficiently Restric… ∗∗∗ --------------------------------------------- https://github.com/sbaresearch/advisories/commit/fd86295907334f9cd81d8c1a7f… ∗∗∗ Publish SBA-ADV-20200707-01: CloudLinux CageFS Token Disclosure ∗∗∗ --------------------------------------------- https://github.com/sbaresearch/advisories/commit/c2db0b1da76486e2876f1c64f9… ∗∗∗ SystemK NVR 504/508/516 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-025-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.01.2024
by Daily end-of-shift report 24 Jan '24

24 Jan '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 23-01-2024 18:00 − Mittwoch 24-01-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Firefox: Passkey-Unterstützung und Sicherheitsfixes ∗∗∗ --------------------------------------------- Die Version 122 von Firefox kann mit Passkeys umgehen. Außerdem schließen die Entwickler darin wie in Firefox ESR und Thunderbird 115.7 Sicherheitslecks. --------------------------------------------- https://www.heise.de/-9606909 ∗∗∗ "Mother of all Breaches": 26 Milliarden altbekannte Datensätze ∗∗∗ --------------------------------------------- Was die Entdecker als "Mutter aller Lücken" bezeichnen, entpuppt sich laut dem "Have I Been Pwned"- Gründer Troy Hunt als Sammlung längst bekannter Daten. --------------------------------------------- https://www.heise.de/-9604882 ∗∗∗ Trello API abused to link email addresses to 15 million accounts ∗∗∗ --------------------------------------------- An exposed Trello API allows linking private email addresses with Trello accounts, enabling the creation of millions of data profiles containing both public and private information. --------------------------------------------- https://www.bleepingcomputer.com/news/security/trello-api-abused-to-link-em… ∗∗∗ Cybercrime’s Silent Operator: The Unraveling of VexTrio’s Malicious Network Empire ∗∗∗ --------------------------------------------- VexTrio is a massive and complex malicious TDS (traffic direction system) organization. It has a network of more than 60 affiliates that divert traffic into VexTrio, while it also operates its own TDS network. While aspects of the operation have been discovered and analyzed by different researchers, the core network has remained largely unknown. --------------------------------------------- https://www.securityweek.com/cybercrimes-silent-operator-the-unraveling-of-… ∗∗∗ Orca Flags Dangerous Google Kubernetes Engine Misconfiguration ∗∗∗ --------------------------------------------- A misconfiguration in Google Kubernetes Engine (GKE) could allow attackers to take over Kubernetes clusters and access sensitive information, according to a warning from cloud security startup Orca Security. The issue is related to the privileges granted to users in the system:authenticated group, which includes all users with a Google account, although it could be mistakenly believed to include only verified identities. --------------------------------------------- https://www.securityweek.com/orca-flags-dangerous-google-kubernetes-engine-… ∗∗∗ PC- und Online-Gamer:innen: Vorsicht beim Account-Handel über Marktplätze! ∗∗∗ --------------------------------------------- Aktuell erreichen uns immer wieder Meldungen zu betrügerischen Angeboten im Gaming-Bereich auf Marktplätzen wie difmark.com oder in diversen Internet-Foren. Kriminelle bieten dort unter anderem Gaming-Accounts und Nutzungsprofile an. Das Problem: Diese dürften laut Nutzungsbedingungen eigentlich gar nicht verkauft werden und Sperren sind möglich. Auch nach erfolgreichen Käufen lauern noch Fallen, durch die Spielende plötzlich durch die Finger schauen können. --------------------------------------------- https://www.watchlist-internet.at/news/pc-und-online-gamerinnen-vorsicht-be… ∗∗∗ Update #3: Kritische Sicherheitslücken in Ivanti Connect Secure und Ivanti Policy Secure - aktiv ausgenützt ∗∗∗ --------------------------------------------- Update #3: 24. Jänner 2024: Mandiant und Volexity berichten davon, Exploits gegen diese Sicherheitslücken bereits Anfang Dezember 2023 beobachtet zu haben. Es empfiehlt sich daher, gegebenenfalls den Zeitraum etwaiger Untersuchungen auf stattgefundene Angriffsversuche zumindest bis inklusive Dezember 2023 auszudehnen. --------------------------------------------- https://cert.at/de/warnungen/2024/1/kritische-sicherheitslucken-in-ivanti-c… ===================== = Vulnerabilities = ===================== ∗∗∗ Fortra GoAnywhere MFT: Kritische Lücke macht Angreifer zu Admins ∗∗∗ --------------------------------------------- Jetzt patchen! Es ist Exploitcode für die Dateiübertragungslösung Fortra GoAnywhere MFT in Umlauf. --------------------------------------------- https://www.heise.de/-9606659 ∗∗∗ Codeschmuggel-Lücke in HPE Oneview ∗∗∗ --------------------------------------------- Mehrere Sicherheitslücken in der IT-Infrastrukturverwaltung HPE Oneview ermöglichen Angreifern, etwa Schadcode einzuschleusen. Updates stehen bereit. --------------------------------------------- https://www.heise.de/-9607490 ∗∗∗ Chrome-Update dichtet 17 Sicherheitslecks ab ∗∗∗ --------------------------------------------- Googles Entwickler aktualisieren den Chrome-Webbrowser und schließen 17 Sicherheitslücken darin. Einige ermöglichen wohl Codeschmuggel. --------------------------------------------- https://www.heise.de/-9606618 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (jinja2, openjdk-11, ruby-httparty, and xorg-server), Fedora (ansible-core and mingw-jasper), Gentoo (GOCR, Ruby, and sudo), Oracle (gstreamer-plugins-bad-free, java-17-openjdk, java-21-openjdk, python-cryptography, and xorg-x11-server), Red Hat (kernel, kernel-rt, kpatch-patch, LibRaw, python-pillow, and python-pip), Slackware (mozilla), SUSE (python-Pillow, rear118a, and redis7), and Ubuntu (libapache-session-ldap-perl and pycryptodome). --------------------------------------------- https://lwn.net/Articles/959325/ ∗∗∗ Cisco Unified Communications Products Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in multiple Cisco Unified Communications and Contact Center Solutions products could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. CVE-2024-20253, CVSS Score: Base 9.9 --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Unity Connection Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Small Business Series Switches Stacked Reload ACL Bypass Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ High Severity Arbitrary File Upload Vulnerability Patched in File Manager Pro WordPress Plugin ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2024/01/high-severity-arbitrary-file-upload-… ∗∗∗ APsystems Energy Communication Unit (ECU-C) Power Control Software ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-023-01 ∗∗∗ CISA Adds One Known Exploited Vulnerability to Catalog ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/01/24/cisa-adds-one-known-expl… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.01.2024
by Daily end-of-shift report 23 Jan '24

23 Jan '24

===================== = End-of-Day report = ===================== Timeframe: Montag 22-01-2024 18:00 − Dienstag 23-01-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ MavenGate Attack Could Let Hackers Hijack Java and Android via Abandoned Libraries ∗∗∗ --------------------------------------------- Several public and popular libraries abandoned but still used in Java and Android applications have been found susceptible to a new software supply chain attack method called MavenGate. --------------------------------------------- https://thehackernews.com/2024/01/hackers-hijack-popular-java-and-android.h… ∗∗∗ Cactus Ransomware malware analysis ∗∗∗ --------------------------------------------- On January 20th the Cactus ransomware group attacked a number of victims across varying industries. The attacks were disclosed on their leak site with the accompanying victim data. --------------------------------------------- https://www.shadowstackre.com/analysis/cactus ∗∗∗ Vorsicht vor Peek & Cloppenburg Fake-Shops ∗∗∗ --------------------------------------------- Auf Facebook und Instagram werden gefälschte Angebote vom Modehaus „Peek & Cloppenburg“ beworben. In den gefälschten Werbeanzeigen werden Rabatte bis zu 90 % versprochen. Wenn Sie auf die Anzeige klicken, landen Sie in einem betrügerischen Shop, mit einer glaubwürdigen Internetadresse: „peek-cloppenburgsale.shop“. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-peek-cloppenburg-fake-s… ∗∗∗ Threat Assessment: BianLian ∗∗∗ --------------------------------------------- We analyze the extremely active ransomware group BianLian. Mostly targeting healthcare, they have moved from double-extortion to extortion without encryption. --------------------------------------------- https://unit42.paloaltonetworks.com/bianlian-ransomware-group-threat-assess… ∗∗∗ Conditional QR Code Routing Attacks ∗∗∗ --------------------------------------------- Over the summer, we saw a somewhat unexpected rise in QR-code based phishing attacks. These attacks were all fairly similar. The main goal was to induce the end-user to scan the QR Code, where they would be redirected to a credential harvesting page. --------------------------------------------- https://blog.checkpoint.com/harmony-email/conditional-qr-code-routing-attac… ∗∗∗ Lazarus Group Uses the DLL Side-Loading Technique (2) ∗∗∗ --------------------------------------------- Through the “Lazarus Group Uses the DLL Side-Loading Technique” [1] blog post, AhnLab SEcurity intelligence Center(ASEC) has previously covered how the Lazarus group used the DLL side-loading attack technique using legitimate applications in the initial access stage to achieve the next stage of their attack process. --------------------------------------------- https://asec.ahnlab.com/en/60792/ ∗∗∗ Kasseika Ransomware Deploys BYOVD Attacks, Abuses PsExec and Exploits Martini Driver ∗∗∗ --------------------------------------------- In this blog, we detail our investigation of the Kasseika ransomware and the indicators we found suggesting that the actors behind it have acquired access to the source code of the notorious BlackMatter ransomware. --------------------------------------------- https://www.trendmicro.com/en_us/research/24/a/kasseika-ransomware-deploys-… ===================== = Vulnerabilities = ===================== ∗∗∗ Fortra warns of new critical GoAnywhere MFT auth bypass, patch now ∗∗∗ --------------------------------------------- Fortra is warning of a new authentication bypass vulnerability impacting GoAnywhere MFT (Managed File Transfer) versions before 7.4.1 that allows an attacker to create a new admin user. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fortra-warns-of-new-critical… ∗∗∗ Exploiting 0-click Android Bluetooth vulnerability to inject keystrokes without pairing ∗∗∗ --------------------------------------------- A recently discovered critical vulnerabilities (CVE-2023-45866, CVE-2024-21306) in Bluetooth can be exploited to inject keystrokes without user confirmation – by accepting any Bluetooth pairing request. --------------------------------------------- https://www.mobile-hacker.com/2024/01/23/exploiting-0-click-android-bluetoo… ∗∗∗ Sicherheitsfixes: Apple aktualisiert ältere Systeme – und räumt Zero Days ein ∗∗∗ --------------------------------------------- Apple hat neben macOS 14.3 und iOS 17.3 auch neue Versionen von iOS 15, 16, macOS 12 und 13 sowie Safari veröffentlicht. Es gab einen erneuten Zero-Day-Exploit. --------------------------------------------- https://www.heise.de/news/Sicherheitsfixes-Apple-aktualisiert-aeltere-Syste… ∗∗∗ Konfigurationsübertragung kann Behelfslösung zum Schutz von Ivanti ICS aufheben ∗∗∗ --------------------------------------------- Bislang können Admins Ivanti Connect Secure und Policy Secure nur über einen Workaround vor laufenden Attacken schützen. Dieser funktioniert aber nicht immer. --------------------------------------------- https://www.heise.de/news/Konfigurationsuebertragung-kann-Behelfsloesung-zu… ∗∗∗ Barracuda WAF: Kritische Sicherherheitslücken ermöglichen Umgehung des Schutzes ∗∗∗ --------------------------------------------- Barracuda hat einen Sicherheitshinweis bezüglich der Web Application Firewall veröffentlicht. Sicherheitslücken ermöglichen das Umgehen des Schutzes. --------------------------------------------- https://www.heise.de/news/Barracuda-WAF-Kritische-Sicherherheitsluecken-erm… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (kodi and squid), Fedora (ansible-core, java-latest-openjdk, mingw-python-jinja2, openssh, and pgadmin4), Gentoo (Apache XML-RPC), Red Hat (gnutls and xorg-x11-server), Slackware (postfix), SUSE (bluez and openssl-3), and Ubuntu (gnutls28, libssh, and squid). --------------------------------------------- https://lwn.net/Articles/959127/ ∗∗∗ Splunk Security Advisories 2024-01-22 ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ XSA-448 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-448.html ∗∗∗ Security Vulnerabilities fixed in Thunderbird 115.7 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2024-04/ ∗∗∗ Security Vulnerabilities fixed in Firefox ESR 115.7 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2024-02/ ∗∗∗ Security Vulnerabilities fixed in Firefox 122 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/ ∗∗∗ TRUMPF: Oseon contains vulnerable version of OpenSSL 1.1.x ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2024-006/ ∗∗∗ TRUMPF: Multiple products include a vulnerable version of Notepad++ ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2024-003/ ∗∗∗ TRUMPF: Multiple products contain vulnerable version of 7-zip ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2024-005/ ∗∗∗ Citrix Hypervisor Security Bulletin for CVE-2023-46838 ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX587605/citrix-hypervisor-security-bul… ∗∗∗ Crestron AM-300 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-023-02 ∗∗∗ Lantronix XPort ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-023-05 ∗∗∗ Voltronic Power ViewPower Pro ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-023-03 ∗∗∗ Orthanc Osimis DICOM Web Viewer ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-023-01 ∗∗∗ APsystems Energy Communication Unit (ECU-C) Power Control Software ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-023-01 ∗∗∗ Westermo Lynx 206-F2G ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-023-04 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.01.2024
by Daily end-of-shift report 22 Jan '24

22 Jan '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 19-01-2024 18:00 − Montag 22-01-2024 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Cracked software beats gold: new macOS backdoor stealing cryptowallets ∗∗∗ --------------------------------------------- We review a new macOS backdoor that piggybacks on cracked software to replace Bitcoin and Exodus wallets with malware. --------------------------------------------- https://securelist.com/new-macos-backdoor-crypto-stealer/111778/ ∗∗∗ Apache ActiveMQ Flaw Exploited in New Godzilla Web Shell Attacks ∗∗∗ --------------------------------------------- Cybersecurity researchers are warning of a "notable increase" in threat actor activity actively exploiting a now-patched flaw in Apache ActiveMQ to deliver the Godzilla web shell on compromised hosts. --------------------------------------------- https://thehackernews.com/2024/01/apache-activemq-flaw-exploited-in-new.html ∗∗∗ Confluence: Kritische Sicherheitslücke in veralteten Versionen wird ausgenutzt ∗∗∗ --------------------------------------------- Wie das Shadowserver-Projekt auf Mastodon meldet, durchpflügen Angreifer derzeit von 600 verschiedenen IP-Adressen das Netz nach möglichen Opfern. Eine simple HTTP-POST-Anfrage genügt, um die Sicherheitslücke auszunutzen und den Confluence-Server zu übernehmen. [..] Der Hersteller wies seine Kunden bereits am vergangenen Dienstag auf die Sicherheitslücke hin, die er wie 27 weitere im Rahmen des Atlassian-Patchday behoben hat. --------------------------------------------- https://www.heise.de/-9605028 ∗∗∗ VMware vCenter Server seit Monaten über CVE-2023-3404 angegriffen; Attacken weiten sich aus ∗∗∗ --------------------------------------------- Inzwischen hat auch VMware bestätigt, dass eine im Oktober 2023 gepatchte vCenter Server-Sicherheitslücke jetzt aktiv ausgenutzt wird. vCenter Server ist die Management-Plattform für VMware vSphere-Umgebungen, die Administratoren bei der Verwaltung von ESX- und ESXi-Servern und virtuellen Maschinen (VMs) unterstützt. [..] Sicherheitsforscher von Mandiant haben in diesem Beitrag offen gelegt, dass die chinesische Spionage-Gruppe UNC3886 diese Schwachstelle CVE-2023-34048 längst kannte und diese seit mindestens Ende 2021 aktiv angegriffen habe. --------------------------------------------- https://www.borncity.com/blog/2024/01/22/vmware-vcenter-server-seit-monaten… ∗∗∗ NS-STEALER Uses Discord Bots to Exfiltrate Your Secrets from Popular Browsers ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered a new Java-based "sophisticated" information stealer that uses a Discord bot to exfiltrate sensitive data from compromised hosts. The malware, named NS-STEALER, is propagated via ZIP archives masquerading as cracked software, Trellix security researcher Gurumoorthi Ramanathan said in an analysis published last week. --------------------------------------------- https://thehackernews.com/2024/01/ns-stealer-uses-discord-bots-to.html ∗∗∗ Domain Escalation – Backup Operator ∗∗∗ --------------------------------------------- The Backup Operators is a Windows built-in group. Users which are part of this group have permissions to perform backup and restore operations. More specifically, these users have the SeBackupPrivilege assigned which enables them to read sensitive files from the domain controller i.e. Security Account Manager (SAM). --------------------------------------------- https://pentestlab.blog/2024/01/22/domain-escalation-backup-operator/ ∗∗∗ Vorsicht vor PayLife-E-Mails mit einem QR-Code ∗∗∗ --------------------------------------------- In einem gefälschten E-Mail werden Sie informiert, dass Ihre myPayLife App gesperrt ist. Angeblich können Sie keine Aufträge oder Internetzahlungen mehr freigeben. Um die Sperre aufzuheben, müssen Sie einen QR-Code scannen. Ignorieren Sie dieses E-Mail, es handelt sich um eine Phishing-Falle. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-paylife-e-mails-mit-ein… ∗∗∗ Parrot TDS: A Persistent and Evolving Malware Campaign ∗∗∗ --------------------------------------------- Traffic detection system Parrot has infected tens of thousands of websites worldwide. We outline the scripting evolution of this injection campaign and its scope. --------------------------------------------- https://unit42.paloaltonetworks.com/parrot-tds-javascript-evolution-analysi… ∗∗∗ Is the Google search bar enough to hack Belgian companies? ∗∗∗ --------------------------------------------- In this blog post, we will go over a technique called Google Dorking and demonstrate how it can be utilized to uncover severe security vulnerabilities in web applications hosted right here in Belgium, where NVISO was founded. --------------------------------------------- https://blog.nviso.eu/2024/01/22/is-the-google-search-bar-enough-to-hack-be… ∗∗∗ The Confusing History of F5 BIG-IP RCE Vulnerabilities ∗∗∗ --------------------------------------------- If you want to know way too much about attacks against F5 BIG-IP devices, then this is the blog for you! --------------------------------------------- https://www.greynoise.io/blog/the-confusing-history-of-f5-big-ip-rce-vulner… ===================== = Vulnerabilities = ===================== ∗∗∗ Gambio 4.9.2.0 - Insecure Deserialization ∗∗∗ --------------------------------------------- Gambio is software designed for running online shops. It provides various features and tools to help businesses manage their inventory, process orders, and handle customer interactions. According to their homepage, the software is used by more than 25.000 shops. Security Risk: Critical, CVE Number: Pending, Vendor Status: Not fixed --------------------------------------------- https://herolab.usd.de/security-advisories/usd-2023-0046/ ∗∗∗ Sicherheitsupdates: Schlupflöcher für Schadcode in Lexmark-Druckern geschlossen ∗∗∗ --------------------------------------------- Angreifer können an vielen Druckermodellen von Lexmark ansetzen, um Geräte zu kompromittieren. Derzeit soll es noch keine Attacken geben. --------------------------------------------- https://www.heise.de/-9604795 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (keystone and subunit), Fedora (dotnet6.0, golang, kernel, sos, and tigervnc), Mageia (erlang), Red Hat (openssl), SUSE (bluez, python-aiohttp, and seamonkey), and Ubuntu (postfix and xorg-server). --------------------------------------------- https://lwn.net/Articles/959006/ ∗∗∗ Critical Vulnerabilities Found in Open Source AI/ML Platforms ∗∗∗ --------------------------------------------- Security researchers flag multiple severe vulnerabilities in open source AI/ML solutions MLflow, ClearML, Hugging Face.The post Critical Vulnerabilities Found in Open Source AI/ML Platforms appeared first on SecurityWeek. --------------------------------------------- https://www.securityweek.com/critical-vulnerabilities-found-in-ai-ml-open-s… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ WAGO: WIBU-SYSTEMS CodeMeter Runtime vulnerabilities in multiple products ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2024-007/ ∗∗∗ Spring: CVE-2024-22233: Spring Framework server Web DoS Vulnerability ∗∗∗ --------------------------------------------- https://spring.io/blog/2024/01/22/cve-2024-22233-spring-framework-server-we… ∗∗∗ Roundcube: Update 1.6.6 released ∗∗∗ --------------------------------------------- https://roundcube.net/news/2024/01/20/update-1.6.6-released -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.01.2024
by Daily end-of-shift report 19 Jan '24

19 Jan '24

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 18-01-2024 18:00 − Freitag 19-01-2024 18:00 Handler: Robert Waldner Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ TeamViewer abused to breach networks in new ransomware attacks ∗∗∗ --------------------------------------------- Ransomware actors are again using TeamViewer to gain initial access to organization endpoints and attempt to deploy encryptors based on the leaked LockBit ransomware builder. --------------------------------------------- https://www.bleepingcomputer.com/news/security/teamviewer-abused-to-breach-… ∗∗∗ macOS Python Script Replacing Wallet Applications with Rogue Apps, (Fri, Jan 19th) ∗∗∗ --------------------------------------------- Still today, many people think that Apple and its macOS are less targeted by malware. But the landscape is changing and threats are emerging in this ecosystem too. --------------------------------------------- https://isc.sans.edu/diary/rss/30572 ∗∗∗ Experts Warn of macOS Backdoor Hidden in Pirated Versions of Popular Software ∗∗∗ --------------------------------------------- Pirated applications targeting Apple macOS users have been observed containing a backdoor capable of granting attackers remote control to infected machines. --------------------------------------------- https://thehackernews.com/2024/01/experts-warn-of-macos-backdoor-hidden.html ∗∗∗ Taking over WhatsApp accounts by reading voicemails ∗∗∗ --------------------------------------------- The investigation is centered on a vulnerability related to the Personal Identification Number (PIN) required for authenticating WhatsApp’s account backup feature. I describe how this PIN could be compromised through a voice call backup delivery method, forcing the call to go voicemail, and spoofing the victims phone number to read their voicemail. --------------------------------------------- https://medium.com/@rramgattie/taking-over-whatsapp-accounts-by-reading-voi… ∗∗∗ Recovery Scam: Kriminelle geben sich als blockchain.com aus und informieren über angeblich ruhende Bitcoin-Wallet ∗∗∗ --------------------------------------------- Opfer einer betrügerischen Trading-Plattform erleiden mitunter erhebliche finanzielle Verluste. Entsprechend groß ist die Verzweiflung und der Wunsch, das Geld zurückzubekommen. Kriminelle nutzen dies aus und kontaktieren die Opfer nach einiger Zeit erneut. --------------------------------------------- https://www.watchlist-internet.at/news/recovery-scam-kriminelle-geben-sich-… ∗∗∗ Virtual kidnapping: How to see through this terrifying scam ∗∗∗ --------------------------------------------- Phone fraud takes a frightening twist as fraudsters can tap into AI to cause serious emotional and financial damage to the victims. --------------------------------------------- https://www.welivesecurity.com/en/scams/virtual-kidnapping-see-through-scam/ ∗∗∗ Ivanti Connect Secure VPN Exploitation: New Observations ∗∗∗ --------------------------------------------- Volexity also recently learned of a potential issue that organizations may be facing when attempting to bring fresh Ivanti Connect Secure VPN appliances back online that leave them in a vulnerable state. These findings may partially account for why there has been an increase in compromised systems in subsequent scans. --------------------------------------------- https://www.volexity.com/blog/2024/01/18/ivanti-connect-secure-vpn-exploita… ===================== = Vulnerabilities = ===================== ∗∗∗ VMware confirms critical vCenter flaw now exploited in attacks ∗∗∗ --------------------------------------------- VMware has confirmed that a critical vCenter Server remote code execution vulnerability patched in October is now under active exploitation. --------------------------------------------- https://www.bleepingcomputer.com/news/security/vmware-confirms-critical-vce… ∗∗∗ Npm Trojan Bypasses UAC, Installs AnyDesk with "Oscompatible" Package ∗∗∗ --------------------------------------------- A malicious package uploaded to the npm registry has been found deploying a sophisticated remote access trojan on compromised Windows machines. --------------------------------------------- https://thehackernews.com/2024/01/npm-trojan-bypasses-uac-installs.html ∗∗∗ Smartphones und mehr: Auch Umgebungslichtsensoren können spionieren ∗∗∗ --------------------------------------------- Nicht nur Smartphone-Kameras können Personen ausspionieren, sondern auch Umgebungslichtsensoren. Das geht aus einer in "Science" veröffentlichen Studie hervor. --------------------------------------------- https://heise.de/-9601724 ∗∗∗ Angreifer attackieren Ivanti EPMM und MobileIron Core ∗∗∗ --------------------------------------------- Angreifer nutzen derzeit eine kritische Sicherheitslücke in Ivanti EPMM und MobileIron Core aus. --------------------------------------------- https://www.heise.de/news/Angreifer-attackieren-Ivanti-EPMM-und-MobileIron-… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (ImageMagick), Debian (chromium), Fedora (golang-x-crypto, golang-x-mod, golang-x-net, golang-x-text, gtkwave, redis, and zbar), Mageia (tinyxml), Oracle (.NET 7.0, .NET 8.0, java-1.8.0-openjdk, java-11-openjdk, python3, and sqlite), Red Hat (gstreamer-plugins-bad-free, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, and java-21-openjdk), SUSE (kernel, libqt5-qtbase, libssh, pam, rear23a, and rear27a), and Ubuntu (pam and zookeeper). --------------------------------------------- https://lwn.net/Articles/958676/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (chromium, golang-github-facebook-time, podman, and xorg-x11-server-Xwayland), Oracle (.NET 6.0, java-1.8.0-openjdk, java-11-openjdk, and python3.11-cryptography), Red Hat (java-11-openjdk, python-requests, and python-urllib3), SUSE (chromium, kernel, libcryptopp, libuev, perl-Spreadsheet-ParseExcel, suse-module-tools, and xwayland), and Ubuntu (filezilla and xerces-c). --------------------------------------------- https://lwn.net/Articles/958760/ ∗∗∗ Important Progress OpenEdge Critical Alert for Progress Application Server in OpenEdge (PASOE) - Arbitrary File Upload Vulnerability in WEB Transport ∗∗∗ --------------------------------------------- https://community.progress.com/s/article/Important-Progress-OpenEdge-Critic… ∗∗∗ ZDI Security Advisories ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/published/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.01.2024
by Daily end-of-shift report 18 Jan '24

18 Jan '24

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 17-01-2024 18:00 − Donnerstag 18-01-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Missbrauch möglich: Whatsapp lässt fremde Nutzer Geräteinformationen abgreifen ∗∗∗ --------------------------------------------- Anhand ihrer Rufnummer lässt sich zum Beispiel feststellen, wie viele Geräte eine Zielperson mit Whatsapp verwendet und wann sie diese wechselt. --------------------------------------------- https://www.golem.de/news/missbrauch-moeglich-whatsapp-laesst-fremde-nutzer… ∗∗∗ New Microsoft Incident Response guides help security teams analyze suspicious activity ∗∗∗ --------------------------------------------- Today Microsoft Incident Response are proud to introduce two one-page guides to help security teams investigate suspicious activity in Microsoft 365 and Microsoft Entra. These guides contain the artifacts that Microsoft Incident Response hunts for and uses daily to provide our customers with evidence of Threat Actor activity in their tenant. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2024/01/17/new-microsoft-inci… ∗∗∗ More Scans for Ivanti Connect "Secure" VPN. Exploits Public, (Thu, Jan 18th) ∗∗∗ --------------------------------------------- Exploits around the Ivanti Connect "Secure" VPN appliance, taking advantage of CVE-2023-46805, continue evolving. Late on Tuesday, more details became public, particularly the blog post by Rapid7 explaining the underlying vulnerability in depth. --------------------------------------------- https://isc.sans.edu/diary/rss/30568 ∗∗∗ PixieFail UEFI Flaws Expose Millions of Computers to RCE, DoS, and Data Theft ∗∗∗ --------------------------------------------- Multiple security vulnerabilities have been disclosed in the TCP/IP network protocol stack of an open-source reference implementation of the Unified Extensible Firmware Interface (UEFI) specification used widely in modern computers.Collectively dubbed PixieFail by Quarkslab, the nine issues reside in the TianoCore EFI Development Kit II (EDK II) and could be exploited to --------------------------------------------- https://thehackernews.com/2024/01/pixiefail-uefi-flaws-expose-millions-of.h… ∗∗∗ MFA Spamming and Fatigue: When Security Measures Go Wrong ∗∗∗ --------------------------------------------- MFA spamming refers to the malicious act of inundating a target user's email, phone, or other registered devices with numerous MFA prompts or confirmation codes. The objective behind this tactic is to overwhelm the user with notifications, in the hopes that they will inadvertently approve an unauthorized login. To execute this attack, hackers require the target victim's account credentials (username and password) to initiate the login process and trigger the MFA notifications. --------------------------------------------- https://thehackernews.com/2024/01/mfa-spamming-and-fatigue-when-security.ht… ∗∗∗ Russian COLDRIVER Hackers Expand Beyond Phishing with Custom Malware ∗∗∗ --------------------------------------------- [..] COLDRIVER has been observed evolving its tradecraft to go beyond credential harvesting to deliver its first-ever custom malware written in the Rust programming language.Googles Threat Analysis Group (TAG), which shared details of the latest activity, said the attack chains leverage PDFs as decoy documents to trigger the infection sequence. --------------------------------------------- https://thehackernews.com/2024/01/russian-coldriver-hackers-expand-beyond.h… ∗∗∗ Daten aus GPU belauscht: KI-Sicherheitslücke bei Apple Silicon, AMD und Qualcomm ∗∗∗ --------------------------------------------- Sicherheitsforscher haben ein Problem in den Grafikkernen älterer iPhones und Macs entdeckt, außerdem bei AMD und Qualcomm. Apple patcht – teilweise. --------------------------------------------- https://heise.de/-9600829 ∗∗∗ Exploring malicious Windows drivers (Part 1): Introduction to the kernel and drivers ∗∗∗ --------------------------------------------- Malicious drivers are difficult to detect and successfully leveraging one can give an attacker full access to a system. --------------------------------------------- https://blog.talosintelligence.com/exploring-malicious-windows-drivers-part… ∗∗∗ Critical vulnerability in ManageEngine could lead to file creation, dozens of other vulnerabilities disclosed by Talos to start 2024 ∗∗∗ --------------------------------------------- Cisco Talos’ Vulnerability Research team has disclosed dozens of vulnerabilities over the past month, including more than 30 advisories in GTKWave and a critical vulnerability in ManageEngine OpManager. Cisco ASIG also recently discovered an information disclosure vulnerability in DuoUniversalKeycloakAuthenticator [..] There are also multiple vulnerabilities in AVideo [..] All the vulnerabilities mentioned in this blog post have been patched by their respective vendors --------------------------------------------- https://blog.talosintelligence.com/vulnerability-roundup-jan-17-2024/ ===================== = Vulnerabilities = ===================== ∗∗∗ Drupal core - Moderately critical - Denial of Service - SA-CORE-2024-001 ∗∗∗ --------------------------------------------- The Comment module allows users to reply to comments. In certain cases, an attacker could make comment reply requests that would trigger a denial of service (DOS). Sites that do not use the Comment module are not affected. --------------------------------------------- https://www.drupal.org/sa-core-2024-001 ∗∗∗ MOVEit Transfer: Updates gegen DOS-Lücke ∗∗∗ --------------------------------------------- Updates für MOVEit Transfer dichten Sicherheitslecks ab, durch die Angreifer Rechenfehler provozieren oder den Dienst lahmlegen können. --------------------------------------------- https://heise.de/-9601492 ∗∗∗ Trend Micro: Sicherheitslücken in Security-Agents ermöglichen Rechteausweitung ∗∗∗ --------------------------------------------- Trend Micro warnt vor Sicherheitslücken in den Security-Agents, durch die Angreifer ihre Rechte ausweiten können. Software-Updates stehen bereit. --------------------------------------------- https://heise.de/-9601595 ∗∗∗ Nextcloud: Lücken in Apps gefährden Nutzerkonten und Datensicherheit ∗∗∗ --------------------------------------------- In mehreren Erweiterungen, etwa zur Lastverteilung, zur Anmeldung per OAuth und ZIP-Download, klaffen Löcher. Updates sind bereits verfügbar. --------------------------------------------- https://heise.de/-9601589 ∗∗∗ 2024-01 Security Bulletin: Junos OS and Junos OS Evolved: rpd process crash due to BGP flap on NSR-enabled devices (CVE-2024-21585) ∗∗∗ --------------------------------------------- An Improper Handling of Exceptional Conditions vulnerability in BGP session processing of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated network-based attacker, using specific timing outside the attacker's control, to flap BGP sessions and cause the routing protocol daemon (rpd) process to crash and restart, leading to a Denial of Service (DoS) condition. Continued BGP session flapping will create a sustained Denial of Service (DoS) condition. --------------------------------------------- https://supportportal.juniper.net/s/article/2024-01-Security-Bulletin-Junos… ∗∗∗ 2024-01 Security Bulletin: JSA Series: Multiple vulnerabilities resolved ∗∗∗ --------------------------------------------- Multiple vulnerabilities have been resolved in Juniper Secure Analytics in 7.5.0 UP7 IF04. --------------------------------------------- https://supportportal.juniper.net/s/article/2024-01-Security-Bulletin-JSA-S… ∗∗∗ Oracle Releases Critical Patch Update Advisory for January 2024 ∗∗∗ --------------------------------------------- Oracle released its Critical Patch Update Advisory for January 2024 to address vulnerabilities in multiple products. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/01/18/oracle-releases-critical… ∗∗∗ Multiple Dahua Technology products vulnerable to authentication bypass ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN83655695/ ∗∗∗ There is a vulnerability in batik-all-1.15.jar used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2022-44730 and CVE-2022-44729) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7107742 ∗∗∗ IBM Maximo Manage is vulnerable to attack due to Eclipse Jetty ( IBM X-Force ID 261776) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7107716 ∗∗∗ There is a vulnerability in CSRF Token used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2023-47718) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7107740 ∗∗∗ IBM Asset Data Dictionary Component uses bcprov-jdk18on-1.72.jar which is vulnerable to CVE-2023-33201 and CVE-2023-33202 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7108953 ∗∗∗ IBM Maximo Application Suite and IBM Maximo Application Suite - IoT Component uses Werkzeug-2.2.3-py3-none-any.whl which is vulnerable to CVE-2023-46136 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7108960 ∗∗∗ IBM Asset Data Dictionary Component uses netty-codec-http2-4.1.94, netty-handler-4.1.86 and netty-handler-4.1.92 which is vulnerable to CVE-2023-44487 and CVE-2023-34462 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7108959 ∗∗∗ IBM Storage Ceph is vulnerable to Use After Free in the RHEL UBI (CVE-2023-4813) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7108974 ∗∗∗ IBM Storage Ceph is vulnerable to Cross Site Scripting in Grafana (CVE-2022-39324) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7108973 ∗∗∗ AVEVA PI Server ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-018-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.01.2024
by Daily end-of-shift report 17 Jan '24

17 Jan '24

===================== = End-of-Day report = ===================== Timeframe: Dienstag 16-01-2024 18:00 − Mittwoch 17-01-2024 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Jetzt patchen! Vorsicht vor DoS-Angriffen auf Citrix NetScaler ADC und Gateway ∗∗∗ --------------------------------------------- Citrix hat Produkte seiner NetScaler-Serie auf den aktuellen Stand gebracht und gegen laufende Attacken gerüstet. --------------------------------------------- https://www.heise.de/-9599627.html ∗∗∗ Tausende Geräte kompromittiert durch Ivanti-Sicherheitslücken ∗∗∗ --------------------------------------------- Die Schwachstellen in Ivantis VPN-Software werden massiv angegriffen. IT-Forscher haben tausende kompromittierte Systeme gefunden. --------------------------------------------- https://www.heise.de/-9599887.html ∗∗∗ LKA warnt vor WhatsApp-Betrugsmasche ∗∗∗ --------------------------------------------- Eine neue Betrugsmasche setzt auf erneutes Kontaktieren von Opfern vorheriger Betrügereien. Davor warnt das LKA Niedersachsen. --------------------------------------------- https://www.heise.de/-9600403.html ∗∗∗ Apple, AMD, Qualcomm: GPUs mehrerer Hersteller anfällig für Datenklau ∗∗∗ --------------------------------------------- Ein Angriff ist wohl einfach ausführbar und benötigt weniger als 10 Zeilen Code. Abgreifen lassen sich zum Beispiel Unterhaltungen mit KI-Chatbots. --------------------------------------------- https://www.golem.de/news/apple-amd-qualcomm-gpus-mehrerer-hersteller-anfae… ∗∗∗ GitHub rotates keys to mitigate impact of credential-exposing flaw ∗∗∗ --------------------------------------------- GitHub rotated keys potentially exposed by a vulnerability patched in December that could let attackers access credentials within production containers via environment variables. --------------------------------------------- https://www.bleepingcomputer.com/news/security/github-rotates-keys-to-mitig… ∗∗∗ PAX PoS Terminal Flaw Could Allow Attackers to Tamper with Transactions ∗∗∗ --------------------------------------------- The point-of-sale (PoS) terminals from PAX Technology are impacted by a collection of high-severity vulnerabilities that can be weaponized by threat actors to execute arbitrary code. --------------------------------------------- https://thehackernews.com/2024/01/pax-pos-terminal-flaw-could-allow.html ∗∗∗ Whats worse than paying an extortion bot that auto-pwned your database? ∗∗∗ --------------------------------------------- Paying one that lied to you and only saved the first 20 rows of each table --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2024/01/17/extortion_bo… ∗∗∗ Website Takeover Campaign Takes Advantage of Unauthenticated Stored Cross-Site Scripting Vulnerability in Popup Builder Plugin ∗∗∗ --------------------------------------------- On December 11, 2023, we added an Unauthenticated Stored XSS vulnerability in the Popup Builder WordPress plugin to our Wordfence Intelligence Vulnerability Database. This vulnerability, which was originally reported by WPScan, allows an unauthenticated attacker to inject arbitrary JavaScript that will be executed whenever a user accesses an injected page. --------------------------------------------- https://www.wordfence.com/blog/2024/01/website-takeover-campaign-takes-adva… ∗∗∗ Vorsicht vor versteckten Kosten auf prosperi.academy! ∗∗∗ --------------------------------------------- Investieren für alle zugänglich zu machen. So lautet die Mission der Prosperi Academy, die derzeit auf Facebook und Instagram kräftig die Werbetrommel rührt. Mit Hilfe der Prosperi Plattform sollen Interessierte die wichtigsten Begriffe und Regeln rund ums Investieren lernen und zusätzliche Einnahmequellen entdecken. Doch wer sich entscheidet, Prosperi zu testen, muss mit versteckten Kosten rechnen. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-versteckten-kosten-auf-… ∗∗∗ Threat Brief: Ivanti Vulnerabilities CVE-2023-46805 and CVE-2024-21887 ∗∗∗ --------------------------------------------- Ivanti VPNs can be exploited by CVE-2023-46805 (High severity) and CVE-2024-21887 (Critical severity), chained together to run commands without authentication. --------------------------------------------- https://unit42.paloaltonetworks.com/threat-brief-ivanti-cve-2023-46805-cve-… ∗∗∗ The 7 deadly cloud security sins and how SMBs can do things better ∗∗∗ --------------------------------------------- By eliminating these mistakes and blind spots, your organization can take massive strides towards optimizing its use of cloud without exposing itself to cyber-risk --------------------------------------------- https://www.welivesecurity.com/en/business-security/7-deadly-cloud-security… ∗∗∗ Countdown für die NIS2-Richtline läuft ∗∗∗ --------------------------------------------- Zahlreiche Unternehmen müssen die NIS2-Richtlinie umsetzen. EU-Direktive schreibt strenge Maßnahmen zur Gewährleistung der Cybersicherheit vor. --------------------------------------------- https://www.zdnet.de/88413795/countdown-fuer-die-nis2-richtline-laeuft%e2%8… ∗∗∗ CISA Adds Three Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. - CVE-2023-6549 Citrix NetScaler ADC and NetScaler Gateway Buffer Overflow Vulnerability - CVE-2023-6548 Citrix NetScaler ADC and NetScaler Gateway Code Injection Vulnerability - CVE-2024-0519 Google Chromium V8 Out-of-Bounds Memory Access Vulnerability --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/01/17/cisa-adds-three-known-ex… ∗∗∗ Static Code Analysis: Why Your Company’s Reputation Depends On It ∗∗∗ --------------------------------------------- Static application security testing (SAST) solutions provide organizations with peace of mind that their applications are secure. But SAST platforms differ from each other. A SAST tool that meets developers where they are can make AppSec team’s lives much easier, and significantly enhance the organization’s ability to defend itself from code vulnerabilities in the SDLC. This comprehensive guide covers all aspects of Static Application Security Testing, on your journey to choosing a SAST tool and vendor. --------------------------------------------- https://checkmarx.com/appsec-knowledge-hub/sast/static-code-analysis-why-yo… ===================== = Vulnerabilities = ===================== ∗∗∗ MOVEit Transfer Service Pack (January 2024) ∗∗∗ --------------------------------------------- This article contains the details of the specific updates within the MOVEit Transfer January 2024 Service Pack. The Service Pack contains fixes for (1) newly disclosed CVE described below. Progress Software highly recommends you apply this Service Pack for product updates and security improvements. For Service Pack content, please review the Service Pack Release Notes and this knowledgebase article carefully. --------------------------------------------- https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-Janua… ∗∗∗ MOVEit Automation Service Pack (January 2024) ∗∗∗ --------------------------------------------- As of January 17, 2024, the MOVEit Automation Service Pack is available for download from the Progress Download Center at https://community.progress.com/s/products-list using your Progress ID credentials. Progress Software highly recommends you apply this Service Pack for product updates and security improvements. For Service Pack content, please review the Service Pack Release Notes and this knowledgebase article carefully. --------------------------------------------- https://community.progress.com/s/article/MOVEit-Automation-Service-Pack-Jan… ∗∗∗ Google Chrome: Sicherheitslücke wird in freier Wildbahn ausgenutzt ∗∗∗ --------------------------------------------- Google aktualisiert den Webbrowser Chrome. Das Update schließt hochriskante Sicherheitslücken. Eine davon wird bereits missbraucht. --------------------------------------------- https://www.heise.de/-9599575.html ∗∗∗ Critical Patch Update: Oracle veröffentlicht 389 Sicherheitsupdates ∗∗∗ --------------------------------------------- Oracle hat in seinem Quartalsupdate unter anderem Banking Enterprise, MySQL und Solaris gegen mögliche Angriffe abgesichert. --------------------------------------------- https://www.heise.de/-9600083.html ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (zabbix), Gentoo (OpenJDK), Red Hat (kernel), Slackware (gnutls and xorg), SUSE (cloud-init, kernel, xorg-x11-server, and xwayland), and Ubuntu (freeimage, postgresql-10, and xorg-server, xwayland). --------------------------------------------- https://lwn.net/Articles/958497/ ∗∗∗ 2024-01-10: Cyber Security Advisory - AC500 V3 Multiple DoS vulnerabilities ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=3ADR011264&Language… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ K000138178 : Apache Tomcat vulnerability CVE-2023-42795 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000138178 ∗∗∗ K000138242 : OpenSSL vulnerability CVE-2023-5678 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000138242 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.01.2024
by Daily end-of-shift report 16 Jan '24

16 Jan '24

===================== = End-of-Day report = ===================== Timeframe: Montag 15-01-2024 18:00 − Dienstag 16-01-2024 18:00 Handler: Stephan Richter Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ A lightweight method to detect potential iOS malware ∗∗∗ --------------------------------------------- Analyzing Shutdown.log file as a lightweight method to detect indicators of infection with sophisticated iOS malware such as Pegasus, Reign and Predator. --------------------------------------------- https://securelist.com/shutdown-log-lightweight-ios-malware-detection-metho… ∗∗∗ DORA: Noch ein Jahr bis zur vollständigen Einhaltung des neuen Rechtsrahmens ∗∗∗ --------------------------------------------- In einem Jahr, am 17. Januar 2025, wird die EU-Verordnung über die über die digitale operationale Resilienz im Finanzsektor (DORA) in Kraft treten. --------------------------------------------- https://sec-consult.com/de/blog/detail/dora-noch-ein-jahr-bis-zur-vollstaen… ∗∗∗ Phemedrone-Infostealer umgeht Windows Defender Smartscreeen-Filter ∗∗∗ --------------------------------------------- Trend Micro hat den Phemedrone-Infostealer analysiert. Der schaffte es durch eine Lücke im Windows Defender Smartscreen-Filter auf Rechner. --------------------------------------------- https://www.heise.de/news/Phemedrone-Infostealer-umgeht-Windows-Defender-Sm… ∗∗∗ Deepfake-Videos mit bekannten Gesichtern locken in Investmentfallen ∗∗∗ --------------------------------------------- Kriminelle greifen bei der Bewerbung betrügerischer Finanzangebote besonders tief in die Trickkiste. Website-Kopien von Zeitungen mit gefälschten Promi-Artikel kennen wir nur zu gut. Mittlerweile kommen aber auch zum Teil sehr professionelle Deep-Fake-Videos zum Einsatz. Darin erklären Ihnen bekannte Promis, Moderator:innen oder Politiker:innen, wie Sie mit einer „geheimen“ Plattform schnell reich werden. --------------------------------------------- https://www.watchlist-internet.at/news/deepfake-videos-mit-bekannten-gesich… ∗∗∗ Vorsicht vor Kryptoscams, die in Wien auf der Straße liegen ∗∗∗ --------------------------------------------- Ein seltsamer Fund in der Nähe der Wiener Karlskirche legt nahe, dass Passanten derzeit mit gefälschten Paper-Wallets geködert werden --------------------------------------------- https://www.derstandard.at/story/3000000203274/vorsicht-vor-kryptoscams-die… ∗∗∗ CISA and FBI Release Known IOCs Associated with Androxgh0st Malware ∗∗∗ --------------------------------------------- Today, CISA and the Federal Bureau of Investigation (FBI) released a joint Cybersecurity Advisory (CSA), Known Indicators of Compromise Associated with Androxgh0st Malware, to disseminate known indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with threat actors deploying Androxgh0st malware. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2024/01/16/cisa-and-fbi-release-kno… ∗∗∗ Ivanti Connect Secure VPN Exploitation Goes Global ∗∗∗ --------------------------------------------- Important: If your organization uses Ivanti Connect Secure VPN and you have not applied the mitigation, then please do that immediately! Organizations should immediately review the results of the built-in Integrity Check Tool for log entries indicating mismatched or new files. --------------------------------------------- https://www.volexity.com/blog/2024/01/15/ivanti-connect-secure-vpn-exploita… ===================== = Vulnerabilities = ===================== ∗∗∗ Sonicwall: Angreifer können über 178.000 Firewalls zum Absturz bringen ∗∗∗ --------------------------------------------- Die beiden Schwachstellen, über die der DoS-Angriff gelingt, sind eigentlich schon lange bekannt. Auch ein Exploit steht seit Monaten bereit. --------------------------------------------- https://www.golem.de/news/sonicwall-angreifer-koennen-ueber-178-000-firewal… ∗∗∗ Cross-Site-Scripting in Monitoringsoftware PRTG erlaubt Sessionklau ∗∗∗ --------------------------------------------- Mit einem präparierten Link können Angreifer PRTG-Nutzer in die Irre führen und die Authentifizierung umgehen. Ein Update schafft Abhilfe. --------------------------------------------- https://www.heise.de/news/Cross-Site-Scripting-in-Monitoringsoftware-PRTG-e… ∗∗∗ Atlassian: Updates zum Patchday schließen 28 hochriskante Schwachstellen ∗∗∗ --------------------------------------------- Atlassian veranstaltet einen Patchday und schließt dabei 28 Sicherheitslücken in diversen Programmen, die als hohes Risiko gelten. --------------------------------------------- https://www.heise.de/news/Atlassian-Updates-zum-Patchday-schliessen-28-hoch… ∗∗∗ Kritische Sicherheitslücke: VMware vergaß Zugriffskontrollen in Aria Automation ∗∗∗ --------------------------------------------- Angreifer mit einem gültigen Konto können sich erweiterte Rechte verschaffen. VMWare bietet Patches an, Cloud-Kunden bleiben verschont. --------------------------------------------- https://www.heise.de/news/Kritische-Sicherheitsluecke-VMware-vergass-Zugrif… ∗∗∗ Codeschmuggel in Juniper JunOS: Weltweit tausende Geräte betroffen ∗∗∗ --------------------------------------------- Ist auf einer Firewall der SRX-Serie oder einem Switch der EX-Reihe das Web-Management-Interface aktiviert, drohen Angriffe. Juniper hat Updates in petto. --------------------------------------------- https://www.heise.de/news/Codeschmuggel-in-Juniper-JunOS-Weltweit-tausende-… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Gentoo (KTextEditor, libspf2, libuv, and Nettle), Mageia (hplip), Oracle (container-tools:4.0, gnutls, idm:DL1, squid, squid34, and virt:ol, virt-devel:rhel), Red Hat (.NET 6.0, krb5, python3, rsync, and sqlite), SUSE (chromium, perl-Spreadsheet-ParseXLSX, postgresql, postgresql15, postgresql16, and rubygem-actionpack-5_1), and Ubuntu (binutils, libspf2, libssh2, mysql-5.7, w3m, webkit2gtk, and xerces-c). --------------------------------------------- https://lwn.net/Articles/958416/ ∗∗∗ VU#132380: Vulnerabilities in EDK2 NetworkPkg IP stack implementation. ∗∗∗ --------------------------------------------- https://kb.cert.org/vuls/id/132380 ∗∗∗ VU#302671: SMTP end-of-data uncertainty can be abused to spoof emails and bypass policies ∗∗∗ --------------------------------------------- https://kb.cert.org/vuls/id/302671 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ VMSA-2024-0001 - VMware Aria Automation (formerly vRealize Automation) update addresses a Missing Access Control vulnerability (CVE-2023-34063) ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2024-0001.html ∗∗∗ NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2023-6548 and CVE-2023-6549 ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX584986/netscaler-adc-and-netscaler-ga… ∗∗∗ Citrix Session Recording Security Bulletin for CVE-2023-6184 ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX583930/citrix-session-recording-secur… ∗∗∗ Citrix StoreFront Security Bulletin for CVE-2023-5914 ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX583759/citrix-storefront-security-bul… ∗∗∗ SFPMonitor.sys KOOB Write vulnerability ∗∗∗ --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-6340 ∗∗∗ SEW-EURODRIVE MOVITOOLS MotionStudio ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-016-01 ∗∗∗ Integration Objects OPC UA Server Toolkit ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-24-016-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.01.2024
by Daily end-of-shift report 15 Jan '24

15 Jan '24

===================== = End-of-Day report = ===================== Timeframe: Freitag 12-01-2024 18:00 − Montag 15-01-2024 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ 2FA war wohl inaktiv: Aufarbeitung des Angriffs auf X-Konto der SEC gefordert ∗∗∗ --------------------------------------------- Die SEC hatte es wohl versäumt, die Zwei-Faktor-Authentifizierung ihres X-Accounts zu aktivieren. Einige US-Senatoren halten dies für "unentschuldbar". --------------------------------------------- https://www.golem.de/news/2fa-war-wohl-inaktiv-aufarbeitung-des-angriffs-au… ∗∗∗ Opera MyFlaw Bug Could Let Hackers Run ANY File on Your Mac or Windows ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed a security flaw in the Opera web browser for Microsoft Windows and Apple macOS that could be exploited to execute any file on the underlying operating system. The remote code execution vulnerability has been codenamed MyFlaw by the Guardio Labs research team owing to the fact that it takes advantage of a feature called My Flow [...] --------------------------------------------- https://thehackernews.com/2024/01/opera-myflaw-bug-could-let-hackers-run.ht… ∗∗∗ Cybersecurity Alert - Self-Service Password Reset ∗∗∗ --------------------------------------------- Effective controls are essential to authenticate users who access your information systems. As configured by some organizations, applications or features that allow users to reset passwords themselves, do not securely authenticate users. If your organization uses, or is considering using, these features (commonly referred to as self-service password reset or SSPR), please review the information below. --------------------------------------------- https://www.dfs.ny.gov/industry_guidance/industry_letters/il20240112_cyber_… ∗∗∗ Nvidia-Updates schließen kritische Sicherheitslücken in KI-Systemen ∗∗∗ --------------------------------------------- Nvidia hat aktualisierte Firmware für die KI-Systeme DGX A100 und H100 veröffentlicht. Sie dichtet kritische Sicherheitslecks ab. --------------------------------------------- https://www.heise.de/-9597460.html ∗∗∗ Vorsicht vor gefälschten FinanzOnline-E-Mails ∗∗∗ --------------------------------------------- „Bitte überprüfen Sie Ihre Angaben zur zusätzlichen Verpflichtung“ lautet der Betreff eines betrügerischen E-Mails angeblich von FinanzOnline. Im Mail wird behauptet, dass sich in Ihrem Briefkasten ein Dokument befindet. Dieses können Sie über einen Link aufrufen. Wenn Sie auf den Link klicken, landen Sie auf einer gefälschten FinanzOnline-Login-Seite. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-gefaelschten-finanzonli… ∗∗∗ Microsoft SharePoint Server: RCE-Schwachstelle CVE-2024-21318 patchen, und alte CVE-2023-29357 wird angegriffen ∗∗∗ --------------------------------------------- Noch ein Nachtrag vom Januar 2024-Patchday zu Microsoft SharePoint Server. Ich hatte in den Patchday-Artikeln die SharePoint Server RCE-Schwachstelle CVE-2024-21318 angesprochen. Diese wurde mit den Sicherheitsupdates vom 9. Januar 2023 geschlossen. Es gibt eine zweite, bereits im Juni 2023 geschlossene, Elevation of Privilege-Schwachstelle CVE-2023-29357, für die ein Exploit bekannt ist. Die US CISA hat eine Warnung veröffentlicht, weil inzwischen Angriffe auf die RCE-Schwachstelle beobachtet wurden. --------------------------------------------- https://www.borncity.com/blog/2024/01/13/microsoft-sharepoint-server-rce-sc… ∗∗∗ Bitdefender findet Schwachstellen in Bosch BCC100-Thermostaten ∗∗∗ --------------------------------------------- Kleiner Nachtrag von dieser Woche, denn der Sicherheitsanbieter Bitdefender hat mich darüber informiert, dass Sicherheitsforscher in seinen Labs Schwachstellen in Bosch BCC100-Thermostaten gefunden haben. Hacker können solche intelligenten Thermostate über diese Schwachstellen unter ihre Kontrolle bringen und sich einen Zugriff auf Smart-Home-Netzwerke verschaffen. --------------------------------------------- https://www.borncity.com/blog/2024/01/14/bitdefender-findet-schwachstellen-… ∗∗∗ Deobfuscating Android ARM64 strings with Ghidra: Emulating, Patching, and Automating ∗∗∗ --------------------------------------------- In a recent engagement I had to deal with some custom encrypted strings inside an Android ARM64 app. I had a lot of fun reversing the app and in the process I learned a few cool new techniques which are discussed in this writeup. This is mostly a beginner guide which explains step-by-step how you [...] --------------------------------------------- https://blog.nviso.eu/2024/01/15/deobfuscating-android-arm64-strings-with-g… ===================== = Vulnerabilities = ===================== ∗∗∗ OpenSSL Security Advisory - Excessive time spent checking invalid RSA public keys (CVE-2023-6237) ∗∗∗ --------------------------------------------- Impact summary: Applications that use the function EVP_PKEY_public_check() to check RSA public keys may experience long delays. Where the key that is being checked has been obtained from an untrusted source this may lead to a Denial of Service. --------------------------------------------- https://www.openssl.org/news/secadv/20240115.txt ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (bind, cups, curl, firefox, ipa, iperf3, java-1.8.0-openjdk, java-11-openjdk, kernel, libssh2, linux-firmware, open-vm-tools, openssh, postgresql, python, python3, squid, thunderbird, tigervnc, and xorg-x11-server), Fedora (chromium, python-flask-security-too, and tkimg), Gentoo (libgit2, Opera, QPDF, and zlib), Mageia (chromium-browser-stable, gnutls, openssh, packages, and vlc), Oracle (.NET 6.0, fence-agents, frr, ipa, kernel, nss, pixman, and tomcat), and SUSE (gstreamer-plugins-bad). --------------------------------------------- https://lwn.net/Articles/958315/ ∗∗∗ Mattermost security updates 9.2.4 / 9.1.5 / 8.1.8 (ESR) released ∗∗∗ --------------------------------------------- We’re informing you about a Mattermost security update, which addresses low- to medium-level severity vulnerabilities. We highly recommend that you apply the update. The security update is available for Mattermost dot releases 9.2.4, 9.1.5, and 8.1.8 (Extended Support Release) for both Team Edition and Enterprise Edition. --------------------------------------------- https://mattermost.com/blog/mattermost-security-updates-9-2-4-9-1-5-8-1-8-e… ∗∗∗ CVE-2024-0057 NET, .NET Framework, and Visual Studio Security Feature Bypass Vulnerability ∗∗∗ --------------------------------------------- Revised the Security Updates table as follows: Added PowerShell 7.2, PowerShell 7.3, and PowerShell 7.4 because these versions of PowerShell 7 are affected by this vulnerability. See [https://github.com/PowerShell/Announcements/issues/72](https://github.com/P… for more information. Corrected Download and Article links for .NET Framework 3.5 and 4.8.1 installed on Windows 10 version 22H2. --------------------------------------------- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-0057 ∗∗∗ ZDI-24-073: Paessler PRTG Network Monitor Cross-Site Scripting Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-24-073/ ∗∗∗ ZDI-24-072: Synology RT6600ax Qualcomm LDB Service Improper Input Validation Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-24-072/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ K000138219 : libssh2 vulnerability CVE-2020-22218 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000138219 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily